ship-safe 9.2.1 → 9.2.3

package/cli/.ship-safe/history.json

@@ -0,0 +1,190 @@
+[
+  {
+    "timestamp": "2026-04-24T05:18:07.805Z",
+    "score": 13,
+    "grade": "F",
+    "totalFindings": 533,
+    "totalDepVulns": 0,
+    "categoryScores": {
+      "secrets": {
+        "deduction": 15,
+        "counts": {
+          "critical": 5,
+          "high": 0,
+          "medium": 2,
+          "low": 0
+        }
+      },
+      "injection": {
+        "deduction": 15,
+        "counts": {
+          "critical": 24,
+          "high": 47,
+          "medium": 22,
+          "low": 0
+        }
+      },
+      "deps": {
+        "deduction": 0,
+        "counts": {
+          "critical": 0,
+          "high": 0,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "auth": {
+        "deduction": 15,
+        "counts": {
+          "critical": 5,
+          "high": 18,
+          "medium": 10,
+          "low": 0
+        }
+      },
+      "config": {
+        "deduction": 8,
+        "counts": {
+          "critical": 3,
+          "high": 16,
+          "medium": 12,
+          "low": 2
+        }
+      },
+      "supply-chain": {
+        "deduction": 12,
+        "counts": {
+          "critical": 3,
+          "high": 4,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "api": {
+        "deduction": 10,
+        "counts": {
+          "critical": 3,
+          "high": 21,
+          "medium": 5,
+          "low": 6
+        }
+      },
+      "llm": {
+        "deduction": 12,
+        "counts": {
+          "critical": 23,
+          "high": 178,
+          "medium": 124,
+          "low": 0
+        }
+      }
+    },
+    "suppressions": {
+      "total": 94,
+      "rules": {
+        "suppression": 1,
+        "_unspecified": 78,
+        "annotations": 2,
+        "on": 4,
+        "comments": 1,
+        "RULE_NAME": 1,
+        "comment": 5,
+        "as": 2
+      }
+    }
+  },
+  {
+    "timestamp": "2026-04-25T19:29:18.418Z",
+    "score": 13,
+    "grade": "F",
+    "totalFindings": 541,
+    "totalDepVulns": 0,
+    "categoryScores": {
+      "secrets": {
+        "deduction": 15,
+        "counts": {
+          "critical": 6,
+          "high": 0,
+          "medium": 2,
+          "low": 0
+        }
+      },
+      "injection": {
+        "deduction": 15,
+        "counts": {
+          "critical": 24,
+          "high": 47,
+          "medium": 22,
+          "low": 0
+        }
+      },
+      "deps": {
+        "deduction": 0,
+        "counts": {
+          "critical": 0,
+          "high": 0,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "auth": {
+        "deduction": 15,
+        "counts": {
+          "critical": 5,
+          "high": 18,
+          "medium": 10,
+          "low": 0
+        }
+      },
+      "config": {
+        "deduction": 8,
+        "counts": {
+          "critical": 3,
+          "high": 16,
+          "medium": 12,
+          "low": 2
+        }
+      },
+      "supply-chain": {
+        "deduction": 12,
+        "counts": {
+          "critical": 3,
+          "high": 4,
+          "medium": 0,
+          "low": 0
+        }
+      },
+      "api": {
+        "deduction": 10,
+        "counts": {
+          "critical": 3,
+          "high": 21,
+          "medium": 5,
+          "low": 6
+        }
+      },
+      "llm": {
+        "deduction": 12,
+        "counts": {
+          "critical": 23,
+          "high": 165,
+          "medium": 144,
+          "low": 0
+        }
+      }
+    },
+    "suppressions": {
+      "total": 94,
+      "rules": {
+        "_unspecified": 78,
+        "suppression": 1,
+        "annotations": 2,
+        "on": 4,
+        "comments": 1,
+        "RULE_NAME": 1,
+        "comment": 5,
+        "as": 2
+      }
+    }
+  }
+]

package/cli/bin/ship-safe.js

@@ -31,6 +31,7 @@ import { rotateCommand } from '../commands/rotate.js';
 import { agentCommand } from '../commands/agent.js';
 import { agentFixCommand } from '../commands/agent-fix.js';
 import { undoCommand } from '../commands/undo.js';
+import { shareCommand } from '../commands/share.js';
 import { shellCommand } from '../commands/shell.js';
 import { depsCommand } from '../commands/deps.js';
 import { scoreCommand } from '../commands/score.js';
@@ -217,6 +218,14 @@ program
   .option('--dry-run', 'Show what would be reverted without writing anything')
   .action(undoCommand);
 
+// -----------------------------------------------------------------------------
+// SHARE COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('share [path]')
+  .description('Publish your latest scan report as a public URL (valid 7 days)')
+  .action(shareCommand);
+
 // -----------------------------------------------------------------------------
 // SHELL COMMAND
 // -----------------------------------------------------------------------------

package/cli/commands/audit.js

@@ -327,7 +327,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
   );
 
   // ── AI Classification (optional, with LLM cache) ───────────────────────
-  if (options.ai !== false) {
+  if (options.ai !== false && !options.noAi) {
     const provider = autoDetectProvider(absolutePath, {
       provider:   options.provider,
       baseUrl:    options.baseUrl,
@@ -499,6 +499,18 @@ export async function auditCommand(targetPath = '.', options = {}) {
       printComparison(scoringEngine, absolutePath, scoreResult);
     }
 
