@trailofbits/vsix-audit 0.1.0

package/dist/scanner/detection-coverage.test.js

@@ -0,0 +1,216 @@
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { describe, expect, it } from "vitest";
+import { scanExtension } from "./index.js";
+const ZOO_ROOT = join(import.meta.dirname, "..", "..", "zoo");
+const SAMPLES_DIR = process.env["VSIX_ZOO_PATH"] || join(ZOO_ROOT, "samples");
+const TEST_CORPUS_DIR = join(import.meta.dirname, "..", "..", "test-corpus");
+const CLEAN_DIR = join(TEST_CORPUS_DIR, "clean");
+const hasSamples = existsSync(join(SAMPLES_DIR, "apollyon"));
+const hasCleanCorpus = existsSync(CLEAN_DIR);
+const MALWARE_SAMPLES = [
+    {
+        path: "apollyon",
+        description: "Discord webhook exfiltration PoC",
+        expectedFindings: [
+            // Discord webhook YARA rule is high severity (per rule metadata)
+            { id: "YARA_C2_JS_Discord_Webhook_Jan25", severity: "high" },
+        ],
+        optionalFindings: ["OBFUSCATION_HIGH_ENTROPY"],
+    },
+    {
+        path: "kagema/ShowSnowcrypto.SnowShoNo/showsnowcrypto.snowshono-0.6.0",
+        description: "SnowShoNo C2 malware",
+        expectedFindings: [
+            { id: "KNOWN_C2_DOMAIN", severity: "critical", metadata: { domain: "niggboo.com" } },
+        ],
+        optionalFindings: ["YARA_SUSP_JS_Obfuscator_Hex_Vars_Jan25", "ACTIVATION_STARTUP"],
+    },
+    {
+        path: "glassworm/icon-theme-materiall.vsix",
+        description: "GlassWorm supply chain malware with Rust implant",
+        expectedFindings: [
+            { id: "BLOCKLIST_MATCH", severity: "critical" },
+            { id: "KNOWN_MALWARE_HASH", severity: "critical" },
+        ],
+        optionalFindings: ["ACTIVATION_WILDCARD", "THEME_WITH_CODE", "LIFECYCLE_SCRIPT"],
+    },
+    {
+        path: "ecm3401/Extension-Attack-Suite",
+        description: "Educational attack suite with multiple techniques",
+        expectedFindings: [
+            { id: "KNOWN_MALWARE_HASH", severity: "critical" },
+            { id: "BIDI_OVERRIDE", severity: "critical" },
+        ],
+        optionalFindings: [
+            "AST_EVAL_DYNAMIC",
+            "AST_FUNCTION_CONSTRUCTOR",
+            "AST_PROCESS_BINDING",
+            "YARA_MAL_JS_GlassWorm_Unicode_Stealth_Jan25",
+            "YARA_C2_JS_WebSocket_Command_Exec_Jan25",
+            "YARA_LOADER_PS_Download_Execute_Jan25",
+        ],
+    },
+];
+/**
+ * Clean extensions that should produce minimal findings.
+ * Used for false positive baseline testing.
+ */
+const CLEAN_EXTENSIONS = [
+    "esbenp.prettier-vscode.vsix",
+    "dbaeumer.vscode-eslint.vsix",
+    "4ops.packer.vsix",
+    "yzhang.markdown-all-in-one.vsix",
+];
+/**
+ * Finding IDs that are acceptable in clean extensions.
+ * These represent patterns that occur in legitimate code but are flagged
+ * for completeness.
+ */
+const ACCEPTABLE_CLEAN_FINDINGS = new Set([
+    // Legitimate activation patterns
+    "ACTIVATION_STARTUP",
+    "ACTIVATION_WILDCARD",
+    // Entropy from minified code is expected
+    "OBFUSCATION_HIGH_ENTROPY",
+    // Dynamic imports are common in modern bundled code
+    "AST_DYNAMIC_IMPORT",
+    // Process bindings in Node.js polyfills
+    "AST_PROCESS_BINDING",
+    // Wallet-like strings in package-lock.json (integrity hashes)
+    "CRYPTO_WALLET_DETECTED",
+]);
+/**
+ * Finding IDs that should NEVER appear in clean extensions.
+ * If these appear, they indicate a false positive that needs investigation.
