@telelabsai/ship 1.1.2 → 1.1.4

package/.claude/skills/ship-secure/references/dependency-audit.md

@@ -0,0 +1,71 @@
+# Dependency Audit
+
+## Step 1: Run Package Manager Audit
+
+| Ecosystem | Command |
+|-----------|---------|
+| npm | `npm audit --json 2>/dev/null` |
+| yarn | `yarn audit --json 2>/dev/null` |
+| pnpm | `pnpm audit --json 2>/dev/null` |
+| pip | `pip audit --format json 2>/dev/null` or `safety check --json 2>/dev/null` |
+| go | `govulncheck ./... 2>/dev/null` |
+| cargo | `cargo audit --json 2>/dev/null` |
+
+If command not available, fall back to reading lock files manually.
+
+## Step 2: Analyze Results
+
+For each vulnerability found:
+- Package name and installed version
+- CVE ID and severity (critical, high, medium, low)
+- Description of the vulnerability
+- Fixed version (if available)
+- Whether it's a direct or transitive dependency
+- Whether it's reachable in the codebase (import used or not)
+
+## Step 3: Check for Outdated Packages
+
+```bash
+npm outdated --json 2>/dev/null
+```
+
+Flag:
+- Major version behind on security-critical packages (auth, crypto, http)
+- Packages with no updates in 2+ years (potentially abandoned)
+- Packages with known security track record issues
+
+## Step 4: Check for Suspicious Packages
+
+Flag:
+- Packages with very low download counts
+- Packages that were recently transferred to new owners
+- Typosquatting (package names similar to popular ones)
+- Packages requesting unnecessary permissions
+
+## Severity Classification
+
+Uses the same 3-level system as all Ship tools:
+
+| Level | CVSS Mapping | When |
+|-------|-------------|------|
+| Critical | CVSS >= 7.0 | Known CVE with high/critical severity, exploit available |
+| Warning | CVSS 4.0-6.9 | Known CVE with medium severity, outdated major version on critical package |
+| Suggestion | CVSS < 4.0 | Low severity CVE, outdated package, informational |
+
+## Output Format
+
+```markdown
+### Dependencies
+
+#### Vulnerabilities
+- [critical] package@version — CVE-XXXX-XXXXX: description
+  Fix: upgrade to package@fixed-version
+
+#### Outdated (security-relevant)
+- package@current → package@latest (N major versions behind)
+
+#### Summary
+Total packages: N
+Vulnerable: N (critical: N, warning: N, suggestion: N)
+Outdated: N
+```

