@veestack-tools/cli 3.0.1

package/.env.example

@@ -0,0 +1,14 @@
+# VeeStack CLI Environment Variables
+# Copy this file to .env and fill in your actual values
+
+# Supabase Configuration (Required)
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_ANON_KEY=your_anon_key_here
+
+# IMPORTANT SECURITY NOTES:
+# - CLI should use SUPABASE_ANON_KEY (not Service Role Key)
+# - User authentication is handled via OAuth browser flow
+# - Access token is stored securely after login
+
+# Optional: For admin/debug scripts only (never commit this)
+# SUPABASE_SERVICE_ROLE_KEY=your_service_role_key_here

package/bin/veestack.mjs

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../dist/index.js';

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@veestack-tools/cli",
+  "version": "3.0.1",
+  "type": "module",
+  "bin": {
+    "veestack": "bin/veestack.mjs"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "start": "node bin/veestack.mjs"
+  },
+  "dependencies": {
+    "@veestack-tools/types": "workspace:*",
+    "@veestack-tools/utils": "workspace:*",
+    "@veestack-tools/engine": "workspace:*",
+    "commander": "^11.1.0",
+    "chalk": "^5.3.0",
+    "ora": "^8.0.1",
+    "glob": "^10.3.10",
+    "prompts": "^2.4.2"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.5",
+    "@types/prompts": "^2.4.9",
+    "tsup": "^8.0.2",
+    "typescript": "^5.3.3"
+  }
+}

package/src/commands/login.ts

@@ -0,0 +1,60 @@
+import { writeFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import ora from 'ora';
+import prompts from 'prompts';
+
+export async function loginCommand(options: { key?: string }): Promise<void> {
+  const spinner = ora({
+    text: 'Authenticating...',
+    spinner: 'dots',
+    stream: process.stdout
+  });
+
+  try {
+    let apiKey = options.key;
+
+    if (!apiKey) {
+      const response = await prompts({
+        type: 'password',
+        name: 'key',
+        message: 'Enter your VeeStack API key:',
+        validate: (value) => value.length > 0 || 'API key is required'
+      });
+
+      if (!response.key) {
+        console.log('❌ Login cancelled');
+        process.exit(1);
+      }
+
+      apiKey = response.key;
+    }
+
+    spinner.start('Validating API key...');
+
+    // Mock validation - in production this would validate with the server
+    await new Promise(resolve => setTimeout(resolve, 1000));
+
+    // Save to config file
+    const configDir = join(homedir(), '.veestack');
+    const configFile = join(configDir, 'config.json');
+
+    try {
+      const fs = await import('fs/promises');
+      await fs.mkdir(configDir, { recursive: true });
+      await fs.writeFile(configFile, JSON.stringify({ apiKey }, null, 2));
+    } catch {
+      // Fallback to sync
+      const fs = await import('fs');
+      fs.mkdirSync(configDir, { recursive: true });
+      writeFileSync(configFile, JSON.stringify({ apiKey }, null, 2));
+    }
+
+    spinner.succeed('Authenticated successfully');
+    console.log('✅ API key saved to ~/.veestack/config.json');
+  } catch (error) {
+    spinner.fail('Authentication failed');
+    console.error(error);
+    process.exit(1);
+  }
+}

