npm - shellward - Versions diffs - 0.7.5 → 0.7.6 - Mend

shellward 0.7.5 → 0.7.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/compliance/html-report.js +10 -1
package/dist/compliance/report.js +18 -1
package/dist/web/scan-server.js +38 -0
package/package.json +1 -1
package/src/compliance/html-report.ts +10 -2
package/src/compliance/report.ts +17 -1
package/src/web/scan-server.ts +36 -0

package/dist/compliance/html-report.js CHANGED Viewed

@@ -74,7 +74,14 @@ export function renderHtmlReport(report, scan, locale, meta) {
     // ===== 项目实测风险 =====
     S.push(sectionHead('🔍', t('项目实测风险', 'Project Scan Findings'), t(`已扫描 ${scan.filesScanned} 个文件${scan.truncated ? '（已达上限）' : ''} · 耗时 ${scan.durationMs ?? '?'}ms · 应用 ${scan.rulesChecked ?? '?'} 条检测规则`, `Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`)));
     if (scan.findings.length === 0) {
-        S.push(`<div class="empty">🟢 ${t('未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。', 'No hardcoded secrets, PII, or overseas endpoints found in project files.')}</div>`);
+        // 空结果也要展示"检查过程"——逐项列出查了什么、均未命中，证明确实扫了
+        S.push(`<div class="empty">🟢 ${t('逐项检查完成，未在可扫描文件中发现风险。', 'All checks passed — no risks found in scannable files.')}</div>`);
+        S.push(`<table class="tbl checked"><tbody>
+      <tr><td>🌐 ${t('境外大模型端点 + SDK 依赖', 'Overseas LLM endpoints + SDK deps')}</td><td class="muted">${t('OpenAI / Anthropic / Gemini / Cohere… 共 38 个特征', '38 signatures')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🔑 ${t('硬编码密钥', 'Hardcoded secrets')}</td><td class="muted">${t('OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串', 'OpenAI/GitHub/AWS/private key/JWT/password/conn-string')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🪪 ${t('中文 PII + 国际 PII', 'Chinese + intl PII')}</td><td class="muted">${t('身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡', 'CN ID(checksum)/mobile/UnionPay(Luhn)/SSN/credit card')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>📂 .env ${t('权限', 'permission')}</td><td class="muted">${t('含密钥的 .env 不应组/其他可读', '.env should not be group/other readable')}</td><td class="right ok">✓ ${t('正常', 'OK')}</td></tr>
+    </tbody></table>`);
     }
     else {
         S.push('<div class="chips">');
@@ -258,6 +265,8 @@ section,.reg{padding:0 36px}
   padding:0 8px;border-radius:999px;margin-left:4px;font-weight:600}
 .empty{margin:8px 36px;padding:16px 18px;background:var(--pass-bg);color:var(--pass);
   border-radius:10px;font-weight:600;font-size:14px}
+.checked td.ok{color:var(--pass);font-weight:700}
+.checked td:first-child{font-weight:600;white-space:nowrap}
 /* chips 概览 */
 .chips{display:flex;flex-wrap:wrap;gap:8px;margin:6px 36px 4px}