package/.claude/skills/ship-secure/references/owasp-checks.md

@@ -0,0 +1,197 @@
+# Vulnerability Checks
+
+## A01: Broken Access Control
+
+Check for:
+- Endpoints without authentication middleware
+- Missing authorization (user accessing other users' resources)
+- CORS misconfiguration (wildcard *, credentials: true)
+- Directory traversal (user input in file paths: `../../../etc/passwd`)
+- Insecure direct object references (sequential IDs: `/api/users/1`, `/api/users/2`)
+- Missing function-level access control (admin routes accessible to regular users)
+- RBAC not enforced consistently
+
+Patterns to search:
+```
+app.get('/admin     (without auth middleware)
+req.params.id       (used directly to fetch without ownership check)
+Access-Control-Allow-Origin: *
+path.join(userInput)
+```
+
+## A02: Cryptographic Failures
+
+Check for:
+- Passwords stored in plain text or with weak hash (MD5, SHA1)
+- Missing encryption on sensitive data at rest
+- Hardcoded encryption keys or salts
+- HTTP instead of HTTPS for sensitive data
+- Weak random number generation (Math.random for tokens)
+- Missing TLS version enforcement
+- Sensitive data in URL parameters (tokens, passwords in query strings)
+
+Patterns:
+```
+md5(    sha1(    Math.random()
+password =      secret =      (in plain assignment without hashing)
+http://         (for API calls with sensitive data)
+```
+
+## A03: Injection
+
+Check for:
+- SQL injection (string concatenation in queries)
+- NoSQL injection (user input in MongoDB queries without sanitization)
+- Command injection (user input in exec, spawn, system calls)
+- LDAP injection
+- XPath injection
+- Template injection (user input in template engines)
+- Header injection (user input in HTTP headers)
+
+Patterns:
+```
+`SELECT * FROM users WHERE id = ${    (SQL injection)
+exec(`${userInput}                     (command injection)
+db.collection.find({ $where:           (NoSQL injection)
+res.setHeader(userInput                (header injection)
+```
+
+## A04: Insecure Design
+
+Check for:
+- No rate limiting on authentication endpoints
+- No account lockout after failed attempts
+- Missing CAPTCHA on public forms
+- No request throttling on expensive operations
+- Trust boundary violations (trusting client-side validation)
+- Business logic flaws (negative quantities, price manipulation)
+
+## A05: Security Misconfiguration
+
+Check for:
+- Debug mode enabled in production config
+- Default credentials in config files
+- Unnecessary HTTP methods enabled (TRACE, OPTIONS on all routes)
+- Missing security headers (X-Content-Type-Options, X-Frame-Options, CSP, HSTS)
+- Verbose error messages exposing stack traces
+- Directory listing enabled
+- Unnecessary features/services running
+- Default sample apps or docs deployed
+
+Patterns:
+```
+DEBUG = True       NODE_ENV !== 'production'
+X-Powered-By       (not disabled)
+stack:              (in error responses)
+```
+
+## A06: Vulnerable and Outdated Components
+
+Check for:
+- Known CVEs in dependencies (npm audit, pip audit)
+- Outdated major versions of critical packages
+- Abandoned packages (no updates in 2+ years)
+- Packages with known security issues that haven't been patched
+
+## A07: Identification and Authentication Failures
+
+Check for:
+- No password strength requirements
+- Missing brute force protection
+- Session tokens in URLs
+- Sessions not invalidated on logout
+- Missing session timeout
+- Weak password recovery (security questions, predictable tokens)
+- JWT without expiration or with excessive lifetime
+- Missing token refresh mechanism
+- No multi-factor authentication option on sensitive operations
+
+Patterns:
+```
+jwt.sign(payload)                    (no expiresIn)
+req.session.destroy()                (missing or inconsistent)
+token = req.query.token              (token in URL)
+```
+
+## A08: Software and Data Integrity Failures
+
+Check for:
+- CI/CD pipeline without integrity verification
+- Deserialization of untrusted data
+- Auto-updates without signature verification
+- npm/pip install from untrusted sources
+
+## A09: Security Logging and Monitoring Failures
+
+Check for:
+- Failed login attempts not logged
+- No audit trail for admin operations
+- Sensitive data in logs (passwords, tokens, PII)
+- No alerting on suspicious activity
+- Logs without timestamps or user context
+- Missing request ID for tracing
+
+Patterns:
+```
+console.log(password    console.log(token    console.log(secret
+catch (err) { }                              (swallowed with no logging)
+```
+
+## A10: Server-Side Request Forgery (SSRF)
+
+Check for:
+- User-supplied URLs used in server-side HTTP requests
+- No URL validation or allowlist
+- Internal service endpoints accessible via user input
+- Redirect following without validation
+
+Patterns:
+```
+fetch(userInput)     axios.get(req.body.url)
+http.get(url)        (where url comes from user)
+```
+
+## Exposed Endpoints and Infrastructure
+
+Check for:
+- Internal/admin endpoints accessible without auth or IP restriction
+- Debug/test routes left in production (`/debug`, `/test`, `/__dev__`)
+- Health check endpoints exposing sensitive info (DB strings, versions, env vars)
+- GraphQL introspection enabled in production
+- API documentation (Swagger/OpenAPI) accessible without authentication in production
+- Unused or deprecated endpoints still active and reachable
+- Default framework error pages revealing stack traces or framework version
+- `.env`, `config.json`, or other config files accessible via HTTP
+- Source maps served in production (exposes original source code)
+- CORS wildcard (`*`) with `credentials: true`
+
+Patterns:
+```
+/admin       /debug       /test        (without auth middleware)
+/graphql     (with introspection enabled)
+/api-docs    /swagger     (without auth in production)
+/.env        /config      (accessible via HTTP)
+*.map        (source maps in production build)
+```
+
+## Webhook and Payment Security (Full Codebase)
+
+Check for:
+- Webhook endpoints without signature verification
+- Webhook secrets stored in source code instead of environment variables
+- Payment endpoints without idempotency protection
+- Financial operations without transaction wrapping
+- Missing audit logging on payment events
+- No rate limiting on payment or webhook endpoints
+- Webhook handlers that return 200 before completing processing
+- Missing dead letter queue for failed webhook events
+- Payment amount validation missing (negative, zero, excessive amounts)
+- No reconciliation mechanism between payment provider and local state
+
+Patterns:
+```
+app.post('/webhook          (without signature verification)
+app.post('/payment          (without idempotency middleware)
+stripe.webhooks.construct   (verify this is actually called, not skipped)
+amount = req.body.amount    (trusting client-sent amount)
+```

