@lateos/npm-scan 0.7.6 → 0.8.0

package/backend/pdf.js

@@ -0,0 +1,245 @@
+import { PDFDocument, StandardFonts, rgb } from 'pdf-lib';
+
+const SEV_ORDER = ['critical', 'high', 'medium', 'low'];
+const SEV_COLORS = { critical: rgb(0.8, 0.2, 0.2), high: rgb(0.75, 0.15, 0.15), medium: rgb(0.9, 0.5, 0.1), low: rgb(0.8, 0.7, 0.1) };
+
+const NIST_SR_MAP = {
+  'ATK-001': { control: 'SR-3.1', title: 'Malicious code detection' },
+  'ATK-002': { control: 'SR-4.2', title: 'Code obfuscation analysis' },
+  'ATK-003': { control: 'SR-5.3', title: 'Credential protection' },
+  'ATK-004': { control: 'SR-6.4', title: 'Persistence monitoring' },
+  'ATK-005': { control: 'SR-7.5', title: 'Data exfiltration prevention' },
+  'ATK-006': { control: 'SR-2.2', title: 'Dependency validation' },
+  'ATK-007': { control: 'SR-2.1', title: 'Typosquatting prevention' },
+  'ATK-008': { control: 'SR-8.1', title: 'Integrity verification' },
+  'ATK-009': { control: 'SR-9.2', title: 'Conditional behavior analysis' },
+  'ATK-010': { control: 'SR-10.3', title: 'Anti-evasion detection' },
+  'ATK-011': { control: 'SR-11.4', title: 'Supply chain propagation monitoring' },
+};
+
+const MARGIN = 50;
+const PAGE_W = 612;
+const PAGE_H = 792;
+const CONTENT_W = PAGE_W - MARGIN * 2;
+
+function wrapText(text, font, size, maxWidth) {
+  const words = text.split(' ');
+  const lines = [];
+  let current = '';
+  for (const word of words) {
+    const test = current ? current + ' ' + word : word;
+    if (font.widthOfTextAtSize(test, size) > maxWidth) {
+      if (current) lines.push(current);
+      current = word;
+    } else {
+      current = test;
+    }
+  }
+  if (current) lines.push(current);
+  return lines;
+}
+
+function drawTableRow(page, font, columns, y, colWidths, fontSize, isHeader) {
+  let x = MARGIN;
+  const rowH = fontSize + 6;
+  for (let i = 0; i < columns.length; i++) {
+    const text = columns[i];
+    const lines = wrapText(text, font, fontSize, colWidths[i] - 4);
+    for (let j = 0; j < lines.length; j++) {
+      page.drawText(lines[j], { x: x + 2, y: y - (j * fontSize) - 2, size: fontSize, font, color: rgb(0, 0, 0) });
+    }
+    x += colWidths[i];
+  }
+  return y - rowH;
+}
+
+function drawPageHeader(page, font, text, y) {
+  page.drawText(text, { x: MARGIN, y, size: 14, font, color: rgb(0.2, 0.2, 0.2) });
+  page.drawLine({ start: { x: MARGIN, y: y - 4 }, end: { x: PAGE_W - MARGIN, y: y - 4 }, thickness: 1, color: rgb(0.7, 0.7, 0.7) });
+  return y - 20;
+}
+
+export async function generatePDF(scans) {
+  const doc = await PDFDocument.create();
+  const font = await doc.embedFont(StandardFonts.Helvetica);
+  const boldFont = await doc.embedFont(StandardFonts.HelveticaBold);
+  const version = process.env.npm_package_version || '0.0.0';
+
+  const sevCounts = { critical: 0, high: 0, medium: 0, low: 0 };
+  let totalFindings = 0;
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      if (sevCounts[f.severity] !== undefined) sevCounts[f.severity]++;
+      totalFindings++;
+    }
+  }
+
