npm - @ship-safe/cli - Versions diffs - 1.1.13 → 1.1.14 - Mend

@ship-safe/cli 1.1.13 → 1.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +60 -10
package/package.json +11 -10

package/dist/index.js CHANGED Viewed

@@ -5926,14 +5926,26 @@ function isInsideStringLiteral(line, pattern) {
   }
   return backtickCount % 2 === 1;
 }
+function isJsxTextContent(line) {
+  const trimmed = line.trim();
+  if (/^\w+\s*[:=]\s*["'`]/.test(trimmed) && trimmed.length > 80) {
+    const nonCodeChars = trimmed.replace(/[a-zA-Z\s.,!?;:'"()\-]/g, "").length;
+    if (nonCodeChars / trimmed.length < 0.15) return true;
+  }
+  if (/>[^<]{40,}</.test(trimmed)) return true;
+  if (/["'`][A-Z][^"'`]{60,}["'`]/.test(trimmed)) {
+    return true;
+  }
+  return false;
+}
 function matchRule(rule, file) {
   if (!rule.languages.includes("*") && !rule.languages.includes(file.language)) {
     return [];
   }
   const isSecretRule = rule.id.startsWith("secrets/");
   if (!isSecretRule) {
-    const docPaths = /(?:\/docs\/|\/examples\/|\/fixtures\/|__tests__\/fixtures)/i;
-    if (docPaths.test(file.path)) return [];
+    const contentPaths = /(?:\/docs\/|\/blog\/|\/for\/|\/examples\/|\/fixtures\/|\/tutorials?\/|\/guides?\/|__tests__\/fixtures)/i;
+    if (contentPaths.test(file.path)) return [];
   }
   const findings = [];
   const lines = file.content.split("\n");
@@ -5946,6 +5958,7 @@ function matchRule(rule, file) {
       regex.lastIndex = 0;
       if (!isSecretRule && isCommentLine(line)) continue;
       if (!isSecretRule && isInsideStringLiteral(line, new RegExp(pattern.regex, "gi"))) continue;
+      if (!isSecretRule && isJsxTextContent(line)) continue;
       if (rule.excludePatterns?.length) {
         const excluded = rule.excludePatterns.some((ep) => {
           const exRegex = new RegExp(ep.regex, "i");
@@ -6839,12 +6852,15 @@ function detectPlatform(files) {
     if (lower.endsWith("package.json") && content.includes('"v0"')) {
       signals.v0.push("v0 dependency in package.json");
     }
-    if (content.includes("base44") || content.includes("Base44")) {
-      signals.base44.push("base44 reference in source");
-    }
     if (lower.includes("base44.config") || lower.includes(".base44")) {
       signals.base44.push("base44 config file");
     }
+    if (/from\s+['"]@?base44\b/i.test(content) || /require\s*\(\s*['"]@?base44\b/i.test(content)) {
+      signals.base44.push("base44 SDK import in source");
+    }
+    if (/https?:\/\/[^"'\s]*base44\.app/i.test(content)) {
+      signals.base44.push("base44.app URL in source");
+    }
   }
   const scores = Object.entries(signals).filter(([key]) => key !== "manual").map(([platform, sigs]) => ({
     platform,
@@ -7757,19 +7773,48 @@ async function scanCommand(targetPath, options) {
   );
   if (tokenData?.cliTier) {
     const aiSpinner = ora2({
-      text: chalk5.dim("Running AI-powered deep analysis..."),
+      text: chalk5.dim("Running AI-powered deep analysis... (this may take 1-3 minutes)"),
       color: "yellow",
       spinner: "dots12"
     }).start();
+    const stages = [
+      "Uploading files to AI scanner...",
+      "Analyzing code with Claude AI...",
+      "Detecting auth & logic vulnerabilities...",
+      "Checking business logic flaws...",
+      "Generating plain-English report..."
+    ];
+    let stageIdx = 0;
+    const progressInterval = setInterval(() => {
+      stageIdx = Math.min(stageIdx + 1, stages.length - 1);
+      aiSpinner.text = chalk5.dim(`${stages[stageIdx]} (${(stageIdx + 1) * 20}%)`);
