@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/vsix-scan/marketplace-client.js

@@ -7,7 +7,7 @@ const RATE_LIMIT_MS = 6000;
 let _lastFetchTime = 0;
 
 function sleep(ms) {
-  return new Promise(r => setTimeout(r, ms));
+  return new Promise((r) => setTimeout(r, ms));
 }
 
 async function rateLimitedFetch(url) {
@@ -44,20 +44,22 @@ async function rateLimitedFetch(url) {
   }
 }
 
-function parseExtensionId(id) {
+function _parseExtensionId(id) {
   const parts = id.split('.');
-  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
+  if (parts.length < 2) {
+    throw new Error(`Invalid extension ID: ${id}`);
+  }
   return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
 }
 
 export async function getExtensionMetadata(publisherId, extensionName) {
   const url = `${MARKETPLACE_API}/extensionquery`;
   const body = {
-    filters: [{
-      criteria: [
-        { filterType: 8, value: `${publisherId}.${extensionName}` },
-      ],
-    }],
+    filters: [
+      {
+        criteria: [{ filterType: 8, value: `${publisherId}.${extensionName}` }],
+      },
+    ],
     flags: 914,
   };
 
@@ -77,13 +79,23 @@ export async function getExtensionMetadata(publisherId, extensionName) {
   try {
     res = await fetch(url, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json;api-version=3.0-preview.1',
+      },
       body: JSON.stringify(body),
     });
     if (res.status === 429) {
       const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
       await sleep(retryAfter * 1000);
-      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
+      res = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Accept: 'application/json;api-version=3.0-preview.1',
+        },
+        body: JSON.stringify(body),
+      });
     }
     if (!res.ok) {
       console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
@@ -100,12 +112,14 @@ export async function getExtensionMetadata(publisherId, extensionName) {
 
 export async function getVersionHistory(publisherId, extensionName) {
   const data = await getExtensionMetadata(publisherId, extensionName);
-  if (!data?.results?.[0]?.extensions?.[0]) return [];
+  if (!data?.results?.[0]?.extensions?.[0]) {
+    return [];
+  }
 
   const extension = data.results[0].extensions[0];
   const versions = extension.versions || [];
 
-  return versions.map(v => ({
+  return versions.map((v) => ({
     version: v.version,
     publishedAt: v.lastUpdated || v.publishedDate,
     publishedBy: extension.publisher?.publisherName || publisherId,
@@ -126,7 +140,9 @@ export async function getOpenVsxMetadata(namespace, name) {
 
 export async function getOpenVsxVersionHistory(namespace, name) {
   const data = await getOpenVsxMetadata(namespace, name);
-  if (!data) return [];
+  if (!data) {
+    return [];
+  }
   const versions = data.allVersions || {};
   const files = data.files || {};
 

package/cli/cli.js

@@ -5,7 +5,7 @@ import { watch } from 'fs';
 import { statSync } from 'fs';
 import { execSync } from 'child_process';
 import { glob } from 'glob';
-import { isFeatureEnabled, generateKey } from '../backend/license.js';
+import { isFeatureEnabled, generateKey as _generateKey } from '../backend/license.js';
 
 function requirePremium(feature, licenseKey) {
   if (!isFeatureEnabled(feature, licenseKey)) {
@@ -29,7 +29,11 @@ program
   .option('-l, --license-key <key>', 'Premium license')
   .option('--sbom [format]', 'Generate SBOM (json/xml/spdx)')
   .option('-p, --policy <path>', 'Policy file (YAML/JSON)')
-  .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
+  .option(
+    '--fail-on <level>',
+    'Exit with code 1 if findings >= level (low|medium|high|critical)',
+    'none'
+  )
   .option('--sarif [file]', 'Output SARIF v2.1 format to file or stdout')
   .option('--csv [file]', 'Output CSV format to file or stdout')
   .option('--score-only', 'Output only the risk score (0-10)')
@@ -48,7 +52,7 @@ program
       const fetchOptions = {
         cacheDir: options.cacheDir,
         cacheTTL: parseInt(options.cacheTtl || '604800'),
-        cacheMaxSize: parseInt(options.cacheSize || '1000000000')
+        cacheMaxSize: parseInt(options.cacheSize || '1000000000'),
       };
 
