code-abyss 1.6.15 → 1.7.0

package/skills/tools/verify-module/scripts/module_scanner.js

@@ -0,0 +1,145 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const REQUIRED_FILES = { 'README.md': '模块说明文档', 'DESIGN.md': '设计决策文档' };
+const ALT_SRC_DIRS = ['src', 'lib', 'pkg', 'internal', 'cmd', 'app'];
+const ALT_TEST_DIRS = ['tests', 'test', '__tests__', 'spec'];
+const ROOT_SCRIPT_FILES = new Set(['install.sh', 'uninstall.sh', 'install.ps1', 'uninstall.ps1', 'Dockerfile', 'Makefile']);
+const CODE_EXTS = new Set(['.py', '.go', '.rs', '.ts', '.js', '.java', '.sh', '.ps1']);
+const TEST_PATTERNS = ['test_', '_test.', '.test.', 'spec_', '_spec.'];
+
+function scanStructure(p, depth = 3) {
+  const s = { name: path.basename(p), type: 'dir', children: [] };
+  if (depth <= 0) return s;
+  try {
+    for (const name of fs.readdirSync(p).sort()) {
+      if (name.startsWith('.')) continue;
+      const full = path.join(p, name);
+      const stat = fs.statSync(full);
+      if (stat.isFile()) s.children.push({ name, type: 'file', size: stat.size });
+      else if (stat.isDirectory()) s.children.push(scanStructure(full, depth - 1));
+    }
+  } catch {}
+  return s;
+}
+
+function rglob(dir, test) {
+  try {
+    for (const name of fs.readdirSync(dir)) {
+      const full = path.join(dir, name);
+      try {
+        const stat = fs.statSync(full);
+        if (stat.isFile() && test(name)) return true;
+        if (stat.isDirectory()) { if (rglob(full, test)) return true; }
+      } catch {}
+    }
+  } catch {}
+  return false;
+}
+
+function scanModule(target) {
+  const modulePath = path.resolve(target);
+  const issues = [];
+  const add = (severity, message, p) => issues.push({ severity, message, path: p || null });
+
+  if (!fs.existsSync(modulePath)) { add('error', `路径不存在: ${modulePath}`); return { modulePath, issues, structure: {} }; }
+  if (!fs.statSync(modulePath).isDirectory()) { add('error', `不是目录: ${modulePath}`); return { modulePath, issues, structure: {} }; }
+
+  const structure = scanStructure(modulePath);
+
+  // required files
+  for (const [file, desc] of Object.entries(REQUIRED_FILES)) {
+    const fp = path.join(modulePath, file);
+    if (!fs.existsSync(fp)) add('error', `缺少必需文档: ${file} (${desc})`, fp);
+    else if (fs.statSync(fp).size < 50) add('warning', `文档内容过少: ${file} (< 50 bytes)`, fp);
+  }
+
+  // source dirs
+  let srcFound = ALT_SRC_DIRS.some(d => { try { return fs.statSync(path.join(modulePath, d)).isDirectory(); } catch { return false; } });
+  const entries = fs.readdirSync(modulePath);
+  const rootCode = entries.filter(n => { try { const s = fs.statSync(path.join(modulePath, n)); return s.isFile() && CODE_EXTS.has(path.extname(n)); } catch { return false; } });
+  const rootScript = entries.filter(n => { try { return fs.statSync(path.join(modulePath, n)).isFile() && ROOT_SCRIPT_FILES.has(n); } catch { return false; } });
+  if (rootCode.length || rootScript.length) { srcFound = true; if (rootCode.length > 5) add('warning', `根目录代码文件过多 (${rootCode.length}个)，建议整理到 src/ 目录`); }
+  if (!srcFound) add('warning', '未找到源码目录或代码文件');
+
+  // test dirs
+  let testFound = ALT_TEST_DIRS.some(d => { try { return fs.statSync(path.join(modulePath, d)).isDirectory(); } catch { return false; } });
+  if (!testFound) testFound = rglob(modulePath, n => TEST_PATTERNS.some(p => n.includes(p)));
+  if (!testFound) add('warning', '未找到测试目录或测试文件');
+
+  // doc quality
+  const readme = path.join(modulePath, 'README.md');
+  if (fs.existsSync(readme)) {
+    const c = fs.readFileSync(readme, 'utf-8');
