@secbez-labs/cli 0.1.0

package/dist/index.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/index.js

@@ -0,0 +1,887 @@
+#!/usr/bin/env node
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/check.ts
+import chalk2 from "chalk";
+import ora from "ora";
+
+// src/lib/crawler.ts
+import fs from "fs";
+import path from "path";
+var DEFAULT_IGNORE = [
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  "__pycache__",
+  ".venv",
+  "venv",
+  "vendor",
+  "target",
+  ".idea",
+  ".vscode",
+  "coverage",
+  ".nyc_output",
+  ".turbo",
+  ".cache",
+  "*.min.js",
+  "*.bundle.js",
+  "*.map",
+  "package-lock.json",
+  "pnpm-lock.yaml",
+  "yarn.lock"
+];
+var SUPPORTED_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".py",
+  ".pyi"
+]);
+function detectLanguage(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  const map = {
+    ".ts": "typescript",
+    ".tsx": "typescript",
+    ".js": "javascript",
+    ".jsx": "javascript",
+    ".mjs": "javascript",
+    ".cjs": "javascript",
+    ".py": "python",
+    ".pyi": "python"
+  };
+  return map[ext] || "unknown";
+}
+function loadIgnorePatterns(rootDir) {
+  const patterns = [...DEFAULT_IGNORE];
+  const secbezIgnore = path.join(rootDir, ".secbezignore");
+  if (fs.existsSync(secbezIgnore)) {
+    const lines = fs.readFileSync(secbezIgnore, "utf-8").split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
+    patterns.push(...lines);
+  }
+  const gitIgnore = path.join(rootDir, ".gitignore");
+  if (fs.existsSync(gitIgnore)) {
+    const lines = fs.readFileSync(gitIgnore, "utf-8").split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
+    patterns.push(...lines);
+  }
+  return patterns;
+}
+function shouldIgnore(relativePath, ignorePatterns) {
+  const parts = relativePath.split(path.sep);
+  for (const pattern of ignorePatterns) {
+    if (parts.some((p) => p === pattern)) return true;
+    if (pattern.startsWith("*.")) {
+      const ext = pattern.slice(1);
+      if (relativePath.endsWith(ext)) return true;
+    }
+    if (relativePath === pattern) return true;
+  }
+  return false;
+}
+function crawlDirectory(rootDir, maxFiles = 2e3) {
+  const absRoot = path.resolve(rootDir);
+  const ignorePatterns = loadIgnorePatterns(absRoot);
+  const files = [];
+  function walk(dir) {
+    if (files.length >= maxFiles) return;
+    let entries;
+    try {
+      entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (files.length >= maxFiles) return;
+      const fullPath = path.join(dir, entry.name);
+      const relativePath = path.relative(absRoot, fullPath);
+      if (shouldIgnore(relativePath, ignorePatterns)) continue;
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else if (entry.isFile()) {
+        const ext = path.extname(entry.name).toLowerCase();
+        if (!SUPPORTED_EXTENSIONS.has(ext)) continue;
+        try {
+          const stat = fs.statSync(fullPath);
+          if (stat.size > 1e6) continue;
+          const content = fs.readFileSync(fullPath, "utf-8");
+          files.push({
+            path: fullPath,
+            relativePath,
+            content,
+            language: detectLanguage(fullPath),
+            sizeBytes: stat.size
+          });
+        } catch {
+        }
+      }
+    }
+  }
+  walk(absRoot);
+  return files;
+}
+
+// src/lib/config.ts
+import fs2 from "fs";
+import os from "os";
+import path2 from "path";
+var CONFIG_DIR = path2.join(os.homedir(), ".secbez");
+var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json");
+var DEFAULT_CONFIG = {
+  apiUrl: "https://api.secbez.com",
+  defaultSeverity: "low",
+  defaultFormat: "table"
+};
+function ensureConfigDir() {
