npm - @grwnd/pi-governance - Versions diffs - 3.0.2 → 3.1.0 - Mend

@grwnd/pi-governance 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/extensions/index.cjs +1103 -1
package/dist/extensions/index.cjs.map +1 -1
package/dist/extensions/index.js +1103 -1
package/dist/extensions/index.js.map +1 -1
package/dist/index.cjs +1052 -0
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +206 -2
package/dist/index.d.ts +206 -2
package/dist/index.js +1044 -0
package/dist/index.js.map +1 -1
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -3085,7 +3085,15 @@ __export(index_exports, {
   createApprovalFlow: () => createApprovalFlow,
   createIdentityChain: () => createIdentityChain,
   createPolicyEngine: () => createPolicyEngine,
+  detectTyposquat: () => detectTyposquat,
+  evaluateInstall: () => evaluateInstall,
+  fetchRegistryMetadata: () => fetchRegistryMetadata,
+  levenshteinDistance: () => levenshteinDistance,
   loadConfig: () => loadConfig,
+  normalizedSimilarity: () => normalizedSimilarity,
+  parseInstallCommand: () => parseInstallCommand,
+  queryVulnerabilities: () => queryVulnerabilities,
+  queryVulnerabilitiesBatch: () => queryVulnerabilitiesBatch,
   renderTemplate: () => render,
   startWizardServer: () => startWizardServer
 });
@@ -3234,6 +3242,32 @@ var DlpConfig = import_typebox.Type.Object({
   allowlist: import_typebox.Type.Optional(import_typebox.Type.Array(DlpAllowlistEntryConfig)),
   role_overrides: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), DlpRoleOverrideConfig))
 });
+var DependencyGuardianChecksConfig = import_typebox.Type.Object({
+  existence: import_typebox.Type.Boolean({ default: true }),
+  reputation: import_typebox.Type.Boolean({ default: true }),
+  typosquatting: import_typebox.Type.Boolean({ default: true }),
+  install_scripts: import_typebox.Type.Boolean({ default: true }),
+  vulnerabilities: import_typebox.Type.Boolean({ default: true })
+});
+var DependencyGuardianConfig = import_typebox.Type.Object({
+  enabled: import_typebox.Type.Boolean({ default: true }),
+  checks: import_typebox.Type.Optional(DependencyGuardianChecksConfig),
+  risk_thresholds: import_typebox.Type.Optional(
+    import_typebox.Type.Object({
+      min_age_days: import_typebox.Type.Number({ default: 30, minimum: 0 }),
+      min_weekly_downloads: import_typebox.Type.Number({ default: 100, minimum: 0 })
+    })
+  ),
+  on_risk: import_typebox.Type.Optional(
+    import_typebox.Type.Union([import_typebox.Type.Literal("escalate"), import_typebox.Type.Literal("block"), import_typebox.Type.Literal("audit")], {
+      default: "escalate"
+    })
+  ),
+  allowlist: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.String())),
+  blocklist: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.String())),
+  blocklist_patterns: import_typebox.Type.Optional(import_typebox.Type.Array(import_typebox.Type.String())),
+  custom_registry_bypass: import_typebox.Type.Boolean({ default: true })
+});
 var GovernanceConfigSchema = import_typebox.Type.Object({
   auth: import_typebox.Type.Optional(AuthConfig),
   policy: import_typebox.Type.Optional(PolicyConfig),
@@ -3241,6 +3275,7 @@ var GovernanceConfigSchema = import_typebox.Type.Object({
   hitl: import_typebox.Type.Optional(HitlConfig),
   audit: import_typebox.Type.Optional(AuditConfig),
   dlp: import_typebox.Type.Optional(DlpConfig),
+  dependency_guardian: import_typebox.Type.Optional(DependencyGuardianConfig),
   org_units: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), OrgUnitOverride))
 });
@@ -4061,6 +4096,1015 @@ var DlpMasker = class {
   }
 };
+// src/lib/deps/parser.ts
+var FLAGS_WITH_VALUE = /* @__PURE__ */ new Set([
+  // npm/yarn/pnpm
+  "--registry",
+  "--save-prefix",
+  "--tag",
+  "--cache",
+  "--prefix",
+  // pip
+  "-r",
+  "--requirement",
+  "-c",
+  "--constraint",
+  "-e",
+  "--editable",
+  "-t",
+  "--target",
+  "--index-url",
+  "-i",
+  "--extra-index-url",
+  "--find-links",
+  "-f",
+  "--root",
+  "--prefix",
+  // cargo
+  "--git",
