feat(report): 检查过程可见 + 含风险演示 (v0.7.6)

- 空结果展示逐项检查清单(查了什么+✓0命中+文件/规则/耗时),回应"秒出=没检查吗"
- 内置 /demo 含风险示例一键演示(满屏发现+行号),证明快≠假
- scan-server.ts 加入 .shellwardignore(演示样例含密钥字面量)
- 全套300测试全绿

Author: jnMetaCode

.shellwardignore

@@ -13,6 +13,7 @@ src/rules/injection-en.ts
 src/rules/dangerous-commands.ts
 src/rules/protected-paths.ts
 src/rules/tool-poisoning.ts
+src/web/scan-server.ts
 
 # 测试、基准语料、演示（故意包含攻击样本/示例密钥）
 test-*.ts

CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/),
 and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.7.6] - 2026-06-20
+
+### Added — 让"检查过程"可见（回应"秒出=没检查吗"）
+- **空结果也展示检查过程**：未发现风险时不再只说"未发现"，而是逐项列出查了什么（境外端点+SDK依赖38特征 / 硬编码密钥 / 中文+国际PII / .env权限）+ ✓0命中 + 文件数/规则数/耗时——证明确实逐项扫了
+- **内置"含风险示例"一键演示** (`/demo` + 首页按钮)：扫一个故意埋了风险的样例项目，同样秒出但满屏发现(境外5/密钥6/PII4 + 行号)，直观证明"快≠假"
+- 验证：独立 grep 确认真实干净项目(superpowers-zh)无风险→报0正确；往副本植入密钥→立刻命中 file:line
+
 ## [0.7.5] - 2026-06-20
 
 ### Fixed — web 客户端"扫不了"的真实 bug（用户反馈后修）

package.json

@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.5",
+  "version": "0.7.6",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [

src/compliance/html-report.ts

@@ -100,8 +100,14 @@ export function renderHtmlReport(
       `Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`)))
 
   if (scan.findings.length === 0) {
-    S.push(`<div class="empty">🟢 ${t('未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。',
-      'No hardcoded secrets, PII, or overseas endpoints found in project files.')}</div>`)
+    // 空结果也要展示"检查过程"——逐项列出查了什么、均未命中，证明确实扫了
+    S.push(`<div class="empty">🟢 ${t('逐项检查完成，未在可扫描文件中发现风险。', 'All checks passed — no risks found in scannable files.')}</div>`)
+    S.push(`<table class="tbl checked"><tbody>
+      <tr><td>🌐 ${t('境外大模型端点 + SDK 依赖', 'Overseas LLM endpoints + SDK deps')}</td><td class="muted">${t('OpenAI / Anthropic / Gemini / Cohere… 共 38 个特征', '38 signatures')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🔑 ${t('硬编码密钥', 'Hardcoded secrets')}</td><td class="muted">${t('OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串', 'OpenAI/GitHub/AWS/private key/JWT/password/conn-string')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>🪪 ${t('中文 PII + 国际 PII', 'Chinese + intl PII')}</td><td class="muted">${t('身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡', 'CN ID(checksum)/mobile/UnionPay(Luhn)/SSN/credit card')}</td><td class="right ok">✓ ${t('0 命中', '0 hits')}</td></tr>
+      <tr><td>📂 .env ${t('权限', 'permission')}</td><td class="muted">${t('含密钥的 .env 不应组/其他可读', '.env should not be group/other readable')}</td><td class="right ok">✓ ${t('正常', 'OK')}</td></tr>
+    </tbody></table>`)
   } else {
     S.push('<div class="chips">')
     for (const k of KIND_ORDER) if (scan.counts[k] > 0) {
@@ -296,6 +302,8 @@ section,.reg{padding:0 36px}
   padding:0 8px;border-radius:999px;margin-left:4px;font-weight:600}
 .empty{margin:8px 36px;padding:16px 18px;background:var(--pass-bg);color:var(--pass);
   border-radius:10px;font-weight:600;font-size:14px}
+.checked td.ok{color:var(--pass);font-weight:700}
+.checked td:first-child{font-weight:600;white-space:nowrap}
 
 /* chips 概览 */
 .chips{display:flex;flex-wrap:wrap;gap:8px;margin:6px 36px 4px}

src/compliance/report.ts

@@ -146,7 +146,23 @@ export function renderProjectFindings(scan: ProjectScanResult, locale: 'zh' | 'e
   L.push('')
 