+  // ─── Page 1: Title ──────────────────────────────────────────────────
+  let page = doc.addPage([PAGE_W, PAGE_H]);
+  let y = PAGE_H - MARGIN;
+
+  page.drawText('npm-scan Report', { x: MARGIN, y, size: 24, font: boldFont, color: rgb(0, 0, 0) });
+  y -= 30;
+  page.drawText(`Generated: ${new Date().toISOString()}`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+  y -= 14;
+  page.drawText(`Version: ${version}  |  Packages scanned: ${scans.length}  |  Total findings: ${totalFindings}`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+  y -= 30;
+
+  // Severity summary
+  page.drawText('Severity Summary', { x: MARGIN, y, size: 14, font: boldFont, color: rgb(0, 0, 0) });
+  y -= 20;
+
+  for (const sev of SEV_ORDER) {
+    const count = sevCounts[sev] || 0;
+    const color = SEV_COLORS[sev] || rgb(0, 0, 0);
+    page.drawCircle({ x: MARGIN + 6, y: y - 4, size: 4, color });
+    page.drawText(`${sev}: ${count}`, { x: MARGIN + 16, y: y - 8, size: 11, font, color: rgb(0, 0, 0) });
+    y -= 18;
+  }
+
+  y -= 20;
+
+  // Per-package summary
+  for (const s of scans) {
+    const findings = s.findings || [];
+    if (y < MARGIN + 60) { page = doc.addPage([PAGE_W, PAGE_H]); y = PAGE_H - MARGIN; }
+
+    page.drawText(`${s.package_name}@${s.version || 'unknown'}`, { x: MARGIN, y, size: 12, font: boldFont, color: rgb(0, 0, 0) });
+    y -= 16;
+    page.drawText(`  ${findings.length} findings`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+    y -= 14;
+
+    for (const f of findings) {
+      if (y < MARGIN + 20) { page = doc.addPage([PAGE_W, PAGE_H]); y = PAGE_H - MARGIN; }
+      const sevColor = SEV_COLORS[f.severity] || rgb(0, 0, 0);
+      page.drawCircle({ x: MARGIN + 3, y: y + 2, size: 3, color: sevColor });
+      const line = `${f.atk_id || f.id}  ${f.severity}  ${(f.description || f.title || '').slice(0, 70)}`;
+      page.drawText(line, { x: MARGIN + 12, y, size: 9, font, color: rgb(0.1, 0.1, 0.1) });
+      y -= 13;
+    }
+  }
+
+  // ─── Page: Findings Table ───────────────────────────────────────────
+  page = doc.addPage([PAGE_W, PAGE_H]);
+  y = PAGE_H - MARGIN;
+  y = drawPageHeader(page, boldFont, 'All Findings', y);
+  y -= 6;
+
+  const colWidths = [60, 55, 140, CONTENT_W - 255];
+  const headers = ['ATK ID', 'Severity', 'Title', 'Evidence'];
+
+  // Draw header
+  let x = MARGIN;
+  for (let i = 0; i < headers.length; i++) {
+    page.drawText(headers[i], { x: x + 2, y, size: 10, font: boldFont, color: rgb(0, 0, 0) });
+    x += colWidths[i];
+  }
+  y -= 16;
+
+  lineLoop: for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      if (y < MARGIN + 20) {
+        page = doc.addPage([PAGE_W, PAGE_H]);
+        y = PAGE_H - MARGIN;
+        y = drawPageHeader(page, boldFont, 'All Findings (continued)', y);
+        y -= 6;
+      }
+
+      const rowData = [
+        f.atk_id || f.id || '',
+        f.severity || '',
+        (f.title || '').slice(0, 30),
+        (f.evidence || '').slice(0, 60),
+      ];
+
+      let rowY = y;
+      let maxLines = 1;