+  if (!fs2.existsSync(CONFIG_DIR)) {
+    fs2.mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+}
+function loadConfig() {
+  ensureConfigDir();
+  if (!fs2.existsSync(CONFIG_FILE)) {
+    return { ...DEFAULT_CONFIG };
+  }
+  try {
+    const raw = fs2.readFileSync(CONFIG_FILE, "utf-8");
+    return { ...DEFAULT_CONFIG, ...JSON.parse(raw) };
+  } catch {
+    return { ...DEFAULT_CONFIG };
+  }
+}
+function saveConfig(config) {
+  ensureConfigDir();
+  const existing = loadConfig();
+  const merged = { ...existing, ...config };
+  fs2.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2), {
+    mode: 384
+  });
+}
+function getApiKey() {
+  return process.env.SECBEZ_API_KEY || loadConfig().apiKey;
+}
+function getApiUrl() {
+  return process.env.SECBEZ_API_URL || loadConfig().apiUrl;
+}
+
+// src/lib/scanner.ts
+import crypto from "crypto";
+var RULES = [
+  // --- SQL Injection ---
+  {
+    id: "sqli/string-concat",
+    category: "sqli",
+    severity: "critical",
+    confidence: "high",
+    title: "SQL Injection via string concatenation",
+    message: "SQL query built with string concatenation using user-controlled input. Use parameterized queries instead.",
+    pattern: /(?:query|prepare|exec|execute|raw)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+|['"][^'"]*['"]\s*\.\s*concat)/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-89", "https://owasp.org/Top10/A03_2021-Injection/"]
+  },
+  {
+    id: "sqli/template-literal",
+    category: "sqli",
+    severity: "critical",
+    confidence: "high",
+    title: "SQL Injection via template literal",
+    message: "SQL query uses template literals with embedded expressions. Use parameterized queries.",
+    pattern: /(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN|AND|OR)\s[^;]*\$\{[^}]+\}/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-89"]
+  },
+  {
+    id: "sqli/f-string",
+    category: "sqli",
+    severity: "critical",
+    confidence: "high",
+    title: "SQL Injection via f-string",
+    message: "SQL query uses Python f-string with embedded expressions. Use parameterized queries.",
+    pattern: /(?:execute|executemany|cursor\.execute)\s*\(\s*f['"][^'"]*\{[^}]+\}/gi,
+    languages: ["python"],
+    references: ["CWE-89"]
+  },
+  // --- XSS ---
+  {
+    id: "xss/dangerously-set-html",
+    category: "xss",
+    severity: "high",
+    confidence: "high",
+    title: "Cross-Site Scripting via dangerouslySetInnerHTML",
+    message: "Using dangerouslySetInnerHTML with potentially untrusted content enables XSS attacks.",
+    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-79", "https://owasp.org/Top10/A03_2021-Injection/"]
+  },
+  {
+    id: "xss/innerhtml-assignment",
+    category: "xss",
+    severity: "high",
+    confidence: "medium",
+    title: "Cross-Site Scripting via innerHTML",
+    message: "Direct innerHTML assignment with dynamic content can lead to XSS.",
+    pattern: /\.innerHTML\s*=\s*(?!['"`]<)/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-79"]
+  },
+  {
+    id: "xss/document-write",
+    category: "xss",
+    severity: "high",
+    confidence: "medium",
+    title: "Cross-Site Scripting via document.write",
+    message: "document.write with dynamic content can lead to DOM-based XSS.",
+    pattern: /document\.write(?:ln)?\s*\(/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-79"]
+  },
+  // --- Auth ---
+  {
+    id: "auth/jwt-none-alg",
+    category: "auth",
+    severity: "critical",
+    confidence: "high",
+    title: "JWT algorithm none accepted",
+    message: 'Accepting JWT tokens with algorithm "none" bypasses signature verification entirely.',
