@vibgrate/cli 1.0.30 → 1.0.31

package/dist/{baseline-AA2FVYAX.js → baseline-IWG6EIKC.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-T4GNX4OC.js";
-import "./chunk-XLRCQ476.js";
+} from "./chunk-BHUP76M7.js";
+import "./chunk-B4D6EY5P.js";
 export {
   baselineCommand,
   runBaseline

package/dist/{chunk-XLRCQ476.js → chunk-B4D6EY5P.js}

@@ -1015,6 +1015,11 @@ function formatExtended(ext) {
     if (ss.heuristicFindings.length > 0) {
       lines.push(`    ${chalk.red("Potential secret signals")}: ${ss.heuristicFindings.length}`);
     }
+    const missingNames = tools.filter((t) => !t.available).map((t) => t.name);
+    if (missingNames.length > 0) {
+      lines.push(`    ${chalk.dim("Install with:")} ${chalk.cyan(`brew install ${missingNames.join(" ")}`)}`);
+      lines.push(`    ${chalk.dim("Or run:")} ${chalk.cyan("vibgrate scan --install-tools")}`);
+    }
     lines.push("");
   }
   if (ext.platformMatrix) {
@@ -1643,7 +1648,7 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
 // src/commands/scan.ts
 import * as path20 from "path";
 import { Command as Command3 } from "commander";
-import chalk5 from "chalk";
+import chalk6 from "chalk";
 
 // src/scanners/node-scanner.ts
 import * as path5 from "path";
@@ -5955,6 +5960,98 @@ async function scanOwaspCategoryMapping(rootDir, cache, options = {}, runner = r
   };
 }
 
