@7nsane/zift 1.1.0 → 1.2.0

package/bin/zift.js

@@ -12,22 +12,30 @@ async function main() {
   let target = '.';
   let format = 'text';
   let isInstallMode = false;
+  let installer = 'npm';
 
+  // 1. Setup Command
   if (args[0] === 'setup') {
     await runSetup();
     return;
   }
 
-  if (args[0] === 'install' || args[0] === 'i') {
+  // 2. Detection for bun/pnpm usage
+  if (args.includes('--bun')) installer = 'bun';
+  if (args.includes('--pnpm')) installer = 'pnpm';
+
+  // 3. Installation Verbs
+  if (args[0] === 'install' || args[0] === 'i' || args[0] === 'add') {
     isInstallMode = true;
     target = args.find((a, i) => i > 0 && !a.startsWith('-')) || '.';
   }
 
   if (args.includes('--zift')) {
     isInstallMode = true;
-    target = args.find(a => !a.startsWith('-') && !['install', 'i', 'npm'].includes(a)) || '.';
+    target = args.find(a => !a.startsWith('-') && !['install', 'i', 'add', 'npm', 'bun', 'pnpm'].includes(a)) || '.';
   }
 
+  // 4. Flags
   for (let i = 0; i < args.length; i++) {
     if (args[i] === '--format' && args[i + 1]) {
       format = args[i + 1];
@@ -35,26 +43,28 @@ async function main() {
     }
   }
 
+  // 5. No Args? Show Help
   if (args.length === 0) {
     showHelp();
     return;
   }
 
+  // 6. Execution
   const isLocal = fs.existsSync(target) && fs.lstatSync(target).isDirectory();
 
   if (isLocal) {
     await runLocalScan(target, format);
   } else {
-    await runRemoteAudit(target, format, isInstallMode);
+    await runRemoteAudit(target, format, installer);
   }
 }
 
 async function runSetup() {
   const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-  console.log(chalk.blue.bold('\n🛡️  Zift Secure Alias Setup'));
-  console.log(chalk.gray('Configure `npm install --zift` for automatic security audits.\n'));
+  console.log(chalk.blue.bold('\n🛡️  Zift Secure Alias Setup (Universal)'));
+  console.log(chalk.gray('Configure secure wrappers for npm, bun, and pnpm.\n'));
 
-  const question = chalk.white('Add the Zift secure wrapper to your shell profile? (y/n): ');
+  const question = chalk.white('Add secure wrappers to your shell profile? (y/n): ');
 
   rl.question(question, (answer) => {
     rl.close();
@@ -66,74 +76,47 @@ async function runSetup() {
         } else {
           reloadCmd = setupUnix();
         }
-        console.log(chalk.green('\n✅ Setup complete! Profile updated.'));
-        console.log(chalk.yellow.bold(`\nTo activate IMMEDIATELY, run this command:`));
-        console.log(chalk.cyan.inverse(`  ${reloadCmd}  \n`));
-        console.log(chalk.gray('Alternatively, simply restart your terminal.'));
+        console.log(chalk.green('\n✅ Setup complete! All package managers are now secured.'));
+        console.log(chalk.yellow.bold(`\nTo activate IMMEDIATELY, run: `) + chalk.cyan.inverse(` ${reloadCmd} `));
       } catch (e) {
         console.error(chalk.red('\n❌ Setup failed: ') + e.message);
       }
-    } else {
-      console.log(chalk.yellow('\nSetup cancelled.'));
     }
   });
 }
 
 function setupWindows() {
   const psFunction = `
-# Zift Secure Alias
-function npm {
-    if ($args -contains "--zift") {
-        $pkg = $args | Where-Object { $_ -ne "install" -and $_ -ne "i" -and $_ -ne "--zift" } | Select-Object -First 1
-        Write-Host "\n🛡️ Zift: Intercepting installation for audit...\n" -ForegroundColor Green
-        npx @7nsane/zift@latest install $pkg
-    } else {
-        & (Get-Command npm.cmd).Definition @args
-    }
-}
+# Zift Secure Wrappers
+function npm { if ($args -contains "--zift") { npx @7nsane/zift@latest install ($args | Where-Object { $_ -ne "install" -and $_ -ne "i" -and $_ -ne "--zift" } | Select-Object -First 1) } else { & (Get-Command npm.cmd).Definition @args } }
+function bun { if ($args -contains "--zift") { npx @7nsane/zift@latest install ($args | Where-Object { $_ -ne "add" -and $_ -ne "install" -and $_ -ne "--zift" } | Select-Object -First 1) --bun } else { & (Get-Command bun.exe).Definition @args } }
+function pnpm { if ($args -contains "--zift") { npx @7nsane/zift@latest install ($args | Where-Object { $_ -ne "add" -and $_ -ne "install" -and $_ -ne "i" -and $_ -ne "--zift" } | Select-Object -First 1) --pnpm } else { & (Get-Command pnpm.cmd).Definition @args } }
 `;
   const profilePath = cp.execSync('powershell -NoProfile -Command "echo $PROFILE"').toString().trim();
-  const profileDir = path.dirname(profilePath);
-  if (!fs.existsSync(profileDir)) fs.mkdirSync(profileDir, { recursive: true });
   fs.appendFileSync(profilePath, psFunction);
   return '. $PROFILE';
 }
 
