shellward 0.7.4 → 0.7.6

package/README.md

@@ -8,7 +8,7 @@
 
 [![npm](https://img.shields.io/npm/v/shellward?color=cb0000&label=npm)](https://www.npmjs.com/package/shellward)
 [![license](https://img.shields.io/badge/license-Apache--2.0-blue)](./LICENSE)
-[![tests](https://img.shields.io/badge/tests-282%20passing-brightgreen)](#performance)
+[![tests](https://img.shields.io/badge/tests-300%20passing-brightgreen)](#performance)
 [![deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#performance)
 
 **🌐 官网: https://jnmetacode.github.io/shellward/**

package/dist/compliance/html-report.js

@@ -74,7 +74,14 @@ export function renderHtmlReport(report, scan, locale, meta) {
     // ===== 项目实测风险 =====
     S.push(sectionHead('🔍', t('项目实测风险', 'Project Scan Findings'), t(`已扫描 ${scan.filesScanned} 个文件${scan.truncated ? '（已达上限）' : ''} · 耗时 ${scan.durationMs ?? '?'}ms · 应用 ${scan.rulesChecked ?? '?'} 条检测规则`, `Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`)));
     if (scan.findings.length === 0) {
-        S.push(`<div class="empty">🟢 ${t('未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。', 'No hardcoded secrets, PII, or overseas endpoints found in project files.')}</div>`);
+        // 空结果也要展示"检查过程"——逐项列出查了什么、均未命中，证明确实扫了
+        S.push(`<div class="empty">🟢 ${t('逐项检查完成，未在可扫描文件中发现风险。', 'All checks passed — no risks found in scannable files.')}</div>`);
+        S.push(`<table class="tbl checked"><tbody>
+      <tr><td>🌐 ${t('境外大模型端点 + SDK 依赖', 'Overseas LLM endpoints + SDK deps')}</td><td class="muted">${t('OpenAI / Anthropic / Gemini / Cohere… 共 38 个特征', '38 signatures')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🔑 ${t('硬编码密钥', 'Hardcoded secrets')}</td><td class="muted">${t('OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串', 'OpenAI/GitHub/AWS/private key/JWT/password/conn-string')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🪪 ${t('中文 PII + 国际 PII', 'Chinese + intl PII')}</td><td class="muted">${t('身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡', 'CN ID(checksum)/mobile/UnionPay(Luhn)/SSN/credit card')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>📂 .env ${t('权限', 'permission')}</td><td class="muted">${t('含密钥的 .env 不应组/其他可读', '.env should not be group/other readable')}</td><td class="right ok">✓ ${t('正常', 'OK')}</td></tr>
+    </tbody></table>`);
     }
     else {
         S.push('<div class="chips">');
@@ -258,6 +265,8 @@ section,.reg{padding:0 36px}
   padding:0 8px;border-radius:999px;margin-left:4px;font-weight:600}
 .empty{margin:8px 36px;padding:16px 18px;background:var(--pass-bg);color:var(--pass);
   border-radius:10px;font-weight:600;font-size:14px}
+.checked td.ok{color:var(--pass);font-weight:700}
+.checked td:first-child{font-weight:600;white-space:nowrap}
 
 /* chips 概览 */
 .chips{display:flex;flex-wrap:wrap;gap:8px;margin:6px 36px 4px}

package/dist/compliance/report.js

@@ -130,7 +130,24 @@ export function renderProjectFindings(scan, locale) {
         : `> Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`);
     L.push('');
     if (scan.findings.length === 0) {
-        L.push(zh ? '🟢 未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。' : '🟢 No hardcoded secrets, PII exposure, or overseas endpoints found in project files.');
+        L.push(zh ? '🟢 逐项检查完成，未在可扫描文件中发现风险：' : '🟢 All checks passed — no risks found:');
+        L.push('');
+        if (zh) {
+            L.push('| 检查项 | 覆盖 | 结果 |');
+            L.push('|---|---|---|');
+            L.push('| 🌐 境外大模型端点 + SDK 依赖 | OpenAI/Anthropic/Gemini… 38 个特征 | ✓ 0 命中 |');
+            L.push('| 🔑 硬编码密钥 | OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串 | ✓ 0 命中 |');
+            L.push('| 🪪 中文+国际 PII | 身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡 | ✓ 0 命中 |');
+            L.push('| 📂 .env 权限 | 含密钥的 .env 不应组/其他可读 | ✓ 正常 |');
+        }
+        else {
+            L.push('| Check | Coverage | Result |');
+            L.push('|---|---|---|');
+            L.push('| 🌐 Overseas endpoints + SDK deps | 38 signatures | ✓ 0 hits |');
+            L.push('| 🔑 Hardcoded secrets | OpenAI/GitHub/AWS/private key/JWT/password | ✓ 0 hits |');
+            L.push('| 🪪 PII (CN + intl) | CN ID/mobile/UnionPay/SSN/credit card | ✓ 0 hits |');
+            L.push('| 📂 .env permission | group/other-readable check | ✓ OK |');
+        }
         L.push('');
         return L.join('\n');
     }

