@westbayberry/dg 1.0.2 → 1.0.3

package/README.md

@@ -57,7 +57,7 @@ dg scan [options]
 
 ## CI Examples
 
-### GitHub Actions
+### GitHub Actions CI
 
 ```yaml
 - name: Scan dependencies

package/dist/index.js

@@ -180,15 +180,37 @@ exports.getVersion = getVersion;
 const node_util_1 = __nccwpck_require__(975);
 const node_fs_1 = __nccwpck_require__(24);
 const node_path_1 = __nccwpck_require__(760);
+const node_os_1 = __nccwpck_require__(161);
+function loadDgrc() {
+    const candidates = [
+        (0, node_path_1.join)(process.cwd(), ".dgrc.json"),
+        (0, node_path_1.join)((0, node_os_1.homedir)(), ".dgrc.json"),
+    ];
+    for (const filepath of candidates) {
+        if ((0, node_fs_1.existsSync)(filepath)) {
+            try {
+                return JSON.parse((0, node_fs_1.readFileSync)(filepath, "utf-8"));
+            }
+            catch {
+                process.stderr.write(`Warning: Failed to parse ${filepath}, ignoring.\n`);
+            }
+        }
+    }
+    return {};
+}
 const USAGE = `
   Dependency Guardian — Supply chain security scanner
 
   Usage:
     dependency-guardian scan [options]
     dg scan [options]
+    dg npm install <pkg> [npm-flags]
+    dg wrap
 
   Commands:
     scan          Scan dependencies for security risks (default)
+    npm           Wrap npm commands — scans packages before installing
+    wrap          Show instructions to alias npm to dg
 
   Options:
     --api-key <key>          API key (or set DG_API_KEY env var)
@@ -201,25 +223,36 @@ const USAGE = `
     --json                   Output JSON for CI parsing
     --scan-all               Scan all packages, not just changed
     --base-lockfile <path>   Path to base lockfile for explicit diff
+    --debug                  Show diagnostic output (discovery, batches, timing)
+    --no-config              Skip loading .dgrc.json config file
     --help                   Show this help message
     --version                Show version number
 
+  Config File:
+    Place a .dgrc.json in your project root or home directory.
+    Precedence: CLI flags > env vars > .dgrc.json > defaults
+
   Environment Variables:
     DG_API_KEY               API key
     DG_API_URL               API base URL
     DG_MODE                  Mode (block/warn/off)
     DG_ALLOWLIST             Comma-separated allowlist
+    DG_DEBUG                 Enable debug output (set to 1)
 
   Exit Codes:
     0  pass    — No risks detected
     1  warn    — Risks detected (advisory)
     2  block   — High-risk packages detected
+    3  error   — Internal error (API failure, config error)
 
   Examples:
     DG_API_KEY=dg_live_xxx dg scan
     dg scan --api-key dg_live_xxx --json
     dg scan --scan-all --mode block
     dg scan --base-lockfile ./main-lockfile.json
+    dg npm install express lodash
+    dg npm install @scope/pkg@^2.0.0
+    dg npm install risky-pkg --dg-force
 `.trimStart();
 exports.USAGE = USAGE;
 function getVersion() {
@@ -245,6 +278,8 @@ function parseConfig(argv) {
             json: { type: "boolean", default: false },
             "scan-all": { type: "boolean", default: false },
             "base-lockfile": { type: "string" },
+            debug: { type: "boolean", default: false },
+            "no-config": { type: "boolean", default: false },
             help: { type: "boolean", default: false },
             version: { type: "boolean", default: false },
         },
@@ -260,11 +295,14 @@ function parseConfig(argv) {
         process.exit(0);
     }
     const command = positionals[0] ?? "scan";
+    const noConfig = values["no-config"];
+    const dgrc = noConfig ? {} : loadDgrc();
     if (values["api-key"]) {
         process.stderr.write("Warning: --api-key is deprecated (visible in process list). Use DG_API_KEY env var instead.\n");
     }
     const apiKey = values["api-key"] ??
         process.env.DG_API_KEY ??
+        dgrc.apiKey ??
