fix(web): 修客户端扫不了(过滤漏.md/document.write不可靠) + web集成测试 v0.7.5

jnMetaCode · jnMetaCode · commit dedf01b51fad · 2026-06-20T10:10:45.000+08:00
- 客户端过滤对齐服务端SCAN_EXT(含.md/.mdx/.ipynb),markdown项目不再被全滤光
- 结果渲染改 Blob URL 跳转(替代不可靠的document.write)
- 加可见状态提示,不再静默失败
- 新增 test-web.ts 18项端到端集成测试,纳入 npm test
- 全套300测试全绿
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/),
 and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.7.5] - 2026-06-20
+
+### Fixed — web 客户端"扫不了"的真实 bug（用户反馈后修）
+- **客户端文件过滤未对齐服务端**：上传时漏掉 `.md`/`.mdx`/`.ipynb` 等，导致 markdown 为主的项目（如 prompt/skill 库）被全滤光、提示"未找到可扫描文件"。现与服务端 SCAN_EXT 对齐
+- **结果渲染从 `document.write` 改为 Blob URL 跳转**，更可靠（此前某些情况报告写不出、页面像卡住）
+- **加可见状态提示**：读取/扫描/失败都在页面显示（不再静默失败或只弹 alert）
+- 新增 `test-web.ts`（18 项端到端集成测试：上传扫描、本地路径、URL 校验、路径穿越防护、双模式权限），纳入 `npm test`
+- 全套 **300 测试**全绿
+
 ## [0.7.4] - 2026-06-20
 
 ### Added — 合规扫描检测基准（把"信我能检"变成"看数字"）
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 
 [![npm](https://img.shields.io/npm/v/shellward?color=cb0000&label=npm)](https://www.npmjs.com/package/shellward)
 [![license](https://img.shields.io/badge/license-Apache--2.0-blue)](./LICENSE)
-[![tests](https://img.shields.io/badge/tests-282%20passing-brightgreen)](#performance)
+[![tests](https://img.shields.io/badge/tests-300%20passing-brightgreen)](#performance)
 [![deps](https://img.shields.io/badge/dependencies-0-brightgreen)](#performance)
 
 **🌐 官网: https://jnmetacode.github.io/shellward/**
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "shellward",
-  "version": "0.7.4",
+  "version": "0.7.5",
   "mcpName": "io.github.jnMetaCode/shellward",
   "description": "AI agent security & MCP security middleware — prompt injection detection, AI firewall, runtime guardrails & data-loss prevention for LLM tool calls. 8-layer defense against data exfiltration & dangerous commands. Zero dependencies. SDK + OpenClaw plugin. Supports LangChain, AutoGPT, Claude Code, Cursor, OpenAI Agents, Hermes Agent.",
   "keywords": [
@@ -57,7 +57,7 @@
   "scripts": {
     "build": "tsc",
     "mcp": "npx tsx src/mcp-server.ts",
-    "test": "npx tsx test-sdk.ts && npx tsx test-integration.ts && npx tsx test-edge-cases.ts && npx tsx test-rugpull.ts && npx tsx test-redos.ts && npx tsx test-mcp-client.ts && npx tsx test-mcp.ts && npx tsx test-compliance.ts",
+    "test": "npx tsx test-sdk.ts && npx tsx test-integration.ts && npx tsx test-edge-cases.ts && npx tsx test-rugpull.ts && npx tsx test-redos.ts && npx tsx test-mcp-client.ts && npx tsx test-mcp.ts && npx tsx test-compliance.ts && npx tsx test-web.ts",
     "test:redos": "npx tsx test-redos.ts",
     "test:compliance": "npx tsx test-compliance.ts",
     "test:integration": "npx tsx test-integration.ts",
diff --git a/src/web/scan-server.ts b/src/web/scan-server.ts
@@ -212,6 +212,7 @@ function formPage(local: boolean): string {
         <label>① 选择本地项目文件夹（推荐）</label>
         <input type="file" id="dir" webkitdirectory directory multiple>
         <button id="dbtn" type="submit">开始体检 →</button>
+        <div id="status" class="status"></div>
         <p class="hint">📂 直接选你的项目文件夹，无需敲路径。文件仅发送到<b>本机的本地服务</b>处理，<b>不经过任何外部服务器、不出本机</b>。</p>
       </form>
       <div class="or">— 或 —</div>` : ''
@@ -230,17 +231,20 @@ function formPage(local: boolean): string {
 }
 
 // 客户端：读取所选文件夹 → 过滤(跳过 node_modules 等、仅文本/配置、限大小) → POST 到本机服务
+// 注意：过滤后缀须与服务端 SCAN_EXT 对齐（含 .md），否则 markdown 项目会被全滤光显得"扫不了"。
 const UPLOAD_SCRIPT = `<script>
 (function(){
   var SKIP=/(^|\\/)(node_modules|\\.git|dist|build|\\.next|out|vendor|coverage|\\.venv|venv|__pycache__|target|\\.cache)(\\/|$)/;
-  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv)$/i;
+  var EXT=/\\.(ts|tsx|js|jsx|mjs|cjs|py|go|rb|java|php|rs|json|yaml|yml|toml|ini|conf|sh|txt|csv|md|mdx|ipynb|properties|xml|gradle|tf)$/i;
