ship-safe 9.2.0 → 9.2.2

package/cli/.ship-safe/history.json

@@ -0,0 +1,190 @@
+[
+  {
+    "timestamp": "2026-04-24T05:18:07.805Z",
+    "score": 13,
+    "grade": "F",
+    "totalFindings": 533,
+    "totalDepVulns": 0,
+    "categoryScores": {
+      "secrets": {
+        "deduction": 15,
+        "counts": {
+          "critical": 5,
+          "high": 0,
+          "medium": 2,
+          "low": 0
+        }
+      },
+      "injection": {
+        "deduction": 15,
+        "counts": {
+          "critical": 24,
+          "high": 47,
+          "medium": 22,
+          "low": 0
+        }
+      },
+      "deps": {
+        "deduction": 0,
+        "counts": {
+          "critical": 0,
+          "high": 0,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "auth": {
+        "deduction": 15,
+        "counts": {
+          "critical": 5,
+          "high": 18,
+          "medium": 10,
+          "low": 0
+        }
+      },
+      "config": {
+        "deduction": 8,
+        "counts": {
+          "critical": 3,
+          "high": 16,
+          "medium": 12,
+          "low": 2
+        }
+      },
+      "supply-chain": {
+        "deduction": 12,
+        "counts": {
+          "critical": 3,
+          "high": 4,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "api": {
+        "deduction": 10,
+        "counts": {
+          "critical": 3,
+          "high": 21,
+          "medium": 5,
+          "low": 6
+        }
+      },
+      "llm": {
+        "deduction": 12,
+        "counts": {
+          "critical": 23,
+          "high": 178,
+          "medium": 124,
+          "low": 0
+        }
+      }
+    },
+    "suppressions": {
+      "total": 94,
+      "rules": {
+        "suppression": 1,
+        "_unspecified": 78,
+        "annotations": 2,
+        "on": 4,
+        "comments": 1,
+        "RULE_NAME": 1,
+        "comment": 5,
+        "as": 2
+      }
+    }
+  },
+  {
+    "timestamp": "2026-04-25T19:29:18.418Z",
+    "score": 13,
+    "grade": "F",
+    "totalFindings": 541,
+    "totalDepVulns": 0,
+    "categoryScores": {
+      "secrets": {
+        "deduction": 15,
+        "counts": {
+          "critical": 6,
+          "high": 0,
+          "medium": 2,
+          "low": 0
+        }
+      },
+      "injection": {
+        "deduction": 15,
+        "counts": {
+          "critical": 24,
+          "high": 47,
+          "medium": 22,
+          "low": 0
+        }
+      },
+      "deps": {
+        "deduction": 0,
+        "counts": {
+          "critical": 0,
+          "high": 0,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "auth": {
+        "deduction": 15,
+        "counts": {
+          "critical": 5,
+          "high": 18,
+          "medium": 10,
+          "low": 0
+        }
+      },
+      "config": {
+        "deduction": 8,
+        "counts": {
+          "critical": 3,
+          "high": 16,
+          "medium": 12,
+          "low": 2
+        }
+      },
+      "supply-chain": {
+        "deduction": 12,
+        "counts": {
+          "critical": 3,
+          "high": 4,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "api": {
+        "deduction": 10,
+        "counts": {
+          "critical": 3,
+          "high": 21,
+          "medium": 5,
+          "low": 6
+        }
+      },
+      "llm": {
+        "deduction": 12,
+        "counts": {
+          "critical": 23,
+          "high": 165,
+          "medium": 144,
+          "low": 0
+        }
+      }
+    },
+    "suppressions": {
+      "total": 94,
+      "rules": {
+        "_unspecified": 78,
+        "suppression": 1,
+        "annotations": 2,
+        "on": 4,
+        "comments": 1,
+        "RULE_NAME": 1,
+        "comment": 5,
+        "as": 2
+      }
+    }
+  }
+]

