@westbayberry/dg 1.0.13 → 1.0.16

package/README.md

@@ -1,6 +1,6 @@
 # @westbayberry/dg
 
-Supply chain security scanner for npm and Python dependencies. Detects malicious packages, typosquatting, dependency confusion, and 20+ attack patterns before they reach production.
+Supply chain security scanner for npm and Python dependencies. Scans lockfile changes against 26+ detectors to catch malicious packages, typosquatting, dependency confusion, credential theft, and obfuscated code before they reach production.
 
 ## Install
 
@@ -8,6 +8,8 @@ Supply chain security scanner for npm and Python dependencies. Detects malicious
 npm install -g @westbayberry/dg
 ```
 
+Requires Node.js 18+.
+
 ## Quick Start
 
 ```bash
@@ -15,48 +17,93 @@ dg login
 dg scan
 ```
 
-The CLI auto-discovers projects in your directory tree — npm lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and Python dependency files (requirements.txt, Pipfile.lock, poetry.lock). If multiple projects are found, you pick which ones to scan.
+The CLI walks your directory tree and finds npm lockfiles (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`) and Python dependency files (`requirements.txt`, `Pipfile.lock`, `poetry.lock`). If multiple projects are found, an interactive selector lets you pick which ones to scan.
+
+Only changed packages are scanned by default — `dg` diffs your lockfile against the git merge-base with `main` to find what's new or updated.
 
 ## Commands
 
 ```
-dg scan [options]        Scan dependencies (auto-discovers npm + Python projects)
-dg npm install <pkg>     Scan packages before installing
+dg scan [options]        Scan dependencies for supply chain threats
+dg npm install <pkg>     Scan packages before installing them
 dg login                 Authenticate with your WestBayBerry account
 dg logout                Remove saved credentials
-dg hook install          Install git pre-commit hook to scan lockfile changes
+dg hook install          Install git pre-commit hook
 dg hook uninstall        Remove the pre-commit hook
 dg update                Check for and install the latest version
 dg wrap                  Show instructions to alias npm to dg
 ```
 
-### Scan Options
+## What It Detects
+
+Each package is analyzed by 26+ detectors covering:
+
+| Category | Examples |
+|----------|----------|
+| **Code execution** | `child_process` spawning, `eval`/`Function` calls, shell command injection |
+| **Network exfiltration** | HTTP/WebSocket/DNS/gRPC calls, URL obfuscation, data exfil patterns |
+| **Credential theft** | Reading SSH keys, browser tokens, cloud credentials, `.npmrc`/`.pypirc` |
+| **Install scripts** | Suspicious `preinstall`/`postinstall` hooks, download-and-execute chains |
+| **Obfuscation** | Hex/unicode encoding, string reconstruction, phantom eval, minified payloads |
+| **Supply chain** | Typosquatting, dependency confusion, version squatting, borrowed repo URLs |
+| **Persistence** | Writing to shell configs, cron jobs, systemd units, SSH `authorized_keys` |
+| **Behavioral** | Time-gated payloads, purpose mismatch, runtime evasion, binary addons |
+| **Reputation** | Missing/fake GitHub repos, ghost packages, low download counts |
+
+Findings include severity (1–5), confidence (0–1), and code evidence with file paths and line numbers.
+
+## Scan Options
 
 | Flag | Default | Description |
 |------|---------|-------------|
 | `--mode <mode>` | `warn` | `block` / `warn` / `off` |
-| `--block-threshold <n>` | `70` | Score threshold for blocking |
-| `--warn-threshold <n>` | `60` | Score threshold for warnings |
+| `--block-threshold <n>` | `70` | Score threshold for blocking (0–100) |
+| `--warn-threshold <n>` | `60` | Score threshold for warnings (0–100) |
 | `--max-packages <n>` | `200` | Max packages per scan |
 | `--allowlist <pkgs>` | | Comma-separated packages to skip |
-| `--json` | | Output JSON for CI parsing |
+| `--json` | | Output raw JSON (for CI parsing) |
 | `--scan-all` | | Scan all packages, not just changed |
 | `--base-lockfile <path>` | | Explicit base lockfile for diff |
 | `--workspace <dir>` | | Scan a specific workspace subdirectory |
-| `--debug` | | Show diagnostic output |
+| `--debug` | | Show discovery, batching, and timing info |
 
-### Exit Codes
+## Exit Codes
 
 | Code | Meaning | CI Action |
 |------|---------|-----------|
 | `0` | Pass | Continue |
 | `1` | Warning | Advisory — review recommended |
 | `2` | Block | Fail the pipeline |
-| `3` | Error | Internal error |
+| `3` | Error | Internal error (auth, network, etc.) |
 
-## CI Setup
+## Configuration
+
+Settings can come from CLI flags, environment variables, or a `.dgrc.json` config file (searched in the current directory, then `~/`). CLI flags take highest precedence.
+
+### `.dgrc.json`
+
+```json
+{
+  "apiKey": "dg_...",
+  "mode": "block",
+  "blockThreshold": 70,
+  "warnThreshold": 60,
+  "maxPackages": 200,
+  "allowlist": ["known-safe-pkg"]
+}
+```
+
+### Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `DG_API_URL` | API base URL |
+| `DG_MODE` | `block` / `warn` / `off` |
+| `DG_ALLOWLIST` | Comma-separated allowlist |
+| `DG_DEBUG` | Set to `1` for diagnostic output |
+| `DG_WORKSPACE` | Workspace subdirectory |
 
-Authenticate first, then add the scan to your pipeline:
+## CI Setup
 
 ### GitHub Actions
 
@@ -74,6 +121,18 @@ npx @westbayberry/dg login
 npx @westbayberry/dg scan --mode block --json
 ```
 
+The `--json` flag outputs machine-readable results. Exit code `2` signals a blocked scan — wire it into your pipeline to fail the build.
+
+### Monorepo / Workspace
+
+Scan a specific workspace:
+
+```bash
+dg scan --workspace packages/api
+```
+
+Or let `dg` discover all projects and pick interactively.
+
 ## Git Hook
 
 Block commits that introduce risky dependencies:
@@ -82,22 +141,34 @@ Block commits that introduce risky dependencies:
 dg hook install
 ```
 
-This installs a pre-commit hook that runs `dg scan --mode block` whenever a lockfile change is staged. Use `dg hook uninstall` to remove it.
