ship-safe 9.2.4 → 9.3.1

package/README.md

@@ -98,7 +98,7 @@ $ ship-safe
   ███████╗██╗  ██╗██╗██████╗     ███████╗ █████╗ ███████╗███████╗
   ...
 
-  v9.2.3  ·  DeepSeek  ·  ~/my-project
+  v9.3.1  ·  DeepSeek  ·  ~/my-project
 
   /scan to find issues  ·  /agent to fix them  ·  /help for more
 

package/cli/agents/agent-attestation-agent.js

@@ -61,7 +61,7 @@ const PATTERNS = [
     owasp: 'ASI-10',
     confidence: 'high',
     description: 'hermes-agent package version is not pinned — a malicious minor/patch release could modify agent behavior.',
-    fix: 'Pin to exact version: "\"@nousresearch/hermes-agent\": \"1.2.3\""',
+    fix: 'Pin to exact version: "@nousresearch/hermes-agent": "1.2.3"',
   },
 
   // ── Missing integrity fields ────────────────────────────────────────────────

package/cli/agents/agent-config-scanner.js

@@ -208,6 +208,7 @@ const PATTERNS = [
   {
     rule: 'AGENT_CFG_ZERO_WIDTH',
     title: 'Agent Config: Zero-Width Character Cluster',
+    // eslint-disable-next-line no-misleading-character-class
     regex: /[\u200B\u200C\u200D\uFEFF\u2060]{4,}/g,
     severity: 'high',
     cwe: 'CWE-116',

package/cli/agents/agentic-supply-chain-agent.js

@@ -434,7 +434,7 @@ export class AgenticSupplyChainAgent extends BaseAgent {
     if (!content) return;
 
     // Look for AI plugins in netlify.toml [[plugins]] sections
-    const pluginMatches = content.matchAll(/\[\[plugins\]\][^\[]*package\s*=\s*["']([^"']+)["']/gs);
+    const pluginMatches = content.matchAll(/\[\[plugins\]\][^[]*package\s*=\s*["']([^"']+)["']/gs);
     for (const m of pluginMatches) {
       const pkg = m[1];
       if (!NETLIFY_AI_PLUGINS.has(pkg) && !/ai|llm|openai|anthropic|langchain|vector/.test(pkg)) continue;

package/cli/agents/cicd-scanner.js

@@ -74,7 +74,7 @@ const PATTERNS = [
   {
     rule: 'CICD_HARDCODED_SECRET',
     title: 'CI/CD: Hardcoded Secret in Workflow',
-    regex: /(?:api[_-]?key|token|password|secret)\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']/gi,
+    regex: /(?:api[_-]?key|token|password|secret)\s*[:=]\s*["'][a-zA-Z0-9_-]{20,}["']/gi,
     severity: 'critical',
     cwe: 'CWE-798',
     owasp: 'CICD-SEC-6',
@@ -148,7 +148,7 @@ const PATTERNS = [
   {
     rule: 'CICD_ENV_EXFILTRATION',
     title: 'CI/CD: Potential Secret/Env Exfiltration',
-    regex: /(?:curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b[^\n]*\$\{\{\s*(?:secrets\.|env\.)[^\}]+\}\}/g,
+    regex: /(?:curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b[^\n]*\$\{\{\s*(?:secrets\.|env\.)[^}]+\}\}/g,
     severity: 'critical',
     cwe: 'CWE-200',
     owasp: 'CICD-SEC-6',

package/cli/agents/deep-analyzer.js

@@ -445,7 +445,7 @@ export class DeepAnalyzer {
         codeContext: this._getFileContext(f),
       }));
 
-      let projectContext = this._buildProjectContext(context);
+      const projectContext = this._buildProjectContext(context);
       const prompt = `Analyze these ${items.length} security findings for taint reachability and exploitability.${projectContext}\n\nFindings:\n${JSON.stringify(items, null, 2)}`;
 
