@lateos/npm-scan 0.4.0 → 0.5.0

package/README.md

@@ -17,11 +17,17 @@ npx @lateos/npm-scan scan lodash
 
 ## Features
 
-- **Static Analysis** — detects malicious lifecycle scripts, obfuscated payloads, credential harvesting, persistence, network exfiltration, dependency confusion, typosquatting, tarball tampering, conditional triggers, and sandbox evasion (ATK-001–010)
+- **Static Analysis** — detects malicious lifecycle scripts, obfuscated payloads, credential harvesting, persistence, network exfiltration, dependency confusion, typosquatting, tarball tampering, conditional triggers, sandbox evasion, and transitive propagation (ATK-001–011)
 - **SBOM Output** — CycloneDX 1.5 and SPDX 2.3 with findings mapped as vulnerabilities
-- **NIST 800-161 Compliance** — HTML report includes control traceability matrix (SR-2.1 → SR-10.3)
+- **NIST 800-161 Compliance** — HTML report includes control traceability matrix (SR-2.1 → SR-11.4)
+- **EU CRA Compliance** — report maps findings to Cyber Resilience Act articles and Annex I requirements
+- **SIEM Export** — CEF format for Splunk and other SIEM ingestion (premium)
+- **EU CRA Compliance** — report maps findings to Cyber Resilience Act articles (premium)
+- **License Key Gating** — premium features locked behind signed license keys
+- **REST API** — FastAPI-based API with webhooks, auth, scan management (premium)
+- **Kubernetes / Helm** — Helm chart for deploying the full pipeline on K8s (premium)
 - **SQLite Storage** — local scan history, zero external dependencies
-- **CLI** — `scan`, `scan-lockfile`, `report --sbom --html --nist`
+- **CLI** — `scan`, `scan-lockfile`, `report --sbom --html --nist --cra --siem`
 - **Dynamic Sandbox** — gVisor-based isolation (premium, documented in `docs/sandbox-threat-model.md`)
 - **GitHub Action** — scans lockfile on PRs
 - **Docker** — multi-arch images via GHCR
@@ -38,17 +44,25 @@ npm-scan report -i <id>              Show findings for a scan
 npm-scan report -i <id> --sbom       Generate CycloneDX SBOM
 npm-scan report -i <id> --sbom spdx  Generate SPDX SBOM
 npm-scan report -i <id> --html       Generate HTML report (with NIST table)
+npm-scan report -i <id> --nist       Print NIST 800-161 compliance table
+npm-scan report -i <id> --cra        Print EU CRA compliance table
+npm-scan report -i <id> --siem cef   Generate SIEM CEF output (premium)
 npm-scan report --html               Generate HTML report for all scans
+npm-scan report --nist               Print NIST compliance for all scans
+npm-scan report --cra                Print EU CRA compliance for all scans (premium)
+npm-scan report --siem cef           Generate SIEM for all scans (premium)
 ```
 
 ## Architecture
 
 ```
 cli/          Commander.js CLI entrypoint
-backend/      Detectors, fetch, SQLite db, SBOM, report
+backend/      Detectors, fetch, SQLite db, SBOM, report, license, SIEM, CRA
+api/          FastAPI REST API + webhooks (premium)
 docker/       Multi-arch Docker images + compose
+deploy/       Kubernetes Helm chart (premium)
 docs/         Project plan, attack taxonomy (ATK), sandbox threat model
-tests/        Corpus: 5 clean + 30 malicious packages
+tests/        Corpus: 5 clean + 33 malicious packages
 ```
 
 ## Detectors (ATK Taxonomy)
@@ -65,6 +79,8 @@ tests/        Corpus: 5 clean + 30 malicious packages
 | ATK-008 | Tarball tampering (published ≠ source)      | high     |
 | ATK-009 | Conditional/dormant triggers (CI, time)     | high     |
 | ATK-010 | Sandbox evasion / anti-analysis             | medium   |
+| ATK-011 | Transitive propagation (worm)               | high     |
+| ATK-011 | Transitive propagation (worm)               | high     |
 
 See `docs/attack-taxonomy.md` for full NIST 800-161 mappings, evasion surfaces, and PoC examples.