+  "--branch",
+  "--rev",
+  "--path",
+  "--version"
+]);
+var CUSTOM_REGISTRY_FLAGS = /* @__PURE__ */ new Set(["--registry", "--index-url", "-i", "--extra-index-url"]);
+var LOCKFILE_PATTERNS = [
+  /\bnpm\s+ci\b/,
+  /\bpnpm\s+install\s+--frozen-lockfile\b/,
+  /\byarn\s+install\s+--frozen-lockfile\b/,
+  /\bpip\s+install\b.*--require-hashes\b/
+];
+var MANAGER_MATCHERS = [
+  { manager: "npm", ecosystem: "npm", subcommandPattern: /\bnpm\s+(install|i|add)\s/ },
+  { manager: "yarn", ecosystem: "npm", subcommandPattern: /\byarn\s+(add|install)\s/ },
+  { manager: "pnpm", ecosystem: "npm", subcommandPattern: /\bpnpm\s+(add|install|i)\s/ },
+  { manager: "pip", ecosystem: "pypi", subcommandPattern: /\bpip\s+install\s/ },
+  { manager: "cargo", ecosystem: "crates.io", subcommandPattern: /\bcargo\s+(add|install)\s/ }
+];
+function splitVersionFromName(raw, ecosystem) {
+  if (ecosystem === "npm") {
+    const atIdx = raw.lastIndexOf("@");
+    if (atIdx > 0) {
+      return { name: raw.slice(0, atIdx), version: raw.slice(atIdx + 1) };
+    }
+    return { name: raw };
+  }
+  if (ecosystem === "pypi") {
+    const match = raw.match(/^([a-zA-Z0-9_.-]+)([=<>!~]+.+)?$/);
+    if (match) {
+      return { name: match[1], version: match[2] };
+    }
+    return { name: raw };
+  }
+  if (ecosystem === "crates.io") {
+    const atIdx = raw.indexOf("@");
+    if (atIdx > 0) {
+      return { name: raw.slice(0, atIdx), version: raw.slice(atIdx + 1) };
+    }
+    return { name: raw };
+  }
+  return { name: raw };
+}
+function parseInstallCommand(command) {
+  const trimmed = command.trim();
+  const isLockfileInstall = LOCKFILE_PATTERNS.some((p) => p.test(trimmed));
+  if (/\bnpm\s+ci\b/.test(trimmed)) {
+    return {
+      manager: "npm",
+      packages: [],
+      flags: [],
+      raw: trimmed,
+      isLockfileInstall: true,
+      usesCustomRegistry: false
+    };
+  }
+  for (const matcher of MANAGER_MATCHERS) {
+    if (!matcher.subcommandPattern.test(trimmed)) continue;
+    const subMatch = trimmed.match(matcher.subcommandPattern);
+    if (!subMatch) continue;
+    const afterSubcommand = trimmed.slice(subMatch.index + subMatch[0].length);
+    const tokens = tokenize(afterSubcommand);
+    const packages = [];
+    const flags = [];
+    let usesCustomRegistry = false;
+    for (let i = 0; i < tokens.length; i++) {
+      const token = tokens[i];
+      if (token.startsWith("-")) {
+        flags.push(token);
+        const flagName = token.includes("=") ? token.slice(0, token.indexOf("=")) : token;
+        if (CUSTOM_REGISTRY_FLAGS.has(flagName)) {
+          usesCustomRegistry = true;
+        }
+        if (FLAGS_WITH_VALUE.has(flagName) || token.includes("=")) {
+          if (!token.includes("=")) i++;
+        }
+        continue;
+      }
+      if (matcher.manager === "pip" && (token.endsWith(".txt") || token.endsWith(".cfg"))) {
+        continue;
+      }
+      if (matcher.manager === "pip" && (token.startsWith("/") || token.startsWith("./") || token.startsWith("http://") || token.startsWith("https://") || token.startsWith("git+"))) {
+        continue;
+      }
+      const { name, version } = splitVersionFromName(token, matcher.ecosystem);
+      if (name) {
+        packages.push({ name, version, ecosystem: matcher.ecosystem });
+      }
+    }
+    return {
+      manager: matcher.manager,
+      packages,
+      flags,
+      raw: trimmed,
+      isLockfileInstall,
+      usesCustomRegistry
+    };
+  }
+  return void 0;
+}
+function tokenize(input) {
+  const tokens = [];
+  let current = "";
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  for (let i = 0; i < input.length; i++) {
+    const ch = input[i];
+    if (ch === "'" && !inDoubleQuote) {
+      inSingleQuote = !inSingleQuote;
+      continue;
+    }
+    if (ch === '"' && !inSingleQuote) {
+      inDoubleQuote = !inDoubleQuote;
+      continue;
+    }
+    if (ch === " " && !inSingleQuote && !inDoubleQuote) {
+      if (current) tokens.push(current);
