ship-safe 7.0.0 → 9.0.0

package/cli/commands/scan-skill.js

@@ -19,6 +19,59 @@ import { createHash } from 'crypto';
 import * as output from '../utils/output.js';
 import { ThreatIntel } from '../utils/threat-intel.js';
 
+// =============================================================================
+// HERMES SKILL FRONTMATTER PATTERNS (Track D — cross-skill/tool binding)
+// =============================================================================
+
+// Built-in tool registries that skills may reference.
+// Ship Safe tools are added lazily in checkHermesFrontmatter() to avoid
+// loading hermes-tool-registry.js (and its crypto import) on every invocation.
+const KNOWN_TOOL_REGISTRIES = {
+  // Common Hermes community tools (names only — no handler)
+  'web_search': 'hermes-community',
+  'web_browser': 'hermes-community',
+  'file_read': 'hermes-community',
+  'file_write': 'hermes-community',
+  'code_execute': 'hermes-community',
+  'github_api': 'hermes-community',
+  'memory_store': 'hermes-community',
+  'memory_retrieve': 'hermes-community',
+};
+
+// Hermes-specific patterns to check in skill markdown/frontmatter
+const HERMES_SKILL_PATTERNS = [
+  {
+    name: 'Hermes: XML tool_call injection',
+    regex: /<tool_call>[\s\S]{0,300}<\/tool_call>/gi,
+    severity: 'critical',
+    note: 'Skill body contains a <tool_call> block — will be executed by Hermes agents that load this skill.',
+  },
+  {
+    name: 'Hermes: function_calls injection',
+    regex: /<function_calls>[\s\S]{0,300}<\/function_calls>/gi,
+    severity: 'critical',
+    note: 'Skill body contains a <function_calls> block — classic Hermes function-call injection.',
+  },
+  {
+    name: 'Hermes: Forced tool invocation instruction',
+    regex: /(?:you\s+must\s+(?:call|invoke|use)\s+(?:the\s+)?tool|always\s+(?:call|invoke|run)\s+(?:the\s+)?(?:tool|function)|tool\s+MUST\s+be\s+(?:called|invoked|used))/gi,
+    severity: 'high',
+    note: 'Skill instructs agent to call a specific tool unconditionally — bypasses agent autonomy.',
+  },
+  {
+    name: 'Hermes: Plan/goal hijacking',
+    regex: /(?:update\s+(?:your\s+)?(?:goal|plan|objective)\s+to|change\s+(?:your\s+)?(?:goal|plan|objective)|your\s+(?:new\s+)?(?:goal|plan|primary\s+objective)\s+(?:is|should\s+be))/gi,
+    severity: 'critical',
+    note: 'Skill attempts to overwrite the agent\'s goal or plan state — ASI-01 Goal Hijacking.',
+  },
+  {
+    name: 'Hermes: Memory layer write instruction',
+    regex: /(?:write\s+(?:this|the\s+following)\s+to\s+(?:memory|episodic|semantic|working)\s+memory|store\s+(?:this|the\s+following)\s+in\s+(?:memory|episodic|semantic))/gi,
+    severity: 'high',
+    note: 'Skill instructs agent to write attacker-controlled data to memory — ASI-06 Memory Poisoning.',
+  },
+];
+
 // =============================================================================
 // POPULAR SKILL NAMES (for typosquatting detection)
 // =============================================================================
@@ -113,7 +166,7 @@ export async function scanSkillCommand(target, options = {}) {
   console.log(chalk.gray(`  Size: ${content.length} bytes`));
   console.log();
 
-  const findings = analyzeSkill(content, skillName, source);
+  const findings = await analyzeSkill(content, skillName, source);
 
   if (options.json) {
     console.log(JSON.stringify({ skill: skillName, source, findings, summary: getSummary(findings) }, null, 2));
@@ -127,7 +180,7 @@ export async function scanSkillCommand(target, options = {}) {
 // SKILL ANALYSIS
 // =============================================================================
 
-function analyzeSkill(content, skillName, source) {
+async function analyzeSkill(content, skillName, source) {
   const findings = [];
 
