ship-safe 6.2.0 → 6.3.0

package/README.md

@@ -11,6 +11,7 @@
   <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/ship-safe" alt="Node.js version" /></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT" /></a>
   <a href="https://github.com/asamassekou10/ship-safe/stargazers"><img src="https://img.shields.io/github/stars/asamassekou10/ship-safe?style=social" alt="GitHub stars" /></a>
+  <a href="https://github.com/sponsors/asamassekou10"><img src="https://img.shields.io/badge/Sponsor-%E2%9D%A4-ea4aaa?logo=github" alt="Sponsor" /></a>
 </p>
 
 ---
@@ -720,6 +721,18 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines.
 
 ---
 
+## Sponsors
+
+Ship Safe is MIT-licensed and free forever. If it saves you time or helps you ship more securely, consider sponsoring — it helps keep the project maintained and growing.
+
+<p align="center">
+  <a href="https://github.com/sponsors/asamassekou10">
+    <img src="https://img.shields.io/badge/Sponsor%20Ship%20Safe-%E2%9D%A4-ea4aaa?style=for-the-badge&logo=github" alt="Sponsor Ship Safe" />
+  </a>
+</p>
+
+---
+
 ## License
 
 MIT - Use it, share it, secure your stuff.

package/cli/agents/index.js

@@ -26,6 +26,7 @@ export { PIIComplianceAgent } from './pii-compliance-agent.js';
 export { VibeCodingAgent } from './vibe-coding-agent.js';
 export { ExceptionHandlerAgent } from './exception-handler-agent.js';
 export { AgentConfigScanner } from './agent-config-scanner.js';
+export { LegalRiskAgent, LEGALLY_RISKY_PACKAGES } from './legal-risk-agent.js';
 export { ABOMGenerator } from './abom-generator.js';
 export { VerifierAgent } from './verifier-agent.js';
 export { DeepAnalyzer } from './deep-analyzer.js';