+    pattern: /(?:alg(?:orithm)?)\s*===?\s*['"]none['"]/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-345", "CWE-347"]
+  },
+  {
+    id: "auth/hardcoded-secret",
+    category: "secret_leak",
+    severity: "high",
+    confidence: "medium",
+    title: "Hardcoded secret or API key",
+    message: "Secrets hardcoded in source code can be extracted from version control.",
+    pattern: /(?:secret|api_?key|password|token|auth)\s*[:=]\s*['"][a-zA-Z0-9_\-./+]{16,}['"]/gi,
+    languages: ["typescript", "javascript", "python"],
+    references: ["CWE-798"],
+    suppressIf: [/process\.env/, /env\[/, /os\.environ/]
+  },
+  {
+    id: "auth/weak-password-hash",
+    category: "auth",
+    severity: "high",
+    confidence: "high",
+    title: "Weak password hashing algorithm",
+    message: "MD5 or SHA1 should not be used for password hashing. Use bcrypt, scrypt, or argon2.",
+    pattern: /(?:createHash|hashlib\.)\s*\(\s*['"](?:md5|sha1)['"]\s*\).*(?:password|passwd|pwd)/gi,
+    languages: ["typescript", "javascript", "python"],
+    references: ["CWE-328"]
+  },
+  // --- IDOR ---
+  {
+    id: "idor/param-direct-query",
+    category: "idor",
+    severity: "high",
+    confidence: "medium",
+    title: "Potential IDOR \u2014 resource accessed by user-supplied ID without ownership check",
+    message: "Resource fetched using request parameter ID without verifying the resource belongs to the authenticated user.",
+    pattern: /(?:params|query)\.[a-zA-Z]*[Ii]d\b.*(?:findFirst|findUnique|findOne|prepare|query|get)\s*\(/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-639"]
+  },
+  // --- SSRF ---
+  {
+    id: "ssrf/user-controlled-fetch",
+    category: "other",
+    severity: "high",
+    confidence: "medium",
+    title: "Server-Side Request Forgery \u2014 user-controlled URL fetched server-side",
+    message: "A URL from user input is fetched server-side without validation, allowing SSRF attacks.",
+    pattern: /(?:fetch|axios\.(?:get|post)|got|request|http\.get|urllib\.request)\s*\(\s*(?:req\.(?:body|query|params)\.[a-zA-Z_]+|(?:source_)?url|webhook[._]?url)/gi,
+    languages: ["typescript", "javascript", "python"],
+    references: ["CWE-918", "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery/"]
+  },
+  // --- Path Traversal ---
+  {
+    id: "path-traversal/user-path",
+    category: "other",
+    severity: "high",
+    confidence: "medium",
+    title: "Path traversal via user-controlled filename",
+    message: "File path constructed from user input without sanitization can allow reading/writing arbitrary files.",
+    pattern: /path\.(?:join|resolve)\s*\([^)]*(?:req\.(?:params|query|body)\.[a-zA-Z_]+|filename|filePath)/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-22"],
+    suppressIf: [/path\.relative/, /\.startsWith\s*\(/]
+  },
+  // --- CSRF ---
+  {
+    id: "csrf/no-csrf-token",
+    category: "auth",
+    severity: "medium",
+    confidence: "low",
+    title: "Missing CSRF protection on state-changing endpoint",
+    message: "POST/PUT/PATCH/DELETE endpoint does not appear to validate a CSRF token.",
+    pattern: /(?:app|router)\.(?:post|put|patch|delete)\s*\(\s*['"][^'"]+['"]/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-352"],
+    suppressIf: [/csrf/, /csrfToken/, /\_csrf/, /xsrf/]
+  },
+  // --- Race Conditions ---
+  {
+    id: "race/toctou-check-then-update",
+    category: "business_logic",
+    severity: "medium",
+    confidence: "medium",
+    title: "Potential TOCTOU race condition",
+    message: "Value is checked then updated in separate operations without a transaction or atomic operation.",