   // 1. Static pattern analysis
@@ -152,10 +205,12 @@ function analyzeSkill(content, skillName, source) {
   try {
     const manifest = JSON.parse(content);
     if (manifest.permissions) {
-      const dangerous = ['shell', 'exec', 'system', 'network', 'filesystem', 'admin', 'root'];
+      const dangerousPerm = [/\bshell\b/i, /\bexec\b/i, /\bsystem\b/i, /\badmin\b/i, /\broot\b/i,
+        /filesystem\s*:\s*(write|read-write)/i, /network\s*:\s*(unrestricted|all)/i,
+        /^filesystem$/i, /^network$/i];
       for (const perm of (Array.isArray(manifest.permissions) ? manifest.permissions : [])) {
         const permStr = typeof perm === 'string' ? perm : perm.name || '';
-        if (dangerous.some(d => permStr.toLowerCase().includes(d))) {
+        if (dangerousPerm.some(p => p.test(permStr))) {
           findings.push({
             check: 'permission-audit',
             name: `Dangerous permission: ${permStr}`,
@@ -216,6 +271,194 @@ function analyzeSkill(content, skillName, source) {
     });
   }
 
+  // 6. Hermes-specific: frontmatter tool binding + permission drift validation
+  findings.push(...(await checkHermesFrontmatter(content)));
+
+  // 7. Hermes-specific: function-call injection and goal hijacking in body
+  findings.push(...checkHermesBodyPatterns(content, lines));
+
+  return findings;
+}
+
+// =============================================================================
+// HERMES FRONTMATTER VALIDATION (Track D)
+// =============================================================================
+
+/**
+ * Parse YAML frontmatter block (between --- delimiters) from markdown skill.
+ * Returns a plain object with string/array values; null if no frontmatter.
+ */
+function parseFrontmatter(content) {
+  const match = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!match) return null;
+
+  const fm = {};
+  const yamlBlock = match[1];
+
+  for (const line of yamlBlock.split('\n')) {
+    const kv = line.match(/^(\w[\w-]*):\s*(.*)$/);
+    if (!kv) continue;
+    const [, key, rawVal] = kv;
+    const val = rawVal.trim();
+
+    if (val.startsWith('[') && val.endsWith(']')) {
+      // Inline array: [a, b, c]
+      fm[key] = val.slice(1, -1).split(',').map(s => s.trim().replace(/['"]/g, '')).filter(Boolean);
+    } else {
+      fm[key] = val.replace(/^['"]|['"]$/g, '');
+    }
+  }
+
+  // Collect multi-line list values (indented - items)
+  const listRe = /^(\w[\w-]*):\s*\n((?:\s+-\s+.+\n?)+)/gm;
+  let m;
+  while ((m = listRe.exec(yamlBlock)) !== null) {
+    const [, key, block] = m;
+    fm[key] = block.match(/-\s+(.+)/g)?.map(s => s.replace(/^-\s+/, '').replace(/['"]/g, '').trim()) ?? [];
+  }
+
+  return fm;
+}
+
+let _hermesToolsLoaded = false;
+async function ensureHermesToolsLoaded() {
+  if (_hermesToolsLoaded) return;
+  try {
+    const { HERMES_TOOLS } = await import('../utils/hermes-tool-registry.js');
+    for (const t of HERMES_TOOLS) KNOWN_TOOL_REGISTRIES[t.name] = 'ship-safe';
+  } catch { /* non-fatal — registry unavailable */ }
+  _hermesToolsLoaded = true;
+}
+
+async function checkHermesFrontmatter(content) {
+  await ensureHermesToolsLoaded();
+  const findings = [];
+  const fm = parseFrontmatter(content);
+
+  // Not a markdown skill with frontmatter — skip
+  if (!fm) return findings;
+
+  // ── Check: missing permissions field ──────────────────────────────────────
+  if (!fm.permissions) {
+    findings.push({
+      check: 'hermes-frontmatter',
+      name: 'Hermes: Skill missing permissions field (ASI-02 Excessive Agency)',
+      severity: 'medium',
+      line: 0,
+      matched: 'No permissions: field in frontmatter — skill may be granted more access than intended',
+    });
+  } else {
+    // ── Check: wildcard permissions ──────────────────────────────────────────
+    const perms = Array.isArray(fm.permissions) ? fm.permissions : [fm.permissions];
