Getting Started
@bene-npm/shield-ui is a security-themed React component library. Zero external dependencies, full TypeScript support, and a 3-theme system out of the box.
Installation
Requires React 18 or 19 as a peer dependency. No CSS imports or Tailwind configuration needed — all components use inline styles.
Quick Start
ShieldProvider is optional. Components fall back to the dark theme when used without a provider.
Theme System
Wrap your app or a section with ShieldProvider to set the active theme. All child components automatically reflect the theme via the React context-based useTheme() hook.
| Token | Dark | Hacker | Corporate | Description |
|---|---|---|---|---|
| t.bg | #06080c | #000 | #f5f7fa | Page background |
| t.surface | #0c0f18 | #0a0a0a | #fff | Card/panel background |
| t.surfaceAlt | #111520 | #111 | #f0f2f5 | Input / alt surface |
| t.text | #e8eaf0 | #33ff66 | #111827 | Primary text |
| t.textMuted | #8892a4 | #00cc44 | #374151 | Secondary text |
| t.textDim | #4a5568 | #006622 | #9ca3af | Disabled / hint text |
| t.accent | #38bdf8 | #00ff41 | #2563eb | Primary accent color |
| t.critical | #ff2d55 | #ff0000 | #dc2626 | Critical / error |
| t.high | #ff6b35 | #ff6600 | #ea580c | High severity |
| t.medium | #f59e0b | #ffaa00 | #d97706 | Medium severity |
| t.success | #30d158 | #00ff41 | #16a34a | Success / low severity |
| t.warning | #fbbf24 | #ffcc00 | #ca8a04 | Warning |
| t.mono | JetBrains Mono | monospace | ui-monospace | Monospace font family |
Hooks & Utilities
The theme system exports three hooks and one plain function. Use the plain getSevColor() inside .map() callbacks where calling a hook would violate React's rules.
TypeScript Types
All public types are re-exported from the package root — no deep imports needed.
Display & Badges4 components
SeverityBadge
since v1.0.0Communicates threat severity at a glance. Renders a colored label badge with optional pulse animation and a numeric count bubble. The color is automatically derived from the active theme.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| level | "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO" | "MEDIUM" | — | v1.0.0 | The severity tier. Controls the badge color and label text. |
| size | "sm" | "md" | "lg" | "md" | — | v1.0.0 | Controls padding and font size. sm = compact, lg = prominent. |
| pulse | boolean | false | — | v1.0.0 | Enables a repeating opacity animation to draw attention to the badge. |
| count | number | — | — | v1.0.0 | Renders a small numeric bubble to the right of the badge, useful for issue counts. |
- Colors are sourced from the active theme via useTheme(), so they update automatically when ShieldProvider theme changes.
- The pulse animation references the badgePulse keyframe defined in globals.css. Ensure your app includes this file, or define the keyframe yourself.
ShieldBadge
since v1.0.0A shield-icon trust/verification badge for packages, endpoints, or system components. Shows a shield SVG with a status icon and optional label.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| status | "verified" | "warning" | "compromised" | "unknown" | "verified" | — | v1.0.0 | Determines the shield color and icon. verified = green, warning = amber, compromised = red, unknown = muted. |
| label | string | — | — | v1.0.0 | Optional text label rendered next to the shield icon. |
CveTag
since v1.0.0A compact inline CVE identifier tag with a colored severity dot. Designed for use in tables, lists, and inline prose.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| id | string | "CVE-2024-0001" | — | v1.0.0 | The CVE identifier string to display. |
| severity | SeverityLevel | "HIGH" | — | v1.0.0 | Controls the severity dot color next to the CVE ID. |
- SeverityLevel = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO"
ComplianceBadge
since v2.0.0Displays a compliance framework badge with an icon, label, and current status. Supports SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, and NIST.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| standard | "SOC2" | "ISO27001" | "GDPR" | "HIPAA" | "PCI" | "NIST" | "SOC2" | — | v2.0.0 | The compliance framework to display. Each standard has a unique icon and label. |
| status | "compliant" | "in-progress" | "failing" | "not-applicable" | "compliant" | — | v2.0.0 | Current compliance status. Controls the status label color and icon. |
- Exported types: ComplianceStandard, ComplianceStatus
Scanning & Progress4 components
ScanProgress
since v1.0.0An animated progress bar for scan operations. Displays a shimmer effect while scanning, and switches to solid color on completion or error. Label text sits above the bar.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| progress | number | 0 | — | v1.0.0 | Progress percentage from 0–100. |
| status | "scanning" | "complete" | "error" | "warning" | "scanning" | — | v1.0.0 | Controls bar color and shimmer animation. scanning = accent + shimmer, complete = success, error = critical, warning = warning. |
| label | string | "Scanning dependencies..." | — | v1.0.0 | Descriptive text shown above the progress bar. |
- The shimmer animation references the scanShimmer keyframe from globals.css.
