@westbayberry/dg 1.0.0

package/README.md

@@ -0,0 +1,90 @@
+# @westbayberry/dg
+
+Supply chain security scanner for npm dependencies. Detects malicious packages, typosquatting, dependency confusion, and 20+ attack patterns before they reach production.
+
+## Install
+
+```bash
+npm install -g @westbayberry/dg
+```
+
+Or run without installing:
+
+```bash
+npx @westbayberry/dg scan
+```
+
+## Quick Start
+
+1. Get your API key at [westbayberry.com/dashboard](https://westbayberry.com/dashboard)
+2. Run a scan:
+
+```bash
+export DG_API_KEY=dg_live_your_key_here
+dg scan
+```
+
+That's it. The CLI auto-detects changed packages by diffing your lockfile against the base branch.
+
+## Usage
+
+```
+dg scan [options]
+```
+
+### Options
+
+| Flag | Env Var | Default | Description |
+|------|---------|---------|-------------|
+| `--api-key <key>` | `DG_API_KEY` | *required* | Your API key |
+| `--mode <mode>` | `DG_MODE` | `warn` | `block` / `warn` / `off` |
+| `--block-threshold <n>` | | `70` | Score threshold for blocking |
+| `--warn-threshold <n>` | | `60` | Score threshold for warnings |
+| `--max-packages <n>` | | `200` | Max packages per scan |
+| `--allowlist <pkgs>` | `DG_ALLOWLIST` | | Comma-separated packages to skip |
+| `--json` | | | Output JSON for CI parsing |
+| `--scan-all` | | | Scan all packages, not just changed |
+| `--base-lockfile <path>` | | | Explicit base lockfile for diff |
+| `--api-url <url>` | `DG_API_URL` | `https://api.westbayberry.com` | API endpoint |
+
+### Exit Codes
+
+| Code | Meaning | CI Action |
+|------|---------|-----------|
+| `0` | Pass | Continue |
+| `1` | Warning | Advisory — review recommended |
+| `2` | Block | Fail the pipeline |
+
+## CI Examples
+
+### GitHub Actions
+
+```yaml
+- name: Scan dependencies
+  run: npx @westbayberry/dg scan --mode block
+  env:
+    DG_API_KEY: ${{ secrets.DG_API_KEY }}
+```
+
+### GitLab CI
+
+```yaml
+dependency-scan:
+  script:
+    - npx @westbayberry/dg scan --mode block
+  variables:
+    DG_API_KEY: $DG_API_KEY
+```
+
+### Any CI
+
+```bash
+export DG_API_KEY="$DG_API_KEY"
+npx @westbayberry/dg scan --mode block --json
+```
+
+## Links
+
+- [Dashboard & API Keys](https://westbayberry.com/dashboard)
+- [Documentation](https://westbayberry.com/docs)
+- [Pricing](https://westbayberry.com/pricing)

package/dist/index.js

@@ -0,0 +1,804 @@
+#!/usr/bin/env node
+/******/ (() => { // webpackBootstrap
+/******/ 	"use strict";
+/******/ 	var __webpack_modules__ = ({
+
+/***/ 879:
+/***/ ((__unused_webpack_module, exports) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.APIError = void 0;
+exports.callAnalyzeAPI = callAnalyzeAPI;
+class APIError extends Error {
+    constructor(message, statusCode, body) {
+        super(message);
+        this.statusCode = statusCode;
+        this.body = body;
+        this.name = "APIError";
+    }
+}
+exports.APIError = APIError;
+async function callAnalyzeAPI(packages, config) {
+    const url = `${config.apiUrl}/v1/analyze`;
+    const payload = {
+        packages: packages.map((p) => ({
+            name: p.name,
+            version: p.version,
+            previousVersion: p.previousVersion,
+            isNew: p.isNew,
+        })),
+        config: {
+            blockThreshold: config.blockThreshold,
+            warnThreshold: config.warnThreshold,
+        },
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 120000);
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${config.apiKey}`,
+                "User-Agent": "dependency-guardian-cli/1.0.0",
+            },
+            body: JSON.stringify(payload),
+            signal: controller.signal,
+        });
+    }
+    catch (error) {
+        clearTimeout(timeoutId);
+        if (error instanceof Error && error.name === "AbortError") {
+            throw new APIError("Request timed out after 120s. Try scanning fewer packages.", 408, "");
+        }
+        throw error;
+    }
+    clearTimeout(timeoutId);
+    if (response.status === 401) {
+        throw new APIError("Invalid API key. Check your --api-key or DG_API_KEY value.\n" +
+            "Get your key at https://westbayberry.com/dashboard", 401, "");
+    }
+    if (response.status === 429) {