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+// src/lib/deps/registry.ts
+var REQUEST_TIMEOUT_MS = 5e3;
+function withTimeout(ms) {
+  return AbortSignal.timeout(ms);
+}
+async function fetchNpmMetadata(name) {
+  const encodedName = name.startsWith("@") ? `@${encodeURIComponent(name.slice(1))}` : encodeURIComponent(name);
+  const url = `https://registry.npmjs.org/${encodedName}`;
+  let res;
+  try {
+    res = await fetch(url, { signal: withTimeout(REQUEST_TIMEOUT_MS) });
+  } catch {
+    return notFound(name, "npm");
+  }
+  if (!res.ok) return notFound(name, "npm");
+  const data = await res.json();
+  const latest = data["dist-tags"]?.["latest"];
+  const latestVersion = latest ? data.versions?.[latest] : void 0;
+  const scripts = latestVersion?.scripts ?? {};
+  const hasInstallScripts = !!(scripts["preinstall"] || scripts["install"] || scripts["postinstall"]);
+  let weeklyDownloads;
+  try {
+    const dlUrl = `https://api.npmjs.org/downloads/point/last-week/${encodedName}`;
+    const dlRes = await fetch(dlUrl, { signal: withTimeout(REQUEST_TIMEOUT_MS) });
+    if (dlRes.ok) {
+      const dlData = await dlRes.json();
+      weeklyDownloads = dlData.downloads;
+    }
+  } catch {
+  }
+  return {
+    name,
+    ecosystem: "npm",
+    exists: true,
+    createdAt: data.time?.["created"] ? new Date(data.time["created"]) : void 0,
+    modifiedAt: data.time?.["modified"] ? new Date(data.time["modified"]) : void 0,
+    latestVersion: latest,
+    weeklyDownloads,
+    maintainerCount: data.maintainers?.length,
+    hasRepository: !!data.repository,
+    hasReadme: !!(data.readme && data.readme.length > 10),
+    hasInstallScripts,
+    description: data.description,
+    license: data.license
+  };
+}
+async function fetchPyPIMetadata(name) {
+  const url = `https://pypi.org/pypi/${encodeURIComponent(name)}/json`;
+  let res;
+  try {
+    res = await fetch(url, { signal: withTimeout(REQUEST_TIMEOUT_MS) });
+  } catch {
+    return notFound(name, "pypi");
+  }
+  if (!res.ok) return notFound(name, "pypi");
+  const data = await res.json();
+  let earliest;
+  for (const files of Object.values(data.releases)) {
+    for (const file of files) {
+      const d = new Date(file.upload_time);
+      if (!earliest || d < earliest) earliest = d;
+    }
+  }
+  const projectUrls = data.info.project_urls ?? {};
+  const hasRepo = !!(data.info.home_page || projectUrls["Source"] || projectUrls["Repository"] || projectUrls["GitHub"] || projectUrls["Homepage"]);
+  const hasMaintainer = !!(data.info.maintainer || data.info.author);
+  let weeklyDownloads;
+  try {
+    const statsUrl = `https://pypistats.org/api/packages/${encodeURIComponent(name)}/recent`;
+    const statsRes = await fetch(statsUrl, {
+      signal: withTimeout(REQUEST_TIMEOUT_MS),
+      headers: { Accept: "application/json" }
+    });
+    if (statsRes.ok) {
+      const statsData = await statsRes.json();
+      weeklyDownloads = statsData.data?.last_week;
+    }
+  } catch {
+  }
+  return {
+    name,
+    ecosystem: "pypi",
+    exists: true,
+    createdAt: earliest,
+    modifiedAt: data.urls.length > 0 ? new Date(data.urls[data.urls.length - 1].upload_time) : void 0,
+    latestVersion: data.info.version,
+    weeklyDownloads,
+    maintainerCount: hasMaintainer ? 1 : 0,
+    hasRepository: hasRepo,
+    hasReadme: !!(data.info.description && data.info.description.length > 10),
+    hasInstallScripts: false,
+    // PyPI doesn't have post-install scripts in the same way
+    description: data.info.summary,
+    license: data.info.license
+  };
+}
+function notFound(name, ecosystem) {
+  return {
+    name,
+    ecosystem,
+    exists: false,
+    hasRepository: false,
+    hasReadme: false,
+    hasInstallScripts: false
+  };
+}
+var cache = /* @__PURE__ */ new Map();
+var MAX_CACHE_SIZE = 200;
+function cacheKey(name, ecosystem) {
+  return `${ecosystem}:${name}`;
+}
+async function fetchRegistryMetadata(name, ecosystem) {
+  const key = cacheKey(name, ecosystem);