package/dist/web/scan-server.js

@@ -52,6 +52,12 @@ export function startWebServer(opts) {
                     return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'));
                 return await handleUpload(req, res, locale, () => { active++; }, () => { active--; });
             }
+            // 演示：扫一个内置的「含风险样例项目」——证明"秒出≠没检查"（满屏发现 + 行号）
+            if (u.pathname === '/demo') {
+                if (active >= MAX_CONCURRENT)
+                    return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'));
+                return handleDemo(res, locale, () => { active++; }, () => { active--; });
+            }
             if (u.pathname === '/scan') {
                 if (active >= MAX_CONCURRENT) {
                     return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试（并发上限）'));
@@ -193,6 +199,36 @@ async function handleUpload(req, res, locale, inc, dec) {
         catch { /* ignore */ }
     }
 }
+/** 演示：内置「含风险样例项目」扫描，证明检测真在工作 */
+function handleDemo(res, locale, inc, dec) {
+    const dir = mkdtempSync(join(tmpdir(), 'sw-demo-'));
+    inc();
+    try {
+        mkdirSync(join(dir, 'src'), { recursive: true });
+        mkdirSync(join(dir, 'data'), { recursive: true });
+        writeFileSync(join(dir, 'package.json'), JSON.stringify({
+            name: 'demo-ai-app', dependencies: { 'openai': '^4.20.0', '@anthropic-ai/sdk': '^0.20.0', 'express': '^4' },
+        }, null, 2));
+        writeFileSync(join(dir, 'src', 'config.ts'), 'export const LLM = "https://api.openai.com/v1"\n'
+            + 'const OPENAI_KEY = "sk-Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz0"\n'
+            + 'const GITHUB_TOKEN = "ghp_Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz"\n'
+            + 'export const ADMIN_PHONE = "13912345678"\n');
+        writeFileSync(join(dir, 'data', 'customers.csv'), 'name,id_card,phone,card\n张三,110101199003071233,13800138000,4111111111111111\n');
+        writeFileSync(join(dir, '.env'), 'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n');
+        const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app' }));
+    }
+    catch (e) {
+        send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))));
+    }
+    finally {
+        dec();
+        try {
+            rmSync(dir, { recursive: true, force: true });
+        }
+        catch { /* ignore */ }
+    }
+}
 /** 浅克隆公开仓库到临时目录（不鉴权、超时、不执行任何仓库代码） */
 function cloneRepo(url, dir) {
     return new Promise((res, rej) => {
@@ -227,6 +263,7 @@ function formPage(local) {
         <label>① 选择本地项目文件夹（推荐）</label>
         <input type="file" id="dir" webkitdirectory directory multiple>
         <button id="dbtn" type="submit">开始体检 →</button>
+        <div id="status" class="status"></div>
         <p class="hint">📂 直接选你的项目文件夹，无需敲路径。文件仅发送到<b>本机的本地服务</b>处理，<b>不经过任何外部服务器、不出本机</b>。</p>
       </form>
       <div class="or">— 或 —</div>` : '';
@@ -237,23 +274,27 @@ function formPage(local) {
       <p class="sub">${local ? '选项目文件夹或贴公开仓库链接' : '贴公开仓库链接'}，30 秒查出数据出境 / 硬编码密钥 / 个人信息暴露等中国合规红线。</p>
       ${uploadForm}
       ${urlForm}
+      <p class="demo">🤔 觉得"秒出"不真？ <a href="/demo">▶ 看一个含风险的示例报告</a>（同样秒出，但满屏发现 + 行号）</p>
       <p class="foot">网安法 2026 · PIPL · 等保2.0 · 数据出境 · AI标识 ｜ 零依赖 · 开源 ·
         <a href="https://github.com/jnMetaCode/shellward">GitHub ⭐</a></p>
     </div>
     ${local ? UPLOAD_SCRIPT : ''}`);
 }
 // 客户端：读取所选文件夹 → 过滤(跳过 node_modules 等、仅文本/配置、限大小) → POST 到本机服务
+// 注意：过滤后缀须与服务端 SCAN_EXT 对齐（含 .md），否则 markdown 项目会被全滤光显得"扫不了"。
 const UPLOAD_SCRIPT = `<script>
 (function(){
   var SKIP=/(^|\\/)(node_modules|\\.git|dist|build|\\.next|out|vendor|coverage|\\.venv|venv|__pycache__|target|\\.cache)(\\/|$)/;