   var ENV=/(^|\\/)\\.env(\\.|$)/; var DEP=/^(package\\.json|requirements\\.txt|pyproject\\.toml|go\\.mod)$/;
   var form=document.getElementById('dirform'); if(!form) return;
+  var statusEl=document.getElementById('status');
+  function s(m){ if(statusEl){statusEl.textContent=m;statusEl.style.display='block';} }
   form.addEventListener('submit', async function(e){
     e.preventDefault();
     var inp=document.getElementById('dir'), btn=document.getElementById('dbtn');
-    if(!inp.files||!inp.files.length){alert('请先选择项目文件夹');return;}
-    btn.disabled=true; btn.textContent='读取中…';
+    if(!inp.files||!inp.files.length){ s('请先点上方按钮选择项目文件夹'); return; }
+    btn.disabled=true;
     var picked=[], total=0, root='';
     for(var i=0;i<inp.files.length;i++){
       var f=inp.files[i], rel=f.webkitRelativePath||f.name; if(!root)root=rel.split('/')[0];
@@ -251,13 +255,17 @@ const UPLOAD_SCRIPT = `<script>
       if(picked.length>=3000||total>8388608) break;
       total+=f.size; picked.push(f);
     }
-    if(!picked.length){alert('未找到可扫描的源码/配置文件');btn.disabled=false;btn.textContent='开始体检 →';return;}
-    btn.textContent='扫描中… ('+picked.length+' 个文件)';
+    if(!picked.length){ s('未找到可扫描的源码/配置文件（已自动跳过 node_modules、图片、超大文件）。请选含代码或配置的目录。'); btn.disabled=false; return; }
+    s('读取 '+picked.length+' 个文件…');
     var out=[]; for(var j=0;j<picked.length;j++){ try{ out.push({path:picked[j].webkitRelativePath||picked[j].name, content:await picked[j].text()}); }catch(_){} }
+    s('扫描中…（'+out.length+' 个文件，请稍候）');
     try{
       var resp=await fetch('/scan-files',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({root:root,files:out})});
-      var html=await resp.text(); document.open(); document.write(html); document.close();
-    }catch(err){ alert('扫描失败: '+err); btn.disabled=false; btn.textContent='开始体检 →'; }
+      if(!resp.ok){ s('扫描失败：HTTP '+resp.status+'。请重试，或改用命令行 npx shellward scan。'); btn.disabled=false; return; }
+      var html=await resp.text();
+      // 用 Blob URL 跳转展示报告（比 document.write 可靠）
+      window.location.href=URL.createObjectURL(new Blob([html],{type:'text/html'}));
+    }catch(err){ s('扫描失败：'+(err&&err.message||err)+'。请重试。'); btn.disabled=false; }
   });
 })();
 </script>`
@@ -291,6 +299,8 @@ button{background:#cb0000;color:#fff;border:0;border-radius:10px;padding:14px;fo
 font-weight:700;cursor:pointer;margin-top:4px}button:hover{background:#a80000}
 button:disabled{background:#94a3b8;cursor:default}
 form{margin:0 0 14px}.or{text-align:center;color:#94a3b8;font-size:13px;margin:6px 0 14px}
+.status{display:none;margin:10px 0 0;padding:10px 14px;border-radius:8px;background:#f1f5f9;
+color:#334155;font-size:13.5px;border-left:3px solid #cb0000;text-align:left}
 .foot{margin:24px 0 0;font-size:12.5px;color:#94a3b8}.foot a,.back{color:#cb0000;text-decoration:none}
 .back{font-weight:600}
 </style></head><body>${body}</body></html>`
diff --git a/test-web.ts b/test-web.ts
@@ -0,0 +1,111 @@
+#!/usr/bin/env npx tsx
+// test-web.ts — web 扫描服务端到端集成测试（启真实 http 服务，打全部端点）
+
+import { spawn } from 'child_process'
+import { mkdtempSync, writeFileSync, mkdirSync, rmSync } from 'fs'
+import { join } from 'path'
+import { tmpdir } from 'os'
+
+let passed = 0, failed = 0
+function test(name: string, cond: boolean, detail?: string) {
+  if (cond) { passed++; console.log(`  ✅ ${name}`) }
+  else { failed++; console.log(`  ❌ ${name}${detail ? ' — ' + detail : ''}`) }
+}
+
+async function waitUp(url: string, ms = 8000): Promise<boolean> {
+  const t0 = Date.now()
+  while (Date.now() - t0 < ms) {
+    try { const r = await fetch(url); if (r.ok) return true } catch { /* retry */ }
+    await new Promise(r => setTimeout(r, 200))
+  }
+  return false
+}
+
+function startServer(args: string[]): Promise<any> {
+  const child = spawn('node', ['dist/cli.js', 'web', ...args], { stdio: 'ignore' })
+  return Promise.resolve(child)
+}
+