 
@@ -73,8 +89,8 @@ See `docs/attack-taxonomy.md` for full NIST 800-161 mappings, evasion surfaces,
 ```bash
 npm install
 npm run dev          # CLI stub
-npm run test         # Unit tests (13)
-npm run corpus       # False-positive corpus test (30 malicious, 5 clean)
+npm run test         # Unit tests (14)
+npm run corpus       # False-positive corpus test (33 malicious, 5 clean)
 ```
 
 ## License

package/api/README.md

@@ -0,0 +1,32 @@
+# npm-scan REST API
+
+FastAPI-based REST API for hosted/team tier. Requires premium or enterprise license.
+
+## Quick Start
+
+```bash
+pip install -r api/requirements.txt
+python -m api.main
+```
+
+## Endpoints
+
+| Method | Path | Description |
+|--------|------|-------------|
+| POST | /api/v1/scan | Submit a package for scanning |
+| GET | /api/v1/scans | List recent scans |
+| GET | /api/v1/scans/{id} | Get scan details |
+| GET | /api/v1/scans/{id}/findings | Get findings for a scan |
+| GET | /api/v1/scans/{id}/report | Generate report |
+| POST | /api/v1/webhooks | Register a webhook |
+| GET | /api/v1/webhooks | List webhooks |
+| DELETE | /api/v1/webhooks/{id} | Delete a webhook |
+| POST | /api/v1/auth/login | Login |
+| POST | /api/v1/auth/register | Register |
+| GET | /api/v1/health | Health check |
+
+## Authentication
+
+All endpoints except `/api/v1/health`, `/api/v1/auth/login`, and `/api/v1/auth/register` require an API key or session token.
+
+Pass as header: `Authorization: Bearer <api_key>`

package/api/main.py

@@ -0,0 +1,43 @@
+"""
+npm-scan REST API — FastAPI application.
+Requires premium/enterprise license key for all endpoints.
+"""
+
+from fastapi import FastAPI, Depends, HTTPException, status
+from fastapi.middleware.cors import CORSMiddleware
+import os
+
+from .routers import scans, webhooks, auth, health
+
+app = FastAPI(
+    title="npm-scan API",
+    version=os.environ.get("npm_package_version", "0.5.0"),
+    description="npm supply chain security scanner — REST API",
+)
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+app.include_router(health.router, prefix="/api/v1", tags=["health"])
+app.include_router(auth.router, prefix="/api/v1/auth", tags=["auth"])
+app.include_router(scans.router, prefix="/api/v1", tags=["scans"])
+app.include_router(webhooks.router, prefix="/api/v1", tags=["webhooks"])
+
+
+def main():
+    import uvicorn
+    uvicorn.run(
+        "api.main:app",
+        host=os.environ.get("API_HOST", "0.0.0.0"),
+        port=int(os.environ.get("API_PORT", "8000")),
+        reload=os.environ.get("API_RELOAD", "false").lower() == "true",
+    )
+
+
+if __name__ == "__main__":
+    main()

package/api/requirements.txt

@@ -0,0 +1,7 @@
+fastapi>=0.115.0
+uvicorn[standard]>=0.32.0
+psycopg2-binary>=2.9.10
+python-jose[cryptography]>=3.3.0
+passlib[bcrypt]>=1.7.4
+httpx>=0.28.0
+pydantic>=2.10.0

package/api/routers/auth.py

@@ -0,0 +1,35 @@
+"""Authentication endpoints — login, register, API key management."""
