ship-safe 6.3.0 → 7.0.0

package/cli/commands/scan-skill.js

@@ -47,6 +47,20 @@ const SKILL_PATTERNS = [
   { name: 'Crypto operations', regex: /(?:crypto\.createCipher|crypto\.createDecipher|CryptoJS|forge\.cipher)/gi, severity: 'medium' },
   { name: 'Network listener', regex: /(?:createServer|listen\s*\(\s*\d|bind\s*\(\s*['"]0\.0\.0\.0)/gi, severity: 'high' },
   { name: 'Encoded payload block', regex: /[A-Za-z0-9+\/]{60,}={0,2}/g, severity: 'medium' },
+
+  // ── ToxicSkills patterns (Snyk research — 36% of agent skills affected) ──
+  // Silent curl exfiltration: skill instructs agent to silently send data
+  { name: 'ToxicSkills: silent data exfiltration via curl', regex: /(?:silently|quietly|without\s+(?:notif|alert|inform|telling|showing)|in\s+the\s+background)\s+.{0,60}(?:curl|wget|fetch|POST|send).{0,60}(?:http|https):\/\//gi, severity: 'critical' },
+  // System prompt override in skill definition
+  { name: 'ToxicSkills: system prompt override', regex: /(?:ignore\s+(?:all\s+)?(?:previous|prior|above|your)\s+instructions|your\s+(?:new|real|actual|true)\s+(?:instructions|role|goal|purpose)\s+(?:is|are)|disregard\s+(?:all\s+)?(?:previous|above|your))/gi, severity: 'critical' },
+  // Skill requests credentials/secrets from agent context
+  { name: 'ToxicSkills: credential harvesting', regex: /(?:extract|retrieve|collect|gather|find|read|access|get)\s+.{0,40}(?:api[_\s]?key|secret|token|password|credential|\.env|npmrc|ssh[_\s]?key|private[_\s]?key)/gi, severity: 'critical' },
+  // Skill attempts to read ~/.ssh, ~/.aws, ~/.npmrc
+  { name: 'ToxicSkills: sensitive path access', regex: /(?:~\/\.(?:ssh|aws|npmrc|netrc|gnupg|config\/gcloud)|\/etc\/(?:passwd|shadow|hosts)|%APPDATA%|%USERPROFILE%)/gi, severity: 'critical' },
+  // Skill suppresses its own output to avoid detection
+  { name: 'ToxicSkills: output suppression', regex: /(?:do\s+not\s+(?:show|display|reveal|mention|tell|report|log)\s+(?:this|these|the\s+(?:output|result|response|command|action))|hide\s+(?:this|the)\s+(?:output|result|action|command|request))/gi, severity: 'high' },
+  // Skill requests permissions beyond its stated purpose
+  { name: 'ToxicSkills: permission escalation', regex: /(?:grant\s+(?:me|this\s+skill|yourself)\s+(?:admin|root|sudo|full|all)\s+(?:access|permissions?|rights?)|elevate\s+(?:privileges?|permissions?|rights?)|run\s+as\s+(?:admin|root|sudo))/gi, severity: 'high' },
 ];
 
 // =============================================================================

package/cli/commands/watch.js

@@ -16,6 +16,7 @@ import chalk from 'chalk';
 import { SKIP_DIRS, SKIP_EXTENSIONS, SKIP_FILENAMES, SECRET_PATTERNS, SECURITY_PATTERNS } from '../utils/patterns.js';
 import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
 import * as output from '../utils/output.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
 
 // Agent config files to watch
 const AGENT_CONFIG_PATTERNS = [
@@ -26,6 +27,10 @@ const AGENT_CONFIG_PATTERNS = [
   '.cursor/mcp.json', '.vscode/mcp.json',
 ];
 
+// Watch state persistence
+const WATCH_DB_DIR = '.ship-safe';
+const WATCH_DB_FILE = 'watch.json';
+
 export async function watchCommand(targetPath = '.', options = {}) {
   const absolutePath = path.resolve(targetPath);
 
@@ -34,15 +39,26 @@ export async function watchCommand(targetPath = '.', options = {}) {
     process.exit(1);
   }
 
+  // Status mode: print current watch state and exit
+  if (options.status) {
+    return showWatchStatus(absolutePath);
+  }
+
   // Config-only watch mode
   if (options.configs) {
     return watchConfigs(absolutePath);
   }
 
