npm - ship-safe - Versions diffs - 6.1.1 → 6.3.0 - Mend

ship-safe 6.1.1 → 6.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/README.md +748 -641
package/cli/agents/api-fuzzer.js +345 -345
package/cli/agents/auth-bypass-agent.js +348 -348
package/cli/agents/base-agent.js +272 -272
package/cli/agents/cicd-scanner.js +236 -201
package/cli/agents/config-auditor.js +521 -521
package/cli/agents/deep-analyzer.js +6 -2
package/cli/agents/git-history-scanner.js +170 -170
package/cli/agents/html-reporter.js +568 -568
package/cli/agents/index.js +85 -84
package/cli/agents/injection-tester.js +500 -500
package/cli/agents/legal-risk-agent.js +302 -0
package/cli/agents/llm-redteam.js +251 -251
package/cli/agents/mobile-scanner.js +231 -231
package/cli/agents/orchestrator.js +322 -322
package/cli/agents/pii-compliance-agent.js +301 -301
package/cli/agents/scoring-engine.js +248 -248
package/cli/agents/supabase-rls-agent.js +154 -154
package/cli/agents/supply-chain-agent.js +650 -507
package/cli/bin/ship-safe.js +464 -426
package/cli/commands/agent.js +608 -608
package/cli/commands/audit.js +1006 -980
package/cli/commands/baseline.js +193 -193
package/cli/commands/ci.js +342 -342
package/cli/commands/deps.js +516 -516
package/cli/commands/doctor.js +159 -159
package/cli/commands/fix.js +218 -218
package/cli/commands/hooks.js +268 -0
package/cli/commands/init.js +407 -407
package/cli/commands/legal.js +158 -0
package/cli/commands/mcp.js +304 -304
package/cli/commands/red-team.js +7 -1
package/cli/commands/remediate.js +798 -798
package/cli/commands/rotate.js +571 -571
package/cli/commands/scan.js +569 -569
package/cli/commands/score.js +449 -449
package/cli/commands/watch.js +281 -281
package/cli/hooks/patterns.js +313 -0
package/cli/hooks/post-tool-use.js +140 -0
package/cli/hooks/pre-tool-use.js +186 -0
package/cli/index.js +73 -69
package/cli/providers/llm-provider.js +397 -287
package/cli/utils/autofix-rules.js +74 -74
package/cli/utils/cache-manager.js +311 -311
package/cli/utils/output.js +230 -230
package/cli/utils/patterns.js +1121 -1121
package/cli/utils/pdf-generator.js +94 -94
package/package.json +69 -69
package/configs/supabase/rls-templates.sql +0 -242