package/cli/bin/ship-safe.js

@@ -663,7 +663,9 @@ How it works:
 // No command + interactive TTY → drop into the REPL.
 // Help banner is still available via `--help` and shown when stdin is piped.
 if (process.argv.length === 2 && process.stdin.isTTY) {
-  shellCommand('.', {});
+  // Await shell before exiting; do NOT fall through to program.parse() or it
+  // will print the help banner concurrently with the REPL banner.
+  shellCommand('.', {}).then(() => process.exit(0)).catch(() => process.exit(1));
 } else if (process.argv.length === 2) {
   console.log(banner);
   console.log(chalk.yellow('\nQuick start:\n'));
@@ -707,6 +709,6 @@ if (process.argv.length === 2 && process.stdin.isTTY) {
   console.log(chalk.white('\n  npx ship-safe --help        ') + chalk.gray('# Show all options'));
   console.log();
   process.exit(0);
+} else {
+  program.parse();
 }
-
-program.parse();

package/cli/commands/audit.js

@@ -327,7 +327,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
   );
 
   // ── AI Classification (optional, with LLM cache) ───────────────────────
-  if (options.ai !== false) {
+  if (options.ai !== false && !options.noAi) {
     const provider = autoDetectProvider(absolutePath, {
       provider:   options.provider,
       baseUrl:    options.baseUrl,

package/cli/commands/shell.js

@@ -20,7 +20,9 @@
 
 import { createInterface } from 'readline';
 import { execFileSync, spawnSync } from 'child_process';
+import { readFileSync as fsReadFileSync } from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 import chalk from 'chalk';
 import ora from 'ora';
 import { autoDetectProvider } from '../providers/llm-provider.js';
@@ -31,6 +33,84 @@ import * as output from '../utils/output.js';
 
 const SEV_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
 
+// Read version from package.json so the banner stays in sync with releases.
+const PKG_VERSION = (() => {
+  try {
+    const here = path.dirname(fileURLToPath(import.meta.url));
+    const pkg  = JSON.parse(fsReadFileSync(path.join(here, '..', '..', 'package.json'), 'utf8'));
+    return pkg.version;
+  } catch { return ''; }
+})();
+
+const BANNER_LINES = [
+  '  ███████╗██╗  ██╗██╗██████╗     ███████╗ █████╗ ███████╗███████╗',
+  '  ██╔════╝██║  ██║██║██╔══██╗    ██╔════╝██╔══██╗██╔════╝██╔════╝',
+  '  ███████╗███████║██║██████╔╝    ███████╗███████║█████╗  █████╗  ',
+  '  ╚════██║██╔══██║██║██╔═══╝     ╚════██║██╔══██║██╔══╝  ██╔══╝  ',
+  '  ███████║██║  ██║██║██║         ███████║██║  ██║██║     ███████╗',
+  '  ╚══════╝╚═╝  ╚═╝╚═╝╚═╝         ╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝',
+];
+
+// Characters drawn from the same box-drawing + block set the banner uses,
+// so random frames look plausibly related rather than pure noise.
+const GLITCH_CHARS = '█▓▒░╔╗╚╝╠╣╦╩╬═║┼┤├┬┴┐└┘┌─│╱╲╳';
+
+function glitchFrame(line, reveal) {
+  // `reveal` is 0.0..1.0 — characters left of the reveal frontier are real,
+  // everything to the right is randomised from the glitch set.
+  return line.split('').map((ch, i) => {
+    const pos = i / line.length;
+    if (pos < reveal || ch === ' ') return ch;
+    return GLITCH_CHARS[Math.floor(Math.random() * GLITCH_CHARS.length)];
+  }).join('');
+}
+
+function sleep(ms) {
+  return new Promise(r => setTimeout(r, ms));
+}
+
+async function shipSafeBannerAnimated() {
+  const cols   = process.stdout.columns;
+  const narrow = typeof cols === 'number' && cols > 0 && cols < 70;
+  if (narrow) {
+    console.log(chalk.cyan.bold('  S H I P   S A F E'));
+    return;
+  }
+
+  const lines = BANNER_LINES;
+  const FRAMES    = 8;   // glitch passes before the line locks in
+  const FRAME_MS  = 18;  // ms between frames within a line
+  const LINE_MS   = 28;  // ms between lines starting
+
+  // Print an empty placeholder so we know exactly where each line lives.
+  // We'll overwrite them in-place using cursor-up escape codes.
+  process.stdout.write('\n');
+  for (const line of lines) {
+    process.stdout.write(' '.repeat(line.length) + '\n');
+  }
+  process.stdout.write('\n');
+
+  for (let li = 0; li < lines.length; li++) {
+    const line = lines[li];
+    // Move cursor up to this line's row (from the blank line after the banner).
+    const stepsUp = lines.length - li + 1;
+    process.stdout.write(`\x1B[${stepsUp}A`); // cursor up N
+
+    // Animate: reveal marches from 0 → 1 across FRAMES frames.
+    for (let f = 0; f <= FRAMES; f++) {
+      const reveal = f / FRAMES;
+      const scrambled = glitchFrame(line, reveal);
+      process.stdout.write('\r' + chalk.cyan(scrambled));
+      if (f < FRAMES) await sleep(FRAME_MS);
+    }
+
+    // Write the final clean line and move back down to the bottom blank line.
+    process.stdout.write('\r' + chalk.cyan(line));
+    process.stdout.write(`\x1B[${stepsUp}B`); // cursor down N
+    await sleep(LINE_MS);
+  }
+}
+
 export async function shellCommand(targetPath = '.', options = {}) {
   const root = path.resolve(targetPath);
 
