@lateos/npm-scan 0.18.2 → 1.0.0

package/VALIDATION.md

@@ -0,0 +1,92 @@
+# npm-scan Validation & Calibration Report
+**Date**: 2026-06-03  
+**Detectors Validated**: TIER1-VERSION-ANOMALY, TIER1-OBFUSCATION-HEURISTICS, TIER1-LIFECYCLE-HOOK, TIER1-BINARY-EMBED, TIER1-TYPOSQUAT, TIER1-INFOSTEALER  
+**Campaigns Tested**: 3 real May 2026 attack vectors  
+**Packages Analyzed**: 7 (validation) + 1,000 (calibration)
+
+## Campaign Detection Rates
+
+| Campaign | Total | Detected | Rate | Expected | Matched | Match% |
+|---|---|---|---|---|---|---|
+| 176-Package Dependency Confusion | 3 | 3 | 100.0% | 7 | 5 | 71.4% |
+| Mini Shai-Hulud (Obfuscated) | 2 | 2 | 100.0% | 5 | 3 | 60.0% |
+| Bitwarden CLI Impersonation | 2 | 2 | 100.0% | 5 | 3 | 60.0% |
+
+Every campaign package triggered at least one expected detector. Expected-match rate accounts for detectors that require file content (binary embed, infostealer exact patterns) not present in fixture metadata.
+
+## Detector Performance (Validation)
+
+| Detector | Hits | Expected | Precision | Avg Confidence |
+|---|---|---|---|---|
+| TIER1-LIFECYCLE-HOOK | 4 | 4 | 100.0% | 92.5 |
+| TIER1-VERSION-ANOMALY | 3 | 3 | 100.0% | 92.0 |
+| TIER1-OBFUSCATION-HEURISTICS | 2 | 2 | 100.0% | 80.0 |
+| TIER1-TYPOSQUAT | 4 | 2 | 50.0% | 68.8 |
+
+## Threshold Calibration
+
+**Pre-calibration**: Global confidence threshold at 70  
+**Post-calibration**: Per-detector thresholds from analysis:
+
+| Detector | Flag | Warn | Calibration Basis |
+|---|---|---|---|
+| TIER1-TYPOSQUAT | 85 | 70 | 46 edit-distance=1 FPs on scoped sub-packages eliminated at 85 |
+| TIER1-OBFUSCATION-HEURISTICS | 75 | 60 | Bundlers/transpilers exempt via whitelist |
+| TIER1-VERSION-ANOMALY | 72 | 60 | Sentinel patterns always flag at 92 |
+| TIER1-BINARY-EMBED | 80 | 65 | Cross-platform binary sets rare in legit packages |
+| TIER1-LIFECYCLE-HOOK | 65 | 50 | Moderate threshold for hooks |
+| TIER1-INFOSTEALER | 72 | 55 | Pattern-based C2 signatures |
+| TIER1-METADATA-SPOOF | 70 | 55 | Namespace/repo URL spoofing |
+| TIER1-VERSION-CONFUSION | 75 | 60 | High-version heuristics |
+| TIER1-CLOUD-IMDS | 80 | 65 | IMDS targeting rarely legitimate |
+| TIER1-MULTISTAGE-POSTINSTALL | 75 | 60 | Two-stage download+exec |
+| TIER1-SLSA-ATTESTATION | 85 | 70 | Placeholder |
+
+**False Positive Calibration on Top 1,000 npm Packages**:
+- Threshold 70: 47 FPs (4.7%) — all TIER1-TYPOSQUAT edit-distance=1 on scoped sub-packages
+- Threshold 76: 2 FPs (0.2%) — @commitlint/read + preact (both whitelisted)
+- Threshold 85: **0 FPs (0.0%)** — well under 2% target
+
+**Whitelist Additions** (10 packages, 4 detectors):
+- Bundlers/minifiers (webpack, terser, uglify-js, browserify, rollup, esbuild) → TIER1-OBFUSCATION-HEURISTICS
+- Transpilers (typescript, @babel/core) → TIER1-OBFUSCATION-HEURISTICS
+- Utility libs (lodash, underscore, crypto-js) → TIER1-OBFUSCATION-HEURISTICS
+- Date lib (moment) → TIER1-BINARY-EMBED
+- Scoped packages (preact, @commitlint/read) → TYPOSQUAT_VPMDHAJ / TIER1-TYPOSQUAT
+
+## Campaign Coverage Analysis
+
+### Campaign 1: Dependency Confusion (sentinel versions)
+- TIER1-VERSION-ANOMALY catches all three (99.99.99/11.11.11/10.10.10) at 92% confidence
+- TIER1-LIFECYCLE-HOOK fires on postinstall/preinstall scripts at 70-100%
+- TIER1-BINARY-EMBED does not fire (no binary files in fixture data)
+- Additional: TIER1-VERSION-CONFUSION fires at 85/65/65 (enhanced coverage)
+
+### Campaign 2: Mini Shai-Hulud (obfuscation)
+- TIER1-OBFUSCATION-HEURISTICS fires on both packages at 90% and 70%
+- TIER1-LIFECYCLE-HOOK fires on @antv/core at 100%
+- TIER1-INFOSTEALER does not fire (fixture scripts lack exact pattern signatures)