+    if (!c.includes('#')) add('warning', 'README.md 缺少标题', readme);
+    if (!['usage', 'install', '使用', '安装', 'example', '示例'].some(k => c.toLowerCase().includes(k))) add('info', 'README.md 建议添加使用说明或示例', readme);
+  }
+  const design = path.join(modulePath, 'DESIGN.md');
+  if (fs.existsSync(design)) {
+    const c = fs.readFileSync(design, 'utf-8');
+    if (!['决策', 'decision', '选择', 'choice', '权衡', 'trade'].some(k => c.toLowerCase().includes(k))) add('info', 'DESIGN.md 建议记录设计决策和权衡', design);
+  }
+
+  return { modulePath, issues, structure };
+}
+
+function formatStructure(s, indent = 0) {
+  const pre = '  '.repeat(indent);
+  if (s.type === 'dir') {
+    const lines = [`${pre}\u{1F4C1} ${s.name}/`];
+    for (const ch of (s.children || [])) lines.push(formatStructure(ch, indent + 1));
+    return lines.join('\n');
+  }
+  const sz = (s.size || 0) < 1024 ? `(${s.size} B)` : `(${Math.floor(s.size / 1024)} KB)`;
+  return `${pre}\u{1F4C4} ${s.name} ${sz}`;
+}
+
+function formatReport(r, verbose) {
+  const passed = !r.issues.some(i => i.severity === 'error');
+  const errs = r.issues.filter(i => i.severity === 'error').length;
+  const warns = r.issues.filter(i => i.severity === 'warning').length;
+  const lines = [
+    '='.repeat(60), '模块完整性扫描报告', '='.repeat(60),
+    `\n模块路径: ${r.modulePath}`,
+    `扫描结果: ${passed ? '\u2713 通过' : '\u2717 未通过'}`,
+    `错误: ${errs} | 警告: ${warns}`
+  ];
+  if (r.issues.length) {
+    lines.push('\n' + '-'.repeat(40), '问题列表:', '-'.repeat(40));
+    for (const i of r.issues) {
+      const icon = { error: '\u2717', warning: '\u26A0', info: '\u2139' }[i.severity];
+      lines.push(`  ${icon} [${i.severity.toUpperCase()}] ${i.message}`);
+      if (i.path && verbose) lines.push(`    路径: ${i.path}`);
+    }
+  }
+  if (verbose && r.structure.name) {
+    lines.push('\n' + '-'.repeat(40), '目录结构:', '-'.repeat(40), formatStructure(r.structure));
+  }
+  lines.push('\n' + '='.repeat(60));
+  return lines.join('\n');
+}
+
+// CLI
+const args = process.argv.slice(2);
+const verbose = args.includes('-v') || args.includes('--verbose');
+const jsonOut = args.includes('--json');
+const target = args.find(a => !a.startsWith('-')) || '.';
+
+const result = scanModule(target);
+const passed = !result.issues.some(i => i.severity === 'error');
+
+if (jsonOut) {
+  console.log(JSON.stringify({
+    module_path: result.modulePath, passed,
+    error_count: result.issues.filter(i => i.severity === 'error').length,
+    warning_count: result.issues.filter(i => i.severity === 'warning').length,
+    issues: result.issues
+  }, null, 2));
+} else {
+  console.log(formatReport(result, verbose));
+}
+
+process.exit(passed ? 0 : 1);

package/skills/tools/verify-quality/SKILL.md

@@ -1,6 +1,8 @@
 ---
 name: verify-quality
 description: 代码质量校验关卡。检测复杂度、重复代码、命名规范、函数长度等质量指标。当魔尊提到代码质量、复杂度检查、代码异味、重构建议、lint检查、代码规范时使用。在复杂模块、重构完成时自动触发。
+license: MIT
+compatibility: node>=18
 user-invocable: true
 disable-model-invocation: false
 allowed-tools: Bash, Read, Glob
@@ -24,9 +26,9 @@ argument-hint: <扫描路径>
 
 ```bash
 # 在 skill 目录下运行
-python scripts/quality_checker.py <扫描路径>
-python scripts/quality_checker.py <扫描路径> -v      # 详细模式
-python scripts/quality_checker.py <扫描路径> --json  # JSON 输出
+node scripts/quality_checker.js <扫描路径>
+node scripts/quality_checker.js <扫描路径> -v      # 详细模式
+node scripts/quality_checker.js <扫描路径> --json  # JSON 输出
 ```
 
 ## 检测指标

package/skills/tools/verify-quality/scripts/quality_checker.js

@@ -0,0 +1,276 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+// 质量规则配置
+const MAX_LINE_LENGTH = 120;