+  const cached = cache.get(key);
+  if (cached) return cached;
+  let result;
+  switch (ecosystem) {
+    case "npm":
+      result = await fetchNpmMetadata(name);
+      break;
+    case "pypi":
+      result = await fetchPyPIMetadata(name);
+      break;
+    default:
+      result = notFound(name, ecosystem);
+  }
+  if (cache.size >= MAX_CACHE_SIZE) {
+    const firstKey = cache.keys().next().value;
+    if (firstKey !== void 0) cache.delete(firstKey);
+  }
+  cache.set(key, result);
+  return result;
+}
+// src/lib/deps/vulnerabilities.ts
+var REQUEST_TIMEOUT_MS2 = 5e3;
+function osvEcosystem(ecosystem) {
+  switch (ecosystem) {
+    case "npm":
+      return "npm";
+    case "pypi":
+      return "PyPI";
+    case "crates.io":
+      return "crates.io";
+    default:
+      return ecosystem;
+  }
+}
+function parseSeverity(vuln) {
+  const sevEntry = vuln.severity?.find((s) => s.type === "CVSS_V3");
+  if (!sevEntry) return "medium";
+  const scoreStr = sevEntry.score;
+  const numericMatch = scoreStr.match(/(\d+\.\d+)/);
+  if (numericMatch) {
+    const score = parseFloat(numericMatch[1]);
+    if (score >= 9) return "critical";
+    if (score >= 7) return "high";
+    if (score >= 4) return "medium";
+    return "low";
+  }
+  return "medium";
+}
+function extractFixedVersion(vuln) {
+  for (const affected of vuln.affected ?? []) {
+    for (const range of affected.ranges ?? []) {
+      for (const event of range.events ?? []) {
+        if (event.fixed) return event.fixed;
+      }
+    }
+  }
+  return void 0;
+}
+function mapVuln(vuln) {
+  return {
+    id: vuln.id,
+    summary: vuln.summary ?? vuln.details?.slice(0, 200) ?? "No description",
+    severity: parseSeverity(vuln),
+    fixedIn: extractFixedVersion(vuln),
+    aliases: vuln.aliases ?? []
+  };
+}
+async function queryVulnerabilities(name, ecosystem, version) {
+  const body = {
+    package: { name, ecosystem: osvEcosystem(ecosystem) }
+  };
+  if (version) body.version = version;
+  try {
+    const res = await fetch("https://api.osv.dev/v1/query", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS2)
+    });
+    if (!res.ok) {
+      return { package: name, ecosystem, vulnerabilities: [], error: `OSV HTTP ${res.status}` };
+    }
+    const data = await res.json();
+    return {
+      package: name,
+      ecosystem,
+      vulnerabilities: (data.vulns ?? []).map(mapVuln)
+    };
+  } catch (err) {
+    return {
+      package: name,
+      ecosystem,
+      vulnerabilities: [],
+      error: err instanceof Error ? err.message : "Unknown error"
+    };
+  }
+}
+async function queryVulnerabilitiesBatch(packages) {
+  if (packages.length === 0) return [];
+  if (packages.length === 1) {
+    const pkg = packages[0];
+    return [await queryVulnerabilities(pkg.name, pkg.ecosystem, pkg.version)];
+  }
+  const queries = packages.map((pkg) => {
+    const q = {
+      package: { name: pkg.name, ecosystem: osvEcosystem(pkg.ecosystem) }
+    };
+    if (pkg.version) q.version = pkg.version;
+    return q;
+  });
+  try {
+    const res = await fetch("https://api.osv.dev/v1/querybatch", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ queries }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS2)
+    });
+    if (!res.ok) {
+      return packages.map((pkg) => ({
+        package: pkg.name,
+        ecosystem: pkg.ecosystem,
+        vulnerabilities: [],
+        error: `OSV HTTP ${res.status}`
+      }));
+    }
+    const data = await res.json();
+    return data.results.map((result, i) => ({
+      package: packages[i].name,
+      ecosystem: packages[i].ecosystem,
+      vulnerabilities: (result.vulns ?? []).map(mapVuln)
+    }));
+  } catch (err) {
+    const errMsg = err instanceof Error ? err.message : "Unknown error";
+    return packages.map((pkg) => ({
+      package: pkg.name,
+      ecosystem: pkg.ecosystem,
+      vulnerabilities: [],
+      error: errMsg
+    }));
+  }
+}
+// src/lib/deps/levenshtein.ts
+function levenshteinDistance(a, b) {
+  if (a === b) return 0;