package/.claude/skills/ship-secure/references/secret-patterns.md

@@ -0,0 +1,50 @@
+# Secret Detection Patterns
+
+All secret patterns are defined in a single source of truth:
+
+**File:** `.claude/shared/secret-patterns.json`
+
+This file is used by:
+- `.claude/hooks/git-safety.cjs` (blocks staging sensitive files in Claude Code)
+- `git-hooks/pre-commit.cjs` (blocks commits containing secrets)
+- `ship-secure` skill (full codebase scan)
+
+## How to Add New Patterns
+
+Edit `.claude/shared/secret-patterns.json` once. All hooks and skills pick it up automatically.
+
+## Categories in the Shared File
+
+- **apiKeys** — AWS, OpenAI, Anthropic, GitHub, Stripe, Slack, SendGrid, etc.
+- **credentials** — Hardcoded passwords, secrets, tokens, client secrets
+- **databaseUrls** — MongoDB, PostgreSQL, MySQL, Redis, RabbitMQ connection strings
+- **privateKeys** — RSA, EC, DSA, PGP private keys
+- **dangerousFiles** — .env, .pem, .key, credentials.json, id_rsa, etc.
+- **falsePositives** — process.env, os.environ, placeholders, .env.example
+
+## Scan Targets
+
+All source files excluding:
+- `node_modules/`, `.git/`, `dist/`, `build/`, `.next/`
+- Binary files
+- Lock files (`package-lock.json`, `yarn.lock`)
+
+## Severity Rules
+
+Uses the same 3-level system as all Ship tools:
+
+- Real API key or secret in source → Critical
+- Private key in repository → Critical
+- Database URL with credentials → Critical
+- .env file tracked in git → Critical
+- Hardcoded password in test file → Warning
+- Pattern match that might be false positive → Suggestion
+
+## False Positive Handling
+
+Skip if value matches any entry in `falsePositives` array:
+- Environment variable reference (`process.env.`, `os.environ`)
+- Placeholder values (`<PLACEHOLDER>`, `YOUR_KEY_HERE`, `changeme`)
+- Example files (`.env.example`, `.env.template`)
+- Empty strings
+- Commented out lines

package/.claude/skills/ship-test/SKILL.md

@@ -0,0 +1,85 @@
+---
+name: ship-test
+description: "AI test analysis. Runs test suite, analyzes coverage, finds untested code paths, identifies weak assertions and flaky patterns."
+argument-hint: "[--coverage] [--missing] [--ci]"
+---
+
+# ship-test — AI Test Analysis
+
+## Usage
+
+```
+ship test                  # run tests + analyze results
+ship test --coverage       # coverage report only
+ship test --missing        # find untested code paths
+ship test --ci             # CI mode (structured output, exit code)
+```
+
+## Workflow
+
+### Step 1: Detect Test Framework
+
+Auto-detect from project files:
+- `jest.config.*` or `jest` in package.json → Jest
+- `vitest.config.*` or `vitest` in package.json → Vitest
+- `mocha` in package.json → Mocha
+- `.mocharc.*` → Mocha
+- `pytest.ini` or `pyproject.toml` with pytest → Pytest
+- `go test` → Go testing
+- Fallback: read `scripts.test` from package.json
+
+### Step 2: Run Tests
+
+```bash
+# Use the detected framework's command
+npm test              # or yarn test, pnpm test
+# With coverage flag if supported
+npm test -- --coverage
+```
+
+### Step 3: Analyze Results
+
+Read test output and classify:
+
+**Failures:** For each failed test:
+- Which test failed (file, test name)
+- What was expected vs received
+- Root cause analysis (read the source code to understand why)
+- Suggested fix
+
+**Coverage:** Parse coverage output:
+- Statements, branches, functions, lines percentages
+- Files with lowest coverage
+- Uncovered lines/branches
+
+### Step 4: Find Untested Paths
+
+Read source files and compare against test files:
+- Functions with no corresponding test
+- Error/catch blocks never tested
+- Edge cases not covered (null, empty, boundary values)
+- Conditional branches with no test for false path
+- API endpoints without integration tests
+
+### Step 5: Assess Test Quality
+
+Check for:
+- Weak assertions (only checking truthiness, not specific values)
+- Tests that can never fail (no assertions)
+- Flaky patterns (timing-dependent, order-dependent, global state)
+- Mocking too much (mock hides real bugs)
+- Not testing error scenarios
+- Missing cleanup/teardown
+- Duplicate test coverage (same thing tested multiple ways)
+- Tests that test implementation, not behavior
+
+### Step 6: Report
+
+Output per `references/output-format.md`.
+
+## Quick Reference
+
+| Reference | Content |
+|-----------|---------|
+| `references/test-workflow.md` | Detailed test execution steps |
+| `references/coverage-analysis.md` | Coverage analysis rules and thresholds |