- progress is clamped to 100 internally — passing values above 100 is safe.
SecurityScore
since v1.0.0An animated SVG circular gauge that visualizes a security posture score. The arc color shifts from red at low scores to green at high scores. The number animates from 0 to the target value on mount.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| score | number | 72 | — | v1.0.0 | Score from 0–100. Drives both the arc fill percentage and the color. |
| size | number | 120 | — | v1.0.0 | Diameter of the SVG in pixels. |
| label | string | "Security Score" | — | v1.0.0 | Small caption text below the numeric score. |
- Color thresholds: ≥80 = success (green), ≥60 = warning (amber), <60 = critical (red).
- The counter animation uses a setInterval inside a useEffect — it cleans up automatically on unmount.
StatusIndicator
since v1.0.0A pulsing status dot with optional label. Five semantic states cover the full range of system health monitoring scenarios.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| status | "online" | "warning" | "critical" | "offline" | "scanning" | "online" | — | v1.0.0 | Determines dot color and pulse animation. offline = no pulse. |
| label | string | — | — | v1.0.0 | Optional text label rendered next to the dot. |
| size | "sm" | "md" | "lg" | "md" | — | v1.0.0 | Controls dot diameter. |
MetricCard
since v2.0.0A security KPI card with an animated counter, trend indicator, and optional sparkline chart. The numeric value smoothly animates from 0 to the target on mount.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| title | string | — | ✓ | v2.0.0 | Card heading. Shown above the value. |
| value | number | string | — | ✓ | v2.0.0 | The primary metric value. Numbers animate on mount; strings are displayed statically. |
| trend | number | — | — | v2.0.0 | Trend percentage shown below the value. Positive = red (more = worse for security), negative = green (fewer issues = better). 0 = neutral. |
| trendLabel | string | — | — | v2.0.0 | Context label next to the trend indicator, e.g. "vs last scan". |
| severity | SeverityLevel | — | — | v2.0.0 | If provided, overrides the value color with the severity color from the active theme. |
| icon | string | — | — | v2.0.0 | Optional emoji or character shown in the top-right corner of the card. |
| sparkData | number[] | — | — | v2.0.0 | Array of historical values used to render a sparkline SVG behind the card content. |
- trend direction is inverted from financial convention: positive trend = bad (red), negative = good (green). This matches security metric semantics where fewer issues is the goal.
- The animation uses useAnimVal() internally — value changes after mount will re-animate.
- getSevColor() (not useSev()) is used inside the component to avoid hook-in-callback issues.
Threat & Intelligence5 components
ThreatCard
since v1.0.0An expandable vulnerability card that presents CVE details in a collapsible format. Shows the CVE ID, severity badge, title, and affected package in the header. Click to expand for full description, version info, and fix version.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| id | string | "CVE-2024-38816" | — | v1.0.0 | The CVE identifier. |
| severity | SeverityLevel | "HIGH" | — | v1.0.0 | Severity level — controls left border color and badge. |
| title | string | "Path Traversal in Spring Framework" | — | v1.0.0 | Short vulnerability title. |
| pkg | string | "spring-webmvc" | — | v1.0.0 | Affected package name. |
| version | string | "6.1.12" | — | v1.0.0 | Vulnerable version string. |
| fixed | string | — | — | v1.0.0 | Version in which the issue was patched. Shown with a green fix indicator. |
| description | string | — | — | v1.0.0 | Full vulnerability description, shown on expand. |
| published | string | — | — | v1.0.0 | Publication date string, e.g. "2024-09-13". |
SecurityTimeline
since v2.0.0A vertical chronological event feed with a connecting line, severity-colored dot indicators, and optional description text. Ideal for audit logs, incident timelines, and CVE patch histories.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| events | TimelineEvent[] | [] | — | v2.0.0 | Array of timeline events to display, in order from newest to oldest (or whatever order is meaningful). |
- TimelineEvent = { time: string; title: string; severity?: SeverityLevel; description?: string }
- Dot and line colors use getSevColor() to avoid hook-in-loop violations.