package/cli/agents/legal-risk-agent.js

@@ -0,0 +1,302 @@
+/**
+ * LegalRiskAgent
+ * ==============
+ *
+ * Scans project dependency manifests for packages that carry legal risk:
+ * active DMCA takedowns, known leaked-source derivatives, IP disputes,
+ * or license violations.
+ *
+ * This is a separate threat category from security IOCs — the danger is
+ * not malware, but legal liability for shipping the dependency.
+ *
+ * Supported manifests:
+ *   npm/yarn/pnpm  → package.json
+ *   Python         → requirements.txt, pyproject.toml
+ *   Rust           → Cargo.toml
+ *   Go             → go.mod
+ *
+ * USAGE:
+ *   ship-safe legal .
+ *   ship-safe audit . --include-legal
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// =============================================================================
+// LEGALLY RISKY PACKAGES
+// Format: { name, versions, ecosystem, risk, severity, detail, references }
+//
+// versions: array of specific bad versions, or '*' for all versions
+// ecosystem: 'npm' | 'pypi' | 'cargo' | 'go' | '*'
+// risk: 'dmca' | 'ip-dispute' | 'leaked-source' | 'license-violation'
+// =============================================================================
+export const LEGALLY_RISKY_PACKAGES = [
+  // ---------------------------------------------------------------------------
+  // Claude Code source leak (March 31 2026)
+  // Anthropic's Claude Code source was accidentally leaked. Several repos
+  // appeared immediately; Anthropic filed DMCA takedowns but derivatives
+  // remain online. Shipping any of these exposes you to IP liability.
+  // ---------------------------------------------------------------------------
+  {
+    name: 'claw-code',
+    versions: '*',
+    ecosystem: 'npm',
+    risk: 'dmca',
+    severity: 'high',
+    detail:
+      'Derived from leaked Anthropic Claude Code source (March 2026). ' +
+      'Anthropic has filed DMCA takedown notices. Shipping this package ' +
+      'may expose your project to IP infringement liability.',
+    references: [
+      'https://cybernews.com/security/anthropic-claude-code-source-leak/',
+      'https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know',
+    ],
+  },
+  {
+    name: 'claw-code-js',
+    versions: '*',
+    ecosystem: 'npm',
+    risk: 'leaked-source',
+    severity: 'high',
+    detail:
+      'JavaScript port derived from the leaked Anthropic Claude Code source (March 2026). ' +
+      'Under active DMCA enforcement. Contains Anthropic proprietary IP.',
+    references: [
+      'https://cybernews.com/tech/claude-code-leak-spawns-fastest-github-repo/',
+    ],
+  },
+  {
+    name: 'claude-code-oss',
+    versions: '*',
+    ecosystem: 'npm',
+    risk: 'leaked-source',
+    severity: 'high',
+    detail:
+      'Open-source mirror of the leaked Claude Code source (March 2026). ' +
+      'Despite "open-source" branding, the underlying code is Anthropic proprietary IP ' +
+      'and DMCA takedowns are in progress.',
+    references: [
+      'https://cybernews.com/security/anthropic-claude-code-source-leak/',
+    ],
+  },
+  // ---------------------------------------------------------------------------
+  // License violations — well-known cases
+  // ---------------------------------------------------------------------------
+  {
+    name: 'faker',
+    versions: ['6.6.6'],
+    ecosystem: 'npm',
+    risk: 'license-violation',
+    severity: 'medium',
+    detail:
+      'faker@6.6.6 was deliberately sabotaged by its maintainer (January 2022). ' +
+      'The package prints an infinite loop of gibberish. Replaced by @faker-js/faker ' +
+      'which is community-maintained under MIT.',
+    references: [
+      'https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/',
+    ],
+  },
+  {
+    name: 'colors',
+    versions: ['1.4.44-liberty-2'],
+    ecosystem: 'npm',
+    risk: 'license-violation',
+    severity: 'medium',
+    detail:
+      'colors@1.4.44-liberty-2 was a malicious release by the maintainer that ' +
+      'deliberately printed an infinite loop. Use colors@1.4.0 or the maintained fork.',
+    references: [
+      'https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/',
+    ],
+  },
+];
+
+// =============================================================================
+// AGENT
+// =============================================================================
+
+export class LegalRiskAgent extends BaseAgent {
+  constructor() {
+    super('LegalRiskAgent', 'Legal risk audit: DMCA, IP disputes, leaked source in dependencies', 'legal');
+  }
+
+  async analyze(context) {
+    const { rootPath } = context;
+    const findings = [];
+
+    findings.push(...this._scanNpm(rootPath));
+    findings.push(...this._scanPython(rootPath));
+    findings.push(...this._scanCargo(rootPath));
+    findings.push(...this._scanGoMod(rootPath));
+
+    return findings;
+  }
+
+  // ---------------------------------------------------------------------------
+  // npm / yarn / pnpm — package.json
+  // ---------------------------------------------------------------------------
+  _scanNpm(rootPath) {
+    const findings = [];
+    const pkgPath = path.join(rootPath, 'package.json');
+    if (!fs.existsSync(pkgPath)) return findings;
+
+    let pkg;
+    try {
+      pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+    } catch {