package/cli/commands/legal.js ADDED Viewed

@@ -0,0 +1,158 @@
+/**
+ * Legal Command
+ * =============
+ *
+ * Scans dependency manifests for packages that carry legal risk:
+ * active DMCA takedowns, leaked-source derivatives, IP disputes,
+ * and license violations.
+ *
+ * USAGE:
+ *   ship-safe legal [path]        Scan for legally risky dependencies
+ *   ship-safe legal . --json      JSON output
+ *
+ * EXIT CODES:
+ *   0  Clean — no legally risky packages found
+ *   1  Findings — one or more legally risky packages detected
+ */
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { LegalRiskAgent } from '../agents/legal-risk-agent.js';
+import * as output from '../utils/output.js';
+// =============================================================================
+// RISK LABELS & COLORS
+// =============================================================================
+const RISK_COLORS = {
+  dmca:              chalk.red.bold,
+  'ip-dispute':      chalk.red,
+  'leaked-source':   chalk.yellow.bold,
+  'license-violation': chalk.yellow,
+};
+const RISK_LABELS = {
+  dmca:              'DMCA Takedown',
+  'ip-dispute':      'IP Dispute',
+  'leaked-source':   'Leaked Source',
+  'license-violation': 'License Violation',
+};
+const SEVERITY_COLORS = {
+  critical: chalk.bgRed.white.bold,
+  high:     chalk.red.bold,
+  medium:   chalk.yellow,
+  low:      chalk.blue,
+};
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+export async function legalCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+  if (!options.json) {
+    console.log();
+    output.header('Legal Risk Audit');
+    console.log(chalk.gray('  Scanning for DMCA notices, leaked-source derivatives, and IP disputes'));
+    console.log();
+  }
+  // ── Run the agent ──────────────────────────────────────────────────────────
+  const spinner = options.json
+    ? null
+    : ora({ text: 'Scanning dependency manifests…', color: 'cyan' }).start();
+  const agent = new LegalRiskAgent();
+  let findings = [];
+  try {
+    findings = await agent.analyze({ rootPath: absolutePath, files: [] });
+    if (spinner) spinner.stop();
+  } catch (err) {
+    if (spinner) spinner.stop();
+    output.error(`Legal scan failed: ${err.message}`);
+    process.exit(1);
+  }
+  // ── JSON output ────────────────────────────────────────────────────────────
+  if (options.json) {
+    console.log(JSON.stringify({ findings, total: findings.length }, null, 2));
+    process.exit(findings.length > 0 ? 1 : 0);
+  }
+  // ── Human-readable output ──────────────────────────────────────────────────
+  if (findings.length === 0) {
+    output.success('No legally risky packages found.');
+    console.log();
+    console.log(chalk.gray('  Scanned: package.json, requirements.txt, Cargo.toml, go.mod'));
+    console.log();
+    return;
+  }
+  // Group by severity
+  const bySeverity = { critical: [], high: [], medium: [], low: [] };
+  for (const f of findings) {
+    (bySeverity[f.severity] || bySeverity.medium).push(f);
+  }
+  const total = findings.length;
+  const critCount = bySeverity.critical.length;
+  const highCount = bySeverity.high.length;
+  // Summary line
+  console.log(
+    chalk.red.bold(`  ${total} legal risk finding${total === 1 ? '' : 's'}`),
+    chalk.gray('—'),
+    critCount > 0 ? chalk.red.bold(`${critCount} critical`) + chalk.gray(', ') : '',
+    highCount > 0 ? chalk.red(`${highCount} high`) : '',
+  );
+  console.log();
+  // Print findings
+  for (const severity of ['critical', 'high', 'medium', 'low']) {
+    const group = bySeverity[severity];
+    if (group.length === 0) continue;
+    for (const f of group) {
+      const sevBadge = SEVERITY_COLORS[severity]
+        ? SEVERITY_COLORS[severity](` ${severity.toUpperCase()} `)
+        : chalk.gray(` ${severity.toUpperCase()} `);
+      // Extract risk type from rule: LEGAL_RISK_DMCA → dmca
+      const riskKey = f.rule
+        .replace('LEGAL_RISK_', '')
+        .toLowerCase()
+        .replace(/_/g, '-');
+      const riskColor = RISK_COLORS[riskKey] || chalk.white;
+      const riskLabel = RISK_LABELS[riskKey] || riskKey;
+      console.log(`  ${sevBadge}  ${chalk.white.bold(f.title)}`);
+      console.log(`          ${riskColor(`[${riskLabel}]`)}  ${chalk.gray(path.relative(absolutePath, f.file) || f.file)}`);
+      console.log();
+      console.log(`          ${chalk.gray(f.description)}`);
+      console.log();
+      if (f.fix) {
+        console.log(`          ${chalk.cyan('Fix:')} ${chalk.gray(f.fix)}`);
+      }
+      console.log();
+      console.log(chalk.gray('  ' + '─'.repeat(56)));
+      console.log();
+    }
+  }
+  // Footer
+  console.log(chalk.yellow.bold('  ⚠  Shipping legally risky packages can expose your project to IP liability.'));
+  console.log(chalk.gray('     Review each finding and remove the affected dependency before releasing.'));
+  console.log();
+  process.exit(1);
+}