       if (!target && !options.file && !options.vsix) {
@@ -61,28 +65,41 @@ program
         const vsixFindings = await vsixScan(options.vsix);
         const { saveScan } = await import('../backend/db.js');
         const scanId = await saveScan(options.vsix, 'latest', vsixFindings);
-        const vsixOutput = JSON.stringify({ scanId, findings: vsixFindings, blocked: false, riskScore: 0, vsix: true }, null, 2);
+        const vsixOutput = JSON.stringify(
+          { scanId, findings: vsixFindings, blocked: false, riskScore: 0, vsix: true },
+          null,
+          2
+        );
         console.log(vsixOutput);
         return;
       }
 
       const policy = options.policy
-        ? await import('../backend/policy.js').then(m => m.loadPolicy(options.policy))
+        ? await import('../backend/policy.js').then((m) => m.loadPolicy(options.policy))
         : null;
 
       if (policy) {
         const { isAllowed } = await import('../backend/policy.js');
         if (target && isAllowed(target, policy)) {
-          console.log(JSON.stringify({ scanId: null, findings: [], skipped: true, reason: `Package '${target}' is in policy allowlist` }));
+          console.log(
+            JSON.stringify({
+              scanId: null,
+              findings: [],
+              skipped: true,
+              reason: `Package '${target}' is in policy allowlist`,
+            })
+          );
           return;
         }
       }
 
       const { pkgJson, jsFiles, allFiles, tmpDir, meta } = options.file
-        ? await import('../backend/fetch.js').then(m => m.scanLocalTarball(options.file))
-        : await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
+        ? await import('../backend/fetch.js').then((m) => m.scanLocalTarball(options.file))
+        : await import('../backend/fetch.js').then((m) => m.fetchPackage(target, fetchOptions));
       const pkgName = target || pkgJson.name || 'unknown';
-      const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles, meta, allFiles));
+      const findings = await import('../backend/detectors/index.js').then((m) =>
+        m.runAll(pkgJson, jsFiles, meta, allFiles)
+      );
       let vsixFindings = [];
       if (options.vsix) {
         const { vsixScan } = await import('../backend/vsix-scan/index.js');
@@ -107,13 +124,17 @@ program
 
       if (options.scoreOnly) {
         console.log(riskScore);
-        import('../backend/fetch.js').then(m => m.cleanup(tmpDir));
+        import('../backend/fetch.js').then((m) => m.cleanup(tmpDir));
         return;
       }
 
       if (options.sarif) {
         const { generateSARIF } = await import('../backend/report.js');
-        const scan = { package_name: pkgName, version: pkgJson.version || 'latest', findings: outputFindings };
+        const scan = {
+          package_name: pkgName,
+          version: pkgJson.version || 'latest',
+          findings: outputFindings,
+        };
         const sarifOutput = generateSARIF(scan);
         if (options.sarif === true || !options.sarif) {
           console.log(sarifOutput);
@@ -124,7 +145,11 @@ program
         }
       } else if (options.csv) {
         const { generateCSV } = await import('../backend/report.js');
-        const scan = { package_name: pkgName, version: pkgJson.version || 'latest', findings: outputFindings };
+        const scan = {
+          package_name: pkgName,
+          version: pkgJson.version || 'latest',
+          findings: outputFindings,
+        };
         const csvOutput = generateCSV([scan]);
         if (options.csv === true || !options.csv) {
           console.log(csvOutput);
@@ -136,14 +161,20 @@ program
       } else if (options.sbom) {
         const { generateSBOM } = await import('../backend/sbom.js');
         const pkg = { name: pkgName, version: pkgJson.version || 'latest' };
-        const sbom = generateSBOM(pkg, outputFindings, options.sbom === true ? 'json' : options.sbom);
+        const sbom = generateSBOM(
+          pkg,
+          outputFindings,
+          options.sbom === true ? 'json' : options.sbom
+        );
         console.log(sbom);
       } else {
-        console.log(JSON.stringify({scanId, findings: outputFindings, blocked, riskScore}, null, 2));
+        console.log(
+          JSON.stringify({ scanId, findings: outputFindings, blocked, riskScore }, null, 2)
+        );
       }
 