@@ -49,13 +129,18 @@ export async function shellCommand(targetPath = '.', options = {}) {
     think:    options.think || false,
   });
 
+  // Branded entry: big wordmark, version + provider + cwd, then a CTA hint.
+  // Modeled on Claude Code / Gemini CLI / Aider — establish the tool's identity
+  // in the first second, then get out of the way.
   console.log();
-  output.header('Ship Safe — Interactive Shell');
-  console.log(chalk.gray(`  cwd:      ${root}`));
-  console.log(chalk.gray(`  provider: ${state.provider ? chalk.cyan(state.provider.name) : chalk.yellow('none — set DEEPSEEK_API_KEY or similar')}`));
+  await shipSafeBannerAnimated();
+  // trailing blank line is already written by the animation loop
+  const ver  = PKG_VERSION ? `v${PKG_VERSION}` : '';
+  const prov = state.provider ? chalk.cyan(state.provider.name) : chalk.yellow('no provider');
+  const cwd  = chalk.gray(prettyCwd(root));
+  console.log(`  ${chalk.bold(ver)}  ${chalk.gray('·')}  ${prov}  ${chalk.gray('·')}  ${cwd}`);
   console.log();
-  console.log(chalk.gray('  Type /help for commands, anything else to ask the agent.'));
-  console.log(chalk.gray('  /quit or Ctrl-D to exit.'));
+  console.log(chalk.gray('  /scan to find issues  ·  /agent to fix them  ·  /help for more'));
   console.log();
 
   const rl = createInterface({
@@ -207,13 +292,16 @@ async function handleSlashCommand(line, state, options) {
     case 'agent':
     case 'fix': {
       // Hand off to agent command. Pass through caller options + any inline flags.
+      // Forward the active provider key so /provider switches take effect.
       const opts = { ...options };
+      if (state.providerKey) opts.provider = state.providerKey;
       for (const a of args) {
         if (a === '--plan-only')   opts.planOnly = true;
         if (a === '--allow-dirty') opts.allowDirty = true;
         if (a === '--branch')      opts.branch = true;
         if (a === '--pr')          opts.pr = true;
         if (a.startsWith('--severity=')) opts.severity = a.slice('--severity='.length);
+        if (a.startsWith('--provider=')) opts.provider = a.slice('--provider='.length);
       }
       try {
         await agentFixCommand(state.root, opts);
@@ -243,7 +331,8 @@ async function handleSlashCommand(line, state, options) {
       if (!next) {
         console.log(chalk.yellow(`  Could not load provider "${name}" — is the API key set?`));
       } else {
-        state.provider = next;
+        state.provider    = next;
+        state.providerKey = name;   // keep the string so /agent can forward it
         console.log(chalk.green(`  Provider switched to ${next.name}.`));
       }
       return true;
@@ -407,6 +496,12 @@ function sevTag(sev) {
   }
 }
 
+function prettyCwd(p) {
+  const home = process.env.HOME || '';
+  if (home && p.startsWith(home + '/')) return '~' + p.slice(home.length);
+  return p;
+}
+
 function gradeColor(score) {
   if (score == null) return chalk.gray;
   if (score >= 80) return chalk.green;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "9.2.0",
+  "version": "9.2.2",
   "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
   "main": "cli/index.js",
   "bin": {