code-abyss 1.6.16 → 1.7.1

package/skills/tools/verify-quality/scripts/quality_checker.js

@@ -0,0 +1,337 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { parseCliArgs, buildReport, hasFatal } = require(path.join(__dirname, '..', '..', 'lib', 'shared.js'));
+
+// 质量规则配置
+const MAX_LINE_LENGTH = 120;
+const MAX_FUNCTION_LENGTH = 50;
+const MAX_FILE_LENGTH = 500;
+const MAX_COMPLEXITY = 10;
+const MAX_PARAMETERS = 5;
+const MIN_FUNCTION_NAME_LENGTH = 2;
+
+const EXCLUDE_DIRS = new Set(['.git', 'node_modules', '__pycache__', '.venv', 'venv', 'dist', 'build', '.tox']);
+const CODE_EXTENSIONS = new Set(['.py', '.js', '.ts', '.go', '.java', '.rs', '.c', '.cpp']);
+
+const COMMENT_PREFIXES = {
+  '.js': '//', '.ts': '//', '.go': '//', '.java': '//',
+  '.c': '//', '.cpp': '//', '.rs': '//',
+};
+
+// --- Analysis ---
+
+function analyzeGenericFile(filePath) {
+  const metrics = {
+    path: filePath, lines: 0, code_lines: 0, comment_lines: 0,
+    blank_lines: 0, functions: 0, classes: 0,
+    max_complexity: 0, avg_function_length: 0,
+  };
+  const issues = [];
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf-8');
+  } catch { return { metrics, issues }; }
+
+  const lines = content.split('\n');
+  metrics.lines = lines.length;
+  const prefix = COMMENT_PREFIXES[
+    path.extname(filePath).toLowerCase()
+  ] || '//';
+
+  for (let i = 0; i < lines.length; i++) {
+    const stripped = lines[i].trim();
+    if (!stripped) metrics.blank_lines++;
+    else if (
+      stripped.startsWith(prefix) ||
+      stripped.startsWith('/*') ||
+      stripped.startsWith('*')
+    ) metrics.comment_lines++;
+    else metrics.code_lines++;
+
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      issues.push({
+        severity: 'info', category: '格式',
+        message: `行过长 (${lines[i].length} > ${MAX_LINE_LENGTH})`,
+        file_path: filePath, line_number: i + 1,
+        suggestion: null,
+      });
+    }
+  }
+
+  if (metrics.code_lines > MAX_FILE_LENGTH) {
+    issues.push({
+      severity: 'warning', category: '复杂度',
+      message: `文件过长 (${metrics.code_lines} 行代码 > ${MAX_FILE_LENGTH})`,
+      file_path: filePath, suggestion: '考虑拆分为多个模块',
+      line_number: null,
+    });
+  }
+
+  return { metrics, issues };
+}
+
+function analyzePythonFile(filePath) {
+  const metrics = {
+    path: filePath, lines: 0, code_lines: 0, comment_lines: 0,
+    blank_lines: 0, functions: 0, classes: 0,
+    max_complexity: 0, avg_function_length: 0,
+  };
+  const issues = [];
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf-8');
+  } catch (e) {
+    issues.push({
+      severity: 'error', category: '文件',
+      message: `无法读取文件: ${e.message}`,
+      file_path: filePath, line_number: null, suggestion: null,
+    });
+    return { metrics, issues };
+  }
+
+  const lines = content.split('\n');
+  metrics.lines = lines.length;
+  let inMultiline = false;
+
+  for (let i = 0; i < lines.length; i++) {
+    const stripped = lines[i].trim();
+    if (!stripped) { metrics.blank_lines++; }
+    else if (stripped.startsWith('#')) { metrics.comment_lines++; }
+    else if (stripped.includes('"""') || stripped.includes("'''")) {
+      const dq = (stripped.match(/"""/g) || []).length;
+      const sq = (stripped.match(/'''/g) || []).length;
+      if (dq === 2 || sq === 2) { metrics.comment_lines++; }
+      else { inMultiline = !inMultiline; metrics.comment_lines++; }
+    } else if (inMultiline) { metrics.comment_lines++; }
+    else { metrics.code_lines++; }
+
