@arcis/node 1.4.4 → 1.5.0

package/dist/validation/redirect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redirect.d.ts","sourceRoot":"","sources":["../../src/validation/redirect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,sCAAsC;AACtC,MAAM,WAAW,uBAAuB;IACtC,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,mEAAmE;IACnE,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED,oCAAoC;AACpC,MAAM,WAAW,sBAAsB;IACrC,uCAAuC;IACvC,IAAI,EAAE,OAAO,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,uBAA4B,GACpC,sBAAsB,CAqExB;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,uBAA4B,GAAG,OAAO,CAE1F"}
+{"version":3,"file":"redirect.d.ts","sourceRoot":"","sources":["../../src/validation/redirect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,sCAAsC;AACtC,MAAM,WAAW,uBAAuB;IACtC,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,mEAAmE;IACnE,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED,oCAAoC;AACpC,MAAM,WAAW,sBAAsB;IACrC,uCAAuC;IACvC,IAAI,EAAE,OAAO,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,uBAA4B,GACpC,sBAAsB,CA2ExB;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,uBAA4B,GAAG,OAAO,CAE1F"}

package/dist/validation/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/validation/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAkB,MAAM,eAAe,CAAC;AAGtE;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,QAAQ,CACtB,MAAM,EAAE,gBAAgB,EACxB,MAAM,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,GAC3C,cAAc,CA0BhB;AAoKD;;;GAGG;AACH,eAAO,MAAM,eAAe,iBAAW,CAAC"}
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/validation/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAkB,MAAM,eAAe,CAAC;AAGtE;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,QAAQ,CACtB,MAAM,EAAE,gBAAgB,EACxB,MAAM,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,GAC3C,cAAc,CAkChB;AAoKD;;;GAGG;AACH,eAAO,MAAM,eAAe,iBAAW,CAAC"}

package/dist/validation/url-async.d.ts

@@ -0,0 +1,137 @@
+/**
+ * @module @arcis/node/validation/url-async
+ *
+ * Async SSRF guard that closes the DNS-rebinding TOCTOU gap left open
+ * by the synchronous `validateUrl` (sdk-vectors.md #31, issue #50).
+ *
+ * The synchronous `validateUrl` only checks the *string form* of the
+ * hostname. It catches obvious cases — `127.0.0.1`, `10.0.0.1`,
+ * `169.254.169.254` — but a hostname like `evil.com` passes through
+ * even when its DNS A-record points to `10.0.0.1`, because resolution
+ * happens later inside `fetch`. An attacker controlling the
+ * `evil.com` zone can also rebind the answer between Arcis's check
+ * and the actual TCP connect, which is the classic DNS TOCTOU.
+ *
+ * Two layers of fix shipped here:
+ *
+ * 1. **`validateUrlAsync(url, options)`** — runs the existing sync
+ *    `validateUrl` first, then `dns.lookup(hostname, { all: true })`,
+ *    then re-runs the same private-range check on every resolved
+ *    address. Returns the pinned IP list so callers can reuse it for
+ *    the actual connection (closing the TOCTOU window).
+ *
+ * 2. **`pinnedDnsLookup(ip)`** — returns a Node `lookup` callback
+ *    that resolves any hostname to the pre-validated IP. Wire this
+ *    into `https.request({ lookup })` / `http.request({ lookup })`
+ *    so the connection uses the IP Arcis already validated, not
+ *    whatever DNS returns at connect time. Pure stdlib — no undici,
+ *    no extra dep.
+ *
+ * 3. **`safeFollowRedirect(prev, location, options)`** — when the
+ *    server replies 30x, run the same async guard against the new
+ *    Location URL. Resolves the absolute URL using the previous
+ *    response URL as base. Caller decides whether to follow.
+ *
+ * The function signatures keep `lookup` injectable so tests can
+ * substitute a fake resolver without monkey-patching `node:dns`.
+ *
+ * ```ts
+ * import https from 'node:https';
+ * import { validateUrlAsync, pinnedDnsLookup } from '@arcis/node';
+ *
+ * const result = await validateUrlAsync(url);
+ * if (!result.safe) throw new Error(result.reason);
+ *
+ * https.get(url, { lookup: pinnedDnsLookup(result.resolvedIp!) }, (res) => {
+ *   // The TCP connect now goes to result.resolvedIp regardless of
+ *   // what DNS would say at this exact moment.
+ * });
+ * ```
+ */
+import { type ValidateUrlOptions, type ValidateUrlResult } from './url';
+/**
+ * Subset of `dns.lookup`'s `{ all: true }` callback signature. Kept
+ * narrow so a test fake can satisfy it without depending on Node's
+ * full `LookupAddress` type.
+ */
+export type LookupAddress = {
+    address: string;
+    family: number;
+};
+/**
+ * Function shape compatible with `dns.lookup(hostname, { all: true })`.
+ * Returns a list of resolved addresses. Tests inject a fake.
+ */
+export type DnsLookup = (hostname: string) => Promise<LookupAddress[]>;
+export interface ValidateUrlAsyncOptions extends ValidateUrlOptions {
+    /**
+     * DNS lookup function. Defaults to a Promise wrapper around
+     * `dns.lookup(hostname, { all: true })`. Tests inject a stub.
+     */
+    lookup?: DnsLookup;
+    /**
+     * If true, accept the first non-private IP and ignore the rest.
+     * Default false: every resolved IP must pass the private-range
+     * check. Hosts with mixed-public/private answers (round-robin DNS
+     * with one internal record) still fail-closed.
+     */
+    acceptFirstPublic?: boolean;
+}
+export interface ValidateUrlAsyncResult extends ValidateUrlResult {
+    /**
+     * Single pinned IP (the first public address if all checks passed,
+     * or undefined when the string-only synchronous validator already
+     * decided — e.g., the hostname *was* a literal IP). Use this with
+     * `pinnedDnsLookup()` to wire the actual fetch.
+     */
+    resolvedIp?: string;
+    /** Every IP returned by DNS, in resolver order. */
+    resolvedIps?: string[];
+}
+/**
+ * Async SSRF guard with DNS resolution. Runs the sync validator
+ * first, then resolves DNS and validates every returned IP against
+ * the same private-range rules. Returns a pinned IP for the caller
+ * to reuse.
+ *
+ * Failure modes (any returns `{ safe: false, reason }`):
+ * - Sync validator already rejects (string-pattern fail).
+ * - DNS lookup throws (NXDOMAIN, network error). Reason carries the
+ *   underlying error message.
+ * - DNS returns no addresses.
+ * - Any resolved address fails the private-range check (default) or
+ *   *all* fail it when `acceptFirstPublic` is true.
+ */
+export declare function validateUrlAsync(url: string, options?: ValidateUrlAsyncOptions): Promise<ValidateUrlAsyncResult>;
+/**
+ * Build a `lookup` callback that pins the resolution to a single
+ * pre-validated IP, regardless of what DNS would say at connect time.
+ * Drop into `https.request({ lookup })` / `http.request({ lookup })`.
+ *
+ * Closes the TOCTOU window between `validateUrlAsync` and the actual
+ * TCP connect. The pinned IP must be one that already passed the
+ * async validator — wiring it without that check defeats the purpose.
+ *
+ * The returned function matches Node's `dns.lookup` callback shape
+ * for the `{ all: false, family: 0 }` case (single address). The
+ * default Node http/https stack uses that shape.