+ */
+const NEVER_IN_CLEAN_FINDINGS = new Set([
+    "BLOCKLIST_MATCH",
+    "KNOWN_MALWARE_HASH",
+    "KNOWN_C2_DOMAIN",
+    "KNOWN_C2_IP",
+    "KNOWN_MALWARE_WALLET",
+    "MALICIOUS_NPM_PACKAGE",
+    "BIDI_OVERRIDE",
+    "INVISIBLE_CODE_EXECUTION",
+]);
+const defaultOptions = {
+    output: "text",
+    severity: "low",
+    network: false,
+};
+describe.skipIf(!hasSamples)("Malware Sample Detection Coverage", () => {
+    for (const sample of MALWARE_SAMPLES) {
+        describe(sample.description, () => {
+            it(`detects expected findings in ${sample.path}`, async () => {
+                const samplePath = join(SAMPLES_DIR, sample.path);
+                const result = await scanExtension(samplePath, defaultOptions);
+                const findingIds = new Set(result.findings.map((f) => f.id));
+                // Check all expected findings are present
+                for (const expected of sample.expectedFindings) {
+                    const finding = result.findings.find((f) => f.id === expected.id);
+                    expect(finding, `Expected finding ${expected.id} not found. Found: ${[...findingIds].join(", ")}`).toBeDefined();
+                    if (expected.severity) {
+                        expect(finding?.severity).toBe(expected.severity);
+                    }
+                    if (expected.metadata) {
+                        for (const [key, value] of Object.entries(expected.metadata)) {
+                            expect(finding?.metadata?.[key]).toBe(value);
+                        }
+                    }
+                }
+            }, 30000); // 30s timeout for large samples
+            it(`produces at least one meaningful finding for ${sample.path}`, async () => {
+                const samplePath = join(SAMPLES_DIR, sample.path);
+                const result = await scanExtension(samplePath, defaultOptions);
+                // Every malware sample should produce at least one finding at medium+ severity
+                const meaningfulFindings = result.findings.filter((f) => f.severity === "critical" || f.severity === "high" || f.severity === "medium");
+                expect(meaningfulFindings.length).toBeGreaterThan(0);
+            }, 30000);
+        });
+    }
+});
+describe.skipIf(!hasCleanCorpus)("Clean Extension False Positive Testing", () => {
+    for (const ext of CLEAN_EXTENSIONS) {
+        it(`${ext} has no critical findings that indicate malware`, async () => {
+            const extPath = join(CLEAN_DIR, ext);
+            if (!existsSync(extPath)) {
+                console.warn(`Skipping ${ext}: not found in clean corpus`);
+                return;
+            }
+            const result = await scanExtension(extPath, defaultOptions);
+            // Check that no "never in clean" findings appear
+            const badFindings = result.findings.filter((f) => NEVER_IN_CLEAN_FINDINGS.has(f.id));
+            expect(badFindings, `Clean extension ${ext} has findings that should never appear in clean code: ${badFindings.map((f) => f.id).join(", ")}`).toHaveLength(0);
+        }, 30000);
+    }
+    it("summarizes findings across clean corpus", async () => {
+        const findingCounts = {};
+        let totalScanned = 0;
+        for (const ext of CLEAN_EXTENSIONS) {
+            const extPath = join(CLEAN_DIR, ext);
+            if (!existsSync(extPath))
+                continue;
+            const result = await scanExtension(extPath, defaultOptions);
+            totalScanned++;
+            for (const finding of result.findings) {
+                findingCounts[finding.id] = (findingCounts[finding.id] || 0) + 1;
+            }
+        }
+        // Log summary for analysis (not a hard failure)
+        console.log(`\nClean corpus summary (${totalScanned} extensions):`);
+        const sorted = Object.entries(findingCounts).sort((a, b) => b[1] - a[1]);
+        for (const [id, count] of sorted) {
+            const pct = ((count / totalScanned) * 100).toFixed(0);
+            const status = ACCEPTABLE_CLEAN_FINDINGS.has(id) ? "✓" : "⚠";
+            console.log(`  ${status} ${id}: ${count}/${totalScanned} (${pct}%)`);
+        }
+        expect(totalScanned).toBeGreaterThan(0);
+    }, 120000);
+});
+describe.skipIf(!hasSamples)("Detection Quality Assertions", () => {
+    it("all expected YARA rules fire on their target samples", async () => {