- Each event entrance uses the sectionIn animation keyframe (staggered by index * 0.05s).
RiskMatrix
since v2.0.0A 5×5 likelihood/impact risk matrix grid. Each cell is color-coded from green (low risk) to red (critical risk). Pass risk items with likelihood and impact scores (1–5) and they appear as numbered dots inside the matching cell. Hover a populated cell to see the risk labels.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| items | RiskItem[] | [] | — | v2.0.0 | Risk items to plot on the matrix. Each item maps to a cell at (likelihood, impact). |
- RiskItem = { label: string; likelihood: number; impact: number } — likelihood and impact should be integers 1–5.
- Multiple items with the same cell coordinates are stacked — the cell shows the count and the tooltip lists all labels.
- Color thresholds: ratio ≥ 0.64 = critical, ≥ 0.36 = high, ≥ 0.16 = medium, < 0.16 = success.
AttackChain
since v2.0.0A MITRE ATT&CK-style kill chain visualization with 7 fixed phases. Active phases are highlighted; inactive phases are dimmed. Click any active phase to expand its technique tags below the chain.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| activePhases | string[] | [] | — | v2.0.0 | IDs of phases that should be highlighted as active/observed. |
| techniques | Record<string, string[]> | {} | — | v2.0.0 | Map of phase ID → technique name array. Populated phases show a count badge and expand on click. |
- Built-in phase IDs: "recon" | "weapon" | "delivery" | "exploit" | "install" | "c2" | "actions"
- Phases not listed in activePhases are rendered at 35% opacity to show the full kill chain context.
- Only one phase can be expanded at a time — clicking an already-open phase collapses it.
Terminal & Code2 components
TerminalOutput
since v1.0.0A macOS-styled terminal window with a traffic-light title bar. Supports static display or an optional character-by-character typing animation. Each line can have an independent color.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| lines | TerminalLine[] | [] | — | v1.0.0 | Lines to display. Each line is either a plain string or an object with text and color. |
| title | string | "terminal" | — | v1.0.0 | Text shown in the terminal title bar. |
| typing | boolean | false | — | v1.0.0 | When true, animates the output character by character at ~18ms per character. |
- TerminalLine = string | { text: string; color: string }
- Important: wrap the lines array in useMemo() or define it outside your component. The typing animation restarts whenever the lines prop reference changes.
- The blink keyframe (cursor blink) and the dark code background (#04060a) adapt to corporate theme automatically.
SecretCodeBlock
since v2.0.0A code viewer that automatically detects and highlights secrets embedded in source text. Detected patterns are underlined with a colored border and show a tooltip with the secret type on hover. A warning count badge appears in the header when secrets are found.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| code | string | "" | — | v2.0.0 | The raw source text to display and scan. |
| title | string | "source" | — | v2.0.0 | Filename or label shown in the header bar. |
- Detected patterns: AWS Access Keys (AKIA…), JWTs (eyJ…), API keys (api_key= / apikey=), passwords (password= / passwd=), connection strings (postgres://, mongodb://, redis://…), Bearer tokens.
- Detection runs inside useMemo([code]) — no performance impact from re-renders unrelated to code changes.
- This component is for display/audit purposes only. It does not transmit or store the code content.
Network & Infrastructure3 components
DataFlowLine
since v1.0.0An animated directional data flow visualization between two labeled nodes. Shows encryption status with a lock icon and TLS label, and a threat indicator for compromised or untrusted flows.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| from | string | "Client" | — | v1.0.0 | Label for the source node on the left. |
| to | string | "Server" | — | v1.0.0 | Label for the destination node on the right. |
| encrypted | boolean | true | — | v1.0.0 | Shows a green lock icon and TLS label when true. Shows a red unlocked icon when false. |
| threat | boolean | false | — | v1.0.0 | When true, turns the flow line red and adds a ⚠ threat indicator in the center. |
- The animated dot uses the flowPulse keyframe from globals.css.
