ship-safe 9.2.2 → 9.2.4

package/README.md

@@ -98,7 +98,7 @@ $ ship-safe
   ███████╗██╗  ██╗██╗██████╗     ███████╗ █████╗ ███████╗███████╗
   ...
 
-  v9.2.1  ·  DeepSeek  ·  ~/my-project
+  v9.2.3  ·  DeepSeek  ·  ~/my-project
 
   /scan to find issues  ·  /agent to fix them  ·  /help for more
 
@@ -113,6 +113,7 @@ shipsafe ›
 | `/show <n>` | Full detail on finding n |
 | `/plan <n>` | Preview fix plan for finding n (no writes) |
 | `/undo [--all]` | Revert the last fix (or all fixes) |
+| `/share` | Publish scan report as a public URL (7 days) |
 | `/diff` | Show git working-tree diff |
 | `/provider <name>` | Switch LLM provider mid-session |
 | `/quit` | Exit (also `Ctrl-D` or `Ctrl-C`) |

package/cli/agents/mcp-security-agent.js

@@ -64,7 +64,7 @@ const PATTERNS = [
   {
     rule: 'MCP_STDIO_NO_SANDBOX',
     title: 'MCP: stdio Transport Without Sandbox',
-    regex: /(?:StdioServerTransport|stdio|transport.*stdio)/g,
+    regex: /(?:StdioServerTransport|new\s+StdioTransport|transport\s*[:=]\s*['"]stdio['"]|StdioClientTransport)/g,
     severity: 'medium',
     cwe: 'CWE-269',
     owasp: 'A04:2021',

package/cli/bin/ship-safe.js

@@ -31,6 +31,7 @@ import { rotateCommand } from '../commands/rotate.js';
 import { agentCommand } from '../commands/agent.js';
 import { agentFixCommand } from '../commands/agent-fix.js';
 import { undoCommand } from '../commands/undo.js';
+import { shareCommand } from '../commands/share.js';
 import { shellCommand } from '../commands/shell.js';
 import { depsCommand } from '../commands/deps.js';
 import { scoreCommand } from '../commands/score.js';
@@ -217,6 +218,14 @@ program
   .option('--dry-run', 'Show what would be reverted without writing anything')
   .action(undoCommand);
 
+// -----------------------------------------------------------------------------
+// SHARE COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('share [path]')
+  .description('Publish your latest scan report as a public URL (valid 7 days)')
+  .action(shareCommand);
+
 // -----------------------------------------------------------------------------
 // SHELL COMMAND
 // -----------------------------------------------------------------------------

package/cli/commands/audit.js

@@ -499,6 +499,18 @@ export async function auditCommand(targetPath = '.', options = {}) {
       printComparison(scoringEngine, absolutePath, scoreResult);
     }
 
+    // ── Upgrade prompt ────────────────────────────────────────────────────
+    const criticalCount = filteredFindings.filter(f => f.severity === 'critical').length;
+    const highCount     = filteredFindings.filter(f => f.severity === 'high').length;
+    const fixable       = criticalCount + highCount;
+    if (fixable > 0 && scoreResult.score < 80) {
+      console.log();
+      console.log(chalk.yellow('  ┌─────────────────────────────────────────────────────────┐'));
+      console.log(chalk.yellow('  │') + chalk.white.bold(`  ${fixable} critical/high finding${fixable === 1 ? '' : 's'} — fix them automatically`) + chalk.yellow('        │'));
+      console.log(chalk.yellow('  │') + chalk.cyan('  npx ship-safe agent .') + chalk.gray('  ·  ') + chalk.cyan('shipsafecli.com/pricing') + chalk.yellow('     │'));
+      console.log(chalk.yellow('  └─────────────────────────────────────────────────────────┘'));
+    }
+
     console.log();
     console.log(chalk.cyan('═'.repeat(60)));
     console.log();