+  if (a.length === 0) return b.length;
+  if (b.length === 0) return a.length;
+  if (a.length > b.length) [a, b] = [b, a];
+  const m = a.length;
+  const n = b.length;
+  const row = new Array(m + 1);
+  for (let j = 0; j <= m; j++) row[j] = j;
+  for (let i = 1; i <= n; i++) {
+    let corner = row[0];
+    row[0] = i;
+    for (let j = 1; j <= m; j++) {
+      const temp = row[j];
+      if (b[i - 1] === a[j - 1]) {
+        row[j] = corner;
+      } else {
+        row[j] = 1 + Math.min(corner, temp, row[j - 1]);
+      }
+      corner = temp;
+    }
+  }
+  return row[m];
+}
+function normalizedSimilarity(a, b) {
+  const maxLen = Math.max(a.length, b.length);
+  if (maxLen === 0) return 1;
+  return 1 - levenshteinDistance(a, b) / maxLen;
+}
+function normalizeName(name) {
+  const stripped = name.replace(/^@[^/]+\//, "");
+  return stripped.replace(/[-_.]/g, "").toLowerCase();
+}
+function detectTyposquat(name, corpus) {
+  const normalized = normalizeName(name);
+  let bestMatch;
+  let bestDistance = Infinity;
+  for (const target of corpus) {
+    const normalizedTarget = normalizeName(target);
+    if (normalizedTarget === normalized) return void 0;
+    const distance = levenshteinDistance(normalized, normalizedTarget);
+    const similarity = normalizedSimilarity(normalized, normalizedTarget);
+    const shouldFlag = distance === 1 || distance === 2 && normalized.length >= 5 || similarity >= 0.85;
+    if (shouldFlag && distance < bestDistance) {
+      bestDistance = distance;
+      bestMatch = { target, distance, similarity };
+    }
+  }
+  return bestMatch;
+}
+// src/lib/deps/allowlist.ts
+var DEFAULT_NPM_ALLOWLIST = [
+  // Frameworks
+  "express",
+  "react",
+  "react-dom",
+  "next",
+  "vue",
+  "angular",
+  "svelte",
+  "fastify",
+  "koa",
+  "hapi",
+  "nest",
+  "nuxt",
+  // Build tools
+  "typescript",
+  "webpack",
+  "vite",
+  "esbuild",
+  "tsup",
+  "rollup",
+  "parcel",
+  "babel",
+  "swc",
+  // Quality tools
+  "prettier",
+  "eslint",
+  "vitest",
+  "jest",
+  "mocha",
+  "chai",
+  "sinon",
+  "husky",
+  "lint-staged",
+  // Utilities
+  "lodash",
+  "axios",
+  "chalk",
+  "commander",
+  "debug",
+  "async",
+  "uuid",
+  "semver",
+  "glob",
+  "fs-extra",
+  "mkdirp",
+  "rimraf",
+  "minimist",
+  "yargs",
+  "dotenv",
+  "nanoid",
+  "date-fns",
+  "dayjs",
+  "moment",
+  "rxjs",
+  "immer",
+  // Validation
+  "zod",
+  "joi",
+  "ajv",
+  "yup",
+  // HTTP / API
+  "cors",
+  "body-parser",
+  "cookie-parser",
+  "morgan",
+  "helmet",
+  "jsonwebtoken",
+  "bcrypt",
+  "passport",
+  // Database
+  "mongoose",
+  "sequelize",
+  "prisma",
+  "typeorm",
+  "knex",
+  "pg",
+  "mysql2",
+  "redis",
+  "ioredis",
+  "better-sqlite3",
+  // Realtime
+  "socket.io",
+  "ws",
+  // State management
+  "zustand",
+  "redux",
+  "mobx",
+  // CSS
+  "tailwindcss",
+  "postcss",
+  "autoprefixer",
+  "sass",
+  "styled-components",
+  "clsx",
+  "classnames",
+  // Media
+  "sharp",
+  "puppeteer",
+  "cheerio",
+  "marked",
+  "highlight.js",
+  // Types
+  "tslib"
+];
+var DEFAULT_PYPI_ALLOWLIST = [
+  // Web
+  "requests",
+  "flask",
+  "django",
+  "fastapi",
+  "aiohttp",
+  "httpx",
+  "uvicorn",
+  "gunicorn",
+  "starlette",
+  // Data
+  "numpy",
+  "pandas",
+  "scipy",
+  "matplotlib",
+  "scikit-learn",
+  "pillow",
+  // Infrastructure
+  "boto3",
+  "botocore",
+  "urllib3",
+  "certifi",
+  "charset-normalizer",
+  "idna",
+  // Core
+  "setuptools",
+  "pip",
+  "wheel",
+  "packaging",
+  "typing-extensions",
+  "six",
+  "python-dateutil",
+  "pyyaml",
+  "tomli",
+  "filelock",
+  "attrs",
+  "click",
+  "importlib-metadata",
+  "zipp",
+  "platformdirs",
+  // Crypto
+  "cryptography",
+  "cffi",
+  "pycparser",
+  "jmespath",
+  "pyasn1",
+  // DB
+  "sqlalchemy",
+  "psycopg2",
+  "redis",
+  "celery",
+  // Template / Markup
+  "jinja2",
+  "markupsafe",
+  "beautifulsoup4",
+  "lxml",
+  "scrapy",
+  // Validation
+  "pydantic",
+  // Testing
+  "pytest",
+  "tox",
+  "coverage",
