@hungpg/skill-audit 0.1.1 → 0.3.0

package/dist/hooks.js

@@ -0,0 +1,278 @@
+/**
+ * Hook Configuration for Claude Code
+ *
+ * Provides PreToolUse hook that audits skills before installation.
+ * Hook is triggered when user runs `npx skills add <package>`.
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync } from "fs";
+import { join, dirname } from "path";
+import { homedir } from "os";
+// Default settings path for Claude Code
+const CLAUDE_SETTINGS_PATH = join(homedir(), ".claude", "settings.json");
+const CLAUDE_SETTINGS_BACKUP = join(homedir(), ".claude", "settings.json.backup");
+const SKIP_HOOK_FILE = join(homedir(), ".skill-audit-skip-hook");
+// Hook identifier for skill-audit
+const HOOK_ID = "skill-audit-pre-install";
+/**
+ * Get the default hook configuration
+ */
+export function getDefaultHookConfig() {
+    return {
+        threshold: 3.0,
+        blockOnFailure: true
+    };
+}
+/**
+ * Generate the PreToolUse hook configuration
+ */
+export function generateHookConfig(config = getDefaultHookConfig()) {
+    return {
+        hooks: {
+            PreToolUse: [
+                {
+                    id: HOOK_ID,
+                    matcher: {
+                        toolName: "run_shell_command",
+                        input: "npx skills add"
+                    },
+                    hooks: [
+                        {
+                            type: "command",
+                            command: `skill-audit --mode audit --threshold ${config.threshold}${config.blockOnFailure ? " --block" : ""}`
+                        }
+                    ]
+                }
+            ]
+        }
+    };
+}
+/**
+ * Check if the skip hook file exists
+ */
+export function shouldSkipHookPrompt() {
+    return existsSync(SKIP_HOOK_FILE);
+}
+/**
+ * Create the skip hook file
+ */
+export function createSkipHookFile() {
+    writeFileSync(SKIP_HOOK_FILE, JSON.stringify({
+        createdAt: new Date().toISOString(),
+        reason: "User chose to skip hook installation prompt"
+    }, null, 2));
+}
+/**
+ * Remove the skip hook file
+ */
+export function removeSkipHookFile() {
+    if (existsSync(SKIP_HOOK_FILE)) {
+        const fs = require("fs");
+        fs.unlinkSync(SKIP_HOOK_FILE);
+    }
+}
+/**
+ * Load existing settings.json
+ */
+function loadSettings() {
+    if (!existsSync(CLAUDE_SETTINGS_PATH)) {
+        return {};
+    }
+    try {
+        const content = readFileSync(CLAUDE_SETTINGS_PATH, "utf-8");
+        return JSON.parse(content);
+    }
+    catch (e) {
+        console.error("Failed to parse existing settings.json:", e);
+        return {};
+    }
+}
+/**
+ * Backup existing settings.json
+ */
+function backupSettings() {
+    if (!existsSync(CLAUDE_SETTINGS_PATH)) {
+        return true; // Nothing to backup
+    }
+    try {
+        // Ensure directory exists
+        const settingsDir = dirname(CLAUDE_SETTINGS_BACKUP);
+        if (!existsSync(settingsDir)) {
+            mkdirSync(settingsDir, { recursive: true });
+        }
+        copyFileSync(CLAUDE_SETTINGS_PATH, CLAUDE_SETTINGS_BACKUP);
+        return true;
+    }
+    catch (e) {
+        console.error("Failed to backup settings.json:", e);
+        return false;
+    }
+}
+/**
+ * Check if hook is already installed
+ */
+export function isHookInstalled() {
+    const settings = loadSettings();
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+        return false;
+    }
+    // PreToolUse can be an array of arrays or array of objects
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    for (const item of preToolUseHooks) {
+        // Handle nested array structure
+        if (Array.isArray(item)) {
+            if (item.some((h) => h.id === HOOK_ID)) {
+                return true;
+            }
+        }
+        else if (typeof item === "object" && item !== null) {
+            if (item.id === HOOK_ID) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Install the PreToolUse hook
+ */
+export function installHook(config = getDefaultHookConfig()) {
+    // Check if already installed
+    if (isHookInstalled()) {
+        return { success: true, message: "Hook is already installed" };
+    }
+    // Backup existing settings
+    if (!backupSettings()) {