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      issues.push({
+        severity: 'info', category: '格式',
+        message: `行过长 (${lines[i].length} > ${MAX_LINE_LENGTH})`,
+        file_path: filePath, line_number: i + 1,
+        suggestion: null,
+      });
+    }
+  }
+
+  if (metrics.code_lines > MAX_FILE_LENGTH) {
+    issues.push({
+      severity: 'warning', category: '复杂度',
+      message: `文件过长 (${metrics.code_lines} 行代码 > ${MAX_FILE_LENGTH})`,
+      file_path: filePath, suggestion: '考虑拆分为多个模块',
+      line_number: null,
+    });
+  }
+
+  // Regex-based Python analysis (no AST available in Node)
+  const funcRegex = /^( *)(?:async\s+)?def\s+(\w+)\s*\(([^)]*)\)/gm;
+  const classRegex = /^( *)class\s+(\w+)/gm;
+  const functions = [];
+  let match;
+
+  while ((match = funcRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const name = match[2];
+    const indent = match[1].length;
+    const params = match[3].trim()
+      ? match[3].split(',').map(p => p.trim())
+        .filter(p => p && p !== 'self' && p !== 'cls')
+      : [];
+
+    // Calculate function length by finding next line at same or lesser indent
+    const funcLines = lines.slice(lineNum); // lines after def
+    let length = 1;
+    for (let j = 1; j < funcLines.length; j++) {
+      const l = funcLines[j];
+      if (l.trim() === '') { length++; continue; }
+      const curIndent = l.match(/^(\s*)/)[1].length;
+      if (curIndent <= indent && l.trim() !== '') break;
+      length++;
+    }
+
+    // Estimate complexity from function body
+    const bodyLines = lines.slice(lineNum, lineNum + length - 1);
+    let complexity = 1;
+    for (const bl of bodyLines) {
+      const s = bl.trim();
+      if (/^(if|elif|while|for)\s/.test(s) || /^(if|elif|while|for)\(/.test(s)) complexity++;
+      if (/^except(\s|:)/.test(s)) complexity++;
+      if (/\s(and|or)\s/.test(s)) complexity++;
+      if (/\sfor\s/.test(s) && /\sin\s/.test(s) && (s.includes('[') || s.includes('('))) complexity++;
+    }
+
+    functions.push({ name, line: lineNum, length, complexity, parameters: params.length });
+    metrics.max_complexity = Math.max(metrics.max_complexity, complexity);
+
+    // Check function length
+    if (length > MAX_FUNCTION_LENGTH) {
+      issues.push({
+        severity: 'warning', category: '复杂度',
+        message: `函数 '${name}' 过长 (${length} 行 > ${MAX_FUNCTION_LENGTH})`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '考虑拆分为多个小函数',
+      });
+    }
+    // Check complexity
+    if (complexity > MAX_COMPLEXITY) {
+      issues.push({
+        severity: 'warning', category: '复杂度',
+        message: `函数 '${name}' 圈复杂度过高 (${complexity} > ${MAX_COMPLEXITY})`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '减少嵌套层级，提取子函数',
+      });
+    }
+    // Check parameter count
+    if (params.length > MAX_PARAMETERS) {
+      issues.push({
+        severity: 'warning', category: '设计',
+        message: `函数 '${name}' 参数过多 (${params.length} > ${MAX_PARAMETERS})`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '考虑使用配置对象或数据类封装参数',
+      });
+    }
+    // Check naming
+    const SPECIAL = new Set([
+      'setUp', 'tearDown', 'setUpClass',
+      'tearDownClass', 'setUpModule', 'tearDownModule',
+    ]);
+    if (!name.startsWith('_') && !SPECIAL.has(name) && !name.startsWith('visit_')) {
+      if (!/^[a-z][a-z0-9_]*$/.test(name)) {
+        issues.push({
+          severity: 'info', category: '命名',
+          message: `函数名 '${name}' 不符合 snake_case 规范`,
+          file_path: filePath, line_number: lineNum,