+// src/utils/tool-installer.ts
+import { spawn as spawn4 } from "child_process";
+import chalk5 from "chalk";
+var SECURITY_TOOLS = [
+  { name: "semgrep", command: "semgrep", brew: "semgrep", winget: null, scoop: null, pip: "semgrep" },
+  { name: "gitleaks", command: "gitleaks", brew: "gitleaks", winget: "gitleaks.gitleaks", scoop: "gitleaks", pip: null },
+  { name: "trufflehog", command: "trufflehog", brew: "trufflehog", winget: null, scoop: "trufflehog", pip: null }
+];
+var IS_WIN = process.platform === "win32";
+function runCommand(cmd, args) {
+  return new Promise((resolve9) => {
+    const child = spawn4(cmd, args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      shell: IS_WIN
+      // required for .cmd/.ps1 wrappers on Windows
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (d) => {
+      stdout += d.toString();
+    });
+    child.stderr.on("data", (d) => {
+      stderr += d.toString();
+    });
+    child.on("error", () => resolve9({ exitCode: 127, stdout, stderr }));
+    child.on("close", (code) => resolve9({ exitCode: code ?? 1, stdout, stderr }));
+  });
+}
+async function commandExists(command) {
+  const checker = IS_WIN ? "where" : "which";
+  const { exitCode } = await runCommand(checker, [command]);
+  return exitCode === 0;
+}
+async function tryInstall(tool, strategies, log) {
+  for (const { pm, args } of strategies) {
+    log(chalk5.dim(`    ${pm} ${args.join(" ")}\u2026`));
+    const { exitCode, stderr } = await runCommand(pm, args);
+    if (exitCode === 0) {
+      log(`    ${chalk5.green("\u2714")} ${tool.name} installed via ${pm}`);
+      return { ok: true, pm };
+    }
+    const hint = stderr.split("\n").find((l) => l.trim().length > 0) ?? "";
+    log(chalk5.dim(`    ${pm} failed${hint ? `: ${hint.trim()}` : ""}`));
+  }
+  return { ok: false, pm: "" };
+}
+async function installMissingTools(log = (m) => process.stderr.write(m + "\n")) {
+  const result = { installed: [], failed: [], skipped: [], packageManager: null };
+  const missing = [];
+  for (const tool of SECURITY_TOOLS) {
+    if (!await commandExists(tool.command)) {
+      missing.push(tool);
+    }
+  }
+  if (missing.length === 0) return result;
+  const [hasBrew, hasWinget, hasScoop, hasPipx, hasPip] = await Promise.all([
+    commandExists("brew"),
+    IS_WIN ? commandExists("winget") : Promise.resolve(false),
+    IS_WIN ? commandExists("scoop") : Promise.resolve(false),
+    commandExists("pipx"),
+    commandExists("pip")
+  ]);
+  log(chalk5.dim(`  Installing ${missing.map((t) => t.name).join(", ")}\u2026`));
+  for (const tool of missing) {
+    const strategies = [];
+    if (!IS_WIN) {
+      if (hasBrew) strategies.push({ pm: "brew", args: ["install", tool.brew] });
+      if (tool.pip && hasPipx) strategies.push({ pm: "pipx", args: ["install", tool.pip] });
+      if (tool.pip && hasPip) strategies.push({ pm: "pip", args: ["install", tool.pip] });
+    } else {
+      if (tool.winget && hasWinget) strategies.push({ pm: "winget", args: ["install", "--id", tool.winget, "-e", "--accept-source-agreements", "--accept-package-agreements"] });
+      if (tool.scoop && hasScoop) strategies.push({ pm: "scoop", args: ["install", tool.scoop] });
+      if (tool.pip && hasPipx) strategies.push({ pm: "pipx", args: ["install", tool.pip] });
+      if (tool.pip && hasPip) strategies.push({ pm: "pip", args: ["install", tool.pip] });
+    }
+    if (strategies.length === 0) {
+      result.skipped.push(tool.name);
+      log(`    ${chalk5.yellow("\u26A0")} ${tool.name}: no supported package manager found`);
+      continue;
+    }
+    const { ok, pm } = await tryInstall(tool, strategies, log);
+    if (ok) {
+      result.installed.push(tool.name);
+      if (!result.packageManager) result.packageManager = pm;
+    } else {
+      result.failed.push(tool.name);
+      log(`    ${chalk5.red("\u2716")} ${tool.name}: all install methods failed`);
+    }
+  }
+  return result;
+}
+
 // src/commands/scan.ts
 async function runScan(rootDir, opts) {
   const scanStart = Date.now();
@@ -6001,14 +6098,14 @@ async function runScan(rootDir, opts) {
     progress.finish();
     const msg = [
       "",
-      chalk5.red.bold("  \u2716 Vibgrate cannot connect to the npm registry to check package versions."),
+      chalk6.red.bold("  \u2716 Vibgrate cannot connect to the npm registry to check package versions."),
       "",
-      chalk5.dim("    Possible causes:"),
-      chalk5.dim("    \u2022 No internet connection"),
-      chalk5.dim("    \u2022 Corporate proxy/firewall blocking registry.npmjs.org"),
-      chalk5.dim("    \u2022 npm is not installed or not in PATH"),
+      chalk6.dim("    Possible causes:"),
+      chalk6.dim("    \u2022 No internet connection"),
+      chalk6.dim("    \u2022 Corporate proxy/firewall blocking registry.npmjs.org"),
+      chalk6.dim("    \u2022 npm is not installed or not in PATH"),
       "",
-      chalk5.dim("    Try running: ") + chalk5.cyan("npm view npm dist-tags.latest"),
+      chalk6.dim("    Try running: ") + chalk6.cyan("npm view npm dist-tags.latest"),
       ""
     ].join("\n");
     console.error(msg);
@@ -6123,6 +6220,13 @@ async function runScan(rootDir, opts) {
       );
     }
     if (scanners?.securityScanners?.enabled !== false) {
+      if (opts.installTools) {
+        const installResult = await installMissingTools();
+        if (installResult.installed.length > 0) {
+          process.stderr.write(chalk6.dim(`  Installed: ${installResult.installed.join(", ")}
+`));
+        }
+      }
       progress.startStep("secscan");
       scannerTasks.push(
         scanSecurityScanners(rootDir, fileCache).then((result) => {
@@ -6265,35 +6369,35 @@ async function runScan(rootDir, opts) {
   const skippedLarge = fileCache.skippedLargeFiles;
   if (stuckPaths.length > 0) {
     console.log(
-      chalk5.yellow(`
+      chalk6.yellow(`
 \u26A0 ${stuckPaths.length} path${stuckPaths.length === 1 ? "" : "s"} timed out (>60s) and ${stuckPaths.length === 1 ? "was" : "were"} skipped:`)
     );
     for (const d of stuckPaths) {
-      console.log(chalk5.dim(`  \u2192 ${d}`));
+      console.log(chalk6.dim(`  \u2192 ${d}`));
     }
     const newExcludes = stuckPaths.map((d) => `${d}/**`);
     const updated = await appendExcludePatterns(rootDir, newExcludes);