+        throw new APIError("Rate limit exceeded. Upgrade your plan at https://westbayberry.com/pricing", 429, "");
+    }
+    if (!response.ok) {
+        const body = await response.text();
+        throw new APIError(`API returned ${response.status}: ${body}`, response.status, body);
+    }
+    return (await response.json());
+}
+
+
+/***/ }),
+
+/***/ 988:
+/***/ ((__unused_webpack_module, exports) => {
+
+
+/**
+ * Zero-dependency ANSI color helpers.
+ * Disabled when stdout is not a TTY or NO_COLOR is set.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.cyan = exports.yellow = exports.green = exports.red = exports.dim = exports.bold = void 0;
+const enabled = process.stdout.isTTY === true && !process.env.NO_COLOR;
+const wrap = (code, reset) => enabled ? (s) => `\x1b[${code}m${s}\x1b[${reset}m` : (s) => s;
+exports.bold = wrap("1", "22");
+exports.dim = wrap("2", "22");
+exports.red = wrap("31", "39");
+exports.green = wrap("32", "39");
+exports.yellow = wrap("33", "39");
+exports.cyan = wrap("36", "39");
+
+
+/***/ }),
+
+/***/ 973:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.USAGE = void 0;
+exports.parseConfig = parseConfig;
+exports.getVersion = getVersion;
+const node_util_1 = __nccwpck_require__(975);
+const node_fs_1 = __nccwpck_require__(24);
+const node_path_1 = __nccwpck_require__(760);
+const USAGE = `
+  Dependency Guardian — Supply chain security scanner
+
+  Usage:
+    dependency-guardian scan [options]
+    dg scan [options]
+
+  Commands:
+    scan          Scan dependencies for security risks (default)
+
+  Options:
+    --api-key <key>          API key (or set DG_API_KEY env var)
+    --api-url <url>          API base URL (default: https://api.westbayberry.com)
+    --mode <mode>            block | warn | off (default: warn)
+    --block-threshold <n>    Score threshold for blocking (default: 70)
+    --warn-threshold <n>     Score threshold for warnings (default: 60)
+    --max-packages <n>       Max packages per scan (default: 200)
+    --allowlist <pkgs>       Comma-separated package names to skip
+    --json                   Output JSON for CI parsing
+    --scan-all               Scan all packages, not just changed
+    --base-lockfile <path>   Path to base lockfile for explicit diff
+    --help                   Show this help message
+    --version                Show version number
+
+  Environment Variables:
+    DG_API_KEY               API key
+    DG_API_URL               API base URL
+    DG_MODE                  Mode (block/warn/off)
+    DG_ALLOWLIST             Comma-separated allowlist
+
+  Exit Codes:
+    0  pass    — No risks detected
+    1  warn    — Risks detected (advisory)
+    2  block   — High-risk packages detected
+
+  Examples:
+    DG_API_KEY=dg_live_xxx dg scan
+    dg scan --api-key dg_live_xxx --json
+    dg scan --scan-all --mode block
+    dg scan --base-lockfile ./main-lockfile.json
+`.trimStart();
+exports.USAGE = USAGE;
+function getVersion() {
+    try {
+        const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
+        return pkg.version ?? "1.0.0";
+    }
+    catch {
+        return "1.0.0";
+    }
+}
+function parseConfig(argv) {
+    const { values, positionals } = (0, node_util_1.parseArgs)({
+        args: argv.slice(2),
+        options: {
+            "api-key": { type: "string" },
+            "api-url": { type: "string" },
+            mode: { type: "string" },
+            "block-threshold": { type: "string" },
+            "warn-threshold": { type: "string" },
+            "max-packages": { type: "string" },
+            allowlist: { type: "string" },
+            json: { type: "boolean", default: false },
+            "scan-all": { type: "boolean", default: false },
+            "base-lockfile": { type: "string" },
+            help: { type: "boolean", default: false },
+            version: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: false,
+    });
+    if (values.help) {
+        process.stdout.write(USAGE);
+        process.exit(0);
+    }
+    if (values.version) {
+        process.stdout.write(`dependency-guardian v${getVersion()}\n`);
+        process.exit(0);
+    }
+    const command = positionals[0] ?? "scan";
+    const apiKey = values["api-key"] ??
