@westbayberry/dg 1.0.2 → 1.0.4

package/dist/index.js

@@ -1,892 +0,0 @@
-#!/usr/bin/env node
-/******/ (() => { // webpackBootstrap
-/******/ 	"use strict";
-/******/ 	var __webpack_modules__ = ({
-
-/***/ 879:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.APIError = void 0;
-exports.callAnalyzeAPI = callAnalyzeAPI;
-class APIError extends Error {
-    constructor(message, statusCode, body) {
-        super(message);
-        this.statusCode = statusCode;
-        this.body = body;
-        this.name = "APIError";
-    }
-}
-exports.APIError = APIError;
-const BATCH_SIZE = 15;
-const MAX_RETRIES = 2;
-const RETRY_DELAY_MS = 5000;
-async function callAnalyzeAPI(packages, config, onProgress) {
-    if (packages.length <= BATCH_SIZE) {
-        return callAnalyzeBatch(packages, config);
-    }
-    const batches = [];
-    for (let i = 0; i < packages.length; i += BATCH_SIZE) {
-        batches.push(packages.slice(i, i + BATCH_SIZE));
-    }
-    // Process batches sequentially — parallel batches overload the server on cold scans
-    const results = [];
-    let completed = 0;
-    for (const batch of batches) {
-        const result = await callBatchWithRetry(batch, config);
-        completed += batch.length;
-        if (onProgress) {
-            onProgress(completed, packages.length);
-        }
-        results.push(result);
-    }
-    return mergeResponses(results, config);
-}
-/**
- * Retry a batch on 504 (gateway timeout). The server continues processing
- * during a timeout, so retries find previously-analyzed packages cached
- * in Redis — fewer cold packages means faster response.
- */
-async function callBatchWithRetry(packages, config) {
-    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
-        try {
-            return await callAnalyzeBatch(packages, config);
-        }
-        catch (error) {
-            const is504 = error instanceof APIError && error.statusCode === 504;
-            const isTimeout = error instanceof APIError && error.statusCode === 408;
-            if ((is504 || isTimeout) && attempt < MAX_RETRIES) {
-                // Server is still working — wait, then retry.
-                // Packages that finished before the timeout are now cached.
-                const delay = RETRY_DELAY_MS * (attempt + 1);
-                process.stderr.write(`  Batch timed out, retrying in ${delay / 1000}s (attempt ${attempt + 2}/${MAX_RETRIES + 1})...\n`);
-                await new Promise((r) => setTimeout(r, delay));
-                continue;
-            }
-            throw error;
-        }
-    }
-    // Unreachable, but TypeScript needs it
-    throw new Error("Exhausted retries");
-}
-function mergeResponses(results, config) {
-    const allPackages = results.flatMap((r) => r.packages);
-    const maxScore = Math.max(0, ...allPackages.map((p) => p.score));
-    const action = maxScore >= config.blockThreshold
-        ? "block"
-        : maxScore >= config.warnThreshold
-            ? "warn"
-            : "pass";
-    const safeVersions = {};
-    for (const r of results) {
-        Object.assign(safeVersions, r.safeVersions);
-    }
-    return {
-        score: maxScore,
-        action: action,
-        packages: allPackages,
-        safeVersions,
-        durationMs: Math.max(0, ...results.map((r) => r.durationMs)),
-    };
-}
-async function callAnalyzeBatch(packages, config) {
-    const url = `${config.apiUrl}/v1/analyze`;
-    const payload = {
-        packages: packages.map((p) => ({
-            name: p.name,
-            version: p.version,
-            previousVersion: p.previousVersion,
-            isNew: p.isNew,
-        })),
-        config: {
-            blockThreshold: config.blockThreshold,
-            warnThreshold: config.warnThreshold,
-        },
-    };
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), 120000);
-    let response;
-    try {
-        response = await fetch(url, {
-            method: "POST",
-            headers: {
-                "Content-Type": "application/json",
-                Authorization: `Bearer ${config.apiKey}`,
-                "User-Agent": "dependency-guardian-cli/1.0.0",
-            },
-            body: JSON.stringify(payload),
-            signal: controller.signal,
-        });
-    }
-    catch (error) {
-        clearTimeout(timeoutId);
-        if (error instanceof Error && error.name === "AbortError") {
-            throw new APIError("Request timed out after 120s. Try scanning fewer packages.", 408, "");
-        }
-        // Node.js fetch wraps the real error in .cause
-        const cause = error instanceof Error && error.cause;
-        const detail = cause ? `: ${cause.message || cause}` : "";
-        throw new Error(`fetch failed${detail}`);
-    }
-    clearTimeout(timeoutId);
-    if (response.status === 401) {
-        throw new APIError("Invalid API key. Check your --api-key or DG_API_KEY value.\n" +
-            "Get your key at https://westbayberry.com/dashboard", 401, "");
-    }
-    if (response.status === 429) {
-        throw new APIError("Rate limit exceeded. Upgrade your plan at https://westbayberry.com/pricing", 429, "");
-    }
-    if (!response.ok) {
-        const body = await response.text();
-        throw new APIError(`API returned ${response.status}: ${body}`, response.status, body);
-    }
-    return (await response.json());
-}
-
-
-/***/ }),
-
-/***/ 988:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-/**
- * Zero-dependency ANSI color helpers.