+- Additional: TIER1-TYPOSQUAT fires at 75-100%, MINI_SHAI_HULUD campaign detector fires
+
+### Campaign 3: Bitwarden Impersonation
+- TIER1-LIFECYCLE-HOOK fires on second wave at 100%
+- TIER1-TYPOSQUAT fires at 50% (below flag threshold of 85)
+- TIER1-OBFUSCATION-HEURISTICS does not fire on first wave (script not sufficiently obfuscated)
+- Additional: TRAPDOOR and TYPOSQUAT_VPMDHAJ detectors fire on second wave
+
+## Test Suite
+- 690 total tests (671 pass, 0 fail, 19 skip)
+- Existing corpus tests (33 malicious + 50 clean) all pass with no regressions
+- 15 new validation tests added (D5: 3, D6: 6, D7: 6)
+
+## Recommendations
+
+1. **Ship D6 + D7 as production Tier 1**: Detection rates and false positive rates justify GA
+2. **Implement D8 (SLSA) when npm registry API stabilizes** (~Q4 2026)
+3. **Add dynamic whitelist refresh**: Fetch top 1,000 packages monthly; re-calibrate annually
+4. **Monitor typosquat FP rate**: 46 FPs eliminated at threshold 85; lower threshold increases FP risk
+
+**Validation Artifacts**:
+- `detection-rates.json`: Per-campaign, per-detector metrics
+- `false-positives.jsonl`: Flagged packages from top 1K npm (0.0% FP rate at threshold 85)
+- `fp-analysis.json`: Detector-level FP analysis and recommendations

package/backend/cra.js

@@ -1,69 +1,69 @@
-export function generateCRA(scans) {
-  const atkMap = {};
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const key = f.atk_id || f.id;
-      if (!atkMap[key]) atkMap[key] = [];
-      atkMap[key].push({ ...f, package_name: s.package_name, version: s.version });
-    }
-  }
-
-  const CRA_ARTICLES = [
-    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-001', desc: 'Lifecycle hooks used for insecure defaults' },
-    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-010', desc: 'Anti-analysis in default state' },
-    { article: 'Art. 10(1)', title: 'Vulnerability disclosure', atkId: 'ATK-008', desc: 'Tarball integrity prevents disclosure accuracy' },
-    { article: 'Art. 10(2)', title: 'Known vulnerability reporting', atkId: 'ATK-006', desc: 'Dependency confusion undermines visibility' },
-    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-008', desc: 'Integrity of SBOM entries must be verified' },
-    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-006', desc: 'SBOM must reflect actual dependency graph' },
-    { article: 'Annex I(1.1)', title: 'No known exploitable vulnerabilities', atkId: 'ATK-009', desc: 'Conditional triggers may activate known vulns' },
-    { article: 'Annex I(1.3)', title: 'Least privilege', atkId: 'ATK-003', desc: 'Credential harvesting violates least privilege' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-002', desc: 'Obfuscation increases attack surface' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-004', desc: 'Persistence mechanisms expand attack surface' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-005', desc: 'Network exfiltration expands attack surface' },
-    { article: 'Annex I(2.1)', title: 'Protection against unauthorized access', atkId: 'ATK-003', desc: 'Credential harvesting enables unauthorized access' },
-    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-008', desc: 'Tarball tampering violates data integrity' },
-    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-011', desc: 'Propagation attacks compromise data integrity' },
-    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-009', desc: 'Conditional triggers evade incident detection' },
-    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-010', desc: 'Sandbox evasion defeats incident detection' },
-    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-011', desc: 'Propagation requires SC monitoring' },