+        return { success: false, message: "Failed to backup settings.json" };
+    }
+    // Load existing settings
+    const settings = loadSettings();
+    // Initialize hooks structure if not present
+    if (!settings.hooks) {
+        settings.hooks = {};
+    }
+    if (!settings.hooks.PreToolUse) {
+        settings.hooks.PreToolUse = [];
+    }
+    // Create the new hook object
+    const newHook = {
+        id: HOOK_ID,
+        matcher: {
+            toolName: "run_shell_command",
+            input: "npx skills add"
+        },
+        hooks: [
+            {
+                type: "command",
+                command: `skill-audit --mode audit --threshold ${config.threshold}${config.blockOnFailure ? " --block" : ""}`
+            }
+        ]
+    };
+    // Add the hook - wrap in array to match existing structure
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    preToolUseHooks.push([newHook]);
+    // Ensure directory exists
+    const settingsDir = dirname(CLAUDE_SETTINGS_PATH);
+    if (!existsSync(settingsDir)) {
+        mkdirSync(settingsDir, { recursive: true });
+    }
+    // Write updated settings
+    try {
+        writeFileSync(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
+        return { success: true, message: `Hook installed successfully (threshold: ${config.threshold})` };
+    }
+    catch (e) {
+        // Restore backup on failure
+        if (existsSync(CLAUDE_SETTINGS_BACKUP)) {
+            copyFileSync(CLAUDE_SETTINGS_BACKUP, CLAUDE_SETTINGS_PATH);
+        }
+        return { success: false, message: `Failed to write settings: ${e}` };
+    }
+}
+/**
+ * Uninstall the PreToolUse hook
+ */
+export function uninstallHook() {
+    const settings = loadSettings();
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+        return { success: true, message: "No hooks to remove" };
+    }
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    const initialLength = preToolUseHooks.length;
+    // Filter out our hook (handles nested array structure)
+    const filteredHooks = preToolUseHooks.filter((item) => {
+        if (Array.isArray(item)) {
+            return !item.some((h) => h.id === HOOK_ID);
+        }
+        else if (typeof item === "object" && item !== null) {
+            return item.id !== HOOK_ID;
+        }
+        return true;
+    });
+    if (filteredHooks.length === initialLength) {
+        return { success: true, message: "Hook was not installed" };
+    }
+    // Backup before modification
+    if (!backupSettings()) {
+        return { success: false, message: "Failed to backup settings.json" };
+    }
+    // Update settings
+    settings.hooks.PreToolUse = filteredHooks;
+    // Remove hooks object if empty
+    if (filteredHooks.length === 0) {
+        delete settings.hooks.PreToolUse;
+    }
+    if (Object.keys(settings.hooks).length === 0) {
+        delete settings.hooks;
+    }
+    // Write updated settings
+    try {
+        writeFileSync(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
+        return { success: true, message: "Hook uninstalled successfully" };
+    }
+    catch (e) {
+        // Restore backup on failure
+        if (existsSync(CLAUDE_SETTINGS_BACKUP)) {
+            copyFileSync(CLAUDE_SETTINGS_BACKUP, CLAUDE_SETTINGS_PATH);
+        }
+        return { success: false, message: `Failed to write settings: ${e}` };
+    }
+}
+/**
+ * Get hook status
+ */
+export function getHookStatus() {
+    const settings = loadSettings();
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+        return { installed: false, settingsPath: CLAUDE_SETTINGS_PATH };
+    }
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    // Find the hook in nested array structure
+    let hook;
+    for (const item of preToolUseHooks) {
+        if (Array.isArray(item)) {
+            hook = item.find((h) => h.id === HOOK_ID);
+            if (hook)
+                break;
+        }
+        else if (typeof item === "object" && item !== null) {
+            if (item.id === HOOK_ID) {
+                hook = item;
+                break;
+            }
+        }
+    }
+    if (!hook) {
+        return { installed: false, settingsPath: CLAUDE_SETTINGS_PATH };
+    }
+    // Extract config from hook command