package/cli/commands/ci.js

@@ -241,10 +241,10 @@ function buildSARIF(findings, rootPath) {
         locations: [{
           physicalLocation: {
             artifactLocation: {
-              uri: path.relative(rootPath, f.file).replace(/\\/g, '/'),
+              uri: path.relative(rootPath, f.file).replace(/\\/g, '/').replace(/\[/g, '%5B').replace(/\]/g, '%5D'),
               uriBaseId: '%SRCROOT%',
             },
-            region: { startLine: f.line, startColumn: f.column || 1 },
+            region: { startLine: Math.max(1, f.line || 1), startColumn: f.column || 1 },
           },
         }],
       })),

package/cli/commands/share.js

@@ -0,0 +1,71 @@
+/**
+ * Share Command — Publish a scan report as a public URL
+ *
+ * Usage:
+ *   ship-safe share [path]
+ *
+ * Reads the latest scan from .ship-safe/history.json (or runs a fresh scan),
+ * uploads it to shipsafecli.com, and returns a shareable link valid for 7 days.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const SHARE_ENDPOINT = 'https://shipsafecli.com/api/share';
+
+export async function shareCommand(targetPath = '.', options = {}) {
+  const root = path.resolve(targetPath);
+
+  // ── Load last scan from history ──────────────────────────────────────────
+  const historyPath = path.join(root, '.ship-safe', 'history.json');
+  let report = null;
+
+  if (fs.existsSync(historyPath)) {
+    try {
+      const history = JSON.parse(fs.readFileSync(historyPath, 'utf8'));
+      const entries = Array.isArray(history) ? history : [history];
+      if (entries.length > 0) report = entries[entries.length - 1];
+    } catch {
+      // fall through
+    }
+  }
+
+  if (!report) {
+    console.log(chalk.yellow('  No scan found. Run a scan first:'));
+    console.log(chalk.gray('  npx ship-safe audit .'));
+    process.exit(1);
+  }
+
+  const spinner = ora({ text: 'Uploading report...', color: 'cyan' }).start();
+
+  try {
+    const res = await fetch(SHARE_ENDPOINT, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        score:    report.score ?? null,
+        grade:    report.grade ?? null,
+        repo:     report.rootPath ? path.basename(report.rootPath) : null,
+        findings: report.totalFindings ?? 0,
+        report,
+      }),
+    });
+
+    if (!res.ok) {
+      throw new Error(`Server returned ${res.status}`);
+    }
+
+    const { url } = await res.json();
+    spinner.succeed(chalk.green('Report shared!'));
+    console.log();
+    console.log(chalk.white('  Share URL: ') + chalk.cyan.bold(url));
+    console.log(chalk.gray('  Link expires in 7 days.'));
+    console.log();
+  } catch (err) {
+    spinner.fail(chalk.red('Failed to share report'));
+    console.log(chalk.gray(`  ${err.message}`));
+    process.exit(1);
+  }
+}

package/cli/commands/shell.js

@@ -29,6 +29,7 @@ import { autoDetectProvider } from '../providers/llm-provider.js';
 import { auditCommand } from './audit.js';
 import { agentFixCommand } from './agent-fix.js';
 import { undoCommand } from './undo.js';
+import { shareCommand } from './share.js';
 import * as output from '../utils/output.js';
 
 const SEV_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
@@ -320,6 +321,11 @@ async function handleSlashCommand(line, state, options) {
       return true;
     }
 
+    case 'share': {
+      await shareCommand(state.root);
+      return true;
+    }
+
     case 'provider': {
       const name = args[0];
       if (!name) {
@@ -428,6 +434,7 @@ function printHelp() {
   console.log('    /plan <n>             Preview a fix plan for finding <n> (no writes)');
   console.log('    /agent [--plan-only]  Run the interactive fix loop');
   console.log('    /undo [--all]         Revert the last fix (or all)');
+  console.log('    /share                Publish scan report as a public URL (7 days)');
   console.log('    /diff [path]          Show git working-tree diff');
   console.log('    /git <args>           Pass through to git (status, log, stash, ...)');
   console.log('    /provider <name>      Switch LLM provider');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "9.2.2",
+  "version": "9.2.4",
   "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
   "main": "cli/index.js",
   "bin": {