+This adds a pre-commit hook that runs `dg scan --mode block` whenever a lockfile is staged. If any package scores above the block threshold, the commit is rejected. Remove it with `dg hook uninstall`.
 
 ## npm Wrapper
 
-Scan packages before installing:
+Scan packages before they're installed:
 
 ```bash
 dg npm install express lodash
 ```
 
-Use `--dg-force` to bypass a block. Or alias npm globally:
+Packages are resolved and scanned through the API. If a package is blocked, you'll get a confirmation prompt — press `y` to install anyway, or use `--dg-force` to skip the prompt.
+
+To make this the default for all `npm install` commands:
 
 ```bash
 echo 'alias npm="dg npm"' >> ~/.zshrc
 ```
 
+## Python Support
+
+Python projects are detected alongside npm. The scanner reads:
+
+- `requirements.txt` — `name==version` pins
+- `Pipfile.lock` — default and develop sections
+- `poetry.lock` — `[[package]]` entries
+
+Python packages are analyzed through the same detection engine against the PyPI registry.
+
 ## Links
 
 - [Dashboard](https://westbayberry.com/dashboard)

package/dist/index.mjs

@@ -114,12 +114,6 @@ function parseConfig(argv) {
   const noConfig = values["no-config"];
   const dgrc = noConfig ? {} : loadDgrc();
   const apiKey = dgrc.apiKey ?? "";
-  if (!apiKey) {
-    process.stderr.write(
-      "Error: Not logged in. Run `dg login` to authenticate.\n"
-    );
-    process.exit(1);
-  }
   const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? "warn";
   if (!["block", "warn", "off"].includes(modeRaw)) {
     process.stderr.write(
@@ -131,7 +125,10 @@ function parseConfig(argv) {
   const allowlistRaw = values.allowlist ?? process.env.DG_ALLOWLIST ?? "";
   const blockThreshold = Number(values["block-threshold"] ?? dgrc.blockThreshold ?? "70");
   const warnThreshold = Number(values["warn-threshold"] ?? dgrc.warnThreshold ?? "60");
-  const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
+  let maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
+  if (!apiKey) {
+    maxPackages = Math.min(maxPackages, 50);
+  }
   const debug = values.debug || process.env.DG_DEBUG === "1";
   if (isNaN(blockThreshold) || blockThreshold < 0 || blockThreshold > 100) {
     process.stderr.write("Error: --block-threshold must be a number between 0 and 100\n");
@@ -3296,7 +3293,7 @@ var require_react_development = __commonJS({
           }
           return dispatcher.useContext(Context);
         }
-        function useState6(initialState) {
+        function useState7(initialState) {
           var dispatcher = resolveDispatcher();
           return dispatcher.useState(initialState);
         }
@@ -3304,7 +3301,7 @@ var require_react_development = __commonJS({
           var dispatcher = resolveDispatcher();
           return dispatcher.useReducer(reducer4, initialArg, init);
         }
-        function useRef6(initialValue) {
+        function useRef7(initialValue) {
           var dispatcher = resolveDispatcher();
           return dispatcher.useRef(initialValue);
         }
@@ -4098,8 +4095,8 @@ var require_react_development = __commonJS({
         exports.useLayoutEffect = useLayoutEffect2;
         exports.useMemo = useMemo4;
         exports.useReducer = useReducer5;
-        exports.useRef = useRef6;
-        exports.useState = useState6;
+        exports.useRef = useRef7;
+        exports.useState = useState7;
         exports.useSyncExternalStore = useSyncExternalStore;
         exports.useTransition = useTransition;
         exports.version = ReactVersion;
@@ -38917,15 +38914,35 @@ async function callAnalyzeAPI(packages, config, onProgress) {
   for (let i = 0; i < packages.length; i += BATCH_SIZE) {
     batches.push(packages.slice(i, i + BATCH_SIZE));
   }
-  const results = [];
+  const MAX_CONCURRENT_BATCHES = 2;
+  const results = new Array(batches.length);
   let completed = 0;
-  for (const batch of batches) {
-    const result = await callBatchWithRetry(batch, config);
-    completed += batch.length;
+  let nextIdx = 0;
+  async function runBatch(idx) {
+    const result = await callBatchWithRetry(batches[idx], config);
+    results[idx] = result;
+    completed += batches[idx].length;
     if (onProgress) {
-      onProgress(completed, packages.length, batch.map((p) => p.name));
+      onProgress(completed, packages.length, batches[idx].map((p) => p.name));
+    }
+  }
+  const inFlight = /* @__PURE__ */ new Set();
+  while (nextIdx < batches.length && inFlight.size < MAX_CONCURRENT_BATCHES) {
+    const idx = nextIdx++;
+    const p = runBatch(idx).then(() => {
+      inFlight.delete(p);
+    });
+    inFlight.add(p);
+  }
+  while (inFlight.size > 0) {
+    await Promise.race(inFlight);
+    while (nextIdx < batches.length && inFlight.size < MAX_CONCURRENT_BATCHES) {
+      const idx = nextIdx++;
+      const p = runBatch(idx).then(() => {
+        inFlight.delete(p);
+      });
+      inFlight.add(p);
     }
-    results.push(result);
   }
   return mergeResponses(results, config);
 }
@@ -38984,13 +39001,16 @@ async function callAnalyzeBatch(packages, config) {
   const timeoutId = setTimeout(() => controller.abort(), 12e4);
   let response;
   try {
+    const headers = {
+      "Content-Type": "application/json",
+      "User-Agent": "dependency-guardian-cli/1.0.0"
+    };
+    if (config.apiKey) {
+      headers["Authorization"] = `Bearer ${config.apiKey}`;
+    }
     response = await fetch(url, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${config.apiKey}`,
-        "User-Agent": "dependency-guardian-cli/1.0.0"
-      },
+      headers,
       body: JSON.stringify(payload),
       signal: controller.signal
     });
@@ -39012,6 +39032,14 @@ async function callAnalyzeBatch(packages, config) {
     );
   }
   if (response.status === 429) {
+    const body = await response.json().catch(() => ({}));
+    if (body.anonymous) {
+      throw new APIError(
+        "Anonymous scan limit reached. Run `dg login` for 200 free scans/month.",
+        429,
+        ""
+      );
+    }
     throw new APIError(
       "Rate limit exceeded. Upgrade your plan at https://westbayberry.com/pricing",
       429,