package/src/commands/scan.ts

@@ -0,0 +1,219 @@
+import { glob } from 'glob';
+import { readFileSync, statSync, readdirSync } from 'fs';
+import { join, resolve } from 'path';
+import type { Snapshot, FileNode, DependencyNode } from '@veestack-tools/types';
+import crypto from 'crypto';
+import ora from 'ora';
+
+export async function scanCommand(options: {
+  path: string;
+  output: string;
+}): Promise<void> {
+  const spinner = ora({
+    text: 'Scanning project...',
+    spinner: 'dots',
+    stream: process.stdout
+  }).start();
+
+  try {
+    const snapshot = await generateSnapshot(options.path);
+
+    spinner.succeed(`Scanned ${snapshot.metadata.total_files} files`);
+
+    // Save to file
+    const fs = await import('fs/promises');
+    await fs.writeFile(options.output, JSON.stringify(snapshot, null, 2));
+
+    console.log(`\n✅ Snapshot saved to ${options.output}`);
+  } catch (error) {
+    spinner.fail('Scan failed');
+    console.error(error);
+    process.exit(1);
+  }
+}
+
+async function generateSnapshot(projectPath: string): Promise<Snapshot> {
+  const files = await scanFiles(projectPath);
+  const dependencies = await scanDependencies(projectPath);
+
+  const metadata = {
+    total_files: files.length,
+    total_dependencies: dependencies.length,
+    total_size_bytes: files.reduce((sum, f) => sum + f.size_bytes, 0),
+    total_lines: files.reduce((sum, f) => sum + (f.estimated_lines || 0), 0),
+    max_directory_depth: Math.max(...files.map((f) => f.depth), 0),
+    language_breakdown: calculateLanguageBreakdown(files),
+  };
+
+  return {
+    snapshot_version: '1.0.0',
+    engine_target_version: '1.0.0',
+    project_id: crypto.randomUUID(),
+    generated_at: new Date().toISOString(),
+    root_path_hash: hashString(projectPath),
+    project_root: resolve(projectPath),  // Use absolute path for content scanning
+    metadata,
+    files,
+    dependencies,
+  };
+}
+
+async function scanFiles(projectPath: string): Promise<FileNode[]> {
+  const files: FileNode[] = [];
+  const patterns = ['**/*'];
+
+  const filePaths = await glob(patterns, {
+    cwd: projectPath,
+    ignore: [
+      '**/node_modules/**',
+      '**/.git/**',
+      '**/dist/**',
+      '**/build/**',
+      '**/.next/**',
+      '**/out/**',
+      '**/coverage/**',
+    ],
+    absolute: false,
+  });
+
+  for (const filePath of filePaths) {
+    const fullPath = join(projectPath, filePath);
+    const stats = statSync(fullPath);
+
+    if (stats.isFile()) {
+      const fileNode: FileNode = {
+        id: crypto.randomUUID(),
+        path: filePath,           // Actual relative path for rule evaluation
+        path_hash: hashString(filePath),
+        depth: filePath.split(/[\\/]/).length,
+        size_bytes: stats.size,
+        estimated_lines: Math.floor(stats.size / 50), // Rough estimate
+        extension: filePath.split('.').pop() || '',
+        is_binary: isBinaryFile(filePath),
+      };
+
+      files.push(fileNode);
+    }
+  }
+
+  // Sort deterministically by path_hash
+  return files.sort((a, b) => a.path_hash.localeCompare(b.path_hash));
+}
+
+async function scanDependencies(projectPath: string): Promise<DependencyNode[]> {
+  const dependencies: DependencyNode[] = [];
+
+  try {
+    const packageJsonPath = join(projectPath, 'package.json');
+    const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf-8'));
+
+    const processDeps = (
+      deps: Record<string, string>,
+      category: 'dev' | 'prod' | 'peer'
+    ) => {
+      for (const [name, version] of Object.entries(deps)) {
+        const versionMatch = version.match(/^(\d+)\.(\d+)/);
+        const major = versionMatch ? parseInt(versionMatch[1]) : 0;
+        const minor = versionMatch ? parseInt(versionMatch[2]) : 0;
+
+        dependencies.push({
+          id: crypto.randomUUID(),
+          name_hash: hashString(name),
+          major_version: major,
+          minor_version: minor,
+          category,
+        });
+      }
+    };
+
+    if (packageJson.dependencies) {
+      processDeps(packageJson.dependencies, 'prod');
+    }
+
+    if (packageJson.devDependencies) {
+      processDeps(packageJson.devDependencies, 'dev');
+    }
+
+    if (packageJson.peerDependencies) {
+      processDeps(packageJson.peerDependencies, 'peer');
+    }
+  } catch (error) {
+    // No package.json found
+  }
+
+  // Sort deterministically by name_hash
+  return dependencies.sort((a, b) => a.name_hash.localeCompare(b.name_hash));
+}
+
+function calculateLanguageBreakdown(files: FileNode[]): Record<string, number> {
+  const breakdown: Record<string, number> = {};
+
+  for (const file of files) {
+    const ext = file.extension.toLowerCase();
+    const lang = getLanguageFromExtension(ext);
+    breakdown[lang] = (breakdown[lang] || 0) + 1;
+  }
+
+  return breakdown;
+}
+
+function getLanguageFromExtension(ext: string): string {
+  const map: Record<string, string> = {
+    ts: 'TypeScript',
+    js: 'JavaScript',
+    tsx: 'TypeScript',
+    jsx: 'JavaScript',
+    py: 'Python',
+    go: 'Go',
+    rs: 'Rust',
+    java: 'Java',
+    kt: 'Kotlin',
+    rb: 'Ruby',
+    php: 'PHP',
+    cs: 'C#',
+    cpp: 'C++',
+    c: 'C',
+    h: 'C',
+    json: 'JSON',
+    yaml: 'YAML',
+    yml: 'YAML',
+    md: 'Markdown',
+    html: 'HTML',
+    css: 'CSS',
+    scss: 'SCSS',
+    sql: 'SQL',
+    sh: 'Shell',
+  };
+
+  return map[ext] || 'Other';
+}
+
+function isBinaryFile(filePath: string): boolean {
+  const binaryExtensions = [
+    '.exe',
+    '.dll',
+    '.so',
+    '.dylib',
+    '.bin',
+    '.png',
+    '.jpg',
+    '.jpeg',
+    '.gif',
+    '.pdf',
+    '.zip',
+    '.tar',
+    '.gz',
+    '.7z',
+    '.woff',
+    '.woff2',
+    '.ttf',
+    '.eot',
+  ];
+
+  const ext = filePath.split('.').pop()?.toLowerCase();
+  return ext ? binaryExtensions.includes('.' + ext) : false;
+}
+
+function hashString(str: string): string {
+  return crypto.createHash('sha256').update(str).digest('hex');
+}