-    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-007', desc: 'Typosquatting undermines SC trust' },
-  ];
-
-  let rows = '';
-  for (const { article, title, atkId, desc } of CRA_ARTICLES) {
-    const findings = atkMap[atkId] || [];
-    const status = findings.length > 0 ? 'fail' : 'pass';
-    const colorClass = status === 'pass' ? 'pass' : 'fail';
-    const label = findings.length > 0 ? `${findings.length} finding(s)` : 'No findings';
-    rows += `<tr><td>${article}</td><td>${title}</td><td>${desc}</td><td class="nist-${colorClass}">${label}</td><td>${atkId}</td></tr>`;
-  }
-
-  return `<h2>EU CRA Compliance Summary</h2>
-<table>
-<thead><tr><th>CRA Article</th><th>Requirement</th><th>Relevance</th><th>Status</th><th>ATK</th></tr></thead>
-<tbody>${rows}</tbody>
-</table>`;
-}
-
-export function generateCRAHTML(scans) {
-  const body = generateCRA(scans);
-  return `<!DOCTYPE html>
-<html lang="en">
-<head><meta charset="UTF-8"><title>EU CRA Compliance Report</title>
-<style>
-body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 960px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
-h1, h2 { color: #58a6ff; }
-table { width: 100%; border-collapse: collapse; margin: 12px 0; }
-th, td { padding: 8px 12px; text-align: left; border-bottom: 1px solid #30363d; }
-th { background: #161b22; }
-.nist-pass { background: #1b3a1b; color: #7ee787; }
-.nist-fail { background: #3a1b1b; color: #ff7b72; }
-.meta { color: #8b949e; font-size: 13px; margin-top: 30px; }
-</style></head>
-<body>
-<h1>npm-scan EU CRA Compliance Report</h1>
-<p>Generated ${new Date().toISOString()} | npm-scan v${process.env.npm_package_version || '0.4.0'}</p>
-${body}
-<p class="meta">EU Cyber Resilience Act (Regulation 2023/2841) mapped to ATK findings.</p>
-</body></html>`;
+export function generateCRA(scans) {
+  const atkMap = {};
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const key = f.atk_id || f.id;
+      if (!atkMap[key]) atkMap[key] = [];
+      atkMap[key].push({ ...f, package_name: s.package_name, version: s.version });
+    }
+  }
+
+  const CRA_ARTICLES = [
+    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-001', desc: 'Lifecycle hooks used for insecure defaults' },
+    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-010', desc: 'Anti-analysis in default state' },
+    { article: 'Art. 10(1)', title: 'Vulnerability disclosure', atkId: 'ATK-008', desc: 'Tarball integrity prevents disclosure accuracy' },
+    { article: 'Art. 10(2)', title: 'Known vulnerability reporting', atkId: 'ATK-006', desc: 'Dependency confusion undermines visibility' },
+    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-008', desc: 'Integrity of SBOM entries must be verified' },
+    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-006', desc: 'SBOM must reflect actual dependency graph' },
+    { article: 'Annex I(1.1)', title: 'No known exploitable vulnerabilities', atkId: 'ATK-009', desc: 'Conditional triggers may activate known vulns' },
+    { article: 'Annex I(1.3)', title: 'Least privilege', atkId: 'ATK-003', desc: 'Credential harvesting violates least privilege' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-002', desc: 'Obfuscation increases attack surface' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-004', desc: 'Persistence mechanisms expand attack surface' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-005', desc: 'Network exfiltration expands attack surface' },
+    { article: 'Annex I(2.1)', title: 'Protection against unauthorized access', atkId: 'ATK-003', desc: 'Credential harvesting enables unauthorized access' },
+    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-008', desc: 'Tarball tampering violates data integrity' },