@@ -39064,13 +39092,16 @@ async function callPyPIBatch(packages, config) {
   const timeoutId = setTimeout(() => controller.abort(), 12e4);
   let response;
   try {
+    const headers = {
+      "Content-Type": "application/json",
+      "User-Agent": "dependency-guardian-cli/1.0.0"
+    };
+    if (config.apiKey) {
+      headers["Authorization"] = `Bearer ${config.apiKey}`;
+    }
     response = await fetch(url, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${config.apiKey}`,
-        "User-Agent": "dependency-guardian-cli/1.0.0"
-      },
+      headers,
       body: JSON.stringify(payload),
       signal: controller.signal
     });
@@ -39092,6 +39123,14 @@ async function callPyPIBatch(packages, config) {
     );
   }
   if (response.status === 429) {
+    const body = await response.json().catch(() => ({}));
+    if (body.anonymous) {
+      throw new APIError(
+        "Anonymous scan limit reached. Run `dg login` for 200 free scans/month.",
+        429,
+        ""
+      );
+    }
     throw new APIError(
       "Rate limit exceeded. Upgrade your plan at https://westbayberry.com/pricing",
       429,
@@ -39116,7 +39155,7 @@ var init_api = __esm({
         this.name = "APIError";
       }
     };
-    BATCH_SIZE = 15;
+    BATCH_SIZE = 200;
     MAX_RETRIES = 2;
     RETRY_DELAY_MS = 5e3;
   }
@@ -39587,6 +39626,144 @@ var init_lockfile = __esm({
   }
 });
 
+// src/discover.ts
+var discover_exports = {};
+__export(discover_exports, {
+  discoverProjects: () => discoverProjects
+});
+import { existsSync as existsSync6, readFileSync as readFileSync7, readdirSync, statSync } from "node:fs";
+import { join as join6, relative, basename } from "node:path";
+function discoverProjects(root) {
+  const projects = [];
+  walk(root, root, 0, projects);
+  return projects.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+}
+function walk(dir, root, depth, out) {
+  if (depth > MAX_DEPTH) return;
+  for (const lockfile of NPM_LOCKFILES) {
+    const lockPath = join6(dir, lockfile);
+    if (existsSync6(lockPath)) {
+      const count = countNpmPackages(lockPath);
+      if (count > 0) {
+        out.push({
+          path: dir,
+          relativePath: relative(root, dir) || ".",
+          ecosystem: "npm",
+          depFile: lockfile,
+          packageCount: count
+        });
+      }
+      break;
+    }
+  }
+  for (const depFile of PYTHON_DEPFILES) {
+    const depPath = join6(dir, depFile);
+    if (existsSync6(depPath)) {
+      const count = countPythonPackages(depPath, depFile);
+      if (count > 0) {
+        out.push({
+          path: dir,
+          relativePath: relative(root, dir) || ".",
+          ecosystem: "pypi",
+          depFile,
+          packageCount: count
+        });
+      }
+      break;
+    }
+  }
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
+    const full = join6(dir, entry);
+    try {
+      if (statSync(full).isDirectory()) {
+        walk(full, root, depth + 1, out);
+      }
+    } catch {
+    }
+  }
+}
+function countNpmPackages(lockPath) {
+  try {
+    const name = basename(lockPath);
+    const content = readFileSync7(lockPath, "utf-8");
+    if (name === "yarn.lock") {
+      return (content.match(/^\S.*:$/gm) || []).length;
+    }
+    if (name === "pnpm-lock.yaml") {
+      return (content.match(/^\s{2}'?[/@]/gm) || []).length || estimateLines(content, 200);
+    }
+    const parsed = JSON.parse(content);
+    if (parsed.packages) {
+      return Object.keys(parsed.packages).filter((k) => k !== "").length;
+    }
+    if (parsed.dependencies) {
+      return Object.keys(parsed.dependencies).length;
+    }
+    return 0;
+  } catch {
+    return 0;
+  }
+}
+function countPythonPackages(depPath, depFile) {
+  try {
+    const content = readFileSync7(depPath, "utf-8");
+    if (depFile === "Pipfile.lock") {
+      const parsed = JSON.parse(content);
+      const defaultCount = Object.keys(parsed.default || {}).length;
+      const devCount = Object.keys(parsed.develop || {}).length;
+      return defaultCount + devCount;
+    }
+    if (depFile === "poetry.lock") {
+      return (content.match(/^\[\[package\]\]/gm) || []).length;
+    }
+    return content.split("\n").filter(
+      (line) => line.trim() && !line.trim().startsWith("#") && !line.trim().startsWith("-")
+    ).length;
+  } catch {
+    return 0;
+  }
+}
+function estimateLines(content, fallback) {
+  const lines = content.split("\n").length;
+  return lines > 20 ? Math.floor(lines / 4) : fallback;
+}
+var SKIP_DIRS, NPM_LOCKFILES, PYTHON_DEPFILES, MAX_DEPTH;
+var init_discover = __esm({
+  "src/discover.ts"() {
+    "use strict";
+    SKIP_DIRS = /* @__PURE__ */ new Set([
+      "node_modules",
+      ".venv",
+      "venv",
+      "__pycache__",
+      ".git",
+      ".tox",
+      ".eggs",
+      "dist",
+      "build",
+      ".next",
+      ".nuxt",
+      "coverage",
+      ".cache",
+      ".pytest_cache",
+      ".mypy_cache",
+      "validation-results",
+      "test-fixtures",
+      "fixtures"
+    ]);
+    NPM_LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"];
+    PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
+    MAX_DEPTH = 8;
+  }
+});
+
 // src/static-output.ts
 var static_output_exports = {};
 __export(static_output_exports, {
@@ -39617,7 +39794,7 @@ function truncate(s, max) {
 function groupPackages(packages) {
   const map = /* @__PURE__ */ new Map();
   for (const pkg of packages) {
-    const fingerprint = pkg.findings.length === 0 ? `__clean_${pkg.score}` : pkg.findings.map((f) => `${f.id}:${f.severity}`).sort().join("|") + `|score:${pkg.score}`;
+    const fingerprint = pkg.findings.length === 0 ? `__clean_${pkg.score}` : pkg.findings.map((f) => `${f.category}:${f.severity}`).sort().join("|") + `|score:${pkg.score}`;
     const group = map.get(fingerprint) ?? [];
     group.push(pkg);
     map.set(fingerprint, group);
@@ -39699,7 +39876,7 @@ function renderResultStatic(result, config) {
       const sevLabel = SEVERITY_LABELS[finding.severity] ?? "INFO";
       const colorFn = severityColor(finding.severity);
       lines.push(
-        `    ${colorFn(pad(sevLabel, 10))}${finding.id} \u2014 ${finding.title}`