package/.claude/skills/ship-test/references/coverage-analysis.md

@@ -0,0 +1,70 @@
+# Coverage Analysis
+
+## Thresholds
+
+| Metric | Minimum | Good | Excellent |
+|--------|---------|------|-----------|
+| Statements | 70% | 80% | 90%+ |
+| Branches | 60% | 75% | 85%+ |
+| Functions | 70% | 85% | 95%+ |
+| Lines | 70% | 80% | 90%+ |
+
+## Verdict Rules
+
+- FAIL if any test fails
+- FAIL if statements coverage < 70% (configurable)
+- PASS with warnings if coverage between 70-80%
+- PASS if all tests pass and coverage >= 80%
+
+## What to Flag
+
+### Critical (blocks merge)
+- Test failures
+- Coverage dropped compared to main branch
+- Critical path has zero test coverage (auth, payments, data mutations)
+
+### Warning
+- Coverage below threshold
+- New code has lower coverage than existing code
+- Error handling paths not tested
+- Only happy path tested, no edge cases
+
+### Suggestion
+- Test could cover additional edge case
+- Assertion could be more specific
+- Test name doesn't describe what it tests
+- Setup/teardown could be extracted to fixture
+
+## Output Format
+
+```markdown
+## Ship Test
+
+### Test Results
+Passed: N | Failed: N | Skipped: N
+Duration: Ns
+
+### Failures
+- file/test.ts — "test name"
+  Expected: X
+  Received: Y
+  Root cause: explanation
+  Fix: suggestion
+
+### Coverage
+Statements: N% | Branches: N% | Functions: N% | Lines: N%
+
+### Untested Code Paths
+- file/path.ts:LINE-LINE — description of what's not tested
+- file/path.ts:LINE — edge case not covered
+
+### Test Quality Issues
+- [weak] file/test.ts:LINE — assertion only checks truthiness
+- [flaky] file/test.ts:LINE — depends on timing
+
+### Summary
+Tests: N passed, N failed
+Coverage: N% statements
+Critical: N | Warning: N | Suggestion: N
+Verdict: PASS or FAIL
+```

package/.claude/skills/ship-test/references/output-format.md

@@ -0,0 +1,71 @@
+# Test Output Format
+
+## Standard Report
+
+```markdown
+## Ship Test
+
+### Test Results
+Passed: N | Failed: N | Skipped: N
+Duration: Ns
+
+### Failures
+- file/test.ts:LINE — "test name"
+  Expected: value
+  Received: value
+  Root cause: explanation
+  Fix: suggestion
+
+### Coverage
+Statements: N% | Branches: N% | Functions: N% | Lines: N%
+
+### Untested Code Paths
+- file/path.ts:LINE-LINE — description of what's not tested
+
+### Test Quality Issues
+- [weak] file/test.ts:LINE — assertion only checks truthiness
+- [flaky] file/test.ts:LINE — depends on timing
+- [mock] file/test.ts:LINE — mocks hide real behavior
+
+### Summary
+Tests: N passed, N failed
+Coverage: N% statements
+Critical: N | Warning: N | Suggestion: N
+Verdict: PASS or FAIL
+```
+
+## Rules
+
+- Verdict is FAIL if any test fails
+- Verdict is FAIL if coverage drops below threshold (default 70%)
+- Group failures by file
+- Include root cause analysis for each failure (read source code)
+- Include fix suggestion for each failure
+- Untested paths should reference specific file:line ranges
+- Quality issues use tags: [weak], [flaky], [mock], [duplicate], [missing-cleanup]
+
+## CI Mode
+
+Same format but:
+- No conversational text
+- Just the markdown report
+- Suitable for PR comments
+
+## No Issues Found
+
+```markdown
+## Ship Test
+
+### Test Results
+Passed: N | Failed: 0 | Skipped: 0
+Duration: Ns
+
+### Coverage
+Statements: N% | Branches: N% | Functions: N% | Lines: N%
+
+### Summary
+Tests: N passed, 0 failed
+Coverage: N% statements
+Critical: 0 | Warning: 0 | Suggestion: 0
+Verdict: PASS
+```