package/src/commands/upload.ts

@@ -0,0 +1,241 @@
+import { readFileSync } from 'fs';
+import ora from 'ora';
+import chalk from 'chalk';
+import readline from 'readline';
+
+const supabaseUrl = process.env.SUPABASE_URL || 'https://qhonrrojtqklvlkvfswb.supabase.co';
+const supabaseAnonKey = process.env.SUPABASE_ANON_KEY || ''; // Must be set in environment
+
+// Fetch projects from Supabase
+async function fetchProjects(): Promise<any[]> {
+  try {
+    const res = await fetch(`${supabaseUrl}/rest/v1/projects?select=id,name,created_at&order=created_at.desc`, {
+      headers: { 'apikey': supabaseAnonKey, 'Authorization': `Bearer ${supabaseAnonKey}` },
+    });
+    if (res.ok) {
+      const data = await res.json() as any[];
+      return data;
+    }
+    return [];
+  } catch {
+    return [];
+  }
+}
+
+// Create new project in Supabase
+async function createProject(name: string): Promise<string | null> {
+  try {
+    const res = await fetch(`${supabaseUrl}/rest/v1/projects`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'apikey': supabaseAnonKey,
+        'Authorization': `Bearer ${supabaseAnonKey}`,
+        'Prefer': 'return=representation',
+      },
+      body: JSON.stringify({
+        name,
+        user_id: '00000000-0000-0000-0000-000000000001', // Default user
+      }),
+    });
+    if (res.ok) {
+      const data = await res.json() as any[];
+      return data[0]?.id || null;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// Interactive prompt
+function askQuestion(question: string): Promise<string> {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer);
+    });
+  });
+}
+
+// Select or create project
+async function selectOrCreateProject(): Promise<string | null> {
+  console.log(chalk.blue('\n📁 Loading projects...\n'));
+  
+  const projects = await fetchProjects();
+  
+  if (projects.length === 0) {
+    console.log(chalk.yellow('No projects found.\n'));
+    const answer = await askQuestion('Do you want to create a new project? (y/n): ');
+    if (answer.toLowerCase() === 'y') {
+      const name = await askQuestion('Enter project name: ');
+      if (name.trim()) {
+        const projectId = await createProject(name.trim());
+        if (projectId) {
+          console.log(chalk.green(`\n✅ Project "${name}" created successfully!`));
+          return projectId;
+        }
+      }
+    }
+    return null;
+  }
+  
+  // Display projects
+  console.log(chalk.white('Select a project:\n'));
+  console.log(chalk.gray('0. [+] Create new project\n'));
+  
+  projects.forEach((p, i) => {
+    console.log(chalk.white(`${i + 1}. ${p.name}`));
+    console.log(chalk.gray(`   ID: ${p.id}`));
+    console.log(chalk.gray(`   Created: ${new Date(p.created_at).toLocaleDateString()}\n`));
+  });
+  
+  const answer = await askQuestion('Enter number (0-' + projects.length + '): ');
+  const choice = parseInt(answer, 10);
+  
+  if (choice === 0) {
+    // Create new project
+    const name = await askQuestion('\nEnter project name: ');
+    if (name.trim()) {
+      const projectId = await createProject(name.trim());
+      if (projectId) {
+        console.log(chalk.green(`\n✅ Project "${name}" created successfully!`));
+        return projectId;
+      }
+    }
+    return null;
+  } else if (choice > 0 && choice <= projects.length) {
+    // Select existing project
+    const selected = projects[choice - 1];
+    console.log(chalk.green(`\n✅ Selected project: "${selected.name}"`));
+    return selected.id;
+  } else {
+    console.log(chalk.red('\n❌ Invalid selection'));
+    return null;
+  }
+}
+
+export async function uploadCommand(options: {
+  file: string;
+  projectId?: string;
+  apiKey?: string;
+}): Promise<void> {
+  const spinner = ora('Preparing upload...').start();
+
+  try {
+    const fs = await import('fs/promises');
+    const snapshotData = await fs.readFile(options.file, 'utf-8');
+    const snapshot = JSON.parse(snapshotData);
