@ship-safe/cli 1.1.8 → 1.1.12

package/dist/index.js

@@ -7,6 +7,9 @@ var __export = (target, all) => {
 
 // src/index.ts
 import { Command, InvalidArgumentError, Option } from "commander";
+import { readFileSync as readFileSync6 } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join as join5 } from "path";
 
 // src/commands/scan.ts
 import { resolve as resolve2, join as join4 } from "path";
@@ -14,9 +17,65 @@ import { existsSync as existsSync5, readFileSync as readFileSync5, writeFileSync
 import { homedir as homedir3 } from "os";
 import chalk5 from "chalk";
 import ora2 from "ora";
-import { select } from "@inquirer/prompts";
+import { select, confirm } from "@inquirer/prompts";
 import { parse as parseYaml } from "yaml";
 
+// ../../packages/scanner/dist/chunk-C2F2TUFE.js
+import Anthropic from "@anthropic-ai/sdk";
+var clients = /* @__PURE__ */ new Map();
+function getClient(apiKey) {
+  let client = clients.get(apiKey);
+  if (!client) {
+    client = new Anthropic({ apiKey, maxRetries: 2 });
+    clients.set(apiKey, client);
+  }
+  return client;
+}
+async function callClaude(apiKey, system, prompt, options) {
+  const anthropic = getClient(apiKey);
+  const maxTokens = options?.maxTokens ?? 4096;
+  const response = await anthropic.messages.create(
+    {
+      model: options?.model ?? "claude-haiku-4-5-20251001",
+      max_tokens: maxTokens,
+      temperature: 0,
+      // Zero temperature for fully deterministic JSON output
+      // Use content block format with cache_control for prompt caching.
+      // The system prompt is identical across chunks within a scan —
+      // caching it saves ~90% on input tokens for subsequent chunk calls.
+      system: [
+        {
+          type: "text",
+          text: system,
+          cache_control: { type: "ephemeral" }
+        }
+      ],
+      messages: [{ role: "user", content: prompt }]
+    },
+    { timeout: 6e4 }
+  );
+  const truncated = response.stop_reason === "max_tokens";
+  if (response.usage) {
+    console.log(
+      `[LLM] model=${options?.model ?? "haiku"} input=${response.usage.input_tokens} output=${response.usage.output_tokens}` + (response.usage.cache_read_input_tokens ? ` cached=${response.usage.cache_read_input_tokens}` : "")
+    );
+  }
+  if (truncated) {
+    console.warn(
+      `[LLM] Response truncated (hit ${maxTokens} max_tokens). Some findings may be lost.`
+    );
+  }
+  const textBlock = response.content.find((b) => b.type === "text");
+  return {
+    text: textBlock?.text ?? "",
+    truncated,
+    usage: response.usage ? {
+      inputTokens: response.usage.input_tokens,
+      outputTokens: response.usage.output_tokens
+    } : void 0
+  };
+}
+
 // ../../node_modules/.pnpm/zod@3.25.76/node_modules/zod/v3/external.js
 var external_exports = {};
 __export(external_exports, {
@@ -4184,7 +4243,6 @@ var llmResponseSchema = external_exports.object({
 // ../../packages/scanner/dist/index.js
 import path from "path";
 import { createHash } from "crypto";
-import Anthropic from "@anthropic-ai/sdk";
 function detectLanguage(filePath) {
   const ext = path.extname(filePath).toLowerCase();
   return LANGUAGE_EXTENSIONS[ext] ?? "unknown";
@@ -6201,59 +6259,6 @@ function deduplicateFindings(findings) {
     (a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]
   );
 }
-var clients = /* @__PURE__ */ new Map();
-function getClient(apiKey) {
-  let client = clients.get(apiKey);
-  if (!client) {
-    client = new Anthropic({ apiKey, maxRetries: 2 });
-    clients.set(apiKey, client);
-  }
-  return client;
-}
-async function callClaude(apiKey, system, prompt, options) {
-  const anthropic = getClient(apiKey);
-  const maxTokens = options?.maxTokens ?? 4096;
-  const response = await anthropic.messages.create(
-    {
-      model: options?.model ?? "claude-haiku-4-5-20251001",
-      max_tokens: maxTokens,
-      temperature: 0,
-      // Zero temperature for fully deterministic JSON output
-      // Use content block format with cache_control for prompt caching.
-      // The system prompt is identical across chunks within a scan —
-      // caching it saves ~90% on input tokens for subsequent chunk calls.
-      system: [
-        {
-          type: "text",
-          text: system,
-          cache_control: { type: "ephemeral" }
-        }
-      ],
-      messages: [{ role: "user", content: prompt }]
-    },
-    { timeout: 6e4 }
-  );
-  const truncated = response.stop_reason === "max_tokens";
-  if (response.usage) {
-    console.log(
-      `[LLM] model=${options?.model ?? "haiku"} input=${response.usage.input_tokens} output=${response.usage.output_tokens}` + (response.usage.cache_read_input_tokens ? ` cached=${response.usage.cache_read_input_tokens}` : "")
-    );
-  }
-  if (truncated) {
-    console.warn(
-      `[LLM] Response truncated (hit ${maxTokens} max_tokens). Some findings may be lost.`
-    );
-  }
-  const textBlock = response.content.find((b) => b.type === "text");
-  return {
-    text: textBlock?.text ?? "",
-    truncated,
-    usage: response.usage ? {
-      inputTokens: response.usage.input_tokens,
-      outputTokens: response.usage.output_tokens
-    } : void 0
-  };
-}
 var MAX_LINES_PER_CHUNK = 3e3;
 var LOGIC_PATTERNS = [
   // Route handlers that handle user input (security-sensitive)
@@ -6397,6 +6402,22 @@ Example of a medium-severity finding:
   }
 ]
 
