@georgegiosue/pzx 0.1.5

package/dist/index.js

@@ -0,0 +1,1487 @@
+#!/usr/bin/env bun
+// @bun
+var __require = import.meta.require;
+
+// src/cli.ts
+import { resolve } from "path";
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  let packageName;
+  let version;
+  let scanRoot = process.cwd();
+  let showHelp = false;
+  for (let i = 0;i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--help" || arg === "-h") {
+      showHelp = true;
+      continue;
+    }
+    if (arg === "--root" || arg === "-r") {
+      scanRoot = resolve(args[++i] || ".");
+      continue;
+    }
+    if (arg === "--home") {
+      scanRoot = process.env.HOME || process.env.USERPROFILE || "~";
+      continue;
+    }
+    if (!packageName) {
+      packageName = arg;
+      continue;
+    }
+    if (!version) {
+      version = arg;
+      continue;
+    }
+  }
+  return { packageName, version, scanRoot, showHelp };
+}
+
+// src/colors.ts
+var c = {
+  red: (s) => `\x1B[31m${s}\x1B[0m`,
+  green: (s) => `\x1B[32m${s}\x1B[0m`,
+  yellow: (s) => `\x1B[33m${s}\x1B[0m`,
+  cyan: (s) => `\x1B[36m${s}\x1B[0m`,
+  magenta: (s) => `\x1B[35m${s}\x1B[0m`,
+  bold: (s) => `\x1B[1m${s}\x1B[0m`,
+  dim: (s) => `\x1B[2m${s}\x1B[0m`,
+  boldRed: (s) => `\x1B[1;31m${s}\x1B[0m`,
+  boldGreen: (s) => `\x1B[1;32m${s}\x1B[0m`,
+  boldYellow: (s) => `\x1B[1;33m${s}\x1B[0m`,
+  boldCyan: (s) => `\x1B[1;36m${s}\x1B[0m`,
+  boldMagenta: (s) => `\x1B[1;35m${s}\x1B[0m`
+};
+
+// src/semver.ts
+function parseSemver(v) {
+  const cleaned = v.replace(/^[v^~>=<]+/, "");
+  const base = cleaned.split("-")[0].split("+")[0];
+  const parts = base.split(".");
+  return [
+    parseInt(parts[0] || "0", 10),
+    parseInt(parts[1] || "0", 10),
+    parseInt(parts[2] || "0", 10)
+  ];
+}
+function compareSemver(a, b) {
+  const pa = parseSemver(a);
+  const pb = parseSemver(b);
+  for (let i = 0;i < 3; i++) {
+    if (pa[i] < pb[i])
+      return -1;
+    if (pa[i] > pb[i])
+      return 1;
+  }
+  return 0;
+}
+function semverGte(a, b) {
+  return compareSemver(a, b) >= 0;
+}
+
+// src/osv.ts
+var OSV_API = "https://api.osv.dev/v1/query";
+async function queryOSV(packageName, version) {
+  const allVulns = [];
+  let pageToken;
+  do {
+    const body = {
+      package: { name: packageName, ecosystem: "npm" }
+    };
+    if (version)
+      body.version = version;
+    if (pageToken)
+      body.page_token = pageToken;
+    const res = await fetch(OSV_API, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      throw new Error(`OSV API returned ${res.status}: ${res.statusText}`);
+    }
+    const data = await res.json();
+    if (data.vulns)
+      allVulns.push(...data.vulns);
+    pageToken = data.next_page_token;
+  } while (pageToken);
+  return allVulns;
+}
+function isVersionAffected(version, vuln) {
+  if (!vuln.affected)
+    return false;
+  for (const aff of vuln.affected) {
+    if (aff.package.ecosystem !== "npm")
+      continue;
+    if (aff.versions?.includes(version))
+      return true;
+    if (aff.ranges) {
+      for (const range of aff.ranges) {
+        if (range.type !== "ECOSYSTEM")
+          continue;
+        let vulnerable = false;
+        for (const event of range.events) {
+          if (event.introduced !== undefined) {
+            if (event.introduced === "0" || semverGte(version, event.introduced)) {
+              vulnerable = true;
+            }
+          }
+          if (event.fixed !== undefined) {
+            if (semverGte(version, event.fixed)) {
+              vulnerable = false;
+            }
+          }
+          if (event.last_affected !== undefined) {
+            if (compareSemver(version, event.last_affected) > 0) {
+              vulnerable = false;
+            }
+          }
+        }
+        if (vulnerable)
+          return true;
+      }
+    }
+  }
+  return false;
+}
+function getCVEs(vuln) {
+  return (vuln.aliases ?? []).filter((a) => a.startsWith("CVE-"));
+}
+function getAffectedRange(version, vuln) {
+  const ranges = [];
+  if (!vuln.affected)
+    return ranges;
+  for (const aff of vuln.affected) {
+    if (aff.package.ecosystem !== "npm")
+      continue;
+    if (!aff.ranges)
+      continue;
+    for (const range of aff.ranges) {
+      if (range.type !== "ECOSYSTEM")
+        continue;
+      let currentIntroduced = null;
+      for (const event of range.events) {
+        if (event.introduced !== undefined) {
+          if (event.introduced === "0" || semverGte(version, event.introduced)) {
+            currentIntroduced = event.introduced;
+          }
+        }
+        if (event.fixed !== undefined) {
+          if (currentIntroduced && !semverGte(version, event.fixed)) {
+            ranges.push({ introduced: currentIntroduced, fixed: event.fixed });
+          }
+        }
+      }
+      if (currentIntroduced && ranges.length === 0) {
+        ranges.push({ introduced: currentIntroduced, fixed: null });
+      }
+    }
+  }
+  return ranges;
+}
+
+// src/formatter.ts
+function printUsage() {
+  console.log(`
+${c.boldCyan("pzx")} \u2014 SCA para npm: vulnerabilidades + cadena de suministro + sandbox
+
+${c.bold("Uso:")} pzx [paquete] [version] [opciones]
+
+${c.bold("Argumentos:")}
+  paquete     Nombre del paquete npm (ej: lodash, @babel/core)
+              Sin argumento: escanea TODOS los paquetes instalados
+  version     Version especifica a consultar (opcional)
+
+${c.bold("Opciones:")}
+  --root, -r  Directorio raiz para escanear (default: directorio actual)
+  --home      Escanear desde el directorio home
+  --help, -h  Mostrar esta ayuda
+
+${c.bold("Ejemplos:")}
+  pzx                          Escaneo completo (todos los paquetes)
+  pzx lodash                   Buscar lodash
+  pzx @babel/core 7.20.0      Version especifica