+  "mock"
+];
+var DEFAULT_BLOCKLIST_EXACT = [
+  // npm typosquats (historically malicious)
+  "crossenv",
+  "cross-env.js",
+  "d3.js",
+  "fabric-js",
+  "ffmpegs",
+  "gruntcli",
+  "http-proxy.js",
+  "jquery.js",
+  "mongose",
+  "mssql-node",
+  "nodecaffe",
+  "nodefabric",
+  "nodemailer-js",
+  "noderequest",
+  "nodesass",
+  "opencv.js",
+  "openssl.js",
+  "shadowsock",
+  "sqliter",
+  "sqlserver",
+  // npm compromised
+  "flatmap-stream",
+  // PyPI typosquats
+  "colourama",
+  "python3-dateutil",
+  "requesocks",
+  "requesst",
+  "beautifulsup",
+  "numppy",
+  "numpys",
+  "djanga",
+  "urlib3"
+];
+var DEFAULT_BLOCKLIST_PATTERNS = [
+  /-free-download$/,
+  /-crack$/,
+  /-keygen$/,
+  /-license-key$/,
+  /-hack$/,
+  /-serial$/,
+  /-activation$/,
+  /-premium-free$/,
+  /-generator-free$/
+];
+function buildAllowBlockLists(ecosystem, userAllowlist, userBlocklist, userBlocklistPatterns) {
+  const base = ecosystem === "npm" ? DEFAULT_NPM_ALLOWLIST : ecosystem === "pypi" ? DEFAULT_PYPI_ALLOWLIST : [];
+  return {
+    allowlist: [...base, ...userAllowlist],
+    blocklist: [...DEFAULT_BLOCKLIST_EXACT, ...userBlocklist],
+    blocklistPatterns: [
+      ...DEFAULT_BLOCKLIST_PATTERNS,
+      ...userBlocklistPatterns.map((p) => new RegExp(p))
+    ]
+  };
+}
+function isAllowlisted(name, allowlist) {
+  return allowlist.includes(name);
+}
+function isBlocklisted(name, blocklist, blocklistPatterns) {
+  if (blocklist.includes(name)) return true;
+  return blocklistPatterns.some((p) => p.test(name));
+}
+// src/lib/deps/risk.ts
+var DEFAULT_THRESHOLDS = {
+  minAgeDays: 30,
+  minWeeklyDownloads: 100
+};
+var SEVERITY_ORDER2 = {
+  info: 0,
+  low: 1,
+  medium: 2,
+  high: 3,
+  critical: 4
+};
+function maxSeverity(a, b) {
+  return SEVERITY_ORDER2[a] >= SEVERITY_ORDER2[b] ? a : b;
+}
+function computeRiskReport(metadata, vulns, typosquatMatch, isBlocklisted2, isAllowlisted2, thresholds = DEFAULT_THRESHOLDS) {
+  const signals = [];
+  let overallRisk = "info";
+  if (!metadata.exists) {
+    signals.push({
+      name: "package_not_found",
+      severity: "critical",
+      detail: `Package "${metadata.name}" does not exist on ${metadata.ecosystem}`
+    });
+    overallRisk = "critical";
+  }
+  if (isBlocklisted2) {
+    signals.push({
+      name: "on_blocklist",
+      severity: "critical",
+      detail: `Package "${metadata.name}" is on the blocklist`
+    });
+    overallRisk = "critical";
+  }
+  for (const vuln of vulns) {
+    signals.push({
+      name: "known_vulnerability",
+      severity: vuln.severity,
+      detail: `${vuln.id}: ${vuln.summary}${vuln.fixedIn ? ` (fixed in ${vuln.fixedIn})` : ""}`
+    });
+    overallRisk = maxSeverity(overallRisk, vuln.severity);
+  }
+  if (isAllowlisted2 && signals.length === 0) {
+    return {
+      package: metadata.name,
+      ecosystem: metadata.ecosystem,
+      overallRisk: "info",
+      signals: [],
+      vulnerabilities: vulns,
+      recommendation: "allow",
+      metadata
+    };
+  }
+  if (!isAllowlisted2 && metadata.exists) {
+    if (metadata.createdAt) {
+      const ageDays = (Date.now() - metadata.createdAt.getTime()) / (1e3 * 60 * 60 * 24);
+      if (ageDays < 7) {
+        signals.push({
+          name: "very_new_package",
+          severity: "high",
+          detail: `Created ${Math.floor(ageDays)} days ago`
+        });
+        overallRisk = maxSeverity(overallRisk, "high");
+      } else if (ageDays < thresholds.minAgeDays) {
+        signals.push({
+          name: "new_package",
+          severity: "medium",
+          detail: `Created ${Math.floor(ageDays)} days ago (threshold: ${thresholds.minAgeDays})`
+        });
+        overallRisk = maxSeverity(overallRisk, "medium");
+      }
+    }
+    if (metadata.weeklyDownloads !== void 0) {
+      if (metadata.weeklyDownloads < thresholds.minWeeklyDownloads) {
+        const sev = metadata.weeklyDownloads < 10 ? "high" : "medium";
+        signals.push({
+          name: "low_downloads",