+
+from fastapi import APIRouter, HTTPException, Depends
+from pydantic import BaseModel, EmailStr
+from typing import Optional
+import os
+
+router = APIRouter()
+
+
+class RegisterRequest(BaseModel):
+    email: EmailStr
+    name: str
+    password: str
+    team_name: Optional[str] = None
+
+
+class LoginRequest(BaseModel):
+    email: EmailStr
+    password: str
+
+
+class TokenResponse(BaseModel):
+    access_token: str
+    token_type: str = "bearer"
+
+
+@router.post("/register", response_model=TokenResponse)
+async def register(req: RegisterRequest):
+    raise HTTPException(status_code=501, detail="Registration requires PostgreSQL backend — not yet connected")
+
+
+@router.post("/login", response_model=TokenResponse)
+async def login(req: LoginRequest):
+    raise HTTPException(status_code=501, detail="Login requires PostgreSQL backend — not yet connected")

package/api/routers/health.py

@@ -0,0 +1,10 @@
+"""Health check endpoint."""
+
+from fastapi import APIRouter
+
+router = APIRouter()
+
+
+@router.get("/health")
+async def health_check():
+    return {"status": "ok", "version": "0.5.0"}

package/api/routers/scans.py

@@ -0,0 +1,66 @@
+"""Scan endpoints — submit, list, retrieve scans and findings."""
+
+from fastapi import APIRouter, HTTPException, Query
+from pydantic import BaseModel
+from typing import Optional, List
+from datetime import datetime
+
+router = APIRouter()
+
+
+class ScanRequest(BaseModel):
+    package_name: str
+    version: Optional[str] = "latest"
+
+
+class Finding(BaseModel):
+    atk_id: str
+    severity: str
+    title: Optional[str] = None
+    description: Optional[str] = None
+    evidence: Optional[str] = None
+
+
+class Scan(BaseModel):
+    id: str
+    package_name: str
+    version: str
+    status: str
+    scanned_at: datetime
+    findings: List[Finding] = []
+
+
+SCANS_DB: list[Scan] = []
+
+
+@router.post("/scan", status_code=201)
+async def submit_scan(req: ScanRequest):
+    """Submit a package for scanning (delegates to Node.js CLI)."""
+    raise HTTPException(
+        status_code=501,
+        detail="Scan execution requires async worker — use `npm-scan scan <package>` via CLI"
+    )
+
+
+@router.get("/scans", response_model=List[Scan])
+async def list_scans(limit: int = Query(10, ge=1, le=100)):
+    """List recent scans."""
+    return SCANS_DB[-limit:][::-1]
+
+
+@router.get("/scans/{scan_id}")
+async def get_scan(scan_id: str):
+    """Get scan details by ID."""
+    for scan in SCANS_DB:
+        if scan.id == scan_id:
+            return scan
+    raise HTTPException(status_code=404, detail=f"Scan {scan_id} not found")
+
+
+@router.get("/scans/{scan_id}/findings")
+async def get_findings(scan_id: str):
+    """Get findings for a specific scan."""
+    for scan in SCANS_DB:
+        if scan.id == scan_id:
+            return scan.findings
+    raise HTTPException(status_code=404, detail=f"Scan {scan_id} not found")

package/api/routers/webhooks.py

@@ -0,0 +1,78 @@
+"""Webhook endpoints — register, list, delete webhooks."""
+
+from fastapi import APIRouter, HTTPException
+from pydantic import BaseModel, HttpUrl
+from typing import List, Optional
+from datetime import datetime
+import hashlib
+import hmac
+import json
+import os
+
+router = APIRouter()
+
+
+class WebhookCreate(BaseModel):
+    url: HttpUrl
+    events: List[str] = ["scan.completed", "finding.critical"]
+
+
+class Webhook(BaseModel):
+    id: str
+    url: str
+    events: List[str]
+    active: bool = True
+    secret: Optional[str] = None
+    created_at: datetime
+
+
+HOOKS_DB: list[Webhook] = []
+
+
+@router.post("/webhooks", status_code=201)
+async def create_webhook(hook: WebhookCreate):
+    """Register a new webhook endpoint."""