+  pzx express --home           Escanear desde home
+
+${c.bold("Compilar como binario:")}
+  bun build --compile ./index.ts --outfile pzx
+`);
+}
+
+// src/scanner.ts
+var {Glob } = globalThis.Bun;
+import { dirname, join } from "path";
+var DEP_FIELDS = [
+  "dependencies",
+  "devDependencies",
+  "peerDependencies",
+  "optionalDependencies"
+];
+var BATCH_SIZE = 50;
+var EMPTY_SCRIPTS = {
+  preinstall: null,
+  install: null,
+  postinstall: null
+};
+async function scanPackageJsonFiles(scanRoot) {
+  const files = [];
+  const glob = new Glob("**/package.json");
+  for await (const filePath of glob.scan({
+    cwd: scanRoot,
+    absolute: true,
+    followSymlinks: false,
+    onlyFiles: true
+  })) {
+    if (filePath.includes("/node_modules/") || filePath.includes("/.git/")) {
+      continue;
+    }
+    files.push(filePath);
+  }
+  return files;
+}
+async function filterProjectsWithPackage(packageJsonPaths, packageName) {
+  const matches = [];
+  for (let i = 0;i < packageJsonPaths.length; i += BATCH_SIZE) {
+    const batch = packageJsonPaths.slice(i, i + BATCH_SIZE);
+    const results = await Promise.all(batch.map(async (pkgPath) => {
+      try {
+        const pkg = await Bun.file(pkgPath).json();
+        for (const field of DEP_FIELDS) {
+          if (pkg[field]?.[packageName]) {
+            return {
+              packageJsonPath: pkgPath,
+              projectDir: dirname(pkgPath),
+              declaredVersion: pkg[field][packageName],
+              depType: field
+            };
+          }
+        }
+      } catch {}
+      return null;
+    }));
+    for (const r of results) {
+      if (r)
+        matches.push(r);
+    }
+  }
+  return matches;
+}
+function extractLifecycleScripts(scripts) {
+  if (!scripts)
+    return { ...EMPTY_SCRIPTS };
+  return {
+    preinstall: scripts.preinstall ?? null,
+    install: scripts.install ?? null,
+    postinstall: scripts.postinstall ?? null
+  };
+}
+function resolveEntryPoint(packageDir, pkg) {
+  if (typeof pkg.exports === "string") {
+    return join(packageDir, pkg.exports);
+  }
+  if (pkg.exports && typeof pkg.exports === "object") {
+    const dot = pkg.exports["."];
+    if (typeof dot === "string")
+      return join(packageDir, dot);
+    if (dot && typeof dot === "object") {
+      const dotObj = dot;
+      const resolved = dotObj.import ?? dotObj.require ?? dotObj.default;
+      if (typeof resolved === "string")
+        return join(packageDir, resolved);
+    }
+  }
+  if (pkg.module)
+    return join(packageDir, pkg.module);
+  if (pkg.main)
+    return join(packageDir, pkg.main);
+  return join(packageDir, "index.js");
+}
+async function resolveInstalledPackage(projectDir, packageName) {
+  let dir = projectDir;
+  while (true) {
+    const candidate = join(dir, "node_modules", packageName, "package.json");
+    try {
+      const file = Bun.file(candidate);
+      if (await file.exists()) {
+        const pkg = await file.json();
+        const packageDir = dirname(candidate);
+        const entryPoint = resolveEntryPoint(packageDir, pkg);
+        return {
+          version: pkg.version ?? null,
+          lifecycleScripts: extractLifecycleScripts(pkg.scripts),
+          entryPoint,
+          packageDir,
+          packageDeps: pkg.dependencies ?? {}
+        };
+      }
+    } catch {}
+    const parent = dirname(dir);
+    if (parent === dir)
+      break;
+    dir = parent;
+  }
+  return {
+    version: null,
+    lifecycleScripts: { ...EMPTY_SCRIPTS },
+    entryPoint: null,
+    packageDir: null,
+    packageDeps: {}
+  };
+}
+
+// src/registry.ts
+var NPM_REGISTRY = "https://registry.npmjs.org";
+async function fetchRegistryMetadata(packageName, installedVersion) {
+  const url = `${NPM_REGISTRY}/${encodeURIComponent(packageName)}`;
+  const res = await fetch(url, {
+    headers: { Accept: "application/json" }
+  });
+  if (!res.ok) {
+    throw new Error(`NPM Registry returned ${res.status}: ${res.statusText}`);
+  }
+  const data = await res.json();
+  const lastModified = new Date(data.time.modified);
+  let versionPublishedAt = null;
+  if (installedVersion && data.time[installedVersion]) {
+    versionPublishedAt = new Date(data.time[installedVersion]);
+  }
+  let deprecated = null;
+  if (installedVersion && data.versions?.[installedVersion]?.deprecated) {
+    deprecated = data.versions[installedVersion].deprecated;
+  } else if (data.deprecated) {
+    deprecated = data.deprecated;
+  }
+  const maintainerCount = data.maintainers?.length ?? 0;
+  const repoUrl = data.repository?.url;
+  const hasRepository = typeof repoUrl === "string" && repoUrl.length > 0;
+  return {
+    lastModified,
+    versionPublishedAt,
+    deprecated,
+    maintainerCount,
+    hasRepository
+  };
+}
+
+// src/static-analysis.ts
+var IOC_SIGNATURES = [
+  { name: "eval()", pattern: /\beval\s*\(/ },
+  { name: "new Function()", pattern: /new\s+Function\s*\(/ },
+  { name: "Buffer.from base64", pattern: /Buffer\.from\s*\([^)]*['"]base64['"]\s*\)/ },
+  { name: "Hex string largo", pattern: /\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){15,}/ },
+  { name: "child_process", pattern: /require\s*\(\s*['"]child_process['"]\s*\)/ },
+  { name: "child_process import", pattern: /from\s+['"]child_process['"]/ },
+  { name: "exec()", pattern: /\bexec\s*\(\s*['"`]/ },
+  { name: "execSync()", pattern: /\bexecSync\s*\(/ },
+  { name: "os.networkInterfaces", pattern: /os\.networkInterfaces\s*\(/ },
+  { name: "IP cruda en URL", pattern: /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ },
+  { name: "process.env exfiltration", pattern: /process\.env\b.*(?:fetch|http|request|axios|got)\b/ },
+  { name: "DNS exfiltration", pattern: /dns\.resolve|dns\.lookup.*process\.env/ }