+    // ── Upgrade prompt ────────────────────────────────────────────────────
+    const criticalCount = filteredFindings.filter(f => f.severity === 'critical').length;
+    const highCount     = filteredFindings.filter(f => f.severity === 'high').length;
+    const fixable       = criticalCount + highCount;
+    if (fixable > 0 && scoreResult.score < 80) {
+      console.log();
+      console.log(chalk.yellow('  ┌─────────────────────────────────────────────────────────┐'));
+      console.log(chalk.yellow('  │') + chalk.white.bold(`  ${fixable} critical/high finding${fixable === 1 ? '' : 's'} — fix them automatically`) + chalk.yellow('        │'));
+      console.log(chalk.yellow('  │') + chalk.cyan('  npx ship-safe agent .') + chalk.gray('  ·  ') + chalk.cyan('shipsafecli.com/pricing') + chalk.yellow('     │'));
+      console.log(chalk.yellow('  └─────────────────────────────────────────────────────────┘'));
+    }
+
     console.log();
     console.log(chalk.cyan('═'.repeat(60)));
     console.log();

package/cli/commands/share.js

@@ -0,0 +1,71 @@
+/**
+ * Share Command — Publish a scan report as a public URL
+ *
+ * Usage:
+ *   ship-safe share [path]
+ *
+ * Reads the latest scan from .ship-safe/history.json (or runs a fresh scan),
+ * uploads it to shipsafecli.com, and returns a shareable link valid for 7 days.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const SHARE_ENDPOINT = 'https://shipsafecli.com/api/share';
+
+export async function shareCommand(targetPath = '.', options = {}) {
+  const root = path.resolve(targetPath);
+
+  // ── Load last scan from history ──────────────────────────────────────────
+  const historyPath = path.join(root, '.ship-safe', 'history.json');
+  let report = null;
+
+  if (fs.existsSync(historyPath)) {
+    try {
+      const history = JSON.parse(fs.readFileSync(historyPath, 'utf8'));
+      const entries = Array.isArray(history) ? history : [history];
+      if (entries.length > 0) report = entries[entries.length - 1];
+    } catch {
+      // fall through
+    }
+  }
+
+  if (!report) {
+    console.log(chalk.yellow('  No scan found. Run a scan first:'));
+    console.log(chalk.gray('  npx ship-safe audit .'));
+    process.exit(1);
+  }
+
+  const spinner = ora({ text: 'Uploading report...', color: 'cyan' }).start();
+
+  try {
+    const res = await fetch(SHARE_ENDPOINT, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        score:    report.score ?? null,
+        grade:    report.grade ?? null,
+        repo:     report.rootPath ? path.basename(report.rootPath) : null,
+        findings: report.totalFindings ?? 0,
+        report,
+      }),
+    });
+
+    if (!res.ok) {
+      throw new Error(`Server returned ${res.status}`);
+    }
+
+    const { url } = await res.json();
+    spinner.succeed(chalk.green('Report shared!'));
+    console.log();
+    console.log(chalk.white('  Share URL: ') + chalk.cyan.bold(url));
+    console.log(chalk.gray('  Link expires in 7 days.'));
+    console.log();
+  } catch (err) {
+    spinner.fail(chalk.red('Failed to share report'));
+    console.log(chalk.gray(`  ${err.message}`));
+    process.exit(1);
+  }
+}

package/cli/commands/shell.js

@@ -29,6 +29,7 @@ import { autoDetectProvider } from '../providers/llm-provider.js';
 import { auditCommand } from './audit.js';
 import { agentFixCommand } from './agent-fix.js';
 import { undoCommand } from './undo.js';
+import { shareCommand } from './share.js';
 import * as output from '../utils/output.js';
 
 const SEV_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
@@ -292,13 +293,16 @@ async function handleSlashCommand(line, state, options) {
     case 'agent':
     case 'fix': {
       // Hand off to agent command. Pass through caller options + any inline flags.
+      // Forward the active provider key so /provider switches take effect.
       const opts = { ...options };
+      if (state.providerKey) opts.provider = state.providerKey;
       for (const a of args) {
         if (a === '--plan-only')   opts.planOnly = true;
         if (a === '--allow-dirty') opts.allowDirty = true;
         if (a === '--branch')      opts.branch = true;
         if (a === '--pr')          opts.pr = true;
         if (a.startsWith('--severity=')) opts.severity = a.slice('--severity='.length);
+        if (a.startsWith('--provider=')) opts.provider = a.slice('--provider='.length);
       }
       try {
         await agentFixCommand(state.root, opts);
@@ -317,6 +321,11 @@ async function handleSlashCommand(line, state, options) {
       return true;
     }
 
+    case 'share': {
+      await shareCommand(state.root);
+      return true;
+    }
+
     case 'provider': {
       const name = args[0];
       if (!name) {
@@ -328,7 +337,8 @@ async function handleSlashCommand(line, state, options) {
       if (!next) {
         console.log(chalk.yellow(`  Could not load provider "${name}" — is the API key set?`));
       } else {
-        state.provider = next;
+        state.provider    = next;
+        state.providerKey = name;   // keep the string so /agent can forward it
         console.log(chalk.green(`  Provider switched to ${next.name}.`));
       }
       return true;
@@ -424,6 +434,7 @@ function printHelp() {
   console.log('    /plan <n>             Preview a fix plan for finding <n> (no writes)');
   console.log('    /agent [--plan-only]  Run the interactive fix loop');
   console.log('    /undo [--all]         Revert the last fix (or all)');
+  console.log('    /share                Publish scan report as a public URL (7 days)');
   console.log('    /diff [path]          Show git working-tree diff');
   console.log('    /git <args>           Pass through to git (status, log, stash, ...)');
   console.log('    /provider <name>      Switch LLM provider');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "9.2.1",
+  "version": "9.2.3",
   "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
   "main": "cli/index.js",
   "bin": {