+    wh = Webhook(
+        id=hash(str(hook.url) + str(datetime.now())),
+        url=str(hook.url),
+        events=list(set(hook.events)),
+        secret=os.urandom(16).hex(),
+        created_at=datetime.now(),
+    )
+    HOOKS_DB.append(wh)
+    return wh
+
+
+@router.get("/webhooks")
+async def list_webhooks():
+    """List all registered webhooks."""
+    return HOOKS_DB
+
+
+@router.delete("/webhooks/{hook_id}")
+async def delete_webhook(hook_id: str):
+    """Delete a webhook by ID."""
+    for i, wh in enumerate(HOOKS_DB):
+        if wh.id == hook_id:
+            HOOKS_DB.pop(i)
+            return {"deleted": hook_id}
+    raise HTTPException(status_code=404, detail="Webhook not found")
+
+
+async def dispatch_webhooks(event: str, payload: dict):
+    """Dispatch an event to all subscribed webhooks (called by worker)."""
+    import httpx
+
+    for wh in HOOKS_DB:
+        if not wh.active or event not in wh.events:
+            continue
+        body = json.dumps({"event": event, "payload": payload, "timestamp": datetime.now().isoformat()})
+        sig = hmac.new(wh.secret.encode(), body.encode(), hashlib.sha256).hexdigest()
+        async with httpx.AsyncClient() as client:
+            try:
+                await client.post(wh.url, content=body, headers={
+                    "Content-Type": "application/json",
+                    "X-Webhook-Signature": sig,
+                })
+            except Exception:
+                pass  # log failure in production

package/backend/db/pg-schema.sql

@@ -0,0 +1,155 @@
+-- PostgreSQL schema for hosted/team tier (premium)
+-- Extends the SQLite schema with teams, users, RBAC, audit logs, webhooks
+
+-- Extensions
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- Teams / Organizations
+CREATE TABLE IF NOT EXISTS teams (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  name TEXT NOT NULL,
+  slug TEXT UNIQUE NOT NULL,
+  license_edition TEXT NOT NULL DEFAULT 'community',
+  license_key TEXT,
+  license_expires_at TIMESTAMPTZ,
+  max_seats INTEGER NOT NULL DEFAULT 5,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Users
+CREATE TABLE IF NOT EXISTS users (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  email TEXT UNIQUE NOT NULL,
+  name TEXT NOT NULL,
+  password_hash TEXT NOT NULL,
+  team_id UUID REFERENCES teams(id) ON DELETE CASCADE,
+  role TEXT NOT NULL CHECK (role IN ('admin', 'editor', 'viewer')) DEFAULT 'viewer',
+  last_login_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Scans (extends SQLite scans with team ownership)
+CREATE TABLE IF NOT EXISTS scans (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID REFERENCES teams(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+  package_name TEXT NOT NULL,
+  version TEXT,
+  status TEXT NOT NULL DEFAULT 'pending'
+    CHECK (status IN ('pending', 'fetching', 'analyzing', 'completed', 'failed')),
+  sbom_json JSONB,
+  findings_summary JSONB,
+  duration_ms INTEGER,
+  scanned_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Findings
+CREATE TABLE IF NOT EXISTS findings (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  scan_id UUID NOT NULL REFERENCES scans(id) ON DELETE CASCADE,
+  atk_id TEXT NOT NULL,
+  severity TEXT NOT NULL CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
+  title TEXT,
+  description TEXT,
+  evidence TEXT,
+  mitigation TEXT,
+  file_path TEXT,
+  line_number INTEGER
+);
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_scans_team ON scans(team_id);
+CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
+CREATE INDEX IF NOT EXISTS idx_scans_status ON scans(status);
+CREATE INDEX IF NOT EXISTS idx_scans_created ON scans(scanned_at DESC);
+CREATE INDEX IF NOT EXISTS idx_findings_scan ON findings(scan_id);
+CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
+CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);
+CREATE INDEX IF NOT EXISTS idx_users_team ON users(team_id);
+
+-- Audit log