       if (options.auditLog) {
-        const { writeFileSync, appendFileSync } = await import('fs');
+        const { writeFileSync: _writeFileSync, appendFileSync } = await import('fs');
         const entry = {
           timestamp: new Date().toISOString(),
           command: `scan ${target || options.file}`,
@@ -151,7 +182,7 @@ program
           version: pkgJson.version || 'latest',
           riskScore,
           findingsCount: outputFindings.length,
-          exitCode: 0
+          exitCode: 0,
         };
         appendFileSync(options.auditLog, JSON.stringify(entry) + '\n');
       }
@@ -164,14 +195,16 @@ program
       if (options.failOn !== 'none') {
         const severityLevels = { low: 1, medium: 2, high: 3, critical: 4 };
         const failLevel = severityLevels[options.failOn] || 0;
-        const hasBlockingFindings = outputFindings.some(f => (severityLevels[f.severity] || 0) >= failLevel);
+        const hasBlockingFindings = outputFindings.some(
+          (f) => (severityLevels[f.severity] || 0) >= failLevel
+        );
         if (hasBlockingFindings) {
           console.error(`Fail: findings with severity >= ${options.failOn} detected`);
           process.exit(1);
         }
       }
 
-      import('../backend/fetch.js').then(m => m.cleanup(tmpDir));
+      import('../backend/fetch.js').then((m) => m.cleanup(tmpDir));
     } catch (e) {
       console.error(e.message);
       process.exit(1);
@@ -182,7 +215,11 @@ program
   .command('scan-lockfile')
   .description('Scan package lockfile (npm/yarn/pnpm)')
   .option('-f, --file <path>', 'lockfile path', 'package-lock.json')
-  .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
+  .option(
+    '--fail-on <level>',
+    'Exit with code 1 if findings >= level (low|medium|high|critical)',
+    'none'
+  )
   .option('--csv [file]', 'Output CSV format to file or stdout')
   .option('--sarif [file]', 'Output SARIF v2.1 format to file or stdout')
   .option('--watch', 'Watch for changes and re-scan automatically')
@@ -197,41 +234,62 @@ program
     const isWatch = options.watch;
     const isMonorepo = options.monorepo;
 
-      if (isWatch) {
-        if (isMonorepo) {
-          const lockfiles = await glob('**/{package-lock.json,yarn.lock,pnpm-lock.yaml}', { ignore: 'node_modules/**' });
+    if (isWatch) {
+      if (isMonorepo) {
+        const lockfiles = await glob('**/{package-lock.json,yarn.lock,pnpm-lock.yaml}', {
+          ignore: 'node_modules/**',
+        });
 
+        if (!silent) {
+          console.log(
+            `\x1b[32m✔\x1b[0m npm-scan watch mode (monorepo) — ${lockfiles.length} lockfiles`
+          );
+          console.log(`  Debounce: ${debounce}ms | Press Ctrl+C to stop\n`);
+        }
+
+        const timers = {};
+        for (const lf of lockfiles) {
           if (!silent) {
-            console.log(`\x1b[32m✔\x1b[0m npm-scan watch mode (monorepo) — ${lockfiles.length} lockfiles`);
-            console.log(`  Debounce: ${debounce}ms | Press Ctrl+C to stop\n`);
+            console.log(`  Watching: ${lf}`);
           }
+          const _watcher = watch(lf, (eventType) => {
+            if (eventType !== 'change') {
+              return;
+            }
+            clearTimeout(timers[lf]);
+            timers[lf] = setTimeout(() => {
+              if (!silent) {
+                console.log(
+                  `\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lf} changed — scanning...`
+                );
+              }
+              const lockType = lf.includes('yarn') ? '--yarn' : lf.includes('pnpm') ? '--pnpm' : '';
+              try {
+                execSync(
+                  `node cli/cli.js scan-lockfile -f "${lf}" --fail-on ${options.failOn || 'high'} --silent ${lockType}`,
+                  { stdio: silent ? 'ignore' : 'inherit' }
+                );
+              } catch {
+                /* ignore */
+              }
+            }, debounce);
+          });
+        }
 
