ship-safe 9.2.1 → 9.2.2

@@ -0,0 +1,190 @@
1
+ [
2
+ {
3
+ "timestamp": "2026-04-24T05:18:07.805Z",
4
+ "score": 13,
5
+ "grade": "F",
6
+ "totalFindings": 533,
7
+ "totalDepVulns": 0,
8
+ "categoryScores": {
9
+ "secrets": {
10
+ "deduction": 15,
11
+ "counts": {
12
+ "critical": 5,
13
+ "high": 0,
14
+ "medium": 2,
15
+ "low": 0
16
+ }
17
+ },
18
+ "injection": {
19
+ "deduction": 15,
20
+ "counts": {
21
+ "critical": 24,
22
+ "high": 47,
23
+ "medium": 22,
24
+ "low": 0
25
+ }
26
+ },
27
+ "deps": {
28
+ "deduction": 0,
29
+ "counts": {
30
+ "critical": 0,
31
+ "high": 0,
32
+ "medium": 0,
33
+ "low": 0
34
+ }
35
+ },
36
+ "auth": {
37
+ "deduction": 15,
38
+ "counts": {
39
+ "critical": 5,
40
+ "high": 18,
41
+ "medium": 10,
42
+ "low": 0
43
+ }
44
+ },
45
+ "config": {
46
+ "deduction": 8,
47
+ "counts": {
48
+ "critical": 3,
49
+ "high": 16,
50
+ "medium": 12,
51
+ "low": 2
52
+ }
53
+ },
54
+ "supply-chain": {
55
+ "deduction": 12,
56
+ "counts": {
57
+ "critical": 3,
58
+ "high": 4,
59
+ "medium": 0,
60
+ "low": 0
61
+ }
62
+ },
63
+ "api": {
64
+ "deduction": 10,
65
+ "counts": {
66
+ "critical": 3,
67
+ "high": 21,
68
+ "medium": 5,
69
+ "low": 6
70
+ }
71
+ },
72
+ "llm": {
73
+ "deduction": 12,
74
+ "counts": {
75
+ "critical": 23,
76
+ "high": 178,
77
+ "medium": 124,
78
+ "low": 0
79
+ }
80
+ }
81
+ },
82
+ "suppressions": {
83
+ "total": 94,
84
+ "rules": {
85
+ "suppression": 1,
86
+ "_unspecified": 78,
87
+ "annotations": 2,
88
+ "on": 4,
89
+ "comments": 1,
90
+ "RULE_NAME": 1,
91
+ "comment": 5,
92
+ "as": 2
93
+ }
94
+ }
95
+ },
96
+ {
97
+ "timestamp": "2026-04-25T19:29:18.418Z",
98
+ "score": 13,
99
+ "grade": "F",
100
+ "totalFindings": 541,
101
+ "totalDepVulns": 0,
102
+ "categoryScores": {
103
+ "secrets": {
104
+ "deduction": 15,
105
+ "counts": {
106
+ "critical": 6,
107
+ "high": 0,
108
+ "medium": 2,
109
+ "low": 0
110
+ }
111
+ },
112
+ "injection": {
113
+ "deduction": 15,
114
+ "counts": {
115
+ "critical": 24,
116
+ "high": 47,
117
+ "medium": 22,
118
+ "low": 0
119
+ }
120
+ },
121
+ "deps": {
122
+ "deduction": 0,
123
+ "counts": {
124
+ "critical": 0,
125
+ "high": 0,
126
+ "medium": 0,
127
+ "low": 0
128
+ }
129
+ },
130
+ "auth": {
131
+ "deduction": 15,
132
+ "counts": {
133
+ "critical": 5,
134
+ "high": 18,
135
+ "medium": 10,
136
+ "low": 0
137
+ }
138
+ },
139
+ "config": {
140
+ "deduction": 8,
141
+ "counts": {
142
+ "critical": 3,
143
+ "high": 16,
144
+ "medium": 12,
145
+ "low": 2
146
+ }
147
+ },
148
+ "supply-chain": {
149
+ "deduction": 12,
150
+ "counts": {
151
+ "critical": 3,
152
+ "high": 4,
153
+ "medium": 0,
154
+ "low": 0
155
+ }
156
+ },
157
+ "api": {
158
+ "deduction": 10,
159
+ "counts": {
160
+ "critical": 3,
161
+ "high": 21,
162
+ "medium": 5,
163
+ "low": 6
164
+ }
165
+ },
166
+ "llm": {
167
+ "deduction": 12,
168
+ "counts": {
169
+ "critical": 23,
170
+ "high": 165,
171
+ "medium": 144,
172
+ "low": 0
173
+ }
174
+ }
175
+ },
176
+ "suppressions": {
177
+ "total": 94,
178
+ "rules": {
179
+ "_unspecified": 78,
180
+ "suppression": 1,
181
+ "annotations": 2,
182
+ "on": 4,
183
+ "comments": 1,
184
+ "RULE_NAME": 1,
185
+ "comment": 5,
186
+ "as": 2
187
+ }
188
+ }
189
+ }
190
+ ]
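Review bot: Publishing this scan-history file inside the package tarball exposes what looks like the tool's own self-assessment (timestamped entries, `"grade": "F"`, `secrets.counts.critical` going from 5 to 6 between the two runs) to every installer, and if those secret findings are real the exposure is worse than the file itself; unless it is an intentional test fixture it should be excluded via the `files` whitelist in package.json or a `.npmignore` entry. The file header is not visible in this diff, so the path and purpose are inferred from the content. The `suppressions.rules` tally also looks wrong: `"_unspecified": 78` plus keys such as `on`, `as`, `comment`, `annotations` and `RULE_NAME` read like tokens lifted from prose describing the suppression syntax rather than real rule ids, which suggests the suppression parser is matching documentation text; worth checking before the 94 suppressions are trusted in the score.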
@@ -327,7 +327,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
327
327
  );
328
328
 
329
329
  // ── AI Classification (optional, with LLM cache) ───────────────────────
330
- if (options.ai !== false) {
330
+ if (options.ai !== false && !options.noAi) {
331
331
  const provider = autoDetectProvider(absolutePath, {
332
332
  provider: options.provider,
333
333
  baseUrl: options.baseUrl,
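Review bot: The AI opt-out now depends on two differently spelled inputs, `options.ai === false` (what a Commander-style `--no-ai` option produces) and `options.noAi`, and nothing in the hunk says which front-end sets which, so a reader cannot tell whether `noAi` is a new CLI flag or a synonym added for the REPL. Because this guard is what keeps scan findings from being handed to an external provider (`autoDetectProvider` is configured with a `baseUrl`, so presumably a remote endpoint), the opt-out deserves one normalized, documented boolean: `// AI classification is opt-out: --no-ai (options.ai === false) or options.noAi disables it`, `const aiEnabled = options.ai !== false && !options.noAi;`, `if (aiEnabled) {`. auditCommand starts and ends outside this hunk.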
@@ -292,13 +292,16 @@ async function handleSlashCommand(line, state, options) {
292
292
  case 'agent':
293
293
  case 'fix': {
294
294
  // Hand off to agent command. Pass through caller options + any inline flags.
295
+ // Forward the active provider key so /provider switches take effect.
295
296
  const opts = { ...options };
297
+ if (state.providerKey) opts.provider = state.providerKey;
296
298
  for (const a of args) {
297
299
  if (a === '--plan-only') opts.planOnly = true;
298
300
  if (a === '--allow-dirty') opts.allowDirty = true;
299
301
  if (a === '--branch') opts.branch = true;
300
302
  if (a === '--pr') opts.pr = true;
301
303
  if (a.startsWith('--severity=')) opts.severity = a.slice('--severity='.length);
304
+ if (a.startsWith('--provider=')) opts.provider = a.slice('--provider='.length);
302
305
  }
303
306
  try {
304
307
  await agentFixCommand(state.root, opts);
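Review bot: The new `--provider=` branch at the end of the args loop assigns whatever follows the `=` without checking it, so `/agent --provider=` (empty value, e.g. a mistyped name) overwrites the `state.providerKey` that the lines above just forwarded with an empty string, and the agent then runs with no provider instead of the one the user switched to with `/provider`. Guard the value before using it: `if (a.startsWith('--provider=')) { const v = a.slice('--provider='.length); if (v) opts.provider = v; }`. The pre-existing `--severity=` line has the same shape, which this commit leaves unchanged. handleSlashCommand starts and ends outside this hunk.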
@@ -328,7 +331,8 @@ async function handleSlashCommand(line, state, options) {
328
331
  if (!next) {
329
332
  console.log(chalk.yellow(` Could not load provider "${name}" — is the API key set?`));
330
333
  } else {
331
- state.provider = next;
334
+ state.provider = next;
335
+ state.providerKey = name; // keep the string so /agent can forward it
332
336
  console.log(chalk.green(` Provider switched to ${next.name}.`));
333
337
  }
334
338
  return true;
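--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "ship-safe",
- "version": "9.2.1",
+ "version": "9.2.2",
  "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
  "main": "cli/index.js",
  "bin": {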