PortScanMap
since v2.0.0Renders port scan results as a grid of labeled tiles. Each tile shows the port number, well-known service name, and a ⚠ RISK label for inherently dangerous ports. Tile colors reflect port status: open = green/red, filtered = amber, closed = muted.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| ports | PortEntry[] | [] | — | v2.0.0 | Array of ports to display. Can be plain numbers (treated as open) or objects with port + status. |
- PortEntry = number | { port: number; status: PortStatus }
- PortStatus = "open" | "filtered" | "closed"
- Built-in service names: 21=FTP, 22=SSH, 23=Telnet, 25=SMTP, 53=DNS, 80=HTTP, 443=HTTPS, 445=SMB, 3306=MySQL, 3389=RDP, 5432=Postgres, 6379=Redis, 8080=HTTP-Alt, 27017=MongoDB.
- Ports flagged as dangerous by default: 21 (FTP), 23 (Telnet), 25 (SMTP), 445 (SMB), 3389 (RDP).
HeatmapGrid
since v2.0.0A 2D grid heatmap for visualizing numeric intensity data across two axes (e.g., vulnerability count by day/hour, or error rate by service/region). Cell color intensity scales from the theme border color (zero) to critical red (maximum).
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| data | number[][] | [] | — | v2.0.0 | 2D array of numeric values. Rows are y-axis entries, columns are x-axis entries. Zero cells are rendered as empty. |
| xLabels | string[] | [] | — | v2.0.0 | Labels for the column axis (shown below the grid). |
| yLabels | string[] | [] | — | v2.0.0 | Labels for the row axis (shown to the left of each row). |
- The max value across all cells determines the color scale — a single very high outlier will make all other cells appear pale. Normalize your data if needed.
- Cell values are shown as text inside the cell when > 0.
Forms1 component
PasswordStrength
since v2.0.0A live password strength analyzer. As the user types, it calculates Shannon entropy, maps it to a strength label (Very Weak → Excellent), renders a 5-segment bar, and estimates brute-force crack time at 10 billion guesses/second.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| value | string | "" | — | v2.0.0 | Controlled input value. If omitted, the component manages its own state internally. |
| onChange | (value: string) => void | — | — | v2.0.0 | Callback fired on every keystroke when the component is used in controlled mode. |
- Entropy formula: length × log₂(pool size), where pool size is the sum of character-class sizes present (lowercase 26, uppercase 26, digits 10, symbols 32).
- Strength thresholds: ≥80 bits = Excellent, ≥60 = Strong, ≥40 = Fair, ≥20 = Weak, <20 = Very Weak.
- The input uses type="password" for security — the value is masked by default.
- Both entropy and crack time recalculate inside useMemo — no performance overhead.
Live Data1 component
LogStream
since v2.1.0A live scrolling log viewer for security dashboards. Displays log lines with timestamp, severity level, source, and message. Supports regex/text filtering with match highlighting, pause/resume, and automatic scroll-to-bottom.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| lines | LogLine[] | [] | — | v2.1.0 | Array of log line objects to display. |
| maxLines | number | 100 | — | v2.1.0 | Maximum number of lines retained. Oldest lines are dropped when the limit is exceeded. |
| filter | string | "" | — | v2.1.0 | Plain text or regex filter applied to each line's message, source, and level fields. Matching text is highlighted in accent color. |
| paused | boolean | false | — | v2.1.0 | Controlled pause state. When true, auto-scroll stops and a PAUSED pill is shown. Omit to use internal state. |
| onPause | (paused: boolean) => void | — | — | v2.1.0 | Callback fired when the user clicks the pause/resume button. |
| title | string | "Log Stream" | — | v2.1.0 | Title shown in the header bar. |
| height | number | 280 | — | v2.1.0 | Pixel height of the scrollable log area. |
- LogLine.level accepts CRITICAL | HIGH | MEDIUM | LOW | INFO | DEBUG — DEBUG renders in textDim color, others use severity theme colors.
- If filter throws an invalid regex, LogStream falls back to case-insensitive plain-text matching.
- Auto-scroll uses scrollIntoView({ behavior: 'smooth' }) on a sentinel div — this only fires when paused is false.