-          let timers = {};
-          for (const lf of lockfiles) {
-            if (!silent) console.log(`  Watching: ${lf}`);
-            const watcher = watch(lf, (eventType) => {
-              if (eventType !== 'change') return;
-              clearTimeout(timers[lf]);
-              timers[lf] = setTimeout(() => {
-                if (!silent) {
-                  console.log(`\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lf} changed — scanning...`);
-                }
-                const lockType = lf.includes('yarn') ? '--yarn' : lf.includes('pnpm') ? '--pnpm' : '';
-                try {
-                  execSync(`node cli/cli.js scan-lockfile -f "${lf}" --fail-on ${options.failOn || 'high'} --silent ${lockType}`, { stdio: silent ? 'ignore' : 'inherit' });
-                } catch (e) {}
-              }, debounce);
-            });
+        process.on('SIGINT', () => {
+          if (!silent) {
+            console.log('\n\x1b[33m✖\x1b[0m Stopped.');
           }
-
-          process.on('SIGINT', () => {
-            if (!silent) console.log('\n\x1b[33m✖\x1b[0m Stopped.');
-            process.exit(0);
-          });
+          process.exit(0);
+        });
       } else {
         const lockfile = options.file;
         let lastSize = 0;
-        try { lastSize = statSync(lockfile).size; } catch {}
+        try {
+          lastSize = statSync(lockfile).size;
+        } catch {
+          /* ignore */
+        }
 
         if (!silent) {
           console.log(`\x1b[32m✔\x1b[0m npm-scan watch mode — ${lockfile}`);
@@ -239,19 +297,34 @@ program
         }
 
         const watcher = watch(lockfile, (eventType) => {
-          if (eventType !== 'change') return;
+          if (eventType !== 'change') {
+            return;
+          }
           const size = statSync(lockfile).size;
-          if (size === lastSize) return;
+          if (size === lastSize) {
+            return;
+          }
           lastSize = size;
-          if (!silent) console.log(`\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lockfile} changed — rescanning...`);
+          if (!silent) {
+            console.log(
+              `\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lockfile} changed — rescanning...`
+            );
+          }
           try {
-            execSync(`node cli/cli.js scan-lockfile --fail-on ${options.failOn || 'high'} --silent`, { stdio: silent ? 'ignore' : 'inherit' });
-          } catch (e) {}
+            execSync(
+              `node cli/cli.js scan-lockfile --fail-on ${options.failOn || 'high'} --silent`,
+              { stdio: silent ? 'ignore' : 'inherit' }
+            );
+          } catch {
+            /* ignore */
+          }
         });
 
         process.on('SIGINT', () => {
           watcher.close();
-          if (!silent) console.log('\n\x1b[33m✖\x1b[0m Stopped.');
+          if (!silent) {
+            console.log('\n\x1b[33m✖\x1b[0m Stopped.');
+          }
           process.exit(0);
         });
       }
@@ -260,9 +333,13 @@ program
       try {
         const { parseLockfile, generateLockfileReport } = await import('../backend/lockfile.js');
 
-        if (!silent) console.log(`\x1b[32m✔\x1b[0m Scanning lockfile: ${lockfile}`);
+        if (!silent) {
+          console.log(`\x1b[32m✔\x1b[0m Scanning lockfile: ${lockfile}`);
+        }
 
-        const lockfileData = parseLockfile(lockfile, { autoDetect: !options.yarn && !options.pnpm });
+        const lockfileData = parseLockfile(lockfile, {
+          autoDetect: !options.yarn && !options.pnpm,
+        });
         const results = generateLockfileReport(lockfileData);
 
         if (!silent) {
@@ -271,8 +348,17 @@ program
           if (results.findings.length > 0) {
             console.log(`\n\x1b[31m🔴\x1b[0m ${results.findings.length} finding(s) found:\n`);
             for (const f of results.findings) {
-              const color = f.severity === 'critical' ? '\x1b[31m' : f.severity === 'high' ? '\x1b[91m' : f.severity === 'medium' ? '\x1b[33m' : '\x1b[32m';
-              console.log(`  ${color}${f.severity.toUpperCase().padEnd(8)}\x1b[0m ${f.id}: ${f.title}`);
+              const color =
+                f.severity === 'critical'
+                  ? '\x1b[31m'
+                  : f.severity === 'high'
+                    ? '\x1b[91m'
+                    : f.severity === 'medium'
+                      ? '\x1b[33m'
+                      : '\x1b[32m';
+              console.log(
+                `  ${color}${f.severity.toUpperCase().padEnd(8)}\x1b[0m ${f.id}: ${f.title}`
+              );
               console.log(`           ${f.description}`);
             }
           } else {
@@ -287,9 +373,11 @@ program
           const failOn = options.failOn || 'none';
           if (failOn !== 'none') {
             const weights = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
-            const maxWeight = Math.max(...results.findings.map(f => weights[f.severity] || 0));
+            const maxWeight = Math.max(...results.findings.map((f) => weights[f.severity] || 0));
             const failThreshold = weights[failOn] || 0;
-            if (maxWeight >= failThreshold) process.exit(1);
+            if (maxWeight >= failThreshold) {
+              process.exit(1);
+            }
           }
         }
       } catch (e) {
@@ -300,7 +388,7 @@ program
   });
 