+    const wildcards = perms.filter(p => /^\*$|^all$|^any$/i.test(String(p)));
+    if (wildcards.length > 0) {
+      findings.push({
+        check: 'hermes-frontmatter',
+        name: 'Hermes: Wildcard permissions (* / all) — excessive agency (ASI-02)',
+        severity: 'high',
+        line: 0,
+        matched: `permissions: [${wildcards.join(', ')}]`,
+      });
+    }
+
+    // ── Check: dangerous explicit permissions ────────────────────────────────
+    // Match whole-word or exact qualified values — don't fire on "filesystem: read-only"
+    const dangerousPatterns = [
+      /\bshell\b/i, /\bexec\b/i, /\bsystem\b/i, /\badmin\b/i, /\broot\b/i, /\bsudo\b/i,
+      /filesystem\s*:\s*write/i, /filesystem\s*:\s*read-write/i,
+      /network\s*:\s*unrestricted/i, /network\s*:\s*all/i,
+      /^filesystem$/i, /^network$/i,  // bare "filesystem" or "network" without qualifier is ambiguous → flag
+    ];
+    for (const perm of perms) {
+      if (dangerousPatterns.some(p => p.test(String(perm)))) {
+        findings.push({
+          check: 'hermes-frontmatter',
+          name: `Hermes: Dangerous permission declared: ${perm}`,
+          severity: 'high',
+          line: 0,
+          matched: `permissions: [${perm}]`,
+        });
+      }
+    }
+  }
+
+  // ── Check: missing version pin ────────────────────────────────────────────
+  if (!fm.version) {
+    findings.push({
+      check: 'hermes-frontmatter',
+      name: 'Hermes: Skill missing version field — unpinned skill (ASI-10 Supply Chain)',
+      severity: 'medium',
+      line: 0,
+      matched: 'No version: field in frontmatter — skill version drift cannot be detected',
+    });
+  }
+
+  // ── Check: cross-skill tool binding validation ────────────────────────────
+  const tools = Array.isArray(fm.tools) ? fm.tools : fm.tools ? [fm.tools] : [];
+  for (const toolName of tools) {
+    if (!KNOWN_TOOL_REGISTRIES[toolName]) {
+      findings.push({
+        check: 'hermes-tool-binding',
+        name: `Hermes: Unresolvable tool reference: "${toolName}"`,
+        severity: 'high',
+        line: 0,
+        matched: `tools: [${toolName}] — not found in any known tool registry. May cause silent failures or late-binding substitution.`,
+      });
+    }
+  }
+
+  // ── Check: tools declared but no permissions field ────────────────────────
+  if (tools.length > 0 && !fm.permissions) {
+    findings.push({
+      check: 'hermes-tool-binding',
+      name: 'Hermes: Skill declares tools without permissions (permission drift)',
+      severity: 'high',
+      line: 0,
+      matched: `tools: [${tools.join(', ')}] declared but no permissions: field — skill runs with ambient agent permissions`,
+    });
+  }
+
+  return findings;
+}
+
+function checkHermesBodyPatterns(content, lines) {
+  const findings = [];
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pattern of HERMES_SKILL_PATTERNS) {
+      pattern.regex.lastIndex = 0;
+      if (pattern.regex.test(line)) {
+        findings.push({
+          check: 'hermes-injection',
+          name: pattern.name,
+          severity: pattern.severity,
+          line: i + 1,
+          matched: line.trim().slice(0, 100),
+        });
+      }
+    }
+  }
+
+  // Multi-line checks for <tool_call> blocks that span lines
+  for (const pattern of HERMES_SKILL_PATTERNS) {
+    pattern.regex.lastIndex = 0;
+    const match = pattern.regex.exec(content);
+    if (match) {
+      // Avoid duplicate if already caught line-by-line
+      const alreadyFound = findings.some(f => f.name === pattern.name);
+      if (!alreadyFound) {
+        findings.push({
+          check: 'hermes-injection',
+          name: pattern.name,
+          severity: pattern.severity,
+          line: 0,
+          matched: match[0].slice(0, 100),
+        });
+      }
+    }
+  }
+
   return findings;
 }
 