+        process.env.DG_API_KEY ??
+        "";
+    if (!apiKey) {
+        process.stderr.write("Error: API key required. Set --api-key or DG_API_KEY environment variable.\n" +
+            "Get your key at https://westbayberry.com/dashboard\n");
+        process.exit(1);
+    }
+    const modeRaw = values.mode ??
+        process.env.DG_MODE ??
+        "warn";
+    if (!["block", "warn", "off"].includes(modeRaw)) {
+        process.stderr.write(`Error: Invalid mode "${modeRaw}". Must be block, warn, or off.\n`);
+        process.exit(1);
+    }
+    const allowlistRaw = values.allowlist ??
+        process.env.DG_ALLOWLIST ??
+        "";
+    return {
+        apiKey,
+        apiUrl: values["api-url"] ??
+            process.env.DG_API_URL ??
+            "https://api.westbayberry.com",
+        mode: modeRaw,
+        blockThreshold: Number(values["block-threshold"] ?? "70"),
+        warnThreshold: Number(values["warn-threshold"] ?? "60"),
+        maxPackages: Number(values["max-packages"] ?? "200"),
+        allowlist: allowlistRaw
+            .split(",")
+            .map((s) => s.trim())
+            .filter(Boolean),
+        json: values.json,
+        scanAll: values["scan-all"],
+        baseLockfile: values["base-lockfile"] ?? null,
+        command,
+    };
+}
+
+
+/***/ }),
+
+/***/ 746:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.discoverChanges = discoverChanges;
+const node_child_process_1 = __nccwpck_require__(421);
+const node_fs_1 = __nccwpck_require__(24);
+const node_path_1 = __nccwpck_require__(760);
+const parse_package_lock_1 = __nccwpck_require__(88);
+const diff_1 = __nccwpck_require__(229);
+const parse_package_json_1 = __nccwpck_require__(417);
+/**
+ * Discover changed (or all) packages by reading the local lockfile
+ * and comparing against a base.
