shellward 0.7.10 → 0.7.12

package/README.md

@@ -8,7 +8,7 @@
 
 [![npm](https://img.shields.io/npm/v/shellward?color=cb0000&label=npm)](https://www.npmjs.com/package/shellward)
 [![license](https://img.shields.io/badge/license-Apache--2.0-blue)](./LICENSE)
-[![tests](https://img.shields.io/badge/tests-302%20passing-brightgreen)](#performance)
+[![tests](https://img.shields.io/badge/tests-303%20passing-brightgreen)](#performance)
 [![deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#performance)
 
 **🌐 官网: https://jnmetacode.github.io/shellward/**

package/dist/compliance/audit.js

@@ -121,17 +121,52 @@ export function runProjectComplianceAudit(config, root) {
     }
     // CLI 静态扫描：未部署运行时 → 能力/审计类不虚报"已启用"，只如实评估项目证据
     const report = runComplianceAudit(config, env, { deployed: false });
+    // 「敏感个人信息识别」这条静态扫描确实做得到 —— 直接连到扫描结果，不再标"待核验"
+    const piiCount = scan.findings.filter(f => f.kind === 'pii').length;
+    const spi = report.results.find(r => r.control.id === 'pipl-spi-detect');
+    if (spi) {
+        if (piiCount > 0) {
+            spi.status = 'fail';
+            spi.detail_zh = `扫描在项目文件中发现 ${piiCount} 处个人信息暴露（见上方「项目实测风险」）— 需评估最小必要并脱敏`;
+            spi.detail_en = `Scan found ${piiCount} PII exposure(s) in files — assess minimization & de-identify`;
+        }
+        else {
+            spi.status = 'pass';
+            spi.detail_zh = '已扫描项目文件，未发现明文个人信息暴露（运行时 PII 处理建议仍接入 ShellWard）';
+            spi.detail_en = 'Scanned files; no plaintext PII exposure found';
+        }
+    }
+    // override 改了状态 → 重算计数与控制项得分
+    recount(report);
+    const baseScore = computeScore(report.results);
     // 发现驱动评分：项目实测风险按严重度扣分（封顶 40），使分数反映"你的真实风险"
     const penalty = computeProjectPenalty(scan);
-    if (penalty > 0) {
-        report.score = Math.max(0, report.score - penalty);
-        report.grade = gradeOf(report.score);
+    report.score = Math.max(0, baseScore - penalty);
+    report.grade = gradeOf(report.score);
+    if (penalty > 0)
         report.projectPenalty = penalty;
-    }
     report.staticScan = true;
     report.filesScanned = scan.filesScanned;
     return { report, scan };
 }
+/** 重新统计 pass/warn/fail/manual 计数（控制项状态被覆盖后调用） */
+function recount(report) {
+    let passed = 0, warned = 0, failed = 0, manual = 0;
+    for (const r of report.results) {
+        if (r.status === 'pass')
+            passed++;
+        else if (r.status === 'warn')
+            warned++;
+        else if (r.status === 'fail')
+            failed++;
+        else
+            manual++;
+    }
+    report.passed = passed;
+    report.warned = warned;
+    report.failed = failed;
+    report.manual = manual;
+}
 const FINDING_PENALTY = { critical: 8, high: 4, medium: 1 };
 const MAX_PROJECT_PENALTY = 40;
 function computeProjectPenalty(scan) {