package/.claude/skills/ship-test/references/test-workflow.md

@@ -0,0 +1,47 @@
+# Test Workflow
+
+## Framework Detection
+
+| File/Config | Framework | Run command |
+|------------|-----------|-------------|
+| `vitest.config.*` | Vitest | `npx vitest run` |
+| `jest.config.*` | Jest | `npx jest` |
+| `package.json` has `vitest` | Vitest | `npx vitest run` |
+| `package.json` has `jest` | Jest | `npx jest` |
+| `package.json` has `mocha` | Mocha | `npx mocha` |
+| `pytest.ini` / `pyproject.toml` | Pytest | `pytest` |
+| `go.mod` | Go | `go test ./...` |
+| `Cargo.toml` | Rust | `cargo test` |
+| Fallback | npm | `npm test` |
+
+## Coverage Commands
+
+| Framework | Coverage command |
+|-----------|----------------|
+| Vitest | `npx vitest run --coverage` |
+| Jest | `npx jest --coverage` |
+| Pytest | `pytest --cov` |
+| Go | `go test -cover ./...` |
+
+## Analyzing Failures
+
+For each failed test:
+
+1. Read the test file to understand what it tests
+2. Read the source file to understand why it fails
+3. Determine if:
+   - Test is wrong (outdated expectation)
+   - Source code has a bug
+   - Test is flaky (timing, order, environment)
+4. Report with root cause and fix suggestion
+
+## Untested Path Detection
+
+1. List all source files (exclude tests, config, types)
+2. For each source file, find corresponding test file
+3. If no test file exists → report as "No tests"
+4. If test file exists, compare:
+   - Exported functions vs tested functions
+   - Error handling paths vs error tests
+   - Conditional branches vs branch tests
+5. Report uncovered paths with file:line references

package/.claude/skills/ship-version/SKILL.md

@@ -71,6 +71,10 @@ type(scope): description
 [optional: Refs: TICKET-ID]
 ```
 
+## Agent
+
+Use the `git-ops` agent for operations with verbose output (large diffs, long logs, merge conflicts) to keep main context clean.
+
 ## Core Workflow
 
 ### Step 1: Analyze

package/.claude/skills/ship-version/references/safety-protocols.md

@@ -2,32 +2,26 @@
 
 ## Secret Detection
 
+All secret patterns are defined in `.claude/shared/secret-patterns.json` (single source of truth).
+
 ### Scan Command
 ```bash
 git diff --cached | grep -iE "(AKIA|api[_-]?key|token|password|secret|credential|private[_-]?key|mongodb://|postgres://|mysql://|redis://|-----BEGIN)"
 ```
 
-### Patterns
-
-| Category | Pattern |
-|----------|---------|
-| API Keys | `api[_-]?key`, `apiKey` |
-| AWS | `AKIA[0-9A-Z]{16}` |
-| Tokens | `token`, `auth_token`, `jwt` |
-| Passwords | `password`, `passwd`, `pwd` |
-| Private Keys | `-----BEGIN PRIVATE KEY-----` |
-| DB URLs | `mongodb://`, `postgres://`, `mysql://` |
-| OAuth | `client_secret`, `oauth_token` |
+### Pattern Categories
 
-### Dangerous Files
-- `.env`, `.env.*` (except `.env.example`)
-- `*.key`, `*.pem`, `*.p12`
-- `credentials.json`, `secrets.json`
+Defined in `secret-patterns.json`:
+- **apiKeys** — AWS, OpenAI, Anthropic, GitHub, Stripe, Slack, SendGrid, Google, etc.
+- **credentials** — Hardcoded passwords, secrets, tokens, client secrets
+- **databaseUrls** — MongoDB, PostgreSQL, MySQL, Redis, RabbitMQ connection strings
+- **privateKeys** — RSA, EC, DSA, PGP private keys
+- **dangerousFiles** — .env, .pem, .key, .p12, credentials.json, id_rsa, etc.
 
 ### On Detection
 1. BLOCK commit
 2. Show matching lines
-3. Suggest `.gitignore` or env variables
+3. Suggest `.gitignore` or environment variables
 4. Offer to unstage: `git reset HEAD <file>`
 
 ## Branch Protection

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 TeleLabs AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.