+const MAX_FUNCTION_LENGTH = 50;
+const MAX_FILE_LENGTH = 500;
+const MAX_COMPLEXITY = 10;
+const MAX_PARAMETERS = 5;
+const MIN_FUNCTION_NAME_LENGTH = 2;
+
+const EXCLUDE_DIRS = new Set(['.git', 'node_modules', '__pycache__', '.venv', 'venv', 'dist', 'build', '.tox']);
+const CODE_EXTENSIONS = new Set(['.py', '.js', '.ts', '.go', '.java', '.rs', '.c', '.cpp']);
+
+const COMMENT_PREFIXES = { '.js': '//', '.ts': '//', '.go': '//', '.java': '//', '.c': '//', '.cpp': '//', '.rs': '//' };
+
+// --- Analysis ---
+
+function analyzeGenericFile(filePath) {
+  const metrics = { path: filePath, lines: 0, code_lines: 0, comment_lines: 0, blank_lines: 0, functions: 0, classes: 0, max_complexity: 0, avg_function_length: 0 };
+  const issues = [];
+  let content;
+  try { content = fs.readFileSync(filePath, 'utf-8'); } catch { return { metrics, issues }; }
+
+  const lines = content.split('\n');
+  metrics.lines = lines.length;
+  const prefix = COMMENT_PREFIXES[path.extname(filePath).toLowerCase()] || '//';
+
+  for (let i = 0; i < lines.length; i++) {
+    const stripped = lines[i].trim();
+    if (!stripped) metrics.blank_lines++;
+    else if (stripped.startsWith(prefix) || stripped.startsWith('/*') || stripped.startsWith('*')) metrics.comment_lines++;
+    else metrics.code_lines++;
+
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      issues.push({ severity: 'info', category: '格式', message: `行过长 (${lines[i].length} > ${MAX_LINE_LENGTH})`, file_path: filePath, line_number: i + 1, suggestion: null });
+    }
+  }
+
+  if (metrics.code_lines > MAX_FILE_LENGTH) {
+    issues.push({ severity: 'warning', category: '复杂度', message: `文件过长 (${metrics.code_lines} 行代码 > ${MAX_FILE_LENGTH})`, file_path: filePath, suggestion: '考虑拆分为多个模块', line_number: null });
+  }
+
+  return { metrics, issues };
+}
+
+function analyzePythonFile(filePath) {
+  const metrics = { path: filePath, lines: 0, code_lines: 0, comment_lines: 0, blank_lines: 0, functions: 0, classes: 0, max_complexity: 0, avg_function_length: 0 };
+  const issues = [];
+  let content;
+  try { content = fs.readFileSync(filePath, 'utf-8'); } catch (e) {
+    issues.push({ severity: 'error', category: '文件', message: `无法读取文件: ${e.message}`, file_path: filePath, line_number: null, suggestion: null });
+    return { metrics, issues };
+  }
+
+  const lines = content.split('\n');
+  metrics.lines = lines.length;
+  let inMultiline = false;
+
+  for (let i = 0; i < lines.length; i++) {
+    const stripped = lines[i].trim();
+    if (!stripped) { metrics.blank_lines++; }
+    else if (stripped.startsWith('#')) { metrics.comment_lines++; }
+    else if (stripped.includes('"""') || stripped.includes("'''")) {
+      const dq = (stripped.match(/"""/g) || []).length;
+      const sq = (stripped.match(/'''/g) || []).length;
+      if (dq === 2 || sq === 2) { metrics.comment_lines++; }
+      else { inMultiline = !inMultiline; metrics.comment_lines++; }
+    } else if (inMultiline) { metrics.comment_lines++; }
+    else { metrics.code_lines++; }
+
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      issues.push({ severity: 'info', category: '格式', message: `行过长 (${lines[i].length} > ${MAX_LINE_LENGTH})`, file_path: filePath, line_number: i + 1, suggestion: null });
+    }
+  }
+
+  if (metrics.code_lines > MAX_FILE_LENGTH) {
+    issues.push({ severity: 'warning', category: '复杂度', message: `文件过长 (${metrics.code_lines} 行代码 > ${MAX_FILE_LENGTH})`, file_path: filePath, suggestion: '考虑拆分为多个模块', line_number: null });
+  }
+
+  // Regex-based Python analysis (no AST available in Node)
