ship-safe 9.1.0 → 9.1.2

package/cli/commands/audit.js

@@ -35,6 +35,7 @@ import {
   loadGitignorePatterns
 } from '../utils/patterns.js';
 import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
+import { printBanner } from '../utils/output.js';
 import { CacheManager } from '../utils/cache-manager.js';
 import { filterBaseline } from './baseline.js';
 import { SecurityMemory } from '../utils/security-memory.js';
@@ -89,11 +90,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
   }
 
   if (!machineOutput) {
-    console.log();
-    console.log(chalk.cyan('═'.repeat(60)));
-    console.log(chalk.cyan.bold('  Ship Safe — Full Security Audit'));
-    console.log(chalk.cyan('═'.repeat(60)));
-    console.log();
+    printBanner();
   }
 
   // ── Cache Layer ──────────────────────────────────────────────────────────

package/cli/commands/red-team.js

@@ -18,6 +18,8 @@ import path from 'path';
 import chalk from 'chalk';
 import ora from 'ora';
 import { buildOrchestratorAsync } from '../agents/index.js';
+import { SwarmOrchestrator } from '../agents/swarm-orchestrator.js';
+import { ReconAgent } from '../agents/recon-agent.js';
 import { ScoringEngine } from '../agents/scoring-engine.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { HTMLReporter } from '../agents/html-reporter.js';
@@ -25,6 +27,7 @@ import { SBOMGenerator } from '../agents/sbom-generator.js';
 import { autoDetectProvider } from '../providers/llm-provider.js';
 import { runDepsAudit } from './deps.js';
 import * as output from '../utils/output.js';
+import { printBanner } from '../utils/output.js';
 
 export async function redTeamCommand(targetPath = '.', options = {}) {
   const absolutePath = path.resolve(targetPath);
@@ -34,31 +37,75 @@ export async function redTeamCommand(targetPath = '.', options = {}) {
     process.exit(1);
   }
 
-  console.log();
-  output.header('Ship Safe v4.0 — Multi-Agent Security Audit');
   console.log();
 
-  // ── 1. Run orchestrator ─────────────────────────────────────────────────────
-  const orchestrator = await buildOrchestratorAsync(absolutePath, { quiet: true });
+  let findings = [];
+  let recon = {};
+  let agentResults = [];
 
-  const agentFilter = options.agents
-    ? options.agents.split(',').map(a => a.trim())
-    : null;
+  // ── 1a. Swarm mode (parallel execution via best available provider) ────────
+  if (options.swarm) {
+    printBanner();
+    output.header('AI Swarm Mode');
+    console.log();
 
-  const orchestratorOpts = {
-    verbose: options.verbose,
-    agents: agentFilter,
-  };
-  if (options.deep) orchestratorOpts.deep = true;
-  if (options.local) orchestratorOpts.local = true;
-  if (options.model) orchestratorOpts.model = options.model;
-  if (options.provider) orchestratorOpts.provider = options.provider;
-  if (options.baseUrl) orchestratorOpts.baseUrl = options.baseUrl;
-  if (options.budget) orchestratorOpts.budget = options.budget;
+    const swarm = SwarmOrchestrator.create(absolutePath, {
+      provider: options.provider,
+      model: options.model,
+      verbose: options.verbose,
+      budgetCents: options.budget || 200,
+    });
+
+    if (!swarm) {
+      output.error('Swarm mode requires DEEPSEEK_API_KEY or MOONSHOT_API_KEY. Set one and retry.');
+      process.exit(1);
+    }
 
-  const results = await orchestrator.runAll(absolutePath, orchestratorOpts); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
+    const reconSpinner = ora({ text: 'Mapping attack surface...', color: 'cyan' }).start();
+    const reconAgent = new ReconAgent();
+    const reconResult = await reconAgent.analyze({ rootPath: absolutePath });
+    recon = Array.isArray(reconResult) ? {} : reconResult;
+    const files = await reconAgent.discoverFiles(absolutePath);
+    reconSpinner.succeed(chalk.green('Attack surface mapped'));
 