+          severity: sev,
+          detail: `${metadata.weeklyDownloads} weekly downloads (threshold: ${thresholds.minWeeklyDownloads})`
+        });
+        overallRisk = maxSeverity(overallRisk, sev);
+      }
+    }
+    if (typosquatMatch) {
+      signals.push({
+        name: "typosquat_suspect",
+        severity: "high",
+        detail: `Similar to "${typosquatMatch.target}" (edit distance: ${typosquatMatch.distance})`
+      });
+      overallRisk = maxSeverity(overallRisk, "high");
+    }
+    if (metadata.hasInstallScripts) {
+      signals.push({
+        name: "has_install_scripts",
+        severity: "medium",
+        detail: "Package has preinstall/install/postinstall scripts"
+      });
+      overallRisk = maxSeverity(overallRisk, "medium");
+    }
+    if (!metadata.hasRepository) {
+      signals.push({
+        name: "no_repository",
+        severity: "low",
+        detail: "No source repository URL in metadata"
+      });
+      overallRisk = maxSeverity(overallRisk, "low");
+    }
+    if (!metadata.hasReadme) {
+      signals.push({
+        name: "no_readme",
+        severity: "low",
+        detail: "No README content"
+      });
+      overallRisk = maxSeverity(overallRisk, "low");
+    }
+    if (!metadata.license) {
+      signals.push({
+        name: "no_license",
+        severity: "low",
+        detail: "No license declared"
+      });
+      overallRisk = maxSeverity(overallRisk, "low");
+    }
+    if (metadata.maintainerCount !== void 0 && metadata.maintainerCount <= 1) {
+      signals.push({
+        name: "single_maintainer",
+        severity: "info",
+        detail: `${metadata.maintainerCount} maintainer(s)`
+      });
+    }
+  }
+  let recommendation;
+  if (SEVERITY_ORDER2[overallRisk] >= SEVERITY_ORDER2["critical"]) {
+    recommendation = "block";
+  } else if (SEVERITY_ORDER2[overallRisk] >= SEVERITY_ORDER2["medium"]) {
+    recommendation = "escalate";
+  } else {
+    recommendation = "allow";
+  }
+  return {
+    package: metadata.name,
+    ecosystem: metadata.ecosystem,
+    overallRisk,
+    signals,
+    vulnerabilities: vulns,
+    recommendation,
+    metadata
+  };
+}
+// src/lib/deps/guardian.ts
+var DEFAULT_CONFIG2 = {
+  enabled: true,
+  checks: {
+    existence: true,
+    reputation: true,
+    typosquatting: true,
+    install_scripts: true,
+    vulnerabilities: true
+  },
+  risk_thresholds: {
+    min_age_days: 30,
+    min_weekly_downloads: 100
+  },
+  on_risk: "escalate",
+  allowlist: [],
+  blocklist: [],
+  blocklist_patterns: [],
+  custom_registry_bypass: true
+};
+async function evaluateInstall(command, config = DEFAULT_CONFIG2) {
+  if (!config.enabled) {
+    return skippedResult(command, "Dependency guardian is disabled");
+  }
+  const parsed = parseInstallCommand(command);
+  if (!parsed) {
+    return skippedResult(command, "Not a recognized install command");
+  }
+  if (parsed.isLockfileInstall) {
+    return skippedResult(command, "Lock-file install (pinned dependencies)");
+  }
+  if (config.custom_registry_bypass && parsed.usesCustomRegistry) {
+    return skippedResult(command, "Custom registry detected (bypass enabled)");
+  }
+  if (parsed.packages.length === 0) {
+    return skippedResult(command, "No specific packages to validate");
+  }
+  const ecosystems = [...new Set(parsed.packages.map((p) => p.ecosystem))];
+  const listsPerEcosystem = new Map(
+    ecosystems.map((eco) => [
+      eco,
+      buildAllowBlockLists(eco, config.allowlist, config.blocklist, config.blocklist_patterns)
+    ])
+  );
+  const metadataPromises = parsed.packages.map(async (pkg) => {
+    if (!config.checks.existence && !config.checks.reputation && !config.checks.install_scripts) {
+      return void 0;
+    }
+    return fetchRegistryMetadata(pkg.name, pkg.ecosystem);
+  });
+  const vulnPromise = config.checks.vulnerabilities ? queryVulnerabilitiesBatch(
+    parsed.packages.map((p) => ({
+      name: p.name,
+      ecosystem: p.ecosystem,
+      version: p.version