Network & Infrastructure3 components
CertificateCard
since v2.1.0SSL/TLS certificate information card with live expiry countdown. Color-codes the expiry status: green (>30 days), amber (8–30 days), pulsing red (≤7 days), and red expired. Displays subject, issuer, validity range, key type, SHA-256 fingerprint, SANs, and chain of trust.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| subject | string | — | ✓ | v2.1.0 | Certificate subject, typically the CN (common name) such as 'api.example.com'. |
| issuer | string | — | ✓ | v2.1.0 | Certificate issuer, e.g. "Let's Encrypt R3" or "DigiCert Global CA". |
| validFrom | string | — | ✓ | v2.1.0 | ISO date string for when the certificate became valid (YYYY-MM-DD or full ISO 8601). |
| validTo | string | — | ✓ | v2.1.0 | ISO date string for expiry. This drives the expiry countdown and color logic. |
| fingerprint | string | — | — | v2.1.0 | SHA-256 fingerprint hex string. Truncated in the UI; click 'Copy' to copy the full value. |
| keyType | string | — | — | v2.1.0 | Key algorithm and size, e.g. 'RSA 2048' or 'EC P-256'. |
| sans | string[] | [] | — | v2.1.0 | Subject Alternative Names. Each SAN is rendered as a small monospace chip. |
| chain | string[] | [] | — | v2.1.0 | Certificate chain as a list of CA names, root-first. |
- Expiry is computed client-side on each render using Date.now() — no re-render interval is set, so the countdown refreshes only when the component re-renders.
- The fingerprint copy button uses navigator.clipboard.writeText — this requires a secure context (HTTPS or localhost).
IPReputationBadge
since v2.1.0Threat intelligence enrichment badge for IP addresses or domains. Shows a color-coded risk score (0=clean, 100=malicious), threat categories, and optional geo/ASN metadata. Three sizes: sm (inline), md (default card), lg (full detail card).
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| ip | string | — | ✓ | v2.1.0 | IP address or domain to display. Rendered in monospace. |
| score | number | — | ✓ | v2.1.0 | Risk score from 0 (clean) to 100 (malicious). 0–29 = success, 30–59 = warning, 60–79 = high, 80–100 = critical. |
| categories | ThreatCategory[] | [] | — | v2.1.0 | Threat categories to display as chips. Each category gets a severity-appropriate color. |
| country | string | — | — | v2.1.0 | 2-letter ISO country code (e.g. 'US', 'RU'). Renders a flag emoji if the country is in the built-in map. |
| asn | string | — | — | v2.1.0 | ASN string, e.g. 'AS15169 Google LLC'. Shown in lg size only. |
| size | "sm" | "md" | "lg" | "md" | — | v2.1.0 | sm = inline score + IP, md = score ring + IP + category chips, lg = full card. |
- ThreatCategory union: 'malware' | 'spam' | 'botnet' | 'phishing' | 'scanner' | 'proxy' | 'tor'.
- Flag emojis are rendered from a built-in map of 16 common country codes. Unknown codes fall back to 🌐.
FirewallRule
since v2.1.0Visual display for firewall / ACL policy rules. Shows a table of rules with priority, source, destination, protocol/port, and action badge. Disabled rules are shown at reduced opacity with a strikethrough action. Hover highlights each row.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| rules | FWRule[] | [] | — | v2.1.0 | Array of firewall rule objects to display. |
| title | string | "Firewall Rules" | — | v2.1.0 | Header title shown above the rule list. |
| compact | boolean | false | — | v2.1.0 | When true, renders a condensed single-line layout hiding comments and labels. |
- FWRule fields: id?, priority?, src, dst, proto? (TCP|UDP|ICMP|ANY|string), port?, action (allow|deny|drop|log), enabled? (default true), label?, comment?.
- action colors: allow = success, deny/drop = critical, log = accent.
Analytics2 components
VulnDonutChart
since v2.1.0Animated SVG donut/ring chart for vulnerability severity breakdown. Arcs sweep from 0 on mount. Each severity level gets its theme color. Shows total count in the center and a legend below. Respects prefers-reduced-motion.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| critical | number | 0 | — | v2.1.0 | Count of CRITICAL vulnerabilities. |
| high | number | 0 | — | v2.1.0 | Count of HIGH vulnerabilities. |
| medium | number | 0 | — | v2.1.0 | Count of MEDIUM vulnerabilities. |
| low | number | 0 | — | v2.1.0 | Count of LOW vulnerabilities. |
| info | number | 0 | — | v2.1.0 | Count of INFO-level findings. |
| size | number | 160 | — | v2.1.0 | SVG width and height in pixels. |
| label | string | "Total" | — | v2.1.0 | Center label shown below the total count number. |
| animated | boolean | true | — | v2.1.0 | Enables the arc sweep animation on mount. Automatically disabled when prefers-reduced-motion is set. |
- When all counts are 0, a single gray ring is shown with 'No vulnerabilities' as the center text.