+
+    // Determine project ID
+    let projectId: string | undefined = options.projectId;
+    
+    if (!projectId) {
+      spinner.stop();
+      const selectedProjectId = await selectOrCreateProject();
+      if (!selectedProjectId) {
+        console.log(chalk.red('\n❌ No project selected. Exiting.'));
+        process.exit(1);
+      }
+      projectId = selectedProjectId;
+      spinner.start('Uploading snapshot...');
+    }
+
+    // 1. Create snapshot
+    spinner.text = 'Creating snapshot...';
+    const snapshotRes = await fetch(`${supabaseUrl}/rest/v1/snapshots`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'apikey': supabaseAnonKey,
+        'Authorization': `Bearer ${supabaseAnonKey}`,
+        'Prefer': 'return=representation',
+      },
+      body: JSON.stringify({
+        project_id: projectId,
+        file_count: snapshot.metadata.total_files,
+        size_mb: snapshot.metadata.total_size_bytes / (1024 * 1024),
+        storage_path: 'local://' + projectId,
+      }),
+    });
+
+    if (!snapshotRes.ok) {
+      const error = await snapshotRes.json() as any;
+      spinner.fail('Failed to create snapshot');
+      console.error(chalk.red(`Error: ${error.message || error.details || 'Unknown error'}`));
+      process.exit(1);
+    }
+
+    const snapshotData2 = await snapshotRes.json() as any[];
+    const snapshotId = snapshotData2[0]?.id || snapshotData2[0]?.id;
+
+    // 2. Run analysis locally
+    spinner.text = 'Analyzing snapshot...';
+    const { CoreEngine } = await import('@veestack-tools/engine');
+    const { RULES } = await import('@veestack-tools/engine');
+    
+    const engine = new CoreEngine();
+    RULES.forEach((rule: any) => engine.registerRule(rule));
+    const result = await engine.analyze(snapshot);
+
+    if (!result.success) {
+      spinner.fail('Analysis failed');
+      console.error(chalk.red('Error:', result.error));
+      process.exit(1);
+    }
+
+    // 3. Create report
+    spinner.text = 'Creating report...';
+    const reportRes = await fetch(`${supabaseUrl}/rest/v1/reports`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'apikey': supabaseAnonKey,
+        'Authorization': `Bearer ${supabaseAnonKey}`,
+        'Prefer': 'return=representation',
+      },
+      body: JSON.stringify({
+        snapshot_id: snapshotId,
+        score: result.report.total_score,
+        issues_count: result.report.summary.total_findings,
+        critical_count: result.report.summary.critical_count,
+        high_count: result.report.summary.high_count,
+        medium_count: result.report.summary.medium_count,
+        low_count: result.report.summary.low_count,
+        execution_time_ms: 0,
+        report_json: result.report,
+      }),
+    });
+
+    if (!reportRes.ok) {
+      const error = await reportRes.json() as any;
+      spinner.fail('Failed to create report');
+      console.error(chalk.red(`Error: ${error.message || error.details || 'Unknown error'}`));
+      process.exit(1);
+    }
+
+    const reportData = await reportRes.json() as any[];
+    const reportId = reportData[0]?.id || reportData[0]?.id;
+
+    spinner.succeed('Analysis complete');
+
+    console.log(chalk.green('\n✅ Report generated and saved to VeeStack'));
+    console.log(chalk.gray('Project ID:'), projectId);
+    console.log(chalk.gray('Snapshot ID:'), snapshotId);
+    console.log(chalk.gray('Report ID:'), reportId);
+    console.log(chalk.bold('\n📊 Score:'), result.report.total_score);
+    console.log(chalk.gray('Severity:'), result.report.severity_band);
+    console.log(chalk.gray('Findings:'), result.report.summary.total_findings);
+    
+    console.log(chalk.blue('\n🔗 View your report at:'));
+    console.log(chalk.underline(`http://localhost:3001/reports/${reportId}?project=${projectId}`));
+  } catch (error) {
+    spinner.fail('Upload failed');
+    console.error(error);
+    process.exit(1);
+  }
+}