+ */
+function discoverChanges(cwd, config) {
+    const lockfilePath = findLockfile(cwd);
+    if (!lockfilePath) {
+        throw new Error("No package-lock.json found. Run from your project root or use --base-lockfile.");
+    }
+    const headContent = (0, node_fs_1.readFileSync)(lockfilePath, "utf-8");
+    const headParsed = (0, parse_package_lock_1.parseLockfile)(headContent);
+    const directDeps = getDirectDeps(cwd);
+    // 1. --scan-all: treat everything as new
+    if (config.scanAll) {
+        const packages = [];
+        for (const [name, entry] of headParsed.packages) {
+            if (packages.length >= config.maxPackages)
+                break;
+            packages.push({
+                name,
+                version: entry.version,
+                previousVersion: null,
+                isNew: true,
+            });
+        }
+        return { packages, method: "scan-all", skipped: [] };
+    }
+    // 2. --base-lockfile: explicit diff
+    if (config.baseLockfile) {
+        if (!(0, node_fs_1.existsSync)(config.baseLockfile)) {
+            throw new Error(`Base lockfile not found: ${config.baseLockfile}`);
+        }
+        const baseContent = (0, node_fs_1.readFileSync)(config.baseLockfile, "utf-8");
+        const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
+        const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
+        return {
+            packages: diff.changes.map(toPackageInput),
+            method: "base-lockfile",
+            skipped: diff.skipped,
+        };
+    }
+    // 3. Git auto-diff
+    const baseContent = getGitBaseLockfile(cwd);
+    if (baseContent !== null) {
+        const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
+        const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
+        return {
+            packages: diff.changes.map(toPackageInput),
+            method: "git-diff",
+            skipped: diff.skipped,
+        };
+    }
+    // 4. Fallback: try package.json diff, else scan all
+    const pkgJsonPath = (0, node_path_1.join)(cwd, "package.json");
+    if ((0, node_fs_1.existsSync)(pkgJsonPath)) {
+        const headPkgJson = (0, node_fs_1.readFileSync)(pkgJsonPath, "utf-8");
+        const basePkgJson = getGitBaseFile(cwd, "package.json");
+        if (basePkgJson !== null) {
+            const diff = (0, parse_package_json_1.diffPackageJsons)(basePkgJson, headPkgJson, config.maxPackages);
+            return {
+                packages: diff.changes.map(toPackageInput),
+                method: "fallback",
+                skipped: [],
+            };
+        }
+    }
+    // Ultimate fallback: scan everything
+    const packages = [];
+    for (const [name, entry] of headParsed.packages) {
+        if (packages.length >= config.maxPackages)
+            break;
+        packages.push({
+            name,
+            version: entry.version,
+            previousVersion: null,
+            isNew: true,
+        });
+    }
+    return { packages, method: "fallback", skipped: [] };
+}
+function findLockfile(cwd) {
+    const candidates = ["package-lock.json", "npm-shrinkwrap.json"];
+    for (const name of candidates) {
+        const p = (0, node_path_1.join)(cwd, name);
+        if ((0, node_fs_1.existsSync)(p))
+            return p;
+    }
+    return null;
+}
+function getDirectDeps(cwd) {
+    try {
+        const content = (0, node_fs_1.readFileSync)((0, node_path_1.join)(cwd, "package.json"), "utf-8");
+        const pkg = JSON.parse(content);
+        return new Set([
+            ...Object.keys(pkg.dependencies ?? {}),
+            ...Object.keys(pkg.devDependencies ?? {}),
+        ]);
+    }
+    catch {
+        return new Set();
+    }
+}
+function getGitBaseLockfile(cwd) {
+    try {
+        const mergeBase = (0, node_child_process_1.execSync)("git merge-base HEAD main", {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+        if (!mergeBase)
+            return null;
+        return (0, node_child_process_1.execSync)(`git show ${mergeBase}:package-lock.json`, {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+    }
+    catch {
+        // Not a git repo, no main branch, or file doesn't exist at base