+ */
+export declare function pinnedDnsLookup(ip: string): (hostname: string, options: {
+    family?: number;
+    hints?: number;
+    verbatim?: boolean;
+}, callback: (err: NodeJS.ErrnoException | null, address: string, family: number) => void) => void;
+/**
+ * Validate a redirect target with the same TOCTOU-aware pipeline.
+ *
+ * `prev` is the URL of the response that returned the 30x; `location`
+ * is the raw `Location:` header value (which may be relative). The
+ * function resolves `location` against `prev` per RFC 3986 then runs
+ * `validateUrlAsync` on the absolute result.
+ *
+ * Use this on every hop of a redirect chain. Without it, a server
+ * that you trust today can redirect tomorrow's request to
+ * `http://169.254.169.254/`.
+ */
+export declare function safeFollowRedirect(prev: string, location: string, options?: ValidateUrlAsyncOptions): Promise<ValidateUrlAsyncResult>;
+//# sourceMappingURL=url-async.d.ts.map

package/dist/validation/url-async.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-async.d.ts","sourceRoot":"","sources":["../../src/validation/url-async.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAGH,OAAO,EAAe,KAAK,kBAAkB,EAAE,KAAK,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAErF;;;;GAIG;AACH,MAAM,MAAM,aAAa,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhE;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;AAUvE,MAAM,WAAW,uBAAwB,SAAQ,kBAAkB;IACjE;;;OAGG;IACH,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAuB,SAAQ,iBAAiB;IAC/D;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mDAAmD;IACnD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AA0BD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,sBAAsB,CAAC,CA4DjC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,eAAe,CAC7B,EAAE,EAAE,MAAM,GACT,CACD,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;CAAE,EAChE,QAAQ,EAAE,CAAC,GAAG,EAAE,MAAM,CAAC,cAAc,GAAG,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,KACnF,IAAI,CAQR;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,sBAAsB,CAAC,CAWjC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@arcis/node",
-  "version": "1.4.4",
-  "description": "Zero-dependency security middleware for Node.js. Protects against XSS, SQL injection, CSRF, SSRF, HPP, rate limiting, bot detection, and 15+ more attack types. Supply chain attack scanner included.",
+  "version": "1.5.0",
+  "description": "Inside-the-app security middleware for Node.js. One install protects Express, NestJS, SvelteKit, Astro, Nuxt, Bun + Hono against XSS, SQL injection, CSRF, SSRF, HPP, prompt injection, bot traffic, rate limiting, and 20+ more attack types. Includes prompt-injection signature library, LLM token-budget middleware, 646-pattern bot corpus, and the @arcis/cli supply-chain scanner.",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
   "types": "dist/index.d.ts",
@@ -50,14 +50,57 @@
       "types": "./dist/telemetry/index.d.ts",
       "import": "./dist/telemetry/index.mjs",
       "require": "./dist/telemetry/index.js"
+    },
+    "./fastify": {
+      "types": "./dist/fastify/index.d.ts",
+      "import": "./dist/fastify/index.mjs",
+      "require": "./dist/fastify/index.js"
+    },
+    "./koa": {
+      "types": "./dist/koa/index.d.ts",
+      "import": "./dist/koa/index.mjs",
+      "require": "./dist/koa/index.js"
+    },
+    "./nestjs": {
+      "types": "./dist/nestjs/index.d.ts",
+      "import": "./dist/nestjs/index.mjs",
+      "require": "./dist/nestjs/index.js"
+    },
+    "./nextjs": {
+      "types": "./dist/nextjs/index.d.ts",
+      "import": "./dist/nextjs/index.mjs",
+      "require": "./dist/nextjs/index.js"
+    },
+    "./sveltekit": {
+      "types": "./dist/sveltekit/index.d.ts",
+      "import": "./dist/sveltekit/index.mjs",
+      "require": "./dist/sveltekit/index.js"
+    },
+    "./astro": {
+      "types": "./dist/astro/index.d.ts",
+      "import": "./dist/astro/index.mjs",
+      "require": "./dist/astro/index.js"
+    },
+    "./nuxt": {
+      "types": "./dist/nuxt/index.d.ts",
+      "import": "./dist/nuxt/index.mjs",
+      "require": "./dist/nuxt/index.js"
+    },
+    "./bun": {
+      "types": "./dist/bun/index.d.ts",
+      "import": "./dist/bun/index.mjs",
+      "require": "./dist/bun/index.js"
+    },
+    "./hono": {
+      "types": "./dist/hono/index.d.ts",
+      "import": "./dist/hono/index.mjs",
+      "require": "./dist/hono/index.js"
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "scripts/postinstall.cjs"
   ],
-  "bin": {
-    "arcis": "./dist/cli/arcis.mjs"
-  },
   "scripts": {
     "build": "tsup && tsc --emitDeclarationOnly --declaration --declarationMap",
     "dev": "tsup --watch",
@@ -68,7 +111,8 @@
     "test:coverage": "vitest --coverage",
     "lint": "eslint src",
     "typecheck": "tsc --noEmit",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "postinstall": "node scripts/postinstall.cjs"
   },
   "keywords": [
     "security",
@@ -100,6 +144,7 @@
     "express": ">=4.0.0"
   },
   "devDependencies": {
+    "@nestjs/common": "^11.1.19",
     "@types/express": "^5.0.6",
     "@types/node": "^25.5.0",
     "@typescript-eslint/eslint-plugin": "^8.58.0",

package/scripts/postinstall.cjs

@@ -0,0 +1,26 @@
+/* eslint-disable */
+// Postinstall notice for @arcis/node.
+//
+// Surface the fact that the Arcis CLI (audit / scan / sca) ships as a
+// separate native binary. Without this message, users who installed the
+// Node SDK type `arcis` in their shell, get "command not found", and
+// assume the package is broken.
+//
+// Skip in CI / non-TTY / when npm asks us not to log.
+if (process.env.CI || process.env.ARCIS_SKIP_NOTICE) return;
+
+const isTTY = process.stdout && process.stdout.isTTY;
+const c = (s, code) => (isTTY ? `\x1b[${code}m${s}\x1b[0m` : s);
+
+const lines = [
+  '',
+  c('  Arcis Node SDK installed.', '1;36'),
+  '',
+  c('  The CLI (audit / scan / sca) ships separately as a native binary:', '2'),
+  c('    npm install -g @arcis/cli', '32'),
+  '',
+  c('  This package is the SDK / middleware. It does not put a CLI on', '2'),
+  c('  your shell PATH. Docs: https://gagancm.github.io/arcis/documentation/cli.html', '2'),
+  '',
+];
+for (const line of lines) console.log(line);

package/dist/cli/arcis.d.ts

@@ -1,23 +0,0 @@
-#!/usr/bin/env node
-/**
- * @arcis/node — `arcis` CLI dispatcher.
- *
- * Surface (mirrors the Python CLI's discovery layer):
- *
- *   arcis              → catalog
- *   arcis --list       → catalog with examples
- *   arcis --help / -h  → catalog + run-cmd hint
- *   arcis --version / -V
- *   arcis update [--apply] [--check]
- *   arcis scan / audit / sca → forward to Python `arcis` if on PATH,
- *                              else print install hint
- *
- * Why we delegate scan/audit/sca to Python rather than re-implementing:
- * the threat database, audit rules, and attack-payload catalog are
- * Python-side data files. Maintaining two copies means drift; one
- * canonical CLI + a thin Node forwarder is simpler. The Node binary
- * exists primarily so users who installed `@arcis/node` from npm get
- * the same `arcis update` / discovery UX as Python users.