       try {

package/cli/agents/hermes-security-agent.js

@@ -283,6 +283,45 @@ const PATTERNS = [
     confidence: 'high',
   },
 
+  // Hermes v0.13.0 "Tenacity Release" coverage (May 7, 2026):
+  // The three Tenacity patches require multi-line analysis and are
+  // implemented as structural checks below (checkAuthJsonTOCTOU,
+  // checkCronSkillInjection, checkBrowserCloudMetadataFloor).
+
+  // ────────────────────────────────────────────────────────────────────────────
+  // TRACK X — xurl skill / X API integration (xAI xurl guide, May 2026)
+  // The xurl skill lets a Hermes agent read and write to X. It is a separate
+  // CLI shelled out from the agent, backed by OAuth credentials in ~/.xurl.
+  // ────────────────────────────────────────────────────────────────────────────
+
+  {
+    rule: 'HERMES_XURL_SUBPROCESS_INJECTION',
+    title: 'Hermes: xurl Command Built From Interpolated Input',
+    // exec/spawn of an `xurl …` command string with a ${} interpolation —
+    // the agent's natural-language → xurl translation is being assembled as a
+    // shell string. Prompt injection then controls xurl flags or shell metachars.
+    regex: /(?:exec|execSync|spawn|spawnSync|spawnAsync|shell)\s*\(?\s*`[^`]*\bxurl\b[^`]*\$\{/g,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'ASI03',
+    description: 'An `xurl` command is assembled as a shell string with an interpolated value. xurl can post, reply, DM, and manage lists on the linked X account — a prompt injection that reaches this interpolation controls real write actions on a live social account.',
+    fix: 'Never build the xurl command as a string. Pass arguments as an argv array (execFile/spawn with an args array), validate every argument against an allowlist, and treat all LLM/user text as untrusted.',
+  },
+
+  {
+    rule: 'HERMES_XURL_TOKEN_STORE_EXPOSURE',
+    title: 'Hermes: xurl / Hermes Credential Store Copied or Tracked',
+    // ~/.xurl (OAuth tokens + client secrets, YAML) or ~/.hermes/auth.json
+    // referenced in a Dockerfile COPY/ADD, a cp/rsync/tar, or otherwise
+    // moved off the developer machine.
+    regex: /(?:COPY|ADD|cp|rsync|scp|tar|mv)\s+[^\n]*(?:\.xurl\b|\.hermes\/auth\.json|\.hermes\b)/g,
+    severity: 'critical',
+    cwe: 'CWE-538',
+    owasp: 'ASI10',
+    description: 'A Hermes / xurl credential store (~/.xurl holds OAuth tokens and X API client secrets; ~/.hermes/auth.json holds auto-refreshing provider tokens) is being copied into an image, archive, or another host. These tokens grant durable, refreshable access to the linked accounts.',
+    fix: 'Never bake credential stores into images or backups. Mount them at runtime from a secret manager, and add .xurl / .hermes/ / auth.json to .gitignore and .dockerignore.',
+  },
+
 ];
 
 // =============================================================================
@@ -434,6 +473,218 @@ function checkMemoryFileDeserialization(content, filePath, agent) {
   return findings;
 }
 