package/dist/web/scan-server.js

@@ -34,9 +34,12 @@ export function validateRepoUrl(input) {
         return { ok: false, reason: '仅支持 github.com / gitlab.com / gitee.com / bitbucket.org 的公开仓库 URL' };
     return { ok: true, url };
 }
+// 报告「返回」链接：本地模式用绝对地址（上传报告经 blob: URL 打开，相对 '/' 会失效）
+let SERVER_BASE = '/';
 export function startWebServer(opts) {
     const locale = resolveLocale(DEFAULT_CONFIG);
     const host = opts.local ? '127.0.0.1' : '0.0.0.0';
+    SERVER_BASE = opts.local ? `http://localhost:${opts.port}/` : '/';
     let active = 0;
     const server = createServer(async (req, res) => {
         try {
@@ -110,7 +113,7 @@ async function handleRepo(res, repo, locale, inc, dec) {
     try {
         await cloneRepo(v.url, dir);
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: SERVER_BASE }));
     }
     catch (e) {
         const msg = esc(e?.message || String(e));
@@ -133,7 +136,7 @@ async function handleLocal(res, path, locale, inc, dec) {
     inc();
     try {
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, root);
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: SERVER_BASE }));
     }
     finally {
         dec();
@@ -192,7 +195,7 @@ async function handleUpload(req, res, locale, inc, dec) {
         }
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
         const rootName = typeof payload.root === 'string' && payload.root ? payload.root : '(uploaded folder)';
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: SERVER_BASE }));
     }
     catch (e) {
         send(res, 500, 'text/html', errorPage('扫描失败：' + esc(e?.message || String(e))));
@@ -248,7 +251,7 @@ function handleDemo(res, locale, inc, dec) {
         writeFileSync(join(dir, 'data', 'customers.csv'), 'name,id_card,phone,card\n张三,110101199003071233,13800138000,4111111111111111\n');
         writeFileSync(join(dir, '.env'), 'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n');
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: SERVER_BASE }));
     }
     catch (e) {
         send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))));
@@ -391,20 +394,26 @@ function page(title, body) {
 *{box-sizing:border-box}body{margin:0;min-height:100vh;display:grid;place-items:center;
 background:linear-gradient(135deg,#eef1f6,#e2e8f0);color:#0f172a;
 font:16px/1.6 -apple-system,BlinkMacSystemFont,"Segoe UI","PingFang SC","Microsoft YaHei",sans-serif}
-.hero{background:#fff;max-width:560px;width:92%;margin:40px;padding:40px;border-radius:18px;
-box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center}
-.logo{font-weight:800;font-size:15px}.logo span{color:#cb0000}
-h1{font-size:30px;margin:14px 0 8px;letter-spacing:-.5px}
-.sub{color:#64748b;margin:0 0 26px}
+.hero{background:#fff;max-width:580px;width:92%;margin:40px;padding:38px 40px 34px;border-radius:18px;
+box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center;border-top:4px solid #cb0000}
+.logo{font-weight:800;font-size:15px;letter-spacing:.2px}.logo span{color:#cb0000}
+h1{font-size:29px;margin:12px 0 8px;letter-spacing:-.5px}
+.sub{color:#64748b;margin:0 0 24px;font-size:15px}
 form{display:flex;flex-direction:column;gap:10px;text-align:left}
-label{font-size:13px;font-weight:600;color:#475569}
+label{font-size:13px;font-weight:700;color:#334155}
 input{padding:14px 16px;border:1px solid #cbd5e1;border-radius:10px;font-size:16px;width:100%}
 input:focus{outline:none;border-color:#cb0000;box-shadow:0 0 0 3px rgba(203,0,0,.12)}
-.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px}
+.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px;line-height:1.55}
 .hint code{background:#f1f5f9;padding:1px 6px;border-radius:5px}
-input[type=file]{padding:12px;background:#f8fafc;cursor:pointer}
+/* 文件选择器：美化成虚线投放区 + 红色按钮 */
+input[type=file]{width:100%;padding:20px 16px;border:2px dashed #cbd5e1;border-radius:12px;
+background:#f8fafc;cursor:pointer;font-size:14px;color:#64748b;transition:.15s}
+input[type=file]:hover{border-color:#cb0000;background:#fff}
+input[type=file]::file-selector-button{background:#cb0000;color:#fff;border:0;border-radius:8px;
+padding:9px 18px;margin-right:14px;font-weight:700;font-size:14px;cursor:pointer}
+input[type=file]::file-selector-button:hover{background:#a80000}
 button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;font-size:16px;
-font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
+font-weight:700;cursor:pointer;margin-top:4px;transition:.15s}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
 .status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.10",
+  "version": "0.7.12",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [

package/src/compliance/audit.ts

@@ -189,19 +189,48 @@ export function runProjectComplianceAudit(config: ShellWardConfig, root: string)
   // CLI 静态扫描：未部署运行时 → 能力/审计类不虚报"已启用"，只如实评估项目证据
   const report = runComplianceAudit(config, env, { deployed: false })
 
+  // 「敏感个人信息识别」这条静态扫描确实做得到 —— 直接连到扫描结果，不再标"待核验"
+  const piiCount = scan.findings.filter(f => f.kind === 'pii').length
+  const spi = report.results.find(r => r.control.id === 'pipl-spi-detect')
+  if (spi) {
+    if (piiCount > 0) {
+      spi.status = 'fail'
+      spi.detail_zh = `扫描在项目文件中发现 ${piiCount} 处个人信息暴露（见上方「项目实测风险」）— 需评估最小必要并脱敏`
+      spi.detail_en = `Scan found ${piiCount} PII exposure(s) in files — assess minimization & de-identify`
+    } else {
+      spi.status = 'pass'
+      spi.detail_zh = '已扫描项目文件，未发现明文个人信息暴露（运行时 PII 处理建议仍接入 ShellWard）'
+      spi.detail_en = 'Scanned files; no plaintext PII exposure found'
+    }
+  }
+
+  // override 改了状态 → 重算计数与控制项得分
+  recount(report)
+  const baseScore = computeScore(report.results)
+
   // 发现驱动评分：项目实测风险按严重度扣分（封顶 40），使分数反映"你的真实风险"
   const penalty = computeProjectPenalty(scan)
-  if (penalty > 0) {
-    report.score = Math.max(0, report.score - penalty)
-    report.grade = gradeOf(report.score)
-    report.projectPenalty = penalty
-  }
+  report.score = Math.max(0, baseScore - penalty)
+  report.grade = gradeOf(report.score)
+  if (penalty > 0) report.projectPenalty = penalty
   report.staticScan = true
   report.filesScanned = scan.filesScanned
 
   return { report, scan }
 }
 
+/** 重新统计 pass/warn/fail/manual 计数（控制项状态被覆盖后调用） */
+function recount(report: ComplianceReport): void {
+  let passed = 0, warned = 0, failed = 0, manual = 0
+  for (const r of report.results) {
+    if (r.status === 'pass') passed++
+    else if (r.status === 'warn') warned++
+    else if (r.status === 'fail') failed++
+    else manual++
+  }
+  report.passed = passed; report.warned = warned; report.failed = failed; report.manual = manual
+}
+
 const FINDING_PENALTY = { critical: 8, high: 4, medium: 1 } as const
 const MAX_PROJECT_PENALTY = 40
 

package/src/web/scan-server.ts

@@ -41,9 +41,13 @@ export function validateRepoUrl(input: string): { ok: true; url: string } | { ok
   return { ok: true, url }
 }
 