         "";
     if (!apiKey) {
         process.stderr.write("Error: API key required. Set DG_API_KEY environment variable.\n" +
@@ -274,6 +312,7 @@ function parseConfig(argv) {
     }
     const modeRaw = values.mode ??
         process.env.DG_MODE ??
+        dgrc.mode ??
         "warn";
     if (!["block", "warn", "off"].includes(modeRaw)) {
         process.stderr.write(`Error: Invalid mode "${modeRaw}". Must be block, warn, or off.\n`);
@@ -282,23 +321,40 @@ function parseConfig(argv) {
     const allowlistRaw = values.allowlist ??
         process.env.DG_ALLOWLIST ??
         "";
+    const blockThreshold = Number(values["block-threshold"] ?? dgrc.blockThreshold ?? "70");
+    const warnThreshold = Number(values["warn-threshold"] ?? dgrc.warnThreshold ?? "60");
+    const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
+    const debug = values.debug || process.env.DG_DEBUG === "1";
+    if (isNaN(blockThreshold) || blockThreshold < 0 || blockThreshold > 100) {
+        process.stderr.write("Error: --block-threshold must be a number between 0 and 100\n");
+        process.exit(1);
+    }
+    if (isNaN(warnThreshold) || warnThreshold < 0 || warnThreshold > 100) {
+        process.stderr.write("Error: --warn-threshold must be a number between 0 and 100\n");
+        process.exit(1);
+    }
+    if (isNaN(maxPackages) || maxPackages < 1 || maxPackages > 10000) {
+        process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
+        process.exit(1);
+    }
     return {
         apiKey,
         apiUrl: values["api-url"] ??
             process.env.DG_API_URL ??
+            dgrc.apiUrl ??
             "https://api.westbayberry.com",
         mode: modeRaw,
-        blockThreshold: Number(values["block-threshold"] ?? "70"),
-        warnThreshold: Number(values["warn-threshold"] ?? "60"),
-        maxPackages: Number(values["max-packages"] ?? "200"),
+        blockThreshold,
+        warnThreshold,
+        maxPackages,
         allowlist: allowlistRaw
-            .split(",")
-            .map((s) => s.trim())
-            .filter(Boolean),
+            ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean)
+            : (dgrc.allowlist ?? []),
         json: values.json,
         scanAll: values["scan-all"],
         baseLockfile: values["base-lockfile"] ?? null,
         command,
+        debug,
     };
 }
 
@@ -476,6 +532,273 @@ function toPackageInput(change) {
 }
 
 
+/***/ }),
+
+/***/ 124:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.parseNpmArgs = parseNpmArgs;
+exports.parsePackageSpec = parsePackageSpec;
+exports.resolveVersion = resolveVersion;
+exports.resolvePackages = resolvePackages;
+exports.runNpm = runNpm;
+exports.handleNpmCommand = handleNpmCommand;
+exports.handleWrapCommand = handleWrapCommand;
+const node_child_process_1 = __nccwpck_require__(421);
+const color_1 = __nccwpck_require__(988);
+const api_1 = __nccwpck_require__(879);
+const output_1 = __nccwpck_require__(202);
+/** npm commands that install packages and should trigger a scan */
+const INSTALL_COMMANDS = new Set(["install", "i", "add", "update", "up"]);
+/**
+ * Parse the argv after `dg npm ...` to extract the npm command and package specifiers.