+];
+var MAX_FILE_SIZE = 2 * 1024 * 1024;
+function scanSource(source, fileName) {
+  const matches = [];
+  const lines = source.split(`
+`);
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    for (const sig of IOC_SIGNATURES) {
+      if (sig.pattern.test(line)) {
+        const snippet = line.trim().length > 120 ? line.trim().substring(0, 120) + "..." : line.trim();
+        matches.push({
+          pattern: sig.name,
+          line: i + 1,
+          snippet
+        });
+      }
+    }
+  }
+  return matches;
+}
+async function analyzeEntryPoint(entryPointPath) {
+  try {
+    const file = Bun.file(entryPointPath);
+    if (!await file.exists())
+      return [];
+    const size = file.size;
+    if (size > MAX_FILE_SIZE)
+      return [];
+    const source = await file.text();
+    return scanSource(source, entryPointPath);
+  } catch {
+    return [];
+  }
+}
+function matchesToRisks(matches, filePath) {
+  if (matches.length === 0)
+    return [];
+  const uniquePatterns = [
+    ...new Set(matches.map((m) => m.pattern))
+  ];
+  const details = matches.slice(0, 5).map((m) => `L${m.line}: [${m.pattern}] ${m.snippet}`);
+  const suffix = matches.length > 5 ? `
+  ... y ${matches.length - 5} mas` : "";
+  return [
+    {
+      type: "obfuscation",
+      severity: "critical",
+      message: `Patrones sospechosos en ${filePath.split("/").pop()}: ${uniquePatterns.join(", ")}`,
+      detail: details.join(`
+  `) + suffix
+    }
+  ];
+}
+
+// src/dep-audit.ts
+var RANDOM_NAME_PATTERN = /^[a-z]{8,}$/;
+var URL_VERSION_PATTERN = /^(?:https?:\/\/|git\+https?:\/\/|git:\/\/|git\+ssh:\/\/)/;
+var IP_IN_URL_PATTERN = /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
+var FILE_PROTOCOL_PATTERN = /^file:/;
+var ENTROPY_THRESHOLD = 3.5;
+var MIN_NAME_LENGTH_FOR_ENTROPY = 6;
+function hasVowel(s) {
+  return /[aeiou]/i.test(s);
+}
+function shannonEntropy(s) {
+  const freq = new Map;
+  for (const ch of s) {
+    freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / s.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function isRandomName(name) {
+  const baseName = name.startsWith("@") ? name.split("/")[1] ?? name : name;
+  if (baseName.length < MIN_NAME_LENGTH_FOR_ENTROPY)
+    return false;
+  if (RANDOM_NAME_PATTERN.test(baseName) && !hasVowel(baseName)) {
+    return true;
+  }
+  if (baseName.length >= MIN_NAME_LENGTH_FOR_ENTROPY && shannonEntropy(baseName) > ENTROPY_THRESHOLD && !hasVowel(baseName)) {
+    return true;
+  }
+  return false;
+}
+function isSuspiciousVersion(version) {
+  if (URL_VERSION_PATTERN.test(version))
+    return true;
+  if (IP_IN_URL_PATTERN.test(version))
+    return true;
+  if (FILE_PROTOCOL_PATTERN.test(version))
+    return true;
+  return false;
+}
+function auditDependencies(deps) {
+  const suspicious = [];
+  for (const [name, version] of Object.entries(deps)) {
+    if (isRandomName(name)) {
+      suspicious.push({
+        name,
+        version,
+        reason: "Nombre con patron aleatorio"
+      });
+    }
+    if (isSuspiciousVersion(version)) {
+      suspicious.push({
+        name,
+        version,
+        reason: "Origen no estandar (URL/IP/file)"
+      });
+    }
+  }
+  return suspicious;
+}
+function auditToRisks(suspicious) {
+  if (suspicious.length === 0)
+    return [];
+  const details = suspicious.map((d) => `${d.name}@${d.version} (${d.reason})`);
+  return [
+    {
+      type: "suspicious-deps",
+      severity: "high",
+      message: `${suspicious.length} sub-dependencia(s) sospechosa(s)`,
+      detail: details.join(`
+  `)
+    }
+  ];
+}
+
+// src/ast-analysis.ts
+var SENSITIVE_MODULES = new Set([
+  "child_process",
+  "node:child_process",
+  "crypto",
+  "node:crypto",
+  "os",
+  "node:os",
+  "vm",
+  "node:vm",
+  "net",
+  "node:net",
+  "dgram",
+  "node:dgram",
+  "dns",
+  "node:dns",
+  "tls",
+  "node:tls",
+  "cluster",
+  "node:cluster",
+  "worker_threads",
+  "node:worker_threads"
+]);
+var BASE64_PATTERN = /["'`]([A-Za-z0-9+/=]{60,})["'`]/g;
+var ENTROPY_THRESHOLD2 = 4.5;
+var MAX_FILE_SIZE2 = 2 * 1024 * 1024;
+function shannonEntropy2(s) {
+  const freq = new Map;
+  for (const ch of s) {
+    freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / s.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function detectHighEntropyStrings(source) {
+  const results = [];
+  let match;
+  while ((match = BASE64_PATTERN.exec(source)) !== null) {
+    const candidate = match[1];
+    if (shannonEntropy2(candidate) >= ENTROPY_THRESHOLD2) {
+      const preview = candidate.length > 40 ? candidate.substring(0, 40) + "..." : candidate;
+      results.push(preview);
+    }
+  }
+  return results;
+}
+async function analyzeAST(entryPointPath) {
+  const empty = {
+    sensitiveModules: [],
+    highEntropyStrings: []
+  };
+  try {
+    const file = Bun.file(entryPointPath);
+    if (!await file.exists())
+      return empty;
+    if (file.size > MAX_FILE_SIZE2)
+      return empty;
+    const source = await file.text();
+    const loader = entryPointPath.endsWith(".ts") ? "ts" : entryPointPath.endsWith(".tsx") ? "tsx" : entryPointPath.endsWith(".jsx") ? "jsx" : "js";
+    const transpiler = new Bun.Transpiler({ loader });
+    const imports = transpiler.scanImports(source);
+    const sensitiveModules = [];
+    for (const imp of imports) {
+      if (SENSITIVE_MODULES.has(imp.path)) {
+        const clean = imp.path.replace("node:", "");
+        if (!sensitiveModules.includes(clean)) {
+          sensitiveModules.push(clean);
+        }
+      }
+    }
+    const highEntropyStrings = detectHighEntropyStrings(source);
+    return { sensitiveModules, highEntropyStrings };
+  } catch {
+    return empty;
+  }
+}
+function astResultToRisks(result, filePath) {