+        `    ${colorFn(pad(sevLabel, 10))}${finding.category} \u2014 ${finding.title}`
       );
       const evidenceLimit = 3;
       for (let i = 0; i < Math.min(finding.evidence.length, evidenceLimit); i++) {
@@ -39750,7 +39927,24 @@ async function runStatic(config) {
   const discovery = discoverChanges(process.cwd(), config);
   dbg(`discovery method: ${discovery.method}`);
   if (discovery.packages.length === 0) {
-    process.stderr.write(import_chalk4.default.dim("  No package changes detected.\n"));
+    const { discoverProjects: discoverProjects2 } = await Promise.resolve().then(() => (init_discover(), discover_exports));
+    const subProjects = discoverProjects2(process.cwd());
+    if (subProjects.length > 0) {
+      process.stderr.write(import_chalk4.default.yellow("  No packages found in current directory, but found projects in subdirectories:\n\n"));
+      for (const proj of subProjects) {
+        const pkgLabel = proj.packageCount === 1 ? "package" : "packages";
+        process.stderr.write(
+          import_chalk4.default.white(`    ${proj.ecosystem}  `) + import_chalk4.default.cyan(proj.relativePath) + import_chalk4.default.dim(` (${proj.packageCount} ${pkgLabel})
+`)
+        );
+      }
+      process.stderr.write(import_chalk4.default.dim("\n  Use --workspace to scan a specific project:\n"));
+      process.stderr.write(import_chalk4.default.dim(`    dg scan --workspace ${subProjects[0].relativePath}${config.scanAll ? " --scan-all" : ""}
+
+`));
+    } else {
+      process.stderr.write(import_chalk4.default.dim("  No package changes detected.\n"));
+    }
     process.exit(0);
   }
   const packages = discovery.packages.filter(
@@ -39789,6 +39983,11 @@ async function runStatic(config) {
   );
   const output = renderResultStatic(result, config);
   process.stdout.write(output + "\n");
+  if (!config.apiKey && !config.json) {
+    process.stderr.write(
+      "\n" + import_chalk4.default.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n") + import_chalk4.default.cyan("  Want this on every PR? ") + "Run " + import_chalk4.default.white("dg login") + import_chalk4.default.dim(" \u2192 free tier, 200 scans/month\n") + import_chalk4.default.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n")
+    );
+  }
   if (result.action === "block" && config.mode === "block") {
     process.exit(2);
   } else if (result.action === "block" || result.action === "warn") {
@@ -39907,6 +40106,11 @@ async function scanAndInstallStatic(resolved, parsed, config) {
   }
   const output = renderResultStatic(result, config);
   process.stdout.write(output + "\n");
+  if (!config.apiKey) {
+    process.stderr.write(
+      "\n" + import_chalk4.default.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n") + import_chalk4.default.cyan("  Want this on every PR? ") + "Run " + import_chalk4.default.white("dg login") + import_chalk4.default.dim(" \u2192 free tier, 200 scans/month\n") + import_chalk4.default.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n")
+    );
+  }
   if (result.action === "warn") {
     process.stderr.write(
       import_chalk4.default.yellow("  Warnings detected. Proceeding with install.\n\n")
@@ -40037,14 +40241,14 @@ __export(hook_exports, {
 });
 import { execFileSync as execFileSync2 } from "node:child_process";
 import {
-  existsSync as existsSync6,
-  readFileSync as readFileSync7,
+  existsSync as existsSync7,
+  readFileSync as readFileSync8,
   writeFileSync as writeFileSync3,
   mkdirSync,
   chmodSync as chmodSync2,
   unlinkSync as unlinkSync2
 } from "node:fs";
-import { join as join6 } from "node:path";
+import { join as join7 } from "node:path";
 function findGitDir() {
   try {
     return execFileSync2("git", ["rev-parse", "--git-dir"], {
@@ -40057,11 +40261,11 @@ function findGitDir() {
 }
 function installHook() {
   const gitDir = findGitDir();
-  const hooksDir = join6(gitDir, "hooks");
-  const hookPath = join6(hooksDir, "pre-commit");
+  const hooksDir = join7(gitDir, "hooks");
+  const hookPath = join7(hooksDir, "pre-commit");
   mkdirSync(hooksDir, { recursive: true });
-  if (existsSync6(hookPath)) {
-    const existing = readFileSync7(hookPath, "utf-8");
+  if (existsSync7(hookPath)) {
+    const existing = readFileSync8(hookPath, "utf-8");
     if (existing.includes(HOOK_MARKER)) {
       process.stderr.write("  Hook already installed.\n");
       return;
@@ -40081,12 +40285,12 @@ function installHook() {
 }
 function uninstallHook() {
   const gitDir = findGitDir();
-  const hookPath = join6(gitDir, "hooks", "pre-commit");
-  if (!existsSync6(hookPath)) {
+  const hookPath = join7(gitDir, "hooks", "pre-commit");
+  if (!existsSync7(hookPath)) {
     process.stderr.write("  No hook to remove.\n");
     return;
   }
-  const content = readFileSync7(hookPath, "utf-8");
+  const content = readFileSync8(hookPath, "utf-8");
   if (!content.includes(HOOK_MARKER)) {
     process.stderr.write(
       "  No Dependency Guardian hook found in pre-commit.\n"
@@ -40447,7 +40651,7 @@ var init_DurationLine = __esm({
 function groupPackages2(packages) {
   const map = /* @__PURE__ */ new Map();
   for (const pkg of packages) {
-    const fingerprint = pkg.findings.length === 0 ? `__clean_${pkg.score}` : pkg.findings.map((f) => `${f.id}:${f.severity}`).sort().join("|") + `|score:${pkg.score}`;
+    const fingerprint = pkg.findings.length === 0 ? `__clean_${pkg.score}` : pkg.findings.map((f) => `${f.category}:${f.severity}`).sort().join("|") + `|score:${pkg.score}`;
     const group = map.get(fingerprint) ?? [];
     group.push(pkg);
     map.set(fingerprint, group);
@@ -40567,7 +40771,7 @@ var init_ResultsView = __esm({
                 /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)(Text, { children: [
                   "  ",
                   colorFn(pad2(sevLabel, 10)),
-                  finding.id,
+                  finding.category,
                   " ",
                   "\u2014",
                   " ",
@@ -40582,7 +40786,7 @@ var init_ResultsView = __esm({
                   import_chalk6.default.dim(`... and ${overflow} more`)
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(Text, { children: " " })