+          suggestion: '函数名应使用 snake_case',
+        });
+      }
+    }
+    if (name.length < MIN_FUNCTION_NAME_LENGTH) {
+      issues.push({
+        severity: 'warning', category: '命名',
+        message: `函数名 '${name}' 过短`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '使用更具描述性的函数名',
+      });
+    }
+  }
+
+  while ((match = classRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const name = match[2];
+    metrics.classes++;
+    if (!/^[A-Z][a-zA-Z0-9]*$/.test(name)) {
+      issues.push({
+        severity: 'warning', category: '命名',
+        message: `类名 '${name}' 不符合 PascalCase 规范`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '类名应使用 PascalCase，如 MyClassName',
+      });
+    }
+  }
+
+  metrics.functions = functions.length;
+  if (functions.length > 0) {
+    metrics.avg_function_length = functions.reduce((s, f) => s + f.length, 0) / functions.length;
+  }
+
+  return { metrics, issues };
+}
+
+// --- Directory scan ---
+
+function scanDirectory(scanPath, excludeDirs) {
+  const resolved = path.resolve(scanPath);
+  const exclude = excludeDirs || EXCLUDE_DIRS;
+  const result = {
+    scan_path: resolved, files_scanned: 0,
+    total_lines: 0, total_code_lines: 0,
+    issues: [], file_metrics: [],
+  };
+
+  function walk(dir) {
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      if (exclude.has(entry.name)) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) { walk(full); continue; }
+      const ext = path.extname(entry.name).toLowerCase();
+      if (!CODE_EXTENSIONS.has(ext)) continue;
+
+      result.files_scanned++;
+      const { metrics, issues } = ext === '.py' ? analyzePythonFile(full) : analyzeGenericFile(full);
+      result.file_metrics.push(metrics);
+      result.issues.push(...issues);
+      result.total_lines += metrics.lines;
+      result.total_code_lines += metrics.code_lines;
+    }
+  }
+
+  walk(resolved);
+  return result;
+}
+
+// --- Reporting ---
+
+function passed(result) { return !hasFatal(result.issues); }
+
+function formatReport(result, verbose) {
+  const errs = result.issues.filter(i => i.severity === 'error').length;
+  const warns = result.issues.filter(i => i.severity === 'warning').length;
+  const fields = {
+    '扫描路径': result.scan_path,
+    '扫描文件': result.files_scanned,
+    '总行数': result.total_lines,
+    '代码行数': result.total_code_lines,
+    '检查结果': passed(result) ? '✓ 通过' : '✗ 需要关注',
+    '统计': `错误: ${errs} | 警告: ${warns}`,
+  };
+  let report = buildReport(
+    '代码质量检查报告', fields, result.issues, verbose, 'category'
+  );
+
+  if (verbose && result.file_metrics.length) {
+    const complex = result.file_metrics
+      .filter(m => m.max_complexity > 0)
+      .sort((a, b) => b.max_complexity - a.max_complexity)
+      .slice(0, 5);
+    if (complex.length) {
+      const lines = ['\n' + '-'.repeat(40), '复杂度最高的文件:', '-'.repeat(40)];
+      for (const m of complex) lines.push(`  ${m.path}: 复杂度 ${m.max_complexity}, ${m.functions} 个函数`);
+      report += '\n' + lines.join('\n');
+    }
+  }
+  return report;
+}
+
+// --- CLI ---
+
+function main() {
+  const opts = parseCliArgs(process.argv);
+
+  const result = scanDirectory(opts.target);
+
+  if (opts.json) {
+    const output = {
+      scan_path: result.scan_path,
+      files_scanned: result.files_scanned,
+      total_lines: result.total_lines,
+      total_code_lines: result.total_code_lines,
+      passed: passed(result),
+      error_count: result.issues.filter(i => i.severity === 'error').length,
+      warning_count: result.issues.filter(i => i.severity === 'warning').length,