+      for (let i = 0; i < rowData.length; i++) {
+        const lines = wrapText(rowData[i], font, 9, colWidths[i] - 4);
+        if (lines.length > maxLines) maxLines = lines.length;
+      }
+
+      if (y - (maxLines * 11) < MARGIN) {
+        page = doc.addPage([PAGE_W, PAGE_H]);
+        y = PAGE_H - MARGIN;
+        y = drawPageHeader(page, boldFont, 'All Findings (continued)', y);
+        y -= 6;
+        rowY = y;
+      }
+
+      x = MARGIN;
+      for (let i = 0; i < rowData.length; i++) {
+        const lines = wrapText(rowData[i], font, 9, colWidths[i] - 4);
+        for (let j = 0; j < lines.length; j++) {
+          const color = i === 1 && SEV_COLORS[f.severity] ? SEV_COLORS[f.severity] : rgb(0, 0, 0);
+          page.drawText(lines[j], { x: x + 2, y: rowY - (j * 11) - 2, size: 9, font, color });
+        }
+        x += colWidths[i];
+      }
+
+      const lineY = rowY + 2;
+      page.drawLine({ start: { x: MARGIN, y: lineY }, end: { x: PAGE_W - MARGIN, y: lineY }, thickness: 0.5, color: rgb(0.85, 0.85, 0.85) });
+      y = rowY - (maxLines * 11) - 4;
+    }
+  }
+
+  // ─── Page: NIST 800-161 Compliance Matrix ───────────────────────────
+  page = doc.addPage([PAGE_W, PAGE_H]);
+  y = PAGE_H - MARGIN;
+  y = drawPageHeader(page, boldFont, 'NIST SP 800-161 Compliance Summary', y);
+  y -= 6;
+
+  const nistColWidths = [70, CONTENT_W - 180, 110];
+  const nistHeaders = ['Control', 'Control Title', 'Status'];
+  x = MARGIN;
+  for (let i = 0; i < nistHeaders.length; i++) {
+    page.drawText(nistHeaders[i], { x: x + 2, y, size: 10, font: boldFont, color: rgb(0, 0, 0) });
+    x += nistColWidths[i];
+  }
+  y -= 16;
+
+  const atkMap = {};
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const key = f.atk_id || f.id;
+      if (!atkMap[key]) atkMap[key] = [];
+      atkMap[key].push(f);
+    }
+  }
+
+  for (const [atkId, { control, title }] of Object.entries(NIST_SR_MAP)) {
+    if (y < MARGIN + 20) {
+      page = doc.addPage([PAGE_W, PAGE_H]);
+      y = PAGE_H - MARGIN;
+    }
+
+    const count = (atkMap[atkId] || []).length;
+    const status = count > 0 ? `${count} finding(s)` : 'Pass';
+    const statusColor = count > 0 ? rgb(0.8, 0.2, 0.2) : rgb(0.2, 0.6, 0.2);
+
+    const rowData = [control, title, status];
+    const rowWidths = nistColWidths;
+
+    x = MARGIN;
+    for (let i = 0; i < rowData.length; i++) {
+      const color = i === 2 ? statusColor : rgb(0, 0, 0);
+      const fnt = i === 0 ? boldFont : font;
+      page.drawText(rowData[i], { x: x + 2, y: y - 2, size: 9, font: fnt, color });
+      x += rowWidths[i];
+    }
+
+    page.drawLine({ start: { x: MARGIN, y: y + 4 }, end: { x: PAGE_W - MARGIN, y: y + 4 }, thickness: 0.5, color: rgb(0.85, 0.85, 0.85) });
+    y -= 18;
+  }
+
+  // Footer
+  const pages = doc.getPages();
+  for (const p of pages) {
+    const { width } = p.getSize();
+    p.drawText(`npm-scan v${version} | Apache-2.0 + Commons Clause`, {
+      x: MARGIN, y: 20, size: 8, font, color: rgb(0.6, 0.6, 0.6),
+    });
+  }
+
+  return doc.save();
+}