+  // Deep mode: run full orchestrator on changes
+  if (options.deep) {
+    return watchDeep(absolutePath, options);
+  }
+
   console.log();
   output.header('Ship Safe — Watch Mode');
   console.log();
   console.log(chalk.cyan('  Watching for file changes...'));
+  console.log(chalk.gray('  Use --deep for full agent scanning, --status for current findings'));
   console.log(chalk.gray('  Press Ctrl+C to stop'));
   console.log();
 
@@ -230,6 +246,195 @@ async function watchConfigs(absolutePath) {
   }
 }
 
+// =============================================================================
+// STATUS MODE
+// =============================================================================
+
+function showWatchStatus(rootPath) {
+  const dbFile = path.join(rootPath, WATCH_DB_DIR, WATCH_DB_FILE);
+  if (!fs.existsSync(dbFile)) {
+    console.log('\n  No watch data found. Run: ship-safe watch . --deep\n');
+    return;
+  }
+
+  try {
+    const data = JSON.parse(fs.readFileSync(dbFile, 'utf-8'));
+    console.log(`\n  ${chalk.cyan.bold('Ship Safe Watch — Status')}`);
+    console.log(`  ${'─'.repeat(40)}`);
+    console.log(`  Last scan:  ${data.lastScan || 'never'}`);
+    console.log(`  Scans run:  ${data.scanCount || 0}`);
+    console.log(`  Score:      ${data.score?.score ?? '?'}/100 ${data.score?.grade ?? ''}`);
+    console.log(`  Findings:   ${data.score?.totalFindings ?? 0}`);
+
+    if (data.agentic) {
+      console.log(`  Agentic:    ${data.agentic.flagged}/${data.agentic.total} OWASP Agentic risks flagged`);
+    }
+
+    // Severity breakdown
+    const sevCounts = { critical: 0, high: 0, medium: 0, low: 0 };
+    for (const f of (data.findings || [])) {
+      sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
+    }
+    console.log(`    Critical: ${sevCounts.critical}`);
+    console.log(`    High:     ${sevCounts.high}`);
+    console.log(`    Medium:   ${sevCounts.medium}`);
+    console.log(`    Low:      ${sevCounts.low}\n`);
+  } catch {
+    console.log('\n  Failed to read watch data. File may be corrupted.\n');
+  }
+}
+
+// =============================================================================
+// DEEP WATCH MODE (full orchestrator)
+// =============================================================================
+
+async function watchDeep(absolutePath, options = {}) {
+  const { buildOrchestrator } = await import('../agents/index.js');
+  const { ReconAgent } = await import('../agents/recon-agent.js');
+
+  const debounceMs = options.debounce || 1500;
+  const threshold = options.threshold || null;
+  const scoringEngine = new ScoringEngine();
+
+  console.log();
+  output.header('Ship Safe — Deep Watch Mode');
+  console.log();
+  console.log(chalk.cyan('  Running full agent scans on file changes'));
+  console.log(chalk.gray(`  Debounce: ${debounceMs}ms`));
+  if (threshold) console.log(chalk.gray(`  Threshold: ${threshold}/100`));
+  console.log(chalk.gray('  Press Ctrl+C to stop'));
+  console.log();
+
+  // Initial recon
+  const reconAgent = new ReconAgent();
+  console.log(chalk.gray('  Running initial recon...'));
+  let recon;
+  try {
+    const reconResults = await reconAgent.analyze({ rootPath: absolutePath });
+    recon = Array.isArray(reconResults) ? {} : reconResults;
+  } catch { recon = {}; }
+  console.log(chalk.gray('  Recon complete. Watching...\n'));
+
+  let pendingFiles = new Set();
+  let debounceTimer = null;
+  let scanCount = 0;
+
+  const dbDir = path.join(absolutePath, WATCH_DB_DIR);
+  const dbFile = path.join(dbDir, WATCH_DB_FILE);
+
+  const processChanges = async () => {
+    const files = [...pendingFiles];
+    pendingFiles.clear();
+    if (files.length === 0) return;
+
+    scanCount++;
+    const timestamp = new Date().toLocaleTimeString();
+    console.log(chalk.gray(`  [${timestamp}] ${files.length} file(s) changed — deep scanning...`));
+
+    try {
+      const orchestrator = buildOrchestrator();
+      const context = {
+        rootPath: absolutePath,
+        files,
+        changedFiles: files,
+        recon,
+        options: { incremental: true },
+      };
+
+      const findings = await orchestrator.run(context);
+      const scoreResult = scoringEngine.compute(findings);
+
+      // Persist results
+      try {
+        if (!fs.existsSync(dbDir)) fs.mkdirSync(dbDir, { recursive: true });