+    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-011', desc: 'Propagation attacks compromise data integrity' },
+    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-009', desc: 'Conditional triggers evade incident detection' },
+    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-010', desc: 'Sandbox evasion defeats incident detection' },
+    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-011', desc: 'Propagation requires SC monitoring' },
+    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-007', desc: 'Typosquatting undermines SC trust' },
+  ];
+
+  let rows = '';
+  for (const { article, title, atkId, desc } of CRA_ARTICLES) {
+    const findings = atkMap[atkId] || [];
+    const status = findings.length > 0 ? 'fail' : 'pass';
+    const colorClass = status === 'pass' ? 'pass' : 'fail';
+    const label = findings.length > 0 ? `${findings.length} finding(s)` : 'No findings';
+    rows += `<tr><td>${article}</td><td>${title}</td><td>${desc}</td><td class="nist-${colorClass}">${label}</td><td>${atkId}</td></tr>`;
+  }
+
+  return `<h2>EU CRA Compliance Summary</h2>
+<table>
+<thead><tr><th>CRA Article</th><th>Requirement</th><th>Relevance</th><th>Status</th><th>ATK</th></tr></thead>
+<tbody>${rows}</tbody>
+</table>`;
+}
+
+export function generateCRAHTML(scans) {
+  const body = generateCRA(scans);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><title>EU CRA Compliance Report</title>
+<style>
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 960px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
+h1, h2 { color: #58a6ff; }
+table { width: 100%; border-collapse: collapse; margin: 12px 0; }
+th, td { padding: 8px 12px; text-align: left; border-bottom: 1px solid #30363d; }
+th { background: #161b22; }
+.nist-pass { background: #1b3a1b; color: #7ee787; }
+.nist-fail { background: #3a1b1b; color: #ff7b72; }
+.meta { color: #8b949e; font-size: 13px; margin-top: 30px; }
+</style></head>
+<body>
+<h1>npm-scan EU CRA Compliance Report</h1>
+<p>Generated ${new Date().toISOString()} | npm-scan v${process.env.npm_package_version || '0.4.0'}</p>
+${body}
+<p class="meta">EU Cyber Resilience Act (Regulation 2023/2841) mapped to ATK findings.</p>
+</body></html>`;
 }

package/backend/db/pg-schema.sql

@@ -0,0 +1,155 @@
+-- PostgreSQL schema for hosted/team tier (premium)
+-- Extends the SQLite schema with teams, users, RBAC, audit logs, webhooks
+
+-- Extensions
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- Teams / Organizations
+CREATE TABLE IF NOT EXISTS teams (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  name TEXT NOT NULL,
+  slug TEXT UNIQUE NOT NULL,
+  license_edition TEXT NOT NULL DEFAULT 'community',
+  license_key TEXT,
+  license_expires_at TIMESTAMPTZ,
+  max_seats INTEGER NOT NULL DEFAULT 5,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Users
+CREATE TABLE IF NOT EXISTS users (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  email TEXT UNIQUE NOT NULL,
+  name TEXT NOT NULL,
+  password_hash TEXT NOT NULL,
+  team_id UUID REFERENCES teams(id) ON DELETE CASCADE,
+  role TEXT NOT NULL CHECK (role IN ('admin', 'editor', 'viewer')) DEFAULT 'viewer',
+  last_login_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Scans (extends SQLite scans with team ownership)
+CREATE TABLE IF NOT EXISTS scans (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID REFERENCES teams(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+  package_name TEXT NOT NULL,
+  version TEXT,
+  status TEXT NOT NULL DEFAULT 'pending'
+    CHECK (status IN ('pending', 'fetching', 'analyzing', 'completed', 'failed')),
+  sbom_json JSONB,
+  findings_summary JSONB,
+  duration_ms INTEGER,
