shellward 0.7.11 → 0.7.13

package/dist/compliance/audit.js

@@ -236,9 +236,10 @@ function checkEnv(c, env) {
         if (env.overseas.length > 0) {
             const names = env.overseas.map(o => o.provider_zh).join(', ');
             const namesEn = env.overseas.map(o => o.provider_en).join(', ');
-            return mk(c, 'fail', `检测到境外大模型端点配置: ${names} — 若向其发送个人信息/重要数据即构成数据出境，须走合规路径`, `Overseas LLM endpoint(s) configured: ${namesEn} — sending PI/important data = cross-border export`);
+            // 检出境外调用是"事实"，是否违规取决于是否发送 PII/重要数据 → 标"需评估"而非"不合规"
+            return mk(c, 'warn', `检测到境外大模型调用: ${names}。是否违规取决于发送的数据：涉及个人信息/重要数据需走合规路径或改用境内模型；仅非个人/非重要数据通常可接受。`, `Overseas LLM detected: ${namesEn}. Compliance depends on the data sent — PI/important data needs a compliant path; non-personal data is usually fine.`);
         }
-        return mk(c, 'pass', '未检测到境外大模型端点配置', 'No overseas LLM endpoint detected');
+        return mk(c, 'pass', '未检测到境外大模型调用', 'No overseas LLM detected');
     }
     return mk(c, 'manual', '需人工确认', 'Manual check required');
 }

package/dist/compliance/html-report.js

@@ -14,7 +14,7 @@ const STATUS = {
     manual: { zh: '待确认', en: 'Review', cls: 'manual' },
 };
 const KIND = {
-    overseas: { zh: '数据出境风险', en: 'Data export risk', icon: '🌐' },
+    overseas: { zh: '境外大模型调用（需评估出境）', en: 'Overseas LLM (assess export)', icon: '🌐' },
     secret: { zh: '硬编码密钥', en: 'Hardcoded secret', icon: '🔑' },
     pii: { zh: '个人信息暴露', en: 'PII exposure', icon: '🪪' },
     'env-perm': { zh: '.env 权限', en: '.env permission', icon: '📂' },
@@ -161,6 +161,18 @@ export function renderHtmlReport(report, scan, locale, meta) {
         }
         S.push('</tbody></table></div>');
     }
+    // ===== 接入运行时指引：把 ⚪ 待核验项变成可验证（回答"需要接入才能测"）=====
+    if (report.staticScan && report.manual > 0) {
+        const cfg = `{
+  "mcpServers": {
+    "shellward": { "command": "npx", "args": ["-y", "-p", "shellward", "shellward-mcp"] }
+  }
+}`;
+        S.push(sectionHead('🔌', t('让待核验项可验证：接入运行时', 'Make ⚪ items verifiable: deploy runtime'), t('静态扫描测不了运行时行为，接入后这些项才能被持续验证', 'Static scan cannot test runtime behavior; deploy to validate')));
+        S.push(`<p class="note">${t(`把下面这段加到 Claude Desktop / Cursor / OpenClaw 的 MCP 配置，重启后 ShellWard 就作为<b>运行时防护</b>在你的 AI 应用里运行——上方 ${report.manual} 项（审计留存、运行时拦截、数据外发管控等）即可被真实验证。`, `Add this to your Claude Desktop / Cursor / OpenClaw MCP config and restart — ShellWard then runs as a <b>runtime guard</b>, validating the ${report.manual} ⚪ items above.`)}</p>`);
+        S.push(`<div class="cfg"><pre id="mcpcfg">${esc(cfg)}</pre><button onclick="(function(b){navigator.clipboard&&navigator.clipboard.writeText(document.getElementById('mcpcfg').textContent).then(function(){b.textContent='${t('已复制', 'Copied')}'})})(this)">${t('复制', 'Copy')}</button></div>`);
+        S.push(`<p class="muted">${t('或命令行直接起：', 'Or run directly:')} <code>npx shellward mcp</code> · ${t('文档', 'Docs')}: <a href="https://github.com/jnMetaCode/shellward">github.com/jnMetaCode/shellward</a></p>`);
+    }
     const disclaimer = t('本报告由 ShellWard 合规网关自动生成，帮助评估并满足合规技术要求，不构成法律意见，亦不替代算法备案/定级备案/PIA 等主体责任。⚪ 待确认项需结合业务人工判定。', 'Generated by ShellWard Compliance Gateway. Assists with technical compliance; not legal advice. ⚪ items require manual review.');
     return `<!DOCTYPE html>
 <html lang="${zh ? 'zh-CN' : 'en'}">
@@ -323,6 +335,12 @@ table.tbl td.right{width:64px}
 .manual-note{margin:8px 36px 12px;font-size:13px;color:#475569;background:#eff6ff;
   border-left:3px solid #3b82f6;line-height:1.6}
 .manual-note code{background:#dbeafe;padding:1px 6px;border-radius:5px}
+.cfg{position:relative;margin:8px 36px}
+.cfg pre{background:#0f172a;color:#e2e8f0;border-radius:10px;padding:16px 18px;margin:0;
+  font-family:ui-monospace,Menlo,monospace;font-size:12.5px;overflow-x:auto;line-height:1.5}
+.cfg button{position:absolute;top:10px;right:12px;background:#1e293b;color:#94a3b8;border:0;
+  border-radius:6px;padding:5px 12px;font-size:12px;cursor:pointer}
+.cfg button:hover{color:#fff}
 