+  const risks = [];
+  const fileName = filePath.split("/").pop() ?? filePath;
+  if (result.sensitiveModules.length > 0) {
+    risks.push({
+      type: "ast-sensitive-import",
+      severity: "high",
+      message: `Importa modulos sensibles del sistema: ${result.sensitiveModules.join(", ")}`,
+      detail: `Detectado en ${fileName} via AST`
+    });
+  }
+  if (result.highEntropyStrings.length > 0) {
+    risks.push({
+      type: "high-entropy-string",
+      severity: "critical",
+      message: `${result.highEntropyStrings.length} string(s) Base64 de alta entropia (posible payload ofuscado)`,
+      detail: result.highEntropyStrings.slice(0, 3).map((s) => `"${s}"`).join(`
+  `)
+    });
+  }
+  return risks;
+}
+
+// src/sandbox.ts
+import { join as join2 } from "path";
+import { mkdirSync } from "fs";
+var SANDBOX_TIMEOUT_MS = 1500;
+var VIOLATION_PATTERN = /SANDBOX_VIOLATION:(\w+)(?::(.*))?/g;
+var BUN_PATH = process.execPath;
+function generateMockEnv() {
+  return `
+// \u2500\u2500\u2500 pzx sandbox: intercepta APIs peligrosas \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+const _origFetch = globalThis.fetch;
+globalThis.fetch = (...args) => {
+  const url = typeof args[0] === "string" ? args[0] : args[0]?.url ?? "unknown";
+  console.error("SANDBOX_VIOLATION:NETWORK:" + url);
+  return Promise.resolve(new Response("", { status: 200 }));
+};
+
+try {
+  const _fs = require("fs");
+  const _origRead = _fs.readFileSync;
+  _fs.readFileSync = (...args) => {
+    console.error("SANDBOX_VIOLATION:FS_READ:" + String(args[0]));
+    return Buffer.from("");
+  };
+  const _origWrite = _fs.writeFileSync;
+  _fs.writeFileSync = (...args) => {
+    console.error("SANDBOX_VIOLATION:FS_READ:" + String(args[0]));
+  };
+} catch {}
+
+try {
+  const _cp = require("child_process");
+  for (const fn of ["exec", "execSync", "spawn", "spawnSync", "execFile", "execFileSync"]) {
+    _cp[fn] = (...args) => {
+      console.error("SANDBOX_VIOLATION:EXEC:" + String(args[0]));
+      return { stdout: "", stderr: "", pid: 0, on: () => {}, kill: () => {} };
+    };
+  }
+} catch {}
+
+try {
+  const _http = require("http");
+  const _origRequest = _http.request;
+  _http.request = (...args) => {
+    const url = typeof args[0] === "string" ? args[0] : args[0]?.hostname ?? "unknown";
+    console.error("SANDBOX_VIOLATION:NETWORK:" + url);
+    return { on: () => {}, end: () => {}, write: () => {} };
+  };
+} catch {}
+
+try {
+  const _https = require("https");
+  const _origRequest = _https.request;
+  _https.request = (...args) => {
+    const url = typeof args[0] === "string" ? args[0] : args[0]?.hostname ?? "unknown";
+    console.error("SANDBOX_VIOLATION:NETWORK:" + url);
+    return { on: () => {}, end: () => {}, write: () => {} };
+  };
+} catch {}
+`.trim();
+}
+function generateDetonate(entryPoint) {
+  return `try { require(${JSON.stringify(entryPoint)}); } catch {}`;
+}
+async function writeSandboxFiles(entryPoint) {
+  const id = Math.random().toString(36).substring(2, 10);
+  const dir = join2("/tmp", `pzx-sandbox-${id}`);
+  mkdirSync(dir, { recursive: true });
+  const mockEnvPath = join2(dir, "mock-env.js");
+  const detonatePath = join2(dir, "detonate.js");
+  await Promise.all([
+    Bun.write(mockEnvPath, generateMockEnv()),
+    Bun.write(detonatePath, generateDetonate(entryPoint))
+  ]);
+  return { mockEnvPath, detonatePath, dir };
+}
+function parseSandboxOutput(output) {
+  const violations = [];
+  let match;
+  while ((match = VIOLATION_PATTERN.exec(output)) !== null) {
+    const rawType = match[1];
+    const detail = match[2] ?? "";
+    const type = rawType === "NETWORK" ? "NETWORK" : rawType === "EXEC" ? "EXEC" : "FS_READ";
+    violations.push({ type, detail });
+  }
+  return violations;
+}
+async function detonate(entryPoint) {
+  const { mockEnvPath, detonatePath, dir } = await writeSandboxFiles(entryPoint);
+  try {
+    const proc = Bun.spawn([BUN_PATH, "-r", mockEnvPath, detonatePath], {
+      env: { HOME: "/tmp" },
+      stdout: "pipe",
+      stderr: "pipe",
+      cwd: dir
+    });
+    const timeoutPromise = new Promise((resolve2) => {
+      setTimeout(() => resolve2("timeout"), SANDBOX_TIMEOUT_MS);
+    });
+    const exitPromise = proc.exited.then(() => "done");
+    const race = await Promise.race([
+      exitPromise,
+      timeoutPromise
+    ]);
+    const timedOut = race === "timeout";
+    if (timedOut) {
+      proc.kill();
+    }
+    const [stdoutText, stderrText] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text()
+    ]);
+    const combined = stdoutText + `
+` + stderrText;
+    const violations = parseSandboxOutput(combined);
+    return {
+      violations,
+      timedOut,
+      exitCode: timedOut ? null : proc.exitCode,
+      stderr: stderrText.substring(0, 2000)
+    };
+  } finally {
+    try {
+      const { rmSync } = await import("fs");
+      rmSync(dir, { recursive: true, force: true });
+    } catch {}
+  }
+}
+function sandboxResultToRisks(result) {
+  const risks = [];
+  const networkViolations = result.violations.filter((v) => v.type === "NETWORK");
+  if (networkViolations.length > 0) {
+    const targets = networkViolations.slice(0, 3).map((v) => v.detail).join(", ");
+    risks.push({
+      type: "sandbox-network",
+      severity: "critical",
+      message: "El paquete intento acceder a la red durante la inicializacion",
+      detail: `Destinos: ${targets}`
+    });
+  }
+  const execViolations = result.violations.filter((v) => v.type === "EXEC");
+  if (execViolations.length > 0) {
+    const cmds = execViolations.slice(0, 3).map((v) => v.detail).join(", ");
+    risks.push({
+      type: "sandbox-exec",
+      severity: "critical",