+  scanned_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Findings
+CREATE TABLE IF NOT EXISTS findings (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  scan_id UUID NOT NULL REFERENCES scans(id) ON DELETE CASCADE,
+  atk_id TEXT NOT NULL,
+  severity TEXT NOT NULL CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
+  title TEXT,
+  description TEXT,
+  evidence TEXT,
+  mitigation TEXT,
+  file_path TEXT,
+  line_number INTEGER
+);
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_scans_team ON scans(team_id);
+CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
+CREATE INDEX IF NOT EXISTS idx_scans_status ON scans(status);
+CREATE INDEX IF NOT EXISTS idx_scans_created ON scans(scanned_at DESC);
+CREATE INDEX IF NOT EXISTS idx_findings_scan ON findings(scan_id);
+CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
+CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);
+CREATE INDEX IF NOT EXISTS idx_users_team ON users(team_id);
+
+-- Audit log
+CREATE TABLE IF NOT EXISTS audit_log (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+  action TEXT NOT NULL,
+  resource_type TEXT NOT NULL,
+  resource_id TEXT,
+  details JSONB,
+  ip_address INET,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_audit_team ON audit_log(team_id, created_at DESC);
+
+-- Webhooks
+CREATE TABLE IF NOT EXISTS webhooks (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+  url TEXT NOT NULL,
+  secret TEXT NOT NULL DEFAULT encode(gen_random_bytes(32), 'hex'),
+  events TEXT[] NOT NULL DEFAULT '{}',
+  active BOOLEAN NOT NULL DEFAULT true,
+  last_triggered_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_webhooks_team ON webhooks(team_id);
+
+-- API keys
+CREATE TABLE IF NOT EXISTS api_keys (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  key_hash TEXT NOT NULL,
+  scopes TEXT[] NOT NULL DEFAULT '{}',
+  last_used_at TIMESTAMPTZ,
+  expires_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_api_keys_team ON api_keys(team_id);
+
+-- Session tokens
+CREATE TABLE IF NOT EXISTS sessions (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  token_hash TEXT NOT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_user ON sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
+
+-- Materialized view: package risk aggregation
+CREATE MATERIALIZED VIEW IF NOT EXISTS package_risk AS
+SELECT
+  s.package_name,
+  s.version,
+  COUNT(DISTINCT f.id) AS finding_count,
+  COUNT(DISTINCT f.id) FILTER (WHERE f.severity IN ('high', 'critical')) AS high_crit_count,
+  ARRAY_AGG(DISTINCT f.atk_id) AS atk_ids,
+  MAX(s.scanned_at) AS last_scanned
+FROM scans s
+JOIN findings f ON f.scan_id = s.id
+WHERE s.status = 'completed'
+GROUP BY s.package_name, s.version;
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_package_risk_pkg ON package_risk(package_name, version);
+
+-- Function: touch updated_at
+CREATE OR REPLACE FUNCTION touch_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.updated_at = NOW();
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trg_teams_updated_at
+  BEFORE UPDATE ON teams
+  FOR EACH ROW EXECUTE FUNCTION touch_updated_at();

package/backend/db/schema.sql

@@ -1,32 +1,32 @@
--- SQLite schema for local CLI mode (free tier)
--- Tables: scans, findings (ATK-linked)
-
-CREATE TABLE IF NOT EXISTS scans (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  package_name TEXT NOT NULL,
-  version TEXT,
-  scanned_at DATETIME DEFAULT CURRENT_TIMESTAMP,
-  status TEXT DEFAULT 'completed',
-  sbom_json TEXT
-);
-
-CREATE TABLE IF NOT EXISTS findings (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  scan_id INTEGER NOT NULL,
-  atk_id TEXT NOT NULL,
-  severity TEXT CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