 function setupUnix() {
-  const bashFunction = `
-# Zift Secure Alias
-npm() {
+  const wrapperPattern = (cmd, aliasCmd) => `
+${cmd}() {
   if [[ "$*" == *"--zift"* ]]; then
-    pkg=$(echo "$@" | sed 's/install//g; s/ i //g; s/--zift//g' | xargs)
-    npx @7nsane/zift@latest install $pkg
+    pkg=$(echo "$@" | sed 's/install//g; s/add//g; s/ i //g; s/--zift//g' | xargs)
+    npx @7nsane/zift@latest install $pkg --${cmd}
   else
-    command npm "$@"
+    command ${cmd} "$@"
   fi
 }
 `;
+  const shellFunctions = wrapperPattern('npm') + wrapperPattern('bun') + wrapperPattern('pnpm');
   const home = os.homedir();
   const profiles = [path.join(home, '.bashrc'), path.join(home, '.zshrc')];
-  let reloadTarget = '~/.zshrc';
-  profiles.forEach(p => {
-    if (fs.existsSync(p)) {
-      fs.appendFileSync(p, bashFunction);
-      if (p.endsWith('.bashrc')) reloadTarget = '~/.bashrc';
-    }
-  });
-  return `source ${reloadTarget}`;
+  profiles.forEach(p => { if (fs.existsSync(p)) fs.appendFileSync(p, shellFunctions); });
+  return 'source ~/.zshrc # or ~/.bashrc';
 }
 
-async function runLocalScan(targetDir, format) {
-  const scanner = new PackageScanner(targetDir);
-  if (format === 'text') console.log(chalk.blue(`\n🔍 Scanning local directory: ${path.resolve(targetDir)}`));
-  try {
-    const findings = await scanner.scan();
-    handleFindings(findings, format, targetDir);
-  } catch (err) { handleError(err, format); }
-}
-
-async function runRemoteAudit(packageName, format, installOnSuccess) {
-  if (format === 'text') console.log(chalk.blue(`\n🌍 Remote Audit: Pre-scanning package '${packageName}'...`));
+async function runRemoteAudit(packageName, format, installer) {
+  if (format === 'text') console.log(chalk.blue(`\n🌍 Remote Audit [via ${installer}]: Pre-scanning '${packageName}'...`));
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'zift-audit-'));
   try {
     cp.execSync(`npm pack ${packageName}`, { cwd: tmpDir, stdio: 'ignore' });
@@ -144,22 +127,20 @@ async function runRemoteAudit(packageName, format, installOnSuccess) {
     const findings = await scanner.scan();
     handleFindings(findings, format, scanPath, true);
 
-    if (format === 'text') {
-      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-      const promptText = findings.length > 0
-        ? chalk.yellow(`\n⚠️  Suspicious patterns found. Still install '${packageName}'? (y/n): `)
-        : chalk.blue(`\nAudit passed. Proceed with installation of '${packageName}'? (y/n): `);
-
-      rl.question(promptText, (answer) => {
-        rl.close();
-        if (['y', 'yes'].includes(answer.toLowerCase())) {
-          console.log(chalk.blue(`\n📦 Installing ${packageName}...`));
-          cp.execSync(`npm install ${packageName}`, { stdio: 'inherit' });
-          console.log(chalk.green(`\n✅ ${packageName} installed successfully.`));
-        }
-        cleanupAndExit(tmpDir, 0);
-      });
-    } else { cleanupAndExit(tmpDir, 0); }
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const promptText = findings.length > 0
+      ? chalk.yellow(`\n⚠️  Suspicious patterns found. Still install '${packageName}' with ${installer}? (y/n): `)
+      : chalk.blue(`\nAudit passed. Proceed with installation of '${packageName}' via ${installer}? (y/n): `);
+
+    rl.question(promptText, (answer) => {
+      rl.close();
+      if (['y', 'yes'].includes(answer.toLowerCase())) {
+        console.log(chalk.blue(`\n📦 Running '${installer} install ${packageName}'...`));
+        const installCmd = installer === 'bun' ? `bun add ${packageName}` : installer === 'pnpm' ? `pnpm add ${packageName}` : `npm install ${packageName}`;
+        try { cp.execSync(installCmd, { stdio: 'inherit' }); } catch (err) { }
+      }
+      cleanupAndExit(tmpDir, 0);
+    });
   } catch (err) { cleanupAndExit(tmpDir, 1); }
 }
 