+ */
+function parseNpmArgs(args) {
+    let dgForce = false;
+    const filtered = [];
+    // Extract dg-specific flags before passing to npm
+    for (const arg of args) {
+        if (arg === "--dg-force") {
+            dgForce = true;
+        }
+        else {
+            filtered.push(arg);
+        }
+    }
+    const command = filtered[0] ?? "";
+    const shouldScan = INSTALL_COMMANDS.has(command);
+    // Extract package specifiers: anything that's not a flag and not the command itself
+    const packages = [];
+    if (shouldScan) {
+        for (let i = 1; i < filtered.length; i++) {
+            const arg = filtered[i];
+            // Skip flags and their values
+            if (arg.startsWith("-")) {
+                // Flags that take a value: skip next arg too
+                if (flagTakesValue(arg)) {
+                    i++;
+                }
+                continue;
+            }
+            packages.push(arg);
+        }
+    }
+    return {
+        command,
+        packages,
+        rawArgs: filtered,
+        dgForce,
+        shouldScan,
+    };
+}
+/** npm flags that consume the next argument as a value */
+function flagTakesValue(flag) {
+    const valueFlagPrefixes = [
+        "--save-prefix",
+        "--tag",
+        "--registry",
+        "--cache",
+        "--prefix",
+        "--fund",
+        "--omit",
+        "--install-strategy",
+        "--workspace",
+    ];
+    // Short flags that take values
+    if (flag === "-w")
+        return true;
+    for (const prefix of valueFlagPrefixes) {
+        if (flag === prefix)
+            return true;
+    }
+    // --flag=value style doesn't consume next arg
+    return false;
+}
+/**
+ * Parse a package specifier like "express", "@scope/pkg@^2.0.0", "pkg@latest"
+ * into { name, versionSpec }.
+ */
+function parsePackageSpec(spec) {
+    // Scoped: @scope/pkg@version
+    if (spec.startsWith("@")) {
+        const slashIdx = spec.indexOf("/");
+        if (slashIdx === -1) {
+            return { name: spec, versionSpec: null };
+        }
+        const afterSlash = spec.slice(slashIdx + 1);
+        const atIdx = afterSlash.indexOf("@");
+        if (atIdx === -1) {
+            return { name: spec, versionSpec: null };
+        }
+        return {
+            name: spec.slice(0, slashIdx + 1 + atIdx),
+            versionSpec: afterSlash.slice(atIdx + 1),
+        };
+    }
+    // Unscoped: pkg@version
+    const atIdx = spec.indexOf("@");
+    if (atIdx === -1 || atIdx === 0) {
+        return { name: spec, versionSpec: null };
+    }
+    return {
+        name: spec.slice(0, atIdx),
+        versionSpec: spec.slice(atIdx + 1),
+    };
+}
+/**
+ * Resolve what version npm would install for a given package specifier.
+ * Uses `npm view <spec> version` to get the resolved version.
+ */
+function resolveVersion(spec) {
+    try {
+        const version = (0, node_child_process_1.execSync)(`npm view "${spec}" version`, {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+            timeout: 15000,
+        }).trim();
+        return version || null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Build PackageInput[] from package specifiers by resolving versions.
+ */
+function resolvePackages(specs) {
+    const resolved = [];
+    const failed = [];
+    for (const spec of specs) {
+        const { name, versionSpec } = parsePackageSpec(spec);
+        const querySpec = versionSpec ? `${name}@${versionSpec}` : name;
+        const version = resolveVersion(querySpec);
+        if (version) {
+            resolved.push({
+                name,
+                version,
+                previousVersion: null,
+                isNew: true,
+            });
+        }
+        else {
+            failed.push(spec);
+        }
+    }
+    return { resolved, failed };
+}
+/**
+ * Run the actual npm command, inheriting stdio.
+ * Returns the npm exit code.
+ */
+function runNpm(args) {
+    return new Promise((resolve) => {
+        const child = (0, node_child_process_1.spawn)("npm", args, {
+            stdio: "inherit",
+            shell: false,
+        });
+        child.on("close", (code) => resolve(code ?? 1));
+        child.on("error", () => resolve(1));
+    });
+}
+/**
+ * Main npm wrapper entry point.