+        const yaraFindings = {};
+        for (const sample of MALWARE_SAMPLES) {
+            const samplePath = join(SAMPLES_DIR, sample.path);
+            const result = await scanExtension(samplePath, defaultOptions);
+            const yaraIds = result.findings.filter((f) => f.id.startsWith("YARA_")).map((f) => f.id);
+            yaraFindings[sample.path] = yaraIds;
+        }
+        // Verify at least one YARA rule fires on each malware sample
+        for (const [path, rules] of Object.entries(yaraFindings)) {
+            // apollyon should trigger Discord webhook rule
+            if (path === "apollyon") {
+                expect(rules).toContain("YARA_C2_JS_Discord_Webhook_Jan25");
+            }
+            // ecm3401 should trigger multiple YARA rules
+            if (path.includes("ecm3401")) {
+                expect(rules.length).toBeGreaterThan(0);
+            }
+        }
+    }, 60000);
+    it("IOC checks detect known C2 infrastructure", async () => {
+        const kagemaSample = join(SAMPLES_DIR, "kagema/ShowSnowcrypto.SnowShoNo/showsnowcrypto.snowshono-0.6.0");
+        const result = await scanExtension(kagemaSample, defaultOptions);
+        const c2Finding = result.findings.find((f) => f.id === "KNOWN_C2_DOMAIN");
+        expect(c2Finding).toBeDefined();
+        expect(c2Finding?.metadata?.["domain"]).toBe("niggboo.com");
+    }, 30000);
+    it("hash matching catches known malware files", async () => {
+        const glasswormSample = join(SAMPLES_DIR, "glassworm/icon-theme-materiall.vsix");
+        const result = await scanExtension(glasswormSample, defaultOptions);
+        const hashFindings = result.findings.filter((f) => f.id === "KNOWN_MALWARE_HASH");
+        expect(hashFindings.length).toBeGreaterThan(0);
+        // Should detect the darwin.node, os.node, and extension.js hashes
+        const files = hashFindings.map((f) => f.location?.file);
+        expect(files.some((f) => f?.includes("darwin.node"))).toBe(true);
+    }, 30000);
+    it("blocklist matching catches known malicious extension IDs", async () => {
+        const glasswormSample = join(SAMPLES_DIR, "glassworm/icon-theme-materiall.vsix");
+        const result = await scanExtension(glasswormSample, defaultOptions);
+        const blocklistFinding = result.findings.find((f) => f.id === "BLOCKLIST_MATCH");
+        expect(blocklistFinding).toBeDefined();
+        expect(blocklistFinding?.severity).toBe("critical");
+    }, 30000);
+});
+//# sourceMappingURL=detection-coverage.test.js.map

package/dist/scanner/detection-coverage.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detection-coverage.test.js","sourceRoot":"","sources":["../../src/scanner/detection-coverage.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;AAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AAC9E,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;AAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;AAEjD,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC,CAAC;AAC7D,MAAM,cAAc,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;AAkB7C,MAAM,eAAe,GAAwB;IAC3C;QACE,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,kCAAkC;QAC/C,gBAAgB,EAAE;YAChB,iEAAiE;YACjE,EAAE,EAAE,EAAE,kCAAkC,EAAE,QAAQ,EAAE,MAAM,EAAE;SAC7D;QACD,gBAAgB,EAAE,CAAC,0BAA0B,CAAC;KAC/C;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,WAAW,EAAE,sBAAsB;QACnC,gBAAgB,EAAE;YAChB,EAAE,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,EAAE;SACrF;QACD,gBAAgB,EAAE,CAAC,wCAAwC,EAAE,oBAAoB,CAAC;KACnF;IACD;QACE,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EAAE,kDAAkD;QAC/D,gBAAgB,EAAE;YAChB,EAAE,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAU,EAAE;YAC/C,EAAE,EAAE,EAAE,oBAAoB,EAAE,QAAQ,EAAE,UAAU,EAAE;SACnD;QACD,gBAAgB,EAAE,CAAC,qBAAqB,EAAE,iBAAiB,EAAE,kBAAkB,CAAC;KACjF;IACD;QACE,IAAI,EAAE,gCAAgC;QACtC,WAAW,EAAE,mDAAmD;QAChE,gBAAgB,EAAE;YAChB,EAAE,EAAE,EAAE,oBAAoB,EAAE,QAAQ,EAAE,UAAU,EAAE;YAClD,EAAE,EAAE,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE;SAC9C;QACD,gBAAgB,EAAE;YAChB,kBAAkB;YAClB,0BAA0B;YAC1B,qBAAqB;YACrB,6CAA6C;YAC7C,yCAAyC;YACzC,uCAAuC;SACxC;KACF;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,gBAAgB,GAAG;IACvB,6BAA6B;IAC7B,6BAA6B;IAC7B,kBAAkB;IAClB,iCAAiC;CAClC,CAAC;AAEF;;;;GAIG;AACH,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,iCAAiC;IACjC,oBAAoB;IACpB,qBAAqB;IACrB,yCAAyC;IACzC,0BAA0B;IAC1B,oDAAoD;IACpD,oBAAoB;IACpB,wCAAwC;IACxC,qBAAqB;IACrB,8DAA8D;IAC9D,wBAAwB;CACzB,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,iBAAiB;IACjB,oBAAoB;IACpB,iBAAiB;IACjB,aAAa;IACb,sBAAsB;IACtB,uBAAuB;IACvB,eAAe;IACf,0BAA0B;CAC3B,CAAC,CAAC;AAEH,MAAM,cAAc,GAAgB;IAClC,MAAM,EAAE,MAAM;IACd,QAAQ,EAAE,KAAK;IACf,OAAO,EAAE,KAAK;CACf,CAAC;AAEF,QAAQ,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACrE,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;QACrC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,gCAAgC,MAAM,CAAC,IAAI,EAAE,EAAE,KAAK,IAAI,EAAE;gBAC3D,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;gBAE/D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAE7D,0CAA0C;gBAC1C,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;oBAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,QAAQ,CAAC,EAAE,CAAC,CAAC;oBAElE,MAAM,CACJ,OAAO,EACP,oBAAoB,QAAQ,CAAC,EAAE,sBAAsB,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClF,CAAC,WAAW,EAAE,CAAC;oBAEhB,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;wBACtB,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;oBACpD,CAAC;oBAED,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;wBACtB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC7D,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;wBAC/C,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,gCAAgC;YAE3C,EAAE,CAAC,gDAAgD,MAAM,CAAC,IAAI,EAAE,EAAE,KAAK,IAAI,EAAE;gBAC3E,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;gBAE/D,+EAA+E;gBAC/E,MAAM,kBAAkB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAC/C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CACrF,CAAC;gBAEF,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACvD,CAAC,EAAE,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC,wCAAwC,EAAE,GAAG,EAAE;IAC9E,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACnC,EAAE,CAAC,GAAG,GAAG,iDAAiD,EAAE,KAAK,IAAI,EAAE;YACrE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YACrC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzB,OAAO,CAAC,IAAI,CAAC,YAAY,GAAG,6BAA6B,CAAC,CAAC;gBAC3D,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;YAE5D,iDAAiD;YACjD,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAErF,MAAM,CACJ,WAAW,EACX,mBAAmB,GAAG,yDAAyD,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACzH,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC,EAAE,KAAK,CAAC,CAAC;IACZ,CAAC;IAED,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,aAAa,GAA2B,EAAE,CAAC;QACjD,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YACrC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;gBAAE,SAAS;YAEnC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;YAC5D,YAAY,EAAE,CAAC;YAEf,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACtC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,OAAO,CAAC,GAAG,CAAC,2BAA2B,YAAY,eAAe,CAAC,CAAC;QACpE,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG,YAAY,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,yBAAyB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YAC7D,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,IAAI,EAAE,KAAK,KAAK,IAAI,YAAY,KAAK,GAAG,IAAI,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,CAAC,YAAY,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC,EAAE,MAAM,CAAC,CAAC;AACb,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAChE,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,YAAY,GAA6B,EAAE,CAAC;QAElD,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAE/D,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAEzF,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;QACtC,CAAC;QAED,6DAA6D;QAC7D,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACzD,+CAA+C;YAC/C,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;gBACxB,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;YAC9D,CAAC;YAED,6CAA6C;YAC7C,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC,EAAE,KAAK,CAAC,CAAC;IAEV,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,YAAY,GAAG,IAAI,CACvB,WAAW,EACX,gEAAgE,CACjE,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;QAEjE,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC;QAC1E,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAChC,MAAM,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC9D,CAAC,EAAE,KAAK,CAAC,CAAC;IAEV,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,qCAAqC,CAAC,CAAC;QACjF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC;QAEpE,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;QAClF,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE/C,kEAAkE;QAClE,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnE,CAAC,EAAE,KAAK,CAAC,CAAC;IAEV,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,qCAAqC,CAAC,CAAC;QACjF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC;QAEpE,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC;QACjF,MAAM,CAAC,gBAAgB,CAAC,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC,EAAE,KAAK,CAAC,CAAC;AACZ,CAAC,CAAC,CAAC"}