@@ -281,7 +524,7 @@ async function scanAllSkills(rootPath) {
           const response = await fetch(url);
           if (!response.ok) throw new Error(`HTTP ${response.status}`);
           const content = await response.text();
-          const findings = analyzeSkill(content, name, url);
+          const findings = await analyzeSkill(content, name, url);
           if (findings.length > 0) {
             printSkillFindings(findings, name);
           } else {

package/cli/commands/watch.js

@@ -13,6 +13,7 @@
 import fs from 'fs';
 import path from 'path';
 import chalk from 'chalk';
+import { execFileSync } from 'child_process';
 import { SKIP_DIRS, SKIP_EXTENSIONS, SKIP_FILENAMES, SECRET_PATTERNS, SECURITY_PATTERNS } from '../utils/patterns.js';
 import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
 import * as output from '../utils/output.js';
@@ -289,11 +290,13 @@ function showWatchStatus(rootPath) {
 // =============================================================================
 
 async function watchDeep(absolutePath, options = {}) {
-  const { buildOrchestrator } = await import('../agents/index.js');
+  const { buildOrchestratorAsync } = await import('../agents/index.js');
   const { ReconAgent } = await import('../agents/recon-agent.js');
 
-  const debounceMs = options.debounce || 1500;
-  const threshold = options.threshold || null;
+  const debounceMs    = options.debounce   || 1500;
+  const threshold     = options.threshold  || null;
+  const slackWebhook  = options.slack      || process.env.SHIP_SAFE_SLACK_WEBHOOK || null;
+  const prComments    = options.prComment  || false;
   const scoringEngine = new ScoringEngine();
 
   console.log();
@@ -301,7 +304,9 @@ async function watchDeep(absolutePath, options = {}) {
   console.log();
   console.log(chalk.cyan('  Running full agent scans on file changes'));
   console.log(chalk.gray(`  Debounce: ${debounceMs}ms`));
-  if (threshold) console.log(chalk.gray(`  Threshold: ${threshold}/100`));
+  if (threshold)   console.log(chalk.gray(`  Threshold: ${threshold}/100`));
+  if (slackWebhook) console.log(chalk.gray('  Slack:     notifications enabled'));
+  if (prComments)  console.log(chalk.gray('  PR:        inline comments enabled (requires gh CLI)'));
   console.log(chalk.gray('  Press Ctrl+C to stop'));
   console.log();
 
@@ -332,7 +337,7 @@ async function watchDeep(absolutePath, options = {}) {
     console.log(chalk.gray(`  [${timestamp}] ${files.length} file(s) changed — deep scanning...`));
 
     try {
-      const orchestrator = buildOrchestrator();
+      const orchestrator = await buildOrchestratorAsync(absolutePath, { quiet: true });
       const context = {
         rootPath: absolutePath,
         files,
@@ -391,6 +396,16 @@ async function watchDeep(absolutePath, options = {}) {
       if (threshold && scoreResult.score < threshold) {
         console.log(chalk.red.bold(`  ⚠ Score ${scoreResult.score} below threshold ${threshold}\n`));
       }
+
+      // ── Slack Notification ──────────────────────────────────────────────
+      if (slackWebhook && findings.length > 0) {
+        await postSlackAlert(slackWebhook, findings, scoreResult, absolutePath).catch(() => {});
+      }
+
+      // ── GitHub PR Inline Comments ────────────────────────────────────────
+      if (prComments && findings.length > 0) {
+        await postPRComments(findings, absolutePath).catch(() => {});
+      }
     } catch (err) {
       console.log(chalk.red(`  [${timestamp}] Scan error: ${err.message}\n`));
     }
@@ -431,6 +446,128 @@ async function watchDeep(absolutePath, options = {}) {
   }
 }
 