+// =============================================================================
+// HERMES v0.13.0 / v2026.5.7 — "TENACITY RELEASE" STRUCTURAL CHECKS
+// =============================================================================
+// Three patches in Hermes Agent v0.13.0 (May 7, 2026) closed P0
+// vulnerabilities that need cross-line analysis to detect:
+//   - PRs #21176 + #21194 — TOCTOU on auth.json / MCP OAuth credentials
+//   - PR  #21350         — Cron task assembles a prompt from skill content
+//                          without scanning for injection
+//   - PR  #21228         — Browser tool lacks the cloud-metadata SSRF floor
+
+const CRED_PATH_RE  = /(auth|credential|token|oauth|\.hermes\/(?:auth|creds))/i;
+const STAT_OR_READ  = /fs\.(?:existsSync|statSync|accessSync|readFileSync)\s*\([^)]*\)/g;
+const WRITE_SYNC    = /fs\.writeFileSync\s*\(\s*([^,)]*)/g;
+const METADATA_HOSTS = /(?:169\.254\.169\.254|169\.254\.170\.2|fd00:ec2|metadata\.google\.internal|100\.100\.100\.200|metadata\.azure)/i;
+
+/**
+ * Detect a stat-then-write or read-then-write race on a credential-bearing
+ * path. Hermes v0.13.0 PR #21194 closed this for auth.json by switching to
+ * atomic write-then-rename via write-file-atomic; PR #21176 closed the same
+ * for MCP OAuth credential storage. Detection: a stat/read of a path with
+ * "auth"/"credential"/"token"/"oauth"/".hermes/auth" in the argument is
+ * followed within 25 lines by a writeFileSync to a similar path, and the
+ * file does NOT import `write-file-atomic`.
+ */
+function checkAuthJsonTOCTOU(content, filePath, agent) {
+  const findings = [];
+
+  // If the file uses write-file-atomic (or equivalent atomic rename pattern),
+  // skip — the TOCTOU window is already closed.
+  if (/write-file-atomic|renameSync\s*\(\s*[^,]*\.tmp/i.test(content)) return findings;
+
+  const lines = content.split('\n');
+
+  // Find every stat/read on a credential path
+  const reads = [];
+  let m;
+  STAT_OR_READ.lastIndex = 0;
+  while ((m = STAT_OR_READ.exec(content)) !== null) {
+    if (!CRED_PATH_RE.test(m[0])) continue;
+    const line = content.slice(0, m.index).split('\n').length;
+    reads.push({ line, text: m[0] });
+  }
+
+  if (reads.length === 0) return findings;
+
+  // Find every writeFileSync on a credential path
+  WRITE_SYNC.lastIndex = 0;
+  while ((m = WRITE_SYNC.exec(content)) !== null) {
+    const pathArg = m[1] || '';
+    if (!CRED_PATH_RE.test(pathArg)) continue;
+
+    const writeLine = content.slice(0, m.index).split('\n').length;
+    const racingRead = reads.find(r => writeLine - r.line >= 0 && writeLine - r.line <= 25);
+    if (!racingRead) continue;
+
+    findings.push(createFinding({
+      file: filePath,
+      line: writeLine,
+      severity: 'high',
+      category: agent.category,
+      rule: 'HERMES_AUTH_JSON_TOCTOU',
+      title: 'Hermes: TOCTOU on auth.json / MCP OAuth Credentials',
+      description: `Pattern fixed by Hermes v0.13.0 PRs #21176 + #21194 — TOCTOU window between ${racingRead.text} (line ${racingRead.line}) and fs.writeFileSync(${pathArg.trim().slice(0, 60)}…, …) (line ${writeLine}). A concurrent process can race the write and leave the credential file inconsistent or attacker-controlled.`,
+      matched: lines[writeLine - 1]?.trim().slice(0, 240) || '',
+      confidence: 'medium',
+      cwe: 'CWE-367',
+      owasp: 'ASI04',
+      fix: 'Write credentials atomically via the write-file-atomic package (or a manual write-to-temp + fsync + renameSync). See PR #21194 in hermes-agent for the reference fix.',
+    }));
+  }
+
+  return findings;
+}
+
+/**
+ * Detect a scheduled task (cron / setInterval / scheduler) that loads
+ * a Hermes skill file and assembles its content into a prompt without
+ * a scan / sanitize / validate / scanForInjection call in the same
+ * function body. Hermes v0.13.0 PR #21350 closes this by scanning the
+ * assembled prompt before execution.
+ */
+function checkCronSkillInjection(content, filePath, agent) {
+  const findings = [];
+
+  const SCHEDULE_RE = /(cron(?:\.schedule)?|@cron|nodeCron|node[-_]?cron|node[-_]?schedule|scheduler\.(?:schedule|every|at)|setInterval|setTimeout)\s*\(/g;
+  const SKILL_LOAD_RE = /(?:readFile(?:Sync)?|fs\.read|loadSkill|skills\.get)\s*\([^)]*(?:skill|\.hermes\/skills|hermes-skills|playbook|\.md)/i;
+
+  let m;
+  SCHEDULE_RE.lastIndex = 0;
+  while ((m = SCHEDULE_RE.exec(content)) !== null) {
+    // Window: the body of the schedule callback. We approximate as the next
+    // ~30 lines after the schedule call.
+    const startIdx = m.index + m[0].length;
+    const window = content.slice(startIdx, startIdx + 2400);
+
+    if (!SKILL_LOAD_RE.test(window)) continue;
+    // Skip if the same window already runs a scan/sanitize/validate
+    if (/(?:scanForInjection|sanitize|validatePrompt|ship[-_]?safe\.?scan|injection[-_]?scan)/i.test(window)) continue;
+
+    const line = content.slice(0, m.index).split('\n').length;
+    findings.push(createFinding({
+      file: filePath,
+      line,
+      severity: 'high',
+      category: agent.category,
+      rule: 'HERMES_CRON_SKILL_INJECTION',
+      title: 'Hermes: Cron Task Loads Skill Content Without Injection Scan',
+      description: 'Pattern fixed by Hermes v0.13.0 PR #21350 — a scheduled task loads a Hermes skill file (.md) and assembles its content into a prompt. Skill markdown is attacker-influenceable (anyone with PR access can edit it); without an injection scan on the assembled prompt, the scheduled run can be hijacked by a poisoned skill body.',
+      matched: m[0].trim(),
+      confidence: 'medium',
+      cwe: 'CWE-94',
+      owasp: 'ASI01',
+      fix: 'Run the assembled prompt through ship-safe scan (or your own prompt-injection scanner) before invoking the agent. Pin the skill commit hash on every scheduled run.',
+    }));
+  }
+
+  return findings;
+}
+
+/**
+ * Detect a browser- or HTTP-fetch tool definition that performs an outbound