package/dist/scanner/download.d.ts

@@ -0,0 +1,76 @@
+import type { Registry } from "./types.js";
+export interface ExtensionMetadata {
+    extensionId: string;
+    publisher: string;
+    name: string;
+    version: string;
+    displayName?: string;
+    description?: string;
+    installCount?: number;
+    lastUpdated?: string;
+    registry?: Registry;
+}
+export interface DownloadOptions {
+    destDir?: string;
+    useCache?: boolean;
+    forceDownload?: boolean;
+}
+export interface DownloadResult {
+    path: string;
+    metadata: ExtensionMetadata;
+    fromCache?: boolean;
+}
+export interface ParsedExtensionId {
+    publisher: string;
+    name: string;
+    version?: string;
+    registry: Registry;
+}
+/**
+ * Parse an extension ID in the format "publisher.name" or "publisher.name@version"
+ * Optionally with registry prefix: "openvsx:publisher.name" or "marketplace:publisher.name"
+ */
+export declare function parseExtensionId(input: string): ParsedExtensionId;
+/**
+ * Query the VS Code Marketplace for extension metadata
+ */
+export declare function queryExtension(publisher: string, name: string, version?: string): Promise<ExtensionMetadata>;
+/**
+ * Query OpenVSX for extension metadata
+ */
+export declare function queryOpenVSX(publisher: string, name: string, version?: string): Promise<ExtensionMetadata>;
+/**
+ * Query Cursor Extension Marketplace for extension metadata
+ */
+export declare function queryCursor(publisher: string, name: string, version?: string): Promise<ExtensionMetadata>;
+/**
+ * Get the download URL for a VSIX package from the VS Code Marketplace
+ */
+export declare function getMarketplaceDownloadUrl(publisher: string, name: string, version: string): string;
+/**
+ * Get the download URL for a VSIX package from OpenVSX
+ */
+export declare function getOpenVSXDownloadUrl(publisher: string, name: string, version: string): string;
+/**
+ * Get the download URL for a VSIX package from Cursor Extension Marketplace
+ */
+export declare function getCursorDownloadUrl(publisher: string, name: string, version: string): string;
+/**
+ * Get the download URL for a VSIX package
+ * @deprecated Use getMarketplaceDownloadUrl or getOpenVSXDownloadUrl instead
+ */
+export declare function getDownloadUrl(publisher: string, name: string, version: string): string;
+/**
+ * Download a VSIX from the marketplace
+ */
+export declare function downloadVsix(publisher: string, name: string, version: string, destPath: string, registry?: Registry): Promise<void>;
+/**
+ * Download an extension from the VS Code Marketplace or OpenVSX
+ *
+ * @param extensionId - Extension ID in format "publisher.name", "publisher.name@version",
+ *                      or with registry prefix: "openvsx:publisher.name", "marketplace:publisher.name"
+ * @param options - Optional settings
+ * @returns Path to downloaded VSIX and extension metadata
+ */
+export declare function downloadExtension(extensionId: string, options?: DownloadOptions): Promise<DownloadResult>;
+//# sourceMappingURL=download.d.ts.map

package/dist/scanner/download.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"download.d.ts","sourceRoot":"","sources":["../../src/scanner/download.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE3C,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AA0CD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,iBAAiB,CAgDjE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,iBAAiB,CAAC,CA4E5B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,iBAAiB,CAAC,CAsC5B;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,iBAAiB,CAAC,CA4E5B;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,GACd,MAAM,CAER;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAE9F;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAE7F;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAEvF;AAyBD;;GAEG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,QAAwB,GACjC,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CA2DzB"}