- * Disabled when stdout is not a TTY or NO_COLOR is set.
- */
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.cyan = exports.yellow = exports.green = exports.red = exports.dim = exports.bold = void 0;
-const enabled = process.stdout.isTTY === true && !process.env.NO_COLOR;
-const wrap = (code, reset) => enabled ? (s) => `\x1b[${code}m${s}\x1b[${reset}m` : (s) => s;
-exports.bold = wrap("1", "22");
-exports.dim = wrap("2", "22");
-exports.red = wrap("31", "39");
-exports.green = wrap("32", "39");
-exports.yellow = wrap("33", "39");
-exports.cyan = wrap("36", "39");
-
-
-/***/ }),
-
-/***/ 973:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.USAGE = void 0;
-exports.parseConfig = parseConfig;
-exports.getVersion = getVersion;
-const node_util_1 = __nccwpck_require__(975);
-const node_fs_1 = __nccwpck_require__(24);
-const node_path_1 = __nccwpck_require__(760);
-const USAGE = `
-  Dependency Guardian — Supply chain security scanner
-
-  Usage:
-    dependency-guardian scan [options]
-    dg scan [options]
-
-  Commands:
-    scan          Scan dependencies for security risks (default)
-
-  Options:
-    --api-key <key>          API key (or set DG_API_KEY env var)
-    --api-url <url>          API base URL (default: https://api.westbayberry.com)
-    --mode <mode>            block | warn | off (default: warn)
-    --block-threshold <n>    Score threshold for blocking (default: 70)
-    --warn-threshold <n>     Score threshold for warnings (default: 60)
-    --max-packages <n>       Max packages per scan (default: 200)
-    --allowlist <pkgs>       Comma-separated package names to skip
-    --json                   Output JSON for CI parsing
-    --scan-all               Scan all packages, not just changed
-    --base-lockfile <path>   Path to base lockfile for explicit diff
-    --help                   Show this help message
-    --version                Show version number
-
-  Environment Variables:
-    DG_API_KEY               API key
-    DG_API_URL               API base URL
-    DG_MODE                  Mode (block/warn/off)
-    DG_ALLOWLIST             Comma-separated allowlist
-
-  Exit Codes:
-    0  pass    — No risks detected
-    1  warn    — Risks detected (advisory)
-    2  block   — High-risk packages detected
-
-  Examples:
-    DG_API_KEY=dg_live_xxx dg scan
-    dg scan --api-key dg_live_xxx --json
-    dg scan --scan-all --mode block
-    dg scan --base-lockfile ./main-lockfile.json
-`.trimStart();
-exports.USAGE = USAGE;
-function getVersion() {
-    try {
-        const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
-        return pkg.version ?? "1.0.0";
-    }
-    catch {
-        return "1.0.0";
-    }
-}
-function parseConfig(argv) {
-    const { values, positionals } = (0, node_util_1.parseArgs)({
-        args: argv.slice(2),
-        options: {
-            "api-key": { type: "string" },
-            "api-url": { type: "string" },
-            mode: { type: "string" },
-            "block-threshold": { type: "string" },
-            "warn-threshold": { type: "string" },
-            "max-packages": { type: "string" },
-            allowlist: { type: "string" },
-            json: { type: "boolean", default: false },
-            "scan-all": { type: "boolean", default: false },
-            "base-lockfile": { type: "string" },
-            help: { type: "boolean", default: false },
-            version: { type: "boolean", default: false },
-        },
-        allowPositionals: true,
-        strict: false,
-    });
-    if (values.help) {
-        process.stdout.write(USAGE);
-        process.exit(0);
-    }
-    if (values.version) {
-        process.stdout.write(`dependency-guardian v${getVersion()}\n`);
-        process.exit(0);
-    }
-    const command = positionals[0] ?? "scan";
-    if (values["api-key"]) {
-        process.stderr.write("Warning: --api-key is deprecated (visible in process list). Use DG_API_KEY env var instead.\n");
-    }
-    const apiKey = values["api-key"] ??