-  const { recon, findings, agentResults } = results;
+    const providerLabel = swarm.provider?.name || 'AI';
+    const swarmSpinner = ora({ text: `Deploying ${chalk.cyan('23 swarm agents')} via ${providerLabel}...`, color: 'cyan' }).start();
+    try {
+      findings = await swarm.run(absolutePath, recon, files);
+      swarmSpinner.succeed(chalk.green(`Swarm complete — ${findings.length} finding(s)`));
+    } catch (err) {
+      swarmSpinner.fail(chalk.red(`Swarm failed: ${err.message}`));
+      process.exit(1);
+    }
+
+    agentResults = [{ agent: 'KimiSwarm', category: 'swarm', findingCount: findings.length, success: true }];
+
+  } else {
+    // ── 1b. Standard local orchestration ───────────────────────────────────
+    printBanner();
+    output.header('Multi-Agent Security Audit');
+    console.log();
+
+    const orchestrator = await buildOrchestratorAsync(absolutePath, { quiet: true });
+
+    const agentFilter = options.agents
+      ? options.agents.split(',').map(a => a.trim())
+      : null;
+
+    const orchestratorOpts = {
+      verbose: options.verbose,
+      agents: agentFilter,
+    };
+    if (options.deep) orchestratorOpts.deep = true;
+    if (options.local) orchestratorOpts.local = true;
+    if (options.model) orchestratorOpts.model = options.model;
+    if (options.provider) orchestratorOpts.provider = options.provider;
+    if (options.baseUrl) orchestratorOpts.baseUrl = options.baseUrl;
+    if (options.budget) orchestratorOpts.budget = options.budget;
+
+    const results = await orchestrator.runAll(absolutePath, orchestratorOpts); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
+    ({ recon, findings, agentResults } = results);
+  }
 
   // ── 2. Dependency audit ─────────────────────────────────────────────────────
   let depVulns = [];

package/cli/commands/rotate.js

@@ -10,8 +10,9 @@
  * (no auth required — designed for reporting exposed credentials).
  *
  * USAGE:
- *   ship-safe rotate .              Scan and rotate all found secrets
- *   ship-safe rotate . --provider github   Only rotate GitHub tokens
+ *   ship-safe rotate .                         Scan local files and rotate found secrets
+ *   ship-safe rotate . --provider github        Only rotate GitHub tokens
+ *   ship-safe rotate --plan rotation-plan.json  Execute a plan from shipsafecli.com/rotate
  *
  * RECOMMENDED ORDER:
  *   1. ship-safe rotate      ← revoke the key so it can't be used
@@ -21,6 +22,7 @@
 
 import fs from 'fs';
 import path from 'path';
+import readline from 'readline';
 import { execSync } from 'child_process';
 import chalk from 'chalk';
 import ora from 'ora';
@@ -461,10 +463,205 @@ function maskToken(token) {
 }
 
 // =============================================================================
-// MAIN COMMAND
+// PLAN-BASED ROTATION (--plan rotation-plan.json)
 // =============================================================================
 