+    pattern: /(?:if\s*\([^)]*(?:balance|stock|count|uses|quantity|credits?|amount)[^)]*\)[\s\S]{1,200}(?:UPDATE|update|set)\s*\()/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-367"]
+  },
+  // --- Mass Assignment ---
+  {
+    id: "mass-assignment/unfiltered-body",
+    category: "idor",
+    severity: "high",
+    confidence: "medium",
+    title: "Mass assignment \u2014 request body spread directly into database update",
+    message: "User-supplied fields are directly used in a database update without allowlisting, enabling privilege escalation.",
+    pattern: /(?:Object\.entries|Object\.keys|\.\.\.req\.body|\.\.\.body|\.\.\.input|for\s*\(\s*(?:const|let)\s*\[key|updates\s*=\s*req\.body)[\s\S]{0,300}(?:UPDATE|update|set)\s*\(/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-915"]
+  },
+  // --- Eval / Code Injection ---
+  {
+    id: "rce/eval",
+    category: "rce",
+    severity: "critical",
+    confidence: "high",
+    title: "Code injection via eval or Function constructor",
+    message: "Using eval() or new Function() with dynamic input enables remote code execution.",
+    pattern: /(?:eval|new\s+Function)\s*\(\s*(?!['"`])/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-94"]
+  },
+  {
+    id: "rce/exec",
+    category: "rce",
+    severity: "critical",
+    confidence: "medium",
+    title: "Command injection via child_process",
+    message: "Shell command constructed with user input can lead to command injection.",
+    pattern: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*(?:`[^`]*\$\{|[^'"`\s]+\s*\+)/gi,
+    languages: ["typescript", "javascript"],
+    references: ["CWE-78"]
+  },
+  // --- Python-specific ---
+  {
+    id: "rce/python-exec",
+    category: "rce",
+    severity: "critical",
+    confidence: "high",
+    title: "Code injection via exec/eval",
+    message: "Using exec() or eval() with dynamic input enables code execution.",
+    pattern: /(?:exec|eval)\s*\(\s*(?!['"])/gi,
+    languages: ["python"],
+    references: ["CWE-94"]
+  },
+  {
+    id: "rce/python-os-system",
+    category: "rce",
+    severity: "critical",
+    confidence: "medium",
+    title: "Command injection via os.system or subprocess",
+    message: "Shell command with user input can lead to command injection.",
+    pattern: /(?:os\.system|os\.popen|subprocess\.(?:call|run|Popen|check_output))\s*\(\s*(?:f['"]|[^'"`\s]+\s*\+)/gi,
+    languages: ["python"],
+    references: ["CWE-78"]
+  }
+];
+function fingerprint(ruleId, filePath, lineNumber) {
+  const input = `${ruleId}:${filePath}:${lineNumber}`;
+  return crypto.createHash("sha256").update(input).digest("hex");
+}
+function getLineNumber(content, matchIndex) {
+  return content.substring(0, matchIndex).split("\n").length;
+}
+function getSnippet(content, lineNumber, contextLines = 2) {
+  const lines = content.split("\n");
+  const start = Math.max(0, lineNumber - contextLines - 1);
+  const end = Math.min(lines.length, lineNumber + contextLines);
+  return lines.slice(start, end).map((l, i) => {
+    const num = start + i + 1;
+    const marker = num === lineNumber ? ">" : " ";
+    return `${marker} ${num} | ${l}`;
+  }).join("\n");
+}
+function isLineSuppressed(content, lineNumber, suppressPatterns) {
+  if (!suppressPatterns || suppressPatterns.length === 0) return false;
+  const lines = content.split("\n");
+  const start = Math.max(0, lineNumber - 4);
+  const end = Math.min(lines.length, lineNumber + 2);
+  const context = lines.slice(start, end).join("\n");
+  return suppressPatterns.some((p) => p.test(context));
+}
+function scanFile(filePath, content, language) {
+  const findings = [];
+  const applicableRules = RULES.filter((r) => r.languages.includes(language));