- */
-export {};
-//# sourceMappingURL=arcis.d.ts.map

package/dist/cli/arcis.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"arcis.d.ts","sourceRoot":"","sources":["../../src/cli/arcis.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;GAmBG"}

package/dist/cli/arcis.js

@@ -1,312 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-var child_process = require('child_process');
-var fs = require('fs');
-var path = require('path');
-var url = require('url');
-
-var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
-var USE_COLOR = !process.env.NO_COLOR && process.stdout.isTTY === true;
-function c(text, ...codes) {
-  if (!USE_COLOR) return text;
-  return codes.join("") + text + "\x1B[0m";
-}
-var BOLD = "\x1B[1m";
-var DIM = "\x1B[2m";
-var GREEN = "\x1B[32m";
-var YELLOW = "\x1B[33m";
-var CYAN = "\x1B[36m";
-var RED = "\x1B[31m";
-function getInstalledVersion() {
-  try {
-    const here = url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('arcis.js', document.baseURI).href)));
-    let dir = path.dirname(here);
-    for (let i = 0; i < 6; i++) {
-      try {
-        const raw = fs.readFileSync(path.resolve(dir, "package.json"), "utf-8");
-        const pkg = JSON.parse(raw);
-        if (pkg.name === "@arcis/node" && pkg.version) {
-          return pkg.version;
-        }
-      } catch {
-      }
-      const parent = path.resolve(dir, "..");
-      if (parent === dir) break;
-      dir = parent;
-    }
-  } catch {
-  }
-  return "?";
-}
-async function fetchLatestVersion() {
-  try {
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), 5e3);
-    try {
-      const resp = await fetch("https://registry.npmjs.org/@arcis/node", {
-        headers: { Accept: "application/json" },
-        signal: controller.signal
-      });
-      if (!resp.ok) return null;
-      const data = await resp.json();
-      return data["dist-tags"]?.latest ?? null;
-    } finally {
-      clearTimeout(timer);
-    }
-  } catch {
-    return null;
-  }
-}
-function parseVersion(v) {
-  const parts = v.split(".");
-  const out = [];
-  for (const p of parts) {
-    if (!/^\d+$/.test(p)) return null;
-    out.push(Number(p));
-  }
-  return out;
-}
-function versionCompare(a, b) {
-  const len = Math.max(a.length, b.length);
-  for (let i = 0; i < len; i++) {
-    const x = a[i] ?? 0;
-    const y = b[i] ?? 0;
-    if (x < y) return -1;
-    if (x > y) return 1;
-  }
-  return 0;
-}
-function hasPythonArcis() {
-  const probes = [
-    { cmd: "arcis", args: ["--version"] },
-    { cmd: "python", args: ["-m", "arcis.cli", "--version"] },
-    { cmd: "python3", args: ["-m", "arcis.cli", "--version"] }
-  ];
-  for (const p of probes) {
-    try {
-      const result = child_process.spawnSync(p.cmd, p.args, {
-        stdio: ["ignore", "ignore", "ignore"],
-        timeout: 3e3,
-        shell: process.platform === "win32"
-      });
-      if (result.status === 0) return true;
-    } catch {
-    }
-  }
-  return false;
-}
-function forwardToPython(args) {
-  const candidates = [
-    { cmd: "arcis", args },
-    { cmd: "python", args: ["-m", "arcis.cli", ...args] },
-    { cmd: "python3", args: ["-m", "arcis.cli", ...args] }
-  ];
-  for (const cand of candidates) {
-    const result = child_process.spawnSync(cand.cmd, cand.args, {
-      stdio: "inherit",
-      shell: process.platform === "win32"
-    });
-    if (result.error) continue;
-    process.exit(result.status ?? 0);
-  }
-  console.error(
-    c("arcis: could not invoke the Python CLI. Install with:", RED, BOLD)
-  );
-  console.error("  pip install arcis");
-  process.exit(127);
-}
-function printCatalog(verbose) {
-  const ver = getInstalledVersion();
-  console.log();
-  console.log(`  ${c("Arcis", BOLD, CYAN)}  ${c(`v${ver}`, DIM)}  ${c("(node)", DIM)}`);
-  console.log(c("  Zero-dep security middleware + scanners.", DIM));
-  console.log();
-  console.log(c("  Commands", BOLD));
-  const rows = [
-    [
-      "scan",
-      "Send live attack payloads to a running app.",
-      "arcis scan http://localhost:8000 --route POST:/echo --field q"
-    ],
-    [
-      "audit",
-      "Static-analyse Python / JS / TS source for unsafe patterns.",
-      "arcis audit ."
-    ],
-    [
-      "sca",
-      "Match installed dependencies against the supply-chain threat DB.",
-      "arcis sca ."
-    ],
-    ["update", "Check npm for a newer @arcis/node release.", "arcis update --apply"]
-  ];
-  for (const [name, desc, example] of rows) {
-    console.log(`    ${c(name.padEnd(8), BOLD, GREEN)} ${desc}`);
-    if (verbose) {
-      console.log(`             ${c(example, DIM)}`);
-    }
-  }
-  console.log();
-  console.log(c("  Discovery", BOLD));
-  console.log(`    ${c("--list", BOLD, CYAN).padEnd(24)} Show this catalog (verbose).`);
-  console.log(
-    `    ${c("<cmd> --help", BOLD, CYAN).padEnd(24)} Show full flags for that command.`
-  );
-  console.log();
-  console.log(c("  Note", BOLD));
-  console.log(
-    `    scan/audit/sca delegate to the Python CLI (canonical impl).`
-  );
-  console.log(`    Install once with:  ${c("pip install arcis", GREEN)}`);
-  console.log();
-}
-async function updateCommand(args) {
-  const apply = args.includes("--apply");
-  const check = args.includes("--check");
-  const yes = args.includes("--yes") || args.includes("-y");
-  const current = getInstalledVersion();
-  const latest = await fetchLatestVersion();
-  if (check) {
-    if (latest === null) {
-      console.error("arcis: could not reach npm to check for updates");
-      process.exitCode = 2;
-      return;
-    }
-    const cur2 = parseVersion(current);
-    const lat2 = parseVersion(latest);