+function promptHidden(question) {
+  return new Promise(resolve => {
+    process.stdout.write(question);
+    const stdin = process.stdin;
+    const wasRaw = stdin.isRaw;
+    try { stdin.setRawMode(true); } catch { /* not a TTY */ }
+    stdin.resume();
+    stdin.setEncoding('utf8');
+    let value = '';
+    function onData(ch) {
+      if (ch === '\n' || ch === '\r' || ch === '\u0003') {
+        stdin.removeListener('data', onData);
+        try { stdin.setRawMode(!!wasRaw); } catch { /* ignore */ }
+        stdin.pause();
+        process.stdout.write('\n');
+        if (ch === '\u0003') process.exit(0);
+        resolve(value);
+      } else if (ch === '\u007f' || ch === '\b') {
+        value = value.slice(0, -1);
+      } else {
+        value += ch;
+        process.stdout.write('*');
+      }
+    }
+    stdin.on('data', onData);
+  });
+}
+
+async function updateVercelEnvVar(token, projectId, envId, envType, newValue, teamId) {
+  const params = new URLSearchParams();
+  if (teamId) params.set('teamId', teamId);
+  const url = `https://api.vercel.com/v9/projects/${projectId}/env/${envId}?${params}`;
+  const r = await fetch(url, {
+    method: 'PATCH',
+    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+    body: JSON.stringify({ value: newValue, type: envType || 'encrypted' }),
+  });
+  if (!r.ok) {
+    const body = await r.text();
+    throw new Error(`${r.status}: ${body}`);
+  }
+}
+
+export async function rotatePlanCommand(planFile) {
+  // ── 1. Read and validate plan ──────────────────────────────────────────────
+  const planPath = path.resolve(planFile);
+  if (!fs.existsSync(planPath)) {
+    output.error(`Plan file not found: ${planPath}`);
+    process.exit(1);
+  }
+
+  let plan;
+  try {
+    plan = JSON.parse(fs.readFileSync(planPath, 'utf-8'));
+  } catch {
+    output.error('Failed to parse rotation plan JSON. Make sure it was downloaded from shipsafecli.com/rotate');
+    process.exit(1);
+  }
+
+  const issuers = plan.issuers;
+  if (!issuers || typeof issuers !== 'object' || Object.keys(issuers).length === 0) {
+    output.success('No credentials in rotation plan — nothing to rotate.');
+    return;
+  }
+
+  const totalEnvVars = Object.values(issuers).reduce((sum, g) => sum + (g.affected?.length ?? 0), 0);
+  const issuerList = Object.entries(issuers);
+
+  output.header('Credential Rotation Plan');
+  console.log(chalk.gray(`\n  Plan generated: ${plan.generated ?? 'unknown'}`));
+  console.log(chalk.gray(`  Projects scanned: ${plan.projectsScanned ?? 'unknown'}`));
+  console.log(chalk.gray(`  Env vars to update: ${totalEnvVars}`));
+  console.log(chalk.gray(`  Credential types: ${issuerList.length}\n`));
+
+  // ── 2. Prompt for Vercel token ────────────────────────────────────────────
+  console.log(chalk.cyan.bold('  This command will update your Vercel env vars via the API.'));
+  console.log(chalk.gray('  Your token is used only for API calls and is never stored.\n'));
+
+  const vercelToken = await promptHidden(chalk.white('  Enter your Vercel API token: '));
+  if (!vercelToken) {
+    output.error('No Vercel token provided. Aborting.');
+    process.exit(1);
+  }
+
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const teamId = plan.teamId || '';
+
+  // ── 3. Process each issuer ────────────────────────────────────────────────
+  const auditLog = [];
+  let totalUpdated = 0;
+  let totalFailed = 0;
+
+  for (let i = 0; i < issuerList.length; i++) {
+    const [issuerKey, issuerData] = issuerList[i];
+    const affected = issuerData.affected ?? [];
+    if (affected.length === 0) continue;
+
+    const projectCount = new Set(affected.map(a => a.projectId)).size;
+    console.log(chalk.white.bold(`\n  [${i + 1}/${issuerList.length}] ${issuerData.name ?? issuerKey}`));