-              ] }, `${finding.id}-${idx}`);
+              ] }, `${finding.category}-${idx}`);
             }),
             safeVersion && /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)(Text, { children: [
               "  ",
@@ -40807,140 +41011,6 @@ var init_NpmWrapperApp = __esm({
   }
 });
 
-// src/discover.ts
-import { existsSync as existsSync7, readFileSync as readFileSync8, readdirSync, statSync } from "node:fs";
-import { join as join7, relative, basename } from "node:path";
-function discoverProjects(root) {
-  const projects = [];
-  walk(root, root, 0, projects);
-  return projects.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
-}
-function walk(dir, root, depth, out) {
-  if (depth > MAX_DEPTH) return;
-  for (const lockfile of NPM_LOCKFILES) {
-    const lockPath = join7(dir, lockfile);
-    if (existsSync7(lockPath)) {
-      const count = countNpmPackages(lockPath);
-      if (count > 0) {
-        out.push({
-          path: dir,
-          relativePath: relative(root, dir) || ".",
-          ecosystem: "npm",
-          depFile: lockfile,
-          packageCount: count
-        });
-      }
-      break;
-    }
-  }
-  for (const depFile of PYTHON_DEPFILES) {
-    const depPath = join7(dir, depFile);
-    if (existsSync7(depPath)) {
-      const count = countPythonPackages(depPath, depFile);
-      if (count > 0) {
-        out.push({
-          path: dir,
-          relativePath: relative(root, dir) || ".",
-          ecosystem: "pypi",
-          depFile,
-          packageCount: count
-        });
-      }
-      break;
-    }
-  }
-  let entries;
-  try {
-    entries = readdirSync(dir);
-  } catch {
-    return;
-  }
-  for (const entry of entries) {
-    if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
-    const full = join7(dir, entry);
-    try {
-      if (statSync(full).isDirectory()) {
-        walk(full, root, depth + 1, out);
-      }
-    } catch {
-    }
-  }
-}
-function countNpmPackages(lockPath) {
-  try {
-    const name = basename(lockPath);
-    const content = readFileSync8(lockPath, "utf-8");
-    if (name === "yarn.lock") {
-      return (content.match(/^\S.*:$/gm) || []).length;
-    }
-    if (name === "pnpm-lock.yaml") {
-      return (content.match(/^\s{2}'?[/@]/gm) || []).length || estimateLines(content, 200);
-    }
-    const parsed = JSON.parse(content);
-    if (parsed.packages) {
-      return Object.keys(parsed.packages).filter((k) => k !== "").length;
-    }
-    if (parsed.dependencies) {
-      return Object.keys(parsed.dependencies).length;
-    }
-    return 0;
-  } catch {
-    return 0;
-  }
-}
-function countPythonPackages(depPath, depFile) {
-  try {
-    const content = readFileSync8(depPath, "utf-8");
-    if (depFile === "Pipfile.lock") {
-      const parsed = JSON.parse(content);
-      const defaultCount = Object.keys(parsed.default || {}).length;
-      const devCount = Object.keys(parsed.develop || {}).length;
-      return defaultCount + devCount;
-    }
-    if (depFile === "poetry.lock") {
-      return (content.match(/^\[\[package\]\]/gm) || []).length;
-    }
-    return content.split("\n").filter(
-      (line) => line.trim() && !line.trim().startsWith("#") && !line.trim().startsWith("-")
-    ).length;
-  } catch {
-    return 0;
-  }
-}
-function estimateLines(content, fallback) {
-  const lines = content.split("\n").length;
-  return lines > 20 ? Math.floor(lines / 4) : fallback;
-}
-var SKIP_DIRS, NPM_LOCKFILES, PYTHON_DEPFILES, MAX_DEPTH;
-var init_discover = __esm({
-  "src/discover.ts"() {
-    "use strict";
-    SKIP_DIRS = /* @__PURE__ */ new Set([
-      "node_modules",
-      ".venv",
-      "venv",
-      "__pycache__",
-      ".git",
-      ".tox",
-      ".eggs",
-      "dist",
-      "build",
-      ".next",
-      ".nuxt",
-      "coverage",
-      ".cache",
-      ".pytest_cache",
-      ".mypy_cache",
-      "validation-results",
-      "test-fixtures",
-      "fixtures"
-    ]);
-    NPM_LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"];
-    PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
-    MAX_DEPTH = 8;
-  }
-});
-
 // src/ui/hooks/useScan.ts
 function reducer3(_state, action) {
   switch (action.type) {
@@ -40969,6 +41039,10 @@ function useScan(config) {
     started.current = true;
     const projects = discoverProjects(process.cwd());
     if (projects.length > 1) setMultiProjects(projects);
+    if (projects.length > 1) {
+      dispatch({ type: "PROJECTS_FOUND", projects });
+      return;
+    }
     try {
       const discovery = discoverChanges(process.cwd(), config);
       const packages = discovery.packages.filter((p) => !config.allowlist.includes(p.name));
@@ -40984,12 +41058,8 @@ function useScan(config) {
         dispatch({ type: "DISCOVERY_EMPTY", message: "No dependency files found." });
         return;
       }
-      if (projects.length === 1) {
-        dispatch({ type: "DISCOVERY_COMPLETE", packages: [], skippedCount: 0 });
-        scanProjects(projects, config, dispatch);
-        return;
-      }
-      dispatch({ type: "PROJECTS_FOUND", projects });
+      dispatch({ type: "DISCOVERY_COMPLETE", packages: [], skippedCount: 0 });
+      scanProjects(projects, config, dispatch);
     }
   }, [config]);
   const scanSelectedProjects = (0, import_react27.useCallback)((projects) => {
@@ -41180,11 +41250,45 @@ var init_useExpandAnimation = __esm({
   }
 });
 
+// src/ui/hooks/useTerminalSize.ts
+function useTerminalSize() {
+  const { stdout } = use_stdout_default();
+  const [size, setSize] = (0, import_react29.useState)({
+    rows: stdout?.rows ?? process.stdout.rows ?? 24,
+    cols: stdout?.columns ?? process.stdout.columns ?? 80
+  });
+  (0, import_react29.useEffect)(() => {
+    const handle = () => {
+      const rows = process.stdout.rows ?? 24;
+      const cols = process.stdout.columns ?? 80;
+      if (process.stdout.isTTY) {
+        process.stdout.write("\x1B[2J\x1B[H");
+      }
+      setSize({ rows, cols });
+    };
+    process.stdout.setMaxListeners(process.stdout.getMaxListeners() + 1);
+    process.stdout.on("resize", handle);
+    return () => {