+CREATE TABLE IF NOT EXISTS audit_log (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES users(id) ON DELETE SET NULL,
+  action TEXT NOT NULL,
+  resource_type TEXT NOT NULL,
+  resource_id TEXT,
+  details JSONB,
+  ip_address INET,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_audit_team ON audit_log(team_id, created_at DESC);
+
+-- Webhooks
+CREATE TABLE IF NOT EXISTS webhooks (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+  url TEXT NOT NULL,
+  secret TEXT NOT NULL DEFAULT encode(gen_random_bytes(32), 'hex'),
+  events TEXT[] NOT NULL DEFAULT '{}',
+  active BOOLEAN NOT NULL DEFAULT true,
+  last_triggered_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_webhooks_team ON webhooks(team_id);
+
+-- API keys
+CREATE TABLE IF NOT EXISTS api_keys (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  key_hash TEXT NOT NULL,
+  scopes TEXT[] NOT NULL DEFAULT '{}',
+  last_used_at TIMESTAMPTZ,
+  expires_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_api_keys_team ON api_keys(team_id);
+
+-- Session tokens
+CREATE TABLE IF NOT EXISTS sessions (
+  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  token_hash TEXT NOT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_user ON sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
+
+-- Materialized view: package risk aggregation
+CREATE MATERIALIZED VIEW IF NOT EXISTS package_risk AS
+SELECT
+  s.package_name,
+  s.version,
+  COUNT(DISTINCT f.id) AS finding_count,
+  COUNT(DISTINCT f.id) FILTER (WHERE f.severity IN ('high', 'critical')) AS high_crit_count,
+  ARRAY_AGG(DISTINCT f.atk_id) AS atk_ids,
+  MAX(s.scanned_at) AS last_scanned
+FROM scans s
+JOIN findings f ON f.scan_id = s.id
+WHERE s.status = 'completed'
+GROUP BY s.package_name, s.version;
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_package_risk_pkg ON package_risk(package_name, version);
+
+-- Function: touch updated_at
+CREATE OR REPLACE FUNCTION touch_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.updated_at = NOW();
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trg_teams_updated_at
+  BEFORE UPDATE ON teams
+  FOR EACH ROW EXECUTE FUNCTION touch_updated_at();

package/backend/license.js

@@ -1,13 +1,85 @@
+import { createHmac, timingSafeEqual } from 'crypto';
+
+const HMAC_KEY = process.env.NPM_SCAN_LICENSE_SECRET || 'npm-scan-default-dev-key';
+
+const FEATURE_TIERS = {
+  community: [],
+  premium: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm'],
+  enterprise: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm', 'sso', 'audit-logs', 'pg-backend', 'kubernetes'],
+};
+
+const ALL_FEATURES = Object.values(FEATURE_TIERS).flat();
+const ALLOWED_UNLOCKED = ['sbom', 'nist-html', 'html-report', 'sqlite'];
+
+function generateSignature(payload) {
+  return createHmac('sha256', HMAC_KEY).update(JSON.stringify(payload)).digest('hex');
+}
+
+export function generateKey(edition, options = {}) {
+  const payload = {
+    edition,
+    issued: new Date().toISOString(),
+    exp: options.expiresAt || null,
+    seats: options.seats || 1,
+    org: options.org || null,
+  };
+  const sig = generateSignature(payload);
+  const encoded = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  return `npm-scan-${edition}-${encoded}.${sig}`;
+}
+
 export function validateLicense(key, feature = '*') {
-  if (!key || !key.startsWith('npm-scan-premium-')) {
-    throw new Error(`Invalid license for feature: ${feature}`);
+  if (!key) {
+    throw new Error('No license key provided');
+  }
+
+  if (feature === 'scan' || ALLOWED_UNLOCKED.includes(feature)) {
+    return { edition: 'community', features: ALL_FEATURES };
+  }
+
+  const parts = key.split('-');
+  if (parts.length < 4 || !key.includes('.')) {
+    throw new Error('Invalid license key format');
+  }
+
+  const edition = parts[2];
+  const encodedPayload = parts.slice(3).join('-').split('.')[0];
+  const sig = key.split('.')[1];
+
+  let payload;
+  try {
+    payload = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8'));