+  for (const rule of applicableRules) {
+    rule.pattern.lastIndex = 0;
+    let match;
+    while ((match = rule.pattern.exec(content)) !== null) {
+      const lineNumber = getLineNumber(content, match.index);
+      if (isLineSuppressed(content, lineNumber, rule.suppressIf)) {
+        continue;
+      }
+      const snippet = getSnippet(content, lineNumber);
+      const fp = fingerprint(rule.id, filePath, lineNumber);
+      if (findings.some((f) => f.fingerprint === fp)) continue;
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        confidence: rule.confidence,
+        title: rule.title,
+        message: rule.message,
+        filePath,
+        lineNumber,
+        snippet,
+        fingerprint: fp,
+        evidence: { snippet, highlights: [lineNumber] },
+        references: rule.references
+      });
+    }
+  }
+  return findings;
+}
+
+// src/reporters/table.ts
+import chalk from "chalk";
+import Table from "cli-table3";
+var severityColor = {
+  critical: chalk.bgRed.white.bold,
+  high: chalk.red.bold,
+  medium: chalk.yellow,
+  low: chalk.cyan,
+  info: chalk.gray
+};
+var severityOrder = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3,
+  info: 4
+};
+function renderSummary(findings, filesScanned, durationMs) {
+  const counts = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+  for (const f of findings) {
+    counts[f.severity] = (counts[f.severity] || 0) + 1;
+  }
+  console.log();
+  console.log(
+    chalk.bold("Scan Summary"),
+    chalk.gray(`(${filesScanned} files in ${(durationMs / 1e3).toFixed(1)}s)`)
+  );
+  console.log();
+  const parts = [];
+  if (counts.critical)
+    parts.push(severityColor.critical(` ${counts.critical} critical `));
+  if (counts.high) parts.push(severityColor.high(`${counts.high} high`));
+  if (counts.medium)
+    parts.push(severityColor.medium(`${counts.medium} medium`));
+  if (counts.low) parts.push(severityColor.low(`${counts.low} low`));
+  if (counts.info) parts.push(severityColor.info(`${counts.info} info`));
+  if (parts.length === 0) {
+    console.log(chalk.green.bold("  No findings detected"));
+  } else {
+    console.log("  " + parts.join(chalk.gray("  |  ")));
+  }
+  console.log();
+}
+function renderFindings(findings, minSeverity = "low") {
+  const minOrder = severityOrder[minSeverity] ?? 3;
+  const filtered = findings.filter((f) => (severityOrder[f.severity] ?? 4) <= minOrder).sort(
+    (a, b) => (severityOrder[a.severity] ?? 4) - (severityOrder[b.severity] ?? 4)
+  );
+  if (filtered.length === 0) return;
+  const table = new Table({
+    head: [
+      chalk.gray("Severity"),
+      chalk.gray("Category"),
+      chalk.gray("Title"),
+      chalk.gray("File"),
+      chalk.gray("Line")
+    ],
+    colWidths: [12, 16, 40, 35, 6],
+    wordWrap: true,
+    style: { head: [], border: ["gray"] }
+  });
+  for (const f of filtered) {
+    const colorFn = severityColor[f.severity] || chalk.white;
+    table.push([
+      colorFn(f.severity),
+      f.category,
+      f.title,
+      truncatePath(f.filePath, 33),
+      String(f.lineNumber)
+    ]);
+  }
+  console.log(table.toString());
+  console.log();
+}
+function renderFindingDetail(finding) {
+  const colorFn = severityColor[finding.severity] || chalk.white;
+  console.log(chalk.bold("\u2500".repeat(70)));
+  console.log(
+    colorFn(`  [${finding.severity.toUpperCase()}]`),
+    chalk.bold(finding.title)
+  );
+  console.log(chalk.gray(`  ${finding.filePath}:${finding.lineNumber}`));
+  console.log();
+  console.log(chalk.gray("  " + finding.message));
+  console.log();
+  if (finding.snippet) {
+    const lines = finding.snippet.split("\n");
+    for (const line of lines) {