-  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv)$/i;
+  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv|md|mdx|ipynb|properties|xml|gradle|tf)$/i;
   var ENV=/(^|\\/)\\.env(\\.|$)/; var DEP=/^(package\\.json|requirements\\.txt|pyproject\\.toml|go\\.mod)$/;
   var form=document.getElementById('dirform'); if(!form) return;
+  var statusEl=document.getElementById('status');
+  function s(m){ if(statusEl){statusEl.textContent=m;statusEl.style.display='block';} }
   form.addEventListener('submit', async function(e){
     e.preventDefault();
     var inp=document.getElementById('dir'), btn=document.getElementById('dbtn');
-    if(!inp.files||!inp.files.length){alert('请先选择项目文件夹');return;}
-    btn.disabled=true; btn.textContent='读取中…';
+    if(!inp.files||!inp.files.length){ s('请先点上方按钮选择项目文件夹'); return; }
+    btn.disabled=true;
     var picked=[], total=0, root='';
     for(var i=0;i<inp.files.length;i++){
       var f=inp.files[i], rel=f.webkitRelativePath||f.name; if(!root)root=rel.split('/')[0];
@@ -264,13 +305,17 @@ const UPLOAD_SCRIPT = `<script>
       if(picked.length>=3000||total>8388608) break;
       total+=f.size; picked.push(f);
     }
-    if(!picked.length){alert('未找到可扫描的源码/配置文件');btn.disabled=false;btn.textContent='开始体检 →';return;}
-    btn.textContent='扫描中… ('+picked.length+' 个文件)';
+    if(!picked.length){ s('未找到可扫描的源码/配置文件（已自动跳过 node_modules、图片、超大文件）。请选含代码或配置的目录。'); btn.disabled=false; return; }
+    s('读取 '+picked.length+' 个文件…');
     var out=[]; for(var j=0;j<picked.length;j++){ try{ out.push({path:picked[j].webkitRelativePath||picked[j].name, content:await picked[j].text()}); }catch(_){} }
+    s('扫描中…（'+out.length+' 个文件，请稍候）');
     try{
       var resp=await fetch('/scan-files',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({root:root,files:out})});
-      var html=await resp.text(); document.open(); document.write(html); document.close();
-    }catch(err){ alert('扫描失败: '+err); btn.disabled=false; btn.textContent='开始体检 →'; }
+      if(!resp.ok){ s('扫描失败：HTTP '+resp.status+'。请重试，或改用命令行 npx shellward scan。'); btn.disabled=false; return; }
+      var html=await resp.text();
+      // 用 Blob URL 跳转展示报告（比 document.write 可靠）
+      window.location.href=URL.createObjectURL(new Blob([html],{type:'text/html'}));
+    }catch(err){ s('扫描失败：'+(err&&err.message||err)+'。请重试。'); btn.disabled=false; }
   });
 })();
 </script>`;
@@ -302,6 +347,9 @@ button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;fo
 font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
+.status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
+color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
+.demo{margin:18px 0 0;font-size:13px;color:#475569}.demo a{font-weight:600}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.4",
+  "version": "0.7.6",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [
@@ -57,7 +57,7 @@
   "scripts": {
     "build": "tsc",
     "mcp": "npx tsx src/mcp-server.ts",
-    "test": "npx tsx test-sdk.ts && npx tsx test-integration.ts && npx tsx test-edge-cases.ts && npx tsx test-rugpull.ts && npx tsx test-redos.ts && npx tsx test-mcp-client.ts && npx tsx test-mcp.ts && npx tsx test-compliance.ts",
+    "test": "npx tsx test-sdk.ts && npx tsx test-integration.ts && npx tsx test-edge-cases.ts && npx tsx test-rugpull.ts && npx tsx test-redos.ts && npx tsx test-mcp-client.ts && npx tsx test-mcp.ts && npx tsx test-compliance.ts && npx tsx test-web.ts",
     "test:redos": "npx tsx test-redos.ts",
     "test:compliance": "npx tsx test-compliance.ts",
     "test:integration": "npx tsx test-integration.ts",