package/src/index.ts

@@ -0,0 +1,36 @@
+#!/usr/bin/env node
+
+import { Command } from 'commander';
+import { scanCommand } from './commands/scan';
+import { uploadCommand } from './commands/upload';
+import { loginCommand } from './commands/login';
+
+const program = new Command();
+
+program
+  .name('veestack')
+  .description('VeeStack CLI - Technical Stack Visibility Tool')
+  .version('3.0.1');
+
+program
+  .command('scan')
+  .description('Scan a project directory and generate analysis')
+  .option('-p, --path <path>', 'Path to project directory', '.')
+  .option('-o, --output <path>', 'Output file path', 'snapshot.json')
+  .option('--ci', 'CI mode (no interactive prompts)')
+  .action(scanCommand);
+
+program
+  .command('upload')
+  .description('Upload a snapshot to VeeStack server')
+  .option('-f, --file <path>', 'Snapshot file path', 'snapshot.json')
+  .option('-p, --project-id <id>', 'Project ID')
+  .action(uploadCommand);
+
+program
+  .command('login')
+  .description('Authenticate with VeeStack server')
+  .option('-k, --key <apiKey>', 'API key')
+  .action(loginCommand);
+
+program.parse();

package/src/wasm/license.ts

@@ -0,0 +1,181 @@
+import crypto from 'crypto';
+import fs from 'fs';
+import path from 'path';
+import { WasmEngineLoader, type WasmSnapshot, type WasmFileInfo, type WasmDependency, type WasmMetadata } from '../wasm/loader.js';
+
+const LICENSE_FILE = '.veestack/license.key';
+const SESSION_FILE = '.veestack/session.json';
+
+export interface LicenseData {
+  key: string;
+  hardware_id: string;
+  issued_at: string;
+  expires_at: string;
+  tier: 'free' | 'pro' | 'enterprise';
+  features: string[];
+}
+
+export class LicenseManager {
+  private projectPath: string;
+  private licenseData: LicenseData | null = null;
+
+  constructor(projectPath: string = '.') {
+    this.projectPath = projectPath;
+  }
+
+  /**
+   * Check if valid license exists
+   */
+  async hasValidLicense(): Promise<boolean> {
+    const licensePath = path.join(this.projectPath, LICENSE_FILE);
+    
+    if (!fs.existsSync(licensePath)) {
+      return false;
+    }
+
+    try {
+      const data = fs.readFileSync(licensePath, 'utf-8');
+      this.licenseData = JSON.parse(data);
+      
+      // Validate hardware binding
+      const currentHardwareId = this.generateHardwareId();
+      if (this.licenseData?.hardware_id !== currentHardwareId) {
+        console.warn('⚠️  License bound to different machine');
+        return false;
+      }
+
+      // Check expiration
+      if (this.licenseData?.expires_at) {
+        const expiry = new Date(this.licenseData.expires_at);
+        if (expiry < new Date()) {
+          console.warn('⚠️  License has expired');
+          return false;
+        }
+      }
+
+      return true;
+    } catch (error) {
+      console.error('❌ Error reading license:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Get license key
+   */
+  getLicenseKey(): string | null {
+    return this.licenseData?.key || null;
+  }
+
+  /**
+   * Get license tier
+   */
+  getLicenseTier(): string {
+    return this.licenseData?.tier || 'free';
+  }
+
+  /**
+   * Validate license with remote server
+   */
+  async validateWithServer(apiUrl: string, apiKey: string): Promise<boolean> {
+    if (!this.licenseData) return false;
+
+    try {
+      const response = await fetch(`${apiUrl}/functions/v1/validate-license`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({
+          license_key: this.licenseData.key,
+          hardware_id: this.licenseData.hardware_id
+        })
+      });
+
+      if (!response.ok) return false;
+      
+      const result = await response.json() as { valid: boolean };
+      return result.valid === true;
+    } catch (error) {
+      console.error('❌ License validation error:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Generate hardware fingerprint
+   */
+  generateHardwareId(): string {
+    const components = [
+      process.platform,
+      process.arch,
+      process.version,
+      require('os').hostname(),
+      require('os').userInfo().username,
+      'veestack-v1'
+    ];
+    
+    const combined = components.join('|');
+    return crypto.createHash('sha256').update(combined).digest('hex');
+  }
+
+  /**
+   * Save license to file
+   */
+  async saveLicense(licenseData: LicenseData): Promise<void> {
+    const licenseDir = path.dirname(path.join(this.projectPath, LICENSE_FILE));
+    
+    if (!fs.existsSync(licenseDir)) {
+      fs.mkdirSync(licenseDir, { recursive: true });
+    }
+
+    fs.writeFileSync(
+      path.join(this.projectPath, LICENSE_FILE),
+      JSON.stringify(licenseData, null, 2)
+    );
+    
+    this.licenseData = licenseData;
+  }
+
+  /**
+   * Get or create session
+   */
+  getOrCreateSession(): { sessionId: string; isNew: boolean } {
+    const sessionPath = path.join(this.projectPath, SESSION_FILE);
+    
+    if (fs.existsSync(sessionPath)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(sessionPath, 'utf-8'));
+        
+        // Check if session is still valid (24 hours)
+        const created = new Date(data.created_at);
+        const now = new Date();
+        const hoursDiff = (now.getTime() - created.getTime()) / (1000 * 60 * 60);
+        
+        if (hoursDiff < 24) {
+          return { sessionId: data.session_id, isNew: false };
+        }
+      } catch {
+        // Invalid session file, create new
+      }
+    }
+
+    // Create new session
+    const sessionId = crypto.randomUUID();
+    const sessionData = {
+      session_id: sessionId,
+      created_at: new Date().toISOString(),
+      hardware_id: this.generateHardwareId()
+    };
+
+    const sessionDir = path.dirname(sessionPath);
+    if (!fs.existsSync(sessionDir)) {
+      fs.mkdirSync(sessionDir, { recursive: true });
+    }
+
+    fs.writeFileSync(sessionPath, JSON.stringify(sessionData, null, 2));
+    
+    return { sessionId, isNew: true };
+  }
+}

