Package Exports
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (cortexhq) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
๐ก๏ธ CORTEX
Intent-Aware Security for AI-Generated Code
The first security engine designed specifically for "vibe coding"
Quick Start โข Detection Engine โข CLI Commands โข Benchmarks
๐ฏ The Problem
AI coding assistants (Cursor, Copilot, Claude) generate code that works but isn't secure:
| Issue | What Happens | CORTEX Detection |
|---|---|---|
| Client-side auth | if (password === 'admin') in React |
โ Invariant violation |
| RLS bypass | using (true) in Supabase policies |
โ Policy misconfiguration |
| Hallucinated packages | npm install react-native-encrypt-fast |
โ Slopsquatting detection |
| Missing rate limits | Public /api/signup with no protection |
โ Absence-of-control |
| SQL injection | Template literals in queries | โ Taint analysis |
Traditional SAST misses these because the code is "correct" โ it just violates security intent.
โ The Solution
CORTEX is an Intent-Aware Security Engine with 6 detection layers:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CORTEX DETECTION ENGINE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Layer 1: Semgrep Patterns (SQLi, XSS, secrets) โ
โ Layer 1.5: Dependency Intelligence (CVEs, hallucinations) โ
โ Layer 2: Taint Analysis (source โ sink tracking) โ
โ Layer 3: Policy Semantics (RLS, Firebase, CORS) โ
โ Layer 3.5: Invariant Analysis (client-side auth) โ
โ Layer 4: Absence Detection (missing rate limits) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Layer 5: Confidence Scoring + Explainable Findings โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ๐ Quick Start
# Install
npm install -g cortex-ai
# Run a security scan
cortex detect scan ./src
# Check dependencies for hallucinations
cortex detect deps
# Run benchmarks
cortex benchmark runExample Output
๐ฌ CORTEX Intent-Aware Detection Engine v2.0
๐ SECURITY SCAN SUMMARY
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ด Critical: 2
๐ High: 3
๐ก Medium: 1
๐ต Low: 0
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Total: 6 findings
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ด CRITICAL: Client-Side Authentication โ
โ โ
โ File: src/components/Login.tsx:15 โ
โ Confidence: 92% โ
โ โ
โ CODE: โ
โ > if (password === 'admin123') { setLoggedIn(true); } โ
โ โ
โ WHY THIS IS DANGEROUS: โ
โ โข Authentication check performed in browser context โ
โ โข Client-side checks can be bypassed via DevTools โ
โ โ
โ INVARIANT VIOLATED: โ
โ "Authentication decisions must occur server-side" โ
โ โ
โ FIX: โ
โ Move authentication to server-side with HttpOnly cookies โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ๐ฌ Detection Engine
Detection Classes
| Class | What It Detects | Examples |
|---|---|---|
| exploit | Active vulnerabilities | SQL injection, XSS, command injection |
| invariant | Security intent violations | Client-side auth, trust boundaries |
| policy | Misconfigured policies | RLS using(true), CORS wildcards |
| supply-chain | Dependency risks | CVEs, hallucinated packages |
| absence | Missing security controls | No rate limiting, no CAPTCHA |
55+ Security Rules
| Category | Count | Examples |
|---|---|---|
| Injection | 10 | SQL, NoSQL, command, path traversal |
| XSS | 6 | innerHTML, dangerouslySetInnerHTML |
| Secrets | 8 | API keys, tokens, hardcoded passwords |
| Auth/Authz | 8 | Client-side auth, IDOR, missing auth |
| Policy | 6 | RLS, Firebase, CORS, S3 buckets |
| Supply Chain | 6 | CVEs, hallucinations, deprecated |
| Abuse Control | 7 | Missing rate limits, no CAPTCHA |
| Crypto | 4 | Weak hashing, insecure storage |
๐ป CLI Commands
Detection Engine
cortex detect scan [path] # Full security scan
cortex detect deps # Dependency intelligence
cortex detect invariants <f> # Check invariant violations
cortex detect policies <f> # Check policy misconfigurations
cortex detect summary # Show detection capabilitiesBenchmarking
cortex benchmark run # Run all benchmarks
cortex benchmark run --update-baseline # Update baseline
cortex benchmark list # List benchmark categoriesFeedback (Confidence Calibration)
cortex feedback accept <id> # Mark as true positive
cortex feedback dismiss <id> # Mark as false positive
cortex feedback stats # View precision per ruleScope Management
cortex scope init # Create scope.yaml
cortex scope show # Display current scope
cortex scope check <path> # Check if file allowedOther Commands
cortex version # Show version
cortex security rules # List all security rules
cortex patterns detect # Auto-detect framework
cortex learn progress # Learning mode progress๐งช Benchmarks
CORTEX includes a benchmark harness with ground truth:
benchmarks/
โโโ sql-injection/ # SQL injection samples
โโโ xss/ # Cross-site scripting
โโโ client-auth-bypass/ # Client-side auth issues
โโโ rls-misconfig/ # RLS policy problems
โโโ firebase-public/ # Public storage buckets
โโโ slopsquatting/ # Hallucinated packages
โโโ race-condition/ # Race condition patterns
โโโ unprotected-endpoint/ # Missing abuse controls
โโโ expected-findings.json # 26 ground truth findingsRegression Protection: If a previously passing test regresses, CI fails.
๐ง Configuration
# .cortex/scope.yaml
task: "Add user authentication"
allow:
- src/auth/**
- src/components/Login.tsx
block:
- .env*
- src/core/**
limits:
files: 10
lines: 500๐ Documentation
- Detection Engine Guide - Layers, capabilities, limitations
- Vibe Coding Security - Security checklist
- Core Architecture - System design
- Integration Guide - CI/IDE setup
โญ Star on GitHub โข ๐ Report Bug โข ๐ก Request Feature