+    console.log(chalk.gray(`       ${affected.length} env var${affected.length !== 1 ? 's' : ''} across ${projectCount} project${projectCount !== 1 ? 's' : ''}`));
+
+    if (issuerData.rotateUrl) {
+      console.log(chalk.gray(`       Rotate URL: ${chalk.cyan(issuerData.rotateUrl)}`));
+      const opened = openBrowser(issuerData.rotateUrl);
+      if (opened) {
+        console.log(chalk.gray('       ✓ Opened in browser'));
+      } else {
+        console.log(chalk.yellow(`       → Open manually: ${issuerData.rotateUrl}`));
+      }
+    } else {
+      console.log(chalk.yellow('       No rotation URL — rotate manually in the provider dashboard.'));
+    }
+
+    // Get one new value per unique env var name for this issuer
+    const uniqueKeys = [...new Set(affected.map(a => a.envVar))];
+    const newValues = {};
+
+    for (const envKey of uniqueKeys) {
+      const newVal = await promptHidden(chalk.white(`\n  Paste new value for ${chalk.cyan(envKey)}: `));
+      if (!newVal) {
+        console.log(chalk.yellow(`  Skipping ${envKey} (no value entered)`));
+        continue;
+      }
+      newValues[envKey] = newVal;
+    }
+
+    if (Object.keys(newValues).length === 0) {
+      console.log(chalk.gray('  Skipped all env vars for this issuer.\n'));
+      continue;
+    }
+
+    // Update each affected env var via Vercel API
+    const spinner = ora({ text: `  Updating ${affected.length} env var${affected.length !== 1 ? 's' : ''}...`, color: 'cyan' }).start();
+    let issuerUpdated = 0;
+    let issuerFailed = 0;
+
+    for (const item of affected) {
+      const newVal = newValues[item.envVar];
+      if (!newVal) continue;
+      try {
+        await updateVercelEnvVar(vercelToken, item.projectId, item.envId, item.envType, newVal, teamId);
+        issuerUpdated++;
+        auditLog.push({
+          ts: new Date().toISOString(),
+          issuer: issuerKey,
+          project: item.projectName,
+          projectId: item.projectId,
+          envVar: item.envVar,
+          status: 'updated',
+        });
+      } catch (e) {
+        issuerFailed++;
+        auditLog.push({
+          ts: new Date().toISOString(),
+          issuer: issuerKey,
+          project: item.projectName,
+          projectId: item.projectId,
+          envVar: item.envVar,
+          status: 'failed',
+          error: e instanceof Error ? e.message : String(e),
+        });
+      }
+    }
+
+    totalUpdated += issuerUpdated;
+    totalFailed += issuerFailed;
+
+    if (issuerFailed === 0) {
+      spinner.succeed(chalk.green(`  Updated ${issuerUpdated} env var${issuerUpdated !== 1 ? 's' : ''}`));
+    } else {
+      spinner.warn(chalk.yellow(`  Updated ${issuerUpdated}, failed ${issuerFailed}`));
+    }
+  }
+
+  rl.close();
+
+  // ── 4. Write audit log ────────────────────────────────────────────────────
+  const auditPath = path.resolve('rotation-audit.json');
+  fs.writeFileSync(auditPath, JSON.stringify({ rotatedAt: new Date().toISOString(), auditLog }, null, 2));
+
+  // ── 5. Summary ────────────────────────────────────────────────────────────
+  console.log();
+  console.log(chalk.cyan.bold('  Rotation complete'));
+  console.log(chalk.white(`  ✓ ${totalUpdated} env var${totalUpdated !== 1 ? 's' : ''} updated`));
+  if (totalFailed > 0) {
+    console.log(chalk.red(`  ✗ ${totalFailed} failed — see rotation-audit.json for details`));
+  }
+  console.log(chalk.gray(`\n  Audit log written to: ${auditPath}`));
+  console.log(chalk.gray('  Run ship-safe scan . to confirm no hardcoded credentials remain.\n'));
+}
+
 export async function rotateCommand(targetPath = '.', options = {}) {
+  // If --plan flag provided, delegate to plan-based rotation
+  if (options.plan) {
+    return rotatePlanCommand(options.plan);
+  }
   const absolutePath = path.resolve(targetPath);
 
   if (!fs.existsSync(absolutePath)) {