npm - shellward - Versions diffs - 0.7.3 → 0.7.5 - Mend

shellward 0.7.3 → 0.7.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -8,7 +8,7 @@
 [![npm](https://img.shields.io/npm/v/shellward?color=cb0000&label=npm)](https://www.npmjs.com/package/shellward)
 [![license](https://img.shields.io/badge/license-Apache--2.0-blue)](./LICENSE)
-[![tests](https://img.shields.io/badge/tests-282%20passing-brightgreen)](#performance)
+[![tests](https://img.shields.io/badge/tests-300%20passing-brightgreen)](#performance)
 [![deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#performance)
 **🌐 官网: https://jnmetacode.github.io/shellward/**
@@ -390,6 +390,9 @@ Effectiveness is measured, not asserted. `npm run bench` runs every detector ove
 | Dangerous commands | 100% | 100% | 100% |
 | PII / secrets | 100% | 100% | 100% |
 | MCP tool poisoning | 100% | 100% | 100% |
+| **Compliance scan** (overseas / secret / PII vs hard negatives) | 100% | 100% | 100% |
+The compliance scanner has its own gated corpus — `npm run bench:scan` runs the **real `scanProject` pipeline** over 31 labeled cases (17 real risks + 14 hard negatives: domestic endpoints, placeholder keys, doc examples, lock files, invalid checksums). Self-authored corpus, CI-gated against regression.
 83 gated samples (attacks + hard negatives). Zero-width-interleaved and empty-quote (`r''m`) obfuscation are normalized before matching. The corpus also tracks **5 documented bypasses** (leetspeak, base64, non-zh/en languages, shell variable indirection) that regex/heuristics are not expected to catch — listed explicitly and excluded from the gate rather than hidden.

package/dist/web/scan-server.js CHANGED Viewed

@@ -227,6 +227,7 @@ function formPage(local) {
         <label>① 选择本地项目文件夹（推荐）</label>
         <input type="file" id="dir" webkitdirectory directory multiple>
         <button id="dbtn" type="submit">开始体检 →</button>
+        <div id="status" class="status"></div>
         <p class="hint">📂 直接选你的项目文件夹，无需敲路径。文件仅发送到<b>本机的本地服务</b>处理，<b>不经过任何外部服务器、不出本机</b>。</p>
       </form>
       <div class="or">— 或 —</div>` : '';
@@ -243,17 +244,20 @@ function formPage(local) {
     ${local ? UPLOAD_SCRIPT : ''}`);
 }
 // 客户端：读取所选文件夹 → 过滤(跳过 node_modules 等、仅文本/配置、限大小) → POST 到本机服务
+// 注意：过滤后缀须与服务端 SCAN_EXT 对齐（含 .md），否则 markdown 项目会被全滤光显得"扫不了"。
 const UPLOAD_SCRIPT = `<script>
 (function(){
   var SKIP=/(^|\\/)(node_modules|\\.git|dist|build|\\.next|out|vendor|coverage|\\.venv|venv|__pycache__|target|\\.cache)(\\/|$)/;
-  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv)$/i;
+  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv|md|mdx|ipynb|properties|xml|gradle|tf)$/i;
   var ENV=/(^|\\/)\\.env(\\.|$)/; var DEP=/^(package\\.json|requirements\\.txt|pyproject\\.toml|go\\.mod)$/;
   var form=document.getElementById('dirform'); if(!form) return;
+  var statusEl=document.getElementById('status');
+  function s(m){ if(statusEl){statusEl.textContent=m;statusEl.style.display='block';} }
   form.addEventListener('submit', async function(e){
     e.preventDefault();
     var inp=document.getElementById('dir'), btn=document.getElementById('dbtn');
-    if(!inp.files||!inp.files.length){alert('请先选择项目文件夹');return;}
-    btn.disabled=true; btn.textContent='读取中…';
+    if(!inp.files||!inp.files.length){ s('请先点上方按钮选择项目文件夹'); return; }
+    btn.disabled=true;
     var picked=[], total=0, root='';
     for(var i=0;i<inp.files.length;i++){
       var f=inp.files[i], rel=f.webkitRelativePath||f.name; if(!root)root=rel.split('/')[0];
@@ -264,13 +268,17 @@ const UPLOAD_SCRIPT = `<script>
       if(picked.length>=3000||total>8388608) break;
       total+=f.size; picked.push(f);
     }
-    if(!picked.length){alert('未找到可扫描的源码/配置文件');btn.disabled=false;btn.textContent='开始体检 →';return;}
-    btn.textContent='扫描中… ('+picked.length+' 个文件)';
+    if(!picked.length){ s('未找到可扫描的源码/配置文件（已自动跳过 node_modules、图片、超大文件）。请选含代码或配置的目录。'); btn.disabled=false; return; }
+    s('读取 '+picked.length+' 个文件…');
     var out=[]; for(var j=0;j<picked.length;j++){ try{ out.push({path:picked[j].webkitRelativePath||picked[j].name, content:await picked[j].text()}); }catch(_){} }
+    s('扫描中…（'+out.length+' 个文件，请稍候）');
     try{
       var resp=await fetch('/scan-files',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({root:root,files:out})});
-      var html=await resp.text(); document.open(); document.write(html); document.close();
-    }catch(err){ alert('扫描失败: '+err); btn.disabled=false; btn.textContent='开始体检 →'; }
+      if(!resp.ok){ s('扫描失败：HTTP '+resp.status+'。请重试，或改用命令行 npx shellward scan。'); btn.disabled=false; return; }
+      var html=await resp.text();
+      // 用 Blob URL 跳转展示报告（比 document.write 可靠）
+      window.location.href=URL.createObjectURL(new Blob([html],{type:'text/html'}));
+    }catch(err){ s('扫描失败：'+(err&&err.message||err)+'。请重试。'); btn.disabled=false; }
   });
 })();
 </script>`;
@@ -302,6 +310,8 @@ button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;fo
 font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
+.status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
+color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.3",
+  "version": "0.7.5",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [
@@ -57,7 +57,7 @@
   "scripts": {
     "build": "tsc",
     "mcp": "npx tsx src/mcp-server.ts",
-    "test": "npx tsx test-sdk.ts && npx tsx test-integration.ts && npx tsx test-edge-cases.ts && npx tsx test-rugpull.ts && npx tsx test-redos.ts && npx tsx test-mcp-client.ts && npx tsx test-mcp.ts && npx tsx test-compliance.ts",
+    "test": "npx tsx test-sdk.ts && npx tsx test-integration.ts && npx tsx test-edge-cases.ts && npx tsx test-rugpull.ts && npx tsx test-redos.ts && npx tsx test-mcp-client.ts && npx tsx test-mcp.ts && npx tsx test-compliance.ts && npx tsx test-web.ts",
     "test:redos": "npx tsx test-redos.ts",
     "test:compliance": "npx tsx test-compliance.ts",
     "test:integration": "npx tsx test-integration.ts",
@@ -65,6 +65,7 @@
     "test:sdk": "npx tsx test-sdk.ts",
     "test:mcp": "npx tsx test-mcp.ts",
     "bench": "npx tsx bench/run.ts",
+    "bench:scan": "npx tsx bench/scan-bench.ts",
     "prepublishOnly": "npm run build"
   },
   "openclaw": {