+      return findings;
+    }
+
+    const allDeps = {
+      ...(pkg.dependencies || {}),
+      ...(pkg.devDependencies || {}),
+      ...(pkg.optionalDependencies || {}),
+      ...(pkg.peerDependencies || {}),
+    };
+
+    for (const [name, version] of Object.entries(allDeps)) {
+      const entry = LEGALLY_RISKY_PACKAGES.find(
+        e => e.name === name && (e.ecosystem === 'npm' || e.ecosystem === '*')
+      );
+      if (!entry) continue;
+
+      const bare = String(version).replace(/^[\^~>=<]+/, '').trim();
+      const versionMatches =
+        entry.versions === '*' || entry.versions.includes(bare);
+
+      if (versionMatches) {
+        findings.push(this._makeFinding(pkgPath, name, bare, entry));
+      }
+    }
+
+    return findings;
+  }
+
+  // ---------------------------------------------------------------------------
+  // Python — requirements.txt
+  // ---------------------------------------------------------------------------
+  _scanPython(rootPath) {
+    const findings = [];
+    const reqPath = path.join(rootPath, 'requirements.txt');
+    if (!fs.existsSync(reqPath)) return findings;
+
+    const lines = (this.readFile(reqPath) || '').split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      if (!line || line.startsWith('#')) continue;
+
+      // Match: package==version or package>=version etc., or bare package name
+      const m = line.match(/^([\w.-]+)\s*(?:[=<>!~]=?\s*([\d.\w]+))?/);
+      if (!m) continue;
+      const [, name, version = '*'] = m;
+
+      const entry = LEGALLY_RISKY_PACKAGES.find(
+        e => e.name.toLowerCase() === name.toLowerCase() &&
+          (e.ecosystem === 'pypi' || e.ecosystem === '*')
+      );
+      if (!entry) continue;
+
+      const versionMatches =
+        entry.versions === '*' || entry.versions.includes(version);
+      if (versionMatches) {
+        findings.push(this._makeFinding(reqPath, name, version, entry));
+      }
+    }
+
+    return findings;
+  }
+
+  // ---------------------------------------------------------------------------
+  // Rust — Cargo.toml
+  // ---------------------------------------------------------------------------
+  _scanCargo(rootPath) {
+    const findings = [];
+    const cargoPath = path.join(rootPath, 'Cargo.toml');
+    if (!fs.existsSync(cargoPath)) return findings;
+
+    const content = this.readFile(cargoPath) || '';
+    // Match lines like: package-name = "1.2.3" or package-name = { version = "1.2.3" }
+    const depPattern = /^\s*([\w-]+)\s*=\s*(?:"([\d.\w^~>=<*]+)"|{[^}]*version\s*=\s*"([\d.\w^~>=<*]+)")/gm;
+    let match;
+    while ((match = depPattern.exec(content)) !== null) {
+      const name = match[1];
+      const version = (match[2] || match[3] || '*').replace(/^[\^~>=<]+/, '').trim();
+
+      const entry = LEGALLY_RISKY_PACKAGES.find(
+        e => e.name === name && (e.ecosystem === 'cargo' || e.ecosystem === '*')
+      );
+      if (!entry) continue;
+
+      const versionMatches = entry.versions === '*' || entry.versions.includes(version);
+      if (versionMatches) {
+        findings.push(this._makeFinding(cargoPath, name, version, entry));
+      }
+    }
+
+    return findings;
+  }
+
+  // ---------------------------------------------------------------------------
+  // Go — go.mod
+  // ---------------------------------------------------------------------------
+  _scanGoMod(rootPath) {
+    const findings = [];
+    const goModPath = path.join(rootPath, 'go.mod');
+    if (!fs.existsSync(goModPath)) return findings;
+
+    const lines = (this.readFile(goModPath) || '').split('\n');
+    for (const line of lines) {
+      const m = line.trim().match(/^([\w./\-]+)\s+(v[\d.]+)/);
+      if (!m) continue;
+      const [, name, version] = m;
+
+      const entry = LEGALLY_RISKY_PACKAGES.find(
+        e => e.name === name && (e.ecosystem === 'go' || e.ecosystem === '*')
+      );
+      if (!entry) continue;
+
+      const bare = version.replace(/^v/, '');
+      const versionMatches = entry.versions === '*' || entry.versions.includes(bare);
+      if (versionMatches) {
+        findings.push(this._makeFinding(goModPath, name, bare, entry));
+      }
+    }
+
+    return findings;
+  }
+
+  // ---------------------------------------------------------------------------
+  // Finding factory
+  // ---------------------------------------------------------------------------
+  _makeFinding(file, name, version, entry) {
+    const riskLabel = {
+      dmca: 'DMCA Takedown',
+      'ip-dispute': 'IP Dispute',
+      'leaked-source': 'Leaked Source',
+      'license-violation': 'License Violation',
+    }[entry.risk] || entry.risk;
+
+    const versionStr = version === '*' ? '(any version)' : `@${version}`;
+
+    return createFinding({
+      file,
+      line: 0,
+      severity: entry.severity,
+      category: 'legal',
+      rule: `LEGAL_RISK_${entry.risk.toUpperCase().replace(/-/g, '_')}`,
+      title: `[${riskLabel}] ${name}${versionStr}`,
+      description: entry.detail,
+      matched: version === '*' ? name : `${name}@${version}`,
+      confidence: 'high',
+      fix:
+        `Remove ${name} from your dependencies. ` +
+        (entry.references.length > 0
+          ? `See: ${entry.references[0]}`
+          : ''),
+    });
+  }
+}
+
+export default LegalRiskAgent;