-    if (!cur2 || !lat2 || versionCompare(cur2, lat2) >= 0) {
-      console.log(`@arcis/node ${current} is up-to-date`);
-      process.exitCode = 0;
-      return;
-    }
-    console.error(`@arcis/node ${current} is outdated; latest is ${latest}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log();
-  console.log(c("  @arcis/node update check", BOLD, CYAN));
-  console.log(c("  Source: https://registry.npmjs.org/@arcis/node", DIM));
-  console.log();
-  if (latest === null) {
-    console.log(`    Installed   @arcis/node ${current}`);
-    console.log(
-      `    Latest      ${c("? unreachable", YELLOW)}  ${c("(network error or npm down)", DIM)}`
-    );
-    console.log();
-    console.log(c("  Try again later, or run 'npm view @arcis/node version' directly.", DIM));
-    console.log();
-    process.exitCode = 2;
-    return;
-  }
-  const cur = parseVersion(current);
-  const lat = parseVersion(latest);
-  if (!cur || !lat) {
-    console.log(
-      `    Installed   @arcis/node ${current}  ${c("(pre-release or unparseable)", DIM)}`
-    );
-    console.log(`    Latest      @arcis/node ${latest}`);
-    console.log();
-    console.log(c("  Skipping comparison \u2014 manually decide.", DIM));
-    console.log();
-    process.exitCode = 0;
-    return;
-  }
-  if (versionCompare(cur, lat) >= 0) {
-    console.log(`    Installed   @arcis/node ${current}`);
-    console.log(`    Latest      @arcis/node ${latest}`);
-    console.log();
-    console.log(c("  You are on the latest version.", BOLD, GREEN));
-    console.log();
-    process.exitCode = 0;
-    return;
-  }
-  console.log(`    Installed   @arcis/node ${current}`);
-  console.log(
-    `    Latest      ${c(`@arcis/node ${latest}`, BOLD)}  ${c("(update available)", YELLOW)}`
-  );
-  console.log();
-  console.log(c("  Run to upgrade", BOLD));
-  console.log(`    ${c("npm install @arcis/node@latest", GREEN)}`);
-  console.log();
-  if (!apply) {
-    console.log(c("  Or rerun: 'arcis update --apply' to upgrade in place.", DIM));
-    console.log();
-    process.exitCode = 1;
-    return;
-  }
-  if (!yes && process.stdin.isTTY) {
-    process.stdout.write("Upgrade now? [y/N] ");
-    const response = await new Promise((res) => {
-      process.stdin.once("data", (chunk) => res(chunk.toString().trim().toLowerCase()));
-    });
-    if (!response.startsWith("y")) {
-      process.exitCode = 1;
-      return;
-    }
-  }
-  const npmCmd = process.platform === "win32" ? "npm.cmd" : "npm";
-  console.log(`  $ ${npmCmd} install @arcis/node@latest`);
-  const result = child_process.spawnSync(npmCmd, ["install", "@arcis/node@latest"], {
-    stdio: "inherit"
-  });
-  process.exitCode = result.status ?? 1;
-}
-async function main() {
-  const args = process.argv.slice(2);
-  if (args.length === 0) {
-    printCatalog(false);
-    process.exit(0);
-  }
-  const arg0 = args[0];
-  if (arg0 === "--list" || arg0 === "-l") {
-    printCatalog(true);
-    process.exit(0);
-  }
-  if (arg0 === "-h" || arg0 === "--help") {
-    printCatalog(false);
-    console.log(c("  Run 'arcis <command> --help' for full flags.", DIM));
-    console.log();
-    process.exit(0);
-  }
-  if (arg0 === "-V" || arg0 === "--version") {
-    console.log(getInstalledVersion());
-    process.exit(0);
-  }
-  if (arg0 === "update") {
-    await updateCommand(args.slice(1));
-    return;
-  }
-  if (arg0 === "scan" || arg0 === "audit" || arg0 === "sca") {
-    if (!hasPythonArcis()) {
-      console.error(
-        c(
-          `arcis: '${arg0}' is implemented by the Python CLI. Install with:`,
-          YELLOW,
-          BOLD
-        )
-      );
-      console.error("  pip install arcis");
-      console.error();
-      console.error(c("Why: scan/audit/sca rely on Python's threat-DB and rule data.", DIM));
-      console.error(
-        c(
-          "@arcis/node implements the middleware + dashboard upload \u2014 see the docs.",
-          DIM
-        )
-      );
-      process.exit(127);
-    }
-    forwardToPython(args);
-    return;
-  }
-  console.error(`arcis: unknown command '${arg0}'`);
-  console.error("Run 'arcis --list' for available commands.");
-  process.exit(1);
-}
-main().catch((err) => {
-  console.error(c(`arcis: unexpected error: ${err}`, RED));
-  process.exit(1);
-});
-//# sourceMappingURL=arcis.js.map
-//# sourceMappingURL=arcis.js.map

package/dist/cli/arcis.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../src/cli/arcis.ts"],"names":["fileURLToPath","dirname","readFileSync","resolve","spawnSync","cur","lat"],"mappings":";;;;;;;;;AA6BA,IAAM,YACJ,CAAC,OAAA,CAAQ,IAAI,QAAA,IAAY,OAAA,CAAQ,OAAO,KAAA,KAAU,IAAA;AAEpD,SAAS,CAAA,CAAE,SAAiB,KAAA,EAAyB;AACnD,EAAA,IAAI,CAAC,WAAW,OAAO,IAAA;AACvB,EAAA,OAAO,KAAA,CAAM,IAAA,CAAK,EAAE,CAAA,GAAI,IAAA,GAAO,SAAA;AACjC;AAEA,IAAM,IAAA,GAAO,SAAA;AACb,IAAM,GAAA,GAAM,SAAA;AACZ,IAAM,KAAA,GAAQ,UAAA;AACd,IAAM,MAAA,GAAS,UAAA;AACf,IAAM,IAAA,GAAO,UAAA;AACb,IAAM,GAAA,GAAM,UAAA;AAIZ,SAAS,mBAAA,GAA8B;AAGrC,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAOA,iBAAA,CAAc,0PAAe,CAAA;AAE1C,IAAA,IAAI,GAAA,GAAMC,aAAQ,IAAI,CAAA;AACtB,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK;AAC1B,MAAA,IAAI;AACF,QAAA,MAAM,MAAMC,eAAA,CAAaC,YAAA,CAAQ,GAAA,EAAK,cAAc,GAAG,OAAO,CAAA;AAC9D,QAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AAC1B,QAAA,IAAI,GAAA,CAAI,IAAA,KAAS,aAAA,IAAiB,GAAA,CAAI,OAAA,EAAS;AAC7C,UAAA,OAAO,GAAA,CAAI,OAAA;AAAA,QACb;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AACA,MAAA,MAAM,MAAA,GAASA,YAAA,CAAQ,GAAA,EAAK,IAAI,CAAA;AAChC,MAAA,IAAI,WAAW,GAAA,EAAK;AACpB,MAAA,GAAA,GAAM,MAAA;AAAA,IACR;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AACA,EAAA,OAAO,GAAA;AACT;AAMA,eAAe,kBAAA,GAA6C;AAC1D,EAAA,IAAI;AACF,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,GAAK,CAAA;AACxD,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,MAAM,KAAA,CAAM,wCAAA,EAA0C;AAAA,QACjE,OAAA,EAAS,EAAE,MAAA,EAAQ,kBAAA,EAAmB;AAAA,QACtC,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AACD,MAAA,IAAI,CAAC,IAAA,CAAK,EAAA,EAAI,OAAO,IAAA;AACrB,MAAA,MAAM,IAAA,GAAQ,MAAM,IAAA,CAAK,IAAA,EAAK;AAC9B,MAAA,OAAO,IAAA,CAAK,WAAW,CAAA,EAAG,MAAA,IAAU,IAAA;AAAA,IACtC,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAEA,SAAS,aAAa,CAAA,EAA4B;AAChD,EAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA;AACzB,EAAA,MAAM,MAAgB,EAAC;AACvB,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,IAAI,CAAC,OAAA,CAAQ,IAAA,CAAK,CAAC,GAAG,OAAO,IAAA;AAC7B,IAAA,GAAA,CAAI,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA;AAAA,EACpB;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,cAAA,CAAe,GAAa,CAAA,EAAqB;AACxD,EAAA,MAAM,MAAM,IAAA,CAAK,GAAA,CAAI,CAAA,CAAE,MAAA,EAAQ,EAAE,MAAM,CAAA;AACvC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,EAAK,CAAA,EAAA,EAAK;AAC5B,IAAA,MAAM,CAAA,GAAI,CAAA,CAAE,CAAC,CAAA,IAAK,CAAA;AAClB,IAAA,MAAM,CAAA,GAAI,CAAA,CAAE,CAAC,CAAA,IAAK,CAAA;AAClB,IAAA,IAAI,CAAA,GAAI,GAAG,OAAO,EAAA;AAClB,IAAA,IAAI,CAAA,GAAI,GAAG,OAAO,CAAA;AAAA,EACpB;AACA,EAAA,OAAO,CAAA;AACT;AAIA,SAAS,cAAA,GAA0B;AAGjC,EAAA,MAAM,MAAA,GAAiD;AAAA,IACrD,EAAE,GAAA,EAAK,OAAA,EAAS,IAAA,EAAM,CAAC,WAAW,CAAA,EAAE;AAAA,IACpC,EAAE,KAAK,QAAA,EAAU,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,WAAW,CAAA,EAAE;AAAA,IACxD,EAAE,KAAK,SAAA,EAAW,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,WAAW,CAAA;AAAE,GAC3D;AACA,EAAA,KAAA,MAAW,KAAK,MAAA,EAAQ;AACtB,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAASC,uBAAA,CAAU,CAAA,CAAE,GAAA,EAAK,EAAE,IAAA,EAAM;AAAA,QACtC,KAAA,EAAO,CAAC,QAAA,EAAU,QAAA,EAAU,QAAQ,CAAA;AAAA,QACpC,OAAA,EAAS,GAAA;AAAA,QACT,KAAA,EAAO,QAAQ,QAAA,KAAa;AAAA,OAC7B,CAAA;AACD,MAAA,IAAI,MAAA,CAAO,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,gBAAgB,IAAA,EAAuB;AAI9C,EAAA,MAAM,UAAA,GAAqD;AAAA,IACzD,EAAE,GAAA,EAAK,OAAA,EAAS,IAAA,EAAK;AAAA,IACrB,EAAE,KAAK,QAAA,EAAU,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,GAAG,IAAI,CAAA,EAAE;AAAA,IACpD,EAAE,KAAK,SAAA,EAAW,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,GAAG,IAAI,CAAA;AAAE,GACvD;AACA,EAAA,KAAA,MAAW,QAAQ,UAAA,EAAY;AAC7B,IAAA,MAAM,MAAA,GAASA,uBAAA,CAAU,IAAA,CAAK,GAAA,EAAK,KAAK,IAAA,EAAM;AAAA,MAC5C,KAAA,EAAO,SAAA;AAAA,MACP,KAAA,EAAO,QAAQ,QAAA,KAAa;AAAA,KAC7B,CAAA;AACD,IAAA,IAAI,OAAO,KAAA,EAAO;AAClB,IAAA,OAAA,CAAQ,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,CAAC,CAAA;AAAA,EACjC;AACA,EAAA,OAAA,CAAQ,KAAA;AAAA,IACN,CAAA,CAAE,uDAAA,EAAyD,GAAA,EAAK,IAAI;AAAA,GACtE;AACA,EAAA,OAAA,CAAQ,MAAM,qBAAqB,CAAA;AACnC,EAAA,OAAA,CAAQ,KAAK,GAAG,CAAA;AAClB;AAIA,SAAS,aAAa,OAAA,EAAwB;AAC5C,EAAA,MAAM,MAAM,mBAAA,EAAoB;AAChC,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,IAAI,CAAA,EAAA,EAAK,CAAA,CAAE,SAAS,IAAA,EAAM,IAAI,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,IAAI,GAAG,CAAA,CAAA,EAAI,GAAG,CAAC,CAAA,EAAA,EAAK,EAAE,QAAA,EAAU,GAAG,CAAC,CAAA,CAAE,CAAA;AACpF,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,4CAAA,EAA8C,GAAG,CAAC,CAAA;AAChE,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,YAAA,EAAc,IAAI,CAAC,CAAA;AACjC,EAAA,MAAM,IAAA,GAAwC;AAAA,IAC5C;AAAA,MACE,MAAA;AAAA,MACA,6CAAA;AAAA,MACA;AAAA,KACF;AAAA,IACA;AAAA,MACE,OAAA;AAAA,MACA,6DAAA;AAAA,MACA;AAAA,KACF;AAAA,IACA;AAAA,MACE,KAAA;AAAA,MACA,kEAAA;AAAA,MACA;AAAA,KACF;AAAA,IACA,CAAC,QAAA,EAAU,4CAAA,EAA8C,sBAAsB;AAAA,GACjF;AACA,EAAA,KAAA,MAAW,CAAC,IAAA,EAAM,IAAA,EAAM,OAAO,KAAK,IAAA,EAAM;AACxC,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,IAAA,EAAO,CAAA,CAAE,IAAA,CAAK,MAAA,CAAO,CAAC,CAAA,EAAG,IAAA,EAAM,KAAK,CAAC,CAAA,CAAA,EAAI,IAAI,CAAA,CAAE,CAAA;AAC3D,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAA,CAAQ,IAAI,CAAA,aAAA,EAAgB,CAAA,CAAE,OAAA,EAAS,GAAG,CAAC,CAAA,CAAE,CAAA;AAAA,IAC/C;AAAA,EACF;AACA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,aAAA,EAAe,IAAI,CAAC,CAAA;AAClC,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,IAAA,EAAO,CAAA,CAAE,QAAA,EAAU,IAAA,EAAM,IAAI,CAAA,CAAE,MAAA,CAAO,EAAE,CAAC,CAAA,6BAAA,CAA+B,CAAA;AACpF,EAAA,OAAA,CAAQ,GAAA;AAAA,IACN,CAAA,IAAA,EAAO,EAAE,cAAA,EAAgB,IAAA,EAAM,IAAI,CAAA,CAAE,MAAA,CAAO,EAAE,CAAC,CAAA,kCAAA;AAAA,GACjD;AACA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,QAAA,EAAU,IAAI,CAAC,CAAA;AAC7B,EAAA,OAAA,CAAQ,GAAA;AAAA,IACN,CAAA,+DAAA;AAAA,GACF;AACA,EAAA,OAAA,CAAQ,IAAI,CAAA,wBAAA,EAA2B,CAAA,CAAE,mBAAA,EAAqB,KAAK,CAAC,CAAA,CAAE,CAAA;AACtE,EAAA,OAAA,CAAQ,GAAA,EAAI;AACd;AAIA,eAAe,cAAc,IAAA,EAA+B;AAM1D,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA;AACrC,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA;AACrC,EAAA,MAAM,MAAM,IAAA,CAAK,QAAA,CAAS,OAAO,CAAA,IAAK,IAAA,CAAK,SAAS,IAAI,CAAA;AAExD,EAAA,MAAM,UAAU,mBAAA,EAAoB;AACpC,EAAA,MAAM,MAAA,GAAS,MAAM,kBAAA,EAAmB;AAExC,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,OAAA,CAAQ,MAAM,iDAAiD,CAAA;AAC/D,MAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,MAAA;AAAA,IACF;AACA,IAAA,MAAMC,IAAAA,GAAM,aAAa,OAAO,CAAA;AAChC,IAAA,MAAMC,IAAAA,GAAM,aAAa,MAAM,CAAA;AAC/B,IAAA,IAAI,CAACD,QAAO,CAACC,IAAAA,IAAO,eAAeD,IAAAA,EAAKC,IAAG,KAAK,CAAA,EAAG;AACjD,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,YAAA,EAAe,OAAO,CAAA,cAAA,CAAgB,CAAA;AAClD,MAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,MAAA;AAAA,IACF;AACA,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,YAAA,EAAe,OAAO,CAAA,wBAAA,EAA2B,MAAM,CAAA,CAAE,CAAA;AACvE,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,4BAAA,EAA8B,IAAA,EAAM,IAAI,CAAC,CAAA;AACvD,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,kDAAA,EAAoD,GAAG,CAAC,CAAA;AACtE,EAAA,OAAA,CAAQ,GAAA,EAAI;AAEZ,EAAA,IAAI,WAAW,IAAA,EAAM;AACnB,