@@ -183,11 +164,11 @@ function handleFindings(findings, format, targetDir, skipExit = false) {
 }
 
 function showHelp() {
-  console.log(chalk.blue.bold('\n🛡️  Zift - The Elite Security Scanner\n'));
+  console.log(chalk.blue.bold('\n🛡️  Zift - Universal Security Scanner\n'));
   console.log('Usage:');
-  console.log('  zift setup           Configure secure npm wrapper');
-  console.log('  zift install <pkg>   Audit and install package');
-  console.log('  zift .               Scan local directory');
+  console.log('  zift setup           Secure npm, bun, and pnpm');
+  console.log('  zift install <pkg>   Scan and install package');
+  console.log('  --bun / --pnpm       Use a specific installer');
 }
 
 function cleanupAndExit(dir, code) {
@@ -200,4 +181,16 @@ function handleError(err, format) {
   process.exit(1);
 }
 
+function getSummary(findings) {
+  const s = { Critical: 0, High: 0, Medium: 0, Low: 0 };
+  findings.forEach(f => s[f.classification]++);
+  return s;
+}
+
+function printSummary(findings) {
+  const s = getSummary(findings);
+  console.log(chalk.bold('Severity Summary:'));
+  console.log(chalk.red(`  Critical: ${s.Critical}\n  High:     ${s.High}`));
+}
+
 main();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@7nsane/zift",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "A high-performance, deterministic security scanner for npm packages.",
   "main": "src/scanner.js",
   "bin": {

package/src/collector.js

@@ -48,7 +48,6 @@ class ASTCollector {
             CallExpression: (node) => {
                 const calleeCode = this.getSourceCode(node.callee);
 
-                // Detect eval / Function
                 if (calleeCode === 'eval' || calleeCode === 'Function') {
                     this.facts.DYNAMIC_EXECUTION.push({
                         file: filePath,
@@ -57,7 +56,6 @@ class ASTCollector {
                     });
                 }
 
-                // Detect Sinks
                 if (this.isNetworkSink(calleeCode)) {
                     this.facts.NETWORK_SINK.push({
                         file: filePath,
@@ -66,7 +64,6 @@ class ASTCollector {
                     });
                 }
 
-                // Detect Sources
                 if (this.isSensitiveFileRead(calleeCode, node)) {
                     this.facts.FILE_READ_SENSITIVE.push({
                         file: filePath,
@@ -77,11 +74,10 @@ class ASTCollector {
             },
             MemberExpression: (node) => {
                 const objectCode = this.getSourceCode(node.object);
-                // Detect process.env
                 if (objectCode === 'process.env' || objectCode === 'process["env"]' || objectCode === "process['env']") {
                     const property = node.property.name || (node.property.type === 'Literal' ? node.property.value : null);
                     const whitelist = ['NODE_ENV', 'TIMING', 'DEBUG', 'VERBOSE', 'CI', 'APPDATA', 'HOME', 'USERPROFILE', 'PATH', 'PWD'];
-                    if (whitelist.includes(property)) return; // Whitelist common env check
+                    if (whitelist.includes(property)) return;
 
                     this.facts.ENV_READ.push({
                         file: filePath,
@@ -100,6 +96,39 @@ class ASTCollector {
                         line: node.loc.start.line
                     });
                 }
+            },
+            AssignmentExpression: (node) => {
+                if (node.left.type === 'MemberExpression' && node.right.type === 'Identifier') {
+                    // Track property assignments: obj.prop = taintedVar
+                    const from = this.getSourceCode(node.right);
+                    const to = this.getSourceCode(node.left);
+                    this.flows.push({
+                        fromVar: from,
+                        toVar: to,
+                        file: filePath,
+                        line: node.loc.start.line
+                    });
+                }
+            },
+            ObjectExpression: (node, state, ancestors) => {
+                // Track object literal property assignments: const x = { p: process.env }
+                const parent = ancestors[ancestors.length - 2];
+                if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
+                    const objName = parent.id.name;
+                    node.properties.forEach(prop => {
+                        if (prop.value.type === 'MemberExpression') {
+                            const valCode = this.getSourceCode(prop.value);
+                            if (valCode.includes('process.env')) {
+                                this.flows.push({
+                                    fromVar: valCode,
+                                    toVar: `${objName}.${this.getSourceCode(prop.key)}`,
+                                    file: filePath,
+                                    line: prop.loc.start.line
+                                });
+                            }
+                        }
+                    });
+                }
             }
         });