+      message: "Intento ejecutar comandos en la terminal",
+      detail: `Comandos: ${cmds}`
+    });
+  }
+  const fsViolations = result.violations.filter((v) => v.type === "FS_READ");
+  if (fsViolations.length > 0) {
+    const paths = fsViolations.slice(0, 3).map((v) => v.detail).join(", ");
+    risks.push({
+      type: "sandbox-fs",
+      severity: "critical",
+      message: "Intento leer/escribir el sistema de archivos",
+      detail: `Rutas: ${paths}`
+    });
+  }
+  if (result.timedOut) {
+    risks.push({
+      type: "sandbox-timeout",
+      severity: "high",
+      message: "Comportamiento anomalo: bloqueo del hilo principal o persistencia",
+      detail: "El proceso fue terminado tras 1500ms sin respuesta"
+    });
+  }
+  return risks;
+}
+
+// src/sca.ts
+var DANGEROUS_SCRIPTS = [
+  "preinstall",
+  "install",
+  "postinstall"
+];
+var ABANDONMENT_THRESHOLD_MS = 3 * 365 * 24 * 60 * 60 * 1000;
+var QUARANTINE_THRESHOLD_MS = 48 * 60 * 60 * 1000;
+function detectLifecycleScripts(scripts) {
+  const risks = [];
+  for (const name of DANGEROUS_SCRIPTS) {
+    const value = scripts[name];
+    if (value !== null) {
+      risks.push({
+        type: "lifecycle-scripts",
+        severity: "high",
+        message: `Script de ejecucion automatica: ${name}`,
+        detail: value
+      });
+    }
+  }
+  return risks;
+}
+function detectAbandonment(meta, now = new Date) {
+  const elapsed = now.getTime() - meta.lastModified.getTime();
+  if (elapsed > ABANDONMENT_THRESHOLD_MS) {
+    const years = Math.floor(elapsed / (365 * 24 * 60 * 60 * 1000));
+    return {
+      type: "abandoned",
+      severity: "medium",
+      message: `Sin actualizacion en ${years} a\xF1o(s) (riesgo de takeover)`,
+      detail: `Ultima actualizacion: ${meta.lastModified.toISOString().split("T")[0]}`
+    };
+  }
+  return null;
+}
+function detectDeprecation(meta) {
+  if (meta.deprecated) {
+    return {
+      type: "deprecated",
+      severity: "medium",
+      message: "Paquete marcado como DEPRECADO",
+      detail: meta.deprecated
+    };
+  }
+  return null;
+}
+function detectQuarantine(meta, now = new Date) {
+  if (!meta.versionPublishedAt)
+    return null;
+  const elapsed = now.getTime() - meta.versionPublishedAt.getTime();
+  if (elapsed < QUARANTINE_THRESHOLD_MS) {
+    const hours = Math.floor(elapsed / (60 * 60 * 1000));
+    return {
+      type: "quarantine",
+      severity: "high",
+      message: `Publicado hace ${hours}h (cuarentena sugerida)`,
+      detail: `Fecha de publicacion: ${meta.versionPublishedAt.toISOString()}`
+    };
+  }
+  return null;
+}
+function detectTyposquatting(meta) {
+  if (meta.maintainerCount <= 1 && !meta.hasRepository) {
+    return {
+      type: "typosquatting",
+      severity: "high",
+      message: "Posible typosquatting: un solo mantenedor y sin repositorio",
+      detail: `Mantenedores: ${meta.maintainerCount}, Repositorio: no`
+    };
+  }
+  return null;
+}
+function analyzeSupplyChainRisks(scripts, meta, now = new Date, staticMatches = [], entryPoint = null, packageDeps = {}, astAnalysis, sandboxResult) {
+  const risks = [];
+  risks.push(...detectLifecycleScripts(scripts));
+  if (meta) {
+    const abandonment = detectAbandonment(meta, now);
+    if (abandonment)
+      risks.push(abandonment);
+    const deprecation = detectDeprecation(meta);
+    if (deprecation)
+      risks.push(deprecation);
+    const quarantine = detectQuarantine(meta, now);
+    if (quarantine)
+      risks.push(quarantine);
+    const typosquatting = detectTyposquatting(meta);
+    if (typosquatting)
+      risks.push(typosquatting);
+  }
+  if (staticMatches.length > 0 && entryPoint) {
+    risks.push(...matchesToRisks(staticMatches, entryPoint));
+  }
+  const suspicious = auditDependencies(packageDeps);
+  risks.push(...auditToRisks(suspicious));
+  if (astAnalysis && entryPoint) {
+    risks.push(...astResultToRisks(astAnalysis, entryPoint));
+  }
+  if (sandboxResult) {
+    risks.push(...sandboxResultToRisks(sandboxResult));
+  }
+  return risks;
+}
+
+// src/reporter.ts
+function printBanner(pkg, version, scanRoot) {
+  const versionLabel = version ? ` v${version}` : "";
+  console.log(`
+${c.boldCyan("pzx")} \u2014 buscando ${c.bold(`"${pkg}"`)}${versionLabel} en ${c.dim(scanRoot)}
+`);
+}
+function printVulnSummary(pkg, version, vulns) {
+  if (vulns.length > 0) {
+    console.log(c.boldRed(`\u26A0 ${vulns.length} vulnerabilidad(es) conocida(s) para ${pkg}:`));
+    const preview = vulns.slice(0, 5);
+    for (const v of preview) {
+      const cves = getCVEs(v);
+      const cveStr = cves.length > 0 ? c.magenta(cves.join(", ")) : c.dim("sin CVE");
+      console.log(`  ${c.red(v.id)} ${cveStr} ${c.dim(v.summary ?? "")}`);
+    }
+    if (vulns.length > 5) {
+      console.log(c.dim(`  ... y ${vulns.length - 5} m\xE1s`));
+    }
+    console.log();
+  } else {
+    const versionLabel = version ? ` v${version}` : "";
+    console.log(c.boldGreen(`\u2713 Sin vulnerabilidades conocidas para ${pkg}${versionLabel}
+`));
+  }
+}
+function printRegistrySummary(meta) {
+  if (!meta) {
+    console.log(c.yellow(`\u26A0 No se pudo consultar el registro NPM
+`));
+    return;
+  }
+  const modified = meta.lastModified.toISOString().split("T")[0];
+  console.log(c.dim(`Ultima actualizacion en NPM: ${modified}
+`));
+}
+function printNoProjectsFound(pkg, scanRoot) {
+  console.log(c.yellow(`No se encontraron proyectos que referencien "${pkg}" en ${scanRoot}`));
+}
+function printProjectCount(pkg, count) {
+  console.log(c.dim(`Encontrados ${count} proyecto(s) con "${pkg}"
+`));
+}
+function formatOsvStatus(installedVersion, vulns) {
+  const affectingVulns = vulns.filter((v) => isVersionAffected(installedVersion, v));
+  if (affectingVulns.length === 0) {