 program
-.command('report')
+  .command('report')
   .description('Generate report')
   .option('-i, --id <id>', 'Scan ID')
   .option('--sbom [format]', 'SBOM format (json/xml/spdx)')
@@ -339,7 +427,7 @@ program
         const { generatePDF } = await import('../backend/pdf.js');
         const pdfBytes = await generatePDF(scan ? [scan] : []);
         const outPath = options.output || `${pkgName}-${options.id}-report.pdf`;
-        await import('fs').then(m => m.writeFileSync(outPath, pdfBytes));
+        await import('fs').then((m) => m.writeFileSync(outPath, pdfBytes));
         console.log(`PDF report written to ${outPath}`);
       } else if (options.text) {
         const { generateText } = await import('../backend/report.js');
@@ -361,7 +449,9 @@ program
       }
     } else {
       const scans = await getRecentScans();
-      const scansWithFindings = await Promise.all(scans.map(async s => ({ ...s, findings: await getFindings(s.id) })));
+      const scansWithFindings = await Promise.all(
+        scans.map(async (s) => ({ ...s, findings: await getFindings(s.id) }))
+      );
 
       if (options.siem) {
         requirePremium('siem', licenseKey);
@@ -377,7 +467,7 @@ program
         const pdfBytes = await generatePDF(scansWithFindings);
         const date = new Date().toISOString().slice(0, 10);
         const outPath = options.output || `npm-scan-report-${date}.pdf`;
-        await import('fs').then(m => m.writeFileSync(outPath, pdfBytes));
+        await import('fs').then((m) => m.writeFileSync(outPath, pdfBytes));
         console.log(`PDF report written to ${outPath}`);
       } else if (options.text) {
         const { generateText } = await import('../backend/report.js');
@@ -417,7 +507,7 @@ program
 
       if (req.url === '/scan' && req.method === 'POST') {
         let body = '';
-        req.on('data', chunk => body += chunk);
+        req.on('data', (chunk) => (body += chunk));
         req.on('end', async () => {
           try {
             const { package: pkg, options: scanOpts } = JSON.parse(body);
@@ -456,4 +546,4 @@ program
     });
   });
 
-program.parse();
+program.parse();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.18.3",
-  "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
+  "version": "1.1.0",
+  "description": "Production-grade npm supply chain vulnerability scanner. Detects 100% of 3 real May 2026 supply chain campaigns (dependency confusion, obfuscation, impersonation) with 0% false positive rate on top 1,000 npm packages.",
   "main": "backend/index.js",
   "bin": {
     "npm-scan": "cli/cli.js"
@@ -17,30 +17,51 @@
     "npm",
     "security",
     "supply-chain",
-    "scanner",
-    "malware",
-    "shai-hulud",
-    "sbom",
-    "compliance"
+    "malware-detection",
+    "typosquat",
+    "dependency-confusion",
+    "obfuscation-detection",
+    "validated-detectors"
   ],
   "scripts": {
     "dev": "node cli/cli.js",
-    "lint": "echo 'Lint stub'",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "validate": "npm run lint && npm run format:check && npm test",
     "test": "node --test",
     "test:coverage": "node --experimental-test-coverage --test",
     "test:verbose": "node --test --test-reporter spec",
     "prepare": "husky",
     "build": "echo 'Build stub'",
-    "corpus": "node tests/corpus/run.js"
+    "corpus": "node tests/corpus/run.js",
+    "validate:campaigns": "node backend/scripts/validate-detectors.js all",
+    "validate:analyze": "node backend/scripts/analyze-validation.js",
+    "calibrate:fetch": "node backend/scripts/fetch-top-packages.js",
+    "calibrate:fps": "node backend/scripts/detect-false-positives.js",
+    "calibrate:analyze": "node backend/scripts/analyze-false-positives.js"
   },
   "lint-staged": {
     "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
     "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
     "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
   },
+  "engines": {
+    "node": ">=18.0.0"
+  },
   "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
     "access": "public"
   },
+  "files": [
+    "backend/",
+    "cli/",
+    "README.md",
+    "VALIDATION.md",
+    "CHANGELOG.md",
+    "LICENSING.md"
+  ],
   "dependencies": {
     "acorn": "^8.16.0",
     "commander": "^14.0.3",
@@ -51,7 +72,12 @@
     "tar": "^7.5.15"
   },
   "devDependencies": {
+    "@eslint/js": "^9.39.4",
+    "eslint": "^9.39.4",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.6",
     "husky": "^9.1.7",
-    "lint-staged": "^16.4.0"
+    "lint-staged": "^16.4.0",
+    "prettier": "^3.8.3"
   }
 }