package/backend/policy.js

@@ -0,0 +1,111 @@
+import { readFileSync } from 'fs';
+import { load as yamlLoad } from 'js-yaml';
+
+const SEVERITY_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
+const VALID_SEVERITIES = new Set(SEVERITY_ORDER);
+
+function severityIndex(s) {
+  return SEVERITY_ORDER.indexOf(s);
+}
+
+function loadPolicy(path) {
+  const raw = readFileSync(path, 'utf8').trim();
+  let policy;
+
+  if (path.endsWith('.json')) {
+    policy = JSON.parse(raw);
+  } else {
+    policy = yamlLoad(raw);
+  }
+
+  if (!policy || typeof policy !== 'object') {
+    throw new Error('Policy file must contain a valid YAML/JSON object');
+  }
+
+  if (policy.severity_overrides) {
+    for (const [atkId, severity] of Object.entries(policy.severity_overrides)) {
+      if (!VALID_SEVERITIES.has(severity)) {
+        throw new Error(`Invalid severity "${severity}" for ${atkId} — must be one of: low, medium, high, critical`);
+      }
+    }
+  }
+
+  if (policy.fail_on && !VALID_SEVERITIES.has(policy.fail_on)) {
+    throw new Error(`Invalid fail_on "${policy.fail_on}" — must be one of: none, low, medium, high, critical`);
+  }
+
+  if (policy.suppress) {
+    if (!Array.isArray(policy.suppress)) {
+      throw new Error('suppress must be an array');
+    }
+    for (const rule of policy.suppress) {
+      if (!rule.atk_id) {
+        throw new Error('Each suppress rule must have an atk_id');
+      }
+    }
+  }
+
+  if (policy.allow) {
+    if (policy.allow.packages && !Array.isArray(policy.allow.packages)) {
+      throw new Error('allow.packages must be an array');
+    }
+  }
+
+  return sanitizePolicy(policy);
+}
+
+function sanitizePolicy(policy) {
+  return {
+    allow: { packages: policy.allow?.packages ?? [] },
+    severity_overrides: policy.severity_overrides ?? {},
+    fail_on: policy.fail_on ?? 'none',
+    suppress: (policy.suppress ?? []).map(r => ({
+      atk_id: r.atk_id,
+      package: r.package || '*',
+      reason: r.reason || '',
+    })),
+  };
+}
+
+function isAllowed(packageName, policy) {
+  if (!policy.allow.packages.length) return false;
+  const nameOnly = packageName.split('@')[0];
+  return policy.allow.packages.some(p => p === packageName || p === nameOnly);
+}
+
+function matchesSuppressRule(finding, pkgName, rule) {
+  if (rule.atk_id !== (finding.atk_id || finding.id)) return false;
+  if (rule.package === '*') return true;
+  return rule.package === pkgName;
+}
+
+function applyPolicy(findings, packageName, policy) {
+  let filtered = [...findings];
+
+  if (policy.suppress.length) {
+    filtered = filtered.filter(f =>
+      !policy.suppress.some(r => matchesSuppressRule(f, packageName, r))
+    );
+  }
+
+  filtered = filtered.map(f => {
+    const override = policy.severity_overrides[f.atk_id || f.id];
+    if (override) {
+      return { ...f, severity: override, _severityOverridden: true };
+    }
+    return f;
+  });
+
+  const blocked = checkFailOn(filtered, policy);
+
+  return { findings: filtered, blocked };
+}
+
+function checkFailOn(findings, policy) {
+  if (policy.fail_on === 'none') return false;
+
+  const threshold = severityIndex(policy.fail_on);
+  return findings.some(f => severityIndex(f.severity) >= threshold);
+}
+
+export { loadPolicy, applyPolicy, isAllowed };

package/backend/report.js

@@ -96,6 +96,51 @@ const NIST_SR_MAP = {
   'ATK-011': { control: 'SR-11.4', title: 'Supply chain propagation monitoring' },
 };
 
+export function generateText(scans) {
+  const lines = [];
+  lines.push('npm-scan Report');
+  lines.push('================');
+  lines.push(`Generated: ${new Date().toISOString()}`);
+  lines.push(`Packages scanned: ${scans.length}`);
+  lines.push('');
+
+  let totalFindings = 0;
+  const sevMap = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
+
+  const sevCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  const sevLabel = ['', 'info', 'low', 'medium', 'high', 'critical'];
+
+  for (const s of scans) {
+    const findings = s.findings || [];
+    totalFindings += findings.length;
+
+    const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
+    const worstLabel = sevLabel[worst] || 'clean';
+
+    lines.push(`${s.package_name}@${s.version || 'unknown'} \u2500\u2500 ${findings.length} findings (worst: ${worstLabel})`);
+
+    for (const f of findings) {
+      const desc = (f.description || f.title || '').slice(0, 80);
+      sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
+      lines.push(`  ${f.atk_id || f.id}  ${f.severity.padEnd(8)} ${desc}`);
+    }
+
+    if (!findings.length) {
+      lines.push(`  (clean \u2014 no findings)`);
+    }
+    lines.push('');
+  }
+
+  lines.push('--- Severity Summary ---');
+  for (const sev of ['critical', 'high', 'medium', 'low']) {
+    lines.push(`  ${sev}: ${sevCounts[sev] || 0}`);
+  }
+  lines.push(`  total: ${totalFindings} findings across ${scans.length} packages`);
+  lines.push('');
+
+  return lines.join('\n');
+}
+
 function generateNistTable(scans) {
   const atkMap = getAtkFindings(scans);
   let rows = '';