package/dist/compliance/report.js CHANGED Viewed

@@ -130,7 +130,24 @@ export function renderProjectFindings(scan, locale) {
         : `> Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`);
     L.push('');
     if (scan.findings.length === 0) {
-        L.push(zh ? '🟢 未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。' : '🟢 No hardcoded secrets, PII exposure, or overseas endpoints found in project files.');
+        L.push(zh ? '🟢 逐项检查完成，未在可扫描文件中发现风险：' : '🟢 All checks passed — no risks found:');
+        L.push('');
+        if (zh) {
+            L.push('| 检查项 | 覆盖 | 结果 |');
+            L.push('|---|---|---|');
+            L.push('| 🌐 境外大模型端点 + SDK 依赖 | OpenAI/Anthropic/Gemini… 38 个特征 | ✓ 0 命中 |');
+            L.push('| 🔑 硬编码密钥 | OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串 | ✓ 0 命中 |');
+            L.push('| 🪪 中文+国际 PII | 身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡 | ✓ 0 命中 |');
+            L.push('| 📂 .env 权限 | 含密钥的 .env 不应组/其他可读 | ✓ 正常 |');
+        }
+        else {
+            L.push('| Check | Coverage | Result |');
+            L.push('|---|---|---|');
+            L.push('| 🌐 Overseas endpoints + SDK deps | 38 signatures | ✓ 0 hits |');
+            L.push('| 🔑 Hardcoded secrets | OpenAI/GitHub/AWS/private key/JWT/password | ✓ 0 hits |');
+            L.push('| 🪪 PII (CN + intl) | CN ID/mobile/UnionPay/SSN/credit card | ✓ 0 hits |');
+            L.push('| 📂 .env permission | group/other-readable check | ✓ OK |');
+        }
         L.push('');
         return L.join('\n');
     }

package/dist/web/scan-server.js CHANGED Viewed

@@ -52,6 +52,12 @@ export function startWebServer(opts) {
                     return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'));
                 return await handleUpload(req, res, locale, () => { active++; }, () => { active--; });
             }
+            // 演示：扫一个内置的「含风险样例项目」——证明"秒出≠没检查"（满屏发现 + 行号）
+            if (u.pathname === '/demo') {
+                if (active >= MAX_CONCURRENT)
+                    return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'));
+                return handleDemo(res, locale, () => { active++; }, () => { active--; });
+            }
             if (u.pathname === '/scan') {
                 if (active >= MAX_CONCURRENT) {
                     return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试（并发上限）'));
@@ -193,6 +199,36 @@ async function handleUpload(req, res, locale, inc, dec) {
         catch { /* ignore */ }
     }
 }
+/** 演示：内置「含风险样例项目」扫描，证明检测真在工作 */
+function handleDemo(res, locale, inc, dec) {
+    const dir = mkdtempSync(join(tmpdir(), 'sw-demo-'));
+    inc();
+    try {
+        mkdirSync(join(dir, 'src'), { recursive: true });
+        mkdirSync(join(dir, 'data'), { recursive: true });
+        writeFileSync(join(dir, 'package.json'), JSON.stringify({
+            name: 'demo-ai-app', dependencies: { 'openai': '^4.20.0', '@anthropic-ai/sdk': '^0.20.0', 'express': '^4' },
+        }, null, 2));
+        writeFileSync(join(dir, 'src', 'config.ts'), 'export const LLM = "https://api.openai.com/v1"\n'
+            + 'const OPENAI_KEY = "sk-Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz0"\n'
+            + 'const GITHUB_TOKEN = "ghp_Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz"\n'
+            + 'export const ADMIN_PHONE = "13912345678"\n');
+        writeFileSync(join(dir, 'data', 'customers.csv'), 'name,id_card,phone,card\n张三,110101199003071233,13800138000,4111111111111111\n');
+        writeFileSync(join(dir, '.env'), 'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n');
+        const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir);
+        send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app' }));
+    }
+    catch (e) {
+        send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))));
+    }
+    finally {
+        dec();
+        try {
+            rmSync(dir, { recursive: true, force: true });
+        }
+        catch { /* ignore */ }
+    }
+}
 /** 浅克隆公开仓库到临时目录（不鉴权、超时、不执行任何仓库代码） */
 function cloneRepo(url, dir) {
     return new Promise((res, rej) => {
@@ -238,6 +274,7 @@ function formPage(local) {
       <p class="sub">${local ? '选项目文件夹或贴公开仓库链接' : '贴公开仓库链接'}，30 秒查出数据出境 / 硬编码密钥 / 个人信息暴露等中国合规红线。</p>
       ${uploadForm}
       ${urlForm}
+      <p class="demo">🤔 觉得"秒出"不真？ <a href="/demo">▶ 看一个含风险的示例报告</a>（同样秒出，但满屏发现 + 行号）</p>
       <p class="foot">网安法 2026 · PIPL · 等保2.0 · 数据出境 · AI标识 ｜ 零依赖 · 开源 ·
         <a href="https://github.com/jnMetaCode/shellward">GitHub ⭐</a></p>
     </div>
@@ -312,6 +349,7 @@ button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
 .status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
 color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
+.demo{margin:18px 0 0;font-size:13px;color:#475569}.demo a{font-weight:600}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.5",
+  "version": "0.7.6",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [

package/src/compliance/html-report.ts CHANGED Viewed

@@ -100,8 +100,14 @@ export function renderHtmlReport(
       `Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`)))
   if (scan.findings.length === 0) {
-    S.push(`<div class="empty">🟢 ${t('未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。',
-      'No hardcoded secrets, PII, or overseas endpoints found in project files.')}</div>`)
+    // 空结果也要展示"检查过程"——逐项列出查了什么、均未命中，证明确实扫了
+    S.push(`<div class="empty">🟢 ${t('逐项检查完成，未在可扫描文件中发现风险。', 'All checks passed — no risks found in scannable files.')}</div>`)
+    S.push(`<table class="tbl checked"><tbody>
+      <tr><td>🌐 ${t('境外大模型端点 + SDK 依赖', 'Overseas LLM endpoints + SDK deps')}</td><td class="muted">${t('OpenAI / Anthropic / Gemini / Cohere… 共 38 个特征', '38 signatures')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🔑 ${t('硬编码密钥', 'Hardcoded secrets')}</td><td class="muted">${t('OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串', 'OpenAI/GitHub/AWS/private key/JWT/password/conn-string')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🪪 ${t('中文 PII + 国际 PII', 'Chinese + intl PII')}</td><td class="muted">${t('身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡', 'CN ID(checksum)/mobile/UnionPay(Luhn)/SSN/credit card')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>📂 .env ${t('权限', 'permission')}</td><td class="muted">${t('含密钥的 .env 不应组/其他可读', '.env should not be group/other readable')}</td><td class="right ok">✓ ${t('正常', 'OK')}</td></tr>
+    </tbody></table>`)
   } else {
     S.push('<div class="chips">')
     for (const k of KIND_ORDER) if (scan.counts[k] > 0) {
@@ -296,6 +302,8 @@ section,.reg{padding:0 36px}
   padding:0 8px;border-radius:999px;margin-left:4px;font-weight:600}
 .empty{margin:8px 36px;padding:16px 18px;background:var(--pass-bg);color:var(--pass);
   border-radius:10px;font-weight:600;font-size:14px}
+.checked td.ok{color:var(--pass);font-weight:700}
+.checked td:first-child{font-weight:600;white-space:nowrap}
 /* chips 概览 */
 .chips{display:flex;flex-wrap:wrap;gap:8px;margin:6px 36px 4px}

package/src/compliance/report.ts CHANGED Viewed

@@ -146,7 +146,23 @@ export function renderProjectFindings(scan: ProjectScanResult, locale: 'zh' | 'e
   L.push('')
   if (scan.findings.length === 0) {
-    L.push(zh ? '🟢 未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。' : '🟢 No hardcoded secrets, PII exposure, or overseas endpoints found in project files.')
+    L.push(zh ? '🟢 逐项检查完成，未在可扫描文件中发现风险：' : '🟢 All checks passed — no risks found:')
+    L.push('')
+    if (zh) {
+      L.push('| 检查项 | 覆盖 | 结果 |')
+      L.push('|---|---|---|')
+      L.push('| 🌐 境外大模型端点 + SDK 依赖 | OpenAI/Anthropic/Gemini… 38 个特征 | ✓ 0 命中 |')
+      L.push('| 🔑 硬编码密钥 | OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串 | ✓ 0 命中 |')
+      L.push('| 🪪 中文+国际 PII | 身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡 | ✓ 0 命中 |')
+      L.push('| 📂 .env 权限 | 含密钥的 .env 不应组/其他可读 | ✓ 正常 |')
+    } else {
+      L.push('| Check | Coverage | Result |')
+      L.push('|---|---|---|')
+      L.push('| 🌐 Overseas endpoints + SDK deps | 38 signatures | ✓ 0 hits |')
+      L.push('| 🔑 Hardcoded secrets | OpenAI/GitHub/AWS/private key/JWT/password | ✓ 0 hits |')
+      L.push('| 🪪 PII (CN + intl) | CN ID/mobile/UnionPay/SSN/credit card | ✓ 0 hits |')
+      L.push('| 📂 .env permission | group/other-readable check | ✓ OK |')
+    }
     L.push('')
     return L.join('\n')
   }