+ */
+async function handleNpmCommand(npmArgs, config) {
+    const parsed = parseNpmArgs(npmArgs);
+    // Non-install commands: pass through directly
+    if (!parsed.shouldScan) {
+        const code = await runNpm(parsed.rawArgs);
+        process.exit(code);
+    }
+    // No packages specified (e.g. bare `npm install` from package.json)
+    if (parsed.packages.length === 0) {
+        process.stderr.write((0, color_1.dim)("  Dependency Guardian: no new packages specified, passing through to npm.\n"));
+        const code = await runNpm(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Resolve versions
+    process.stderr.write((0, color_1.dim)(`  Resolving ${parsed.packages.length} package${parsed.packages.length !== 1 ? "s" : ""}...\n`));
+    const { resolved, failed } = resolvePackages(parsed.packages);
+    if (failed.length > 0) {
+        process.stderr.write((0, color_1.yellow)(`  Warning: Could not resolve versions for: ${failed.join(", ")}\n`));
+    }
+    if (resolved.length === 0) {
+        process.stderr.write((0, color_1.dim)("  No packages to scan. Passing through to npm.\n"));
+        const code = await runNpm(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Filter allowlist
+    const toScan = resolved.filter((p) => !config.allowlist.includes(p.name));
+    if (toScan.length === 0) {
+        process.stderr.write((0, color_1.dim)("  All packages are allowlisted. Passing through to npm.\n"));
+        const code = await runNpm(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Scan
+    process.stderr.write((0, color_1.dim)(`  Scanning ${toScan.length} package${toScan.length !== 1 ? "s" : ""}...\n`));
+    let result;
+    try {
+        const startMs = Date.now();
+        result = await (0, api_1.callAnalyzeAPI)(toScan, config);
+        const elapsed = Date.now() - startMs;
+        if (config.debug) {
+            process.stderr.write((0, color_1.dim)(`  [debug] API responded in ${elapsed}ms, action=${result.action}, score=${result.score}\n`));
+        }
+    }
+    catch (error) {
+        // API unavailable — warn and proceed
+        const msg = error instanceof Error ? error.message : String(error);
+        process.stderr.write((0, color_1.yellow)(`  Warning: Scan failed (${msg}). Proceeding with install.\n`));
+        const code = await runNpm(parsed.rawArgs);
+        process.exit(code);
+        return; // unreachable, but helps TypeScript
+    }
+    // Handle result
+    if (result.action === "pass") {
+        process.stderr.write((0, color_1.green)(`  ${(0, color_1.bold)("\u2713")} ${toScan.length} package${toScan.length !== 1 ? "s" : ""} scanned \u2014 all clear\n\n`));
+        const code = await runNpm(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Render findings
+    const output = (0, output_1.renderResult)(result, config);
+    process.stdout.write(output + "\n");
+    if (result.action === "warn") {
+        process.stderr.write((0, color_1.yellow)("  Warnings detected. Proceeding with install.\n\n"));
+        const code = await runNpm(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Block
+    if (result.action === "block") {
+        if (parsed.dgForce) {
+            process.stderr.write((0, color_1.yellow)((0, color_1.bold)("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
+            const code = await runNpm(parsed.rawArgs);
+            process.exit(code);
+        }
+        process.stderr.write((0, color_1.red)((0, color_1.bold)("  BLOCKED: ")) +
+            (0, color_1.red)("High-risk packages detected. Install aborted.\n"));
+        process.stderr.write((0, color_1.dim)("  Use --dg-force to bypass this check.\n\n"));
+        process.exit(2);
+    }
+}
+const WRAP_USAGE = `
+  Set up dg as your npm wrapper:
+
+  Option 1 — Shell alias (recommended):
+    Add to your ~/.zshrc or ~/.bashrc:
+      alias npm='dg npm'
+
+  Option 2 — Per-project .npmrc:
+    Not yet supported.
+
+  Once set up, every \`npm install\` will be scanned automatically.