package/dist/scanner/download.js

@@ -0,0 +1,339 @@
+import { createWriteStream } from "node:fs";
+import { copyFile, mkdir } from "node:fs/promises";
+import { dirname, join } from "node:path";
+import { pipeline } from "node:stream/promises";
+import { Readable } from "node:stream";
+import { ensureCacheDir, getCachedPath, isCached } from "./cache.js";
+const GALLERY_API_URL = "https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery";
+const GALLERY_API_VERSION = "7.1-preview.1";
+const OPENVSX_API_URL = "https://open-vsx.org/api";
+const CURSOR_API_URL = "https://marketplace.cursorapi.com/_apis/public/gallery/extensionquery";
+/**
+ * Parse an extension ID in the format "publisher.name" or "publisher.name@version"
+ * Optionally with registry prefix: "openvsx:publisher.name" or "marketplace:publisher.name"
+ */
+export function parseExtensionId(input) {
+    let registry = "marketplace";
+    let rest = input;
+    // Check for registry prefix
+    if (input.startsWith("openvsx:")) {
+        registry = "openvsx";
+        rest = input.slice(8);
+    }
+    else if (input.startsWith("marketplace:")) {
+        registry = "marketplace";
+        rest = input.slice(12);
+    }
+    else if (input.startsWith("cursor:")) {
+        registry = "cursor";
+        rest = input.slice(7);
+    }
+    // Check for version suffix
+    const atIndex = rest.lastIndexOf("@");
+    let identifier = rest;
+    let version;
+    if (atIndex > 0) {
+        identifier = rest.slice(0, atIndex);
+        version = rest.slice(atIndex + 1);
+    }
+    // Split publisher.name
+    const dotIndex = identifier.indexOf(".");
+    if (dotIndex <= 0) {
+        throw new Error(`Invalid extension ID: "${input}". Expected format: publisher.name or publisher.name@version`);
+    }
+    const publisher = identifier.slice(0, dotIndex);
+    const name = identifier.slice(dotIndex + 1);
+    if (!publisher || !name) {
+        throw new Error(`Invalid extension ID: "${input}". Expected format: publisher.name or publisher.name@version`);
+    }
+    const result = { publisher, name, registry };
+    if (version !== undefined) {
+        result.version = version;
+    }
+    return result;
+}
+/**
+ * Query the VS Code Marketplace for extension metadata
+ */
+export async function queryExtension(publisher, name, version) {
+    const extensionId = `${publisher}.${name}`;
+    const requestBody = {
+        filters: [
+            {
+                criteria: [{ filterType: 7, value: extensionId }],
+                pageSize: 1,
+                pageNumber: 1,
+            },
+        ],
+        flags: 0x200 | 0x80 | 0x1, // Include versions, files, and statistics
+    };
+    const response = await fetch(GALLERY_API_URL, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: `application/json;api-version=${GALLERY_API_VERSION}`,
+        },
+        body: JSON.stringify(requestBody),
+    });
+    if (!response.ok) {
+        throw new Error(`Marketplace API error: ${response.status} ${response.statusText}`);
+    }
+    const data = (await response.json());
+    const extensions = data.results?.[0]?.extensions;
+    const ext = extensions?.[0];
+    if (!ext) {
+        throw new Error(`Extension not found: ${extensionId}`);
+    }
+    const versions = ext.versions ?? [];
+    // Find the requested version or use latest
+    let targetVersion = versions[0];
+    if (version) {
+        const found = versions.find((v) => v.version === version);
+        if (!found) {
+            throw new Error(`Version ${version} not found for ${extensionId}. Latest: ${versions[0]?.version}`);
+        }
+        targetVersion = found;
+    }
+    if (!targetVersion) {
+        throw new Error(`No versions available for ${extensionId}`);
+    }
+    // Get install count from statistics
+    const installStat = ext.statistics?.find((s) => s.statisticName === "install");
+    const result = {
+        extensionId,
+        publisher: ext.publisher.publisherName,
+        name: ext.extensionName,
+        version: targetVersion.version,
+        lastUpdated: targetVersion.lastUpdated,
+        registry: "marketplace",
+    };
+    if (ext.displayName) {