+        return null;
+    }
+}
+function getGitBaseFile(cwd, filename) {
+    try {
+        const mergeBase = (0, node_child_process_1.execSync)("git merge-base HEAD main", {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+        if (!mergeBase)
+            return null;
+        return (0, node_child_process_1.execSync)(`git show ${mergeBase}:${filename}`, {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+    }
+    catch {
+        return null;
+    }
+}
+function toPackageInput(change) {
+    return {
+        name: change.name,
+        version: change.newVersion,
+        previousVersion: change.oldVersion,
+        isNew: change.oldVersion === null,
+    };
+}
+
+
+/***/ }),
+
+/***/ 202:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.renderResult = renderResult;
+const color_1 = __nccwpck_require__(988);
+const SEVERITY_LABELS = {
+    5: "CRITICAL",
+    4: "HIGH",
+    3: "MEDIUM",
+    2: "LOW",
+    1: "INFO",
+};
+function severityColor(sev) {
+    if (sev >= 5)
+        return (s) => (0, color_1.bold)((0, color_1.red)(s));
+    if (sev >= 4)
+        return color_1.red;
+    if (sev >= 3)
+        return color_1.yellow;
+    if (sev >= 2)
+        return color_1.cyan;
+    return color_1.dim;
+}
+function actionColor(action) {
+    if (action === "block")
+        return color_1.red;
+    if (action === "warn")
+        return color_1.yellow;
+    return color_1.green;
+}
+function pad(s, len) {
+    return s + " ".repeat(Math.max(0, len - s.length));
+}
+function rpad(s, len) {
+    return " ".repeat(Math.max(0, len - s.length)) + s;
+}
+function renderResult(result, config) {
+    if (config.json) {
+        return JSON.stringify(result, null, 2);
+    }
+    const lines = [];
+    const actionStr = result.action.toUpperCase();
+    const colorAction = actionColor(result.action);
+    // Header
+    lines.push("");
+    lines.push(`  ${(0, color_1.bold)("Dependency Guardian")}`);
+    lines.push(`  Score: ${(0, color_1.bold)(String(result.score))}${" ".repeat(Math.max(1, 50 - String(result.score).length))}${colorAction(actionStr)}`);
+    lines.push("");
+    // Summary
+    const flagged = result.packages.filter((p) => p.score > 0).length;
+    const total = result.packages.length;
+    lines.push(`  ${total} package${total !== 1 ? "s" : ""} scanned, ${flagged} flagged`);
+    lines.push("");
+    if (total === 0) {
+        lines.push("  No packages to scan.");
+        lines.push("");
+        return lines.join("\n");
+    }
+    // Package table
+    const COL_NAME = 22;
+    const COL_VER = 22;
+    const COL_SCORE = 7;
+    lines.push(`  ${(0, color_1.dim)(pad("Package", COL_NAME))}${(0, color_1.dim)(pad("Version", COL_VER))}${(0, color_1.dim)(pad("Score", COL_SCORE))}${(0, color_1.dim)("Action")}`);
+    lines.push(`  ${(0, color_1.dim)(pad("\u2500".repeat(COL_NAME - 2), COL_NAME))}${(0, color_1.dim)(pad("\u2500".repeat(COL_VER - 2), COL_VER))}${(0, color_1.dim)(pad("\u2500".repeat(COL_SCORE - 2), COL_SCORE))}${(0, color_1.dim)("\u2500".repeat(6))}`);
+    // Sort: flagged first, then by score desc
+    const sorted = [...result.packages].sort((a, b) => b.score - a.score);
+    for (const pkg of sorted) {
+        const versionStr = pkg.version;
+        const safe = result.safeVersions[pkg.name];
+        const verDisplay = safe ? `${(0, color_1.dim)(safe + " \u2192 ")}${versionStr}` : versionStr;
+        const pkgAction = pkg.score >= config.blockThreshold
+            ? "BLOCK"
+            : pkg.score >= config.warnThreshold
+                ? "WARN"
+                : "pass";
+        const pkgColor = actionColor(pkg.score >= config.blockThreshold
+            ? "block"
+            : pkg.score >= config.warnThreshold
+                ? "warn"
+                : "pass");
+        lines.push(`  ${pad(truncate(pkg.name, COL_NAME - 2), COL_NAME)}${pad(verDisplay, COL_VER)}${rpad(String(pkg.score), COL_SCORE - 2)}  ${pkgColor(pkgAction)}`);
+    }
+    lines.push("");
+    // Detailed findings for flagged packages
+    const flaggedPkgs = sorted.filter((p) => p.score > 0);
+    for (const pkg of flaggedPkgs) {
+        lines.push(renderPackageDetail(pkg, result.safeVersions[pkg.name]));