+    const hookHooks = hook.hooks;
+    const command = hookHooks[0].command;
+    const thresholdMatch = command.match(/--threshold\s+([\d.]+)/);
+    const threshold = thresholdMatch ? parseFloat(thresholdMatch[1]) : 3.0;
+    const blockOnFailure = command.includes("--block");
+    return {
+        installed: true,
+        config: { threshold, blockOnFailure },
+        settingsPath: CLAUDE_SETTINGS_PATH
+    };
+}

package/dist/index.js

@@ -5,14 +5,15 @@ import { auditSecurity } from "./security.js";
 import { validateSkillSpec } from "./spec.js";
 import { createGroupedAuditResult } from "./scoring.js";
 import { scanDependencies } from "./deps.js";
-import { getKEV, getEPSS, isCacheStale } from "./intel.js";
+import { getKEV, getEPSS, getNVD, isCacheStale, downloadOfflineDB } from "./intel.js";
+import { installHook, uninstallHook, getHookStatus, getDefaultHookConfig } from "./hooks.js";
 import { writeFileSync } from "fs";
 // Build CLI - no subcommands, just options + action
 const program = new Command();
 program
-    .name("skills-audit")
+    .name("skill-audit")
     .description("Security auditing CLI for AI agent skills")
-    .version("0.1.0")
+    .version("0.3.0")
     .option("-g, --global", "Audit global skills only (default: true)")
     .option("-p, --project", "Audit project-level skills only")
     .option("-a, --agent <agents...>", "Filter by specific agents")
@@ -23,16 +24,73 @@ program
     .option("--no-deps", "Skip dependency scanning (faster)")
     .option("--mode <mode>", "Audit mode: 'lint' (spec only) or 'audit' (full)", "audit")
     .option("--update-db", "Update advisory intelligence feeds")
-    .option("--source <sources...>", "Sources for update-db: kev, epss, all", ["all"])
+    .option("--source <sources...>", "Sources for update-db: kev, epss, nvd, all", ["all"])
     .option("--strict", "Fail if feeds are stale")
-    .option("--quiet", "Suppress non-error output");
+    .option("--quiet", "Suppress non-error output")
+    .option("--download-offline-db <dir>", "Download offline vulnerability databases to directory")
+    .option("--install-hook", "Install PreToolUse hook for automatic skill auditing")
+    .option("--uninstall-hook", "Remove the PreToolUse hook")
+    .option("--hook-threshold <score>", "Risk threshold for hook (default: 3.0)", parseFloat)
+    .option("--hook-status", "Show current hook status")
+    .option("--block", "Exit with code 1 if threshold exceeded (for hooks)");
 program.parse(process.argv);
 const options = program.opts();
+// Handle download-offline-db action
+if (options.downloadOfflineDb) {
+    await downloadOfflineDB(options.downloadOfflineDb);
+    process.exit(0);
+}
 // Handle update-db action
 if (options.updateDb) {
     await updateAdvisoryDB({ source: options.source, strict: options.strict });
     process.exit(0);
 }
+// Handle hook-status action
+if (options.hookStatus) {
+    const status = getHookStatus();
+    console.log("\n🪝 skill-audit Hook Status\n");
+    console.log(`   Installed: ${status.installed ? "✅ Yes" : "❌ No"}`);
+    if (status.installed && status.config) {
+        console.log(`   Threshold: ${status.config.threshold}`);
+        console.log(`   Block on failure: ${status.config.blockOnFailure ? "Yes" : "No"}`);
+    }
+    console.log(`   Settings file: ${status.settingsPath}\n`);
+    process.exit(0);
+}
+// Handle install-hook action
+if (options.installHook) {
+    const config = getDefaultHookConfig();
+    if (options.hookThreshold) {
+        config.threshold = options.hookThreshold;
+    }
+    config.blockOnFailure = true;
+    console.log("\n🪝 Installing skill-audit hook...\n");
+    const result = installHook(config);
+    if (result.success) {
+        console.log(`✅ ${result.message}`);
+        console.log(`   Settings file: ${getHookStatus().settingsPath}`);
+        console.log("\n   Skills will now be audited before installation.");
+        console.log("   Run 'skill-audit --uninstall-hook' to remove.\n");
+    }
+    else {
+        console.error(`❌ ${result.message}`);
+        process.exit(1);
+    }
+    process.exit(0);
+}
+// Handle uninstall-hook action
+if (options.uninstallHook) {
+    console.log("\n🪝 Removing skill-audit hook...\n");
