@arcis/node 1.4.4 → 1.5.1

package/dist/validation/redirect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redirect.d.ts","sourceRoot":"","sources":["../../src/validation/redirect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,sCAAsC;AACtC,MAAM,WAAW,uBAAuB;IACtC,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,mEAAmE;IACnE,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED,oCAAoC;AACpC,MAAM,WAAW,sBAAsB;IACrC,uCAAuC;IACvC,IAAI,EAAE,OAAO,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,uBAA4B,GACpC,sBAAsB,CAqExB;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,uBAA4B,GAAG,OAAO,CAE1F"}
+{"version":3,"file":"redirect.d.ts","sourceRoot":"","sources":["../../src/validation/redirect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,sCAAsC;AACtC,MAAM,WAAW,uBAAuB;IACtC,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,mEAAmE;IACnE,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED,oCAAoC;AACpC,MAAM,WAAW,sBAAsB;IACrC,uCAAuC;IACvC,IAAI,EAAE,OAAO,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,uBAA4B,GACpC,sBAAsB,CA2ExB;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,uBAA4B,GAAG,OAAO,CAE1F"}

package/dist/validation/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/validation/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAkB,MAAM,eAAe,CAAC;AAGtE;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,QAAQ,CACtB,MAAM,EAAE,gBAAgB,EACxB,MAAM,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,GAC3C,cAAc,CA0BhB;AAoKD;;;GAGG;AACH,eAAO,MAAM,eAAe,iBAAW,CAAC"}
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/validation/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAkB,MAAM,eAAe,CAAC;AAGtE;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,QAAQ,CACtB,MAAM,EAAE,gBAAgB,EACxB,MAAM,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,GAC3C,cAAc,CAkChB;AAoKD;;;GAGG;AACH,eAAO,MAAM,eAAe,iBAAW,CAAC"}