+async function main() {
+  console.log('\n========== ShellWard Web 服务集成测试 ==========\n')
+
+  // ---- 本地模式 ----
+  console.log('--- 本地模式 (web --local) ---')
+  const localPort = 8211
+  const localSrv = await startServer(['--local', '--port', String(localPort)])
+  const base = `http://localhost:${localPort}`
+  const up = await waitUp(base + '/')
+  test('服务启动并响应', up)
+  if (up) {
+    const home = await (await fetch(base + '/')).text()
+    test('首页含「选择本地项目文件夹」', home.includes('选择本地项目文件夹'))
+    test('首页含上传脚本 /scan-files', home.includes('scan-files'))
+    test('首页含 URL 入口', home.includes('公开仓库地址'))
+
+    // 模拟浏览器上传（客户端读文件夹后发的 JSON）
+    const payload = {
+      root: 'myproj',
+      files: [
+        { path: 'myproj/package.json', content: '{"dependencies":{"openai":"^4"}}' },
+        { path: 'myproj/app.ts', content: 'const k="sk-RZ9mKp2QwLs7Yv3Nd8Tb1Hc4Xj6Pq"\nconst phone="13912345678"' },
+      ],
+    }
+    const upl = await fetch(base + '/scan-files', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(payload) })
+    test('上传扫描返回 200', upl.status === 200, `status=${upl.status}`)
+    const uhtml = await upl.text()
+    test('上传报告是完整 HTML', uhtml.startsWith('<!DOCTYPE html>'))
+    test('上传报告含 openai 依赖发现', uhtml.includes('openai'))
+    test('上传报告含密钥发现', uhtml.includes('硬编码') || uhtml.includes('密钥'))
+    test('上传报告含手机号发现', uhtml.includes('手机号'))
+
+    // 空上传
+    const empty = await fetch(base + '/scan-files', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ files: [] }) })
+    test('空上传返回 400', empty.status === 400, `status=${empty.status}`)
+
+    // 路径穿越防护
+    const eviltmp = mkdtempSync(join(tmpdir(), 'sw-evil-'))
+    const evil = await fetch(base + '/scan-files', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ root: 'x', files: [{ path: '../../../../' + eviltmp.replace(/^\//, '') + '/PWNED', content: 'x' }] }) })
+    await evil.text()
+    let pwned = false
+    try { require('fs').statSync(join(eviltmp, 'PWNED')); pwned = true } catch { /* good */ }
+    test('路径穿越被挡（未写出目标文件）', !pwned)
+    rmSync(eviltmp, { recursive: true, force: true })
+
+    // 本地路径扫描
+    const proj = mkdtempSync(join(tmpdir(), 'sw-proj-'))
+    writeFileSync(join(proj, 'package.json'), '{"dependencies":{"@anthropic-ai/sdk":"^0.2"}}')
+    const pathScan = await fetch(base + '/scan?path=' + encodeURIComponent(proj))
+    test('本地路径扫描返回 200', pathScan.status === 200, `status=${pathScan.status}`)
+    test('本地路径扫描含 Anthropic 发现', (await pathScan.text()).includes('Anthropic'))
+    rmSync(proj, { recursive: true, force: true })
+
+    // 非法仓库 URL
+    const bad = await fetch(base + '/scan?repo=' + encodeURIComponent('http://evil.com/a/b'))
+    test('非法 URL 返回 400', bad.status === 400, `status=${bad.status}`)
+  }
+  try { localSrv.kill() } catch {}
+
+  // ---- 公网模式 ----
+  console.log('\n--- 公网模式 (web) ---')
+  const pubPort = 8212
+  const pubSrv = await startServer([String(pubPort)])
+  const pbase = `http://localhost:${pubPort}`
+  const pup = await waitUp(pbase + '/')
+  test('公网服务启动', pup)
+  if (pup) {
+    const phome = await (await fetch(pbase + '/')).text()
+    test('公网首页不含本地上传（只 URL）', !phome.includes('选择本地项目文件夹') && phome.includes('公开仓库地址'))
+    // 公网模式禁止本地路径扫描
+    const blocked = await fetch(pbase + '/scan?path=/etc')
+    test('公网模式拒绝本地路径扫描 (403)', blocked.status === 403, `status=${blocked.status}`)
+    // 公网模式拒绝上传
+    const noupload = await fetch(pbase + '/scan-files', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: '{"files":[]}' })
+    test('公网模式拒绝上传 (403)', noupload.status === 403, `status=${noupload.status}`)
+  }
+  try { pubSrv.kill() } catch {}
+
+  console.log(`\n========== Web 测试: ${passed} 通过, ${failed} 失败 ==========\n`)
+  if (failed > 0) process.exit(1)
+}
+
+main().catch(e => { console.error('测试崩溃:', e); process.exit(1) })