 /* 法规分组 */
 .reg{margin:14px 36px;padding:0;border:1px solid var(--line);border-radius:12px;overflow:hidden}

package/dist/compliance/report.js

@@ -116,7 +116,7 @@ export function renderComplianceReport(report, locale) {
     return L.join('\n');
 }
 const KIND_LABEL = {
-    overseas: { zh: '数据出境风险', en: 'Data export risk', icon: '🌐' },
+    overseas: { zh: '境外大模型调用（需评估出境）', en: 'Overseas LLM (assess export)', icon: '🌐' },
     secret: { zh: '硬编码密钥', en: 'Hardcoded secret', icon: '🔑' },
     pii: { zh: '个人信息暴露', en: 'PII exposure', icon: '🪪' },
     'env-perm': { zh: '.env 权限', en: '.env permission', icon: '📂' },

package/dist/web/scan-server.js

@@ -34,9 +34,12 @@ export function validateRepoUrl(input) {
         return { ok: false, reason: '仅支持 github.com / gitlab.com / gitee.com / bitbucket.org 的公开仓库 URL' };
     return { ok: true, url };
 }
+// 报告「返回」链接：本地模式用绝对地址（上传报告经 blob: URL 打开，相对 '/' 会失效）
+let SERVER_BASE = '/';
 export function startWebServer(opts) {
     const locale = resolveLocale(DEFAULT_CONFIG);
     const host = opts.local ? '127.0.0.1' : '0.0.0.0';
+    SERVER_BASE = opts.local ? `http://localhost:${opts.port}/` : '/';
     let active = 0;
     const server = createServer(async (req, res) => {
         try {
@@ -110,7 +113,7 @@ async function handleRepo(res, repo, locale, inc, dec) {
     try {
         await cloneRepo(v.url, dir);
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: SERVER_BASE }));
     }
     catch (e) {
         const msg = esc(e?.message || String(e));
@@ -133,7 +136,7 @@ async function handleLocal(res, path, locale, inc, dec) {
     inc();
     try {
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, root);
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: SERVER_BASE }));
     }
     finally {
         dec();
@@ -192,7 +195,7 @@ async function handleUpload(req, res, locale, inc, dec) {
         }
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
         const rootName = typeof payload.root === 'string' && payload.root ? payload.root : '(uploaded folder)';
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: SERVER_BASE }));
     }
     catch (e) {
         send(res, 500, 'text/html', errorPage('扫描失败：' + esc(e?.message || String(e))));
@@ -248,7 +251,7 @@ function handleDemo(res, locale, inc, dec) {
         writeFileSync(join(dir, 'data', 'customers.csv'), 'name,id_card,phone,card\n张三,110101199003071233,13800138000,4111111111111111\n');
         writeFileSync(join(dir, '.env'), 'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n');
         const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
-        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: '/' }));
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: SERVER_BASE }));
     }
     catch (e) {
         send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))));
@@ -391,20 +394,26 @@ function page(title, body) {
 *{box-sizing:border-box}body{margin:0;min-height:100vh;display:grid;place-items:center;
 background:linear-gradient(135deg,#eef1f6,#e2e8f0);color:#0f172a;
 font:16px/1.6 -apple-system,BlinkMacSystemFont,"Segoe UI","PingFang SC","Microsoft YaHei",sans-serif}
-.hero{background:#fff;max-width:560px;width:92%;margin:40px;padding:40px;border-radius:18px;
-box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center}
-.logo{font-weight:800;font-size:15px}.logo span{color:#cb0000}
-h1{font-size:30px;margin:14px 0 8px;letter-spacing:-.5px}
-.sub{color:#64748b;margin:0 0 26px}
+.hero{background:#fff;max-width:580px;width:92%;margin:40px;padding:38px 40px 34px;border-radius:18px;
+box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center;border-top:4px solid #cb0000}
+.logo{font-weight:800;font-size:15px;letter-spacing:.2px}.logo span{color:#cb0000}
+h1{font-size:29px;margin:12px 0 8px;letter-spacing:-.5px}
+.sub{color:#64748b;margin:0 0 24px;font-size:15px}
 form{display:flex;flex-direction:column;gap:10px;text-align:left}
-label{font-size:13px;font-weight:600;color:#475569}
+label{font-size:13px;font-weight:700;color:#334155}
 input{padding:14px 16px;border:1px solid #cbd5e1;border-radius:10px;font-size:16px;width:100%}
 input:focus{outline:none;border-color:#cb0000;box-shadow:0 0 0 3px rgba(203,0,0,.12)}
-.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px}
+.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px;line-height:1.55}
 .hint code{background:#f1f5f9;padding:1px 6px;border-radius:5px}
-input[type=file]{padding:12px;background:#f8fafc;cursor:pointer}
+/* 文件选择器：美化成虚线投放区 + 红色按钮 */
+input[type=file]{width:100%;padding:20px 16px;border:2px dashed #cbd5e1;border-radius:12px;
+background:#f8fafc;cursor:pointer;font-size:14px;color:#64748b;transition:.15s}
+input[type=file]:hover{border-color:#cb0000;background:#fff}
+input[type=file]::file-selector-button{background:#cb0000;color:#fff;border:0;border-radius:8px;
+padding:9px 18px;margin-right:14px;font-weight:700;font-size:14px;cursor:pointer}
+input[type=file]::file-selector-button:hover{background:#a80000}
 button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;font-size:16px;
-font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
+font-weight:700;cursor:pointer;margin-top:4px;transition:.15s}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
 .status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.11",
+  "version": "0.7.13",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [

package/src/compliance/audit.ts

@@ -317,11 +317,12 @@ function checkEnv(c: ComplianceControl, env: EnvFacts): ControlResult {
     if (env.overseas.length > 0) {
       const names = env.overseas.map(o => o.provider_zh).join(', ')
       const namesEn = env.overseas.map(o => o.provider_en).join(', ')
-      return mk(c, 'fail',
-        `检测到境外大模型端点配置: ${names} — 若向其发送个人信息/重要数据即构成数据出境，须走合规路径`,
-        `Overseas LLM endpoint(s) configured: ${namesEn} — sending PI/important data = cross-border export`)
+      // 检出境外调用是"事实"，是否违规取决于是否发送 PII/重要数据 → 标"需评估"而非"不合规"
+      return mk(c, 'warn',
+        `检测到境外大模型调用: ${names}。是否违规取决于发送的数据：涉及个人信息/重要数据需走合规路径或改用境内模型；仅非个人/非重要数据通常可接受。`,
+        `Overseas LLM detected: ${namesEn}. Compliance depends on the data sent — PI/important data needs a compliant path; non-personal data is usually fine.`)
     }
-    return mk(c, 'pass', '未检测到境外大模型端点配置', 'No overseas LLM endpoint detected')
+    return mk(c, 'pass', '未检测到境外大模型调用', 'No overseas LLM detected')
   }
   return mk(c, 'manual', '需人工确认', 'Manual check required')
 }

package/src/compliance/html-report.ts

@@ -20,7 +20,7 @@ const STATUS: Record<ControlStatus, { zh: string; en: string; cls: string }> = {
 }
 
 const KIND: Record<FindingKind, { zh: string; en: string; icon: string }> = {
-  overseas: { zh: '数据出境风险', en: 'Data export risk', icon: '🌐' },
+  overseas: { zh: '境外大模型调用（需评估出境）', en: 'Overseas LLM (assess export)', icon: '🌐' },
   secret: { zh: '硬编码密钥', en: 'Hardcoded secret', icon: '🔑' },
   pii: { zh: '个人信息暴露', en: 'PII exposure', icon: '🪪' },
   'env-perm': { zh: '.env 权限', en: '.env permission', icon: '📂' },
@@ -192,6 +192,22 @@ export function renderHtmlReport(
     S.push('</tbody></table></div>')
   }
 