- Arc gaps are 3 degrees. Arc stroke width is 18px. Arcs with 0 count are skipped entirely.
- The animation uses requestAnimationFrame (same as useAnimVal) — no CSS animation dependency.
ThreatRadar
since v2.1.0SVG radar/spider chart for visualizing security posture across 3–8 custom dimensions. Renders concentric polygon rings, spoke lines, and a filled polygon for the data. Animated sweep on mount. Respects prefers-reduced-motion.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| axes | RadarAxis[] | 6 default axes | — | v2.1.0 | Array of axis definitions. Each axis has a label (string), value (0–100), and optional max (default 100). 3–8 axes recommended. |
| size | number | 200 | — | v2.1.0 | SVG size in pixels. |
| label | string | — | — | v2.1.0 | Optional title rendered above the chart. |
| animated | boolean | true | — | v2.1.0 | Animates polygon vertices from center outward on mount. |
| showValues | boolean | false | — | v2.1.0 | Appends the numeric value in parentheses to each axis label. |
- Default axes (used when axes prop is omitted): Network 72, Endpoint 55, Identity 88, Data 41, Cloud 66, Compliance 90.
- The chart uses an eased cubic-out animation for the polygon sweep.
- Label anchor (start/middle/end) is computed automatically from each label's x position relative to the chart center.
UX1 component
CommandPalette
since v2.1.0A keyboard-searchable modal command palette, inspired by VS Code's command palette. Renders as a full-screen overlay with a search input and a grouped results list. Supports fuzzy text matching, keyboard navigation (↑↓ Enter Esc), and command groups.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| open | boolean | — | ✓ | v2.1.0 | Controls visibility. When true, the modal is mounted and the input auto-focused. |
| onClose | () => void | — | ✓ | v2.1.0 | Called when the user presses Esc, clicks the overlay, or executes a command. |
| commands | PaletteCommand[] | [] | — | v2.1.0 | List of available commands. Each command has id, label, action, and optional description, icon, group, keywords. |
| placeholder | string | "Search commands…" | — | v2.1.0 | Placeholder text shown in the search input. |
- Fuzzy matching checks label, description, and keywords fields case-insensitively. There is no edit-distance fuzzy — it uses String.includes().
- Keyboard listener is added/removed on document when open changes — the component does not trap focus.
- The animation references the paletteIn keyframe defined in globals.css. Ensure your app includes this file.
- PaletteCommand.action is called when the user selects a command — onClose is called immediately after.
Threat Hunting1 component
ThreatHunterQuery
since v2.1.0A threat hunting query viewer with language badge, MITRE ATT&CK technique mapping, confidence badge, and syntax highlighting for KQL, Sigma, and YARA. Includes a one-click copy button. Fully theme-aware.
| Prop | Type | Default | Req. | Since | Description |
|---|---|---|---|---|---|
| query | string | — | ✓ | v2.1.0 | The raw query string to display. Whitespace and newlines are preserved. |
| language | QueryLanguage | "KQL" | — | v2.1.0 | Query language badge. One of: KQL | SPL | YARA | Sigma | SQL | EQL | Lucene. |
| title | string | — | — | v2.1.0 | Optional display title shown in the header bar. |
| technique | string | — | — | v2.1.0 | MITRE ATT&CK technique ID, e.g. 'T1059.001'. Shown as a chip in the header. |
| tacticLabel | string | — | — | v2.1.0 | Human-readable tactic name, e.g. 'Execution'. Appended in parentheses after the technique ID. |
| confidence | "low" | "medium" | "high" | — | — | v2.1.0 | Detection confidence badge shown in the footer. high = success, medium = accent, low = warning. |
| author | string | — | — | v2.1.0 | Author name shown in the footer right-aligned. |
| tags | string[] | [] | — | v2.1.0 | Hashtag chips shown in the footer. |
- Syntax highlighting is applied via regex split + span wrapping — no external parser is used.
- Highlighted keywords: KQL (where, project, summarize, extend, join, let, union…), Sigma (detection:, condition:, title:…), YARA (rule, strings:, condition:…).
- Copy button uses navigator.clipboard.writeText — requires a secure context (HTTPS or localhost).
- QueryLanguage union: 'KQL' | 'SPL' | 'YARA' | 'Sigma' | 'SQL' | 'EQL' | 'Lucene'.