ship-safe 9.3.1 → 9.3.2

package/README.md CHANGED
@@ -98,7 +98,7 @@ $ ship-safe
98
98
  ███████╗██╗ ██╗██╗██████╗ ███████╗ █████╗ ███████╗███████╗
99
99
  ...
100
100
 
101
- v9.3.1 · DeepSeek · ~/my-project
101
+ v9.3.2 · DeepSeek · ~/my-project
102
102
 
103
103
  /scan to find issues · /agent to fix them · /help for more
104
104
 
@@ -699,16 +699,19 @@ export class HermesSecurityAgent extends BaseAgent {
699
699
  }
700
700
 
701
701
  /**
702
- * Only run if the project appears to use Hermes Agent.
702
+ * Always run. The real gate is `_findHermesFiles` inside `analyze`, which
703
+ * does precise content-based detection (hermes imports, hermes.config,
704
+ * agent-manifest, .hermes/, hermes-skills/, xurl). On a non-Hermes project
705
+ * it returns an empty file list and `analyze` emits nothing.
706
+ *
707
+ * NOTE: this method previously gated on `recon.dependencies` — a field the
708
+ * ReconAgent never produces — so HermesSecurityAgent silently never ran in
709
+ * a real `audit` / `red-team` (only direct `analyze()` calls in unit tests
710
+ * exercised it). Returning true unconditionally restores the agent; the
711
+ * file-read cost is already paid by the secret scanner and other agents.
703
712
  */
704
- shouldRun(recon) {
705
- // Run if hermes is detected in dependencies or frameworks
706
- if (recon?.dependencies?.some(d => /hermes/i.test(d))) return true;
707
- if (recon?.frameworks?.some(f => /hermes/i.test(f))) return true;
708
- // Run if hermes config files were discovered during recon
709
- if (recon?.configFiles?.some(f => /hermes/i.test(f))) return true;
710
- // Don't scan every project — Hermes files are distinctive enough to skip otherwise
711
- return false;
713
+ shouldRun() {
714
+ return true;
712
715
  }
713
716
 
714
717
  async analyze(context) {
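Review bot: Nothing visible in this diff guards against the failure described in the NOTE recurring: `shouldRun()` now returns `true`, but the agent was skipped only on the orchestrated `audit` / `red-team` path, while the existing unit tests called `analyze()` directly. A regression test that drives that orchestrated path against a small Hermes fixture and asserts that HermesSecurityAgent was actually invoked would pin the fix; for a scanner, an agent that silently never runs is a false negative that looks like a clean result. The removed gate also read `recon?.frameworks` and `recon?.configFiles`, which the NOTE does not mention, so it is worth checking whether other agents' `shouldRun` methods depend on recon fields that are never populated. The body of `analyze` begins on the last line of the hunk and is not shown, so the claim that it emits nothing on a non-Hermes project cannot be confirmed from here.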
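--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "ship-safe",
- "version": "9.3.1",
+ "version": "9.3.2",
  "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
  "main": "cli/index.js",
  "bin": {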