-        process.env.DG_API_KEY ??
-        "";
-    if (!apiKey) {
-        process.stderr.write("Error: API key required. Set DG_API_KEY environment variable.\n" +
-            "Do NOT pass keys via --api-key (visible in process list).\n" +
-            "Get your key at https://westbayberry.com/dashboard\n");
-        process.exit(1);
-    }
-    const modeRaw = values.mode ??
-        process.env.DG_MODE ??
-        "warn";
-    if (!["block", "warn", "off"].includes(modeRaw)) {
-        process.stderr.write(`Error: Invalid mode "${modeRaw}". Must be block, warn, or off.\n`);
-        process.exit(1);
-    }
-    const allowlistRaw = values.allowlist ??
-        process.env.DG_ALLOWLIST ??
-        "";
-    return {
-        apiKey,
-        apiUrl: values["api-url"] ??
-            process.env.DG_API_URL ??
-            "https://api.westbayberry.com",
-        mode: modeRaw,
-        blockThreshold: Number(values["block-threshold"] ?? "70"),
-        warnThreshold: Number(values["warn-threshold"] ?? "60"),
-        maxPackages: Number(values["max-packages"] ?? "200"),
-        allowlist: allowlistRaw
-            .split(",")
-            .map((s) => s.trim())
-            .filter(Boolean),
-        json: values.json,
-        scanAll: values["scan-all"],
-        baseLockfile: values["base-lockfile"] ?? null,
-        command,
-    };
-}
-
-
-/***/ }),
-
-/***/ 746:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.discoverChanges = discoverChanges;
-const node_child_process_1 = __nccwpck_require__(421);
-const node_fs_1 = __nccwpck_require__(24);
-const node_path_1 = __nccwpck_require__(760);
-const parse_package_lock_1 = __nccwpck_require__(88);
-const diff_1 = __nccwpck_require__(229);
-const parse_package_json_1 = __nccwpck_require__(417);
-/**
- * Discover changed (or all) packages by reading the local lockfile
- * and comparing against a base.