+    }, 15e3);
     try {
+      const MAX_AI_FILES = 100;
+      const MAX_FILE_BYTES = 1e5;
+      const MAX_TOTAL_BYTES = 4 * 1024 * 1024;
+      let totalBytes = 0;
+      const aiFiles = [];
+      for (const f of files) {
+        const size = new TextEncoder().encode(f.content).byteLength;
+        if (size > MAX_FILE_BYTES) continue;
+        if (totalBytes + size > MAX_TOTAL_BYTES) break;
+        totalBytes += size;
+        aiFiles.push(f);
+        if (aiFiles.length >= MAX_AI_FILES) break;
+      }
+      aiSpinner.text = chalk5.dim(`Uploading ${aiFiles.length} files to AI scanner...`);
       const aiRes = await fetch(`${options.apiUrl}/api/cli/ai-scan`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: `Bearer ${tokenData.token}`
         },
-        body: JSON.stringify({ files })
+        body: JSON.stringify({ files: aiFiles }),
+        signal: AbortSignal.timeout(3e5)
+        // 5 minute timeout
       });
+      clearInterval(progressInterval);
       if (aiRes.ok) {
         const aiData = await aiRes.json();
         const aiFindings = aiData.findings.map((f) => ({
@@ -7805,8 +7850,9 @@ async function scanCommand(targetPath, options) {
             `AI analysis: ${aiFindings.length} additional findings`
           )
         );
+        const isUnlimited = !aiData.quota.limit || aiData.quota.limit < 0 || aiData.quota.limit >= 999999;
         printInfo(
-          `AI scans: ${aiData.quota.used}/${aiData.quota.limit} used this month (${aiData.quota.remaining} remaining)`
+          isUnlimited ? `AI scans: ${aiData.quota.used} used this month (unlimited plan)` : `AI scans: ${aiData.quota.used}/${aiData.quota.limit} used this month (${aiData.quota.remaining} remaining)`
         );
       } else if (aiRes.status === 429) {
         aiSpinner.warn(
@@ -7826,10 +7872,14 @@ async function scanCommand(targetPath, options) {
           chalk5.yellow(`AI analysis unavailable (HTTP ${aiRes.status}). ${errBody || "Showing rule-based results only."}`)
         );
       }
-    } catch {
+    } catch (fetchErr) {
+      clearInterval(progressInterval);
+      const errMsg = fetchErr instanceof Error ? fetchErr.message : String(fetchErr);
       aiSpinner.warn(
-        chalk5.yellow("Could not reach AI scanning service. Showing rule-based results only.")
+        chalk5.yellow(`Could not reach AI scanning service: ${errMsg}`)
       );
+    } finally {
+      clearInterval(progressInterval);
     }
   }
   const ignoredRules = loadIgnoredRules(resolvedPath);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ship-safe/cli",
-  "version": "1.1.13",
+  "version": "1.1.14",
   "description": "Security scanner for AI-generated code — find vulnerabilities before you ship",
   "type": "module",
   "license": "MIT",
@@ -38,6 +38,12 @@
     "access": "public",
     "registry": "https://registry.npmjs.org/"
   },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "type-check": "tsc --noEmit",
+    "prepublishOnly": "pnpm run build"
+  },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.39",
     "@inquirer/prompts": "^8.3.2",
@@ -48,15 +54,10 @@
     "yaml": "^2"
   },
   "devDependencies": {
+    "@shipsafe/scanner": "workspace:*",
+    "@shipsafe/shared": "workspace:*",
     "@types/node": "^22",
     "tsup": "^8",
-    "typescript": "^5.7",
-    "@shipsafe/scanner": "0.1.0",
-    "@shipsafe/shared": "0.1.0"
-  },
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
-    "type-check": "tsc --noEmit"
+    "typescript": "^5.7"
   }
-}
+}