feat(scan): 扫描透明度(耗时+规则数) + 修境外厂商重复 (v0.7.3)

jnMetaCode · jnMetaCode · commit 9e77d6db07c7 · 2026-06-20T09:29:30.000+08:00
- 报告显示扫描耗时+检测规则数,让"秒出"可验证(正则匹配本就毫秒级,快≠假)
- 修数据出境控制项同一厂商列两次(端点+SDK依赖去重,不区分大小写)
- 回应用户"还是秒出?"的信任质疑
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/),
 and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.7.3] - 2026-06-20
+
+### Added — 扫描透明度（"秒出=干活了吗"的证据）
+- 报告显示**扫描耗时 + 应用的检测规则数**（如"已扫描 150 个文件 · 耗时 28ms · 应用 53 条检测规则"）——让"快"可被验证：正则匹配文本本就是毫秒级，快≠假
+### Fixed
+- 数据出境控制项不再把同一厂商列两次（端点命中 + SDK 依赖命中去重，不区分大小写）
+
 ## [0.7.2] - 2026-06-20
 
 ### Changed — 诚实度与真实覆盖（用户反馈"上传就出结果太假"后修正）
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [
diff --git a/src/compliance/audit.ts b/src/compliance/audit.ts
@@ -171,10 +171,11 @@ export function runProjectComplianceAudit(config: ShellWardConfig, root: string)
 
   // 把文件中实测到的境外端点/依赖并入 facts（按 endpointId 或 provider 去重），
   // 使数据出境项基于真实证据（含 SDK 依赖通道）
-  const seen = new Set(env.overseas.map(o => o.endpointId || o.provider_en))
+  const seen = new Set(env.overseas.map(o => (o.endpointId || o.provider_en || '').toLowerCase()))
   for (const f of scan.findings) {
     if (f.kind !== 'overseas') continue
-    const key = f.endpointId || f.provider_en || ''
+    // 按厂商去重（不区分大小写），避免"端点命中"与"SDK依赖命中"把同一厂商列两次
+    const key = (f.provider_en || f.endpointId || '').toLowerCase()
     if (!key || seen.has(key)) continue
     seen.add(key)
     env.overseas.push({
diff --git a/src/compliance/html-report.ts b/src/compliance/html-report.ts
@@ -96,8 +96,8 @@ export function renderHtmlReport(
 
   // ===== 项目实测风险 =====
   S.push(sectionHead('🔍', t('项目实测风险', 'Project Scan Findings'),
-    t(`已扫描 ${scan.filesScanned} 个文件${scan.truncated ? '（已达上限）' : ''}`,
-      `Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''}`)))
+    t(`已扫描 ${scan.filesScanned} 个文件${scan.truncated ? '（已达上限）' : ''} · 耗时 ${scan.durationMs ?? '?'}ms · 应用 ${scan.rulesChecked ?? '?'} 条检测规则`,
+      `Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`)))
 
   if (scan.findings.length === 0) {
     S.push(`<div class="empty">🟢 ${t('未在项目文件中发现硬编码密钥、个人信息暴露或境外端点。',
diff --git a/src/compliance/project-scan.ts b/src/compliance/project-scan.ts
diff --git a/src/compliance/report.ts b/src/compliance/report.ts
@@ -141,8 +141,8 @@ export function renderProjectFindings(scan: ProjectScanResult, locale: 'zh' | 'e
   L.push(zh ? '## 🔍 项目实测风险' : '## 🔍 Project Scan Findings')
   L.push('')
   L.push(zh
-    ? `> 已扫描 ${scan.filesScanned} 个文件${scan.truncated ? '（已达上限，部分未扫）' : ''}`
-    : `> Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached, partial)' : ''}`)
+    ? `> 已扫描 ${scan.filesScanned} 个文件${scan.truncated ? '（已达上限）' : ''} · 耗时 ${scan.durationMs ?? '?'}ms · 应用 ${scan.rulesChecked ?? '?'} 条检测规则`
+    : `> Scanned ${scan.filesScanned} files${scan.truncated ? ' (limit reached)' : ''} · ${scan.durationMs ?? '?'}ms · ${scan.rulesChecked ?? '?'} detection rules`)
   L.push('')
 
   if (scan.findings.length === 0) {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "shellward",`
`3`		`- "version": "0.7.2",`
	`3`	`+ "version": "0.7.3",`
`4`	`4`	`"mcpName": "io.github.jnMetaCode/shellward",`
`5`	`5`	`"description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",`
`6`	`6`	`"keywords": [`