package/cli/bin/ship-safe.js

@@ -45,6 +45,7 @@ import { scanSkillCommand } from '../commands/scan-skill.js';
 import { abomCommand } from '../commands/abom.js';
 import { updateIntelCommand } from '../commands/update-intel.js';
 import { hooksCommand } from '../commands/hooks.js';
+import { legalCommand } from '../commands/legal.js';
 import { ABOMGenerator } from '../agents/abom-generator.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { SBOMGenerator } from '../agents/sbom-generator.js';
@@ -220,6 +221,7 @@ program
   .option('--base-url <url>', 'Custom OpenAI-compatible endpoint (e.g. http://localhost:1234/v1/chat/completions)')
   .option('--budget <cents>', 'Max spend in cents for deep analysis (default: 50)', parseInt)
   .option('--verify', 'Check if leaked secrets are still active (probes provider APIs)')
+  .option('--include-legal', 'Also run the legal risk scan (DMCA, leaked source, IP disputes)')
   .option('-v, --verbose', 'Verbose output')
   .action(auditCommand);
 
@@ -392,6 +394,15 @@ How it works:
 `)
   .action(hooksCommand);
 
+// -----------------------------------------------------------------------------
+// LEGAL COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('legal [path]')
+  .description('Legal risk audit: DMCA notices, leaked-source derivatives, IP disputes in dependencies')
+  .option('--json', 'Output results as JSON')
+  .action(legalCommand);
+
 // -----------------------------------------------------------------------------
 // UPDATE-INTEL COMMAND
 // -----------------------------------------------------------------------------
@@ -430,6 +441,7 @@ if (process.argv.length === 2) {
   console.log(chalk.white('  npx ship-safe scan-skill <u>') + chalk.gray('# Vet a skill before installing'));
   console.log(chalk.white('  npx ship-safe abom .        ') + chalk.gray('# Agent Bill of Materials (CycloneDX)'));
   console.log(chalk.white('  npx ship-safe sbom .        ') + chalk.gray('# Generate CycloneDX SBOM (CRA-ready)'));
+  console.log(chalk.white('  npx ship-safe legal .        ') + chalk.gray('# Legal risk audit: DMCA, leaked source, IP disputes'));
   console.log(chalk.white('  npx ship-safe update-intel  ') + chalk.gray('# Update threat intelligence feed'));
   console.log(chalk.white('  npx ship-safe policy init   ') + chalk.gray('# Create security policy template'));
   console.log(chalk.white('  npx ship-safe doctor        ') + chalk.gray('# Check environment and configuration'));

package/cli/commands/audit.js

@@ -18,6 +18,7 @@ import chalk from 'chalk';
 import ora from 'ora';
 import fg from 'fast-glob';
 import { buildOrchestrator } from '../agents/index.js';
+import { LegalRiskAgent } from '../agents/legal-risk-agent.js';
 import { ScoringEngine } from '../agents/scoring-engine.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { HTMLReporter } from '../agents/html-reporter.js';
@@ -56,6 +57,7 @@ const CATEGORY_LABELS = {
   'supply-chain': 'Supply Chain',
   api: 'API Security',
   llm: 'AI/LLM Security',
+  legal: 'Legal Risk',
 };
 
 const EFFORT_MAP = {
@@ -67,6 +69,7 @@ const EFFORT_MAP = {
   'supply-chain': 'medium',
   api: 'medium',
   llm: 'high',
+  legal: 'low',
 };
 