package/cli/cli.js

@@ -15,7 +15,7 @@ function requirePremium(feature, licenseKey) {
 const program = new Command()
   .name('npm-scan')
   .description('npm supply chain security scanner')
-  .version('0.5.0');
+  .version('0.8.0');
 
 program
   .command('scan')
@@ -23,24 +23,54 @@ program
   .argument('<target>', 'package name')
   .option('-l, --license-key <key>', 'Premium license')
   .option('--sbom [format]', 'Generate SBOM (json/xml/spdx)')
+  .option('-p, --policy <path>', 'Policy file (YAML/JSON)')
   .action(async (target, options) => {
     try {
+      const policy = options.policy
+        ? await import('../backend/policy.js').then(m => m.loadPolicy(options.policy))
+        : null;
+
+      if (policy) {
+        const { isAllowed } = await import('../backend/policy.js');
+        if (isAllowed(target, policy)) {
+          console.log(JSON.stringify({ scanId: null, findings: [], skipped: true, reason: `Package '${target}' is in policy allowlist` }));
+          return;
+        }
+      }
+
       const { pkgJson, jsFiles, tmpDir } = await import('../backend/fetch.js').then(m => m.fetchPackage(target));
       const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles));
       const { saveScan } = await import('../backend/db.js');
       const scanId = saveScan(target, 'latest', findings);
 
+      let outputFindings = findings;
+      let blocked = false;
+
+      if (policy) {
+        const { applyPolicy } = await import('../backend/policy.js');
+        const result = applyPolicy(findings, target, policy);
+        outputFindings = result.findings;
+        blocked = result.blocked;
+      }
+
       if (options.sbom) {
         const { generateSBOM } = await import('../backend/sbom.js');
-        const sbom = generateSBOM(pkgJson, findings, options.sbom === true ? 'json' : options.sbom);
+        const pkg = { name: target, version: pkgJson.version || 'latest' };
+        const sbom = generateSBOM(pkg, outputFindings, options.sbom === true ? 'json' : options.sbom);
         console.log(sbom);
       } else {
-        console.log(JSON.stringify({scanId, findings}, null, 2));
+        console.log(JSON.stringify({scanId, findings: outputFindings, blocked}, null, 2));
+      }
+
+      if (blocked) {
+        console.error('Policy: scan blocked due to fail_on threshold');
+        process.exit(1);
       }
 
       import('../backend/fetch.js').then(m => m.cleanup(tmpDir));
     } catch (e) {
       console.error(e.message);
+      process.exit(1);
     }
   });
 
@@ -53,14 +83,17 @@ program
   });
 