- */
-function discoverChanges(cwd, config) {
-    const lockfilePath = findLockfile(cwd);
-    if (!lockfilePath) {
-        throw new Error("No package-lock.json found. Run from your project root or use --base-lockfile.");
-    }
-    const headContent = (0, node_fs_1.readFileSync)(lockfilePath, "utf-8");
-    const headParsed = (0, parse_package_lock_1.parseLockfile)(headContent);
-    const directDeps = getDirectDeps(cwd);
-    // 1. --scan-all: treat everything as new
-    if (config.scanAll) {
-        const packages = [];
-        for (const [name, entry] of headParsed.packages) {
-            if (packages.length >= config.maxPackages)
-                break;
-            packages.push({
-                name,
-                version: entry.version,
-                previousVersion: null,
-                isNew: true,
-            });
-        }
-        return { packages, method: "scan-all", skipped: [] };
-    }
-    // 2. --base-lockfile: explicit diff
-    if (config.baseLockfile) {
-        if (!(0, node_fs_1.existsSync)(config.baseLockfile)) {
-            throw new Error(`Base lockfile not found: ${config.baseLockfile}`);
-        }
-        const baseContent = (0, node_fs_1.readFileSync)(config.baseLockfile, "utf-8");
-        const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
-        const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
-        return {
-            packages: diff.changes.map(toPackageInput),
-            method: "base-lockfile",
-            skipped: diff.skipped,
-        };
-    }
-    // 3. Git auto-diff
-    const baseContent = getGitBaseLockfile(cwd);
-    if (baseContent !== null) {
-        const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
-        const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
-        return {
-            packages: diff.changes.map(toPackageInput),
-            method: "git-diff",
-            skipped: diff.skipped,
-        };
-    }
-    // 4. Fallback: try package.json diff, resolve ranges via lockfile
-    const pkgJsonPath = (0, node_path_1.join)(cwd, "package.json");
-    if ((0, node_fs_1.existsSync)(pkgJsonPath)) {
-        const headPkgJson = (0, node_fs_1.readFileSync)(pkgJsonPath, "utf-8");
-        const basePkgJson = getGitBaseFile(cwd, "package.json");
-        if (basePkgJson !== null) {
-            const diff = (0, parse_package_json_1.diffPackageJsons)(basePkgJson, headPkgJson, config.maxPackages);
-            // Resolve semver ranges (e.g. "^3.0.1") to exact versions from the lockfile
-            const resolved = diff.changes.map((change) => {
-                const lockEntry = headParsed.packages.get(change.name);
-                return {
-                    ...change,
-                    newVersion: lockEntry?.version ?? change.newVersion,
-                };
-            });
-            return {
-                packages: resolved.map(toPackageInput),
-                method: "fallback",
-                skipped: [],
-            };
-        }
-    }
-    // Ultimate fallback: scan everything
-    const packages = [];
-    for (const [name, entry] of headParsed.packages) {
-        if (packages.length >= config.maxPackages)
-            break;
-        packages.push({
-            name,
-            version: entry.version,
-            previousVersion: null,
-            isNew: true,
-        });
-    }
-    return { packages, method: "fallback", skipped: [] };
-}
-function findLockfile(cwd) {
-    const candidates = ["package-lock.json", "npm-shrinkwrap.json"];
-    for (const name of candidates) {
-        const p = (0, node_path_1.join)(cwd, name);
-        if ((0, node_fs_1.existsSync)(p))
-            return p;
-    }
-    return null;
-}
-function getDirectDeps(cwd) {
-    try {
-        const content = (0, node_fs_1.readFileSync)((0, node_path_1.join)(cwd, "package.json"), "utf-8");
-        const pkg = JSON.parse(content);
-        return new Set([
-            ...Object.keys(pkg.dependencies ?? {}),
-            ...Object.keys(pkg.devDependencies ?? {}),
-        ]);
-    }
-    catch {
-        return new Set();
-    }
-}
-function getGitBaseLockfile(cwd) {
-    try {
-        const mergeBase = (0, node_child_process_1.execSync)("git merge-base HEAD main", {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        }).trim();
-        if (!mergeBase)
-            return null;