+    }))
+  ) : Promise.resolve(
+    parsed.packages.map((p) => ({
+      package: p.name,
+      ecosystem: p.ecosystem,
+      vulnerabilities: []
+    }))
+  );
+  const [metadataResults, vulnResults] = await Promise.all([
+    Promise.all(metadataPromises),
+    vulnPromise
+  ]);
+  const reports = [];
+  for (let i = 0; i < parsed.packages.length; i++) {
+    const pkg = parsed.packages[i];
+    const lists = listsPerEcosystem.get(pkg.ecosystem);
+    const allowed = isAllowlisted(pkg.name, lists.allowlist);
+    const blocked = isBlocklisted(pkg.name, lists.blocklist, lists.blocklistPatterns);
+    const metadata = metadataResults[i] ?? {
+      name: pkg.name,
+      ecosystem: pkg.ecosystem,
+      exists: true,
+      // assume exists if we didn't check
+      hasRepository: true,
+      hasReadme: true,
+      hasInstallScripts: false
+    };
+    const vulns = vulnResults[i]?.vulnerabilities ?? [];
+    const typosquatMatch = config.checks.typosquatting && !allowed ? detectTyposquat(pkg.name, lists.allowlist) : void 0;
+    const report = computeRiskReport(metadata, vulns, typosquatMatch, blocked, allowed, {
+      minAgeDays: config.risk_thresholds.min_age_days,
+      minWeeklyDownloads: config.risk_thresholds.min_weekly_downloads
+    });
+    reports.push(report);
+  }
+  let overallRecommendation = "allow";
+  for (const report of reports) {
+    if (report.recommendation === "block") {
+      overallRecommendation = "block";
+      break;
+    }
+    if (report.recommendation === "escalate") {
+      overallRecommendation = "escalate";
+    }
+  }
+  if (config.on_risk === "audit" && overallRecommendation === "escalate") {
+    overallRecommendation = "allow";
+  }
+  if (config.on_risk === "block" && overallRecommendation === "escalate") {
+    overallRecommendation = "block";
+  }
+  const summary = formatSummary(command, reports, overallRecommendation);
+  return {
+    command,
+    packages: reports,
+    overallRecommendation,
+    summary,
+    auditMetadata: {
+      command,
+      manager: parsed.manager,
+      packages: reports.map((r) => ({
+        name: r.package,
+        ecosystem: r.ecosystem,
+        risk: r.overallRisk,
+        signals: r.signals.map((s) => s.name),
+        vulnCount: r.vulnerabilities.length
+      }))
+    },
+    skipped: false
+  };
+}
+function skippedResult(command, reason) {
+  return {
+    command,
+    packages: [],
+    overallRecommendation: "allow",
+    summary: reason,
+    auditMetadata: { command, skipped: true, reason },
+    skipped: true,
+    skipReason: reason
+  };
+}
+function formatSummary(command, reports, recommendation) {
+  const lines = [];
+  lines.push(`Command: ${command}`);
+  lines.push("");
+  for (const report of reports) {
+    if (report.signals.length === 0 && report.vulnerabilities.length === 0) continue;
+    lines.push(`Package: ${report.package} (${report.ecosystem})`);
+    lines.push(`Risk: ${report.overallRisk.toUpperCase()}`);
+    if (report.signals.length > 0) {
+      lines.push("Signals:");
+      for (const signal of report.signals) {
+        const icon = signal.severity === "critical" || signal.severity === "high" ? "!!" : signal.severity === "medium" ? "! " : "  ";
+        lines.push(`  ${icon} ${signal.name}: ${signal.detail}`);
+      }
+    }
+    lines.push("");
+  }
+  if (recommendation === "block") {
+    lines.push("Recommendation: BLOCK");
+  } else if (recommendation === "escalate") {
+    lines.push("Recommendation: Requires human approval");
+  }
+  return lines.join("\n");
+}
 // src/lib/budget/tracker.ts
 var BudgetTracker = class {
   _used = 0;
@@ -6021,7 +7065,15 @@ function startWizardServer(options) {
   createApprovalFlow,
   createIdentityChain,
   createPolicyEngine,
+  detectTyposquat,
+  evaluateInstall,
+  fetchRegistryMetadata,
+  levenshteinDistance,
   loadConfig,
+  normalizedSimilarity,
+  parseInstallCommand,
+  queryVulnerabilities,
+  queryVulnerabilitiesBatch,
   renderTemplate,
   startWizardServer
 });