package/src/web/scan-server.ts CHANGED Viewed

@@ -58,6 +58,11 @@ export function startWebServer(opts: WebServerOptions): void {
         if (active >= MAX_CONCURRENT) return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'))
         return await handleUpload(req, res, locale, () => { active++ }, () => { active-- })
       }
+      // 演示：扫一个内置的「含风险样例项目」——证明"秒出≠没检查"（满屏发现 + 行号）
+      if (u.pathname === '/demo') {
+        if (active >= MAX_CONCURRENT) return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'))
+        return handleDemo(res, locale, () => { active++ }, () => { active-- })
+      }
       if (u.pathname === '/scan') {
         if (active >= MAX_CONCURRENT) {
           return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试（并发上限）'))
@@ -175,6 +180,35 @@ async function handleUpload(req: any, res: any, locale: 'zh' | 'en', inc: () =>
   }
 }
+/** 演示：内置「含风险样例项目」扫描，证明检测真在工作 */
+function handleDemo(res: any, locale: 'zh' | 'en', inc: () => void, dec: () => void) {
+  const dir = mkdtempSync(join(tmpdir(), 'sw-demo-'))
+  inc()
+  try {
+    mkdirSync(join(dir, 'src'), { recursive: true })
+    mkdirSync(join(dir, 'data'), { recursive: true })
+    writeFileSync(join(dir, 'package.json'), JSON.stringify({
+      name: 'demo-ai-app', dependencies: { 'openai': '^4.20.0', '@anthropic-ai/sdk': '^0.20.0', 'express': '^4' },
+    }, null, 2))
+    writeFileSync(join(dir, 'src', 'config.ts'),
+      'export const LLM = "https://api.openai.com/v1"\n'
+      + 'const OPENAI_KEY = "sk-Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz0"\n'
+      + 'const GITHUB_TOKEN = "ghp_Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz"\n'
+      + 'export const ADMIN_PHONE = "13912345678"\n')
+    writeFileSync(join(dir, 'data', 'customers.csv'),
+      'name,id_card,phone,card\n张三,110101199003071233,13800138000,4111111111111111\n')
+    writeFileSync(join(dir, '.env'),
+      'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n')
+    const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app' }))
+  } catch (e: any) {
+    send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))))
+  } finally {
+    dec()
+    try { rmSync(dir, { recursive: true, force: true }) } catch { /* ignore */ }
+  }
+}
 /** 浅克隆公开仓库到临时目录（不鉴权、超时、不执行任何仓库代码） */
 function cloneRepo(url: string, dir: string): Promise<void> {
   return new Promise((res, rej) => {
@@ -224,6 +258,7 @@ function formPage(local: boolean): string {
       <p class="sub">${local ? '选项目文件夹或贴公开仓库链接' : '贴公开仓库链接'}，30 秒查出数据出境 / 硬编码密钥 / 个人信息暴露等中国合规红线。</p>
       ${uploadForm}
       ${urlForm}
+      <p class="demo">🤔 觉得"秒出"不真？ <a href="/demo">▶ 看一个含风险的示例报告</a>（同样秒出，但满屏发现 + 行号）</p>
       <p class="foot">网安法 2026 · PIPL · 等保2.0 · 数据出境 · AI标识 ｜ 零依赖 · 开源 ·
         <a href="https://github.com/jnMetaCode/shellward">GitHub ⭐</a></p>
     </div>
@@ -301,6 +336,7 @@ button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
 .status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
 color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
+.demo{margin:18px 0 0;font-size:13px;color:#475569}.demo a{font-weight:600}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`