package/src/wasm/loader.ts

@@ -0,0 +1,409 @@
+import fs from 'fs';
+import path from 'path';
+import crypto from 'crypto';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+export interface WasmEngineConfig {
+  apiUrl: string;
+  apiKey: string;
+  licenseKey?: string;
+  sessionId: string;
+}
+
+export interface RemoteRulesResponse {
+  success: boolean;
+  rules_version: string;
+  rules_count: number;
+  encrypted_rules: string;
+  encrypted_session_key: string;
+  expires_at: string;
+  licensed: boolean;
+}
+
+export interface WasmAnalysisResult {
+  findings: WasmFinding[];
+  metrics: WasmMetrics;
+  execution_time_ms: number;
+}
+
+export interface WasmFinding {
+  rule_id: string;
+  file_path: string;
+  line_number: number;
+  severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+  message: string;
+  context_hash: string;
+}
+
+export interface WasmMetrics {
+  files_scanned: number;
+  rules_applied: number;
+  patterns_matched: number;
+}
+
+export interface WasmSnapshot {
+  version: string;
+  project_id: string;
+  files: WasmFileInfo[];
+  dependencies: WasmDependency[];
+  metadata: WasmMetadata;
+}
+
+export interface WasmFileInfo {
+  path: string;
+  path_hash: string;
+  content_hash: string;
+  extension: string;
+  size_bytes: number;
+  estimated_lines: number;
+  depth: number;
+}
+
+export interface WasmDependency {
+  name_hash: string;
+  version_major: number;
+  version_minor: number;
+  category: 'dev' | 'prod' | 'peer';
+}
+
+export interface WasmMetadata {
+  total_files: number;
+  total_dependencies: number;
+  framework: string;
+  language: string;
+}
+
+export class WasmEngineLoader {
+  private config: WasmEngineConfig;
+  private wasmModule: WebAssembly.Module | null = null;
+  private wasmInstance: WebAssembly.Instance | null = null;
+  private sessionKey: string = '';
+  private rules: any[] = [];
+
+  constructor(config: WasmEngineConfig) {
+    this.config = config;
+  }
+
+  /**
+   * Load and initialize the WASM engine
+   */
+  async initialize(): Promise<boolean> {
+    try {
+      // Find WASM file path
+      const wasmPath = this.findWasmFile();
+      
+      if (!wasmPath) {
+        console.error('❌ WASM engine not found');
+        return false;
+      }
+
+      // Read WASM file
+      const wasmBuffer = fs.readFileSync(wasmPath);
+      
+      // Compile WASM module
+      this.wasmModule = await WebAssembly.compile(wasmBuffer);
+      
+      // Create import object with required imports
+      const importObject = {
+        env: {
+          memory: new WebAssembly.Memory({ initial: 256, maximum: 512 }),
+          __memory_base: 0,
+          __table_base: 0,
+          abort: (msg: number, file: number, line: number, column: number) => {
+            console.error(`WASM abort: ${msg} at ${file}:${line}:${column}`);
+          },
+          // Add console.log for debugging
+          log: (ptr: number, len: number) => {
+            const memory = (this.wasmInstance?.exports.memory as WebAssembly.Memory);
+            if (memory) {
+              const bytes = new Uint8Array(memory.buffer, ptr, len);
+              const message = new TextDecoder().decode(bytes);
+              console.log(`[WASM] ${message}`);
+            }
+          }
+        },
+        console: {
+          log: (message: string) => {
+            console.log(`[WASM Engine] ${message}`);
+          }
+        }
+      };
+
+      // Instantiate WASM module
+      this.wasmInstance = await WebAssembly.instantiate(this.wasmModule, importObject);
+      
+      console.log('✅ WASM engine initialized successfully');
+      return true;
+    } catch (error) {
+      console.error('❌ Failed to initialize WASM engine:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Fetch encrypted rules from remote server
+   */
+  async fetchRemoteRules(framework: string, language: string): Promise<boolean> {
+    try {
+      const response = await fetch(`${this.config.apiUrl}/functions/v1/rules`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${this.config.apiKey}`
+        },