+  } catch {
+    throw new Error('Invalid license key payload');
   }
-  return true;
+
+  const expectedSig = generateSignature(payload);
+  const sigBuf = Buffer.from(sig, 'hex');
+  const expectedBuf = Buffer.from(expectedSig, 'hex');
+  if (sigBuf.length !== expectedBuf.length || !timingSafeEqual(sigBuf, expectedBuf)) {
+    throw new Error('Invalid license key signature');
+  }
+
+  if (payload.exp && new Date(payload.exp) < new Date()) {
+    throw new Error('License key expired');
+  }
+
+  const allowed = FEATURE_TIERS[edition];
+  if (!allowed) {
+    throw new Error(`Unknown license edition: ${edition}`);
+  }
+
+  if (feature !== '*' && !allowed.includes(feature) && !ALLOWED_UNLOCKED.includes(feature)) {
+    throw new Error(`Feature "${feature}" requires ${edition === 'community' ? 'premium' : 'enterprise'} license`);
+  }
+
+  return { edition, features: allowed, ...payload };
 }
 
 export function isFeatureEnabled(feature, licenseKey = process.env.NPM_SCAN_LICENSE_KEY) {
   try {
-    return validateLicense(licenseKey, feature);
+    validateLicense(licenseKey, feature);
+    return true;
   } catch {
     return false;
   }

package/cli/cli.js

@@ -1,11 +1,21 @@
 #!/usr/bin/env node
 
 import { Command } from 'commander';
+import { isFeatureEnabled, generateKey } from '../backend/license.js';
+
+function requirePremium(feature, licenseKey) {
+  if (!isFeatureEnabled(feature, licenseKey)) {
+    console.error(`Error: "${feature}" requires a premium license key.`);
+    console.error(`  Pass --license-key <key> or set NPM_SCAN_LICENSE_KEY env var.`);
+    console.error(`  Generate a dev key: require('@lateos/npm-scan/backend/license').generateKey('premium')`);
+    process.exit(1);
+  }
+}
 
 const program = new Command()
   .name('npm-scan')
   .description('npm supply chain security scanner')
-  .version('0.4.0');
+  .version('0.5.0');
 
 program
   .command('scan')
@@ -47,13 +57,15 @@ program
   .description('Generate report')
   .option('-i, --id <id>', 'Scan ID')
   .option('--sbom [format]', 'SBOM format (json/xml/spdx)')
-.option('--html', 'HTML report')
+  .option('--html', 'HTML report')
   .option('--nist', 'NIST 800-161 compliance report')
   .option('--cra', 'EU CRA compliance report')
   .option('--siem <format>', 'SIEM format (cef)')
   .option('-l, --license-key <key>', 'Premium license')
   .action(async (options) => {
+    const licenseKey = options.licenseKey || process.env.NPM_SCAN_LICENSE_KEY;
     const { getRecentScans, getFindings, getScan } = await import('../backend/db.js');
+
     if (options.id) {
       const findings = getFindings(options.id);
       const scanInfo = getScan(options.id);
@@ -61,16 +73,19 @@ program
       const pkgVer = scanInfo?.version || 'unknown';
       const pkg = { name: pkgName, version: pkgVer };
       const scan = findings.length ? { package_name: pkgName, version: pkgVer, findings } : null;
-      if (options.sbom) {
-        const { generateSBOM } = await import('../backend/sbom.js');
-        const sbom = generateSBOM(pkg, findings, options.sbom === true ? 'json' : options.sbom);
-        console.log(sbom);
-      } else if (options.siem) {
+
+      if (options.siem) {
+        requirePremium('siem', licenseKey);
         const { generateSIEM } = await import('../backend/siem/index.js');
         console.log(generateSIEM(scan ? [scan] : [], options.siem));
       } else if (options.cra) {
+        requirePremium('cra', licenseKey);
         const { generateCRA } = await import('../backend/cra.js');
         console.log(generateCRA(scan ? [scan] : []));
+      } else if (options.sbom) {
+        const { generateSBOM } = await import('../backend/sbom.js');
+        const sbom = generateSBOM(pkg, findings, options.sbom === true ? 'json' : options.sbom);
+        console.log(sbom);
       } else if (options.html || options.nist) {
         const { generateHTML } = await import('../backend/report.js');