+      if (line.startsWith(">")) {
+        console.log(chalk.yellow("  " + line));
+      } else {
+        console.log(chalk.gray("  " + line));
+      }
+    }
+    console.log();
+  }
+  if (finding.references.length > 0) {
+    console.log(
+      chalk.gray("  References: "),
+      finding.references.join(", ")
+    );
+  }
+}
+function truncatePath(p, maxLen) {
+  if (p.length <= maxLen) return p;
+  return "..." + p.slice(-(maxLen - 3));
+}
+function renderJsonOutput(findings, stats) {
+  const output = {
+    version: "1.0.0",
+    tool: "secbez-cli",
+    stats,
+    findings: findings.map((f) => ({
+      ruleId: f.ruleId,
+      category: f.category,
+      severity: f.severity,
+      confidence: f.confidence,
+      title: f.title,
+      message: f.message,
+      filePath: f.filePath,
+      lineNumber: f.lineNumber,
+      fingerprint: f.fingerprint,
+      references: f.references
+    }))
+  };
+  console.log(JSON.stringify(output, null, 2));
+}
+
+// src/commands/check.ts
+async function checkCommand(targetPath, options) {
+  const startTime = Date.now();
+  const spinner = options.format === "json" ? null : ora("Crawling files...").start();
+  const files = crawlDirectory(targetPath, options.maxFiles);
+  const totalBytes = files.reduce((sum, f) => sum + f.sizeBytes, 0);
+  if (spinner) {
+    spinner.text = `Scanning ${files.length} files (${(totalBytes / 1024).toFixed(0)} KB)...`;
+  }
+  const allFindings = [];
+  for (const file of files) {
+    const findings = scanFile(file.relativePath, file.content, file.language);
+    allFindings.push(...findings);
+  }
+  const durationMs = Date.now() - startTime;
+  if (spinner) {
+    spinner.stop();
+  }
+  const stats = {
+    filesScanned: files.length,
+    bytesProcessed: totalBytes,
+    durationMs
+  };
+  if (options.format === "json") {
+    renderJsonOutput(allFindings, stats);
+  } else {
+    renderSummary(allFindings, files.length, durationMs);
+    if (allFindings.length > 0) {
+      if (options.verbose) {
+        for (const f of allFindings) {
+          renderFindingDetail(f);
+        }
+      } else {
+        renderFindings(allFindings, options.severity);
+      }
+    }
+  }
+  if (options.online && allFindings.length > 0) {
+    const apiKey = getApiKey();
+    if (!apiKey) {
+      console.log(
+        chalk2.yellow(
+          "\n  To upload results, run: secbez login\n"
+        )
+      );
+    } else {
+      const uploadSpinner = options.format !== "json" ? ora("Uploading to dashboard...").start() : null;
+      try {
+        const repoName = detectRepoName(targetPath);
+        const apiUrl = getApiUrl();
+        const response = await fetch(`${apiUrl}/cli/scan`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${apiKey}`
+          },
+          body: JSON.stringify({
+            repoName,
+            findings: allFindings,
+            stats
+          })
+        });
+        if (!response.ok) {
+          const err = await response.json().catch(() => ({ error: "Unknown error" }));
+          throw new Error(err.error || `HTTP ${response.status}`);
+        }
+        const result = await response.json();
+        if (uploadSpinner) {
+          uploadSpinner.succeed("Results uploaded to dashboard");
+        }
+        if (options.format !== "json") {
+          console.log(
+            chalk2.bold(`
+  View full report: ${chalk2.underline.blue(result.dashboardUrl)}
+`)
+          );
+        }
+        if (options.open) {
+          const { exec } = await import("child_process");
+          const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+          exec(`${cmd} ${result.dashboardUrl}`);
