
Releases: drnasin/intentphp

v1.1.0 — Intent-Aware Guard Checks

13 Feb 20:06


✨ What's New

  • Intent spec support — Guard can now validate your code against a declared security specification in intent/intent.yaml. The spec is fully optional; Guard behaves exactly as before without it.
  • Two new checks: intent-auth (route auth compliance) and intent-mass-assignment (model constraint compliance) run automatically when the spec is present.
  • guard:intent command — scaffold, validate, and inspect your intent spec from the CLI.
  • Enriched mass-assignment findings — existing mass-assignment findings are automatically enriched with intent spec details (allow/forbid lists, mode) when a spec is present.
  • Deterministic fingerprints — intent findings use stable, reproducible fingerprints (sorted rule IDs, sorted methods, no line numbers) for reliable baseline suppression.
  • Fully additive — no breaking changes. Existing scans, baselines, CI pipelines, and configurations continue to work unchanged.

🔍 New Checks

intent-auth

Compares actual route middleware against auth requirements declared in the intent spec.

| Condition | Severity |
|---|---|
| Route requires authentication but has no auth middleware | HIGH |
| Route requires a specific guard (e.g., auth:api) but middleware doesn't include it | HIGH |
| Route declared public but has no auth middleware | MEDIUM |

Multiple rules matching the same route with identical requirements are deduplicated into a single finding. Overlapping rules with different requirements produce separate findings.

Works with incremental scanning (--changed, --staged) — findings are filtered the same way as route-authorization.

intent-mass-assignment

Validates model files against mass-assignment constraints declared in the intent spec.

| Condition | Severity |
|---|---|
| Model declared as explicit_allowlist but missing $fillable | HIGH |
| Forbidden attribute found in model's $fillable | HIGH |
| Model declared as guarded but has $guarded = [] | HIGH |

If a model referenced in the spec cannot be found on disk, Guard prints a warning and continues. Warnings do not produce findings and do not fail the scan.

🧠 Intent Spec (Optional)

Guard supports an optional intent/intent.yaml file at the project root. This file declares expected security properties that Guard validates against your actual code.

  • Opt-in only. If the file is missing, Guard behaves exactly as before. No configuration needed.
  • Additive. When present, intent-auth and intent-mass-assignment checks run alongside existing checks. A route can receive both a route-authorization and an intent-auth finding — they are independently suppressible.
  • Fail-safe. Spec parse errors and validation failures print error messages and exit non-zero. No exceptions are thrown.

Minimal example

```yaml
version: "0.1"
project:
  name: my-app
  framework: laravel

auth:
  guards:
    api: token
  rules:
    - id: api-protected
      match:
        routes:
          prefix: /api
      require:
        authenticated: true
        guard: api

data:
  models:
    App\Models\User:
      massAssignment:
        mode: explicit_allowlist
        allow: [name, email]
        forbid: [is_admin]
```
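To make the intent-auth and intent-mass-assignment comparisons above concrete, here is an added, illustrative re-implementation of their logic in Python. It is not IntentPHP Guard's own code (the real checks are PHP and read intent/intent.yaml and your routes and models); it embeds the minimal spec above as a dict, adds a constructed second auth rule with identical requirements to show deduplication, a constructed `guarded` model, and a spec entry for a model that is not "on disk" to show the warning path. The `Route` and `ModelFacts` inputs stand in for what a scan of `routes/` and `app/Models` would yield. The two HIGH intent-auth conditions and all three intent-mass-assignment conditions are covered, and the fingerprint follows the stated recipe (sorted rule IDs, sorted methods, no line numbers); the fingerprint format itself is an assumption.

```python
"""Illustrative model of intent-auth and intent-mass-assignment (not Guard's code)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed: the release notes' minimal spec as a dict, plus an extra rule
# with identical requirements, a 'guarded' model and a model that is not on disk.
SPEC = {
    "auth": {"rules": [
        {"id": "api-protected", "match": {"routes": {"prefix": "/api"}},
         "require": {"authenticated": True, "guard": "api"}},
        {"id": "api-users", "match": {"routes": {"prefix": "/api/users"}},
         "require": {"authenticated": True, "guard": "api"}},  # same requirement as above
    ]},
    "data": {"models": {
        "App\\Models\\User": {"massAssignment": {"mode": "explicit_allowlist",
                                                "allow": ["name", "email"],
                                                "forbid": ["is_admin"]}},
        "App\\Models\\Post": {"massAssignment": {"mode": "guarded"}},
        "App\\Models\\Ghost": {"massAssignment": {"mode": "guarded"}},  # not on disk
    }},
}


@dataclass(frozen=True)
class Route:
    uri: str
    methods: tuple       # HTTP verbs in whatever order the router listed them
    middleware: tuple    # e.g. ("auth:api", "throttle")


@dataclass(frozen=True)
class ModelFacts:
    fqcn: str
    fillable: Optional[tuple]  # None when $fillable is not declared at all
    guarded: Optional[tuple]   # () stands for "$guarded = []"


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    subject: str
    message: str
    fingerprint: str


def fingerprint(check, subject, rule_ids, methods=()):
    """Stable fingerprint (assumed format): sorted rule IDs and methods, no line
    numbers, so declaration order and code movement do not change the hash."""
    payload = "|".join([check, subject, ",".join(sorted(rule_ids)), ",".join(sorted(methods))])
    return hashlib.sha256(payload.encode()).hexdigest()[:16]


def _has_auth_middleware(middleware):
    return any(m == "auth" or m.startswith("auth:") for m in middleware)


def check_intent_auth(spec, routes):
    """HIGH when a route requiring auth has none, or lacks the required guard.
    Rules with identical requirements on one route collapse into one finding."""
    findings = []
    for route in routes:
        groups = {}  # requirement -> IDs of the rules that impose it
        for rule in spec["auth"]["rules"]:
            if route.uri.startswith(rule["match"]["routes"]["prefix"]):
                groups.setdefault(tuple(sorted(rule["require"].items())), []).append(rule["id"])
        for req_key, rule_ids in groups.items():
            req = dict(req_key)
            if not req.get("authenticated"):
                continue
            fp = fingerprint("intent-auth", route.uri, rule_ids, route.methods)
            guard = req.get("guard")
            if not _has_auth_middleware(route.middleware):
                findings.append(Finding("intent-auth", "HIGH", route.uri,
                                        "requires authentication but has no auth middleware", fp))
            elif guard and f"auth:{guard}" not in route.middleware:
                findings.append(Finding("intent-auth", "HIGH", route.uri,
                                        f"requires guard auth:{guard} but middleware lacks it", fp))
    return findings


def check_intent_mass_assignment(spec, models):
    """Returns (findings, warnings): a model missing from disk warns, never fails."""
    findings, warnings = [], []
    on_disk = {m.fqcn: m for m in models}
    for fqcn, cfg in spec["data"]["models"].items():
        ma, model = cfg["massAssignment"], on_disk.get(fqcn)
        if model is None:
            warnings.append(f"model {fqcn} referenced in spec not found, skipping")
            continue
        fp = fingerprint("intent-mass-assignment", fqcn, [ma["mode"]])
        if ma["mode"] == "explicit_allowlist":
            if model.fillable is None:
                findings.append(Finding("intent-mass-assignment", "HIGH", fqcn,
                                        "declared explicit_allowlist but missing $fillable", fp))
            else:
                for attr in sorted(set(ma.get("forbid", [])) & set(model.fillable)):
                    findings.append(Finding("intent-mass-assignment", "HIGH", fqcn,
                                            f"forbidden attribute {attr} in $fillable", fp))
        elif ma["mode"] == "guarded" and model.guarded == ():
            findings.append(Finding("intent-mass-assignment", "HIGH", fqcn,
                                    "declared guarded but has $guarded = []", fp))
    return findings, warnings


# Constructed scan results: one unauthenticated route, one with the wrong guard,
# one compliant route; a User model that exposes is_admin and a wide-open Post.
ROUTES = [
    Route("/api/users", ("POST", "GET"), ("throttle",)),
    Route("/api/orders", ("GET",), ("auth:web",)),
    Route("/api/me", ("GET",), ("auth:api",)),
]
MODELS = [
    ModelFacts("App\\Models\\User", ("name", "email", "is_admin"), None),
    ModelFacts("App\\Models\\Post", None, ()),
]

if __name__ == "__main__":
    for f in check_intent_auth(SPEC, ROUTES) + check_intent_mass_assignment(SPEC, MODELS)[0]:
        print(f"[{f.severity}] {f.check} {f.subject}: {f.message} ({f.fingerprint})")
```

Running it yields two intent-auth findings (`/api/users` with no auth middleware, one finding despite two matching rules; `/api/orders` with `auth:web` instead of `auth:api`), two intent-mass-assignment findings (`is_admin` in User's `$fillable`; Post declared guarded with `$guarded = []`) and one warning for the missing Ghost model. The `/api/me` route and the missing model produce no finding, matching the fail-safe behaviour described above.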

🛡️ Safety & Compatibility

  • No breaking changes to existing commands, exit codes, or report formats.
  • No automatic code modification — Guard only reports findings and suggestions.
  • Existing baselines remain valid. New intent findings get their own fingerprints.
  • All intent checks work with --baseline, --changed, --staged, and all output formats.
  • Deterministic output — same spec and code always produce the same findings and fingerprints.
  • Cache version bumped to 1.1.0 — caches from previous versions are automatically invalidated on upgrade.

⚙️ New Commands

guard:intent

```bash
# Scaffold a starter intent/intent.yaml
php artisan guard:intent init

# Validate an existing intent spec
php artisan guard:intent validate

# Print a summary of the parsed spec
php artisan guard:intent show
```

| Option | Description |
|---|---|
| --path=DIR | Path to intent directory (default: intent/) |
| --force | Overwrite existing files when running init |

⬆️ Upgrade Notes

  • No configuration changes required.
  • Existing setups continue to work without modification.
  • To use intent-aware checks, create an intent/intent.yaml file (manually or via guard:intent init) and run guard:scan as usual.

v1.0.0

13 Feb 16:42


IntentPHP Guard v1.0.0

First stable release of IntentPHP Guard — a Laravel-native CLI security scanner that detects authorization and data handling vulnerabilities.

Features

  • Route Authorization Check — detects routes missing authentication/authorization middleware or gate checks
  • Dangerous Query Input Check — finds user input flowing directly into query builders (SQL injection risk)
  • Mass Assignment Check — identifies unsafe model creation/updates with unvalidated request data
  • Baseline & Inline Suppression — fingerprint-based baseline (guard:baseline) and // guard:ignore comments
  • Multiple Output Formats — Console, JSON, GitHub Actions annotations, Markdown
  • Incremental Scanning — Git-aware scanning of changed files only (--changed, --staged)
  • Patch Generation — deterministic template-based fixes (guard:fix) with optional AI fallback (--ai)
  • AI Integration — supports local CLI tools (Claude, Codex) and OpenAI-compatible APIs
  • Test Generation — auto-generate feature tests for findings (guard:test-gen)
  • CI Ready — works in GitHub Actions with --format=github annotations and --strict exit codes

Requirements

  • PHP 8.2+
  • Laravel 10, 11, or 12

Installation

```bash
composer require --dev intentphp/guard
```