+    return c.boldGreen("Seguro");
+  }
+  const labels = affectingVulns.map((v) => {
+    const cves = getCVEs(v);
+    const cveStr = cves.length > 0 ? cves.join(", ") : v.id;
+    return c.boldRed(`VULNERABLE ${cveStr}`);
+  });
+  return labels.join(" | ");
+}
+function formatNpmStatus(meta) {
+  if (!meta)
+    return c.dim("Sin datos de registro");
+  if (meta.deprecated) {
+    return c.boldYellow(`DEPRECADO: ${meta.deprecated}`);
+  }
+  const now = Date.now();
+  const elapsed = now - meta.lastModified.getTime();
+  const threeYears = 3 * 365 * 24 * 60 * 60 * 1000;
+  if (elapsed > threeYears) {
+    const years = Math.floor(elapsed / (365 * 24 * 60 * 60 * 1000));
+    return c.yellow(`Inactivo (${years} a\xF1os sin actualizar)`);
+  }
+  return c.green("Activo");
+}
+function formatRisks(risks) {
+  if (risks.length === 0)
+    return c.green("Ninguno");
+  const parts = risks.map((r) => {
+    switch (r.type) {
+      case "lifecycle-scripts":
+        return c.magenta(`[!] ${r.message}`);
+      case "abandoned":
+        return c.yellow(`[~] ${r.message}`);
+      case "deprecated":
+        return c.yellow(`[~] ${r.message}`);
+      case "quarantine":
+        return c.boldCyan(`[!!] ${r.message}`);
+      case "obfuscation":
+        return c.boldRed(`[!!!] ${r.message}`);
+      case "typosquatting":
+        return c.boldYellow(`[!!] ${r.message}`);
+      case "suspicious-deps":
+        return c.boldMagenta(`[!!] ${r.message}`);
+      case "ast-sensitive-import":
+        return c.boldYellow(`[!] ${r.message}`);
+      case "high-entropy-string":
+        return c.boldRed(`[!!] ${r.message}`);
+      case "sandbox-network":
+        return c.boldRed(`[!!!] ${r.message}`);
+      case "sandbox-exec":
+        return c.boldRed(`[!!!] ${r.message}`);
+      case "sandbox-fs":
+        return c.boldRed(`[!!!] ${r.message}`);
+      case "sandbox-timeout":
+        return c.boldYellow(`[!] ${r.message}`);
+    }
+  });
+  return parts.join(`
+              `);
+}
+function formatVulnDetails(installedVersion, vulns) {
+  const lines = [];
+  const affectingVulns = vulns.filter((v) => isVersionAffected(installedVersion, v));
+  for (const v of affectingVulns) {
+    const cves = getCVEs(v);
+    const cveStr = cves.length > 0 ? ` (${c.magenta(cves.join(", "))})` : "";
+    const ranges = getAffectedRange(installedVersion, v);
+    let rangeStr = "";
+    if (ranges.length > 0) {
+      const r = ranges[0];
+      const intro = r.introduced === "0" ? "todas" : r.introduced;
+      const fix = r.fixed ?? "sin fix";
+      rangeStr = c.dim(` [${intro} \u2192 ${fix}]`);
+    }
+    lines.push(`              ${c.red(v.id)}${cveStr}${rangeStr}`);
+    if (v.summary) {
+      lines.push(`              ${c.dim(v.summary)}`);
+    }
+  }
+  return lines;
+}
+function formatRiskDetails(risks) {
+  const lines = [];
+  for (const r of risks) {
+    if (r.type === "lifecycle-scripts") {
+      lines.push(`              ${c.dim(`\u2192 ${r.detail}`)}`);
+    }
+    if (r.type === "quarantine") {
+      lines.push(`              ${c.dim(r.detail)}`);
+    }
+    if (r.type === "obfuscation") {
+      for (const line of r.detail.split(`
+  `)) {
+        lines.push(`              ${c.red(line)}`);
+      }
+    }
+    if (r.type === "typosquatting") {
+      lines.push(`              ${c.yellow(r.detail)}`);
+    }
+    if (r.type === "suspicious-deps") {
+      for (const line of r.detail.split(`
+  `)) {
+        lines.push(`              ${c.magenta(line)}`);
+      }
+    }
+    if (r.type === "ast-sensitive-import" || r.type === "high-entropy-string") {
+      lines.push(`              ${c.yellow(r.detail)}`);
+    }
+    if (r.type === "sandbox-network" || r.type === "sandbox-exec" || r.type === "sandbox-fs") {
+      lines.push(`              ${c.red(`\u2192 ${r.detail}`)}`);
+    }
+    if (r.type === "sandbox-timeout") {
+      lines.push(`              ${c.yellow(r.detail)}`);
+    }
+  }
+  return lines;
+}
+function printProjectReport(report, vulns) {
+  console.log(`${c.boldCyan(`[Proyecto: ${report.projectDir}]`)}`);
+  if (!report.installedVersion) {
+    console.log(` \u2514\u2500\u2500 Instalado: ${c.boldYellow("NO INSTALADO")}`);
+    console.log(` \u2514\u2500\u2500 Declarado: ${c.yellow(report.declaredVersion)} (${report.depType})`);
+    console.log(` \u2514\u2500\u2500 ${c.yellow("Ejecuta bun install o npm install")}`);
+    console.log();
+    return;
+  }
+  const installed = report.installedVersion;
+  console.log(` \u2514\u2500\u2500 Instalado: ${c.bold(installed)} ${c.dim(`(declarado: ${report.declaredVersion})`)}`);
+  const osvStatus = formatOsvStatus(installed, vulns);
+  console.log(` \u2514\u2500\u2500 Estado OSV: ${osvStatus}`);
+  const vulnDetails = formatVulnDetails(installed, vulns);
+  for (const line of vulnDetails) {
+    console.log(line);
+  }
+  const npmStatus = formatNpmStatus(report.registryMeta);
+  console.log(` \u2514\u2500\u2500 NPM Status: ${npmStatus}`);
+  const risksStr = formatRisks(report.risks);
+  console.log(` \u2514\u2500\u2500 Riesgos: ${risksStr}`);
+  const riskDetails = formatRiskDetails(report.risks);
+  for (const line of riskDetails) {
+    console.log(line);
+  }
+  console.log();
+}
+function printReports(reports, vulns) {
+  const summary = {
+    vulnerable: 0,
+    safe: 0,
+    notInstalled: 0,
+    withRisks: 0
+  };
+  for (const report of reports) {
+    printProjectReport(report, vulns);
+    if (!report.installedVersion) {
+      summary.notInstalled++;
+      continue;
+    }
+    const isVulnerable = vulns.some((v) => isVersionAffected(report.installedVersion, v));
+    if (isVulnerable) {
+      summary.vulnerable++;
+    } else {
+      summary.safe++;
+    }
+    if (report.risks.length > 0) {
+      summary.withRisks++;
+    }
+  }
+  return summary;
+}
+function printSummary(summary) {
+  console.log(c.dim("\u2500".repeat(70)));
+  console.log(`
+${c.bold("Resumen:")} ${c.red(`${summary.vulnerable} vulnerable(s)`)} \xB7 ${c.green(`${summary.safe} seguro(s)`)} \xB7 ${c.yellow(`${summary.notInstalled} no instalado(s)`)} \xB7 ${c.magenta(`${summary.withRisks} con riesgos`)}
+`);
+}
+
+// src/steps.ts
+var banner = {
+  name: "banner",
+  execute: async (ctx) => {
+    printBanner(ctx.pkg, ctx.version, ctx.scanRoot);
+  }
+};
+var fetchVulnsAndScan = {
+  name: "fetch-vulns-and-scan",
+  execute: async (ctx) => {
+    const [vulns, packageJsonPaths] = await Promise.all([
+      queryOSV(ctx.pkg, ctx.version).catch((err) => {
+        console.error(c.red(`Error consultando OSV: ${err.message}`));
+        return [];
+      }),
+      scanPackageJsonFiles(ctx.scanRoot)
+    ]);
+    ctx.vulns = vulns;
+    ctx.packageJsonPaths = packageJsonPaths;
+    printVulnSummary(ctx.pkg, ctx.version, ctx.vulns);
+  }
+};
+var fetchRegistryInfo = {
+  name: "fetch-registry-info",
+  execute: async (ctx) => {
+    try {
+      ctx.registryMeta = await fetchRegistryMetadata(ctx.pkg, ctx.version ?? null);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(c.yellow(`Advertencia NPM Registry: ${message}`));
+      ctx.registryMeta = null;
+    }
+    printRegistrySummary(ctx.registryMeta);
+  }
+};
+var filterProjects = {
+  name: "filter-projects",
+  execute: async (ctx) => {
+    ctx.matchingProjects = await filterProjectsWithPackage(ctx.packageJsonPaths, ctx.pkg);
+    if (ctx.matchingProjects.length === 0) {
+      printNoProjectsFound(ctx.pkg, ctx.scanRoot);
+      process.exit(0);
+    }
+    printProjectCount(ctx.pkg, ctx.matchingProjects.length);
+  }
+};
+var resolveVersions = {
+  name: "resolve-versions",
+  execute: async (ctx) => {
+    ctx.results = await Promise.all(ctx.matchingProjects.map(async (project) => {
+      const resolved = await resolveInstalledPackage(project.projectDir, ctx.pkg);
+      return {
+        ...project,
+        installedVersion: resolved.version,
+        lifecycleScripts: resolved.lifecycleScripts,
+        entryPoint: resolved.entryPoint,
+        packageDir: resolved.packageDir,
+        packageDeps: resolved.packageDeps
+      };
+    }));
+  }
+};
+var deepAnalysis = {
+  name: "deep-analysis",
+  execute: async (ctx) => {
+    await Promise.all(ctx.results.map(async (result) => {
+      if (result.entryPoint) {
+        const matches = await analyzeEntryPoint(result.entryPoint);
+        result.staticMatches = matches;
+      }
+    }));
+  }
+};
+var astAnalysisStep = {
+  name: "ast-analysis",
+  execute: async (ctx) => {
+    await Promise.all(ctx.results.map(async (result) => {
+      if (result.entryPoint) {
+        const astResult = await analyzeAST(result.entryPoint);
+        result.astAnalysis = astResult;
+      }
+    }));
+  }
+};
+var sandboxAnalysis = {
+  name: "sandbox-analysis",
+  execute: async (ctx) => {
+    for (const result of ctx.results) {
+      if (!result.entryPoint)
+        continue;
+      const hasSuspicion = (result.staticMatches?.length ?? 0) > 0 || (result.astAnalysis?.sensitiveModules.length ?? 0) > 0 || (result.astAnalysis?.highEntropyStrings.length ?? 0) > 0;
+      if (!hasSuspicion)
+        continue;
+      try {
+        const sandboxResult = await detonate(result.entryPoint);
+        result.sandboxResult = sandboxResult;
+      } catch {}
+    }
+  }
+};
+var analyzeRisks = {
+  name: "analyze-risks",
+  execute: async (ctx) => {
+    ctx.reports = ctx.results.map((result) => {
+      const risks = analyzeSupplyChainRisks(result.lifecycleScripts, result.installedVersion ? ctx.registryMeta : null, new Date, result.staticMatches ?? [], result.entryPoint, result.packageDeps, result.astAnalysis, result.sandboxResult);
+      return {
+        ...result,
+        risks,
+        registryMeta: ctx.registryMeta
+      };
+    });
+  }
+};
+var evaluate = {
+  name: "evaluate",
+  execute: async (ctx) => {
+    ctx.summary = printReports(ctx.reports, ctx.vulns);
+    printSummary(ctx.summary);
+    if (ctx.summary.vulnerable > 0)
+      process.exit(2);
+  }
+};
+
+// src/pipeline.ts
+function createContext(pkg, version, scanRoot) {
+  return {
+    pkg,
+    version,
+    scanRoot,
+    vulns: [],
+    packageJsonPaths: [],
+    matchingProjects: [],
+    results: [],
+    registryMeta: null,
+    reports: [],
+    summary: { vulnerable: 0, safe: 0, notInstalled: 0, withRisks: 0 }
+  };
+}
+async function executePipeline(ctx, steps) {
+  for (const step of steps) {
+    await step.execute(ctx);
+  }
+  return ctx;
+}
+var defaultSteps = [
+  banner,
+  fetchVulnsAndScan,
+  fetchRegistryInfo,
+  filterProjects,
+  resolveVersions,
+  deepAnalysis,
+  astAnalysisStep,
+  sandboxAnalysis,
+  analyzeRisks,
+  evaluate
+];
+async function run(pkg, version, scanRoot, steps = defaultSteps) {
+  const ctx = createContext(pkg, version, scanRoot);
+  return executePipeline(ctx, steps);
+}
+
+// src/scan-all.ts
+import { dirname as dirname2, join as join3 } from "path";
+import { readdirSync } from "fs";
+async function enumerateNodeModules(projectDir) {
+  const packages = [];
+  const nmDir = join3(projectDir, "node_modules");
+  let entries;
+  try {
+    entries = readdirSync(nmDir);
+  } catch {
+    return [];
+  }
+  for (const entry of entries) {
+    if (entry.startsWith("."))
+      continue;
+    if (entry.startsWith("@")) {
+      let scopedEntries;
+      try {
+        scopedEntries = readdirSync(join3(nmDir, entry));
+      } catch {
+        continue;
+      }
+      for (const scoped of scopedEntries) {
+        if (scoped.startsWith("."))