+        fs.writeFileSync(dbFile, JSON.stringify({
+          lastScan: new Date().toISOString(),
+          scanCount,
+          score: {
+            score: scoreResult.score,
+            grade: scoreResult.grade?.letter,
+            totalFindings: scoreResult.totalFindings,
+          },
+          agentic: scoreResult.agenticSummary
+            ? { flagged: scoreResult.agenticSummary.flagged, total: scoreResult.agenticSummary.total }
+            : null,
+          findings: findings.map(f => ({
+            file: path.relative(absolutePath, f.file || ''),
+            line: f.line,
+            severity: f.severity,
+            rule: f.rule,
+            title: f.title,
+            agenticRisk: f.agenticRisk || null,
+          })),
+        }, null, 2));
+      } catch { /* non-fatal */ }
+
+      // Output
+      const criticals = findings.filter(f => f.severity === 'critical').length;
+      const highs = findings.filter(f => f.severity === 'high').length;
+
+      if (findings.length === 0) {
+        console.log(chalk.green(`  [${timestamp}] ✔ Clean — Score: ${scoreResult.score}/100 ${scoreResult.grade?.letter}\n`));
+      } else {
+        const scoreColor = scoreResult.score >= 75 ? chalk.cyan : scoreResult.score >= 50 ? chalk.yellow : chalk.red;
+        console.log(`  [${timestamp}] ${chalk.white(`${findings.length} finding(s)`)}: ${criticals ? chalk.red.bold(`${criticals} critical`) : ''}${criticals && highs ? ', ' : ''}${highs ? chalk.yellow(`${highs} high`) : ''}. Score: ${scoreColor(`${scoreResult.score}/100 ${scoreResult.grade?.letter}`)}`);
+
+        for (const f of findings.filter(f => f.severity === 'critical' || f.severity === 'high')) {
+          const relFile = path.relative(absolutePath, f.file || '');
+          const sev = f.severity === 'critical' ? chalk.red.bold('!!') : chalk.yellow(' !');
+          const agentic = f.agenticRisk ? chalk.gray(` [${f.agenticRisk.id}]`) : '';
+          console.log(`    ${sev} ${f.title} — ${relFile}:${f.line}${agentic}`);
+        }
+        console.log('');
+      }
+
+      if (threshold && scoreResult.score < threshold) {
+        console.log(chalk.red.bold(`  ⚠ Score ${scoreResult.score} below threshold ${threshold}\n`));
+      }
+    } catch (err) {
+      console.log(chalk.red(`  [${timestamp}] Scan error: ${err.message}\n`));
+    }
+  };
+
+  try {
+    const watcher = fs.watch(absolutePath, { recursive: true }, (eventType, filename) => {
+      if (!filename) return;
+
+      // Skip non-scannable
+      const relPath = filename.replace(/\\/g, '/');
+      for (const skipDir of SKIP_DIRS) {
+        if (relPath.includes(`${skipDir}/`)) return;
+      }
+      const ext = path.extname(filename).toLowerCase();
+      if (SKIP_EXTENSIONS.has(ext)) return;
+      if (SKIP_FILENAMES.has(path.basename(filename))) return;
+      if (filename.endsWith('.min.js') || filename.endsWith('.min.css')) return;
+
+      const fullPath = path.join(absolutePath, filename);
+      if (!fs.existsSync(fullPath)) return;
+
+      pendingFiles.add(fullPath);
+      if (debounceTimer) clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(processChanges, debounceMs);
+    });
+
+    process.on('SIGINT', () => {
+      watcher.close();
+      console.log(`\n  Watch stopped. ${scanCount} scan(s) completed.\n`);
+      process.exit(0);
+    });
+
+    setInterval(() => {}, 1000 * 60 * 60);
+  } catch (err) {
+    output.error(`Watch failed: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+// =============================================================================
+// CONFIG WATCH — scanConfigFiles
+// =============================================================================
+
 async function scanConfigFiles(files, rootPath) {
   // Dynamic import to avoid circular dependency
   const { AgentConfigScanner } = await import('../agents/agent-config-scanner.js');

package/cli/providers/llm-provider.js

@@ -196,7 +196,7 @@ class GoogleProvider extends BaseLLMProvider {
 class OllamaProvider extends BaseLLMProvider {
   constructor(apiKey, options = {}) {
     super('Ollama', null, options);
-    this.model = options.model || 'llama3.2';
+    this.model = options.model || 'gemma4:e4b';
     this.baseUrl = options.baseUrl || 'http://localhost:11434/api/chat';
   }
 