package/dist/validation/url-async.d.ts

@@ -0,0 +1,137 @@
+/**
+ * @module @arcis/node/validation/url-async
+ *
+ * Async SSRF guard that closes the DNS-rebinding TOCTOU gap left open
+ * by the synchronous `validateUrl` (sdk-vectors.md #31, issue #50).
+ *
+ * The synchronous `validateUrl` only checks the *string form* of the
+ * hostname. It catches obvious cases — `127.0.0.1`, `10.0.0.1`,
+ * `169.254.169.254` — but a hostname like `evil.com` passes through
+ * even when its DNS A-record points to `10.0.0.1`, because resolution
+ * happens later inside `fetch`. An attacker controlling the
+ * `evil.com` zone can also rebind the answer between Arcis's check
+ * and the actual TCP connect, which is the classic DNS TOCTOU.
+ *
+ * Two layers of fix shipped here:
+ *
+ * 1. **`validateUrlAsync(url, options)`** — runs the existing sync
+ *    `validateUrl` first, then `dns.lookup(hostname, { all: true })`,
+ *    then re-runs the same private-range check on every resolved
+ *    address. Returns the pinned IP list so callers can reuse it for
+ *    the actual connection (closing the TOCTOU window).
+ *
+ * 2. **`pinnedDnsLookup(ip)`** — returns a Node `lookup` callback
+ *    that resolves any hostname to the pre-validated IP. Wire this
+ *    into `https.request({ lookup })` / `http.request({ lookup })`
+ *    so the connection uses the IP Arcis already validated, not
+ *    whatever DNS returns at connect time. Pure stdlib — no undici,
+ *    no extra dep.
+ *
+ * 3. **`safeFollowRedirect(prev, location, options)`** — when the
+ *    server replies 30x, run the same async guard against the new
+ *    Location URL. Resolves the absolute URL using the previous
+ *    response URL as base. Caller decides whether to follow.
+ *
+ * The function signatures keep `lookup` injectable so tests can
+ * substitute a fake resolver without monkey-patching `node:dns`.
+ *
+ * ```ts
+ * import https from 'node:https';
+ * import { validateUrlAsync, pinnedDnsLookup } from '@arcis/node';
+ *
+ * const result = await validateUrlAsync(url);
+ * if (!result.safe) throw new Error(result.reason);
+ *
+ * https.get(url, { lookup: pinnedDnsLookup(result.resolvedIp!) }, (res) => {
+ *   // The TCP connect now goes to result.resolvedIp regardless of
+ *   // what DNS would say at this exact moment.
+ * });
+ * ```
+ */
+import { type ValidateUrlOptions, type ValidateUrlResult } from './url';
+/**
+ * Subset of `dns.lookup`'s `{ all: true }` callback signature. Kept
+ * narrow so a test fake can satisfy it without depending on Node's
+ * full `LookupAddress` type.
+ */
+export type LookupAddress = {
+    address: string;
+    family: number;
+};
+/**
+ * Function shape compatible with `dns.lookup(hostname, { all: true })`.
+ * Returns a list of resolved addresses. Tests inject a fake.
+ */
+export type DnsLookup = (hostname: string) => Promise<LookupAddress[]>;
+export interface ValidateUrlAsyncOptions extends ValidateUrlOptions {
+    /**
+     * DNS lookup function. Defaults to a Promise wrapper around
+     * `dns.lookup(hostname, { all: true })`. Tests inject a stub.
+     */
+    lookup?: DnsLookup;
+    /**
+     * If true, accept the first non-private IP and ignore the rest.
+     * Default false: every resolved IP must pass the private-range
+     * check. Hosts with mixed-public/private answers (round-robin DNS
+     * with one internal record) still fail-closed.
+     */
+    acceptFirstPublic?: boolean;
+}
+export interface ValidateUrlAsyncResult extends ValidateUrlResult {
+    /**
+     * Single pinned IP (the first public address if all checks passed,
+     * or undefined when the string-only synchronous validator already
+     * decided — e.g., the hostname *was* a literal IP). Use this with
+     * `pinnedDnsLookup()` to wire the actual fetch.
+     */
+    resolvedIp?: string;
+    /** Every IP returned by DNS, in resolver order. */
+    resolvedIps?: string[];
+}
+/**
+ * Async SSRF guard with DNS resolution. Runs the sync validator
+ * first, then resolves DNS and validates every returned IP against
+ * the same private-range rules. Returns a pinned IP for the caller
+ * to reuse.
+ *
+ * Failure modes (any returns `{ safe: false, reason }`):
+ * - Sync validator already rejects (string-pattern fail).
+ * - DNS lookup throws (NXDOMAIN, network error). Reason carries the
+ *   underlying error message.
+ * - DNS returns no addresses.
+ * - Any resolved address fails the private-range check (default) or
+ *   *all* fail it when `acceptFirstPublic` is true.
+ */
+export declare function validateUrlAsync(url: string, options?: ValidateUrlAsyncOptions): Promise<ValidateUrlAsyncResult>;
+/**
+ * Build a `lookup` callback that pins the resolution to a single
+ * pre-validated IP, regardless of what DNS would say at connect time.
+ * Drop into `https.request({ lookup })` / `http.request({ lookup })`.
+ *
+ * Closes the TOCTOU window between `validateUrlAsync` and the actual
+ * TCP connect. The pinned IP must be one that already passed the
+ * async validator — wiring it without that check defeats the purpose.
+ *
+ * The returned function matches Node's `dns.lookup` callback shape
+ * for the `{ all: false, family: 0 }` case (single address). The
+ * default Node http/https stack uses that shape.
+ */
+export declare function pinnedDnsLookup(ip: string): (hostname: string, options: {
+    family?: number;
+    hints?: number;
+    verbatim?: boolean;
+}, callback: (err: NodeJS.ErrnoException | null, address: string, family: number) => void) => void;
+/**
+ * Validate a redirect target with the same TOCTOU-aware pipeline.
+ *
+ * `prev` is the URL of the response that returned the 30x; `location`
+ * is the raw `Location:` header value (which may be relative). The
+ * function resolves `location` against `prev` per RFC 3986 then runs
+ * `validateUrlAsync` on the absolute result.
+ *
+ * Use this on every hop of a redirect chain. Without it, a server
+ * that you trust today can redirect tomorrow's request to
+ * `http://169.254.169.254/`.
+ */
+export declare function safeFollowRedirect(prev: string, location: string, options?: ValidateUrlAsyncOptions): Promise<ValidateUrlAsyncResult>;
+//# sourceMappingURL=url-async.d.ts.map