+      process.stdout.off("resize", handle);
+      process.stdout.setMaxListeners(Math.max(0, process.stdout.getMaxListeners() - 1));
+    };
+  }, []);
+  return size;
+}
+var import_react29;
+var init_useTerminalSize = __esm({
+  async "src/ui/hooks/useTerminalSize.ts"() {
+    "use strict";
+    import_react29 = __toESM(require_react());
+    await init_build2();
+  }
+});
+
 // src/ui/components/InteractiveResultsView.tsx
 function groupPackages3(packages) {
   const map = /* @__PURE__ */ new Map();
   for (const pkg of packages) {
-    const fingerprint = pkg.findings.length === 0 ? `__clean_${pkg.score}` : pkg.findings.map((f) => `${f.id}:${f.severity}`).sort().join("|") + `|score:${pkg.score}`;
+    const fingerprint = pkg.findings.length === 0 ? `__clean_${pkg.score}` : pkg.findings.map((f) => `${f.category}:${f.severity}`).sort().join("|") + `|score:${pkg.score}`;
     const group = map.get(fingerprint) ?? [];
     group.push(pkg);
     map.set(fingerprint, group);
@@ -41250,15 +41354,16 @@ function viewReducer(_state, action) {
       return { cursor: action.cursor, expandedIndex: action.expandedIndex, expandLevel: action.expandLevel, viewport: action.viewport };
   }
 }
-var import_react29, import_chalk10, import_jsx_runtime10, SEVERITY_LABELS3, SEVERITY_COLORS, EVIDENCE_LIMIT2, FIXED_CHROME, InteractiveResultsView, T, FindingsSummary, FindingsDetail;
+var import_react30, import_chalk10, import_jsx_runtime10, SEVERITY_LABELS3, SEVERITY_COLORS, EVIDENCE_LIMIT2, FIXED_CHROME, InteractiveResultsView, T, FindingsSummary, FindingsDetail;
 var init_InteractiveResultsView = __esm({
   async "src/ui/components/InteractiveResultsView.tsx"() {
     "use strict";
-    import_react29 = __toESM(require_react());
+    import_react30 = __toESM(require_react());
     await init_build2();
     import_chalk10 = __toESM(require_source());
     await init_ScoreHeader();
     init_useExpandAnimation();
+    await init_useTerminalSize();
     import_jsx_runtime10 = __toESM(require_jsx_runtime());
     SEVERITY_LABELS3 = {
       5: "CRIT",
@@ -41283,40 +41388,32 @@ var init_InteractiveResultsView = __esm({
       onExit,
       onBack
     }) => {
-      (0, import_react29.useEffect)(() => {
-        if (!process.stdout.isTTY) return;
-        process.stdout.write("\x1B[?1049h");
-        return () => {
-          process.stdout.write("\x1B[?1049l");
-        };
-      }, []);
-      const flagged = (0, import_react29.useMemo)(
+      const flagged = (0, import_react30.useMemo)(
         () => result.packages.filter((p) => p.score > 0),
         [result.packages]
       );
-      const clean = (0, import_react29.useMemo)(
+      const clean = (0, import_react30.useMemo)(
         () => result.packages.filter((p) => p.score === 0),
         [result.packages]
       );
       const total = result.packages.length;
-      const groups = (0, import_react29.useMemo)(() => groupPackages3(flagged), [flagged]);
-      const [view, dispatchView] = (0, import_react29.useReducer)(viewReducer, {
+      const groups = (0, import_react30.useMemo)(() => groupPackages3(flagged), [flagged]);
+      const [view, dispatchView] = (0, import_react30.useReducer)(viewReducer, {
         cursor: 0,
         expandLevel: null,
         expandedIndex: null,
         viewport: 0
       });
-      const viewRef = (0, import_react29.useRef)(view);
+      const viewRef = (0, import_react30.useRef)(view);
       viewRef.current = view;
-      const { stdout } = use_stdout_default();
-      const termCols = stdout?.columns ?? process.stdout.columns ?? 80;
-      const termRows = stdout?.rows ?? process.stdout.rows ?? 24;
-      const availableRows = Math.max(5, termRows - FIXED_CHROME);
+      const { rows: termRows, cols: termCols } = useTerminalSize();
+      const chromeHeight = FIXED_CHROME + (config.apiKey ? 0 : 2);
+      const availableRows = Math.max(5, termRows - chromeHeight);
       const innerWidth = Math.max(40, termCols - 6);
       const getLevel = (idx) => {
         return view.expandedIndex === idx ? view.expandLevel : null;
       };
-      const expandTargetHeight = (0, import_react29.useMemo)(() => {
+      const expandTargetHeight = (0, import_react30.useMemo)(() => {
         if (view.expandedIndex === null || view.expandLevel === null) return 0;
         const group = groups[view.expandedIndex];
         if (!group) return 0;
@@ -41332,7 +41429,7 @@ var init_InteractiveResultsView = __esm({
         if (idx === view.expandedIndex) return 1 + animVisibleLines;
         return groupRowHeight(group, level, result.safeVersions);
       };
-      const visibleEnd = (0, import_react29.useMemo)(() => {
+      const visibleEnd = (0, import_react30.useMemo)(() => {
         let consumed = 0;
         let end = view.viewport;
         while (end < groups.length) {
@@ -41364,6 +41461,13 @@ var init_InteractiveResultsView = __esm({
         }
         return newStart;
       };
+      (0, import_react30.useEffect)(() => {
+        if (groups.length === 0) return;
+        const { cursor, expandedIndex, expandLevel, viewport } = viewRef.current;
+        const clamped = Math.min(viewport, Math.max(0, groups.length - 1));
+        const newVp = adjustViewport(cursor, expandedIndex, expandLevel, clamped);
+        dispatchView({ type: "MOVE", cursor, viewport: newVp });
+      }, [availableRows]);
       use_input_default((input, key) => {
         if (groups.length === 0) {
           if (input === "q" || key.return) onExit();
@@ -41391,13 +41495,15 @@ var init_InteractiveResultsView = __esm({
           const newVp = adjustViewport(cursor, newExpIdx, newExpLvl, vpStart);
           dispatchView({ type: "EXPAND", expandedIndex: newExpIdx, expandLevel: newExpLvl, viewport: newVp });
         } else if (input === "e") {
-          if (expIdx === cursor && expLvl === "detail") return;
-          const newVp = adjustViewport(cursor, cursor, "detail", vpStart);
-          dispatchView({ type: "EXPAND", expandedIndex: cursor, expandLevel: "detail", viewport: newVp });
-        } else if (input === "c") {
-          if (expIdx !== null && expLvl !== null) {
+          if (expIdx === cursor && expLvl === "detail") {