     if (updated) {
-      console.log(chalk5.green("\u2714") + ` Added ${newExcludes.length} pattern${newExcludes.length !== 1 ? "s" : ""} to exclude list in config`);
+      console.log(chalk6.green("\u2714") + ` Added ${newExcludes.length} pattern${newExcludes.length !== 1 ? "s" : ""} to exclude list in config`);
     }
   }
   if (skippedLarge.length > 0) {
     const sizeLimit = config.maxFileSizeToScan ?? 5242880;
     const sizeMB = (sizeLimit / 1048576).toFixed(0);
     console.log(
-      chalk5.yellow(`
+      chalk6.yellow(`
 \u26A0 ${skippedLarge.length} file${skippedLarge.length === 1 ? "" : "s"} skipped (>${sizeMB} MB):`)
     );
     for (const f of skippedLarge.slice(0, 10)) {
-      console.log(chalk5.dim(`  \u2192 ${f}`));
+      console.log(chalk6.dim(`  \u2192 ${f}`));
     }
     if (skippedLarge.length > 10) {
-      console.log(chalk5.dim(`  \u2026 and ${skippedLarge.length - 10} more`));
+      console.log(chalk6.dim(`  \u2026 and ${skippedLarge.length - 10} more`));
     }
   }
   fileCache.clear();
   if (allProjects.length === 0) {
-    console.log(chalk5.yellow("No projects found."));
+    console.log(chalk6.yellow("No projects found."));
   }
   if (extended.fileHotspots) filesScanned += extended.fileHotspots.totalFiles;
   if (extended.securityPosture) filesScanned += 1;
@@ -6329,7 +6433,7 @@ async function runScan(rootDir, opts) {
         artifact.baseline = baselinePath;
         artifact.delta = artifact.drift.score - baseline.drift.score;
       } catch {
-        console.error(chalk5.yellow(`Warning: Could not read baseline file: ${baselinePath}`));
+        console.error(chalk6.yellow(`Warning: Could not read baseline file: ${baselinePath}`));
       }
     }
   }
@@ -6366,7 +6470,7 @@ async function runScan(rootDir, opts) {
     const jsonStr = JSON.stringify(artifact, null, 2);
     if (opts.out) {
       await writeTextFile(path20.resolve(opts.out), jsonStr);
-      console.log(chalk5.green("\u2714") + ` JSON written to ${opts.out}`);
+      console.log(chalk6.green("\u2714") + ` JSON written to ${opts.out}`);
     } else {
       console.log(jsonStr);
     }
@@ -6375,7 +6479,7 @@ async function runScan(rootDir, opts) {
     const sarifStr = JSON.stringify(sarif, null, 2);
     if (opts.out) {
       await writeTextFile(path20.resolve(opts.out), sarifStr);
-      console.log(chalk5.green("\u2714") + ` SARIF written to ${opts.out}`);
+      console.log(chalk6.green("\u2714") + ` SARIF written to ${opts.out}`);
     } else {
       console.log(sarifStr);
     }
@@ -6391,14 +6495,14 @@ async function runScan(rootDir, opts) {
 async function autoPush(artifact, rootDir, opts) {
   const dsn = opts.dsn || process.env.VIBGRATE_DSN;
   if (!dsn) {
-    console.error(chalk5.red("No DSN provided for push."));
-    console.error(chalk5.dim("Set VIBGRATE_DSN environment variable or use --dsn flag."));
+    console.error(chalk6.red("No DSN provided for push."));
+    console.error(chalk6.dim("Set VIBGRATE_DSN environment variable or use --dsn flag."));
     if (opts.strict) process.exit(1);
     return;
   }
   const parsed = parseDsn(dsn);
   if (!parsed) {
-    console.error(chalk5.red("Invalid DSN format."));
+    console.error(chalk6.red("Invalid DSN format."));
     if (opts.strict) process.exit(1);
     return;
   }
@@ -6409,13 +6513,13 @@ async function autoPush(artifact, rootDir, opts) {
     try {
       host = resolveIngestHost(opts.region);
     } catch (e) {
-      console.error(chalk5.red(e instanceof Error ? e.message : String(e)));
+      console.error(chalk6.red(e instanceof Error ? e.message : String(e)));
       if (opts.strict) process.exit(1);
       return;
     }
   }
   const url = `${parsed.scheme}://${host}/v1/ingest/scan`;
-  console.log(chalk5.dim(`Uploading to ${host}...`));
+  console.log(chalk6.dim(`Uploading to ${host}...`));
   try {
     const response = await fetch(url, {
       method: "POST",
@@ -6431,20 +6535,20 @@ async function autoPush(artifact, rootDir, opts) {
       throw new Error(`HTTP ${response.status}: ${text}`);
     }
     const result = await response.json();
-    console.log(chalk5.green("\u2714") + ` Uploaded successfully (${result.ingestId ?? "ok"})`);
+    console.log(chalk6.green("\u2714") + ` Uploaded successfully (${result.ingestId ?? "ok"})`);
     if (result.ingestId) {
-      console.log(chalk5.dim(`  See Dashboard for full report: `) + chalk5.cyan(`https://dash.vibgrate.com/${parsed.workspaceId}/scan/${result.ingestId}`));
+      console.log(chalk6.dim(`  See Dashboard for full report: `) + chalk6.cyan(`https://dash.vibgrate.com/${parsed.workspaceId}/scan/${result.ingestId}`));
     }
   } catch (e) {
     const msg = e instanceof Error ? e.message : String(e);
-    console.error(chalk5.red(`Upload failed: ${msg}`));
+    console.error(chalk6.red(`Upload failed: ${msg}`));
     if (opts.strict) process.exit(1);
   }
 }
-var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").action(async (targetPath, opts) => {
+var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").action(async (targetPath, opts) => {
   const rootDir = path20.resolve(targetPath);
   if (!await pathExists(rootDir)) {
-    console.error(chalk5.red(`Path does not exist: ${rootDir}`));
+    console.error(chalk6.red(`Path does not exist: ${rootDir}`));
     process.exit(1);
   }
   const scanOpts = {
@@ -6457,19 +6561,20 @@ var scanCommand = new Command3("scan").description("Scan a project for upgrade d
     push: opts.push,
     dsn: opts.dsn,
     region: opts.region,
-    strict: opts.strict
+    strict: opts.strict,
+    installTools: opts.installTools
   };
   const artifact = await runScan(rootDir, scanOpts);
   if (opts.failOn) {
     const hasErrors = artifact.findings.some((f) => f.level === "error");
     const hasWarnings = artifact.findings.some((f) => f.level === "warning");
     if (opts.failOn === "error" && hasErrors) {
-      console.error(chalk5.red(`
+      console.error(chalk6.red(`
 Failing: ${artifact.findings.filter((f) => f.level === "error").length} error finding(s) detected.`));
       process.exit(2);
     }
     if (opts.failOn === "warn" && (hasErrors || hasWarnings)) {
-      console.error(chalk5.red(`
+      console.error(chalk6.red(`
 Failing: findings detected at warn level or above.`));
       process.exit(2);
     }