+      issues: result.issues
+    };
+    console.log(JSON.stringify(output, null, 2));
+  } else {
+    console.log(formatReport(result, opts.verbose));
+  }
+
+  process.exit(passed(result) ? 0 : 1);
+}
+
+main();

package/skills/tools/verify-security/SKILL.md

@@ -1,6 +1,8 @@
 ---
 name: verify-security
 description: 安全校验关卡。自动扫描代码安全漏洞，检测危险模式，确保安全决策有文档记录。当魔尊提到安全扫描、漏洞检测、安全审计、代码安全、OWASP、注入检测、敏感信息泄露时使用。在新建模块、安全相关变更、攻防任务、重构完成时自动触发。
+license: MIT
+compatibility: node>=18
 user-invocable: true
 disable-model-invocation: false
 allowed-tools: Bash, Read, Grep
@@ -24,10 +26,10 @@ Critical/High 问题必须修复后才能交付
 
 ```bash
 # 在 skill 目录下运行
-python scripts/security_scanner.py <扫描路径>
-python scripts/security_scanner.py <扫描路径> -v           # 详细模式
-python scripts/security_scanner.py <扫描路径> --json       # JSON 输出
-python scripts/security_scanner.py <扫描路径> --exclude vendor  # 排除目录
+node scripts/security_scanner.js <扫描路径>
+node scripts/security_scanner.js <扫描路径> -v           # 详细模式
+node scripts/security_scanner.js <扫描路径> --json       # JSON 输出
+node scripts/security_scanner.js <扫描路径> --exclude vendor  # 排除目录
 ```
 
 ## 检测范围
@@ -98,7 +100,7 @@ html/template 自动转义
 ## 校验流程
 
 ```
-1. 运行 security_scanner.py 自动扫描
+1. 运行 security_scanner.js 自动扫描
 2. 分析扫描结果，按严重度排序
 3. 检查安全决策是否有文档记录
 4. 输出安全校验报告

package/skills/tools/verify-security/scripts/security_scanner.js

@@ -0,0 +1,283 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+
+// prettier-ignore
+const SECURITY_RULES = [
+  {
+    id: 'SQL_INJECTION_DYNAMIC', category: '注入',
+    severity: 'critical',
+    pattern: new RegExp(
+      '\\b(execute|query|raw)\\s*\\(\\s*' +
+      '(f["\']|["\'][^"\'\\n]*["\']\\s*\\+\\s*|["\'][^"\'\\n]*["\']\\s*%\\s*[^,)]|["\'][^"\'\\n]*["\']' +
+      '\\.format\\s*\\()', 'i'),
+    extensions: ['.py', '.js', '.ts', '.go', '.java', '.php'],
+    message: '可能存在 SQL 注入风险',
+    recommendation: '使用参数化查询或 ORM',
+  },
+  {
+    id: 'SQL_INJECTION_FSTRING', category: '注入',
+    severity: 'critical',
+    pattern: /cursor\.(execute|executemany)\s*\(\s*f["']/i,
+    extensions: ['.py'],
+    message: '使用 f-string 构造 SQL 语句',
+    recommendation: '使用参数化查询',
+  },
+  {
+    id: 'COMMAND_INJECTION', category: '注入',
+    severity: 'critical',
+    pattern: /(os\.system|os\.popen|subprocess\.call|subprocess\.run|subprocess\.Popen)\s*\([^)]*shell\s*=\s*True/i,
+    extensions: ['.py'],
+    message: '使用 shell=True 可能导致命令注入',
+    recommendation: '避免 shell=True，使用列表参数',
+  },
+  {
+    id: 'COMMAND_INJECTION_EVAL', category: '注入',
+    severity: 'critical',
+    pattern: /\b(eval|exec)\s*\([^)]*\b(input|request|argv|args)/i,
+    extensions: ['.py'],
+    message: 'eval/exec 执行用户输入',
+    recommendation: '避免对用户输入使用 eval/exec',
+  },
+  {
+    id: 'HARDCODED_SECRET', category: '敏感信息',
+    severity: 'high',
+    pattern: /(?<!\w)(password|passwd|pwd|secret|api_key|apikey|token|auth_token)\s*=\s*["'][^"']{8,}["']/i,
+    excludePattern: /(example|placeholder|changeme|xxx|your[_-]|TODO|FIXME|<.*>|\*{3,})/i,
+    extensions: [
+      '.py', '.js', '.ts', '.go', '.java', '.php',
+      '.rb', '.yaml', '.yml', '.json', '.env',
+    ],
+    message: '可能存在硬编码密钥/密码',
+    recommendation: '使用环境变量或密钥管理服务',
+  },
+  {
+    id: 'HARDCODED_AWS_KEY', category: '敏感信息',
+    severity: 'critical',
+    pattern: /AKIA[0-9A-Z]{16}/,
+    extensions: ['*'],
+    message: '发现 AWS Access Key',
+    recommendation: '立即轮换密钥，使用 IAM 角色或环境变量',
+  },
+  {
+    id: 'HARDCODED_PRIVATE_KEY', category: '敏感信息',
+    severity: 'critical',