+        }
+      } catch (err) {
+        if (uploadSpinner) {
+          uploadSpinner.fail(
+            `Upload failed: ${err instanceof Error ? err.message : "Unknown error"}`
+          );
+        }
+      }
+    }
+  }
+  if (options.ci || options.format === "json") {
+    const hasCritical = allFindings.some(
+      (f) => f.severity === "critical" || f.severity === "high"
+    );
+    if (hasCritical) {
+      process.exit(1);
+    }
+  }
+}
+function detectRepoName(targetPath) {
+  try {
+    const { execSync } = __require("child_process");
+    const remote = execSync("git remote get-url origin", {
+      cwd: targetPath,
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    const match = remote.match(/[:/]([^/]+\/[^/.]+?)(?:\.git)?$/);
+    if (match) return match[1];
+  } catch {
+  }
+  const path3 = __require("path");
+  return path3.basename(path3.resolve(targetPath));
+}
+
+// src/commands/config.ts
+import chalk3 from "chalk";
+var VALID_KEYS = [
+  "apiUrl",
+  "defaultSeverity",
+  "defaultFormat"
+];
+function configSetCommand(key, value) {
+  if (!VALID_KEYS.includes(key)) {
+    console.log(chalk3.red(`
+  Unknown config key: ${key}`));
+    console.log(chalk3.gray(`  Valid keys: ${VALID_KEYS.join(", ")}
+`));
+    process.exit(1);
+  }
+  saveConfig({ [key]: value });
+  console.log(chalk3.green(`
+  Set ${key} = ${value}
+`));
+}
+function configGetCommand(key) {
+  const config = loadConfig();
+  if (key) {
+    const value = config[key];
+    if (value !== void 0) {
+      console.log(`
+  ${key} = ${key === "apiKey" ? "****" : value}
+`);
+    } else {
+      console.log(chalk3.gray(`
+  ${key} is not set
+`));
+    }
+  } else {
+    console.log(chalk3.bold("\n  Secbez CLI Configuration\n"));
+    console.log(`  apiUrl          = ${config.apiUrl}`);
+    console.log(`  apiKey          = ${config.apiKey ? "sk_live_****" : chalk3.gray("(not set)")}`);
+    console.log(`  defaultSeverity = ${config.defaultSeverity}`);
+    console.log(`  defaultFormat   = ${config.defaultFormat}`);
+    console.log();
+  }
+}
+function logoutCommand() {
+  saveConfig({ apiKey: void 0 });
+  console.log(chalk3.green("\n  Logged out. API key removed.\n"));
+}
+
+// src/commands/login.ts
+import chalk4 from "chalk";
+import { createInterface } from "readline";
+async function loginCommand() {
+  console.log();
+  console.log(chalk4.bold("  Secbez CLI Login"));
+  console.log(
+    chalk4.gray(
+      "  Get your API key from: https://app.secbez.com/settings/api-keys"
+    )
+  );
+  console.log();
+  const apiKey = await promptHidden("  API Key: ");
+  if (!apiKey || !apiKey.startsWith("sk_live_")) {
+    console.log(
+      chalk4.red('\n  Invalid API key. Keys start with "sk_live_".\n')
+    );
+    process.exit(1);
+  }
+  const apiUrl = getApiUrl();
+  try {
+    const response = await fetch(`${apiUrl}/me`, {
+      headers: { Authorization: `Bearer ${apiKey}` }
+    });
+    if (!response.ok) {
+      console.log(
+        chalk4.red(
+          "\n  Authentication failed. Check your API key and try again.\n"
+        )
+      );
+      process.exit(1);
+    }
+    const data = await response.json();
+    saveConfig({ apiKey });
+    console.log(
+      chalk4.green(`
+  Authenticated as ${chalk4.bold(data.user.email)}`)
+    );
+    console.log(
+      chalk4.gray("  Key saved to ~/.secbez/config.json\n")
+    );
+  } catch (err) {
+    console.log(
+      chalk4.red(
+        `
+  Connection failed: ${err instanceof Error ? err.message : "Unknown error"}`
+      )
+    );
+    console.log(
+      chalk4.gray(
+        `  API URL: ${apiUrl} \u2014 set SECBEZ_API_URL if using a custom instance.