+    const result = uninstallHook();
+    if (result.success) {
+        console.log(`✅ ${result.message}\n`);
+    }
+    else {
+        console.error(`❌ ${result.message}`);
+        process.exit(1);
+    }
+    process.exit(0);
+}
 // Default to global skills
 const scope = options.project ? "project" : "global";
 const mode = options.mode || "audit";
@@ -72,10 +130,11 @@ reportGroupedResults(results, {
     output: options.output,
     verbose: options.verbose,
     threshold: options.threshold,
-    mode
+    mode,
+    block: options.block
 });
 async function updateAdvisoryDB(opts) {
-    const sources = opts.source.includes("all") ? ["kev", "epss"] : opts.source;
+    const sources = opts.source.includes("all") ? ["kev", "epss", "nvd"] : opts.source;
     const quiet = program.opts().quiet;
     if (!quiet) {
         console.log("📥 Updating advisory intelligence feeds...\n");
@@ -98,6 +157,12 @@ async function updateAdvisoryDB(opts) {
                     console.log(`   ✓ EPSS: ${result.findings.length} scores cached (stale: ${result.stale})`);
                 }
             }
+            else if (source === "nvd") {
+                const result = await getNVD();
+                if (!quiet) {
+                    console.log(`   ✓ NVD: ${result.findings.length} CVEs cached (stale: ${result.stale})`);
+                }
+            }
         }
         catch (e) {
             console.error(`   ✗ Failed to fetch ${source}:`, e);
@@ -112,7 +177,7 @@ async function updateAdvisoryDB(opts) {
     }
 }
 function reportGroupedResults(results, options) {
-    const { json, output, verbose, threshold, mode } = options;
+    const { json, output, verbose, threshold, mode, block } = options;
     // Export to file if specified
     if (output) {
         const report = {
@@ -159,8 +224,16 @@ function reportGroupedResults(results, options) {
     // Check cache freshness and warn if stale
     const kevStale = isCacheStale("kev");
     const epssStale = isCacheStale("epss");
-    if (!options.json && (kevStale.warn || epssStale.warn)) {
-        console.log(`\n⚠️  Vulnerability DB is stale (${kevStale.age?.toFixed(1)} days for KEV, ${epssStale.age?.toFixed(1)} days for EPSS)`);
+    const nvdStale = isCacheStale("nvd");
+    if (!options.json && (kevStale.warn || epssStale.warn || nvdStale.warn)) {
+        const ages = [];
+        if (kevStale.age)
+            ages.push(`${kevStale.age.toFixed(1)} days for KEV`);
+        if (epssStale.age)
+            ages.push(`${epssStale.age.toFixed(1)} days for EPSS`);
+        if (nvdStale.age)
+            ages.push(`${nvdStale.age.toFixed(1)} days for NVD`);
+        console.log(`\n⚠️  Vulnerability DB is stale (${ages.join(", ")})`);
         console.log(`   Run: npx skill-audit --update-db`);
     }
     if (threshold !== undefined) {
@@ -170,6 +243,10 @@ function reportGroupedResults(results, options) {
             for (const f of failing) {
                 console.log(`   - ${f.skill.name}: ${f.riskScore}`);
             }
+            // Exit with error code if block flag is set
+            if (block) {
+                process.exit(1);
+            }
         }
         else {
             console.log(`\n✅ All skills pass threshold ${threshold}`);

package/dist/intel.js

@@ -8,6 +8,8 @@ const METRICS_FILE = join(PACKAGE_ROOT, ".cache/skill-audit/metrics.json");
 // Cache configuration - differentiated by source update frequency
 const MAX_CACHE_AGE_DAYS = {
     kev: 1, // Daily updates - critical for actively exploited vulns
+    nvd: 1, // Daily - official NVD database updates frequently
+    ghsa: 3, // 3 days - GitHub Security Advisories
     epss: 3, // Matches FIRST.org update cycle
     osv: 7 // Stable database - weekly acceptable
 };
@@ -15,6 +17,21 @@ const WARN_CACHE_AGE_DAYS = 3;
 const FETCH_TIMEOUT_MS = 30000; // 30 seconds
 const MAX_RETRIES = 3;
 const RETRY_DELAY_MS = 1000; // Base delay for exponential backoff
+// Map internal ecosystem names to GitHub GraphQL enum values
+const GHSA_ECOSYSTEM_MAP = {
+    'npm': 'NPM',
+    'PyPI': 'PIP',
+    'pypi': 'PIP',
+    'crates.io': 'RUST',
+    'RubyGems': 'RUBYGEMS',
+    'Maven': 'MAVEN',
+    'Packagist': 'COMPOSER',
+    'Go': 'GO',
+    'NuGet': 'NUGET',