+            const newVp = adjustViewport(cursor, cursor, "summary", vpStart);
+            dispatchView({ type: "EXPAND", expandedIndex: cursor, expandLevel: "summary", viewport: newVp });
+          } else if (expIdx === cursor && expLvl === "summary") {
             const newVp = adjustViewport(cursor, null, null, vpStart);
             dispatchView({ type: "EXPAND", expandedIndex: null, expandLevel: null, viewport: newVp });
+          } else {
+            const newVp = adjustViewport(cursor, cursor, "detail", vpStart);
+            dispatchView({ type: "EXPAND", expandedIndex: cursor, expandLevel: "detail", viewport: newVp });
           }
         } else if (input === "b" && onBack) {
           onBack();
@@ -41514,6 +41620,12 @@ var init_InteractiveResultsView = __esm({
             ]
           }
         ),
+        !config.apiKey && /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Box_default, { paddingLeft: 1, paddingRight: 1, width: "100%", children: /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Text, { children: [
+          import_chalk10.default.cyan("Want this on every PR?"),
+          " Run ",
+          import_chalk10.default.white("dg login"),
+          import_chalk10.default.dim(" \u2192 free tier, 200 scans/month")
+        ] }) }),
         /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Text, { dimColor: true, children: [
           " ",
           groups.length > 0 ? /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
@@ -41524,10 +41636,7 @@ var init_InteractiveResultsView = __esm({
             " toggle",
             "  ",
             import_chalk10.default.cyan("e"),
-            " expand",
-            "  ",
-            import_chalk10.default.cyan("c"),
-            " collapse",
+            " expand/collapse",
             "  ",
             onBack && /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
               import_chalk10.default.cyan("b"),
@@ -41569,8 +41678,8 @@ var init_InteractiveResultsView = __esm({
             " ",
             sevColor(pad3(sevLabel, 4)),
             " ",
-            import_chalk10.default.dim(f.id)
-          ] }, `${f.id}-${idx}`)
+            import_chalk10.default.dim(f.category)
+          ] }, `${f.category}-${idx}`)
         );
       }
       if (hasAffects) {
@@ -41608,15 +41717,15 @@ var init_InteractiveResultsView = __esm({
             " ",
             sevColor(pad3(sevLabel, 4)),
             " ",
-            import_chalk10.default.bold(finding.id)
-          ] }, `${finding.id}-${idx}-badge`)
+            import_chalk10.default.bold(finding.category)
+          ] }, `${finding.category}-${idx}-badge`)
         );
         allLines.push(
           /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Text, { dimColor: true, children: [
             continuation,
             " ",
             finding.title
-          ] }, `${finding.id}-${idx}-title`)
+          ] }, `${finding.category}-${idx}-title`)
         );
         for (let i = 0; i < evidenceSlice.length; i++) {
           allLines.push(
@@ -41626,7 +41735,7 @@ var init_InteractiveResultsView = __esm({
               import_chalk10.default.dim("\u203A"),
               " ",
               truncate3(evidenceSlice[i], evidenceWidth)
-            ] }, `${finding.id}-${idx}-ev-${i}`)
+            ] }, `${finding.category}-${idx}-ev-${i}`)
           );
         }
         if (overflow > 0) {
@@ -41635,7 +41744,7 @@ var init_InteractiveResultsView = __esm({
               continuation,
               " ",
               import_chalk10.default.dim(`+${overflow} more`)
-            ] }, `${finding.id}-${idx}-overflow`)
+            ] }, `${finding.category}-${idx}-overflow`)
           );
         }
       }
@@ -41664,19 +41773,16 @@ var init_InteractiveResultsView = __esm({
 });
 
 // src/ui/components/ProjectSelector.tsx
-var import_react30, import_jsx_runtime11, ProjectSelector;
+var import_react31, import_jsx_runtime11, ProjectSelector;
 var init_ProjectSelector = __esm({
   async "src/ui/components/ProjectSelector.tsx"() {
     "use strict";
-    import_react30 = __toESM(require_react());
+    import_react31 = __toESM(require_react());
     await init_build2();
     import_jsx_runtime11 = __toESM(require_jsx_runtime());
     ProjectSelector = ({ projects, onConfirm, onCancel }) => {
-      const [cursor, setCursor] = (0, import_react30.useState)(0);
-      (0, import_react30.useEffect)(() => {
-        process.stdout.write("\x1B[2J\x1B[H");
-      }, []);
-      const [selected, setSelected] = (0, import_react30.useState)(() => new Set(projects.map((_, i) => i)));
+      const [cursor, setCursor] = (0, import_react31.useState)(0);
+      const [selected, setSelected] = (0, import_react31.useState)(() => new Set(projects.map((_, i) => i)));
       use_input_default((input, key) => {
         if (key.upArrow) {
           setCursor((c) => Math.max(0, c - 1));
@@ -41730,11 +41836,11 @@ var App_exports = {};
 __export(App_exports, {
   App: () => App2
 });
-var import_react31, import_jsx_runtime12, App2;
+var import_react32, import_jsx_runtime12, App2;
 var init_App2 = __esm({
   async "src/ui/App.tsx"() {
     "use strict";
-    import_react31 = __toESM(require_react());
+    import_react32 = __toESM(require_react());
     await init_build2();
     init_useScan();
     await init_Spinner();
@@ -41742,11 +41848,29 @@ var init_App2 = __esm({
     await init_InteractiveResultsView();
     await init_ErrorView();
     await init_ProjectSelector();
+    await init_useTerminalSize();
     import_jsx_runtime12 = __toESM(require_jsx_runtime());
     App2 = ({ config }) => {
       const { state, scanSelectedProjects, restartSelection } = useScan(config);
       const { exit } = use_app_default();
-      const handleResultsExit = (0, import_react31.useCallback)(() => {
+      const { rows: termRows } = useTerminalSize();
+      const prevPhaseRef = (0, import_react32.useRef)(state.phase);
+      (0, import_react32.useEffect)(() => {
+        if (!process.stdout.isTTY) return;
+        process.stdout.write("\x1B[?1049h");
+        process.stdout.write("\x1B[2J\x1B[H");
+        return () => {