+// 报告「返回」链接：本地模式用绝对地址（上传报告经 blob: URL 打开，相对 '/' 会失效）
+let SERVER_BASE = '/'
+
 export function startWebServer(opts: WebServerOptions): void {
   const locale = resolveLocale(DEFAULT_CONFIG)
   const host = opts.local ? '127.0.0.1' : '0.0.0.0'
+  SERVER_BASE = opts.local ? `http://localhost:${opts.port}/` : '/'
   let active = 0
 
   const server = createServer(async (req, res) => {
@@ -113,7 +117,7 @@ async function handleRepo(res: any, repo: string, locale: 'zh' | 'en', inc: () =
   try {
     await cloneRepo(v.url, dir)
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: SERVER_BASE }))
   } catch (e: any) {
     const msg = esc(e?.message || String(e))
     send(res, 502, 'text/html', errorPage(
@@ -133,7 +137,7 @@ async function handleLocal(res: any, path: string, locale: 'zh' | 'en', inc: ()
   inc()
   try {
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, root)
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: SERVER_BASE }))
   } finally {
     dec()
   }
@@ -176,7 +180,7 @@ async function handleUpload(req: any, res: any, locale: 'zh' | 'en', inc: () =>
     }
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
     const rootName = typeof payload.root === 'string' && payload.root ? payload.root : '(uploaded folder)'
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: SERVER_BASE }))
   } catch (e: any) {
     send(res, 500, 'text/html', errorPage('扫描失败：' + esc(e?.message || String(e))))
   } finally {
@@ -226,7 +230,7 @@ function handleDemo(res: any, locale: 'zh' | 'en', inc: () => void, dec: () => v
     writeFileSync(join(dir, '.env'),
       'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n')
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: SERVER_BASE }))
   } catch (e: any) {
     send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))))
   } finally {
@@ -373,20 +377,26 @@ function page(title: string, body: string): string {
 *{box-sizing:border-box}body{margin:0;min-height:100vh;display:grid;place-items:center;
 background:linear-gradient(135deg,#eef1f6,#e2e8f0);color:#0f172a;
 font:16px/1.6 -apple-system,BlinkMacSystemFont,"Segoe UI","PingFang SC","Microsoft YaHei",sans-serif}
-.hero{background:#fff;max-width:560px;width:92%;margin:40px;padding:40px;border-radius:18px;
-box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center}
-.logo{font-weight:800;font-size:15px}.logo span{color:#cb0000}
-h1{font-size:30px;margin:14px 0 8px;letter-spacing:-.5px}
-.sub{color:#64748b;margin:0 0 26px}
+.hero{background:#fff;max-width:580px;width:92%;margin:40px;padding:38px 40px 34px;border-radius:18px;
+box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center;border-top:4px solid #cb0000}
+.logo{font-weight:800;font-size:15px;letter-spacing:.2px}.logo span{color:#cb0000}
+h1{font-size:29px;margin:12px 0 8px;letter-spacing:-.5px}
+.sub{color:#64748b;margin:0 0 24px;font-size:15px}
 form{display:flex;flex-direction:column;gap:10px;text-align:left}
-label{font-size:13px;font-weight:600;color:#475569}
+label{font-size:13px;font-weight:700;color:#334155}
 input{padding:14px 16px;border:1px solid #cbd5e1;border-radius:10px;font-size:16px;width:100%}
 input:focus{outline:none;border-color:#cb0000;box-shadow:0 0 0 3px rgba(203,0,0,.12)}
-.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px}
+.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px;line-height:1.55}
 .hint code{background:#f1f5f9;padding:1px 6px;border-radius:5px}
-input[type=file]{padding:12px;background:#f8fafc;cursor:pointer}
+/* 文件选择器：美化成虚线投放区 + 红色按钮 */
+input[type=file]{width:100%;padding:20px 16px;border:2px dashed #cbd5e1;border-radius:12px;
+background:#f8fafc;cursor:pointer;font-size:14px;color:#64748b;transition:.15s}
+input[type=file]:hover{border-color:#cb0000;background:#fff}
+input[type=file]::file-selector-button{background:#cb0000;color:#fff;border:0;border-radius:8px;
+padding:9px 18px;margin-right:14px;font-weight:700;font-size:14px;cursor:pointer}
+input[type=file]::file-selector-button:hover{background:#a80000}
 button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;font-size:16px;
-font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
+font-weight:700;cursor:pointer;margin-top:4px;transition:.15s}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
 .status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;