+ * request without enforcing the cloud-metadata SSRF floor. Hermes v0.13.0
+ * PR #21228 closes this in browser-tool hybrid routing by blocking
+ * 169.254.169.254 (AWS/Alibaba), 100.100.100.200 (Alibaba),
+ * metadata.google.internal (GCP), and 169.254.170.2 (ECS task metadata).
+ */
+function checkBrowserCloudMetadataFloor(content, filePath, agent) {
+  const findings = [];
+
+  // If the file already enforces a metadata floor, skip.
+  if (METADATA_HOSTS.test(content)) return findings;
+
+  const TOOL_NAME_RE = /(?:registerTool|server\.tool|addTool|tools\.push|tools\.set)\s*\(\s*['"]?(browser|navigate|web[-_]?browse|fetch[-_]?url|http[-_]?request|browse[-_]?url|webBrowse|fetchUrl|httpRequest)['"]?/gi;
+
+  let m;
+  TOOL_NAME_RE.lastIndex = 0;
+  while ((m = TOOL_NAME_RE.exec(content)) !== null) {
+    // Window: the tool handler body
+    const startIdx = m.index + m[0].length;
+    const window = content.slice(startIdx, startIdx + 1500);
+
+    // Must perform an outbound fetch inside the handler
+    if (!/(?:fetch\s*\(|axios\.|got\s*\(|http\.(?:get|request)|requests\.(?:get|post)|urllib\.|httpx\.)/i.test(window)) continue;
+
+    const line = content.slice(0, m.index).split('\n').length;
+    findings.push(createFinding({
+      file: filePath,
+      line,
+      severity: 'high',
+      category: agent.category,
+      rule: 'HERMES_BROWSER_CLOUD_METADATA_SSRF',
+      title: 'Hermes: Browser/HTTP Tool Without Cloud-Metadata SSRF Floor',
+      description: 'Pattern fixed by Hermes v0.13.0 PR #21228 — a browser or HTTP tool issues outbound requests without enforcing the cloud-metadata SSRF floor. An attacker who controls the URL via prompt injection can reach 169.254.169.254 (AWS/Alibaba), 100.100.100.200 (Alibaba), metadata.google.internal (GCP), or 169.254.170.2 (ECS task metadata) and exfiltrate IAM credentials.',
+      matched: m[0].trim().slice(0, 120),
+      confidence: 'medium',
+      cwe: 'CWE-918',
+      owasp: 'ASI04',
+      fix: 'Block these hosts at the tool boundary: 169.254.169.254, fd00:ec2::254, 100.100.100.200, metadata.google.internal, 169.254.170.2. See PR #21228 in hermes-agent for the reference cloud-metadata floor.',
+    }));
+  }
+
+  return findings;
+}
+
+/**
+ * Detect the xurl indirect-injection → action loop. The xurl skill lets a
+ * Hermes agent both READ X content (search / timeline / bookmarks — all
+ * attacker-controlled) and WRITE to X (post / reply / quote / like / DM).
+ * When a single skill, cron task, or source flow does both with no
+ * human-approval gate, a poisoned post the agent reads can hijack it into
+ * posting on the user's behalf — the canonical OWASP ASI-01/ASI-08 chain.
+ */
+function checkXurlReadWriteLoop(content, filePath, agent) {
+  const findings = [];
+
+  // Only relevant if the file actually touches the xurl skill.
+  if (!/\bxurl\b|\/xurl\b/i.test(content)) return findings;
+
+  // xurl READ-class operations — content sources the agent does not control
+  const READ_RE  = /\bxurl\s+(?:search|bookmarks|timeline|users?|get)\b|\b(?:search\s+for\s+posts|my\s+(?:latest\s+)?timeline|all\s+of\s+my\s+bookmarks|look\s+up\s+@)/i;
+  // xurl WRITE-class operations — real, visible actions on the live account
+  const WRITE_RE = /\bxurl\s+(?:post|reply|quote|like|unlike|bookmark|unbookmark|dm|delete)\b|\b(?:post\s+["'`]|reply\s+to\s+post|quote\s+post|like\s+post|send\s+a\s+dm)/i;
+  // Presence of a human-in-the-loop gate disqualifies the finding
+  const GATE_RE  = /\b(?:requireApproval|human[-_]?(?:approval|review|confirm)|confirm(?:ation)?\s*(?:gate|required|before)|awaitConfirm|ask\s+(?:the\s+user\s+)?before|dry[-_]?run)\b/i;
+
+  const hasRead  = READ_RE.test(content);
+  const hasWrite = WRITE_RE.test(content);
+  if (!hasRead || !hasWrite) return findings;
+  if (GATE_RE.test(content)) return findings;
+
+  // Anchor the finding on the first write operation
+  const wm = content.match(WRITE_RE);
+  const line = wm ? content.slice(0, content.indexOf(wm[0])).split('\n').length : 1;
+
+  findings.push(createFinding({
+    file: filePath,
+    line,
+    severity: 'critical',
+    category: agent.category,
+    rule: 'HERMES_XURL_READ_WRITE_LOOP',
+    title: 'Hermes: xurl Read-then-Write Loop Without a Human Gate',
+    description: 'This file drives the xurl skill to both read X content (search / timeline / bookmarks — all attacker-controlled) and write to X (post / reply / quote / like / DM) with no human-approval gate. A poisoned post the agent reads while summarizing a timeline or bookmark set can hijack it via indirect prompt injection into posting, replying, or DMing on the linked account.',
+    matched: wm ? wm[0].trim().slice(0, 120) : 'xurl read + write in one flow',
+    confidence: 'medium',
+    cwe: 'CWE-94',
+    owasp: 'ASI01',
+    fix: 'Split read and write into separate, gated steps. Require explicit human approval before any xurl write (post/reply/quote/like/DM). Treat every piece of fetched X content as untrusted input and scan it for injection before it reaches the model.',
+  }));
+
+  return findings;
+}
+
 // =============================================================================
 // AGENT CLASS
 // =============================================================================
@@ -487,6 +738,12 @@ export class HermesSecurityAgent extends BaseAgent {
       findings.push(...checkToolContextForwarding(content, filePath, this));
       findings.push(...checkSkillFrontmatter(content, filePath, this));
       findings.push(...checkMemoryFileDeserialization(content, filePath, this));
+      // Hermes v0.13.0 "Tenacity Release" coverage
+      findings.push(...checkAuthJsonTOCTOU(content, filePath, this));
+      findings.push(...checkCronSkillInjection(content, filePath, this));
+      findings.push(...checkBrowserCloudMetadataFloor(content, filePath, this));
+      // xurl skill / X API integration coverage
+      findings.push(...checkXurlReadWriteLoop(content, filePath, this));
     }
 
