Commit 11a0a60

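docs+fix: README Chinese-first + fix .env.example false positive (v0.6.7)

- README first screen switched to Chinese (title/positioning/30-second check-up); English demoted to ## English
- .env.example/.sample/.template/.dist template files no longer raise the permission false positive (found while testing on a real project)
- test-compliance 74→75; the full suite of 263 is all green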
1 parent 7715be9 commit 11a0a60

5 files changed

Lines changed: 37 additions & 11 deletions

CHANGELOG.md

Lines changed: 7 additions & 0 deletions
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/),
66
and this project adheres to [Semantic Versioning](https://semver.org/).
77

8+
## [0.6.7] - 2026-06-20
9+
10+
### Changed
11+
- **README 中文优先**:第一屏改为中文标题/定位/「30 秒合规体检」,英文降为 `## English` 章节(项目面向中国市场,理应中文打头)
12+
- **修复 `.env.example` 误报**`.env.example` / `.sample` / `.template` / `.dist` 等模板文件不再报"权限过宽"(它们本就该提交、不含真实密钥)——真实第三方项目实测发现
13+
- `test-compliance.ts` 扩至 75 项(含 .env 模板回归);全套 **263 测试**全绿
14+
815
## [0.6.6] - 2026-06-20
916

1017
### Changed — 诚信:静态扫描不再虚报"已合规"
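
Review bot: The `.env.example` false-positive fix is filed under `### Changed` in the new 0.6.7 entry, although the file header says the changelog follows Keep a Changelog, which has a `### Fixed` section for bug fixes; moving that bullet there makes it easier to find for users who hit the false positive. The bullet also closes its suffix list with "等" (etc.), so it does not state exactly which file names are now exempt from the "权限过宽" (over-permissive) check. An exemption in a security scanner is something users need to be able to audit, so list the exact suffixes or point to where the rule is defined. The same bullet is also missing the ":" after its bold title that the README bullet above it uses.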

README.md

Lines changed: 21 additions & 10 deletions
@@ -4,41 +4,52 @@
44

55
# ShellWard
66

7-
**AI Agent Security & Compliance Gateway**the AI agent security middleware built for **China's regulatory regime** (网安法 / PIPL / 等保2.0 / 数据出境 / AI标识). Scan your project for compliance risks, then block prompt injection, data exfiltration, and dangerous commands at runtime. Chinese-language threat detection + Chinese PII + zero dependencies — things English tools don't do.
7+
**AI 应用合规网关**为中国监管而生的 AI Agent 安全合规工具(网安法 2026 / PIPL / 等保2.0 / 数据出境 / AI标识)。先一行命令体检项目合规风险,再在运行时拦截提示注入、数据外泄与危险命令。中文威胁检测 + 中文 PII + 零依赖——英文工具不做的事。
88

99
[![npm](https://img.shields.io/npm/v/shellward?color=cb0000&label=npm)](https://www.npmjs.com/package/shellward)
1010
[![license](https://img.shields.io/badge/license-Apache--2.0-blue)](./LICENSE)
11-
[![tests](https://img.shields.io/badge/tests-262%20passing-brightgreen)](#performance)
11+
[![tests](https://img.shields.io/badge/tests-263%20passing-brightgreen)](#performance)
1212
[![deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#performance)
1313

14-
**🌐 Website: https://jnmetacode.github.io/shellward/**
14+
**🌐 官网: https://jnmetacode.github.io/shellward/**
1515

16-
[English](#demo) | [中文](#中文)
16+
[中文](#30-秒合规体检) | [English](#english)
1717

18-
## 30-Second Compliance Scan
18+
## 30 秒合规体检
1919

20-
Zero install, read-only, nothing uploaded. Scan your AI project for compliance risks right now:
20+
零安装、只读、不上传任何数据。一行命令,扫出你的 AI 项目踩了哪些合规红线:
2121

2222
```bash
2323
npx shellward scan
2424
```
2525

26-
Outputs a red/yellow/green scorecard mapped to 网安法 / PIPL / 等保2.0 / 数据出境 / AI标识, plus the concrete `file:line` findings in your project:
26+
输出一张映射到 **网安法 / PIPL / 等保2.0 / 数据出境 / AI标识** 的红黄绿评分卡,并精确到 `文件:行`
2727

2828
```
2929
## 🔍 项目实测风险
3030
🌐 数据出境风险: 2 | 🔑 硬编码密钥: 3 | 🪪 个人信息暴露: 2 | 📂 .env 权限: 1
3131
3232
- .env:2 境外大模型端点: OpenAI — 向其发送个人信息即构成数据出境
33+
- package.json:12 境外大模型 SDK 依赖: openai — 项目内含数据出境通道
3334
- src/config.ts:3 硬编码 GitHub Token: ghp_12*** — 凭据不应写入源码
3435
- customers.csv:2 手机号 13912*** — 个人信息出现在文件中,需评估脱敏
3536
36-
合规得分: 75/100 [B] 🟢 8 | 🟡 3 | 🔴 1 | ⚪ 2
37+
合规得分: 63/100 [C]
3738
```
3839

39-
`npx shellward scan --json` for CI · `--ci` to fail the build on critical findings · `--html report.html` for a self-contained report you can print to PDF for 备案/audit · see [GitHub Action](#github-action-pr-compliance-gate).
40+
`--json` 供 CI · `--ci` 发现 critical 时让构建失败 · `--html report.html` 导出可打印成 PDF 的报告(备案/审计存档)· 也可作 [GitHub Action](#github-action-pr-compliance-gate) 接入 PR 门禁。
41+
42+
> 检测重点:**境外大模型端点与 SDK 依赖(数据出境——中国独有、英文工具没有的概念)**、硬编码密钥、文件中的中文 PII、`.env` 暴露。扫到境外模型(如 `openai` 依赖)时,**直接给出境内合规替代**(通义千问 / DeepSeek / Kimi / 智谱)及其 OpenAI 兼容 `base_url`——多数迁移只需改一个 `base_url`
43+
44+
更多命令、运行时防护(MCP / 插件)、与英文文档见下方 [English](#english) 章节。
45+
46+
---
47+
48+
## English
49+
50+
**AI Agent Security & Compliance Gateway** — the AI agent security middleware built for **China's regulatory regime** (CSL / PIPL / MLPS 2.0 / cross-border data / AI labeling). Scan your project for compliance risks, then block prompt injection, data exfiltration, and dangerous commands at runtime. Chinese-language threat detection + Chinese PII + zero dependencies — things English tools don't do.
4051

41-
> Detects overseas-LLM endpoints (**data-export risk** — a China-only concept English tools ignore), hardcoded secrets, Chinese PII in files, and `.env` exposure. When it finds an overseas model (e.g. an `openai` dependency), it **prescribes domestic compliant alternatives** (通义千问 / DeepSeek / Kimi / 智谱) with their OpenAI-compatible `base_url` — most migrations are just a `base_url` swap.
52+
Quick start: `npx shellward scan` — zero install, read-only, nothing uploaded. Outputs a red/yellow/green scorecard mapped to Chinese regulations plus concrete `file:line` findings, and prescribes domestic compliant model alternatives for any overseas LLM it finds.
4253

4354
## Demo
4455
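
Review bot: The new `## English` section drops information the removed English lines carried: they documented `npx shellward scan --json`, `--ci` (fail the build on critical findings) and `--html report.html`, and listed the detection scope (hardcoded secrets, Chinese PII in files, `.env` exposure), while the added quick-start paragraph mentions none of these. Unless they are covered further down outside this hunk, keep one English line for the flags so readers of the English section can still wire up the CI gate. In the sample output, the score line changes from `75/100 [B]` with a 🟢/🟡/🔴/⚪ breakdown to `63/100 [C]` with no breakdown; confirm this matches what the scanner prints now, since the sentence above the sample still promises a red/yellow/green scorecard. The nav link `[中文](#中文)` is replaced as well, so check that nothing else in the README still links to `#中文`.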

package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "shellward",
3-
"version": "0.6.6",
3+
"version": "0.6.7",
44
"mcpName": "io.github.jnMetaCode/shellward",
55
"description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
66
"keywords": [
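
Review bot: Only `version` changes in this hunk, while the unchanged `description` line still presents the package purely as runtime middleware and never mentions the compliance scan that the README in this same commit now leads with; consider aligning the description so the npm listing matches the README's positioning. The bump to 0.6.7 is consistent with the new CHANGELOG heading.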

src/compliance/project-scan.ts

326 Bytes
Binary file not shown.
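
Review bot: `src/compliance/project-scan.ts` is rendered as a 326-byte binary file, so the change that implements the template exemption cannot be reviewed in this commit view. Check whether the file picked up NUL bytes, a non-UTF-8 encoding, or a `binary`/`-diff` attribute in `.gitattributes`, and restore it to a text diff. The matching rule itself deserves a look once visible: any file name it classifies as a template is skipped by the permission check, so the reviewer needs to see whether it matches on exact suffixes (`.example`, `.sample`, `.template`, `.dist`) or on a looser pattern.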

test-compliance.ts

Lines changed: 8 additions & 0 deletions
@@ -286,7 +286,15 @@ console.log('\n--- 降误报与忽略 ---')
286286
writeFileSync(join(dir, 'samples', 'leak.ts'), 'const k = "sk-RZ9mKp2QwLs7Yv3Nd8Tb1Hc4Xj6Pq"\n')
287287
writeFileSync(join(dir, '.shellwardignore'), '# test\nsamples/\n')
288288

289+
// .env 模板文件不应报权限;真实 .env 应报
290+
writeFileSync(join(dir, '.env.example'), 'OPENAI_API_KEY=your-key-here\n')
291+
try { chmodSync(join(dir, '.env.example'), 0o644) } catch {}
292+
writeFileSync(join(dir, '.env'), 'OPENAI_API_KEY=sk-RZ9mKp2QwLs7Yv3Nd8Tb1Hc4Xj6Pq\n')
293+
try { chmodSync(join(dir, '.env'), 0o644) } catch {}
294+
289295
const scan = scanProject(dir)
296+
const envPerm = scan.findings.filter(f => f.kind === 'env-perm').map(f => f.file)
297+
test('.env.example 模板不报权限', !envPerm.some(f => f.includes('.env.example')), envPerm.join(','))
290298
const secretFiles = scan.findings.filter(f => f.kind === 'secret').map(f => f.file)
291299
test('占位符密钥被过滤', !secretFiles.some(f => f.includes('placeholder')), secretFiles.join(','))
292300
test('结构真实密钥被检出', secretFiles.some(f => f.includes('real.ts')))
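
Review bot: The added comment says the real `.env` should be reported ("真实 .env 应报"), and the test creates `.env` at `0o644`, but the only new assertion is the negative one for `.env.example`; nothing checks that `.env` still produces an `env-perm` finding. A regression that suppresses every `env-perm` finding would pass this test. Add a positive assertion next to it, and match the file name exactly rather than with `f.includes('.env')`, which would also match `.env.example`. Two further gaps: `try { chmodSync(...) } catch {}` swallows failures, so on a platform where the mode is not applied the negative test can pass vacuously, and only `.env.example` is covered although the commit message and CHANGELOG also name `.sample`, `.template` and `.dist`.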
