@vainplex/shieldapi-cli 1.2.1 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -109,18 +109,42 @@ if [ $? -eq 1 ]; then
109
109
  fi
110
110
  ```
111
111
 
112
- ## Security
112
+ ## Security & Privacy
113
113
 
114
- - **Passwords are hashed locally** with SHA-1 before any network request. Plaintext never leaves your machine.
115
- - **Private keys are never persisted** to disk, logs, or displayed in output.
116
- - **No telemetry** — zero phone-home, zero analytics.
117
- - **Shell history warning** the CLI warns when passwords are passed as arguments (use `--stdin` for sensitive passwords).
114
+ ### Your password never leaves your machine in plaintext
115
+
116
+ 1. Your password is **SHA-1 hashed locally** on your machine plaintext never touches the network.
117
+ 2. The SHA-1 hash is sent over **HTTPS** to the ShieldAPI server.
118
+ 3. The server uses the [HIBP k-Anonymity protocol](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange) — only the **first 5 characters** of the hash go to the upstream breach database. The full hash never leaves ShieldAPI.
119
+
120
+ **Want true end-to-end k-Anonymity?** Use the `check-password-range` endpoint directly via the API — it only accepts a 5-character prefix and returns all matching suffixes, so you can check locally.
121
+
122
+ ### Avoiding shell history exposure
123
+
124
+ Passing a password as a CLI argument stores it in your shell history (`~/.bash_history`). Use these safer alternatives:
118
125
 
119
126
  ```bash
120
- # Secure password checking (avoids shell history)
121
- echo "mysecretpassword" | shieldapi password dummy --stdin
127
+ # Option 1: Read from stdin (recommended)
128
+ read -sp "Password: " PW && echo -n "$PW" | shieldapi password dummy --stdin --demo
129
+
130
+ # Option 2: Pipe directly
131
+ echo -n "mypassword" | shieldapi password dummy --stdin --demo
132
+
133
+ # Option 3: Hash first, then check the hash
134
+ shieldapi hash "mypassword" # → shows SHA-1 locally
135
+ shieldapi password "7C6A18..." --hash --demo # check by hash, not password
136
+
137
+ # Option 4: Clear history after
138
+ shieldapi password "test" --demo && history -d $(history 1 | awk '{print $1}')
122
139
  ```
123
140
 
141
+ ### Other security guarantees
142
+
143
+ - **Private keys are never persisted** to disk, logs, or displayed in output.
144
+ - **No telemetry** — zero phone-home, zero analytics.
145
+ - **HTTPS only** — all API communication is encrypted.
146
+ - **Shell history warning** — the CLI warns when passwords are passed as arguments.
147
+
124
148
  ## How x402 Works
125
149
 
126
150
  [x402](https://x402.org) is an open protocol for HTTP payments. Instead of API keys:
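Review bot: the new heading "Your password never leaves your machine in plaintext" together with step 2 ("The SHA-1 hash is sent over HTTPS to the ShieldAPI server") overstates the protection. An unsalted SHA-1 of a user password is cheap to brute-force or match against a dictionary, so for ordinary passwords the full hash ShieldAPI receives is close to as sensitive as the password itself; the text should state plainly that ShieldAPI sees the full hash and that only the upstream HIBP lookup is k-anonymised, and the `check-password-range` prefix flow should be the recommended path rather than an aside. In the `bash` block, only Option 1 (`read -sp`) actually keeps the password out of shell history: Option 2 (`echo -n "mypassword" | ...`) and Option 3 (`shieldapi hash "mypassword"`) write the literal password to `~/.bash_history` exactly as a plain argument would, contradicting the section heading, and `read -sp` / `echo -n` are bash-specific rather than POSIX `sh`. Option 4's `history -d $(history 1 | awk '{print $1}')` only works under interactive bash history semantics and the password has already been passed as an argument (visible in the process list while the command runs), so it is not a safe alternative. Suggest keeping Option 1 and the hash-based Option 3 with the hash computed via stdin, and dropping or explicitly marking Options 2 and 4 as demo-only.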
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vainplex/shieldapi-cli",
3
- "version": "1.2.1",
3
+ "version": "1.2.2",
4
4
  "description": "Security intelligence from your terminal. Pay-per-request with USDC.",
5
5
  "type": "module",
6
6
  "bin": {
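Review bot: the version string is maintained in two places (`"version": "1.2.2"` here and `.version('1.2.2')` hardcoded in src/index.js), which invites drift on the next bump; since the package is `"type": "module"`, index.js could read it from package.json instead, for example via `createRequire(import.meta.url)('../package.json').version` from `node:module`, so a single edit here updates the CLI's reported version.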
package/src/index.js CHANGED
@@ -14,7 +14,7 @@ export function run(argv) {
14
14
  program
15
15
  .name('shieldapi')
16
16
  .description('🛡️ ShieldAPI CLI — Security intelligence from your terminal. Pay-per-request with USDC.')
17
- .version('1.2.1')
17
+ .version('1.2.2')
18
18
  .option('--wallet <key>', 'Private key for x402 payments (or set SHIELDAPI_WALLET_KEY)')
19
19
  .option('--json', 'Output raw JSON instead of formatted output')
20
20
  .option('--no-color', 'Disable colors')
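Review bot: the unchanged context line `.option('--wallet <key>', 'Private key for x402 payments (or set SHIELDAPI_WALLET_KEY)')` accepts a wallet private key as a command-line argument, which exposes it to the same shell-history and process-list leakage the README's new "Avoiding shell history exposure" section warns about for passwords, and the README's "Private keys are never persisted to disk, logs, or displayed in output" guarantee does not cover that path. Suggest documenting `SHIELDAPI_WALLET_KEY` (already named in the help text) as the recommended way to supply the key and emitting the same warning the CLI gives for password arguments when `--wallet` is used on the command line.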