+  const funcRegex = /^( *)(?:async\s+)?def\s+(\w+)\s*\(([^)]*)\)/gm;
+  const classRegex = /^( *)class\s+(\w+)/gm;
+  const functions = [];
+  let match;
+
+  while ((match = funcRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const name = match[2];
+    const indent = match[1].length;
+    const params = match[3].trim() ? match[3].split(',').map(p => p.trim()).filter(p => p && p !== 'self' && p !== 'cls') : [];
+
+    // Calculate function length by finding next line at same or lesser indent
+    const funcLines = lines.slice(lineNum); // lines after def
+    let length = 1;
+    for (let j = 1; j < funcLines.length; j++) {
+      const l = funcLines[j];
+      if (l.trim() === '') { length++; continue; }
+      const curIndent = l.match(/^(\s*)/)[1].length;
+      if (curIndent <= indent && l.trim() !== '') break;
+      length++;
+    }
+
+    // Estimate complexity from function body
+    const bodyLines = lines.slice(lineNum, lineNum + length - 1);
+    let complexity = 1;
+    for (const bl of bodyLines) {
+      const s = bl.trim();
+      if (/^(if|elif|while|for)\s/.test(s) || /^(if|elif|while|for)\(/.test(s)) complexity++;
+      if (/^except(\s|:)/.test(s)) complexity++;
+      if (/\s(and|or)\s/.test(s)) complexity++;
+      if (/\sfor\s/.test(s) && /\sin\s/.test(s) && (s.includes('[') || s.includes('('))) complexity++;
+    }
+
+    functions.push({ name, line: lineNum, length, complexity, parameters: params.length });
+    metrics.max_complexity = Math.max(metrics.max_complexity, complexity);
+
+    // Check function length
+    if (length > MAX_FUNCTION_LENGTH) {
+      issues.push({ severity: 'warning', category: '复杂度', message: `函数 '${name}' 过长 (${length} 行 > ${MAX_FUNCTION_LENGTH})`, file_path: filePath, line_number: lineNum, suggestion: '考虑拆分为多个小函数' });
+    }
+    // Check complexity
+    if (complexity > MAX_COMPLEXITY) {
+      issues.push({ severity: 'warning', category: '复杂度', message: `函数 '${name}' 圈复杂度过高 (${complexity} > ${MAX_COMPLEXITY})`, file_path: filePath, line_number: lineNum, suggestion: '减少嵌套层级，提取子函数' });
+    }
+    // Check parameter count
+    if (params.length > MAX_PARAMETERS) {
+      issues.push({ severity: 'warning', category: '设计', message: `函数 '${name}' 参数过多 (${params.length} > ${MAX_PARAMETERS})`, file_path: filePath, line_number: lineNum, suggestion: '考虑使用配置对象或数据类封装参数' });
+    }
+    // Check naming
+    const SPECIAL = new Set(['setUp', 'tearDown', 'setUpClass', 'tearDownClass', 'setUpModule', 'tearDownModule']);
+    if (!name.startsWith('_') && !SPECIAL.has(name) && !name.startsWith('visit_')) {
+      if (!/^[a-z][a-z0-9_]*$/.test(name)) {
+        issues.push({ severity: 'info', category: '命名', message: `函数名 '${name}' 不符合 snake_case 规范`, file_path: filePath, line_number: lineNum, suggestion: '函数名应使用 snake_case，如 my_function_name' });
+      }
+    }
+    if (name.length < MIN_FUNCTION_NAME_LENGTH) {
+      issues.push({ severity: 'warning', category: '命名', message: `函数名 '${name}' 过短`, file_path: filePath, line_number: lineNum, suggestion: '使用更具描述性的函数名' });
+    }
+  }
+
+  while ((match = classRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const name = match[2];
+    metrics.classes++;
+    if (!/^[A-Z][a-zA-Z0-9]*$/.test(name)) {
+      issues.push({ severity: 'warning', category: '命名', message: `类名 '${name}' 不符合 PascalCase 规范`, file_path: filePath, line_number: lineNum, suggestion: '类名应使用 PascalCase，如 MyClassName' });
+    }
+  }
+
+  metrics.functions = functions.length;
+  if (functions.length > 0) {