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,OAAO,CAAA,CAAE,CAAA;AACpD,IAAA,OAAA,CAAQ,GAAA;AAAA,MACN,CAAA,gBAAA,EAAmB,EAAE,eAAA,EAAiB,MAAM,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,6BAAA,EAA+B,GAAG,CAAC,CAAA;AAAA,KACzF;AACA,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,oEAAA,EAAsE,GAAG,CAAC,CAAA;AACxF,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,GAAA,GAAM,aAAa,OAAO,CAAA;AAChC,EAAA,MAAM,GAAA,GAAM,aAAa,MAAM,CAAA;AAC/B,EAAA,IAAI,CAAC,GAAA,IAAO,CAAC,GAAA,EAAK;AAChB,IAAA,OAAA,CAAQ,GAAA;AAAA,MACN,+BAA+B,OAAO,CAAA,EAAA,EAAK,CAAA,CAAE,8BAAA,EAAgC,GAAG,CAAC,CAAA;AAAA,KACnF;AACA,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,MAAM,CAAA,CAAE,CAAA;AACnD,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,+CAAA,EAA4C,GAAG,CAAC,CAAA;AAC9D,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,CAAe,GAAA,EAAK,GAAG,CAAA,IAAK,CAAA,EAAG;AACjC,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,OAAO,CAAA,CAAE,CAAA;AACpD,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,MAAM,CAAA,CAAE,CAAA;AACnD,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,kCAAA,EAAoC,IAAA,EAAM,KAAK,CAAC,CAAA;AAC9D,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,OAAO,CAAA,CAAE,CAAA;AACpD,EAAA,OAAA,CAAQ,GAAA;AAAA,IACN,CAAA,gBAAA,EAAmB,CAAA,CAAE,CAAA,YAAA,EAAe,MAAM,CAAA,CAAA,EAAI,IAAI,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,oBAAA,EAAsB,MAAM,CAAC,CAAA;AAAA,GACzF;AACA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,kBAAA,EAAoB,IAAI,CAAC,CAAA;AACvC,EAAA,OAAA,CAAQ,IAAI,CAAA,IAAA,EAAO,CAAA,CAAE,gCAAA,EAAkC,KAAK,CAAC,CAAA,CAAE,CAAA;AAC/D,EAAA,OAAA,CAAQ,GAAA,EAAI;AAEZ,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,yDAAA,EAA2D,GAAG,CAAC,CAAA;AAC7E,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,GAAA,IAAO,OAAA,CAAQ,KAAA,CAAM,KAAA,EAAO;AAC/B,IAAA,OAAA,CAAQ,MAAA,CAAO,MAAM,qBAAqB,CAAA;AAC1C,IAAA,MAAM,QAAA,GAAW,MAAM,IAAI,OAAA,CAAgB,CAAC,GAAA,KAAQ;AAClD,MAAA,OAAA,CAAQ,KAAA,CAAM,IAAA,CAAK,MAAA,EAAQ,CAAC,KAAA,KAAkB,GAAA,CAAI,KAAA,CAAM,QAAA,EAAS,CAAE,IAAA,EAAK,CAAE,WAAA,EAAa,CAAC,CAAA;AAAA,IAC1F,CAAC,CAAA;AACD,IAAA,IAAI,CAAC,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,EAAG;AAC7B,MAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,MAAA;AAAA,IACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,QAAA,KAAa,OAAA,GAAU,SAAA,GAAY,KAAA;AAC1D,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,IAAA,EAAO,MAAM,CAAA,2BAAA,CAA6B,CAAA;AACtD,EAAA,MAAM,SAASF,uBAAA,CAAU,MAAA,EAAQ,CAAC,SAAA,EAAW,oBAAoB,CAAA,EAAG;AAAA,IAClE,KAAA,EAAO;AAAA,GACR,CAAA;AACD,EAAA,OAAA,CAAQ,QAAA,GAAW,OAAO,MAAA,IAAU,CAAA;AACtC;AAIA,eAAe,IAAA,GAAsB;AACnC,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAEjC,EAAA,IAAI,IAAA,CAAK,WAAW,CAAA,EAAG;AACrB,IAAA,YAAA,CAAa,KAAK,CAAA;AAClB,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,MAAM,IAAA,GAAO,KAAK,CAAC,CAAA;AAEnB,EAAA,IAAI,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,IAAA,EAAM;AACtC,IAAA,YAAA,CAAa,IAAI,CAAA;AACjB,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,IAAA,KAAS,QAAA,EAAU;AACtC,IAAA,YAAA,CAAa,KAAK,CAAA;AAClB,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,gDAAA,EAAkD,GAAG,CAAC,CAAA;AACpE,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,IAAA,KAAS,WAAA,EAAa;AACzC,IAAA,OAAA,CAAQ,GAAA,CAAI,qBAAqB,CAAA;AACjC,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,IAAI,SAAS,QAAA,EAAU;AACrB,IAAA,MAAM,aAAA,CAAc,IAAA,CAAK,KAAA,CAAM,CAAC,CAAC,CAAA;AACjC,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,IAAA,KAAS,MAAA,IAAU,IAAA,KAAS,OAAA,IAAW,SAAS,KAAA,EAAO;AACzD,IAAA,IAAI,CAAC,gBAAe,EAAG;AACrB,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN,CAAA;AAAA,UACE,WAAW,IAAI,CAAA,iDAAA,CAAA;AAAA,UACf,MAAA;AAAA,UACA;AAAA;AACF,OACF;AACA,MAAA,OAAA,CAAQ,MAAM,qBAAqB,CAAA;AACnC,MAAA,OAAA,CAAQ,KAAA,EAAM;AACd,MAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,CAAE,+DAAA,EAAiE,GAAG,CAAC,CAAA;AACrF,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN,CAAA;AAAA,UACE,+EAAA;AAAA,UACA;AAAA;AACF,OACF;AACA,MAAA,OAAA,CAAQ,KAAK,GAAG,CAAA;AAAA,IAClB;AACA,IAAA,eAAA,CAAgB,IAAI,CAAA;AACpB,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,wBAAA,EAA2B,IAAI,CAAA,CAAA,CAAG,CAAA;AAChD,EAAA,OAAA,CAAQ,MAAM,4CAA4C,CAAA;AAC1D,EAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAChB;AAEA,IAAA,EAAK,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AACpB,EAAA,OAAA,CAAQ,MAAM,CAAA,CAAE,CAAA,yBAAA,EAA4B,GAAG,CAAA,CAAA,EAAI,GAAG,CAAC,CAAA;AACvD,EAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAChB,CAAC,CAAA","file":"arcis.js","sourcesContent":["#!/usr/bin/env node\n/**\n * @arcis/node — `arcis` CLI dispatcher.\n *\n * Surface (mirrors the Python CLI's discovery layer):\n *\n *   arcis              → catalog\n *   arcis --list       → catalog with examples\n *   arcis --help / -h  → catalog + run-cmd hint\n *   arcis --version / -V\n *   arcis update [--apply] [--check]\n *   arcis scan / audit / sca → forward to Python `arcis` if on PATH,\n *                              else print install hint\n *\n * Why we delegate scan/audit/sca to Python rather than re-implementing:\n * the threat database, audit rules, and attack-payload catalog are\n * Python-side data files. Maintaining two copies means drift; one\n * canonical CLI + a thin Node forwarder is simpler. The Node binary\n * exists primarily so users who installed `@arcis/node` from npm get\n * the same `arcis update` / discovery UX as Python users.