+    'Pub': 'PUB',
+    'Hex': 'ERLANG',
+    'SwiftURL': 'SWIFT',
+};
 /**
  * Ensure cache directory exists
  */
@@ -101,6 +118,12 @@ function recordFetchResult(source, count, durationMs, error) {
     else if (source === 'epss') {
         metrics.epssCount = count;
     }
+    else if (source === 'nvd') {
+        metrics.nvdCount = count;
+    }
+    else if (source === 'ghsa') {
+        metrics.ghsaCount = count;
+    }
     if (error) {
         metrics.errors.push(`${source}: ${error}`);
         // Keep only last 10 errors
@@ -293,7 +316,7 @@ export async function queryGHSA(ecosystem, packageName) {
           }
         `,
                 variables: {
-                    ecosystem: ecosystem.toUpperCase(),
+                    ecosystem: GHSA_ECOSYSTEM_MAP[ecosystem] || ecosystem.toUpperCase(),
                     package: packageName
                 }
             })
@@ -386,6 +409,80 @@ export async function fetchEPSS() {
         return [];
     }
 }
+/**
+ * Fetch NIST NVD (National Vulnerability Database)
+ * Uses NVD API v2.0 with CVSS scoring
+ * API: https://nvd.nist.gov/developers/vulnerabilities
+ */
+export async function fetchNVD() {
+    const startTime = Date.now();
+    const apiKey = process.env.NVD_API_KEY;
+    // Calculate date range for last 24 hours
+    const now = new Date();
+    const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+    // NVD API requires ISO8601 format without milliseconds
+    const formatDate = (date) => date.toISOString().replace(/\.\d{3}Z$/, 'Z');
+    const lastModStartDate = formatDate(yesterday);
+    const lastModEndDate = formatDate(now);
+    const url = `https://services.nvd.nist.gov/rest/json/cves/2.0?lastModStartDate=${lastModStartDate}&lastModEndDate=${lastModEndDate}`;
+    try {
+        const headers = {
+            'User-Agent': 'skill-audit/0.1.0 (Vulnerability Intelligence Scanner)'
+        };
+        if (apiKey) {
+            headers['apiKey'] = apiKey;
+        }
+        const response = await fetchWithRetry(url, FETCH_TIMEOUT_MS, { headers });
+        const data = await response.json();
+        if (!data.vulnerabilities) {
+            recordFetchResult('nvd', 0, Date.now() - startTime, 'No vulnerabilities in response');
+            return [];
+        }
+        const records = data.vulnerabilities.map(v => {
+            // Extract CVSS score (prefer v3.1, fallback to v3.0)
+            let cvss;
+            let cvssVector;
+            let severity;
+            if (v.cve.metrics?.cvssMetricV31?.[0]?.cvssData) {
+                const cvss31 = v.cve.metrics.cvssMetricV31[0].cvssData;
+                cvss = cvss31.baseScore;
+                cvssVector = cvss31.vectorString;
+                severity = cvss31.baseSeverity;
+            }
+            else if (v.cve.metrics?.cvssMetricV30?.[0]?.cvssData) {
+                const cvss30 = v.cve.metrics.cvssMetricV30[0].cvssData;
+                cvss = cvss30.baseScore;
+                cvssVector = cvss30.vectorString;
+                severity = cvss30.baseSeverity;
+            }
+            // Extract CWE
+            const cwe = v.cve.weaknesses?.[0]?.description?.map(d => d.value) || [];
+            // Extract description as summary
+            const summary = v.cve.descriptions?.find(d => d.lang === 'en')?.value;
+            return {
+                id: v.cve.id,
+                aliases: [v.cve.id],
+                source: "NVD",
+                severity,
+                cvss,
+                cvssVector,
+                cwe,
+                published: v.cve.published,
+                modified: v.cve.lastModified,
+                summary,
+                references: v.cve.references?.map(r => r.url) || []
+            };
+        });
+        recordFetchResult('nvd', records.length, Date.now() - startTime);
+        return records;
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : 'Unknown error';
+        recordFetchResult('nvd', 0, Date.now() - startTime, errorMsg);
+        console.error(`NVD fetch failed:`, error);
+        return [];
+    }
+}
 /**
  * Query vulnerability intelligence for a package
  */
@@ -443,6 +540,48 @@ export async function getEPSS() {
         warn
     };
 }
+/**
+ * Get NVD vulnerabilities (enriched)