package/dist/validation/url-async.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-async.d.ts","sourceRoot":"","sources":["../../src/validation/url-async.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAGH,OAAO,EAAe,KAAK,kBAAkB,EAAE,KAAK,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAErF;;;;GAIG;AACH,MAAM,MAAM,aAAa,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhE;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;AAUvE,MAAM,WAAW,uBAAwB,SAAQ,kBAAkB;IACjE;;;OAGG;IACH,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAuB,SAAQ,iBAAiB;IAC/D;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mDAAmD;IACnD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AA0BD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,sBAAsB,CAAC,CA4DjC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,eAAe,CAC7B,EAAE,EAAE,MAAM,GACT,CACD,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;CAAE,EAChE,QAAQ,EAAE,CAAC,GAAG,EAAE,MAAM,CAAC,cAAc,GAAG,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,KACnF,IAAI,CAQR;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,sBAAsB,CAAC,CAWjC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@arcis/node",
-  "version": "1.4.4",
-  "description": "Zero-dependency security middleware for Node.js. Protects against XSS, SQL injection, CSRF, SSRF, HPP, rate limiting, bot detection, and 15+ more attack types. Supply chain attack scanner included.",
+  "version": "1.5.1",
+  "description": "Inside-the-app security middleware for Node.js. One install protects Express, NestJS, SvelteKit, Astro, Nuxt, Bun + Hono against XSS, SQL injection, CSRF, SSRF, HPP, prompt injection, bot traffic, rate limiting, and 20+ more attack types. Includes prompt-injection signature library, LLM token-budget middleware, 646-pattern bot corpus, and the @arcis/cli supply-chain scanner.",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
   "types": "dist/index.d.ts",
@@ -50,14 +50,57 @@
       "types": "./dist/telemetry/index.d.ts",
       "import": "./dist/telemetry/index.mjs",
       "require": "./dist/telemetry/index.js"
+    },
+    "./fastify": {
+      "types": "./dist/fastify/index.d.ts",
+      "import": "./dist/fastify/index.mjs",
+      "require": "./dist/fastify/index.js"
+    },
+    "./koa": {
+      "types": "./dist/koa/index.d.ts",
+      "import": "./dist/koa/index.mjs",
+      "require": "./dist/koa/index.js"
+    },
+    "./nestjs": {
+      "types": "./dist/nestjs/index.d.ts",
+      "import": "./dist/nestjs/index.mjs",
+      "require": "./dist/nestjs/index.js"
+    },
+    "./nextjs": {
+      "types": "./dist/nextjs/index.d.ts",
+      "import": "./dist/nextjs/index.mjs",
+      "require": "./dist/nextjs/index.js"
+    },
+    "./sveltekit": {
+      "types": "./dist/sveltekit/index.d.ts",
+      "import": "./dist/sveltekit/index.mjs",
+      "require": "./dist/sveltekit/index.js"
+    },
+    "./astro": {
+      "types": "./dist/astro/index.d.ts",
+      "import": "./dist/astro/index.mjs",
+      "require": "./dist/astro/index.js"
+    },
+    "./nuxt": {
+      "types": "./dist/nuxt/index.d.ts",
+      "import": "./dist/nuxt/index.mjs",
+      "require": "./dist/nuxt/index.js"
+    },
+    "./bun": {
+      "types": "./dist/bun/index.d.ts",
+      "import": "./dist/bun/index.mjs",
+      "require": "./dist/bun/index.js"
+    },
+    "./hono": {
+      "types": "./dist/hono/index.d.ts",
+      "import": "./dist/hono/index.mjs",
+      "require": "./dist/hono/index.js"
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "scripts/postinstall.cjs"
   ],
-  "bin": {
-    "arcis": "./dist/cli/arcis.mjs"
-  },
   "scripts": {
     "build": "tsup && tsc --emitDeclarationOnly --declaration --declarationMap",
     "dev": "tsup --watch",
@@ -68,7 +111,8 @@
     "test:coverage": "vitest --coverage",
     "lint": "eslint src",
     "typecheck": "tsc --noEmit",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "postinstall": "node scripts/postinstall.cjs"
   },
   "keywords": [
     "security",
@@ -100,15 +144,16 @@
     "express": ">=4.0.0"
   },
   "devDependencies": {
+    "@nestjs/common": "^11.1.21",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.5.0",
-    "@typescript-eslint/eslint-plugin": "^8.58.0",
+    "@types/node": "^25.9.1",
+    "@typescript-eslint/eslint-plugin": "^8.59.4",
     "@typescript-eslint/parser": "^8.58.0",
-    "@vitest/coverage-v8": "^4.1.5",
-    "eslint": "^10.1.0",
+    "@vitest/coverage-v8": "^4.1.7",
+    "eslint": "^10.4.0",
     "express": "^5.2.1",
     "tsup": "^8.0.1",
-    "typescript": "^6.0.2",
+    "typescript": "^6.0.3",
     "vitest": "^4.1.0"
   },
   "repository": {