+    }
+    // Duration
+    if (result.durationMs) {
+        lines.push(`  ${(0, color_1.dim)(`Completed in ${(result.durationMs / 1000).toFixed(1)}s`)}`);
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+function renderPackageDetail(pkg, safeVersion) {
+    const lines = [];
+    const header = `${pkg.name}@${pkg.version} (score: ${pkg.score})`;
+    const rule = "\u2500".repeat(Math.max(0, 50 - header.length));
+    lines.push(`  ${(0, color_1.dim)("\u2500\u2500")} ${(0, color_1.bold)(header)} ${(0, color_1.dim)(rule)}`);
+    lines.push("");
+    for (const finding of pkg.findings) {
+        // Skip low-severity informational findings in detail view
+        if (finding.severity <= 1 && !finding.critical)
+            continue;
+        const sevLabel = SEVERITY_LABELS[finding.severity] ?? "INFO";
+        const colorFn = severityColor(finding.severity);
+        lines.push(`  ${colorFn(pad(sevLabel, 10))}${finding.id} \u2014 ${finding.title} (sev ${finding.severity}, conf ${finding.confidence.toFixed(2)})`);
+        // Show up to 3 evidence lines
+        const evidenceLimit = 3;
+        for (let i = 0; i < Math.min(finding.evidence.length, evidenceLimit); i++) {
+            lines.push(`  ${" ".repeat(10)}${(0, color_1.dim)(truncate(finding.evidence[i], 80))}`);
+        }
+        if (finding.evidence.length > evidenceLimit) {
+            lines.push(`  ${" ".repeat(10)}${(0, color_1.dim)(`... and ${finding.evidence.length - evidenceLimit} more`)}`);
+        }
+        lines.push("");
+    }
+    if (safeVersion) {
+        lines.push(`  ${(0, color_1.green)(`Safe version: ${pkg.name}@${safeVersion}`)}`);
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+function truncate(s, max) {
+    if (s.length <= max)
+        return s;
+    return s.slice(0, max - 1) + "\u2026";
+}
+
+
+/***/ }),
+
+/***/ 229:
+/***/ ((__unused_webpack_module, exports) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.diffLockfiles = diffLockfiles;
+function diffLockfiles(base, head, maxPackages, directDeps) {
+    const allChanges = [];
+    for (const [name, headEntry] of head.packages) {
+        const baseEntry = base?.packages.get(name);
+        if (!baseEntry) {
+            allChanges.push({
+                name,
+                oldVersion: null,
+                newVersion: headEntry.version,
+                isDirect: directDeps?.has(name) ?? false,
+                isDev: headEntry.dev ?? false,
+            });
+        }
+        else if (baseEntry.version !== headEntry.version) {
+            allChanges.push({
+                name,
+                oldVersion: baseEntry.version,
+                newVersion: headEntry.version,
+                isDirect: directDeps?.has(name) ?? false,
+                isDev: headEntry.dev ?? false,
+            });
+        }
+    }
+    allChanges.sort((a, b) => {
+        if (a.isDirect !== b.isDirect)
+            return a.isDirect ? -1 : 1;
+        return a.name.localeCompare(b.name);
+    });
+    if (allChanges.length <= maxPackages) {
+        return { changes: allChanges, skipped: [] };
+    }
+    const changes = allChanges.slice(0, maxPackages);
+    const skipped = allChanges.slice(maxPackages).map((c) => c.name);
+    return { changes, skipped };
+}
+
+
+/***/ }),
+
+/***/ 417:
+/***/ ((__unused_webpack_module, exports) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.diffPackageJsons = diffPackageJsons;
+function diffPackageJsons(baseContent, headContent, maxPackages) {
+    const head = JSON.parse(headContent);
+    const headDeps = {
+        ...head.dependencies,
+        ...head.devDependencies,
+    };
+    let baseDeps = {};
+    if (baseContent) {
+        const base = JSON.parse(baseContent);
+        baseDeps = { ...base.dependencies, ...base.devDependencies };
+    }
+    const changes = [];
+    for (const [name, version] of Object.entries(headDeps)) {
+        if (changes.length >= maxPackages)
+            break;
+        const baseVersion = baseDeps[name];
+        const isDev = !!(head.devDependencies && head.devDependencies[name]);
+        if (!baseVersion) {
+            changes.push({
+                name,
+                oldVersion: null,