package/src/compliance/html-report.ts

@@ -100,8 +100,14 @@ export function renderHtmlReport(
       `Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`)))
 
   if (scan.findings.length === 0) {
-    S.push(`<div class="empty">🟢 ${t('未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。',
-      'No hardcoded secrets, PII, or overseas endpoints found in project files.')}</div>`)
+    // 空结果也要展示"检查过程"——逐项列出查了什么、均未命中，证明确实扫了
+    S.push(`<div class="empty">🟢 ${t('逐项检查完成，未在可扫描文件中发现风险。', 'All checks passed — no risks found in scannable files.')}</div>`)
+    S.push(`<table class="tbl checked"><tbody>
+      <tr><td>🌐 ${t('境外大模型端点 + SDK 依赖', 'Overseas LLM endpoints + SDK deps')}</td><td class="muted">${t('OpenAI / Anthropic / Gemini / Cohere… 共 38 个特征', '38 signatures')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🔑 ${t('硬编码密钥', 'Hardcoded secrets')}</td><td class="muted">${t('OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串', 'OpenAI/GitHub/AWS/private key/JWT/password/conn-string')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🪪 ${t('中文 PII + 国际 PII', 'Chinese + intl PII')}</td><td class="muted">${t('身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡', 'CN ID(checksum)/mobile/UnionPay(Luhn)/SSN/credit card')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>📂 .env ${t('权限', 'permission')}</td><td class="muted">${t('含密钥的 .env 不应组/其他可读', '.env should not be group/other readable')}</td><td class="right ok">✓ ${t('正常', 'OK')}</td></tr>
+    </tbody></table>`)
   } else {
     S.push('<div class="chips">')
     for (const k of KIND_ORDER) if (scan.counts[k] > 0) {
@@ -296,6 +302,8 @@ section,.reg{padding:0 36px}
   padding:0 8px;border-radius:999px;margin-left:4px;font-weight:600}
 .empty{margin:8px 36px;padding:16px 18px;background:var(--pass-bg);color:var(--pass);
   border-radius:10px;font-weight:600;font-size:14px}
+.checked td.ok{color:var(--pass);font-weight:700}
+.checked td:first-child{font-weight:600;white-space:nowrap}
 
 /* chips 概览 */
 .chips{display:flex;flex-wrap:wrap;gap:8px;margin:6px 36px 4px}

package/src/compliance/report.ts

@@ -146,7 +146,23 @@ export function renderProjectFindings(scan: ProjectScanResult, locale: 'zh' | 'e
   L.push('')
 