     return findings;
@@ -523,7 +780,7 @@ export class HermesSecurityAgent extends BaseAgent {
       if (/\.(js|ts|mjs|cjs|py)$/.test(rel)) {
         const content = this.readFile(file);
         if (!content) continue;
-        if (/(?:hermes[-_]agent|@nousresearch\/hermes|hermes\.config|toolRegistry|registerTool|callTool|spawnAgent|createSubAgent|memory\.store|episodicMemory|semanticMemory|loadManifest)/i.test(content)) {
+        if (/(?:hermes[-_]agent|@nousresearch\/hermes|hermes\.config|toolRegistry|registerTool|callTool|spawnAgent|createSubAgent|memory\.store|episodicMemory|semanticMemory|loadManifest|\bxurl\b)/i.test(content)) {
           hermesFiles.add(file);
         }
       }

package/cli/agents/index.js

@@ -41,7 +41,7 @@ export { PolicyEngine } from './policy-engine.js';
 export { HTMLReporter } from './html-reporter.js';
 
 /**
- * Create a fully configured orchestrator with all 22 scanning agents.
+ * Create a fully configured orchestrator with all 23 scanning agents.
  * (VerifierAgent and DeepAnalyzer run as post-processors, not in the agent pool.)
  *
  * Plugin system: if rootPath is provided, custom agents from

package/cli/agents/legal-risk-agent.js

@@ -274,7 +274,7 @@ export class LegalRiskAgent extends BaseAgent {
 
     const lines = (this.readFile(goModPath) || '').split('\n');
     for (const line of lines) {
-      const m = line.trim().match(/^([\w./\-]+)\s+(v[\d.]+)/);
+      const m = line.trim().match(/^([\w./-]+)\s+(v[\d.]+)/);
       if (!m) continue;
       const [, name, version] = m;
 

package/cli/agents/mcp-security-agent.js

@@ -45,7 +45,8 @@ const PATTERNS = [
     severity: 'critical',
     cwe: 'CWE-94',
     owasp: 'A03:2021',
-    description: 'Tool registration from external/user input allows attackers to inject malicious tool definitions (tool poisoning attack).',
+    cves: ['CVE-2026-26118'],
+    description: 'Pattern exploited by CVE-2026-26118 (Microsoft MCP tool hijacking). Tool registration from external/user input allows attackers to inject malicious tool definitions (tool poisoning attack).',
     fix: 'Only register tools from trusted, hardcoded definitions. Never accept tool definitions from user input.',
   },
 
@@ -57,8 +58,9 @@ const PATTERNS = [
     severity: 'critical',
     cwe: 'CWE-306',
     owasp: 'A07:2021',
+    cves: ['CVE-2026-33032'],
     confidence: 'medium',
-    description: 'MCP server created without any authentication configuration. Any client can connect and invoke tools.',
+    description: 'Pattern exploited by CVE-2026-33032 (nginx-ui MCP unauthenticated RCE, CVSS 9.8 — 2,600+ exposed instances). MCP server created without any authentication configuration. Any client can connect and invoke tools.',
     fix: 'Add authentication to MCP server transport: API key validation, JWT verification, or OAuth',
   },
   {
@@ -81,7 +83,8 @@ const PATTERNS = [
     severity: 'critical',
     cwe: 'CWE-78',
     owasp: 'A03:2021',
-    description: 'MCP tool handler executes shell commands. If tool arguments are user-influenced via prompt injection, this enables RCE.',
+    cves: ['CVE-2026-30615'],
+    description: 'Pattern exploited by CVE-2026-30615 (Windsurf prompt-injection → local RCE, zero user interaction). MCP tool handler executes shell commands. If tool arguments are user-influenced via prompt injection, this enables RCE.',
     fix: 'Avoid shell execution in MCP tools. If necessary, use strict allowlists for commands and validate all arguments.',
   },
   {
@@ -111,9 +114,10 @@ const PATTERNS = [
     severity: 'medium',
     cwe: 'CWE-918',
     owasp: 'A10:2021',
+    cves: ['CVE-2026-44284'],
     confidence: 'medium',
-    description: 'MCP tool makes external HTTP requests. Prompt injection could trigger SSRF via tool arguments.',
-    fix: 'Validate URLs against allowlist. Block internal/private IP ranges.',
+    description: 'Pattern exploited by CVE-2026-44284 (FastGPT MCP SSRF in tool URL handling). MCP tool makes external HTTP requests. Prompt injection could trigger SSRF via tool arguments.',
+    fix: 'Validate URLs against allowlist. Block internal/private IP ranges (169.254.169.254, 100.100.100.200, metadata.google.internal).',
   },
 
   // ── Input Injection ──────────────────────────────────────────────────────

package/cli/agents/memory-poisoning-agent.js

@@ -154,6 +154,7 @@ const INJECTION_PATTERNS = [
 const HIDDEN_CONTENT_PATTERNS = [
   {
     // Unicode zero-width chars used to hide instructions
+    // eslint-disable-next-line no-misleading-character-class
     regex: /[\u200B\u200C\u200D\u2060\uFEFF]{3,}/g,
     rule: 'MEMORY_HIDDEN_UNICODE',
     title: 'Hidden Unicode Content in Agent File',

package/cli/agents/mobile-scanner.js

@@ -16,7 +16,7 @@ const PATTERNS = [
   {
     rule: 'MOBILE_HARDCODED_KEY',
     title: 'Mobile: Hardcoded API Key in Bundle',
-    regex: /(?:apiKey|api_key|API_KEY|secret|SECRET)\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']/g,
+    regex: /(?:apiKey|api_key|API_KEY|secret|SECRET)\s*[:=]\s*["'][a-zA-Z0-9_-]{20,}["']/g,
     severity: 'critical',
     cwe: 'CWE-798',
     owasp: 'M1',

package/cli/agents/pii-compliance-agent.js

@@ -39,7 +39,7 @@ const PATTERNS = [
   {
     rule: 'PII_IN_LOGGER',
     title: 'Privacy: PII in Structured Logger',
-    regex: /(?:logger|winston|pino|bunyan|morgan)\.(?:info|warn|error|debug|log)\s*\([\s\S]{0,200}(?:[\.\[\(]email\b|password|ssn|creditCard|credit_card|phoneNumber|phone_number|dateOfBirth|date_of_birth)/g,
+    regex: /(?:logger|winston|pino|bunyan|morgan)\.(?:info|warn|error|debug|log)\s*\([\s\S]{0,200}(?:[.[(]email\b|password|ssn|creditCard|credit_card|phoneNumber|phone_number|dateOfBirth|date_of_birth)/g,
     severity: 'high',
     cwe: 'CWE-532',
     owasp: 'A09:2021',