   if (scan.findings.length === 0) {
-    L.push(zh ? '🟢 未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。' : '🟢 No hardcoded secrets, PII exposure, or overseas endpoints found in project files.')
+    L.push(zh ? '🟢 逐项检查完成，未在可扫描文件中发现风险：' : '🟢 All checks passed — no risks found:')
+    L.push('')
+    if (zh) {
+      L.push('| 检查项 | 覆盖 | 结果 |')
+      L.push('|---|---|---|')
+      L.push('| 🌐 境外大模型端点 + SDK 依赖 | OpenAI/Anthropic/Gemini… 38 个特征 | ✓ 0 命中 |')
+      L.push('| 🔑 硬编码密钥 | OpenAI/GitHub/AWS key、私钥、JWT、口令、连接串 | ✓ 0 命中 |')
+      L.push('| 🪪 中文+国际 PII | 身份证(校验位)/手机号/银行卡(Luhn)/SSN/信用卡 | ✓ 0 命中 |')
+      L.push('| 📂 .env 权限 | 含密钥的 .env 不应组/其他可读 | ✓ 正常 |')
+    } else {
+      L.push('| Check | Coverage | Result |')
+      L.push('|---|---|---|')
+      L.push('| 🌐 Overseas endpoints + SDK deps | 38 signatures | ✓ 0 hits |')
+      L.push('| 🔑 Hardcoded secrets | OpenAI/GitHub/AWS/private key/JWT/password | ✓ 0 hits |')
+      L.push('| 🪪 PII (CN + intl) | CN ID/mobile/UnionPay/SSN/credit card | ✓ 0 hits |')
+      L.push('| 📂 .env permission | group/other-readable check | ✓ OK |')
+    }
     L.push('')
     return L.join('\n')
   }

src/web/scan-server.ts

@@ -58,6 +58,11 @@ export function startWebServer(opts: WebServerOptions): void {
         if (active >= MAX_CONCURRENT) return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'))
         return await handleUpload(req, res, locale, () => { active++ }, () => { active-- })
       }
+      // 演示：扫一个内置的「含风险样例项目」——证明"秒出≠没检查"（满屏发现 + 行号）
+      if (u.pathname === '/demo') {
+        if (active >= MAX_CONCURRENT) return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试'))
+        return handleDemo(res, locale, () => { active++ }, () => { active-- })
+      }
       if (u.pathname === '/scan') {
         if (active >= MAX_CONCURRENT) {
           return send(res, 503, 'text/html', errorPage('服务繁忙，请稍后再试（并发上限）'))
@@ -175,6 +180,35 @@ async function handleUpload(req: any, res: any, locale: 'zh' | 'en', inc: () =>
   }
 }
 
+/** 演示：内置「含风险样例项目」扫描，证明检测真在工作 */
+function handleDemo(res: any, locale: 'zh' | 'en', inc: () => void, dec: () => void) {
+  const dir = mkdtempSync(join(tmpdir(), 'sw-demo-'))
+  inc()
+  try {
+    mkdirSync(join(dir, 'src'), { recursive: true })
+    mkdirSync(join(dir, 'data'), { recursive: true })
+    writeFileSync(join(dir, 'package.json'), JSON.stringify({
+      name: 'demo-ai-app', dependencies: { 'openai': '^4.20.0', '@anthropic-ai/sdk': '^0.20.0', 'express': '^4' },
+    }, null, 2))
+    writeFileSync(join(dir, 'src', 'config.ts'),
+      'export const LLM = "https://api.openai.com/v1"\n'
+      + 'const OPENAI_KEY = "sk-Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz0"\n'
+      + 'const GITHUB_TOKEN = "ghp_Rz9MkP2qWlS7yV3nD8tB1hC4xJ6pQsTuVwYz"\n'
+      + 'export const ADMIN_PHONE = "13912345678"\n')
+    writeFileSync(join(dir, 'data', 'customers.csv'),
+      'name,id_card,phone,card\n张三,110101199003071233,13800138000,4111111111111111\n')
+    writeFileSync(join(dir, '.env'),
+      'AWS_ACCESS_KEY=AKIARZ9MKP2QWLS7YV3N\nDB_PASSWORD=Sup3rS3cretProdPwd2026\n')
+    const { report, scan } = runProjectComplianceAudit(DEFAULT_CONFIG, dir)
+    send(res, 200, 'text/html', renderHtmlReport(report, scan, locale, { root: '示例项目（含风险）/ demo-ai-app' }))
+  } catch (e: any) {
+    send(res, 500, 'text/html', errorPage('演示失败：' + esc(e?.message || String(e))))
+  } finally {
+    dec()
+    try { rmSync(dir, { recursive: true, force: true }) } catch { /* ignore */ }
+  }
+}
+
 /** 浅克隆公开仓库到临时目录（不鉴权、超时、不执行任何仓库代码） */
 function cloneRepo(url: string, dir: string): Promise<void> {
   return new Promise((res, rej) => {
@@ -224,6 +258,7 @@ function formPage(local: boolean): string {
       <p class="sub">${local ? '选项目文件夹或贴公开仓库链接' : '贴公开仓库链接'}，30 秒查出数据出境 / 硬编码密钥 / 个人信息暴露等中国合规红线。</p>
       ${uploadForm}
       ${urlForm}
+      <p class="demo">🤔 觉得"秒出"不真？ <a href="/demo">▶ 看一个含风险的示例报告</a>（同样秒出，但满屏发现 + 行号）</p>
       <p class="foot">网安法 2026 · PIPL · 等保2.0 · 数据出境 · AI标识 ｜ 零依赖 · 开源 ·
         <a href="https://github.com/jnMetaCode/shellward">GitHub ⭐</a></p>
     </div>
@@ -301,6 +336,7 @@ button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
 .status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
 color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
+.demo{margin:18px 0 0;font-size:13px;color:#475569}.demo a{font-weight:600}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`