package/scripts/postinstall.cjs

@@ -0,0 +1,26 @@
+/* eslint-disable */
+// Postinstall notice for @arcis/node.
+//
+// Surface the fact that the Arcis CLI (audit / scan / sca) ships as a
+// separate native binary. Without this message, users who installed the
+// Node SDK type `arcis` in their shell, get "command not found", and
+// assume the package is broken.
+//
+// Skip in CI / non-TTY / when npm asks us not to log.
+if (process.env.CI || process.env.ARCIS_SKIP_NOTICE) return;
+
+const isTTY = process.stdout && process.stdout.isTTY;
+const c = (s, code) => (isTTY ? `\x1b[${code}m${s}\x1b[0m` : s);
+
+const lines = [
+  '',
+  c('  Arcis Node SDK installed.', '1;36'),
+  '',
+  c('  The CLI (audit / scan / sca) ships separately as a native binary:', '2'),
+  c('    npm install -g @arcis/cli', '32'),
+  '',
+  c('  This package is the SDK / middleware. It does not put a CLI on', '2'),
+  c('  your shell PATH. Docs: https://gagancm.github.io/arcis/documentation/cli.html', '2'),
+  '',
+];
+for (const line of lines) console.log(line);

package/dist/cli/arcis.d.ts

@@ -1,23 +0,0 @@
-#!/usr/bin/env node
-/**
- * @arcis/node — `arcis` CLI dispatcher.
- *
- * Surface (mirrors the Python CLI's discovery layer):
- *
- *   arcis              → catalog
- *   arcis --list       → catalog with examples
- *   arcis --help / -h  → catalog + run-cmd hint
- *   arcis --version / -V
- *   arcis update [--apply] [--check]
- *   arcis scan / audit / sca → forward to Python `arcis` if on PATH,
- *                              else print install hint
- *
- * Why we delegate scan/audit/sca to Python rather than re-implementing:
- * the threat database, audit rules, and attack-payload catalog are
- * Python-side data files. Maintaining two copies means drift; one
- * canonical CLI + a thin Node forwarder is simpler. The Node binary
- * exists primarily so users who installed `@arcis/node` from npm get
- * the same `arcis update` / discovery UX as Python users.
- */
-export {};
-//# sourceMappingURL=arcis.d.ts.map

package/dist/cli/arcis.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"arcis.d.ts","sourceRoot":"","sources":["../../src/cli/arcis.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;GAmBG"}