+          process.stdout.write("\x1B[?1049l");
+          process.stdout.write("\x1B[?25h");
+        };
+      }, []);
+      (0, import_react32.useEffect)(() => {
+        if (prevPhaseRef.current !== state.phase && process.stdout.isTTY) {
+          process.stdout.write("\x1B[2J\x1B[H");
+        }
+        prevPhaseRef.current = state.phase;
+      }, [state.phase]);
+      const handleResultsExit = (0, import_react32.useCallback)(() => {
         if (state.phase === "results") {
           const { result } = state;
           if (result.action === "block" && config.mode === "block") {
@@ -41759,7 +41883,7 @@ var init_App2 = __esm({
         }
         exit();
       }, [state, config, exit]);
-      (0, import_react31.useEffect)(() => {
+      (0, import_react32.useEffect)(() => {
         if (state.phase === "empty") {
           process.exitCode = 0;
           const timer = setTimeout(() => exit(), 0);
@@ -41771,55 +41895,58 @@ var init_App2 = __esm({
           return () => clearTimeout(timer);
         }
       }, [state, config, exit]);
-      switch (state.phase) {
-        case "discovering":
-          return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Spinner2, { label: "Searching for dependencies..." });
-        case "selecting":
-          return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
-            ProjectSelector,
-            {
-              projects: state.projects,
-              onConfirm: scanSelectedProjects,
-              onCancel: () => {
-                process.exitCode = 0;
-                exit();
+      const content = (() => {
+        switch (state.phase) {
+          case "discovering":
+            return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Spinner2, { label: "Searching for dependencies..." });
+          case "selecting":
+            return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
+              ProjectSelector,
+              {
+                projects: state.projects,
+                onConfirm: scanSelectedProjects,
+                onCancel: () => {
+                  process.exitCode = 0;
+                  exit();
+                }
               }
-            }
-          );
-        case "scanning":
-          return /* @__PURE__ */ (0, import_jsx_runtime12.jsxs)(Box_default, { flexDirection: "column", children: [
-            /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
-              ProgressBar,
+            );
+          case "scanning":
+            return /* @__PURE__ */ (0, import_jsx_runtime12.jsxs)(Box_default, { flexDirection: "column", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
+                ProgressBar,
+                {
+                  value: state.done,
+                  total: state.total,
+                  label: state.currentBatch.length > 0 ? state.currentBatch[state.currentBatch.length - 1] : void 0
+                }
+              ),
+              /* @__PURE__ */ (0, import_jsx_runtime12.jsxs)(Text, { dimColor: true, children: [
+                "Scanning ",
+                state.done,
+                "/",
+                state.total,
+                " packages..."
+              ] })
+            ] });
+          case "results":
+            return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
+              InteractiveResultsView,
               {
-                value: state.done,
-                total: state.total,
-                label: state.currentBatch.length > 0 ? state.currentBatch[state.currentBatch.length - 1] : void 0
+                result: state.result,
+                config,
+                durationMs: state.durationMs,
+                onExit: handleResultsExit,
+                onBack: restartSelection ?? void 0
               }
-            ),
-            /* @__PURE__ */ (0, import_jsx_runtime12.jsxs)(Text, { dimColor: true, children: [
-              "Scanning ",
-              state.done,
-              "/",
-              state.total,
-              " packages..."
-            ] })
-          ] });
-        case "results":
-          return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
-            InteractiveResultsView,
-            {
-              result: state.result,
-              config,
-              durationMs: state.durationMs,
-              onExit: handleResultsExit,
-              onBack: restartSelection ?? void 0
-            }
-          );
-        case "empty":
-          return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Text, { dimColor: true, children: state.message });
-        case "error":
-          return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(ErrorView, { error: state.error });
-      }
+            );
+          case "empty":
+            return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Text, { dimColor: true, children: state.message });
+          case "error":
+            return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(ErrorView, { error: state.error });
+        }
+      })();
+      return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Box_default, { flexDirection: "column", height: termRows, children: content });
     };
   }
 });

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@westbayberry/dg",
-  "version": "1.0.13",
-  "description": "Supply chain security scanner — scan npm dependencies in any CI or terminal",
+  "version": "1.0.16",
+  "description": "Supply chain security scanner for npm and Python dependencies — detects malicious packages, typosquatting, dependency confusion, and 26+ attack patterns",
   "bin": {
     "dependency-guardian": "dist/index.mjs",
     "dg": "dist/index.mjs"
@@ -12,13 +12,21 @@
   "license": "UNLICENSED",
   "author": "WestBayBerry",
   "homepage": "https://westbayberry.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/WestBayBerry/dependency-guardian-action.git"
+  },
   "keywords": [
     "security",
     "npm",
+    "pypi",
     "supply-chain",
     "scanner",
     "cli",
-    "dependencies"
+    "dependencies",
+    "malware",
+    "typosquatting",
+    "dependency-confusion"
   ],
   "publishConfig": {
     "access": "public"