+`.trimStart();
+function handleWrapCommand() {
+    process.stdout.write(WRAP_USAGE);
+}
+
+
 /***/ }),
 
 /***/ 202:
@@ -538,9 +861,10 @@ function renderResult(result, config) {
         lines.push("");
         return lines.join("\n");
     }
-    // Package table
-    const COL_NAME = 22;
-    const COL_VER = 22;
+    // Package table — adapt to terminal width
+    const termWidth = process.stdout.columns || 80;
+    const COL_NAME = Math.max(16, Math.min(40, Math.floor(termWidth * 0.3)));
+    const COL_VER = Math.max(14, Math.min(30, Math.floor(termWidth * 0.25)));
     const COL_SCORE = 7;
     lines.push(`  ${(0, color_1.dim)(pad("Package", COL_NAME))}${(0, color_1.dim)(pad("Version", COL_VER))}${(0, color_1.dim)(pad("Score", COL_SCORE))}${(0, color_1.dim)("Action")}`);
     lines.push(`  ${(0, color_1.dim)(pad("\u2500".repeat(COL_NAME - 2), COL_NAME))}${(0, color_1.dim)(pad("\u2500".repeat(COL_VER - 2), COL_VER))}${(0, color_1.dim)(pad("\u2500".repeat(COL_SCORE - 2), COL_SCORE))}${(0, color_1.dim)("\u2500".repeat(6))}`);
@@ -721,7 +1045,7 @@ function parseLockfile(content) {
             if (path === "")
                 continue;
             const name = extractPackageName(path);
-            if (name) {
+            if (name && !packages.has(name)) {
                 const e = entry;
                 packages.set(name, {
                     version: e.version ?? "",
@@ -778,6 +1102,13 @@ module.exports = require("node:fs");
 
 /***/ }),
 
+/***/ 161:
+/***/ ((module) => {
+
+module.exports = require("node:os");
+
+/***/ }),
+
 /***/ 760:
 /***/ ((module) => {
 
@@ -841,15 +1172,35 @@ const lockfile_1 = __nccwpck_require__(746);
 const api_1 = __nccwpck_require__(879);
 const output_1 = __nccwpck_require__(202);
 const color_1 = __nccwpck_require__(988);
+const npm_wrapper_1 = __nccwpck_require__(124);
 async function main() {
+    // Check for `dg npm ...` or `dg wrap` before full config parsing
+    const rawCommand = process.argv[2];
+    if (rawCommand === "npm") {
+        // Parse config but don't require lockfile discovery
+        const config = (0, config_1.parseConfig)(process.argv);
+        await (0, npm_wrapper_1.handleNpmCommand)(process.argv.slice(3), config);
+        return;
+    }
+    if (rawCommand === "wrap") {
+        (0, npm_wrapper_1.handleWrapCommand)();
+        return;
+    }
     const config = (0, config_1.parseConfig)(process.argv);
+    const dbg = (msg) => {
+        if (config.debug)
+            process.stderr.write((0, color_1.dim)(`  [debug] ${msg}\n`));
+    };
     if (config.mode === "off") {
         process.stderr.write((0, color_1.dim)("  Dependency Guardian: mode is off — skipping.\n"));
         process.exit(0);
     }
+    dbg(`mode=${config.mode} block=${config.blockThreshold} warn=${config.warnThreshold} max=${config.maxPackages}`);
+    dbg(`api=${config.apiUrl}`);
     // Discover packages
     process.stderr.write((0, color_1.dim)("  Discovering package changes...\n"));
     const discovery = (0, lockfile_1.discoverChanges)(process.cwd(), config);
+    dbg(`discovery method: ${discovery.method}`);
     if (discovery.packages.length === 0) {
         process.stderr.write((0, color_1.dim)("  No package changes detected.\n"));
         process.exit(0);
@@ -864,10 +1215,13 @@ async function main() {
     if (discovery.skipped.length > 0) {
         process.stderr.write((0, color_1.yellow)(`  Warning: ${discovery.skipped.length} package(s) skipped (max-packages=${config.maxPackages})\n`));
     }
+    dbg(`packages to scan: ${packages.map(p => `${p.name}@${p.version}`).slice(0, 10).join(", ")}${packages.length > 10 ? ` (+${packages.length - 10} more)` : ""}`);
     // Call Detection API
+    const startMs = Date.now();
     const result = await (0, api_1.callAnalyzeAPI)(packages, config, (done, total) => {
         process.stderr.write((0, color_1.dim)(`  Analyzed ${done}/${total}...\n`));
     });
+    dbg(`API responded in ${Date.now() - startMs}ms, action=${result.action}, score=${result.score}`);
     // Render output
     const output = (0, output_1.renderResult)(result, config);
     process.stdout.write(output + "\n");
@@ -882,7 +1236,7 @@ async function main() {
 }
 main().catch((err) => {
     process.stderr.write(`\n  ${(0, color_1.bold)((0, color_1.red)("Error:"))} ${err.message}\n\n`);
-    process.exit(1);
+    process.exit(3); // Exit 3 = internal error (distinct from exit 1 = warnings)
 });
 
 })();