@@ -223,6 +223,83 @@ class OllamaProvider extends BaseLLMProvider {
   }
 }
 
+// =============================================================================
+// GEMMA 4 PROVIDER
+// Uses Ollama's structured output (format: schema) for guaranteed JSON —
+// no regex parsing, no silent dropped findings.
+// =============================================================================
+
+const CLASSIFY_SCHEMA = {
+  type: 'object',
+  properties: {
+    results: {
+      type: 'array',
+      items: {
+        type: 'object',
+        properties: {
+          id:             { type: 'string' },
+          classification: { type: 'string', enum: ['REAL', 'FALSE_POSITIVE'] },
+          reason:         { type: 'string' },
+          fix:            { type: ['string', 'null'] },
+        },
+        required: ['id', 'classification', 'reason', 'fix'],
+      },
+    },
+  },
+  required: ['results'],
+};
+
+class GemmaProvider extends OllamaProvider {
+  constructor(options = {}) {
+    super(null, {
+      model:   options.model   || 'gemma4:e4b',
+      baseUrl: options.baseUrl || 'http://localhost:11434/api/chat',
+    });
+    this.name = 'Gemma4';
+    // 256K tokens for 27b/31b, 128K for e4b — set conservatively high
+    this.contextWindow = options.model?.includes('27b') ? 131072 : 65536;
+  }
+
+  /**
+   * Classify using Ollama structured output (format: schema).
+   * Gemma 4 has trained-in function calling — the schema is enforced at the
+   * token level, so the response is always valid JSON matching CLASSIFY_SCHEMA.
+   */
+  async classify(findings, context) {
+    const prompt = this.buildClassificationPrompt(findings, context);
+
+    const response = await fetch(this.baseUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        model:  this.model,
+        format: CLASSIFY_SCHEMA,
+        stream: false,
+        options: { num_ctx: this.contextWindow },
+        messages: [
+          { role: 'system', content: 'You are a security expert. Classify each finding as REAL or FALSE_POSITIVE and suggest a fix.' },
+          { role: 'user',   content: prompt },
+        ],
+      }),
+    });
+
+    if (!response.ok) {
+      throw new Error(`Gemma4/Ollama error: HTTP ${response.status}`);
+    }
+
+    const data = await response.json();
+    const text = data.message?.content || '';
+
+    try {
+      const parsed = JSON.parse(text);
+      return parsed.results ?? [];
+    } catch {
+      // Fallback: schema enforcement failed (old Ollama version) — try regex parse
+      return this.parseJSON(text);
+    }
+  }
+}
+
 // =============================================================================
 // OPENAI-COMPATIBLE PROVIDER
 // Handles Groq, Together AI, Mistral API, LM Studio, Azure OpenAI, Bedrock
@@ -239,6 +316,10 @@ const OPENAI_COMPATIBLE_PRESETS = {
   perplexity: { baseUrl: 'https://api.perplexity.ai/chat/completions',               model: 'llama-3.1-sonar-large-128k-online', envKey: 'PERPLEXITY_API_KEY' },
   lmstudio:   { baseUrl: 'http://localhost:1234/v1/chat/completions',                model: null,                         envKey: null },
   xai:        { baseUrl: 'https://api.x.ai/v1/chat/completions',                    model: 'grok-3-mini',                envKey: 'XAI_API_KEY' },
+  // Gemma 4 via Ollama — runs fully local, no API key required
+  // e4b: MoE 4B active params, ~8GB RAM;  27b: dense, ~20GB RAM
+  gemma4:     { baseUrl: 'http://localhost:11434/v1/chat/completions',               model: 'gemma4:e4b',                 envKey: null },
+  'gemma4:27b': { baseUrl: 'http://localhost:11434/v1/chat/completions',             model: 'gemma4:27b',                 envKey: null },
 };
 
 class OpenAICompatibleProvider extends OpenAIProvider {
@@ -279,6 +360,13 @@ export function createProvider(provider, apiKey, options = {}) {
     case 'ollama':
     case 'local':
       return new OllamaProvider(apiKey, options);
+    case 'gemma4':
+    case 'gemma':
+      // Gemma 4 via Ollama — structured output, no API key needed
+      return new GemmaProvider({
+        model:   options.model,
+        baseUrl: options.baseUrl,
+      });
   }
 