+  // ===== 接入运行时指引：把 ⚪ 待核验项变成可验证（回答"需要接入才能测"）=====
+  if (report.staticScan && report.manual > 0) {
+    const cfg = `{
+  "mcpServers": {
+    "shellward": { "command": "npx", "args": ["-y", "-p", "shellward", "shellward-mcp"] }
+  }
+}`
+    S.push(sectionHead('🔌', t('让待核验项可验证：接入运行时', 'Make ⚪ items verifiable: deploy runtime'),
+      t('静态扫描测不了运行时行为，接入后这些项才能被持续验证', 'Static scan cannot test runtime behavior; deploy to validate')))
+    S.push(`<p class="note">${t(
+      `把下面这段加到 Claude Desktop / Cursor / OpenClaw 的 MCP 配置，重启后 ShellWard 就作为<b>运行时防护</b>在你的 AI 应用里运行——上方 ${report.manual} 项（审计留存、运行时拦截、数据外发管控等）即可被真实验证。`,
+      `Add this to your Claude Desktop / Cursor / OpenClaw MCP config and restart — ShellWard then runs as a <b>runtime guard</b>, validating the ${report.manual} ⚪ items above.`)}</p>`)
+    S.push(`<div class="cfg"><pre id="mcpcfg">${esc(cfg)}</pre><button onclick="(function(b){navigator.clipboard&&navigator.clipboard.writeText(document.getElementById('mcpcfg').textContent).then(function(){b.textContent='${t('已复制', 'Copied')}'})})(this)">${t('复制', 'Copy')}</button></div>`)
+    S.push(`<p class="muted">${t('或命令行直接起：', 'Or run directly:')} <code>npx shellward mcp</code> · ${t('文档', 'Docs')}: <a href="https://github.com/jnMetaCode/shellward">github.com/jnMetaCode/shellward</a></p>`)
+  }
+
   const disclaimer = t(
     '本报告由 ShellWard 合规网关自动生成，帮助评估并满足合规技术要求，不构成法律意见，亦不替代算法备案/定级备案/PIA 等主体责任。⚪ 待确认项需结合业务人工判定。',
     'Generated by ShellWard Compliance Gateway. Assists with technical compliance; not legal advice. ⚪ items require manual review.')
@@ -364,6 +380,12 @@ table.tbl td.right{width:64px}
 .manual-note{margin:8px 36px 12px;font-size:13px;color:#475569;background:#eff6ff;
   border-left:3px solid #3b82f6;line-height:1.6}
 .manual-note code{background:#dbeafe;padding:1px 6px;border-radius:5px}
+.cfg{position:relative;margin:8px 36px}
+.cfg pre{background:#0f172a;color:#e2e8f0;border-radius:10px;padding:16px 18px;margin:0;
+  font-family:ui-monospace,Menlo,monospace;font-size:12.5px;overflow-x:auto;line-height:1.5}
+.cfg button{position:absolute;top:10px;right:12px;background:#1e293b;color:#94a3b8;border:0;
+  border-radius:6px;padding:5px 12px;font-size:12px;cursor:pointer}
+.cfg button:hover{color:#fff}
 
 /* 法规分组 */
 .reg{margin:14px 36px;padding:0;border:1px solid var(--line);border-radius:12px;overflow:hidden}

package/src/compliance/report.ts

@@ -130,7 +130,7 @@ export function renderComplianceReport(report: ComplianceReport, locale: 'zh' |
 }
 
 const KIND_LABEL: Record<FindingKind, { zh: string; en: string; icon: string }> = {
-  overseas: { zh: '数据出境风险', en: 'Data export risk', icon: '🌐' },
+  overseas: { zh: '境外大模型调用（需评估出境）', en: 'Overseas LLM (assess export)', icon: '🌐' },
   secret: { zh: '硬编码密钥', en: 'Hardcoded secret', icon: '🔑' },
   pii: { zh: '个人信息暴露', en: 'PII exposure', icon: '🪪' },
   'env-perm': { zh: '.env 权限', en: '.env permission', icon: '📂' },

package/src/web/scan-server.ts

@@ -41,9 +41,13 @@ export function validateRepoUrl(input: string): { ok: true; url: string } | { ok
   return { ok: true, url }
 }
 