\n */\n\nimport { spawnSync } from \"node:child_process\";\nimport { readFileSync } from \"node:fs\";\nimport { dirname, resolve } from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\n\n// ── ANSI helpers ─────────────────────────────────────────────────────\n\nconst USE_COLOR =\n  !process.env.NO_COLOR && process.stdout.isTTY === true;\n\nfunction c(text: string, ...codes: string[]): string {\n  if (!USE_COLOR) return text;\n  return codes.join(\"\") + text + \"\\x1b[0m\";\n}\n\nconst BOLD = \"\\x1b[1m\";\nconst DIM = \"\\x1b[2m\";\nconst GREEN = \"\\x1b[32m\";\nconst YELLOW = \"\\x1b[33m\";\nconst CYAN = \"\\x1b[36m\";\nconst RED = \"\\x1b[31m\";\n\n// ── Version + npm registry helpers ───────────────────────────────────\n\nfunction getInstalledVersion(): string {\n  // Read the package.json that ships with this build so we report the\n  // actual installed version, not whatever was hardcoded.\n  try {\n    const here = fileURLToPath(import.meta.url);\n    // Walk up to find the package root (contains package.json).\n    let dir = dirname(here);\n    for (let i = 0; i < 6; i++) {\n      try {\n        const raw = readFileSync(resolve(dir, \"package.json\"), \"utf-8\");\n        const pkg = JSON.parse(raw) as { name?: string; version?: string };\n        if (pkg.name === \"@arcis/node\" && pkg.version) {\n          return pkg.version;\n        }\n      } catch {\n        // climb\n      }\n      const parent = resolve(dir, \"..\");\n      if (parent === dir) break;\n      dir = parent;\n    }\n  } catch {\n    // ignore\n  }\n  return \"?\";\n}\n\ninterface NpmRegistryResponse {\n  \"dist-tags\"?: { latest?: string };\n}\n\nasync function fetchLatestVersion(): Promise<string | null> {\n  try {\n    const controller = new AbortController();\n    const timer = setTimeout(() => controller.abort(), 5_000);\n    try {\n      const resp = await fetch(\"https://registry.npmjs.org/@arcis/node\", {\n        headers: { Accept: \"application/json\" },\n        signal: controller.signal,\n      });\n      if (!resp.ok) return null;\n      const data = (await resp.json()) as NpmRegistryResponse;\n      return data[\"dist-tags\"]?.latest ?? null;\n    } finally {\n      clearTimeout(timer);\n    }\n  } catch {\n    return null;\n  }\n}\n\nfunction parseVersion(v: string): number[] | null {\n  const parts = v.split(\".\");\n  const out: number[] = [];\n  for (const p of parts) {\n    if (!/^\\d+$/.test(p)) return null;\n    out.push(Number(p));\n  }\n  return out;\n}\n\nfunction versionCompare(a: number[], b: number[]): number {\n  const len = Math.max(a.length, b.length);\n  for (let i = 0; i < len; i++) {\n    const x = a[i] ?? 0;\n    const y = b[i] ?? 0;\n    if (x < y) return -1;\n    if (x > y) return 1;\n  }\n  return 0;\n}\n\n// ── Python forwarder ─────────────────────────────────────────────────\n\nfunction hasPythonArcis(): boolean {\n  // Check both `arcis` (Windows: arcis.exe) and `python -m arcis.cli` so\n  // users who have the Python package installed but not on PATH still work.\n  const probes: Array<{ cmd: string; args: string[] }> = [\n    { cmd: \"arcis\", args: [\"--version\"] },\n    { cmd: \"python\", args: [\"-m\", \"arcis.cli\", \"--version\"] },\n    { cmd: \"python3\", args: [\"-m\", \"arcis.cli\", \"--version\"] },\n  ];\n  for (const p of probes) {\n    try {\n      const result = spawnSync(p.cmd, p.args, {\n        stdio: [\"ignore\", \"ignore\", \"ignore\"],\n        timeout: 3000,\n        shell: process.platform === \"win32\",\n      });\n      if (result.status === 0) return true;\n    } catch {\n      // try next\n    }\n  }\n  return false;\n}\n\nfunction forwardToPython(args: string[]): never {\n  // Try `arcis` first, fall back to `python -m arcis.cli`. Mirror exit\n  // code so CI scripts using the Node CLI get the same behavior they'd\n  // get from the Python CLI.\n  const candidates: Array<{ cmd: string; args: string[] }> = [\n    { cmd: \"arcis\", args },\n    { cmd: \"python\", args: [\"-m\", \"arcis.cli\", ...args] },\n    { cmd: \"python3\", args: [\"-m\", \"arcis.cli\", ...args] },\n  ];\n  for (const cand of candidates) {\n    const result = spawnSync(cand.cmd, cand.args, {\n      stdio: \"inherit\",\n      shell: process.platform === \"win32\",\n    });\n    if (result.error) continue;\n    process.exit(result.status ?? 0);\n  }\n  console.error(\n    c(\"arcis: could not invoke the Python CLI. Install with:\", RED, BOLD),\n  );\n  console.error(\"  pip install arcis\");\n  process.exit(127);\n}\n\n// ── Catalog ──────────────────────────────────────────────────────────\n\nfunction printCatalog(verbose: boolean): void {\n  const ver = getInstalledVersion();\n  console.log();\n  console.log(`  ${c(\"Arcis\", BOLD, CYAN)}  ${c(`v${ver}`, DIM)}  ${c(\"(node)\", DIM)}`);\n  console.log(c(\"  Zero-dep security middleware + scanners.\", DIM));\n  console.log();\n  console.log(c(\"  Commands\", BOLD));\n  const rows: Array<[string, string, string]> = [\n    [\n      \"scan\",\n      \"Send live attack payloads to a running app.\",\n      \"arcis scan http://localhost:8000 --route POST:/echo --field q\",\n    ],\n    [\n      \"audit\",\n      \"Static-analyse Python / JS / TS source for unsafe patterns.\",\n      \"arcis audit .\",\n    ],\n    [\n      \"sca\",\n      \"Match installed dependencies against the supply-chain threat DB.\",\n      \"arcis sca .\",\n    ],\n    [\"update\", \"Check npm for a newer @arcis/node release.\", \"arcis update --apply\"],\n  ];\n  for (const [name, desc, example] of rows) {\n    console.log(`    ${c(name.padEnd(8), BOLD, GREEN)} ${desc}`);\n    if (verbose) {\n      console.log(`             ${c(example, DIM)}`);\n    }\n  }\n  console.log();\n  console.log(c(\"  Discovery\", BOLD));\n  console.log(`    ${c(\"--list\", BOLD, CYAN).padEnd(24)} Show this catalog (verbose).`);\n  console.log(\n    `    ${c(\"<cmd> --help\", BOLD, CYAN).padEnd(24)} Show full flags for that command.