+    metrics.avg_function_length = functions.reduce((s, f) => s + f.length, 0) / functions.length;
+  }
+
+  return { metrics, issues };
+}
+
+// --- Directory scan ---
+
+function scanDirectory(scanPath, excludeDirs) {
+  const resolved = path.resolve(scanPath);
+  const exclude = excludeDirs || EXCLUDE_DIRS;
+  const result = { scan_path: resolved, files_scanned: 0, total_lines: 0, total_code_lines: 0, issues: [], file_metrics: [] };
+
+  function walk(dir) {
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      if (exclude.has(entry.name)) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) { walk(full); continue; }
+      const ext = path.extname(entry.name).toLowerCase();
+      if (!CODE_EXTENSIONS.has(ext)) continue;
+
+      result.files_scanned++;
+      const { metrics, issues } = ext === '.py' ? analyzePythonFile(full) : analyzeGenericFile(full);
+      result.file_metrics.push(metrics);
+      result.issues.push(...issues);
+      result.total_lines += metrics.lines;
+      result.total_code_lines += metrics.code_lines;
+    }
+  }
+
+  walk(resolved);
+  return result;
+}
+
+// --- Reporting ---
+
+function errorCount(result) { return result.issues.filter(i => i.severity === 'error').length; }
+function warningCount(result) { return result.issues.filter(i => i.severity === 'warning').length; }
+function passed(result) { return !result.issues.some(i => i.severity === 'error'); }
+
+function formatReport(result, verbose) {
+  const lines = [];
+  const sep = '='.repeat(60);
+  const dash = '-'.repeat(40);
+  lines.push(sep, '代码质量检查报告', sep);
+  lines.push(`\n扫描路径: ${result.scan_path}`);
+  lines.push(`扫描文件: ${result.files_scanned}`);
+  lines.push(`总行数: ${result.total_lines}`);
+  lines.push(`代码行数: ${result.total_code_lines}`);
+  lines.push(`检查结果: ${passed(result) ? '✓ 通过' : '✗ 需要关注'}`);
+  lines.push(`错误: ${errorCount(result)} | 警告: ${warningCount(result)}`);
+
+  if (result.issues.length) {
+    lines.push('\n' + dash, '问题列表:', dash);
+    const byCategory = {};
+    for (const issue of result.issues) {
+      (byCategory[issue.category] || (byCategory[issue.category] = [])).push(issue);
+    }
+    const icons = { error: '✗', warning: '⚠', info: 'ℹ' };
+    for (const cat of Object.keys(byCategory).sort()) {
+      const catIssues = byCategory[cat];
+      lines.push(`\n【${cat}】(${catIssues.length} 个)`);
+      for (const issue of catIssues.slice(0, 10)) {
+        const icon = icons[issue.severity];
+        const loc = issue.line_number ? `:${issue.line_number}` : '';
+        lines.push(`  ${icon} ${issue.file_path}${loc}`);
+        lines.push(`    ${issue.message}`);
+        if (verbose && issue.suggestion) lines.push(`    💡 ${issue.suggestion}`);
+      }
+      if (catIssues.length > 10) lines.push(`  ... 及其他 ${catIssues.length - 10} 个问题`);
+    }
+  }
+
+  if (verbose && result.file_metrics.length) {
+    const complex = result.file_metrics.filter(m => m.max_complexity > 0).sort((a, b) => b.max_complexity - a.max_complexity).slice(0, 5);
+    if (complex.length) {
+      lines.push('\n' + dash, '复杂度最高的文件:', dash);
+      for (const m of complex) lines.push(`  ${m.path}: 复杂度 ${m.max_complexity}, ${m.functions} 个函数`);
+    }
+  }
+
+  lines.push('\n' + sep);
+  return lines.join('\n');
+}
+
+// --- CLI ---
+
+function main() {
+  const args = process.argv.slice(2);
+  let scanPath = '.', verbose = false, jsonOutput = false;
+
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '-v' || args[i] === '--verbose') verbose = true;
+    else if (args[i] === '--json') jsonOutput = true;
+    else if (!args[i].startsWith('-')) scanPath = args[i];