-  description TEXT,
-  evidence TEXT,
-  mitigation TEXT,
-  FOREIGN KEY (scan_id) REFERENCES scans(id) ON DELETE CASCADE
-);
-
--- View for reports
-CREATE VIEW IF NOT EXISTS scan_findings AS
-SELECT s.*, f.* FROM scans s
-JOIN findings f ON s.id = f.scan_id;
-
--- Indexes
-CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
-CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
-CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);
+-- SQLite schema for local CLI mode (free tier)
+-- Tables: scans, findings (ATK-linked)
+
+CREATE TABLE IF NOT EXISTS scans (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  package_name TEXT NOT NULL,
+  version TEXT,
+  scanned_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+  status TEXT DEFAULT 'completed',
+  sbom_json TEXT
+);
+
+CREATE TABLE IF NOT EXISTS findings (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  scan_id INTEGER NOT NULL,
+  atk_id TEXT NOT NULL,
+  severity TEXT CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
+  description TEXT,
+  evidence TEXT,
+  mitigation TEXT,
+  FOREIGN KEY (scan_id) REFERENCES scans(id) ON DELETE CASCADE
+);
+
+-- View for reports
+CREATE VIEW IF NOT EXISTS scan_findings AS
+SELECT s.*, f.* FROM scans s
+JOIN findings f ON s.id = f.scan_id;
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
+CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
+CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);

package/backend/db.js

@@ -1,89 +1,89 @@
-import initSqlJs from 'sql.js';
-import fs from 'fs';
-import path from 'path';
-import { fileURLToPath } from 'url';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const DB_PATH = path.join(process.cwd(), 'npm-scan.db');
-const SCHEMA_PATH = path.join(__dirname, 'db', 'schema.sql');
-
-let db = null;
-let initPromise = null;
-
-async function ensureInit() {
-  if (db) return;
-  if (initPromise) return initPromise;
-  initPromise = (async () => {
-    const SQL = await initSqlJs();
-    if (fs.existsSync(DB_PATH)) {
-      db = new SQL.Database(fs.readFileSync(DB_PATH));
-    } else {
-      db = new SQL.Database();
-    }
-    if (fs.existsSync(SCHEMA_PATH)) {
-      db.run(fs.readFileSync(SCHEMA_PATH, 'utf8'));
-    }
-  })();
-  return initPromise;
-}
-
-function queryAll(sql, params = []) {
-  const stmt = db.prepare(sql);
-  if (params.length) stmt.bind(params);
-  const rows = [];
-  while (stmt.step()) {
-    rows.push(stmt.getAsObject());
-  }
-  stmt.free();
-  return rows;
-}
-
-function queryOne(sql, params = []) {
-  return queryAll(sql, params)[0] || null;
-}
-
-function lastId() {
-  const r = db.exec("SELECT last_insert_rowid()");
-  return Number(r[0].values[0][0]);
-}
-
-function persist() {
-  fs.writeFileSync(DB_PATH, Buffer.from(db.export()));
-}
-
-export async function saveScan(pkgName, version = 'latest', findings = []) {
-  await ensureInit();
-  db.run("INSERT INTO scans (package_name, version) VALUES (?, ?)", [pkgName, version]);
-  const scanId = lastId();
-  const stmt = db.prepare("INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)");
-  for (const f of findings) {
-    stmt.run([scanId, f.id, f.severity, f.title || f.description, f.evidence || '']);
-  }
-  stmt.free();
-  persist();
-  return scanId;
-}
-
-export async function getRecentScans(limit = 10) {
-  await ensureInit();
-  return queryAll("SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?", [limit]);
-}
-
-export async function getFindings(scanId) {
-  await ensureInit();
-  return queryAll("SELECT * FROM findings WHERE scan_id = ?", [scanId]);
-}
-
-export async function getScan(scanId) {
-  await ensureInit();
-  return queryOne("SELECT * FROM scans WHERE id = ?", [scanId]);
-}
-