 // =============================================================================
@@ -239,11 +242,28 @@ export async function auditCommand(targetPath = '.', options = {}) {
     console.log(chalk.gray('  [Phase 3/4] Dependencies: skipped (--no-deps)'));
   }
 
+  // ── Phase 3b: Legal Risk Scan (opt-in) ───────────────────────────────────
+  let legalFindings = [];
+  if (options.includeLegal) {
+    const legalSpinner = machineOutput ? null : ora({ text: chalk.white('[Phase 3b] Legal risk scan…'), color: 'cyan' }).start();
+    try {
+      const legalAgent = new LegalRiskAgent();
+      legalFindings = await legalAgent.analyze({ rootPath: absolutePath, files: allFiles });
+      if (legalSpinner) legalSpinner.succeed(
+        legalFindings.length === 0
+          ? chalk.green('[Phase 3b] Legal: clean')
+          : chalk.yellow(`[Phase 3b] Legal: ${legalFindings.length} finding(s)`)
+      );
+    } catch {
+      if (legalSpinner) legalSpinner.succeed(chalk.gray('[Phase 3b] Legal: skipped'));
+    }
+  }
+
   // ── Phase 4: Merge, Score, and Build Plan ─────────────────────────────────
   const scoreSpinner = machineOutput ? null : ora({ text: chalk.white('[Phase 4/4] Computing security score...'), color: 'cyan' }).start();
 
-  // Merge secret findings + agent findings, deduplicate
-  const allFindings = deduplicateFindings([...secretFindings, ...agentFindings]);
+  // Merge secret findings + agent findings + legal findings, deduplicate
+  const allFindings = deduplicateFindings([...secretFindings, ...agentFindings, ...legalFindings]);
 
   // Apply policy
   const policy = PolicyEngine.load(absolutePath);