 program
-  .command('report')
+.command('report')
   .description('Generate report')
   .option('-i, --id <id>', 'Scan ID')
   .option('--sbom [format]', 'SBOM format (json/xml/spdx)')
   .option('--html', 'HTML report')
+  .option('--text', 'Plain text report')
   .option('--nist', 'NIST 800-161 compliance report')
   .option('--cra', 'EU CRA compliance report')
   .option('--siem <format>', 'SIEM format (cef|ecs|sentinel|qradar)')
+  .option('--pdf', 'PDF report (premium)')
+  .option('-o, --output <path>', 'Output file path')
   .option('-l, --license-key <key>', 'Premium license')
   .action(async (options) => {
     const licenseKey = options.licenseKey || process.env.NPM_SCAN_LICENSE_KEY;
@@ -82,6 +115,16 @@ program
         requirePremium('cra', licenseKey);
         const { generateCRA } = await import('../backend/cra.js');
         console.log(generateCRA(scan ? [scan] : []));
+      } else if (options.pdf) {
+        requirePremium('nist-pdf', licenseKey);
+        const { generatePDF } = await import('../backend/pdf.js');
+        const pdfBytes = await generatePDF(scan ? [scan] : []);
+        const outPath = options.output || `${pkgName}-${options.id}-report.pdf`;
+        await import('fs').then(m => m.writeFileSync(outPath, pdfBytes));
+        console.log(`PDF report written to ${outPath}`);
+      } else if (options.text) {
+        const { generateText } = await import('../backend/report.js');
+        console.log(generateText(scan ? [scan] : []));
       } else if (options.sbom) {
         const { generateSBOM } = await import('../backend/sbom.js');
         const sbom = generateSBOM(pkg, findings, options.sbom === true ? 'json' : options.sbom);
@@ -105,6 +148,17 @@ program
         requirePremium('cra', licenseKey);
         const { generateCRA } = await import('../backend/cra.js');
         console.log(generateCRA(scansWithFindings));
+      } else if (options.pdf) {
+        requirePremium('nist-pdf', licenseKey);
+        const { generatePDF } = await import('../backend/pdf.js');
+        const pdfBytes = await generatePDF(scansWithFindings);
+        const date = new Date().toISOString().slice(0, 10);
+        const outPath = options.output || `npm-scan-report-${date}.pdf`;
+        await import('fs').then(m => m.writeFileSync(outPath, pdfBytes));
+        console.log(`PDF report written to ${outPath}`);
+      } else if (options.text) {
+        const { generateText } = await import('../backend/report.js');
+        console.log(generateText(scansWithFindings));
       } else if (options.html || options.nist) {
         const { generateHTML } = await import('../backend/report.js');
         const html = generateHTML(scansWithFindings);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.7.6",
-  "description": "Powerful npm supply chain security scanner - detects malicious packages (Shai-Hulud style), behavioral analysis, SBOM, and compliance reporting.",
+  "version": "0.8.0",
+    "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
     "npm-scan": "cli/cli.js"
@@ -10,7 +10,7 @@
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
-    "url": "https://github.com/YOUR_GITHUB_USERNAME/npm-scan.git"
+    "url": "https://github.com/lateos/npm-scan.git"
   },
   "keywords": [
     "npm",
@@ -37,7 +37,9 @@
     "better-sqlite3": "^11.10.0",
     "commander": "^14.0.3",
     "glob": "^13.0.6",
+    "js-yaml": "^4.1.1",
     "node-fetch": "^3.3.2",
+    "pdf-lib": "^1.17.1",
     "tar": "^7.5.15"
   }
 }

package/.github/workflows/ci.yml

@@ -1 +0,0 @@
-name: CI\n\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - uses: actions/setup-node@v4\n      with:\n        node-version: '20'\n        cache: 'npm'\n    - run: npm ci\n    - run: npm run lint\n    - run: npm run test\n    - run: npm run build\n    # Self-scan stub\n    - run: echo 'Self-scan: npm run scan package.json' # Phase 1+

package/.github/workflows/scan.yml

@@ -1 +0,0 @@
-name: npm-scan\n\non: [pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - uses: actions/setup-node@v4\n      with:\n        node-version: 20\n    - run: npm ci\n    - run: npx @lateos/npm-scan@latest scan-lockfile\n      # Or: npm-scan scan-lockfile (if global)\n    # Fail PR on high/critical

package/AGENTS.md

@@ -1 +0,0 @@
-# AGENTS.md\n\n## Project\nESM Node.js CLI monorepo for npm-scan supply chain scanner.\n\n## Verification\nNo lint/test deps yet. Scripts stubbed in package.json.\nRun `npm run lint test build`.\n\n## Architecture\n- `cli/`: Commander.js entrypoints (Phase 1)\n- `backend/`: Core logic, license.js, db/schema.sql\n- `docker/`: Multi-arch images (cli, pipeline)\n- `docs/`: project-plan.md, attack-taxonomy.md\n\nFollow project-plan.md phases/ATK.\n\n## Conventions\n- No deps—verify package.json before libs.\n- License: Apache-2.0 + Commons Clause (LICENSING.md).\n- Local git (no remote).\n- Phase 0 complete: foundation stubs ready for Phase 1 detectors.

package/CONTRIBUTING.md

@@ -1 +0,0 @@
-# CONTRIBUTING.md\n\nThank you for contributing to npm-scan!\n\n## Development Workflow\n\n1. Fork repo, create feature branch `feat/atk-xxx-description`.\n2. Run `npm run lint test`.\n3. Update CHANGELOG.md.\n4. PR with self-review.\n\n## New ATK Entry / Detector\n\nATK changes require:\n- PoC malicious package sample.\n- Detection rule/code.\n- False positive analysis (test corpus).\n- NIST 800-161 mapping.\n\nUpdate docs/attack-taxonomy.md; bump version.\n\n## Licensing\n\nSee [LICENSING.md](LICENSING.md). Core Apache-2.0; premium Commons Clause.\n\n## No-Go\n- ML/ telemetry until Phase 4.\n- Secrets/keys in code/PR.\n- Sandbox changes without threat model update.\n\n## Test Corpus\n\nAdd to `tests/corpus/clean/` and `malicious/` for CI.\n\nPRs reviewed in 48h.