-        return (0, node_child_process_1.execSync)(`git show ${mergeBase}:package-lock.json`, {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        });
-    }
-    catch {
-        // Not a git repo, no main branch, or file doesn't exist at base
-        return null;
-    }
-}
-function getGitBaseFile(cwd, filename) {
-    try {
-        const mergeBase = (0, node_child_process_1.execSync)("git merge-base HEAD main", {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        }).trim();
-        if (!mergeBase)
-            return null;
-        return (0, node_child_process_1.execSync)(`git show ${mergeBase}:${filename}`, {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        });
-    }
-    catch {
-        return null;
-    }
-}
-function toPackageInput(change) {
-    return {
-        name: change.name,
-        version: change.newVersion,
-        previousVersion: change.oldVersion,
-        isNew: change.oldVersion === null,
-    };
-}
-
-
-/***/ }),
-
-/***/ 202:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.renderResult = renderResult;
-const color_1 = __nccwpck_require__(988);
-const SEVERITY_LABELS = {
-    5: "CRITICAL",
-    4: "HIGH",
-    3: "MEDIUM",
-    2: "LOW",
-    1: "INFO",
-};
-function severityColor(sev) {
-    if (sev >= 5)
-        return (s) => (0, color_1.bold)((0, color_1.red)(s));
-    if (sev >= 4)
-        return color_1.red;
-    if (sev >= 3)
-        return color_1.yellow;
-    if (sev >= 2)
-        return color_1.cyan;
-    return color_1.dim;
-}
-function actionColor(action) {
-    if (action === "block")
-        return color_1.red;
-    if (action === "warn")
-        return color_1.yellow;
-    return color_1.green;
-}
-function pad(s, len) {
-    return s + " ".repeat(Math.max(0, len - s.length));
-}
-function rpad(s, len) {
-    return " ".repeat(Math.max(0, len - s.length)) + s;
-}
-function renderResult(result, config) {
-    if (config.json) {
-        return JSON.stringify(result, null, 2);
-    }
-    const lines = [];
-    const actionStr = result.action.toUpperCase();
-    const colorAction = actionColor(result.action);
-    // Header
-    lines.push("");
-    lines.push(`  ${(0, color_1.bold)("Dependency Guardian")}`);
-    lines.push(`  Score: ${(0, color_1.bold)(String(result.score))}${" ".repeat(Math.max(1, 50 - String(result.score).length))}${colorAction(actionStr)}`);
-    lines.push("");
-    // Summary
-    const flagged = result.packages.filter((p) => p.score > 0).length;
-    const total = result.packages.length;
-    lines.push(`  ${total} package${total !== 1 ? "s" : ""} scanned, ${flagged} flagged`);
-    lines.push("");
-    if (total === 0) {
-        lines.push("  No packages to scan.");
-        lines.push("");
-        return lines.join("\n");
-    }
-    // Package table
-    const COL_NAME = 22;
-    const COL_VER = 22;
-    const COL_SCORE = 7;
-    lines.push(`  ${(0, color_1.dim)(pad("Package", COL_NAME))}${(0, color_1.dim)(pad("Version", COL_VER))}${(0, color_1.dim)(pad("Score", COL_SCORE))}${(0, color_1.dim)("Action")}`);
-    lines.push(`  ${(0, color_1.dim)(pad("\u2500".repeat(COL_NAME - 2), COL_NAME))}${(0, color_1.dim)(pad("\u2500".repeat(COL_VER - 2), COL_VER))}${(0, color_1.dim)(pad("\u2500".repeat(COL_SCORE - 2), COL_SCORE))}${(0, color_1.dim)("\u2500".repeat(6))}`);
-    // Sort: flagged first, then by score desc
-    const sorted = [...result.packages].sort((a, b) => b.score - a.score);
-    for (const pkg of sorted) {
-        const versionStr = pkg.version;
-        const safe = result.safeVersions[pkg.name];
-        const verDisplay = safe ? `${(0, color_1.dim)(safe + " \u2192 ")}${versionStr}` : versionStr;
-        const pkgAction = pkg.score >= config.blockThreshold
-            ? "BLOCK"
-            : pkg.score >= config.warnThreshold
-                ? "WARN"
-                : "pass";
-        const pkgColor = actionColor(pkg.score >= config.blockThreshold
-            ? "block"
-            : pkg.score >= config.warnThreshold
-                ? "warn"
-                : "pass");
-        lines.push(`  ${pad(truncate(pkg.name, COL_NAME - 2), COL_NAME)}${pad(verDisplay, COL_VER)}${rpad(String(pkg.score), COL_SCORE - 2)}  ${pkgColor(pkgAction)}`);
-    }
-    lines.push("");
-    // Detailed findings for flagged packages
-    const flaggedPkgs = sorted.filter((p) => p.score > 0);
-    for (const pkg of flaggedPkgs) {
-        lines.push(renderPackageDetail(pkg, result.safeVersions[pkg.name]));
-    }
-    // Duration