+ */
+export async function getNVD() {
+    const { stale, age, warn } = isCacheStale("nvd");
+    let records = loadFromCache("nvd");
+    if (records.length === 0 || stale) {
+        records = await fetchNVD();
+        if (records.length > 0) {
+            saveToCache("nvd", records);
+        }
+    }
+    return {
+        findings: records,
+        cacheAge: age,
+        stale,
+        warn
+    };
+}
+/**
+ * Get GHSA advisories (enriched)
+ */
+export async function getGHSA() {
+    const { stale, age, warn } = isCacheStale("ghsa");
+    let records = loadFromCache("ghsa");
+    if (records.length === 0 || stale) {
+        // GHSA doesn't have a bulk feed - would need to query per-package
+        // For now, return empty - GHSA integration is via queryGHSA() per-package
+        return {
+            findings: [],
+            cacheAge: age,
+            stale,
+            warn
+        };
+    }
+    return {
+        findings: records,
+        cacheAge: age,
+        stale,
+        warn
+    };
+}
 /**
  * Merge advisory records by alias
  */
@@ -484,3 +623,71 @@ export function prioritizeRecords(records) {
         return 0;
     });
 }
+/**
+ * Download offline vulnerability databases
+ * @param outputDir - Directory to save offline databases
+ * @returns Object with download statistics
+ */
+export async function downloadOfflineDB(outputDir) {
+    const results = {
+        kev: { success: false, count: 0 },
+        epss: { success: false, count: 0 },
+        nvd: { success: false, count: 0 },
+        osv: { success: false, message: '' }
+    };
+    try {
+        // Ensure output directory exists
+        if (!existsSync(outputDir)) {
+            mkdirSync(outputDir, { recursive: true });
+        }
+        // Download KEV
+        console.log('📥 Downloading CISA KEV...');
+        const kevRecords = await fetchKEV();
+        if (kevRecords.length > 0) {
+            writeFileSync(join(outputDir, 'kev.json'), JSON.stringify({ fetchedAt: new Date().toISOString(), records: kevRecords }, null, 2));
+            results.kev = { success: true, count: kevRecords.length };
+            console.log(`   ✓ KEV: ${kevRecords.length} vulnerabilities`);
+        }
+        // Download EPSS
+        console.log('📥 Downloading EPSS scores...');
+        const epssRecords = await fetchEPSS();
+        if (epssRecords.length > 0) {
+            writeFileSync(join(outputDir, 'epss.json'), JSON.stringify({ fetchedAt: new Date().toISOString(), records: epssRecords }, null, 2));
+            results.epss = { success: true, count: epssRecords.length };
+            console.log(`   ✓ EPSS: ${epssRecords.length} scores`);
+        }
+        // Download NVD
+        console.log('📥 Downloading NIST NVD...');
+        const nvdRecords = await fetchNVD();
+        if (nvdRecords.length > 0) {
+            writeFileSync(join(outputDir, 'nvd.json'), JSON.stringify({ fetchedAt: new Date().toISOString(), records: nvdRecords }, null, 2));
+            results.nvd = { success: true, count: nvdRecords.length };
+            console.log(`   ✓ NVD: ${nvdRecords.length} CVEs`);
+        }
+        // Note: OSV is query-based, not a bulk download
+        // Users would need to query OSV API per-package
+        results.osv = {
+            success: true,
+            message: 'OSV uses on-demand API queries (not bulk download). Use OSV CLI for offline scanning.'
+        };
+        console.log('   ℹ️  OSV: Query-based API (use --update-db for caching)');
+        // Save metadata
+        const metadata = {
+            downloadedAt: new Date().toISOString(),
+            sources: results,
+            cacheAges: {
+                kev: MAX_CACHE_AGE_DAYS.kev,
+                epss: MAX_CACHE_AGE_DAYS.epss,
+                nvd: MAX_CACHE_AGE_DAYS.nvd,
+                osv: MAX_CACHE_AGE_DAYS.osv
+            }
+        };
+        writeFileSync(join(outputDir, 'metadata.json'), JSON.stringify(metadata, null, 2));
+        console.log('\n✅ Offline databases downloaded to:', outputDir);
+    }
+    catch (error) {
+        console.error('❌ Download failed:', error);
+        results.osv.message = error instanceof Error ? error.message : 'Download error';
+    }
+    return results;
+}