package/dist/cli/arcis.js

@@ -1,312 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-var child_process = require('child_process');
-var fs = require('fs');
-var path = require('path');
-var url = require('url');
-
-var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
-var USE_COLOR = !process.env.NO_COLOR && process.stdout.isTTY === true;
-function c(text, ...codes) {
-  if (!USE_COLOR) return text;
-  return codes.join("") + text + "\x1B[0m";
-}
-var BOLD = "\x1B[1m";
-var DIM = "\x1B[2m";
-var GREEN = "\x1B[32m";
-var YELLOW = "\x1B[33m";
-var CYAN = "\x1B[36m";
-var RED = "\x1B[31m";
-function getInstalledVersion() {
-  try {
-    const here = url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('arcis.js', document.baseURI).href)));
-    let dir = path.dirname(here);
-    for (let i = 0; i < 6; i++) {
-      try {
-        const raw = fs.readFileSync(path.resolve(dir, "package.json"), "utf-8");
-        const pkg = JSON.parse(raw);
-        if (pkg.name === "@arcis/node" && pkg.version) {
-          return pkg.version;
-        }
-      } catch {
-      }
-      const parent = path.resolve(dir, "..");
-      if (parent === dir) break;
-      dir = parent;
-    }
-  } catch {
-  }
-  return "?";
-}
-async function fetchLatestVersion() {
-  try {
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), 5e3);
-    try {
-      const resp = await fetch("https://registry.npmjs.org/@arcis/node", {
-        headers: { Accept: "application/json" },
-        signal: controller.signal
-      });
-      if (!resp.ok) return null;
-      const data = await resp.json();
-      return data["dist-tags"]?.latest ?? null;
-    } finally {
-      clearTimeout(timer);
-    }
-  } catch {
-    return null;
-  }
-}
-function parseVersion(v) {
-  const parts = v.split(".");
-  const out = [];
-  for (const p of parts) {
-    if (!/^\d+$/.test(p)) return null;
-    out.push(Number(p));
-  }
-  return out;
-}
-function versionCompare(a, b) {
-  const len = Math.max(a.length, b.length);
-  for (let i = 0; i < len; i++) {
-    const x = a[i] ?? 0;
-    const y = b[i] ?? 0;
-    if (x < y) return -1;
-    if (x > y) return 1;
-  }
-  return 0;
-}
-function hasPythonArcis() {
-  const probes = [
-    { cmd: "arcis", args: ["--version"] },
-    { cmd: "python", args: ["-m", "arcis.cli", "--version"] },
-    { cmd: "python3", args: ["-m", "arcis.cli", "--version"] }
-  ];
-  for (const p of probes) {
-    try {
-      const result = child_process.spawnSync(p.cmd, p.args, {
-        stdio: ["ignore", "ignore", "ignore"],
-        timeout: 3e3,
-        shell: process.platform === "win32"
-      });
-      if (result.status === 0) return true;
-    } catch {
-    }
-  }
-  return false;
-}
-function forwardToPython(args) {
-  const candidates = [
-    { cmd: "arcis", args },
-    { cmd: "python", args: ["-m", "arcis.cli", ...args] },
-    { cmd: "python3", args: ["-m", "arcis.cli", ...args] }
-  ];
-  for (const cand of candidates) {
-    const result = child_process.spawnSync(cand.cmd, cand.args, {
-      stdio: "inherit",
-      shell: process.platform === "win32"
-    });
-    if (result.error) continue;
-    process.exit(result.status ?? 0);
-  }
-  console.error(
-    c("arcis: could not invoke the Python CLI. Install with:", RED, BOLD)
-  );
-  console.error("  pip install arcis");
-  process.exit(127);
-}
-function printCatalog(verbose) {
-  const ver = getInstalledVersion();
-  console.log();
-  console.log(`  ${c("Arcis", BOLD, CYAN)}  ${c(`v${ver}`, DIM)}  ${c("(node)", DIM)}`);
-  console.log(c("  Zero-dep security middleware + scanners.", DIM));
-  console.log();
-  console.log(c("  Commands", BOLD));
-  const rows = [
-    [
-      "scan",
-      "Send live attack payloads to a running app.",
-      "arcis scan http://localhost:8000 --route POST:/echo --field q"
-    ],
-    [
-      "audit",
-      "Static-analyse Python / JS / TS source for unsafe patterns.",
-      "arcis audit ."
-    ],
-    [
-      "sca",
-      "Match installed dependencies against the supply-chain threat DB.",
-      "arcis sca ."
-    ],
-    ["update", "Check npm for a newer @arcis/node release.", "arcis update --apply"]
-  ];
-  for (const [name, desc, example] of rows) {
-    console.log(`    ${c(name.padEnd(8), BOLD, GREEN)} ${desc}`);
-    if (verbose) {
-      console.log(`             ${c(example, DIM)}`);
-    }
-  }
-  console.log();
-  console.log(c("  Discovery", BOLD));
-  console.log(`    ${c("--list", BOLD, CYAN).padEnd(24)} Show this catalog (verbose).`);
-  console.log(
-    `    ${c("<cmd> --help", BOLD, CYAN).padEnd(24)} Show full flags for that command.`
-  );
-  console.log();
-  console.log(c("  Note", BOLD));
-  console.log(
-    `    scan/audit/sca delegate to the Python CLI (canonical impl).`
-  );
-  console.log(`    Install once with:  ${c("pip install arcis", GREEN)}`);
-  console.log();
-}