+    pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+    extensions: ['*'],
+    message: '发现私钥',
+    recommendation: '私钥不应提交到代码库',
+  },
+  {
+    id: 'XSS_INNERHTML', category: 'XSS', severity: 'high',
+    pattern: /\.innerHTML\s*=|\.outerHTML\s*=|document\.write\s*\(/i,
+    extensions: ['.js', '.ts', '.jsx', '.tsx', '.html'],
+    message: '直接操作 innerHTML 可能导致 XSS',
+    recommendation: '使用 textContent 或框架的安全绑定',
+  },
+  {
+    id: 'XSS_DANGEROUSLY', category: 'XSS',
+    severity: 'medium',
+    pattern: /dangerouslySetInnerHTML/i,
+    extensions: ['.js', '.ts', '.jsx', '.tsx'],
+    message: '使用 dangerouslySetInnerHTML',
+    recommendation: '确保内容已经过净化处理',
+  },
+  {
+    id: 'UNSAFE_PICKLE', category: '反序列化',
+    severity: 'high',
+    pattern: /pickle\.loads?\s*\(|yaml\.load\s*\([^)]*Loader\s*=\s*yaml\.Loader/i,
+    extensions: ['.py'],
+    message: '不安全的反序列化',
+    recommendation: '使用 yaml.safe_load() 或验证数据来源',
+  },
+  {
+    id: 'WEAK_CRYPTO_MD5', category: '加密',
+    severity: 'medium',
+    pattern: /\b(md5|MD5)\s*\(|hashlib\.md5\s*\(/i,
+    extensions: ['.py', '.js', '.ts', '.go', '.java', '.php'],
+    message: '使用弱哈希算法 MD5',
+    recommendation: '使用 bcrypt/argon2 或 SHA-256+',
+  },
+  {
+    id: 'WEAK_CRYPTO_SHA1', category: '加密',
+    severity: 'low',
+    pattern: /\b(sha1|SHA1)\s*\(|hashlib\.sha1\s*\(/i,
+    extensions: ['.py', '.js', '.ts', '.go', '.java', '.php'],
+    message: '使用弱哈希算法 SHA1',
+    recommendation: '使用 SHA-256 或更强的算法',
+  },
+  {
+    id: 'PATH_TRAVERSAL', category: '路径遍历',
+    severity: 'high',
+    pattern: new RegExp(
+      '(open|read|write|Path|os\\.path\\.join)\\s*\\([^\\n]*' +
+      '(request|input|argv|args|params|query|form|path_param)\\b', 'i'),
+    extensions: ['.py'],
+    message: '可能存在路径遍历风险',
+    recommendation: '验证并规范化用户输入的路径',
+  },
+  {
+    id: 'SSRF', category: 'SSRF', severity: 'high',
+    pattern: new RegExp(
+      '(requests\\.(get|post|put|delete|head)|urllib\\.request\\.urlopen)' +
+      '\\s*\\([^\\n]*(request|input|argv|args|params|query|url)\\b', 'i'),
+    extensions: ['.py'],
+    message: '可能存在 SSRF 风险',
+    recommendation: '验证并限制目标 URL',
+  },
+  {
+    id: 'DEBUG_CODE', category: '调试', severity: 'low',
+    pattern: /\b(console\.log|debugger|pdb\.set_trace|breakpoint)\s*\(/i,
+    extensions: ['.py', '.js', '.ts'],
+    message: '发现调试代码',
+    recommendation: '生产环境移除调试代码',
+  },
+  {
+    id: 'INSECURE_RANDOM', category: '加密',
+    severity: 'medium',
+    pattern: /\brandom\.(random|randint|choice|shuffle)\s*\(/i,
+    extensions: ['.py'],
+    message: '使用不安全的随机数生成器',
+    recommendation: '安全场景使用 secrets 模块',
+  },
+  {
+    id: 'XXE', category: 'XXE', severity: 'high',
+    pattern: /etree\.(parse|fromstring)\s*\([^)]*\)|xml\.dom\.minidom\.parse/i,
+    extensions: ['.py'],
+    message: 'XML 解析可能存在 XXE 风险',
+    recommendation: '禁用外部实体: XMLParser(resolve_entities=False)',
+  },
+];
+
+const CODE_EXTENSIONS = new Set([
+  '.py', '.js', '.ts', '.jsx', '.tsx', '.go',
+  '.java', '.php', '.rb', '.yaml', '.yml', '.json',
+]);
+const DEFAULT_EXCLUDES = [
+  '.git', 'node_modules', '__pycache__', '.venv', 'venv',
+  'dist', 'build', '.tox', 'tests', 'test', '__tests__', 'spec',
+];
+
+function scanFile(filePath, rules) {
+  const findings = [];
+  const ext = path.extname(filePath).toLowerCase();
+  let content;
+  try { content = fs.readFileSync(filePath, 'utf-8'); } catch { return findings; }
+  const lines = content.split('\n');
+
+  for (const rule of rules) {
+    const exts = rule.extensions;