   if (scan.findings.length === 0) {
-    L.push(zh ? '🟢 未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。' : '🟢 No hardcoded secrets, PII exposure, or overseas endpoints found in project files.')
+    L.push(zh ? '🟢 逐项检查完成，未在可扫描文件中发现风险：' : '🟢 All checks passed — no risks found:')
+    L.push('')
+    if (zh) {
+      L.push('| 检查项 | 覆盖 | 结果 |')
+      L.push('|---|---|---|')
+      L.push('| 🌐 境外大模型端点 + SDK 依赖 | OpenAI/Anthropic/Gemini… 38 个特征 | ✓ 0 命中 |')
+      L.push('| 🔑 硬编码密钥 | OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串 | ✓ 0 命中 |')
+      L.push('| 🪪 中文+国际 PII | 身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡 | ✓ 0 命中 |')
+      L.push('| 📂 .env 权限 | 含密钥的 .env 不应组/其他可读 | ✓ 正常 |')
+    } else {
+      L.push('| Check | Coverage | Result |')
+      L.push('|---|---|---|')
+      L.push('| 🌐 Overseas endpoints + SDK deps | 38 signatures | ✓ 0 hits |')
+      L.push('| 🔑 Hardcoded secrets | OpenAI/GitHub/AWS/private key/JWT/password | ✓ 0 hits |')
+      L.push('| 🪪 PII (CN + intl) | CN ID/mobile/UnionPay/SSN/credit card | ✓ 0 hits |')
+      L.push('| 📂 .env permission | group/other-readable check | ✓ OK |')
+    }
     L.push('')
     return L.join('\n')
   }

package/src/web/scan-server.ts

@@ -58,6 +58,11 @@ export function startWebServer(opts: WebServerOptions): void {
         if (active >= MAX_CONCURRENT) return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'))
         return await handleUpload(req, res, locale, () => { active++ }, () => { active-- })
       }
+      // 演示：扫一个内置的「含风险样例项目」——证明"秒出≠没检查"（满屏发现 + 行号）
+      if (u.pathname === '/demo') {
+        if (active >= MAX_CONCURRENT) return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'))
+        return handleDemo(res, locale, () => { active++ }, () => { active-- })
+      }
       if (u.pathname === '/scan') {
         if (active >= MAX_CONCURRENT) {
           return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试（并发上限）'))
@@ -175,6 +180,35 @@ async function handleUpload(req: any, res: any, locale: 'zh' | 'en', inc: () =>
   }
 }
 
+/** 演示：内置「含风险样例项目」扫描，证明检测真在工作 */
+function handleDemo(res: any, locale: 'zh' | 'en', inc: () => void, dec: () => void) {
+  const dir = mkdtempSync(join(tmpdir(), 'sw-demo-'))
+  inc()
+  try {
+    mkdirSync(join(dir, 'src'), { recursive: true })
+    mkdirSync(join(dir, 'data'), { recursive: true })
+    writeFileSync(join(dir, 'package.json'), JSON.stringify({
+      name: 'demo-ai-app', dependencies: { 'openai': '^4.20.0', '@anthropic-ai/sdk': '^0.20.0', 'express': '^4' },
+    }, null, 2))
+    writeFileSync(join(dir, 'src', 'config.ts'),
+      'export const LLM = "https://api.openai.com/v1"\n'
+      + 'const OPENAI_KEY = "sk-Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz0"\n'
+      + 'const GITHUB_TOKEN = "ghp_Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz"\n'
+      + 'export const ADMIN_PHONE = "13912345678"\n')
+    writeFileSync(join(dir, 'data', 'customers.csv'),
+      'name,id_card,phone,card\n张三,110101199003071233,13800138000,4111111111111111\n')
+    writeFileSync(join(dir, '.env'),
+      'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n')
+    const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app' }))
+  } catch (e: any) {
+    send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))))
+  } finally {
+    dec()
+    try { rmSync(dir, { recursive: true, force: true }) } catch { /* ignore */ }
+  }
+}
+
 /** 浅克隆公开仓库到临时目录（不鉴权、超时、不执行任何仓库代码） */
 function cloneRepo(url: string, dir: string): Promise<void> {
   return new Promise((res, rej) => {
@@ -212,6 +246,7 @@ function formPage(local: boolean): string {
         <label>① 选择本地项目文件夹（推荐）</label>
         <input type="file" id="dir" webkitdirectory directory multiple>
         <button id="dbtn" type="submit">开始体检 →</button>
+        <div id="status" class="status"></div>
         <p class="hint">📂 直接选你的项目文件夹，无需敲路径。文件仅发送到<b>本机的本地服务</b>处理，<b>不经过任何外部服务器、不出本机</b>。</p>
       </form>
       <div class="or">— 或 —</div>` : ''
@@ -223,6 +258,7 @@ function formPage(local: boolean): string {
       <p class="sub">${local ? '选项目文件夹或贴公开仓库链接' : '贴公开仓库链接'}，30 秒查出数据出境 / 硬编码密钥 / 个人信息暴露等中国合规红线。</p>
       ${uploadForm}
       ${urlForm}
+      <p class="demo">🤔 觉得"秒出"不真？ <a href="/demo">▶ 看一个含风险的示例报告</a>（同样秒出，但满屏发现 + 行号）</p>
       <p class="foot">网安法 2026 · PIPL · 等保2.0 · 数据出境 · AI标识 ｜ 零依赖 · 开源 ·
         <a href="https://github.com/jnMetaCode/shellward">GitHub ⭐</a></p>
     </div>
@@ -230,17 +266,20 @@ function formPage(local: boolean): string {
 }
 