   // OpenAI-compatible presets

package/cli/utils/compliance-map.js

@@ -50,6 +50,72 @@ const AGENTIC_MAP = {
   'ASI10': { soc2: ['CC7.2', 'CC7.4'], iso27001: ['A.8.9', 'A.5.30'], nistAiRmf: ['MANAGE 2.2', 'MANAGE 4.1'] },
 };
 
+// =============================================================================
+// OWASP AGENTIC AI TOP 10 (December 2025)
+// =============================================================================
+
+const OWASP_AGENTIC_TOP_10 = {
+  ASI01: { id: 'ASI01', title: 'Agent Goal Hijacking',          description: 'Manipulation of agent objectives through prompt injection, memory poisoning, or instruction override.' },
+  ASI02: { id: 'ASI02', title: 'Tool Misuse',                   description: 'Agent uses tools in unintended or dangerous ways — shell execution, file deletion, network access beyond scope.' },
+  ASI03: { id: 'ASI03', title: 'Privilege Abuse',               description: 'Agent operates with excessive permissions — writes outside project, accesses secrets, escalates access.' },
+  ASI04: { id: 'ASI04', title: 'Agentic Supply Chain',          description: 'Compromised skills, MCP servers, or tool packages that the agent depends on.' },
+  ASI05: { id: 'ASI05', title: 'Memory & Context Poisoning',    description: 'Malicious data persisted in agent memory, rules files, or context that survives sessions.' },
+  ASI06: { id: 'ASI06', title: 'Uncontrolled Data Exposure',    description: 'Agent leaks code, secrets, or PII through tool outputs, logs, or external API calls.' },
+  ASI07: { id: 'ASI07', title: 'Insecure Communication',        description: 'Unencrypted MCP transport, HTTP model endpoints, or plaintext inter-agent messaging.' },
+  ASI08: { id: 'ASI08', title: 'Missing Human Oversight',       description: 'Agent takes destructive or irreversible actions without user confirmation — proactive mode risks.' },
+  ASI09: { id: 'ASI09', title: 'Weak Identity & Auth',          description: 'Agent sessions without authentication, shared API keys, or no audit trail of actions.' },
+  ASI10: { id: 'ASI10', title: 'Rogue Agent Behavior',          description: 'Agent deviates from intended behavior — self-modification, stealth mode, output suppression.' },
+};
+
+/**
+ * Enrich a finding with OWASP Agentic Top 10 metadata.
+ * Attaches `agenticRisk` object if the finding maps to ASI01–ASI10.
+ * @param {object} finding
+ * @returns {object} — finding with agenticRisk attached (or unchanged)
+ */
+export function enrichAgenticRisk(finding) {
+  const owasp = finding.owasp;
+  if (!owasp || !OWASP_AGENTIC_TOP_10[owasp]) return finding;
+
+  const risk = OWASP_AGENTIC_TOP_10[owasp];
+  finding.agenticRisk = {
+    id: risk.id,
+    title: risk.title,
+    description: risk.description,
+  };
+  return finding;
+}
+
+/**
+ * Get OWASP Agentic Top 10 summary across all findings.
+ * @param {object[]} findings
+ * @returns {{ risks: object[], coverage: number }}
+ */
+export function getAgenticSummary(findings) {
+  const counts = {};
+  for (const f of findings) {
+    const owasp = f.owasp;
+    if (owasp && OWASP_AGENTIC_TOP_10[owasp]) {
+      counts[owasp] = (counts[owasp] || 0) + 1;
+    }
+  }
+
+  const risks = Object.entries(OWASP_AGENTIC_TOP_10).map(([id, info]) => ({
+    ...info,
+    findingCount: counts[id] || 0,
+    status: counts[id] ? 'flagged' : 'clear',
+  }));
+
+  const flagged = risks.filter(r => r.findingCount > 0).length;
+
+  return {
+    risks,
+    flagged,
+    total: 10,
+    coverage: `${flagged}/10`,
+  };
+}
+
 // =============================================================================
 // PUBLIC API
 // =============================================================================

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ship-safe",
-  "version": "6.3.0",
-  "description": "AI-powered multi-agent security platform. 18 agents scan 80+ attack classes with LLM-powered deep analysis. Red team your code before attackers do.",
+  "version": "7.0.0",
+  "description": "AI-powered multi-agent security platform. 19 agents scan 80+ attack classes with LLM-powered deep analysis, OWASP Agentic AI Top 10 mapping, memory poisoning detection, and live advisory feeds. Red team your code before attackers do.",
   "main": "cli/index.js",
   "bin": {
     "ship-safe": "cli/bin/ship-safe.js"