+    if (!exts.includes('*') && !exts.includes(ext)) continue;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const stripped = line.trim();
+      const isComment = stripped.startsWith('#') ||
+        stripped.startsWith('//') || stripped.startsWith('*') ||
+        stripped.startsWith('/*');
+      if (isComment) continue;
+      const ruleDefRe = /^\s*(id|pattern|severity|message|recommendation|extensions|excludePattern|category)\s*:/;
+      if (ruleDefRe.test(stripped)) continue;
+
+      if (rule.pattern.test(line)) {
+        rule.pattern.lastIndex = 0;
+        if (rule.excludePattern && rule.excludePattern.test(line)) {
+          rule.excludePattern.lastIndex = 0; continue;
+        }
+        findings.push({
+          severity: rule.severity, category: rule.category,
+          message: rule.message, file_path: filePath,
+          line_number: i + 1,
+          line_content: stripped.slice(0, 100),
+          recommendation: rule.recommendation,
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function walkDir(dir, excludeDirs) {
+  const results = [];
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return results; }
+  for (const entry of entries) {
+    if (excludeDirs.includes(entry.name)) continue;
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) { results.push(...walkDir(full, excludeDirs)); }
+    else if (entry.isFile()) {
+      if (CODE_EXTENSIONS.has(path.extname(entry.name).toLowerCase())) {
+        results.push(full);
+      }
+    }
+  }
+  return results;
+}
+
+function scanDirectory(scanPath, excludeDirs) {
+  const resolved = path.resolve(scanPath);
+  const findings = [];
+  const files = walkDir(resolved, excludeDirs);
+  for (const f of files) findings.push(...scanFile(f, SECURITY_RULES));
+  findings.sort((a, b) =>
+    (SEVERITY_ORDER[a.severity] ?? 9) - (SEVERITY_ORDER[b.severity] ?? 9));
+  const passed = !findings.some(
+    f => f.severity === 'critical' || f.severity === 'high'
+  );
+  return { scan_path: resolved, files_scanned: files.length, passed, findings };
+}
+
+const { buildReport, countBySeverity, parseCliArgs } = require(
+  path.join(__dirname, '..', '..', 'lib', 'shared.js')
+);
+
+function formatReport(result, verbose) {
+  const counts = countBySeverity(result.findings);
+  const fields = {
+    '扫描路径': result.scan_path,
+    '扫描文件': result.files_scanned,
+    '扫描结果': result.passed ? '\u2713 通过' : '\u2717 发现高危问题',
+    '统计': `严重: ${counts.critical || 0} | 高危: ${counts.high || 0}` +
+      ` | 中危: ${counts.medium || 0} | 低危: ${counts.low || 0}`,
+  };
+  return buildReport(
+    '代码安全扫描报告', fields, result.findings, verbose, 'category'
+  );
+}
+
+
+function main() {
+  const opts = parseCliArgs(process.argv, { exclude: [] });
+  if (opts.help) {
+    console.log('Usage: security_scanner.js [path] [-v] [--json] [--exclude dir1 dir2]');
+    process.exit(0);
+  }
+  const scanPath = opts.target;
+  const verbose = opts.verbose;
+  const jsonOut = opts.json;
+  const excludeDirs = [...DEFAULT_EXCLUDES, ...opts.exclude];
+  const result = scanDirectory(scanPath, excludeDirs);
+
+  if (jsonOut) {
+    console.log(JSON.stringify({
+      scan_path: result.scan_path,
+      files_scanned: result.files_scanned,
+      passed: result.passed,
+      counts: countBySeverity(result.findings),
+      findings: result.findings,
+    }, null, 2));
+  } else {
+    console.log(formatReport(result, verbose));
+  }
+  process.exit(result.passed ? 0 : 1);
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { scanFile, SECURITY_RULES };