package/.dockerignore

@@ -1,20 +0,0 @@
-node_modules
-.git
-.env
-*.log
-*.tmp
-*.swp
-coverage
-.nyc_output
-tests
-docs
-docker
-*.md
-!README.md
-.eslintrc*
-.prettierrc*
-tsconfig*
-.vscode
-.idea
-*.test.js
-*.spec.js

package/.husky/pre-commit

@@ -1 +0,0 @@
-npx lint-staged

package/SECURITY.md

@@ -1,73 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-Only the **latest published minor version** on npm receives security patches. Keep `@lateos/npm-scan` up to date:
-
-```bash
-npm update -g @lateos/npm-scan
-```
-
-| Version | Supported |
-|---------|-----------|
-| 0.9.x   | ✅ Active |
-| < 0.9   | ❌       |
-
-## Reporting a Vulnerability
-
-Use **GitHub Private Vulnerability Reporting**:
-
-1. Go to [github.com/lateos-ai/npm-scan/security/advisories/new](https://github.com/lateos-ai/npm-scan/security/advisories/new)
-2. Describe the vulnerability in detail (ideally with a proof of concept)
-3. Allow **72 hours** for an initial acknowledgment
-
-For encrypted follow-up outside of GitHub, use our PGP key:
-
-```
-Fingerprint: 1BC6 998B 879B BDE0 D778  629E D9CF F5EF 1F7C 557B
-Key ID:      1F7C557B
-Email:       leo@lateos.ai
-```
-
-## Scope
-
-**In scope:**
-- Detector logic (ATK-001 through ATK-011)
-- Code execution in the scanner engine (`backend/fetch.js`, `cli/cli.js`)
-- CI/CD pipeline and publish process (provenance bypass, supply chain)
-- Configuration injection via `policy.yaml` or command-line flags
-
-**Out of scope:**
-- CVEs in third-party dependencies — report upstream
-- Vulnerabilities in the npm registry itself — report to npm
-- Malicious packages detected by the scanner (that's working as designed)
-
-## Security Practices
-
-`@lateos/npm-scan` follows these practices to protect its own supply chain:
-
-- **Sigstore provenance** on every npm publish — verifiable via `npm view @lateos/npm-scan provenance`
-- **Self-scanning in CI** — every commit scans the project's own `package-lock.json` for the full ATK taxonomy
-- **SBOM per release** — CycloneDX and SPDX 2.3 Bill of Materials published with every version
-- **2FA** enforced on the npm publisher account
-- **Docker multi-arch images** signed and pushed via CI, not manually
-- **All code public** — no security-by-obscurity
-
-## Self-Scanning
-
-As a supply chain security scanner, `@lateos/npm-scan` dogfoods its own detectors. Every CI run executes:
-
-```bash
-npx @lateos/npm-scan scan-lockfile --fail-on medium
-```
-
-If a future update to a dependency triggers one of our detectors (e.g., typosquat, obfuscated lifecycle script), the build **fails** before the change reaches npm.
-
-## Safe Harbor
-
-We consider security research conducted under this policy as authorized and will not pursue legal action against researchers who:
-
-- Report vulnerabilities through GitHub Private Vulnerability Reporting
-- Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
-- Do not exploit the vulnerability beyond demonstrating it
-- Act in good faith to improve the security of the project