+          continue;
+        const name = `${entry}/${scoped}`;
+        const pkg2 = await readPackageMeta(projectDir, name);
+        if (pkg2)
+          packages.push(pkg2);
+      }
+      continue;
+    }
+    const pkg = await readPackageMeta(projectDir, entry);
+    if (pkg)
+      packages.push(pkg);
+  }
+  return packages;
+}
+async function readPackageMeta(projectDir, packageName) {
+  try {
+    const resolved = await resolveInstalledPackage(projectDir, packageName);
+    if (!resolved.version)
+      return null;
+    return {
+      name: packageName,
+      version: resolved.version,
+      projectDir,
+      packageDir: resolved.packageDir,
+      entryPoint: resolved.entryPoint,
+      lifecycleScripts: resolved.lifecycleScripts,
+      packageDeps: resolved.packageDeps
+    };
+  } catch {
+    return null;
+  }
+}
+async function discoverAllPackages(scanRoot) {
+  const packageJsonPaths = await scanPackageJsonFiles(scanRoot);
+  const seen = new Set;
+  const all = [];
+  for (const pkgPath of packageJsonPaths) {
+    const projectDir = dirname2(pkgPath);
+    const packages = await enumerateNodeModules(projectDir);
+    for (const pkg of packages) {
+      const key = `${pkg.packageDir}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      all.push(pkg);
+    }
+  }
+  return all;
+}
+async function preFilterSuspicious(packages) {
+  const suspicious = [];
+  for (const pkg of packages) {
+    if (isSuspiciousLocal(pkg)) {
+      suspicious.push(pkg);
+      continue;
+    }
+    if (pkg.entryPoint) {
+      try {
+        const file = Bun.file(pkg.entryPoint);
+        if (await file.exists() && file.size < 2 * 1024 * 1024) {
+          const source = await file.text();
+          const regexMatches = scanSource(source, pkg.entryPoint);
+          if (regexMatches.length > 0) {
+            suspicious.push(pkg);
+            continue;
+          }
+          const astResult = await analyzeAST(pkg.entryPoint);
+          if (astResult.sensitiveModules.length > 0 || astResult.highEntropyStrings.length > 0) {
+            suspicious.push(pkg);
+            continue;
+          }
+        }
+      } catch {}
+    }
+    const depAudit = auditDependencies(pkg.packageDeps);
+    if (depAudit.length > 0) {
+      suspicious.push(pkg);
+    }
+  }
+  return suspicious;
+}
+function isSuspiciousLocal(pkg) {
+  const scripts = pkg.lifecycleScripts;
+  return scripts.preinstall !== null || scripts.install !== null || scripts.postinstall !== null;
+}
+async function analyzePackageDeep(pkg) {
+  const risks = [];
+  risks.push(...detectLifecycleScripts(pkg.lifecycleScripts));
+  if (pkg.entryPoint) {
+    try {
+      const file = Bun.file(pkg.entryPoint);
+      if (await file.exists() && file.size < 2 * 1024 * 1024) {
+        const source = await file.text();
+        const regexMatches = scanSource(source, pkg.entryPoint);
+        risks.push(...matchesToRisks(regexMatches, pkg.entryPoint));
+      }
+    } catch {}
+  }
+  if (pkg.entryPoint) {
+    const astResult = await analyzeAST(pkg.entryPoint);
+    risks.push(...astResultToRisks(astResult, pkg.entryPoint));
+  }
+  const depAudit = auditDependencies(pkg.packageDeps);
+  risks.push(...auditToRisks(depAudit));
+  if (risks.length > 0 && pkg.entryPoint) {
+    try {
+      const sandboxResult = await detonate(pkg.entryPoint);
+      risks.push(...sandboxResultToRisks(sandboxResult));
+    } catch {}
+  }
+  return risks;
+}
+async function runScanAll(scanRoot) {
+  console.log(`
+${c.boldCyan("pzx")} \u2014 escaneo completo en ${c.dim(scanRoot)}
+`);
+  console.log(c.dim("Descubriendo paquetes instalados..."));
+  const discovered = await discoverAllPackages(scanRoot);
+  console.log(c.dim(`Encontrados ${discovered.length} paquete(s)
+`));
+  if (discovered.length === 0) {
+    console.log(c.yellow("No se encontraron paquetes instalados."));
+    return;
+  }
+  console.log(c.dim("Analisis estatico local (pre-filtro)..."));
+  const suspicious = await preFilterSuspicious(discovered);
+  console.log(c.dim(`${suspicious.length}/${discovered.length} paquete(s) marcados para analisis profundo
+`));
+  if (suspicious.length === 0) {
+    console.log(c.boldGreen(`\u2713 Ningun paquete sospechoso detectado.
+`));
+    return;
+  }
+  const findings = [];
+  for (const pkg of suspicious) {
+    const risks = await analyzePackageDeep(pkg);
+    if (risks.length > 0) {
+      findings.push({ pkg, risks });
+    }
+  }
+  if (findings.length === 0) {
+    console.log(c.boldGreen(`\u2713 Analisis profundo completo \u2014 sin riesgos confirmados.
+`));
+    return;
+  }
+  console.log(c.boldRed(`\u26A0 ${findings.length} paquete(s) con riesgos:
+`));
+  for (const { pkg, risks } of findings) {
+    console.log(c.boldCyan(`[${pkg.name}@${pkg.version}]`));
+    console.log(c.dim(`  Proyecto: ${pkg.projectDir}`));
+    console.log(c.dim(`  Ubicacion: ${pkg.packageDir}`));
+    for (const risk of risks) {
+      const icon = risk.severity === "critical" ? c.boldRed("[!!!]") : risk.severity === "high" ? c.boldYellow("[!!]") : c.yellow("[!]");
+      console.log(`  ${icon} ${risk.message}`);
+      if (risk.detail) {
+        console.log(`       ${c.dim(risk.detail)}`);
+      }
+    }
+    console.log();
+  }
+  const summary = {
+    totalPackages: discovered.length,
+    suspiciousPackages: suspicious.length,
+    packagesWithVulns: 0,
+    packagesWithRisks: findings.length
+  };
+  console.log(c.dim("\u2500".repeat(70)));
+  console.log(`
+${c.bold("Resumen:")} ${c.dim(`${summary.totalPackages} total`)} \xB7 ${c.yellow(`${summary.suspiciousPackages} analizados`)} \xB7 ${c.red(`${summary.packagesWithRisks} con riesgos`)}
+`);
+  if (findings.length > 0)
+    process.exit(2);
+}
+
+// index.ts
+async function main() {
+  const { packageName, version, scanRoot, showHelp } = parseArgs(process.argv);
+  if (showHelp) {
+    printUsage();
+    process.exit(0);
+  }
+  if (!packageName) {
+    await runScanAll(scanRoot);
+    return;
+  }
+  await run(packageName, version, scanRoot);
+}
+main().catch((err) => {
+  const message = err instanceof Error ? err.message : String(err);
+  console.error(c.red(`Error fatal: ${message}`));
+  process.exit(1);
+});