+                newVersion: version,
+                isDirect: true,
+                isDev,
+            });
+        }
+        else if (baseVersion !== version) {
+            changes.push({
+                name,
+                oldVersion: baseVersion,
+                newVersion: version,
+                isDirect: true,
+                isDev,
+            });
+        }
+    }
+    return { changes };
+}
+
+
+/***/ }),
+
+/***/ 88:
+/***/ ((__unused_webpack_module, exports) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.parseLockfile = parseLockfile;
+function parseLockfile(content) {
+    const json = JSON.parse(content);
+    const lockfileVersion = json.lockfileVersion ?? 1;
+    const packages = new Map();
+    if (lockfileVersion >= 2 && json.packages) {
+        for (const [path, entry] of Object.entries(json.packages)) {
+            if (path === "")
+                continue;
+            const name = extractPackageName(path);
+            if (name) {
+                const e = entry;
+                packages.set(name, {
+                    version: e.version ?? "",
+                    resolved: e.resolved,
+                    integrity: e.integrity,
+                    dev: e.dev,
+                });
+            }
+        }
+    }
+    else if (json.dependencies) {
+        parseLegacyDeps(json.dependencies, packages);
+    }
+    return { lockfileVersion, packages };
+}
+function extractPackageName(nodePath) {
+    const prefix = "node_modules/";
+    const lastIdx = nodePath.lastIndexOf(prefix);
+    if (lastIdx === -1)
+        return null;
+    const name = nodePath.slice(lastIdx + prefix.length);
+    return name || null;
+}
+function parseLegacyDeps(deps, packages, parentPrefix = "") {
+    for (const [name, value] of Object.entries(deps)) {
+        const fullName = parentPrefix ? `${parentPrefix}/${name}` : name;
+        const entry = value;
+        packages.set(fullName, {
+            version: entry.version ?? "",
+            resolved: entry.resolved,
+            integrity: entry.integrity,
+            dev: entry.dev,
+        });
+        if (entry.dependencies) {
+            parseLegacyDeps(entry.dependencies, packages);
+        }
+    }
+}
+
+
+/***/ }),
+
+/***/ 421:
+/***/ ((module) => {
+
+module.exports = require("node:child_process");
+
+/***/ }),
+
+/***/ 24:
+/***/ ((module) => {
+
+module.exports = require("node:fs");
+
+/***/ }),
+
+/***/ 760:
+/***/ ((module) => {
+
+module.exports = require("node:path");
+
+/***/ }),
+
+/***/ 975:
+/***/ ((module) => {
+
+module.exports = require("node:util");
+
+/***/ })
+
+/******/ 	});
+/************************************************************************/
+/******/ 	// The module cache
+/******/ 	var __webpack_module_cache__ = {};
+/******/ 	
+/******/ 	// The require function
+/******/ 	function __nccwpck_require__(moduleId) {
+/******/ 		// Check if module is in cache
+/******/ 		var cachedModule = __webpack_module_cache__[moduleId];
+/******/ 		if (cachedModule !== undefined) {
+/******/ 			return cachedModule.exports;
+/******/ 		}
+/******/ 		// Create a new module (and put it into the cache)
+/******/ 		var module = __webpack_module_cache__[moduleId] = {
+/******/ 			// no module.id needed
+/******/ 			// no module.loaded needed
+/******/ 			exports: {}
+/******/ 		};
+/******/ 	
+/******/ 		// Execute the module function
+/******/ 		var threw = true;
+/******/ 		try {
+/******/ 			__webpack_modules__[moduleId](module, module.exports, __nccwpck_require__);
+/******/ 			threw = false;
+/******/ 		} finally {
+/******/ 			if(threw) delete __webpack_module_cache__[moduleId];
+/******/ 		}
+/******/ 	
+/******/ 		// Return the exports of the module
+/******/ 		return module.exports;
+/******/ 	}
+/******/ 	
+/************************************************************************/
+/******/ 	/* webpack/runtime/compat */
+/******/ 	
+/******/ 	if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";
+/******/ 	
+/************************************************************************/
+var __webpack_exports__ = {};
+// This entry need to be wrapped in an IIFE because it uses a non-standard name for the exports (exports).