package/cli/agents/swarm-orchestrator.js

@@ -112,7 +112,7 @@ export class SwarmOrchestrator {
     const jsonInstruction = '\n\nOutput a JSON object with exactly these keys: {"findings":[{"agentId":"<agent-id>","file":"<relative-path>","line":<number>,"severity":"critical|high|medium|low","rule":"<rule-id>","title":"<title>","description":"<description>","remediation":"<fix>"}],"agentSummary":[{"agentId":"<agent-id>","findingCount":<number>,"status":"clean|findings"}]}';
 
     const text = await this.provider.complete(systemPrompt, prompt + jsonInstruction, { maxTokens: 8192, jsonMode: true });
-    let raw = null;
+    let raw;
     try {
       raw = JSON.parse(text || '{}');
     } catch {

package/cli/bin/ship-safe.js

@@ -19,7 +19,7 @@ import { program } from 'commander';
 import chalk from 'chalk';
 import { readFileSync } from 'fs';
 import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
+import { dirname, join, resolve } from 'path';
 import { scanCommand } from '../commands/scan.js';
 import { checklistCommand } from '../commands/checklist.js';
 import { initCommand } from '../commands/init.js';
@@ -638,7 +638,7 @@ How it works:
   on every audit or watch --deep run.
 `)
   .action((action, options) => {
-    const rootPath = path.resolve(process.cwd());
+    const rootPath = resolve(process.cwd());
     if (action === 'new') {
       const pluginName = options.args?.[0] || options._name || 'my-rule';
       try {

package/cli/commands/agent-fix.js

@@ -240,6 +240,7 @@ export async function agentFixCommand(targetPath = '.', options = {}) {
 
     if (decision === 'q' || decision === 'quit') {
       console.log(chalk.gray('      Stopping.'));
+      // eslint-disable-next-line no-useless-assignment -- read by outer-loop guard at top of next iteration
       stopped = true;
       break;
     }
@@ -447,7 +448,7 @@ RULES:
   return { ok: true, plan };
 }
 
-function parseJsonLoose(response) {
+export function parseJsonLoose(response) {
   if (!response) return null;
   const cleaned = response.trim()
     .replace(/^```(?:json)?\s*/i, '')
@@ -464,7 +465,7 @@ function parseJsonLoose(response) {
   }
 }
 
-function windowFileContent(content, line) {
+export function windowFileContent(content, line) {
   if (content.length <= 8000) return content;
   if (!line) return content.slice(0, 8000);
   const lines = content.split('\n');
@@ -477,7 +478,7 @@ function windowFileContent(content, line) {
 // PLAN VALIDATION
 // =============================================================================
 
-function validatePlan(root, plan) {
+export function validatePlan(root, plan) {
   if (!Array.isArray(plan.files) || plan.files.length === 0) {
     return { ok: false, reason: 'no files in plan' };
   }
@@ -540,7 +541,7 @@ function validatePlan(root, plan) {
 
 // Try exact match first, then whitespace-normalized match if exact misses.
 // Returns { kind: 'unique'|'ambiguous'|'missing', matched, count }
-function locateFindString(haystack, needle) {
+export function locateFindString(haystack, needle) {
   const exact = countOccurrences(haystack, needle);
   if (exact === 1) return { kind: 'unique', matched: needle, count: 1 };
   if (exact > 1)   return { kind: 'ambiguous', matched: needle, count: exact };
@@ -572,7 +573,7 @@ function locateFindString(haystack, needle) {
   return { kind: 'missing', matched: null, count: 0 };
 }
 
-function countOccurrences(haystack, needle) {
+export function countOccurrences(haystack, needle) {
   if (!needle) return 0;
   let count = 0, idx = 0;
   while ((idx = haystack.indexOf(needle, idx)) !== -1) { count++; idx += needle.length; }
@@ -800,7 +801,7 @@ async function openPullRequest(root, branch, applied) {
   const title = `Security fixes: ${applied.length} file(s)`;
 
   console.log(chalk.gray('  Opening PR...'));
-  let prUrl = null;
+  let prUrl;
   try {
     prUrl = execFileSync('gh', ['pr', 'create', '--title', title, '--body', body], { cwd: root, stdio: ['ignore', 'pipe', 'pipe'] }).toString().trim();
     console.log(chalk.green(`  PR opened: ${prUrl}`));

package/cli/commands/agent.js

@@ -213,7 +213,7 @@ export async function agentCommand(targetPath = '.', options = {}) {
     console.log(chalk.white(`  ${step++}.`) + chalk.gray(' Fill in .env with fresh values from your providers'));
   }
   if (vulnCount > 0) {
-    console.log(chalk.white(`  ${step++}.`) + chalk.gray(' Apply the code fixes shown above, then re-run: ') + chalk.cyan('npx ship-safe agent .'));
+    console.log(chalk.white(`  ${step}.`) + chalk.gray(' Apply the code fixes shown above, then re-run: ') + chalk.cyan('npx ship-safe agent .'));
   }
   console.log();
 }

package/cli/commands/audit.js

@@ -96,7 +96,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
   // ── Cache Layer ──────────────────────────────────────────────────────────
   const useCache = options.cache !== false;
   const cache = new CacheManager(absolutePath);
-  let cacheData = useCache ? cache.load() : null;
+  const cacheData = useCache ? cache.load() : null;
   let cacheDiff = null;
   let allFiles = [];
 