package/cli/commands/legal.js

@@ -0,0 +1,158 @@
+/**
+ * Legal Command
+ * =============
+ *
+ * Scans dependency manifests for packages that carry legal risk:
+ * active DMCA takedowns, leaked-source derivatives, IP disputes,
+ * and license violations.
+ *
+ * USAGE:
+ *   ship-safe legal [path]        Scan for legally risky dependencies
+ *   ship-safe legal . --json      JSON output
+ *
+ * EXIT CODES:
+ *   0  Clean — no legally risky packages found
+ *   1  Findings — one or more legally risky packages detected
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { LegalRiskAgent } from '../agents/legal-risk-agent.js';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// RISK LABELS & COLORS
+// =============================================================================
+
+const RISK_COLORS = {
+  dmca:              chalk.red.bold,
+  'ip-dispute':      chalk.red,
+  'leaked-source':   chalk.yellow.bold,
+  'license-violation': chalk.yellow,
+};
+
+const RISK_LABELS = {
+  dmca:              'DMCA Takedown',
+  'ip-dispute':      'IP Dispute',
+  'leaked-source':   'Leaked Source',
+  'license-violation': 'License Violation',
+};
+
+const SEVERITY_COLORS = {
+  critical: chalk.bgRed.white.bold,
+  high:     chalk.red.bold,
+  medium:   chalk.yellow,
+  low:      chalk.blue,
+};
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function legalCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  if (!options.json) {
+    console.log();
+    output.header('Legal Risk Audit');
+    console.log(chalk.gray('  Scanning for DMCA notices, leaked-source derivatives, and IP disputes'));
+    console.log();
+  }
+
+  // ── Run the agent ──────────────────────────────────────────────────────────
+  const spinner = options.json
+    ? null
+    : ora({ text: 'Scanning dependency manifests…', color: 'cyan' }).start();
+
+  const agent = new LegalRiskAgent();
+  let findings = [];
+
+  try {
+    findings = await agent.analyze({ rootPath: absolutePath, files: [] });
+    if (spinner) spinner.stop();
+  } catch (err) {
+    if (spinner) spinner.stop();
+    output.error(`Legal scan failed: ${err.message}`);
+    process.exit(1);
+  }
+
+  // ── JSON output ────────────────────────────────────────────────────────────
+  if (options.json) {
+    console.log(JSON.stringify({ findings, total: findings.length }, null, 2));
+    process.exit(findings.length > 0 ? 1 : 0);
+  }
+
+  // ── Human-readable output ──────────────────────────────────────────────────
+  if (findings.length === 0) {
+    output.success('No legally risky packages found.');
+    console.log();
+    console.log(chalk.gray('  Scanned: package.json, requirements.txt, Cargo.toml, go.mod'));
+    console.log();
+    return;
+  }
+
+  // Group by severity
+  const bySeverity = { critical: [], high: [], medium: [], low: [] };
+  for (const f of findings) {
+    (bySeverity[f.severity] || bySeverity.medium).push(f);
+  }
+
+  const total = findings.length;
+  const critCount = bySeverity.critical.length;
+  const highCount = bySeverity.high.length;
+
+  // Summary line
+  console.log(
+    chalk.red.bold(`  ${total} legal risk finding${total === 1 ? '' : 's'}`),
+    chalk.gray('—'),
+    critCount > 0 ? chalk.red.bold(`${critCount} critical`) + chalk.gray(', ') : '',
+    highCount > 0 ? chalk.red(`${highCount} high`) : '',
+  );
+  console.log();
+
+  // Print findings
+  for (const severity of ['critical', 'high', 'medium', 'low']) {
+    const group = bySeverity[severity];
+    if (group.length === 0) continue;
+
+    for (const f of group) {
+      const sevBadge = SEVERITY_COLORS[severity]
+        ? SEVERITY_COLORS[severity](` ${severity.toUpperCase()} `)
+        : chalk.gray(` ${severity.toUpperCase()} `);
+
+      // Extract risk type from rule: LEGAL_RISK_DMCA → dmca
+      const riskKey = f.rule
+        .replace('LEGAL_RISK_', '')
+        .toLowerCase()
+        .replace(/_/g, '-');
+      const riskColor = RISK_COLORS[riskKey] || chalk.white;
+      const riskLabel = RISK_LABELS[riskKey] || riskKey;
+
+      console.log(`  ${sevBadge}  ${chalk.white.bold(f.title)}`);
+      console.log(`          ${riskColor(`[${riskLabel}]`)}  ${chalk.gray(path.relative(absolutePath, f.file) || f.file)}`);
+      console.log();
+      console.log(`          ${chalk.gray(f.description)}`);
+      console.log();
+      if (f.fix) {
+        console.log(`          ${chalk.cyan('Fix:')} ${chalk.gray(f.fix)}`);
+      }
+      console.log();
+      console.log(chalk.gray('  ' + '─'.repeat(56)));
+      console.log();
+    }
+  }
+
+  // Footer
+  console.log(chalk.yellow.bold('  ⚠  Shipping legally risky packages can expose your project to IP liability.'));
+  console.log(chalk.gray('     Review each finding and remove the affected dependency before releasing.'));
+  console.log();
+
+  process.exit(1);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "6.2.0",
+  "version": "6.3.0",
   "description": "AI-powered multi-agent security platform. 18 agents scan 80+ attack classes with LLM-powered deep analysis. Red team your code before attackers do.",
   "main": "cli/index.js",
   "bin": {