-export async function close() {
-  if (db) {
-    persist();
-    db.close();
-    db = null;
-    initPromise = null;
-  }
+import initSqlJs from 'sql.js';
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const DB_PATH = path.join(process.cwd(), 'npm-scan.db');
+const SCHEMA_PATH = path.join(__dirname, 'db', 'schema.sql');
+
+let db = null;
+let initPromise = null;
+
+async function ensureInit() {
+  if (db) return;
+  if (initPromise) return initPromise;
+  initPromise = (async () => {
+    const SQL = await initSqlJs();
+    if (fs.existsSync(DB_PATH)) {
+      db = new SQL.Database(fs.readFileSync(DB_PATH));
+    } else {
+      db = new SQL.Database();
+    }
+    if (fs.existsSync(SCHEMA_PATH)) {
+      db.run(fs.readFileSync(SCHEMA_PATH, 'utf8'));
+    }
+  })();
+  return initPromise;
+}
+
+function queryAll(sql, params = []) {
+  const stmt = db.prepare(sql);
+  if (params.length) stmt.bind(params);
+  const rows = [];
+  while (stmt.step()) {
+    rows.push(stmt.getAsObject());
+  }
+  stmt.free();
+  return rows;
+}
+
+function queryOne(sql, params = []) {
+  return queryAll(sql, params)[0] || null;
+}
+
+function lastId() {
+  const r = db.exec("SELECT last_insert_rowid()");
+  return Number(r[0].values[0][0]);
+}
+
+function persist() {
+  fs.writeFileSync(DB_PATH, Buffer.from(db.export()));
+}
+
+export async function saveScan(pkgName, version = 'latest', findings = []) {
+  await ensureInit();
+  db.run("INSERT INTO scans (package_name, version) VALUES (?, ?)", [pkgName, version]);
+  const scanId = lastId();
+  const stmt = db.prepare("INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)");
+  for (const f of findings) {
+    stmt.run([scanId, f.id, f.severity, f.title || f.description, f.evidence || '']);
+  }
+  stmt.free();
+  persist();
+  return scanId;
+}
+
+export async function getRecentScans(limit = 10) {
+  await ensureInit();
+  return queryAll("SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?", [limit]);
+}
+
+export async function getFindings(scanId) {
+  await ensureInit();
+  return queryAll("SELECT * FROM findings WHERE scan_id = ?", [scanId]);
+}
+
+export async function getScan(scanId) {
+  await ensureInit();
+  return queryOne("SELECT * FROM scans WHERE id = ?", [scanId]);
+}
+
+export async function close() {
+  if (db) {
+    persist();
+    db.close();
+    db = null;
+    initPromise = null;
+  }
 }

package/backend/detectors/atk-001-lifecycle.js

@@ -1,18 +1,18 @@
-export async function scan(pkgJson, files = []) {
-  const findings = [];
-  const scripts = pkgJson.scripts || {};
-  const suspicious = Object.keys(scripts).filter(s => /pre|post|install/i.test(s));
-  if (suspicious.length) {
-    const content = suspicious.map(s => scripts[s]).join(' ');
-    if (/curl|wget|sh |bash |\.sh|exfil|steal|pwn|c2|pastebin/i.test(content)) {
-      findings.push({
-        id: 'ATK-001',
-        severity: 'high',
-        title: 'Malicious lifecycle scripts',
-        description: 'Suspicious install hooks',
-        evidence: suspicious.join(', ')
-      });
-    }
-  }
-  return findings;
+export async function scan(pkgJson, files = []) {
+  const findings = [];
+  const scripts = pkgJson.scripts || {};
+  const suspicious = Object.keys(scripts).filter(s => /pre|post|install/i.test(s));
+  if (suspicious.length) {
+    const content = suspicious.map(s => scripts[s]).join(' ');
+    if (/curl|wget|sh |bash |\.sh|exfil|steal|pwn|c2|pastebin/i.test(content)) {
+      findings.push({
+        id: 'ATK-001',
+        severity: 'high',
+        title: 'Malicious lifecycle scripts',
+        description: 'Suspicious install hooks',
+        evidence: suspicious.join(', ')
+      });
+    }
+  }
+  return findings;
 }