package/dist/{chunk-T4GNX4OC.js → chunk-BHUP76M7.js}

@@ -1,7 +1,7 @@
 import {
   runScan,
   writeJsonFile
-} from "./chunk-XLRCQ476.js";
+} from "./chunk-B4D6EY5P.js";
 
 // src/commands/baseline.ts
 import * as path from "path";

package/dist/cli.js

@@ -4,7 +4,7 @@ import {
 } from "./chunk-GN3IWKSY.js";
 import {
   baselineCommand
-} from "./chunk-T4GNX4OC.js";
+} from "./chunk-BHUP76M7.js";
 import {
   VERSION,
   dsnCommand,
@@ -15,7 +15,7 @@ import {
   readJsonFile,
   scanCommand,
   writeDefaultConfig
-} from "./chunk-XLRCQ476.js";
+} from "./chunk-B4D6EY5P.js";
 
 // src/cli.ts
 import { Command as Command4 } from "commander";
@@ -38,7 +38,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-AA2FVYAX.js");
+    const { runBaseline } = await import("./baseline-IWG6EIKC.js");
     await runBaseline(rootDir);
   }
   console.log("");

package/dist/index.d.ts

@@ -103,6 +103,8 @@ interface ScanOptions {
     region?: string;
     /** Fail on push errors (like --strict on push command) */
     strict?: boolean;
+    /** Auto-install missing security tools via Homebrew */
+    installTools?: boolean;
 }
 interface ScannerToggle {
     enabled: boolean;

package/dist/index.js

@@ -7,7 +7,7 @@ import {
   formatText,
   generateFindings,
   runScan
-} from "./chunk-XLRCQ476.js";
+} from "./chunk-B4D6EY5P.js";
 export {
   computeDriftScore,
   formatMarkdown,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "1.0.30",
+  "version": "1.0.31",
   "description": "CLI for measuring upgrade drift across Node & .NET projects",
   "type": "module",
   "bin": {