-async function updateCommand(args) {
-  const apply = args.includes("--apply");
-  const check = args.includes("--check");
-  const yes = args.includes("--yes") || args.includes("-y");
-  const current = getInstalledVersion();
-  const latest = await fetchLatestVersion();
-  if (check) {
-    if (latest === null) {
-      console.error("arcis: could not reach npm to check for updates");
-      process.exitCode = 2;
-      return;
-    }
-    const cur2 = parseVersion(current);
-    const lat2 = parseVersion(latest);
-    if (!cur2 || !lat2 || versionCompare(cur2, lat2) >= 0) {
-      console.log(`@arcis/node ${current} is up-to-date`);
-      process.exitCode = 0;
-      return;
-    }
-    console.error(`@arcis/node ${current} is outdated; latest is ${latest}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log();
-  console.log(c("  @arcis/node update check", BOLD, CYAN));
-  console.log(c("  Source: https://registry.npmjs.org/@arcis/node", DIM));
-  console.log();
-  if (latest === null) {
-    console.log(`    Installed   @arcis/node ${current}`);
-    console.log(
-      `    Latest      ${c("? unreachable", YELLOW)}  ${c("(network error or npm down)", DIM)}`
-    );
-    console.log();
-    console.log(c("  Try again later, or run 'npm view @arcis/node version' directly.", DIM));
-    console.log();
-    process.exitCode = 2;
-    return;
-  }
-  const cur = parseVersion(current);
-  const lat = parseVersion(latest);
-  if (!cur || !lat) {
-    console.log(
-      `    Installed   @arcis/node ${current}  ${c("(pre-release or unparseable)", DIM)}`
-    );
-    console.log(`    Latest      @arcis/node ${latest}`);
-    console.log();
-    console.log(c("  Skipping comparison \u2014 manually decide.", DIM));
-    console.log();
-    process.exitCode = 0;
-    return;
-  }
-  if (versionCompare(cur, lat) >= 0) {
-    console.log(`    Installed   @arcis/node ${current}`);
-    console.log(`    Latest      @arcis/node ${latest}`);
-    console.log();
-    console.log(c("  You are on the latest version.", BOLD, GREEN));
-    console.log();
-    process.exitCode = 0;
-    return;
-  }
-  console.log(`    Installed   @arcis/node ${current}`);
-  console.log(
-    `    Latest      ${c(`@arcis/node ${latest}`, BOLD)}  ${c("(update available)", YELLOW)}`
-  );
-  console.log();
-  console.log(c("  Run to upgrade", BOLD));
-  console.log(`    ${c("npm install @arcis/node@latest", GREEN)}`);
-  console.log();
-  if (!apply) {
-    console.log(c("  Or rerun: 'arcis update --apply' to upgrade in place.", DIM));
-    console.log();
-    process.exitCode = 1;
-    return;
-  }
-  if (!yes && process.stdin.isTTY) {
-    process.stdout.write("Upgrade now? [y/N] ");
-    const response = await new Promise((res) => {
-      process.stdin.once("data", (chunk) => res(chunk.toString().trim().toLowerCase()));
-    });
-    if (!response.startsWith("y")) {
-      process.exitCode = 1;
-      return;
-    }
-  }
-  const npmCmd = process.platform === "win32" ? "npm.cmd" : "npm";
-  console.log(`  $ ${npmCmd} install @arcis/node@latest`);
-  const result = child_process.spawnSync(npmCmd, ["install", "@arcis/node@latest"], {
-    stdio: "inherit"
-  });
-  process.exitCode = result.status ?? 1;
-}
-async function main() {
-  const args = process.argv.slice(2);
-  if (args.length === 0) {
-    printCatalog(false);
-    process.exit(0);
-  }
-  const arg0 = args[0];
-  if (arg0 === "--list" || arg0 === "-l") {
-    printCatalog(true);
-    process.exit(0);
-  }
-  if (arg0 === "-h" || arg0 === "--help") {
-    printCatalog(false);
-    console.log(c("  Run 'arcis <command> --help' for full flags.", DIM));
-    console.log();
-    process.exit(0);
-  }
-  if (arg0 === "-V" || arg0 === "--version") {
-    console.log(getInstalledVersion());
-    process.exit(0);
-  }
-  if (arg0 === "update") {
-    await updateCommand(args.slice(1));
-    return;
-  }
-  if (arg0 === "scan" || arg0 === "audit" || arg0 === "sca") {
-    if (!hasPythonArcis()) {
-      console.error(
-        c(
-          `arcis: '${arg0}' is implemented by the Python CLI. Install with:`,
-          YELLOW,
-          BOLD
-        )
-      );
-      console.error("  pip install arcis");
-      console.error();
-      console.error(c("Why: scan/audit/sca rely on Python's threat-DB and rule data.", DIM));
-      console.error(
-        c(
-          "@arcis/node implements the middleware + dashboard upload \u2014 see the docs.",
-          DIM
-        )
-      );
-      process.exit(127);
-    }
-    forwardToPython(args);
-    return;
-  }
-  console.error(`arcis: unknown command '${arg0}'`);
-  console.error("Run 'arcis --list' for available commands.");
-  process.exit(1);
-}
-main().catch((err) => {
-  console.error(c(`arcis: unexpected error: ${err}`, RED));
-  process.exit(1);
-});
-//# sourceMappingURL=arcis.js.map
-//# sourceMappingURL=arcis.js.map