+        body: JSON.stringify({
+          framework,
+          language,
+          version: '1.0.0',
+          session_id: this.config.sessionId,
+          license_key: this.config.licenseKey
+        })
+      });
+
+      if (!response.ok) {
+        const error = await response.text();
+        console.error('❌ Failed to fetch rules:', error);
+        return false;
+      }
+
+      const data: RemoteRulesResponse = await response.json();
+      
+      if (!data.success) {
+        console.error('❌ Rules API returned unsuccessful response');
+        return false;
+      }
+
+      // Decrypt session key
+      this.sessionKey = this.decryptSessionKey(data.encrypted_session_key);
+      
+      // Decrypt rules
+      const decryptedRules = this.decryptRules(data.encrypted_rules);
+      this.rules = JSON.parse(decryptedRules);
+      
+      console.log(`✅ Loaded ${this.rules.length} security rules (v${data.rules_version})`);
+      
+      return true;
+    } catch (error) {
+      console.error('❌ Error fetching remote rules:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Analyze a snapshot using WASM engine
+   */
+  async analyzeSnapshot(
+    snapshot: WasmSnapshot,
+    fileContents: Map<string, string>
+  ): Promise<WasmAnalysisResult | null> {
+    if (!this.wasmInstance) {
+      console.error('❌ WASM engine not initialized');
+      return null;
+    }
+
+    try {
+      const exports = this.wasmInstance.exports as any;
+
+      // Initialize session in WASM
+      const encryptedKey = this.encryptString(this.sessionKey);
+      
+      // Convert strings to WASM memory
+      const snapshotJson = JSON.stringify(snapshot);
+      const contentsJson = JSON.stringify(Object.fromEntries(fileContents));
+      
+      // Allocate memory for input
+      const snapshotPtr = this.allocateString(snapshotJson);
+      const contentsPtr = this.allocateString(contentsJson);
+      const sessionPtr = this.allocateString(encryptedKey);
+      
+      // Call WASM functions
+      const initResult = exports.initialize_session(sessionPtr);
+      if (!initResult) {
+        console.error('❌ Failed to initialize WASM session');
+        return null;
+      }
+
+      // Load encrypted rules into WASM
+      const rulesJson = JSON.stringify(this.rules);
+      const encryptedRules = this.encryptString(rulesJson);
+      const rulesPtr = this.allocateString(encryptedRules);
+      
+      const loadResult = exports.load_rules(rulesPtr);
+      if (loadResult !== 0) {
+        console.error('❌ Failed to load rules into WASM');
+        return null;
+      }
+
+      // Run analysis
+      const resultPtr = exports.analyze_snapshot(snapshotPtr, contentsPtr);
+      
+      // Read result from WASM memory
+      const resultJson = this.readString(resultPtr);
+      
+      // Free allocated memory (if WASM exports free function)
+      if (exports.free) {
+        exports.free(snapshotPtr);
+        exports.free(contentsPtr);
+        exports.free(sessionPtr);
+        exports.free(rulesPtr);
+        exports.free(resultPtr);
+      }
+
+      // Parse result
+      const result: WasmAnalysisResult = JSON.parse(resultJson);
+      
+      return result;
+    } catch (error) {
+      console.error('❌ Analysis error:', error);
+      return null;
+    }
+  }
+
+  /**
+   * Validate license key
+   */
+  validateLicense(hardwareId: string): boolean {
+    if (!this.wasmInstance) return false;
+    
+    try {
+      const exports = this.wasmInstance.exports as any;
+      const licensePtr = this.allocateString(this.config.licenseKey || '');
+      const hardwarePtr = this.allocateString(hardwareId);
+      
+      const result = exports.validate_license(licensePtr, hardwarePtr);
+      
+      return result === 1;
+    } catch (error) {
+      console.error('❌ License validation error:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Generate content fingerprint
+   */
+  generateFingerprint(content: string): string {
+    if (!this.wasmInstance) {
+      // Fallback to Node.js crypto