         const html = generateHTML(scan ? [scan] : []);
@@ -81,10 +96,13 @@ program
     } else {
       const scans = getRecentScans();
       const scansWithFindings = scans.map(s => ({ ...s, findings: getFindings(s.id) }));
-if (options.siem) {
+
+      if (options.siem) {
+        requirePremium('siem', licenseKey);
         const { generateSIEM } = await import('../backend/siem/index.js');
         console.log(generateSIEM(scansWithFindings, options.siem));
       } else if (options.cra) {
+        requirePremium('cra', licenseKey);
         const { generateCRA } = await import('../backend/cra.js');
         console.log(generateCRA(scansWithFindings));
       } else if (options.html || options.nist) {

package/deploy/helm/npm-scan/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: npm-scan
+description: npm supply chain security scanner — Helm chart for Kubernetes deployment
+type: application
+version: 0.5.0
+appVersion: "0.5.0"
+keywords:
+  - npm
+  - security
+  - supply-chain
+  - scanner
+sources:
+  - https://github.com/YOUR_GITHUB_USERNAME/npm-scan
+maintainers:
+  - name: Lateos
+    email: hello@lateos.ai

package/deploy/helm/npm-scan/templates/_helpers.tpl

@@ -0,0 +1,9 @@
+{{- define "npm-scan.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "npm-scan.labels" -}}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}

package/deploy/helm/npm-scan/templates/api.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "npm-scan.name" . }}-api
+  labels:
+    app: {{ include "npm-scan.name" . }}-api
+    {{- include "npm-scan.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.api.replicas }}
+  selector:
+    matchLabels:
+      app: {{ include "npm-scan.name" . }}-api
+  template:
+    metadata:
+      labels:
+        app: {{ include "npm-scan.name" . }}-api
+    spec:
+      containers:
+        - name: api
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["python", "-m", "api.main"]
+          ports:
+            - containerPort: {{ .Values.api.port }}
+          env:
+            - name: API_PORT
+              value: "{{ .Values.api.port }}"
+            - name: API_HOST
+              value: "{{ .Values.api.host }}"
+            - name: NPM_SCAN_LICENSE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "npm-scan.name" . }}-license
+                  key: key
+                  optional: true
+            {{- if .Values.postgresql.enabled }}
+            - name: PG_HOST
+              value: "{{ .Values.postgresql.host }}"
+            - name: PG_PORT
+              value: "{{ .Values.postgresql.port }}"
+            - name: PG_DATABASE
+              value: "{{ .Values.postgresql.database }}"
+            - name: PG_USERNAME
+              value: "{{ .Values.postgresql.username }}"
+            - name: PG_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.postgresql.existingSecret | default (printf "%s-pg" (include "npm-scan.name" .)) }}
+                  key: password
+                  optional: true
+            {{- end }}
+          resources: {{- toYaml .Values.api.resources | nindent 12 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "npm-scan.name" . }}-api
+  labels:
+    app: {{ include "npm-scan.name" . }}-api
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: {{ .Values.api.port }}
+  selector:
+    app: {{ include "npm-scan.name" . }}-api

package/deploy/helm/npm-scan/templates/ingress.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "npm-scan.name" . }}
+  labels: {{- include "npm-scan.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "npm-scan.name" . }}-api
+                port:
+                  number: {{ .Values.service.port }}
+  {{- with .Values.ingress.tls }}
+  tls: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

package/deploy/helm/npm-scan/templates/postgresql.yaml

@@ -0,0 +1,67 @@
+{{- if .Values.postgresql.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "npm-scan.name" . }}-postgresql
+  labels:
+    app: {{ include "npm-scan.name" . }}-postgresql