+  }
+
+  const result = scanDirectory(scanPath);
+
+  if (jsonOutput) {
+    const output = {
+      scan_path: result.scan_path,
+      files_scanned: result.files_scanned,
+      total_lines: result.total_lines,
+      total_code_lines: result.total_code_lines,
+      passed: passed(result),
+      error_count: errorCount(result),
+      warning_count: warningCount(result),
+      issues: result.issues
+    };
+    console.log(JSON.stringify(output, null, 2));
+  } else {
+    console.log(formatReport(result, verbose));
+  }
+
+  process.exit(passed(result) ? 0 : 1);
+}
+
+main();

package/skills/tools/verify-security/SKILL.md

@@ -1,6 +1,8 @@
 ---
 name: verify-security
 description: 安全校验关卡。自动扫描代码安全漏洞，检测危险模式，确保安全决策有文档记录。当魔尊提到安全扫描、漏洞检测、安全审计、代码安全、OWASP、注入检测、敏感信息泄露时使用。在新建模块、安全相关变更、攻防任务、重构完成时自动触发。
+license: MIT
+compatibility: node>=18
 user-invocable: true
 disable-model-invocation: false
 allowed-tools: Bash, Read, Grep
@@ -24,10 +26,10 @@ Critical/High 问题必须修复后才能交付
 
 ```bash
 # 在 skill 目录下运行
-python scripts/security_scanner.py <扫描路径>
-python scripts/security_scanner.py <扫描路径> -v           # 详细模式
-python scripts/security_scanner.py <扫描路径> --json       # JSON 输出
-python scripts/security_scanner.py <扫描路径> --exclude vendor  # 排除目录
+node scripts/security_scanner.js <扫描路径>
+node scripts/security_scanner.js <扫描路径> -v           # 详细模式
+node scripts/security_scanner.js <扫描路径> --json       # JSON 输出
+node scripts/security_scanner.js <扫描路径> --exclude vendor  # 排除目录
 ```
 
 ## 检测范围
@@ -98,7 +100,7 @@ html/template 自动转义
 ## 校验流程
 
 ```
-1. 运行 security_scanner.py 自动扫描
+1. 运行 security_scanner.js 自动扫描
 2. 分析扫描结果，按严重度排序
 3. 检查安全决策是否有文档记录
 4. 输出安全校验报告

package/skills/tools/verify-security/scripts/security_scanner.js

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+
+const SECURITY_RULES = [
+  { id: 'SQL_INJECTION_DYNAMIC', category: '注入', severity: 'critical', pattern: /\b(execute|query|raw)\s*\(\s*(f["']|["'][^"'\n]*["']\s*\+\s*|["'][^"'\n]*["']\s*%\s*[^,)]|["'][^"'\n]*["']\.format\s*\()/i, extensions: ['.py', '.js', '.ts', '.go', '.java', '.php'], message: '可能存在 SQL 注入风险', recommendation: '使用参数化查询或 ORM' },
+  { id: 'SQL_INJECTION_FSTRING', category: '注入', severity: 'critical', pattern: /cursor\.(execute|executemany)\s*\(\s*f["']/i, extensions: ['.py'], message: '使用 f-string 构造 SQL 语句', recommendation: "使用参数化查询: cursor.execute('SELECT * FROM t WHERE id = %s', (id,))" },
+  { id: 'COMMAND_INJECTION', category: '注入', severity: 'critical', pattern: /(os\.system|os\.popen|subprocess\.call|subprocess\.run|subprocess\.Popen)\s*\([^)]*shell\s*=\s*True/i, extensions: ['.py'], message: '使用 shell=True 可能导致命令注入', recommendation: '避免 shell=True，使用列表参数' },
+  { id: 'COMMAND_INJECTION_EVAL', category: '注入', severity: 'critical', pattern: /\b(eval|exec)\s*\([^)]*\b(input|request|argv|args)/i, extensions: ['.py'], message: 'eval/exec 执行用户输入', recommendation: '避免对用户输入使用 eval/exec' },
+  { id: 'HARDCODED_SECRET', category: '敏感信息', severity: 'high', pattern: /(?<!\w)(password|passwd|pwd|secret|api_key|apikey|token|auth_token)\s*=\s*["'][^"']{8,}["']/i, excludePattern: /(example|placeholder|changeme|xxx|your[_-]|TODO|FIXME|<.*>|\*{3,})/i, extensions: ['.py', '.js', '.ts', '.go', '.java', '.php', '.rb', '.yaml', '.yml', '.json', '.env'], message: '可能存在硬编码密钥/密码', recommendation: '使用环境变量或密钥管理服务' },
+  { id: 'HARDCODED_AWS_KEY', category: '敏感信息', severity: 'critical', pattern: /AKIA[0-9A-Z]{16}/, extensions: ['*'], message: '发现 AWS Access Key', recommendation: '立即轮换密钥，使用 IAM 角色或环境变量' },