+      return crypto.createHash('sha256').update(content).digest('hex');
+    }
+    
+    try {
+      const exports = this.wasmInstance.exports as any;
+      const contentPtr = this.allocateString(content);
+      const resultPtr = exports.generate_fingerprint(contentPtr);
+      return this.readString(resultPtr);
+    } catch {
+      return crypto.createHash('sha256').update(content).digest('hex');
+    }
+  }
+
+  /**
+   * Generate unique session ID
+   */
+  static generateSessionId(): string {
+    return crypto.randomUUID();
+  }
+
+  /**
+   * Generate hardware fingerprint
+   */
+  static generateHardwareId(): string {
+    const components = [
+      process.platform,
+      process.arch,
+      process.version,
+      require('os').hostname(),
+      'veestack'
+    ];
+    
+    const combined = components.join('|');
+    return crypto.createHash('sha256').update(combined).digest('hex');
+  }
+
+  // Private helper methods
+
+  private findWasmFile(): string | null {
+    // Search for WASM file in multiple locations
+    const possiblePaths = [
+      path.join(__dirname, '../../wasm-engine/target/wasm32-unknown-unknown/release/veestack_wasm_engine.wasm'),
+      path.join(__dirname, '../engine.wasm'),
+      path.join(process.cwd(), 'node_modules/@veestack-tools/wasm-engine/engine.wasm'),
+      path.join(__dirname, '../../../wasm-engine/pkg/veestack_wasm_engine_bg.wasm'),
+    ];
+
+    for (const wasmPath of possiblePaths) {
+      if (fs.existsSync(wasmPath)) {
+        return wasmPath;
+      }
+    }
+
+    return null;
+  }
+
+  private allocateString(str: string): number {
+    if (!this.wasmInstance) return 0;
+    
+    const encoder = new TextEncoder();
+    const bytes = encoder.encode(str + '\0');
+    
+    const exports = this.wasmInstance.exports as any;
+    const ptr = exports.malloc ? exports.malloc(bytes.length) : 0;
+    
+    if (ptr === 0) {
+      // Fallback: use memory directly
+      const memory = exports.memory as WebAssembly.Memory;
+      const view = new Uint8Array(memory.buffer);
+      const offset = 1024; // Use a fixed offset
+      view.set(bytes, offset);
+      return offset;
+    }
+    
+    const memory = exports.memory as WebAssembly.Memory;
+    const view = new Uint8Array(memory.buffer);
+    view.set(bytes, ptr);
+    
+    return ptr;
+  }
+
+  private readString(ptr: number): string {
+    if (!this.wasmInstance) return '';
+    
+    const exports = this.wasmInstance.exports as any;
+    const memory = exports.memory as WebAssembly.Memory;
+    const view = new Uint8Array(memory.buffer);
+    
+    // Find null terminator
+    let end = ptr;
+    while (view[end] !== 0 && end < view.length) {
+      end++;
+    }
+    
+    const bytes = view.slice(ptr, end);
+    return new TextDecoder().decode(bytes);
+  }
+
+  private decryptSessionKey(encrypted: string): string {
+    const decoded = Buffer.from(encrypted, 'base64');
+    return decoded.toString('utf-8');
+  }
+
+  private decryptRules(encrypted: string): string {
+    const decoded = Buffer.from(encrypted, 'base64');
+    const key = Buffer.from(this.sessionKey);
+    
+    const decrypted = decoded.map((byte, i) => byte ^ key[i % key.length]);
+    return decrypted.toString('utf-8');
+  }
+
+  private encryptString(str: string): string {
+    const key = Buffer.from('veestack_session_key_2024');
+    const data = Buffer.from(str);
+    
+    const encrypted = data.map((byte, i) => byte ^ key[i % key.length]);
+    return encrypted.toString('base64');
+  }
+}

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "lib": ["ES2022"],
+    "moduleResolution": "bundler",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "types": ["node"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}

package/tsup.config.ts

@@ -0,0 +1,11 @@
+import { defineConfig } from 'tsup';
+
+export default defineConfig({
+  entry: ['src/index.ts'],
+  format: ['esm'],
+  dts: false,
+  clean: true,
+  external: ['@veestack/types', '@veestack/engine', '@veestack/utils'],
+  splitting: false,
+  // No banner here - we'll add shebang in package.json bin
+});