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "npm-scan.name" . }}-postgresql
+  template:
+    metadata:
+      labels:
+        app: {{ include "npm-scan.name" . }}-postgresql
+    spec:
+      containers:
+        - name: postgresql
+          image: postgres:16-alpine
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_DB
+              value: "{{ .Values.postgresql.database }}"
+            - name: POSTGRES_USER
+              value: "{{ .Values.postgresql.username }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "npm-scan.name" . }}-pg
+                  key: password
+          {{- if .Values.persistence.enabled }}
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ include "npm-scan.name" . }}-pg
+          {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "npm-scan.name" . }}-postgresql
+spec:
+  ports:
+    - port: 5432
+  selector:
+    app: {{ include "npm-scan.name" . }}-postgresql
+---
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "npm-scan.name" . }}-pg
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+  {{- with .Values.persistence.storageClass }}
+  storageClassName: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end }}

package/deploy/helm/npm-scan/templates/secrets.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "npm-scan.name" . }}-license
+  labels: {{- include "npm-scan.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  key: "{{ .Values.license.key }}"
+---
+{{- if not .Values.postgresql.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "npm-scan.name" . }}-pg
+  labels: {{- include "npm-scan.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  password: "{{ .Values.postgresql.password }}"
+{{- end }}

package/deploy/helm/npm-scan/templates/worker.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.worker.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "npm-scan.name" . }}-worker
+  labels:
+    app: {{ include "npm-scan.name" . }}-worker
+    {{- include "npm-scan.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.worker.replicas }}
+  selector:
+    matchLabels:
+      app: {{ include "npm-scan.name" . }}-worker
+  template:
+    metadata:
+      labels:
+        app: {{ include "npm-scan.name" . }}-worker
+    spec:
+      containers:
+        - name: worker
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["node", "cli/cli.js"]
+          env:
+            - name: NPM_SCAN_LICENSE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "npm-scan.name" . }}-license
+                  key: key
+                  optional: true
+          resources: {{- toYaml .Values.worker.resources | nindent 12 }}
+{{- end }}

package/deploy/helm/npm-scan/values.yaml

@@ -0,0 +1,73 @@
+# Helm values for npm-scan
+# Override per environment: helm install -f values-prod.yaml
+
+image:
+  repository: ghcr.io/lateos/npm-scan
+  tag: latest
+  pullPolicy: Always
+
+replicaCount: 1
+
+license:
+  # --license-key or NPM_SCAN_LICENSE_KEY env var
+  key: ""
+  secret: ""
+
+postgresql:
+  enabled: true
+  host: ""
+  port: 5432
+  database: npm_scan
+  username: npm_scan
+  password: ""
+  existingSecret: ""
+
+api:
+  enabled: true
+  port: 8000
+  host: 0.0.0.0
+  replicas: 1
+  corsOrigins: ["*"]
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
+worker:
+  enabled: true
+  replicas: 2
+  resources:
+    requests:
+      cpu: 200m
+      memory: 256Mi
+    limits:
+      cpu: 1
+      memory: 1Gi
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  host: npm-scan.example.com
+  tls: []
+
+service:
+  type: ClusterIP
+  port: 80
+
+persistence:
+  enabled: true
+  size: 10Gi
+  storageClass: ""
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+redis:
+  enabled: false
+  host: ""
+  port: 6379

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Powerful npm supply chain security scanner - detects malicious packages (Shai-Hulud style), behavioral analysis, SBOM, and compliance reporting.",
   "main": "backend/index.js",
   "bin": {