+        result.displayName = ext.displayName;
+    }
+    if (ext.shortDescription) {
+        result.description = ext.shortDescription;
+    }
+    if (installStat?.value !== undefined) {
+        result.installCount = installStat.value;
+    }
+    return result;
+}
+/**
+ * Query OpenVSX for extension metadata
+ */
+export async function queryOpenVSX(publisher, name, version) {
+    const extensionId = `${publisher}.${name}`;
+    const url = version
+        ? `${OPENVSX_API_URL}/${publisher}/${name}/${version}`
+        : `${OPENVSX_API_URL}/${publisher}/${name}`;
+    const response = await fetch(url);
+    if (!response.ok) {
+        if (response.status === 404) {
+            throw new Error(`Extension not found on OpenVSX: ${extensionId}`);
+        }
+        throw new Error(`OpenVSX API error: ${response.status} ${response.statusText}`);
+    }
+    const data = (await response.json());
+    const result = {
+        extensionId,
+        publisher: data.namespace,
+        name: data.name,
+        version: data.version,
+        registry: "openvsx",
+    };
+    if (data.timestamp) {
+        result.lastUpdated = data.timestamp;
+    }
+    if (data.displayName) {
+        result.displayName = data.displayName;
+    }
+    if (data.description) {
+        result.description = data.description;
+    }
+    if (data.downloadCount !== undefined) {
+        result.installCount = data.downloadCount;
+    }
+    return result;
+}
+/**
+ * Query Cursor Extension Marketplace for extension metadata
+ */
+export async function queryCursor(publisher, name, version) {
+    const extensionId = `${publisher}.${name}`;
+    const requestBody = {
+        filters: [
+            {
+                criteria: [{ filterType: 7, value: extensionId }],
+                pageSize: 1,
+                pageNumber: 1,
+            },
+        ],
+        flags: 0x200 | 0x80 | 0x1, // Include versions, files, and statistics
+    };
+    const response = await fetch(CURSOR_API_URL, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: `application/json;api-version=${GALLERY_API_VERSION}`,
+        },
+        body: JSON.stringify(requestBody),
+    });
+    if (!response.ok) {
+        throw new Error(`Cursor API error: ${response.status} ${response.statusText}`);
+    }
+    const data = (await response.json());
+    const extensions = data.results?.[0]?.extensions;
+    const ext = extensions?.[0];
+    if (!ext) {
+        throw new Error(`Extension not found on Cursor: ${extensionId}`);
+    }
+    const versions = ext.versions ?? [];
+    // Find the requested version or use latest
+    let targetVersion = versions[0];
+    if (version) {
+        const found = versions.find((v) => v.version === version);
+        if (!found) {
+            throw new Error(`Version ${version} not found for ${extensionId}. Latest: ${versions[0]?.version}`);
+        }
+        targetVersion = found;
+    }
+    if (!targetVersion) {
+        throw new Error(`No versions available for ${extensionId}`);
+    }
+    // Get install count from statistics
+    const installStat = ext.statistics?.find((s) => s.statisticName === "install");
+    const result = {
+        extensionId,
+        publisher: ext.publisher.publisherName,
+        name: ext.extensionName,
+        version: targetVersion.version,
+        lastUpdated: targetVersion.lastUpdated,
+        registry: "cursor",
+    };
+    if (ext.displayName) {
+        result.displayName = ext.displayName;
+    }
+    if (ext.shortDescription) {
+        result.description = ext.shortDescription;
+    }
+    if (installStat?.value !== undefined) {
+        result.installCount = installStat.value;
+    }
+    return result;
+}
+/**
+ * Get the download URL for a VSIX package from the VS Code Marketplace
+ */
+export function getMarketplaceDownloadUrl(publisher, name, version) {
+    return `https://${publisher}.gallery.vsassets.io/_apis/public/gallery/publisher/${publisher}/extension/${name}/${version}/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage`;
+}
+/**
+ * Get the download URL for a VSIX package from OpenVSX
+ */
+export function getOpenVSXDownloadUrl(publisher, name, version) {
+    return `${OPENVSX_API_URL}/${publisher}/${name}/${version}/file/${publisher}.${name}-${version}.vsix`;
+}
+/**
+ * Get the download URL for a VSIX package from Cursor Extension Marketplace