@@ -923,7 +923,7 @@ function outputSARIF(findings, rootPath) {
 
 // Walk up from `start` looking for `name`. Returns the absolute path or null.
 // Bounded to 8 ancestors to avoid runaway loops on weird filesystems.
-function findUpwards(start, name) {
+export function findUpwards(start, name) {
   let dir = path.resolve(start);
   for (let i = 0; i < 8; i++) {
     const candidate = path.join(dir, name);

package/cli/commands/init.js

@@ -276,10 +276,9 @@ async function handleAgentFiles(targetDir, force, results) {
         results.skipped.push(`${label} (already contains ship-safe rules)`);
         continue;
       }
-      if (force || true) { // always append unless already present
-        fs.writeFileSync(targetPath, existing.trimEnd() + '\n' + AGENT_SECTION);
-        results.merged.push(label);
-      }
+      // Always append (ship-safe marker check above already short-circuits the no-op case)
+      fs.writeFileSync(targetPath, existing.trimEnd() + '\n' + AGENT_SECTION);
+      results.merged.push(label);
     } else {
       // Ensure parent directory exists (e.g. .github/)
       const parentDir = path.dirname(targetPath);

package/cli/commands/live-advisories.js

@@ -166,7 +166,10 @@ export async function queryOSV(deps) {
     } catch (err) {
       // Network error — return what we have so far
       if (allResults.length === 0) {
-        throw new Error(`Failed to reach OSV.dev: ${err.message}. Run with --offline to skip live checks.`);
+        throw new Error(
+          `Failed to reach OSV.dev: ${err.message}. Run with --offline to skip live checks.`,
+          { cause: err },
+        );
       }
     }
   }

package/cli/commands/openclaw.js

@@ -54,7 +54,7 @@ export async function openclawCommand(targetPath = '.', options = {}) {
     mcpScanner.analyze(context),
   ]);
 
-  let findings = [...configFindings, ...mcpFindings];
+  const findings = [...configFindings, ...mcpFindings];
 
   // Threat intel enrichment
   const intel = ThreatIntel.load();

package/cli/commands/red-team.js

@@ -40,8 +40,8 @@ export async function redTeamCommand(targetPath = '.', options = {}) {
   console.log();
 
   let findings = [];
-  let recon = {};
-  let agentResults = [];
+  let recon;
+  let agentResults;
 
   // ── 1a. Swarm mode (parallel execution via best available provider) ────────
   if (options.swarm) {

package/cli/commands/remediate.js

@@ -125,7 +125,7 @@ function computeReplacement(matched, envRef) {
   }
 
   // Case 2: unquoted assignment — key = value  (no quotes around value)
-  const unquotedAssignment = matched.match(/^(.*?[:=]\s*)([^\s"'<>\[\]{},;]{8,})(\s*)$/s);
+  const unquotedAssignment = matched.match(/^(.*?[:=]\s*)([^\s"'<>[\]{},;]{8,})(\s*)$/s);
   if (unquotedAssignment) {
     const [, prefix, secretValue, suffix] = unquotedAssignment;
     return { replacement: prefix + envRef + suffix, secretValue };

package/cli/commands/scan-mcp.js

@@ -105,7 +105,7 @@ const MCP_TOOL_PATTERNS = [
   // ── Encoded payload in description ────────────────────────────────────────
   {
     name: 'Encoded payload block',
-    regex: /[A-Za-z0-9+\/]{60,}={0,2}/g,
+    regex: /[A-Za-z0-9+/]{60,}={0,2}/g,
     severity: 'medium',
     target: 'any',
   },

package/cli/commands/scan-skill.js

@@ -99,7 +99,7 @@ const SKILL_PATTERNS = [
   { name: 'Dynamic code evaluation', regex: /(?:eval\s*\(|new\s+Function\s*\(|exec\s*\(|compile\s*\()/gi, severity: 'high' },
   { name: 'Crypto operations', regex: /(?:crypto\.createCipher|crypto\.createDecipher|CryptoJS|forge\.cipher)/gi, severity: 'medium' },
   { name: 'Network listener', regex: /(?:createServer|listen\s*\(\s*\d|bind\s*\(\s*['"]0\.0\.0\.0)/gi, severity: 'high' },
-  { name: 'Encoded payload block', regex: /[A-Za-z0-9+\/]{60,}={0,2}/g, severity: 'medium' },
+  { name: 'Encoded payload block', regex: /[A-Za-z0-9+/]{60,}={0,2}/g, severity: 'medium' },
 
   // ── ToxicSkills patterns (Snyk research — 36% of agent skills affected) ──
   // Silent curl exfiltration: skill instructs agent to silently send data

package/cli/commands/team-report.js

@@ -25,10 +25,11 @@ import { printBanner } from '../utils/output.js';
 
 function stripAnsi(str) {
   // Remove all ANSI escape sequences (colors, cursor moves, clears, etc.)
+  // eslint-disable-next-line no-control-regex
   return str
-    .replace(/\x1b\[[0-9;?]*[A-Za-z]/g, '')
-    .replace(/\x1b\][^\x07]*\x07/g, '')
-    .replace(/\x1b[()][AB012]/g, '')
+    .replace(/\x1b\[[0-9;?]*[A-Za-z]/g, '')   // eslint-disable-line no-control-regex
+    .replace(/\x1b\][^\x07]*\x07/g, '')       // eslint-disable-line no-control-regex
+    .replace(/\x1b[()][AB012]/g, '')          // eslint-disable-line no-control-regex
     .replace(/\x9b[0-9;]*[A-Za-z]/g, '');
 }
 

package/cli/commands/undo.js

@@ -95,7 +95,7 @@ export async function undoCommand(targetPath = '.', options = {}) {
   }
 }
 