package/src/web/scan-server.ts CHANGED Viewed

@@ -212,6 +212,7 @@ function formPage(local: boolean): string {
         <label>① 选择本地项目文件夹（推荐）</label>
         <input type="file" id="dir" webkitdirectory directory multiple>
         <button id="dbtn" type="submit">开始体检 →</button>
+        <div id="status" class="status"></div>
         <p class="hint">📂 直接选你的项目文件夹，无需敲路径。文件仅发送到<b>本机的本地服务</b>处理，<b>不经过任何外部服务器、不出本机</b>。</p>
       </form>
       <div class="or">— 或 —</div>` : ''
@@ -230,17 +231,20 @@ function formPage(local: boolean): string {
 }
 // 客户端：读取所选文件夹 → 过滤(跳过 node_modules 等、仅文本/配置、限大小) → POST 到本机服务
+// 注意：过滤后缀须与服务端 SCAN_EXT 对齐（含 .md），否则 markdown 项目会被全滤光显得"扫不了"。
 const UPLOAD_SCRIPT = `<script>
 (function(){
   var SKIP=/(^|\\/)(node_modules|\\.git|dist|build|\\.next|out|vendor|coverage|\\.venv|venv|__pycache__|target|\\.cache)(\\/|$)/;
-  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv)$/i;
+  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv|md|mdx|ipynb|properties|xml|gradle|tf)$/i;
   var ENV=/(^|\\/)\\.env(\\.|$)/; var DEP=/^(package\\.json|requirements\\.txt|pyproject\\.toml|go\\.mod)$/;
   var form=document.getElementById('dirform'); if(!form) return;
+  var statusEl=document.getElementById('status');
+  function s(m){ if(statusEl){statusEl.textContent=m;statusEl.style.display='block';} }
   form.addEventListener('submit', async function(e){
     e.preventDefault();
     var inp=document.getElementById('dir'), btn=document.getElementById('dbtn');
-    if(!inp.files||!inp.files.length){alert('请先选择项目文件夹');return;}
-    btn.disabled=true; btn.textContent='读取中…';
+    if(!inp.files||!inp.files.length){ s('请先点上方按钮选择项目文件夹'); return; }
+    btn.disabled=true;
     var picked=[], total=0, root='';
     for(var i=0;i<inp.files.length;i++){
       var f=inp.files[i], rel=f.webkitRelativePath||f.name; if(!root)root=rel.split('/')[0];
@@ -251,13 +255,17 @@ const UPLOAD_SCRIPT = `<script>
       if(picked.length>=3000||total>8388608) break;
       total+=f.size; picked.push(f);
     }
-    if(!picked.length){alert('未找到可扫描的源码/配置文件');btn.disabled=false;btn.textContent='开始体检 →';return;}
-    btn.textContent='扫描中… ('+picked.length+' 个文件)';
+    if(!picked.length){ s('未找到可扫描的源码/配置文件（已自动跳过 node_modules、图片、超大文件）。请选含代码或配置的目录。'); btn.disabled=false; return; }
+    s('读取 '+picked.length+' 个文件…');
     var out=[]; for(var j=0;j<picked.length;j++){ try{ out.push({path:picked[j].webkitRelativePath||picked[j].name, content:await picked[j].text()}); }catch(_){} }
+    s('扫描中…（'+out.length+' 个文件，请稍候）');
     try{
       var resp=await fetch('/scan-files',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({root:root,files:out})});
-      var html=await resp.text(); document.open(); document.write(html); document.close();
-    }catch(err){ alert('扫描失败: '+err); btn.disabled=false; btn.textContent='开始体检 →'; }
+      if(!resp.ok){ s('扫描失败：HTTP '+resp.status+'。请重试，或改用命令行 npx shellward scan。'); btn.disabled=false; return; }
+      var html=await resp.text();
+      // 用 Blob URL 跳转展示报告（比 document.write 可靠）
+      window.location.href=URL.createObjectURL(new Blob([html],{type:'text/html'}));
+    }catch(err){ s('扫描失败：'+(err&&err.message||err)+'。请重试。'); btn.disabled=false; }
   });
 })();
 </script>`
@@ -291,6 +299,8 @@ button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;fo
 font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
+.status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
+color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`