package/action.yml

@@ -1,94 +0,0 @@
-name: 'npm-scan'
-description: 'Scan npm dependencies for supply chain threats using npm-scan'
-author: 'Lateos'
-
-inputs:
-  scan-type:
-    description: 'Scan mode: lockfile to scan package-lock.json, package to scan a specific package'
-    default: 'lockfile'
-    required: false
-  package:
-    description: 'Package name to scan (required when scan-type=package)'
-    required: false
-  fail-on:
-    description: 'Fail the workflow on findings at this severity or higher (none, low, medium, high, critical)'
-    default: 'high'
-    required: false
-  license-key:
-    description: 'Premium license key for advanced features'
-    required: false
-  siem-format:
-    description: 'SIEM output format (cef, ecs, sentinel, qradar)'
-    required: false
-  sbom-format:
-    description: 'SBOM output format (json, xml, spdx)'
-    required: false
-
-outputs:
-  findings-count:
-    description: 'Number of findings detected'
-    value: ${{ steps.run.outputs.findings_count }}
-  scan-id:
-    description: 'Scan ID for later reference'
-    value: ${{ steps.run.outputs.scan_id }}
-
-runs:
-  using: 'composite'
-  steps:
-    - uses: actions/setup-node@v4
-      with:
-        node-version: '20'
-
-    - name: Install npm-scan
-      shell: bash
-      run: npm install -g @lateos/npm-scan@latest
-
-    - name: Run npm-scan scan
-      id: run
-      shell: bash
-      env:
-        NPM_SCAN_LICENSE_KEY: ${{ inputs.license-key || '' }}
-      run: |
-        set -euo pipefail
-        if [[ "${{ inputs.scan-type }}" == "package" && -n "${{ inputs.package }}" ]]; then
-          output=$(npm-scan scan "${{ inputs.package }}" 2>&1)
-        else
-          output=$(npm-scan scan-lockfile 2>&1)
-        fi
-        echo "$output"
-
-        # Extract scan ID if present
-        scan_id=$(echo "$output" | grep -oP '"scanId"\s*:\s*"\K[^"]+' || echo "")
-        if [[ -n "$scan_id" ]]; then
-          echo "scan_id=$scan_id" >> "$GITHUB_OUTPUT"
-          # Count findings
-          findings_count=$(echo "$output" | grep -oP '"severity"' | wc -l | tr -d ' ')
-          echo "findings_count=$findings_count" >> "$GITHUB_OUTPUT"
-
-          # Generate additional outputs
-          if [[ -n "${{ inputs.siem-format }}" ]]; then
-            echo "--- SIEM (${{ inputs.siem-format }}) ---"
-            npm-scan report -i "$scan_id" --siem "${{ inputs.siem-format }}" 2>&1 || true
-          fi
-          if [[ -n "${{ inputs.sbom-format }}" ]]; then
-            echo "--- SBOM (${{ inputs.sbom-format }}) ---"
-            npm-scan report -i "$scan_id" --sbom "${{ inputs.sbom-format }}" 2>&1 || true
-          fi
-        fi
-
-    - name: Check severity threshold
-      shell: bash
-      if: ${{ inputs.fail-on != 'none' }}
-      env:
-        FAIL_SEVERITY: ${{ inputs.fail-on }}
-      run: |
-        SEVERITY_ORDER="none low medium high critical"
-        FAIL_IDX=-1
-        for sev in $SEVERITY_ORDER; do
-          FAIL_IDX=$((FAIL_IDX + 1))
-          [[ "$sev" == "$FAIL_SEVERITY" ]] && break
-        done
-        # In a real scan, we'd parse the output for severity levels.
-        # For now, the action logs results and defers to the scan output.
-        echo "Fail-on threshold: $FAIL_SEVERITY (index $FAIL_IDX)"
-        echo "Review the scan output above for any findings at or above this severity."