-function reverseEntry(root, entry) {
+export function reverseEntry(root, entry) {
   const plan = entry.plan;
   if (!plan || !Array.isArray(plan.files) || plan.files.length === 0) {
     throw new Error('entry has no plan to reverse');

package/cli/commands/watch.js

@@ -332,7 +332,7 @@ async function watchStateful(absolutePath, options = {}) {
   await watcher.setBaseline(recon, files);
   console.log(chalk.green(`  Baseline set (${watcher.provider.name} / ${watcher.provider.model}). Watching...\n`));
 
-  let pendingFiles = new Set();
+  const pendingFiles = new Set();
   let debounceTimer = null;
   let allFindings = [];
 
@@ -454,7 +454,7 @@ async function watchDeep(absolutePath, options = {}) {
   } catch { recon = {}; }
   console.log(chalk.gray('  Recon complete. Watching...\n'));
 
-  let pendingFiles = new Set();
+  const pendingFiles = new Set();
   let debounceTimer = null;
   let scanCount = 0;
 

package/cli/hooks/patterns.js

@@ -162,7 +162,7 @@ export const HIGH_PATTERNS = [
   {
     name:     'Generic high-entropy secret assignment',
     severity: 'high',
-    re:       /(?:token|secret|api_key|apikey)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{32,})["']/i,
+    re:       /(?:token|secret|api_key|apikey)\s*[:=]\s*["']([A-Za-z0-9+/=_-]{32,})["']/i,
     checkEntropy: true,  // only report if entropy > threshold
   },
 ];

package/cli/utils/patterns.js

@@ -479,6 +479,18 @@ export const SECRET_PATTERNS = [
     severity: 'high',
     description: 'xAI API keys grant access to Grok models and incur usage charges on your account.'
   },
+  {
+    name: 'X API OAuth Client Secret',
+    pattern: /(?:client[_-]?secret|consumer[_-]?secret)["'\s]*[:=]["'\s]*([A-Za-z0-9_-]{40,60})["']?/gi,
+    severity: 'critical',
+    description: 'An X (Twitter) API OAuth 2.0 client secret. With the matching client ID it lets an attacker complete the OAuth flow as your app — used by the xurl skill to post, reply, and DM on the linked account.'
+  },
+  {
+    name: 'X API v2 Bearer Token',
+    pattern: /AAAAAAAAAAAAAAAAAAAAA[A-Za-z0-9%]{60,}/g,
+    severity: 'critical',
+    description: 'An X (Twitter) API v2 bearer token. Grants app-level read access to the X API; if scoped to a user context it also enables writes.'
+  },
   {
     name: 'Tavily API Key',
     pattern: /tvly-[a-zA-Z0-9]{32,}/g,
@@ -691,14 +703,14 @@ export const SECRET_PATTERNS = [
   // =========================================================================
   {
     name: 'Generic API Key Assignment',
-    pattern: /["']?(?:api[_-]?key|apikey)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{20,})["']/gi,
+    pattern: /["']?(?:api[_-]?key|apikey)["']?\s*[:=]\s*["']([a-zA-Z0-9_-]{20,})["']/gi,
     severity: 'medium',
     requiresEntropyCheck: true,
     description: 'Hardcoded API keys should be moved to environment variables.'
   },
   {
     name: 'Generic Secret Assignment',
-    pattern: /["']?(?:secret|secret[_-]?key)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{20,})["']/gi,
+    pattern: /["']?(?:secret|secret[_-]?key)["']?\s*[:=]\s*["']([a-zA-Z0-9_-]{20,})["']/gi,
     severity: 'medium',
     requiresEntropyCheck: true,
     description: 'Hardcoded secrets should be moved to environment variables.'
@@ -719,7 +731,7 @@ export const SECRET_PATTERNS = [
   },
   {
     name: 'Bearer Token in Code',
-    pattern: /["']Bearer\s+[a-zA-Z0-9_\-\.=]{20,}["']/gi,
+    pattern: /["']Bearer\s+[a-zA-Z0-9_\-.=]{20,}["']/gi,
     severity: 'medium',
     requiresEntropyCheck: true,
     description: 'Hardcoded bearer tokens should not be in source code.'

package/cli/utils/secrets-verifier.js

@@ -238,7 +238,7 @@ export class SecretsVerifier {
     if (assigned) return assigned[1];
 
     // If the match itself looks like a token, use it
-    if (/^[a-zA-Z0-9_\-]{20,}$/.test(matched)) return matched;
+    if (/^[a-zA-Z0-9_-]{20,}$/.test(matched)) return matched;
 
     return null;
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "9.2.4",
+  "version": "9.3.1",
   "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
   "main": "cli/index.js",
   "bin": {
@@ -10,6 +10,7 @@
   "scripts": {
     "test": "node --test cli/__tests__/*.test.js",
     "lint": "eslint cli/",
+    "lint:fix": "eslint cli/ --fix",
     "ship-safe": "node cli/bin/ship-safe.js"
   },
   "keywords": [
@@ -65,5 +66,10 @@
     "fast-glob": "^3.3.3",
     "ora": "^8.0.1",
     "write-file-atomic": "^7.0.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "eslint": "^10.3.0",
+    "globals": "^17.6.0"
   }
 }