+  { id: 'HARDCODED_PRIVATE_KEY', category: '敏感信息', severity: 'critical', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, extensions: ['*'], message: '发现私钥', recommendation: '私钥不应提交到代码库' },
+  { id: 'XSS_INNERHTML', category: 'XSS', severity: 'high', pattern: /\.innerHTML\s*=|\.outerHTML\s*=|document\.write\s*\(/i, extensions: ['.js', '.ts', '.jsx', '.tsx', '.html'], message: '直接操作 innerHTML 可能导致 XSS', recommendation: '使用 textContent 或框架的安全绑定' },
+  { id: 'XSS_DANGEROUSLY', category: 'XSS', severity: 'medium', pattern: /dangerouslySetInnerHTML/i, extensions: ['.js', '.ts', '.jsx', '.tsx'], message: '使用 dangerouslySetInnerHTML', recommendation: '确保内容已经过净化处理' },
+  { id: 'UNSAFE_PICKLE', category: '反序列化', severity: 'high', pattern: /pickle\.loads?\s*\(|yaml\.load\s*\([^)]*Loader\s*=\s*yaml\.Loader/i, extensions: ['.py'], message: '不安全的反序列化', recommendation: '使用 yaml.safe_load() 或验证数据来源' },
+  { id: 'WEAK_CRYPTO_MD5', category: '加密', severity: 'medium', pattern: /\b(md5|MD5)\s*\(|hashlib\.md5\s*\(/i, extensions: ['.py', '.js', '.ts', '.go', '.java', '.php'], message: '使用弱哈希算法 MD5', recommendation: '密码存储使用 bcrypt/argon2，完整性校验使用 SHA-256+' },
+  { id: 'WEAK_CRYPTO_SHA1', category: '加密', severity: 'low', pattern: /\b(sha1|SHA1)\s*\(|hashlib\.sha1\s*\(/i, extensions: ['.py', '.js', '.ts', '.go', '.java', '.php'], message: '使用弱哈希算法 SHA1', recommendation: '使用 SHA-256 或更强的算法' },
+  { id: 'PATH_TRAVERSAL', category: '路径遍历', severity: 'high', pattern: /(open|read|write|Path|os\.path\.join)\s*\([^\n]*(request|input|argv|args|params|query|form|path_param)\b/i, extensions: ['.py'], message: '可能存在路径遍历风险', recommendation: '验证并规范化用户输入的路径' },
+  { id: 'SSRF', category: 'SSRF', severity: 'high', pattern: /(requests\.(get|post|put|delete|head)|urllib\.request\.urlopen)\s*\([^\n]*(request|input|argv|args|params|query|url)\b/i, extensions: ['.py'], message: '可能存在 SSRF 风险', recommendation: '验证并限制目标 URL' },
+  { id: 'DEBUG_CODE', category: '调试', severity: 'low', pattern: /\b(console\.log|debugger|pdb\.set_trace|breakpoint)\s*\(/i, extensions: ['.py', '.js', '.ts'], message: '发现调试代码', recommendation: '生产环境移除调试代码' },
+  { id: 'INSECURE_RANDOM', category: '加密', severity: 'medium', pattern: /\brandom\.(random|randint|choice|shuffle)\s*\(/i, extensions: ['.py'], message: '使用不安全的随机数生成器', recommendation: '安全场景使用 secrets 模块' },
+  { id: 'XXE', category: 'XXE', severity: 'high', pattern: /etree\.(parse|fromstring)\s*\([^)]*\)|xml\.dom\.minidom\.parse/i, extensions: ['.py'], message: 'XML 解析可能存在 XXE 风险', recommendation: '禁用外部实体: parser = etree.XMLParser(resolve_entities=False)' },
+];
+
+const CODE_EXTENSIONS = new Set(['.py', '.js', '.ts', '.jsx', '.tsx', '.go', '.java', '.php', '.rb', '.yaml', '.yml', '.json']);
+const DEFAULT_EXCLUDES = ['.git', 'node_modules', '__pycache__', '.venv', 'venv', 'dist', 'build', '.tox', 'tests', 'test', '__tests__', 'spec'];
+
+function scanFile(filePath, rules) {
+  const findings = [];
+  const ext = path.extname(filePath).toLowerCase();
+  let content;
+  try { content = fs.readFileSync(filePath, 'utf-8'); } catch { return findings; }
+  const lines = content.split('\n');
+
+  for (const rule of rules) {
+    const exts = rule.extensions;
+    if (!exts.includes('*') && !exts.includes(ext)) continue;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const stripped = line.trim();
+      if (stripped.startsWith('#') || stripped.startsWith('//') || stripped.startsWith('*') || stripped.startsWith('/*')) continue;
+
+      if (rule.pattern.test(line)) {
+        rule.pattern.lastIndex = 0;
+        if (rule.excludePattern && rule.excludePattern.test(line)) { rule.excludePattern.lastIndex = 0; continue; }