+Example of a clean code response (no vulnerabilities found):
+
+Code analyzed:
+\`\`\`
+import { hash } from "bcrypt";
+import { db } from "./db";
+
+export async function createUser(email: string, password: string) {
+  const hashed = await hash(password, 12);
+  return db.insert("users", { email, password: hashed });
+}
+\`\`\`
+
+Response:
+[]
+
 If the code has no security issues, respond with: []
 
 You will receive source code wrapped in <user_code_to_analyze> tags. Analyze it for security vulnerabilities. Focus on context-dependent issues that need human-level understanding.
@@ -6533,10 +6554,15 @@ async function scanWithLLM(files, apiKey, platform) {
   });
   const CONCURRENCY = 5;
   const chunkResults = [];
+  const CIRCUIT_BREAKER_THRESHOLD = 3;
+  let consecutiveFailures = 0;
+  let circuitBroken = false;
   for (let i = 0; i < sortedChunks.length; i += CONCURRENCY) {
+    if (circuitBroken) break;
     const batch = sortedChunks.slice(i, i + CONCURRENCY);
     const batchResults = await Promise.all(
       batch.map(async (chunk) => {
+        if (circuitBroken) return [];
         const prompt = buildAnalysisPrompt(chunk.files, platform);
         const systemPrompt = getSystemPrompt(platform);
         const chunkFindings = [];
@@ -6567,6 +6593,7 @@ async function scanWithLLM(files, apiKey, platform) {
             );
             llmFindings = parseResponse(retry.text);
           }
+          consecutiveFailures = 0;
           for (const lf of llmFindings) {
             let matchedPath = lf.file;
             let content = fileMap.get(lf.file);
@@ -6616,16 +6643,42 @@ async function scanWithLLM(files, apiKey, platform) {
             });
           }
         } catch (error) {
+          consecutiveFailures++;
           console.error(
-            `LLM scan failed for chunk: ${error instanceof Error ? error.message : "unknown"}`
+            `LLM scan failed for chunk (${consecutiveFailures} consecutive): ${error instanceof Error ? error.message : "unknown"}`
           );
+          if (consecutiveFailures >= CIRCUIT_BREAKER_THRESHOLD) {
+            circuitBroken = true;
+            console.warn(
+              `[llm] Circuit breaker tripped: ${consecutiveFailures} consecutive failures. Skipping remaining chunks.`
+            );
+          }
         }
         return chunkFindings;
       })
     );
     chunkResults.push(...batchResults);
   }
-  return chunkResults.flat();
+  const findings = chunkResults.flat();
+  if (circuitBroken) {
+    findings.push({
+      id: generateFindingId("_circuit_breaker", 0, "llm-partial-results"),
+      ruleId: "llm-circuit-breaker",
+      title: "AI scan returned partial results",
+      description: "The AI scanner encountered multiple consecutive failures and stopped early. Some files were not analyzed. Please retry the scan or check back later.",
+      plainEnglish: "The AI analysis couldn't finish checking all your files due to repeated errors. You may be missing some findings \u2014 try scanning again.",
+      severity: "low",
+      confidence: "high",
+      source: "llm",
+      file: "",
+      line: 0,
+      snippet: "",
+      fix: {
+        description: "Re-run the scan. If the issue persists, the AI service may be temporarily degraded."
+      }
+    });
+  }
+  return findings;
 }
 function parseTranslations(text) {
   const start = text.lastIndexOf("[");
@@ -6932,6 +6985,7 @@ async function scan(config, onProgress) {
     summary,
     report,
     durationMs,
+    platform,
     ...warnings.length > 0 ? { warnings } : {}
   };
 }
@@ -7226,7 +7280,7 @@ function formatSarifOutput(result) {
         tool: {
           driver: {
             name: "ShipSafe",
-            version: "0.1.0",
+            version: "1.1.11",
             rules: result.findings.map((f) => ({
               id: f.ruleId,
               shortDescription: { text: f.title },
@@ -7878,6 +7932,68 @@ async function scanCommand(targetPath, options) {
       )
     );
   }