+(() => {
+var exports = __webpack_exports__;
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+const config_1 = __nccwpck_require__(973);
+const lockfile_1 = __nccwpck_require__(746);
+const api_1 = __nccwpck_require__(879);
+const output_1 = __nccwpck_require__(202);
+const color_1 = __nccwpck_require__(988);
+async function main() {
+    const config = (0, config_1.parseConfig)(process.argv);
+    if (config.mode === "off") {
+        process.stderr.write((0, color_1.dim)("  Dependency Guardian: mode is off — skipping.\n"));
+        process.exit(0);
+    }
+    // Discover packages
+    process.stderr.write((0, color_1.dim)("  Discovering package changes...\n"));
+    const discovery = (0, lockfile_1.discoverChanges)(process.cwd(), config);
+    if (discovery.packages.length === 0) {
+        process.stderr.write((0, color_1.dim)("  No package changes detected.\n"));
+        process.exit(0);
+    }
+    // Filter allowlist
+    const packages = discovery.packages.filter((p) => !config.allowlist.includes(p.name));
+    if (packages.length === 0) {
+        process.stderr.write((0, color_1.dim)("  All changed packages are allowlisted.\n"));
+        process.exit(0);
+    }
+    process.stderr.write((0, color_1.dim)(`  Scanning ${packages.length} package${packages.length !== 1 ? "s" : ""} (${discovery.method})...\n`));
+    if (discovery.skipped.length > 0) {
+        process.stderr.write((0, color_1.yellow)(`  Warning: ${discovery.skipped.length} package(s) skipped (max-packages=${config.maxPackages})\n`));
+    }
+    // Call Detection API
+    const result = await (0, api_1.callAnalyzeAPI)(packages, config);
+    // Render output
+    const output = (0, output_1.renderResult)(result, config);
+    process.stdout.write(output + "\n");
+    // Exit code
+    if (result.action === "block" && config.mode === "block") {
+        process.exit(2);
+    }
+    else if (result.action === "block" || result.action === "warn") {
+        process.exit(1);
+    }
+    process.exit(0);
+}
+main().catch((err) => {
+    process.stderr.write(`\n  ${(0, color_1.bold)((0, color_1.red)("Error:"))} ${err.message}\n\n`);
+    process.exit(1);
+});
+
+})();
+
+module.exports = __webpack_exports__;
+/******/ })()
+;

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@westbayberry/dg",
+  "version": "1.0.0",
+  "description": "Supply chain security scanner — scan npm dependencies in any CI or terminal",
+  "bin": {
+    "dependency-guardian": "./dist/index.js",
+    "dg": "./dist/index.js"
+  },
+  "files": ["dist"],
+  "license": "UNLICENSED",
+  "author": "WestBayBerry",
+  "homepage": "https://westbayberry.com",
+  "keywords": ["security", "npm", "supply-chain", "scanner", "cli", "dependencies"],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "npx ncc build src/bin.ts -o dist",
+    "dev": "npx tsx src/bin.ts",
+    "test": "vitest run",
+    "prepublishOnly": "npm run build && npm test"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "@vercel/ncc": "^0.38.4",
+    "typescript": "^5.9.3",
+    "vitest": "^3.0.0"
+  }
+}