+        findings.push({ severity: rule.severity, category: rule.category, message: rule.message, file_path: filePath, line_number: i + 1, line_content: stripped.slice(0, 100), recommendation: rule.recommendation });
+      }
+    }
+  }
+  return findings;
+}
+
+function walkDir(dir, excludeDirs) {
+  const results = [];
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return results; }
+  for (const entry of entries) {
+    if (excludeDirs.includes(entry.name)) continue;
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) { results.push(...walkDir(full, excludeDirs)); }
+    else if (entry.isFile() && CODE_EXTENSIONS.has(path.extname(entry.name).toLowerCase())) { results.push(full); }
+  }
+  return results;
+}
+
+function scanDirectory(scanPath, excludeDirs) {
+  const resolved = path.resolve(scanPath);
+  const findings = [];
+  const files = walkDir(resolved, excludeDirs);
+  for (const f of files) findings.push(...scanFile(f, SECURITY_RULES));
+  findings.sort((a, b) => (SEVERITY_ORDER[a.severity] ?? 9) - (SEVERITY_ORDER[b.severity] ?? 9));
+  const passed = !findings.some(f => f.severity === 'critical' || f.severity === 'high');
+  return { scan_path: resolved, files_scanned: files.length, passed, findings };
+}
+
+function countBySeverity(findings) {
+  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
+  return counts;
+}
+
+function formatReport(result, verbose) {
+  const counts = countBySeverity(result.findings);
+  const icons = { critical: '\u{1F534}', high: '\u{1F7E0}', medium: '\u{1F7E1}', low: '\u{1F535}', info: '\u26AA' };
+  const lines = [
+    '='.repeat(60), '代码安全扫描报告', '='.repeat(60),
+    `\n扫描路径: ${result.scan_path}`, `扫描文件: ${result.files_scanned}`,
+    `扫描结果: ${result.passed ? '\u2713 通过' : '\u2717 发现高危问题'}`,
+    `\n严重: ${counts.critical} | 高危: ${counts.high} | 中危: ${counts.medium} | 低危: ${counts.low}`,
+  ];
+  if (result.findings.length) {
+    lines.push('\n' + '-'.repeat(40), '发现问题:', '-'.repeat(40));
+    for (const f of result.findings) {
+      lines.push(`\n${icons[f.severity] || ''} [${f.severity.toUpperCase()}] ${f.category}`);
+      lines.push(`   文件: ${f.file_path}:${f.line_number}`);
+      lines.push(`   问题: ${f.message}`);
+      if (verbose) lines.push(`   代码: ${f.line_content}`);
+      lines.push(`   建议: ${f.recommendation}`);
+    }
+  }
+  lines.push('\n' + '='.repeat(60));
+  return lines.join('\n');
+}
+
+function main() {
+  const args = process.argv.slice(2);
+  let scanPath = '.', verbose = false, jsonOut = false, extraExcludes = [];
+
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '-v' || args[i] === '--verbose') verbose = true;
+    else if (args[i] === '--json') jsonOut = true;
+    else if (args[i] === '--exclude') { while (i + 1 < args.length && !args[i + 1].startsWith('-')) extraExcludes.push(args[++i]); }
+    else if (args[i] === '--help' || args[i] === '-h') { console.log('Usage: security_scanner.js [path] [-v] [--json] [--exclude dir1 dir2]'); process.exit(0); }
+    else if (!args[i].startsWith('-')) scanPath = args[i];
+  }
+
+  const excludeDirs = [...DEFAULT_EXCLUDES, ...extraExcludes];
+  const result = scanDirectory(scanPath, excludeDirs);
+
+  if (jsonOut) {
+    console.log(JSON.stringify({ scan_path: result.scan_path, files_scanned: result.files_scanned, passed: result.passed, counts: countBySeverity(result.findings), findings: result.findings }, null, 2));
+  } else {
+    console.log(formatReport(result, verbose));
+  }
+  process.exit(result.passed ? 0 : 1);
+}
+
+main();