+// 报告「返回」链接：本地模式用绝对地址（上传报告经 blob: URL 打开，相对 '/' 会失效）
+let SERVER_BASE = '/'
+
 export function startWebServer(opts: WebServerOptions): void {
   const locale = resolveLocale(DEFAULT_CONFIG)
   const host = opts.local ? '127.0.0.1' : '0.0.0.0'
+  SERVER_BASE = opts.local ? `http://localhost:${opts.port}/` : '/'
   let active = 0
 
   const server = createServer(async (req, res) => {
@@ -113,7 +117,7 @@ async function handleRepo(res: any, repo: string, locale: 'zh' | 'en', inc: () =
   try {
     await cloneRepo(v.url, dir)
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: v.url, backLink: SERVER_BASE }))
   } catch (e: any) {
     const msg = esc(e?.message || String(e))
     send(res, 502, 'text/html', errorPage(
@@ -133,7 +137,7 @@ async function handleLocal(res: any, path: string, locale: 'zh' | 'en', inc: ()
   inc()
   try {
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, root)
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root, backLink: SERVER_BASE }))
   } finally {
     dec()
   }
@@ -176,7 +180,7 @@ async function handleUpload(req: any, res: any, locale: 'zh' | 'en', inc: () =>
     }
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
     const rootName = typeof payload.root === 'string' && payload.root ? payload.root : '(uploaded folder)'
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: rootName, backLink: SERVER_BASE }))
   } catch (e: any) {
     send(res, 500, 'text/html', errorPage('扫描失败：' + esc(e?.message || String(e))))
   } finally {
@@ -226,7 +230,7 @@ function handleDemo(res: any, locale: 'zh' | 'en', inc: () => void, dec: () => v
     writeFileSync(join(dir, '.env'),
       'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n')
     const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
-    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: '/' }))
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app', backLink: SERVER_BASE }))
   } catch (e: any) {
     send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))))
   } finally {
@@ -373,20 +377,26 @@ function page(title: string, body: string): string {
 *{box-sizing:border-box}body{margin:0;min-height:100vh;display:grid;place-items:center;
 background:linear-gradient(135deg,#eef1f6,#e2e8f0);color:#0f172a;
 font:16px/1.6 -apple-system,BlinkMacSystemFont,"Segoe UI","PingFang SC","Microsoft YaHei",sans-serif}
-.hero{background:#fff;max-width:560px;width:92%;margin:40px;padding:40px;border-radius:18px;
-box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center}
-.logo{font-weight:800;font-size:15px}.logo span{color:#cb0000}
-h1{font-size:30px;margin:14px 0 8px;letter-spacing:-.5px}
-.sub{color:#64748b;margin:0 0 26px}
+.hero{background:#fff;max-width:580px;width:92%;margin:40px;padding:38px 40px 34px;border-radius:18px;
+box-shadow:0 12px 40px rgba(15,23,42,.12);text-align:center;border-top:4px solid #cb0000}
+.logo{font-weight:800;font-size:15px;letter-spacing:.2px}.logo span{color:#cb0000}
+h1{font-size:29px;margin:12px 0 8px;letter-spacing:-.5px}
+.sub{color:#64748b;margin:0 0 24px;font-size:15px}
 form{display:flex;flex-direction:column;gap:10px;text-align:left}
-label{font-size:13px;font-weight:600;color:#475569}
+label{font-size:13px;font-weight:700;color:#334155}
 input{padding:14px 16px;border:1px solid #cbd5e1;border-radius:10px;font-size:16px;width:100%}
 input:focus{outline:none;border-color:#cb0000;box-shadow:0 0 0 3px rgba(203,0,0,.12)}
-.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px}
+.hint{font-size:12.5px;color:#64748b;margin:2px 0 6px;line-height:1.55}
 .hint code{background:#f1f5f9;padding:1px 6px;border-radius:5px}
-input[type=file]{padding:12px;background:#f8fafc;cursor:pointer}
+/* 文件选择器：美化成虚线投放区 + 红色按钮 */
+input[type=file]{width:100%;padding:20px 16px;border:2px dashed #cbd5e1;border-radius:12px;
+background:#f8fafc;cursor:pointer;font-size:14px;color:#64748b;transition:.15s}
+input[type=file]:hover{border-color:#cb0000;background:#fff}
+input[type=file]::file-selector-button{background:#cb0000;color:#fff;border:0;border-radius:8px;
+padding:9px 18px;margin-right:14px;font-weight:700;font-size:14px;cursor:pointer}
+input[type=file]::file-selector-button:hover{background:#a80000}
 button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;font-size:16px;
-font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
+font-weight:700;cursor:pointer;margin-top:4px;transition:.15s}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
 .status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;