+  if (!options.ci && token && result.findings.length > 0 && options.output === "table") {
+    try {
+      const wantsFixPrompt = await confirm({
+        message: chalk5.bold("Generate an AI fix prompt you can paste into Cursor/Lovable/Bolt?"),
+        default: true
+      });
+      if (wantsFixPrompt) {
+        const fixSpinner = ora2({
+          text: chalk5.dim("Generating fix prompt..."),
+          color: "magenta",
+          spinner: "dots12"
+        }).start();
+        try {
+          const fixRes = await fetch(`${options.apiUrl}/api/cli/fix-prompt`, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              Authorization: `Bearer ${token.token}`
+            },
+            body: JSON.stringify({
+              findings: result.findings.map((f) => ({
+                title: f.title,
+                severity: f.severity,
+                filePath: f.file,
+                lineNumber: f.line,
+                fixDescription: f.fix.description,
+                fixSuggestion: f.fix.suggestion,
+                cwe: f.cwe
+              })),
+              platform: result.platform || "manual"
+            })
+          });
+          if (fixRes.ok) {
+            const fixData = await fixRes.json();
+            fixSpinner.succeed(chalk5.green("Fix prompt generated!"));
+            console.log("");
+            console.log(chalk5.bold.magenta("\u2501".repeat(60)));
+            console.log(chalk5.bold.magenta("  AI FIX PROMPT"));
+            console.log(chalk5.dim(`  Tailored for ${fixData.platform === "manual" ? "your AI assistant" : fixData.platform}`));
+            console.log(chalk5.bold.magenta("\u2501".repeat(60)));
+            console.log("");
+            console.log(fixData.prompt);
+            console.log("");
+            console.log(chalk5.bold.magenta("\u2501".repeat(60)));
+            console.log(chalk5.dim("  Copy the above and paste it into your AI coding tool."));
+            console.log(chalk5.bold.magenta("\u2501".repeat(60)));
+            console.log("");
+          } else if (fixRes.status === 429) {
+            const errData = await fixRes.json();
+            fixSpinner.warn(chalk5.yellow(errData.error || "Fix prompt quota exhausted."));
+          } else if (fixRes.status === 401) {
+            fixSpinner.warn("Session expired. Run `shipsafe login` to re-authenticate.");
+          } else {
+            fixSpinner.fail("Could not generate fix prompt.");
+          }
+        } catch {
+          fixSpinner.fail("Could not reach ShipSafe servers.");
+        }
+      }
+    } catch {
+    }
+  }
   if (!options.ci && token) {
     try {
       const feedbackFile = join4(homedir3(), ".shipsafe", "feedback.json");
@@ -7963,6 +8079,21 @@ function initCommand() {
 }
 
 // src/index.ts
+function getVersion() {
+  try {
+    let dir = dirname(fileURLToPath(import.meta.url));
+    for (let i = 0; i < 5; i++) {
+      try {
+        const pkg = JSON.parse(readFileSync6(join5(dir, "package.json"), "utf-8"));
+        if (pkg.name === "@ship-safe/cli") return pkg.version;
+      } catch {
+      }
+      dir = dirname(dir);
+    }
+  } catch {
+  }
+  return "1.1.11";
+}
 function validateApiUrl(value) {
   let parsed;
   try {
@@ -7976,7 +8107,7 @@ function validateApiUrl(value) {
   return value;
 }
 var program = new Command();
-program.name("shipsafe").description("Security scanner for AI-generated code").version("0.1.0");
+program.name("shipsafe").description("Security scanner for AI-generated code").version(getVersion());
 program.command("scan").description("Scan a directory or file for security vulnerabilities").argument("[path]", "Path to scan", ".").addOption(
   new Option("-o, --output <format>", "Output format: table, json, sarif").choices(["table", "json", "sarif"]).default("table")
 ).addOption(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ship-safe/cli",
-  "version": "1.1.8",
+  "version": "1.1.12",
   "description": "Security scanner for AI-generated code — find vulnerabilities before you ship",
   "type": "module",
   "license": "MIT",