 // 客户端：读取所选文件夹 → 过滤(跳过 node_modules 等、仅文本/配置、限大小) → POST 到本机服务
+// 注意：过滤后缀须与服务端 SCAN_EXT 对齐（含 .md），否则 markdown 项目会被全滤光显得"扫不了"。
 const UPLOAD_SCRIPT = `<script>
 (function(){
   var SKIP=/(^|\\/)(node_modules|\\.git|dist|build|\\.next|out|vendor|coverage|\\.venv|venv|__pycache__|target|\\.cache)(\\/|$)/;
-  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv)$/i;
+  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv|md|mdx|ipynb|properties|xml|gradle|tf)$/i;
   var ENV=/(^|\\/)\\.env(\\.|$)/; var DEP=/^(package\\.json|requirements\\.txt|pyproject\\.toml|go\\.mod)$/;
   var form=document.getElementById('dirform'); if(!form) return;
+  var statusEl=document.getElementById('status');
+  function s(m){ if(statusEl){statusEl.textContent=m;statusEl.style.display='block';} }
   form.addEventListener('submit', async function(e){
     e.preventDefault();
     var inp=document.getElementById('dir'), btn=document.getElementById('dbtn');
-    if(!inp.files||!inp.files.length){alert('请先选择项目文件夹');return;}
-    btn.disabled=true; btn.textContent='读取中…';
+    if(!inp.files||!inp.files.length){ s('请先点上方按钮选择项目文件夹'); return; }
+    btn.disabled=true;
     var picked=[], total=0, root='';
     for(var i=0;i<inp.files.length;i++){
       var f=inp.files[i], rel=f.webkitRelativePath||f.name; if(!root)root=rel.split('/')[0];
@@ -251,13 +290,17 @@ const UPLOAD_SCRIPT = `<script>
       if(picked.length>=3000||total>8388608) break;
       total+=f.size; picked.push(f);
     }
-    if(!picked.length){alert('未找到可扫描的源码/配置文件');btn.disabled=false;btn.textContent='开始体检 →';return;}
-    btn.textContent='扫描中… ('+picked.length+' 个文件)';
+    if(!picked.length){ s('未找到可扫描的源码/配置文件（已自动跳过 node_modules、图片、超大文件）。请选含代码或配置的目录。'); btn.disabled=false; return; }
+    s('读取 '+picked.length+' 个文件…');
     var out=[]; for(var j=0;j<picked.length;j++){ try{ out.push({path:picked[j].webkitRelativePath||picked[j].name, content:await picked[j].text()}); }catch(_){} }
+    s('扫描中…（'+out.length+' 个文件，请稍候）');
     try{
       var resp=await fetch('/scan-files',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({root:root,files:out})});
-      var html=await resp.text(); document.open(); document.write(html); document.close();
-    }catch(err){ alert('扫描失败: '+err); btn.disabled=false; btn.textContent='开始体检 →'; }
+      if(!resp.ok){ s('扫描失败：HTTP '+resp.status+'。请重试，或改用命令行 npx shellward scan。'); btn.disabled=false; return; }
+      var html=await resp.text();
+      // 用 Blob URL 跳转展示报告（比 document.write 可靠）
+      window.location.href=URL.createObjectURL(new Blob([html],{type:'text/html'}));
+    }catch(err){ s('扫描失败：'+(err&&err.message||err)+'。请重试。'); btn.disabled=false; }
   });
 })();
 </script>`
@@ -291,6 +334,9 @@ button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;fo
 font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
+.status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
+color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
+.demo{margin:18px 0 0;font-size:13px;color:#475569}.demo a{font-weight:600}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`