+// =============================================================================
+// SLACK NOTIFICATIONS
+// =============================================================================
+
+/**
+ * Post a security alert to a Slack webhook.
+ * Webhook URL can be set via --slack or SHIP_SAFE_SLACK_WEBHOOK env var.
+ */
+async function postSlackAlert(webhookUrl, findings, scoreResult, rootPath) {
+  const repoName  = path.basename(rootPath);
+  const criticals = findings.filter(f => f.severity === 'critical').length;
+  const highs     = findings.filter(f => f.severity === 'high').length;
+
+  const color = criticals > 0 ? 'danger' : highs > 0 ? 'warning' : 'good';
+  const emoji = criticals > 0 ? ':rotating_light:' : highs > 0 ? ':warning:' : ':shield:';
+
+  const topFindings = findings
+    .filter(f => f.severity === 'critical' || f.severity === 'high')
+    .slice(0, 5)
+    .map(f => `• *${f.severity.toUpperCase()}* ${f.title} — \`${f.file ? path.basename(f.file) : '?'}${f.line ? `:${f.line}` : ''}\``)
+    .join('\n');
+
+  const payload = {
+    attachments: [{
+      color,
+      fallback: `Ship Safe: ${findings.length} security finding(s) in ${repoName}`,
+      title:    `${emoji} Ship Safe — Security Alert`,
+      text:     `*${repoName}* — Score: *${scoreResult.score ?? '?'}/100* — ${findings.length} finding(s) (${criticals} critical, ${highs} high)`,
+      fields:   topFindings ? [{ title: 'Top Findings', value: topFindings, short: false }] : [],
+      footer:   'ship-safe watch --deep',
+      ts:       Math.floor(Date.now() / 1000),
+    }],
+  };
+
+  const res = await fetch(webhookUrl, {
+    method:  'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body:    JSON.stringify(payload),
+    signal:  AbortSignal.timeout(10000),
+  });
+
+  if (!res.ok) {
+    console.log(chalk.yellow(`  [Slack] Notification failed: HTTP ${res.status}`));
+  }
+}
+
+// =============================================================================
+// GITHUB PR INLINE COMMENTS
+// =============================================================================
+
+/**
+ * Post inline security comments to the currently open PR (if any).
+ * Requires `gh` CLI to be installed and authenticated.
+ *
+ * Posts a review comment for each critical/high finding in a changed file.
+ */
+async function postPRComments(findings, rootPath) {
+  // Check if gh is available
+  try {
+    execFileSync('gh', ['--version'], { stdio: 'pipe' });
+  } catch {
+    console.log(chalk.gray('  [PR] gh CLI not found — skipping PR comments'));
+    return;
+  }
+
+  // Get current PR number
+  let prNumber;
+  try {
+    const prJson = execFileSync('gh', ['pr', 'view', '--json', 'number'], {
+      cwd: rootPath, encoding: 'utf-8', stdio: 'pipe',
+    });
+    prNumber = JSON.parse(prJson).number;
+  } catch {
+    return; // No open PR on this branch
+  }
+
+  // Get current commit SHA
+  let sha;
+  try {
+    sha = execFileSync('git', ['rev-parse', 'HEAD'], {
+      cwd: rootPath, encoding: 'utf-8', stdio: 'pipe',
+    }).trim();
+  } catch {
+    return;
+  }
+
+  const criticalOrHigh = findings.filter(f =>
+    (f.severity === 'critical' || f.severity === 'high') && f.file && f.line
+  ).slice(0, 10); // Max 10 comments per scan
+
+  for (const f of criticalOrHigh) {
+    const relFile = path.relative(rootPath, f.file).replace(/\\/g, '/');
+    const body = [
+      `**Ship Safe — ${f.severity.toUpperCase()} finding**`,
+      '',
+      `**${f.title}**`,
+      f.description || '',
+      '',
+      f.remediation ? `**Fix:** ${f.remediation}` : '',
+      '',
+      `_[${f.rule}] — detected by ship-safe watch_`,
+    ].filter(l => l !== undefined).join('\n');
+
+    try {
+      execFileSync('gh', [
+        'api',
+        `repos/{owner}/{repo}/pulls/${prNumber}/comments`,
+        '--method', 'POST',
+        '--field', `body=${body}`,
+        '--field', `commit_id=${sha}`,
+        '--field', `path=${relFile}`,
+        '--field', `line=${f.line}`,
+        '--field', 'side=RIGHT',
+      ], { cwd: rootPath, stdio: 'pipe' });
+    } catch { /* individual comment failure is non-fatal */ }
+  }
+
+  if (criticalOrHigh.length > 0) {
+    console.log(chalk.gray(`  [PR #${prNumber}] Posted ${criticalOrHigh.length} inline comment(s)`));
+  }
+}
+
 // =============================================================================
 // CONFIG WATCH — scanConfigFiles
 // =============================================================================

package/cli/index.js

@@ -71,3 +71,8 @@ export { CacheManager } from './utils/cache-manager.js';
 