+`
+      )
+    );
+    process.exit(1);
+  }
+}
+function promptHidden(question) {
+  return new Promise((resolve) => {
+    const rl = createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    if (process.stdin.isTTY) {
+      process.stdout.write(question);
+      const stdin = process.stdin;
+      const wasRaw = stdin.isRaw;
+      stdin.setRawMode(true);
+      stdin.resume();
+      let input = "";
+      stdin.on("data", function onData(char) {
+        const c = char.toString("utf-8");
+        if (c === "\n" || c === "\r" || c === "") {
+          stdin.setRawMode(wasRaw ?? false);
+          stdin.pause();
+          stdin.removeListener("data", onData);
+          rl.close();
+          console.log();
+          resolve(input);
+        } else if (c === "") {
+          process.exit(0);
+        } else if (c === "\x7F" || c === "\b") {
+          input = input.slice(0, -1);
+        } else {
+          input += c;
+        }
+      });
+    } else {
+      rl.question(question, (answer) => {
+        rl.close();
+        resolve(answer.trim());
+      });
+    }
+  });
+}
+
+// src/index.ts
+var program = new Command();
+program.name("secbez").description("Secbez CLI \u2014 local security scanning for your codebase").version("0.1.0");
+program.command("check").description("Scan a directory for security vulnerabilities").argument("[path]", "Directory to scan", ".").option("-s, --severity <level>", "Minimum severity to report", "low").option(
+  "-f, --format <format>",
+  "Output format: table, json",
+  "table"
+).option("--online", "Upload results to Secbez dashboard", false).option("--open", "Open dashboard report in browser after upload", false).option("--ci", "CI mode: exit 1 on high/critical findings", false).option("-v, --verbose", "Show detailed findings with code snippets", false).option("--max-files <n>", "Maximum files to scan", "2000").action(async (targetPath, options) => {
+  await checkCommand(targetPath, {
+    severity: options.severity,
+    format: options.format,
+    online: options.online,
+    open: options.open,
+    ci: options.ci,
+    verbose: options.verbose,
+    maxFiles: parseInt(options.maxFiles)
+  });
+});
+program.command("login").description("Authenticate with your Secbez API key").action(async () => {
+  await loginCommand();
+});
+program.command("logout").description("Remove stored API key").action(() => {
+  logoutCommand();
+});
+var configCmd = program.command("config").description("Manage CLI configuration");
+configCmd.command("set").description("Set a config value").argument("<key>", "Config key").argument("<value>", "Config value").action((key, value) => {
+  configSetCommand(key, value);
+});
+configCmd.command("get").description("Show config value(s)").argument("[key]", "Config key (omit to show all)").action((key) => {
+  configGetCommand(key);
+});
+program.parse();

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@secbez-labs/cli",
+  "publishConfig": {
+    "access": "public"
+  },
+  "version": "0.1.0",
+  "description": "Secbez CLI — local security scanning for your codebase",
+  "type": "module",
+  "bin": {
+    "secbez": "./dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --dts --clean",
+    "dev": "tsup src/index.ts --format esm --watch",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run --passWithNoTests",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "commander": "^12.1.0",
+    "chalk": "^5.3.0",
+    "ora": "^8.0.1",
+    "cli-table3": "^0.6.5"
+  },
+  "devDependencies": {
+    "@secbez/typescript-config": "workspace:*",
+    "@types/node": "^20.19.9",
+    "tsup": "^8.3.5",
+    "typescript": "^5.9.3",
+    "vitest": "^3.2.4"
+  }
+}