`,\n  );\n  console.log();\n  console.log(c(\"  Note\", BOLD));\n  console.log(\n    `    scan/audit/sca delegate to the Python CLI (canonical impl).`,\n  );\n  console.log(`    Install once with:  ${c(\"pip install arcis\", GREEN)}`);\n  console.log();\n}\n\n// ── Update command ───────────────────────────────────────────────────\n\nasync function updateCommand(args: string[]): Promise<void> {\n  // Note: this function uses `process.exitCode = N; return;` rather than\n  // `process.exit(N)` because the fetch() call leaves an internal undici\n  // handle open momentarily on Windows, and process.exit() during that\n  // window throws a libuv assertion on stderr. exitCode + return lets\n  // Node drain handles cleanly before exit.\n  const apply = args.includes(\"--apply\");\n  const check = args.includes(\"--check\");\n  const yes = args.includes(\"--yes\") || args.includes(\"-y\");\n\n  const current = getInstalledVersion();\n  const latest = await fetchLatestVersion();\n\n  if (check) {\n    if (latest === null) {\n      console.error(\"arcis: could not reach npm to check for updates\");\n      process.exitCode = 2;\n      return;\n    }\n    const cur = parseVersion(current);\n    const lat = parseVersion(latest);\n    if (!cur || !lat || versionCompare(cur, lat) >= 0) {\n      console.log(`@arcis/node ${current} is up-to-date`);\n      process.exitCode = 0;\n      return;\n    }\n    console.error(`@arcis/node ${current} is outdated; latest is ${latest}`);\n    process.exitCode = 1;\n    return;\n  }\n\n  console.log();\n  console.log(c(\"  @arcis/node update check\", BOLD, CYAN));\n  console.log(c(\"  Source: https://registry.npmjs.org/@arcis/node\", DIM));\n  console.log();\n\n  if (latest === null) {\n    console.log(`    Installed   @arcis/node ${current}`);\n    console.log(\n      `    Latest      ${c(\"? unreachable\", YELLOW)}  ${c(\"(network error or npm down)\", DIM)}`,\n    );\n    console.log();\n    console.log(c(\"  Try again later, or run 'npm view @arcis/node version' directly.\", DIM));\n    console.log();\n    process.exitCode = 2;\n    return;\n  }\n\n  const cur = parseVersion(current);\n  const lat = parseVersion(latest);\n  if (!cur || !lat) {\n    console.log(\n      `    Installed   @arcis/node ${current}  ${c(\"(pre-release or unparseable)\", DIM)}`,\n    );\n    console.log(`    Latest      @arcis/node ${latest}`);\n    console.log();\n    console.log(c(\"  Skipping comparison — manually decide.\", DIM));\n    console.log();\n    process.exitCode = 0;\n    return;\n  }\n\n  if (versionCompare(cur, lat) >= 0) {\n    console.log(`    Installed   @arcis/node ${current}`);\n    console.log(`    Latest      @arcis/node ${latest}`);\n    console.log();\n    console.log(c(\"  You are on the latest version.\", BOLD, GREEN));\n    console.log();\n    process.exitCode = 0;\n    return;\n  }\n\n  console.log(`    Installed   @arcis/node ${current}`);\n  console.log(\n    `    Latest      ${c(`@arcis/node ${latest}`, BOLD)}  ${c(\"(update available)\", YELLOW)}`,\n  );\n  console.log();\n  console.log(c(\"  Run to upgrade\", BOLD));\n  console.log(`    ${c(\"npm install @arcis/node@latest\", GREEN)}`);\n  console.log();\n\n  if (!apply) {\n    console.log(c(\"  Or rerun: 'arcis update --apply' to upgrade in place.\", DIM));\n    console.log();\n    process.exitCode = 1;\n    return;\n  }\n\n  if (!yes && process.stdin.isTTY) {\n    process.stdout.write(\"Upgrade now? [y/N] \");\n    const response = await new Promise<string>((res) => {\n      process.stdin.once(\"data\", (chunk: Buffer) => res(chunk.toString().trim().toLowerCase()));\n    });\n    if (!response.startsWith(\"y\")) {\n      process.exitCode = 1;\n      return;\n    }\n  }\n\n  const npmCmd = process.platform === \"win32\" ? \"npm.cmd\" : \"npm\";\n  console.log(`  $ ${npmCmd} install @arcis/node@latest`);\n  const result = spawnSync(npmCmd, [\"install\", \"@arcis/node@latest\"], {\n    stdio: \"inherit\",\n  });\n  process.exitCode = result.status ?? 1;\n}\n\n// ── Main ─────────────────────────────────────────────────────────────\n\nasync function main(): Promise<void> {\n  const args = process.argv.slice(2);\n\n  if (args.length === 0) {\n    printCatalog(false);\n    process.exit(0);\n  }\n\n  const arg0 = args[0];\n\n  if (arg0 === \"--list\" || arg0 === \"-l\") {\n    printCatalog(true);\n    process.exit(0);\n  }\n\n  if (arg0 === \"-h\" || arg0 === \"--help\") {\n    printCatalog(false);\n    console.log(c(\"  Run 'arcis <command> --help' for full flags.\", DIM));\n    console.log();\n    process.exit(0);\n  }\n\n  if (arg0 === \"-V\" || arg0 === \"--version\") {\n    console.log(getInstalledVersion());\n    process.exit(0);\n  }\n\n  if (arg0 === \"update\") {\n    await updateCommand(args.slice(1));\n    return;\n  }\n\n  if (arg0 === \"scan\" || arg0 === \"audit\" || arg0 === \"sca\") {\n    if (!hasPythonArcis()) {\n      console.error(\n        c(\n          `arcis: '${arg0}' is implemented by the Python CLI. Install with:`,\n          YELLOW,\n          BOLD,\n        ),\n      );\n      console.error(\"  pip install arcis\");\n      console.error();\n      console.error(c(\"Why: scan/audit/sca rely on Python's threat-DB and rule data.\", DIM));\n      console.error(\n        c(\n          \"@arcis/node implements the middleware + dashboard upload — see the docs.\",\n          DIM,\n        ),\n      );\n      process.exit(127);\n    }\n    forwardToPython(args);\n    return;\n  }\n\n  console.error(`arcis: unknown command '${arg0}'`);\n  console.error(\"Run 'arcis --list' for available commands.\");\n  process.exit(1);\n}\n\nmain().catch((err) => {\n  console.error(c(`arcis: unexpected error: ${err}`, RED));\n  process.exit(1);\n});\n"]}