 // ── LLM Providers ─────────────────────────────────────────────────────────────
 export { createProvider, autoDetectProvider } from './providers/llm-provider.js';
+
+// ── v8.0.0 — Ship Safe × Hermes Agent ────────────────────────────────────────
+export { HermesSecurityAgent } from './agents/hermes-security-agent.js';
+export { AgentAttestationAgent } from './agents/agent-attestation-agent.js';
+export { HERMES_TOOLS, registerWithHermes, verifyIntegrity } from './utils/hermes-tool-registry.js';

package/cli/providers/llm-provider.js

@@ -92,6 +92,9 @@ class AnthropicProvider extends BaseLLMProvider {
     this.baseUrl = options.baseUrl || 'https://api.anthropic.com/v1/messages';
   }
 
+  /** Whether this provider supports guaranteed-JSON tool-use output */
+  get supportsStructuredOutput() { return true; }
+
   async complete(systemPrompt, userPrompt, options = {}) {
     const response = await fetch(this.baseUrl, {
       method: 'POST',
@@ -101,7 +104,7 @@ class AnthropicProvider extends BaseLLMProvider {
         'content-type': 'application/json',
       },
       body: JSON.stringify({
-        model: this.model,
+        model: options.model || this.model,
         max_tokens: options.maxTokens || 2048,
         system: systemPrompt,
         messages: [{ role: 'user', content: userPrompt }],
@@ -109,12 +112,57 @@ class AnthropicProvider extends BaseLLMProvider {
     });
 
     if (!response.ok) {
-      throw new Error(`Anthropic API error: HTTP ${response.status}`);
+      const body = await response.text().catch(() => '');
+      throw new Error(`Anthropic API error: HTTP ${response.status} ${body.slice(0, 200)}`);
     }
 
     const data = await response.json();
     return data.content?.[0]?.text || '';
   }
+
+  /**
+   * Complete with guaranteed-JSON output via Anthropic tool-use API.
+   * The LLM is forced to call the named tool, so the response always matches
+   * the provided JSON Schema — no regex cleanup needed.
+   *
+   * @param {string} systemPrompt
+   * @param {string} userPrompt
+   * @param {string} toolName       — Name of the forced tool call
+   * @param {object} inputSchema    — JSON Schema for the tool's input
+   * @param {object} options        — { maxTokens, model }
+   * @returns {Promise<object|null>} — Parsed tool input object, or null on failure
+   */
+  async completeWithTools(systemPrompt, userPrompt, toolName, inputSchema, options = {}) {
+    const response = await fetch(this.baseUrl, {
+      method: 'POST',
+      headers: {
+        'x-api-key': this.apiKey,
+        'anthropic-version': '2023-06-01',
+        'content-type': 'application/json',
+      },
+      body: JSON.stringify({
+        model: options.model || this.model,
+        max_tokens: options.maxTokens || 2048,
+        system: systemPrompt,
+        messages: [{ role: 'user', content: userPrompt }],
+        tools: [{
+          name: toolName,
+          description: `Report ${toolName} results`,
+          input_schema: inputSchema,
+        }],
+        tool_choice: { type: 'tool', name: toolName },
+      }),
+    });
+
+    if (!response.ok) {
+      const body = await response.text().catch(() => '');
+      throw new Error(`Anthropic API error: HTTP ${response.status} ${body.slice(0, 200)}`);
+    }
+
+    const data = await response.json();
+    const toolUse = data.content?.find(b => b.type === 'tool_use');
+    return toolUse?.input ?? null;
+  }
 }
 
 // =============================================================================