+ */
+export function getCursorDownloadUrl(publisher, name, version) {
+    return `https://marketplace.cursorapi.com/_apis/public/gallery/publishers/${publisher}/vsextensions/${name}/${version}/vspackage`;
+}
+/**
+ * Get the download URL for a VSIX package
+ * @deprecated Use getMarketplaceDownloadUrl or getOpenVSXDownloadUrl instead
+ */
+export function getDownloadUrl(publisher, name, version) {
+    return getMarketplaceDownloadUrl(publisher, name, version);
+}
+/**
+ * Download a VSIX from a URL
+ */
+async function downloadVsixFromUrl(url, destPath) {
+    const response = await fetch(url);
+    if (!response.ok) {
+        throw new Error(`Download failed: ${response.status} ${response.statusText}`);
+    }
+    if (!response.body) {
+        throw new Error("Empty response body");
+    }
+    // Ensure destination directory exists
+    await mkdir(dirname(destPath), { recursive: true });
+    // Stream the response to a file
+    const nodeStream = Readable.fromWeb(response.body);
+    const fileStream = createWriteStream(destPath);
+    await pipeline(nodeStream, fileStream);
+}
+/**
+ * Download a VSIX from the marketplace
+ */
+export async function downloadVsix(publisher, name, version, destPath, registry = "marketplace") {
+    let url;
+    if (registry === "openvsx") {
+        url = getOpenVSXDownloadUrl(publisher, name, version);
+    }
+    else if (registry === "cursor") {
+        url = getCursorDownloadUrl(publisher, name, version);
+    }
+    else {
+        url = getMarketplaceDownloadUrl(publisher, name, version);
+    }
+    await downloadVsixFromUrl(url, destPath);
+}
+/**
+ * Download an extension from the VS Code Marketplace or OpenVSX
+ *
+ * @param extensionId - Extension ID in format "publisher.name", "publisher.name@version",
+ *                      or with registry prefix: "openvsx:publisher.name", "marketplace:publisher.name"
+ * @param options - Optional settings
+ * @returns Path to downloaded VSIX and extension metadata
+ */
+export async function downloadExtension(extensionId, options) {
+    const { publisher, name, version, registry } = parseExtensionId(extensionId);
+    const useCache = options?.useCache !== false;
+    const forceDownload = options?.forceDownload === true;
+    // Query the appropriate registry for metadata
+    let metadata;
+    if (registry === "openvsx") {
+        metadata = await queryOpenVSX(publisher, name, version);
+    }
+    else if (registry === "cursor") {
+        metadata = await queryCursor(publisher, name, version);
+    }
+    else {
+        metadata = await queryExtension(publisher, name, version);
+    }
+    // If destDir is explicitly provided, download directly there (bypasses cache)
+    if (options?.destDir) {
+        const filename = `${metadata.publisher}.${metadata.name}-${metadata.version}.vsix`;
+        const destPath = join(options.destDir, filename);
+        // Check cache first if enabled
+        if (useCache && !forceDownload) {
+            const cachedPath = getCachedPath(registry, metadata.publisher, metadata.name, metadata.version);
+            const cached = await isCached(registry, metadata.publisher, metadata.name, metadata.version);
+            if (cached) {
+                // Copy from cache to destination
+                await mkdir(options.destDir, { recursive: true });
+                await copyFile(cachedPath, destPath);
+                return { path: destPath, metadata, fromCache: true };
+            }
+        }
+        // Download fresh
+        await downloadVsix(metadata.publisher, metadata.name, metadata.version, destPath, registry);
+        return { path: destPath, metadata, fromCache: false };
+    }
+    // Use cache directory
+    const cachedPath = getCachedPath(registry, metadata.publisher, metadata.name, metadata.version);
+    // Check if already cached
+    if (useCache && !forceDownload) {
+        const cached = await isCached(registry, metadata.publisher, metadata.name, metadata.version);
+        if (cached) {
+            return { path: cachedPath, metadata, fromCache: true };
+        }
+    }
+    // Download to cache
+    await ensureCacheDir(registry);
+    await downloadVsix(metadata.publisher, metadata.name, metadata.version, cachedPath, registry);
+    return { path: cachedPath, metadata, fromCache: false };
+}
+//# sourceMappingURL=download.js.map