-    if (result.durationMs) {
-        lines.push(`  ${(0, color_1.dim)(`Completed in ${(result.durationMs / 1000).toFixed(1)}s`)}`);
-        lines.push("");
-    }
-    return lines.join("\n");
-}
-function renderPackageDetail(pkg, safeVersion) {
-    const lines = [];
-    const header = `${pkg.name}@${pkg.version} (score: ${pkg.score})`;
-    const rule = "\u2500".repeat(Math.max(0, 50 - header.length));
-    lines.push(`  ${(0, color_1.dim)("\u2500\u2500")} ${(0, color_1.bold)(header)} ${(0, color_1.dim)(rule)}`);
-    lines.push("");
-    for (const finding of pkg.findings) {
-        // Skip low-severity informational findings in detail view
-        if (finding.severity <= 1 && !finding.critical)
-            continue;
-        const sevLabel = SEVERITY_LABELS[finding.severity] ?? "INFO";
-        const colorFn = severityColor(finding.severity);
-        lines.push(`  ${colorFn(pad(sevLabel, 10))}${finding.id} \u2014 ${finding.title} (sev ${finding.severity}, conf ${finding.confidence.toFixed(2)})`);
-        // Show up to 3 evidence lines
-        const evidenceLimit = 3;
-        for (let i = 0; i < Math.min(finding.evidence.length, evidenceLimit); i++) {
-            lines.push(`  ${" ".repeat(10)}${(0, color_1.dim)(truncate(finding.evidence[i], 80))}`);
-        }
-        if (finding.evidence.length > evidenceLimit) {
-            lines.push(`  ${" ".repeat(10)}${(0, color_1.dim)(`... and ${finding.evidence.length - evidenceLimit} more`)}`);
-        }
-        lines.push("");
-    }
-    if (safeVersion) {
-        lines.push(`  ${(0, color_1.green)(`Safe version: ${pkg.name}@${safeVersion}`)}`);
-        lines.push("");
-    }
-    return lines.join("\n");
-}
-function truncate(s, max) {
-    if (s.length <= max)
-        return s;
-    return s.slice(0, max - 1) + "\u2026";
-}
-
-
-/***/ }),
-
-/***/ 229:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.diffLockfiles = diffLockfiles;
-function diffLockfiles(base, head, maxPackages, directDeps) {
-    const allChanges = [];
-    for (const [name, headEntry] of head.packages) {
-        const baseEntry = base?.packages.get(name);
-        if (!baseEntry) {
-            allChanges.push({
-                name,
-                oldVersion: null,
-                newVersion: headEntry.version,
-                isDirect: directDeps?.has(name) ?? false,
-                isDev: headEntry.dev ?? false,
-            });
-        }
-        else if (baseEntry.version !== headEntry.version) {
-            allChanges.push({
-                name,
-                oldVersion: baseEntry.version,
-                newVersion: headEntry.version,
-                isDirect: directDeps?.has(name) ?? false,
-                isDev: headEntry.dev ?? false,
-            });
-        }
-    }
-    allChanges.sort((a, b) => {
-        if (a.isDirect !== b.isDirect)
-            return a.isDirect ? -1 : 1;
-        return a.name.localeCompare(b.name);
-    });
-    if (allChanges.length <= maxPackages) {
-        return { changes: allChanges, skipped: [] };
-    }
-    const changes = allChanges.slice(0, maxPackages);
-    const skipped = allChanges.slice(maxPackages).map((c) => c.name);
-    return { changes, skipped };
-}
-
-
-/***/ }),
-
-/***/ 417:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.diffPackageJsons = diffPackageJsons;
-function diffPackageJsons(baseContent, headContent, maxPackages) {
-    const head = JSON.parse(headContent);
-    const headDeps = {
-        ...head.dependencies,
-        ...head.devDependencies,
-    };
-    let baseDeps = {};
-    if (baseContent) {
-        const base = JSON.parse(baseContent);
-        baseDeps = { ...base.dependencies, ...base.devDependencies };
-    }
-    const changes = [];
-    for (const [name, version] of Object.entries(headDeps)) {
-        if (changes.length >= maxPackages)
-            break;
-        const baseVersion = baseDeps[name];
-        const isDev = !!(head.devDependencies && head.devDependencies[name]);
-        if (!baseVersion) {
-            changes.push({
-                name,
-                oldVersion: null,
-                newVersion: version,
-                isDirect: true,
-                isDev,
-            });
-        }
-        else if (baseVersion !== version) {
-            changes.push({
-                name,
-                oldVersion: baseVersion,
-                newVersion: version,
-                isDirect: true,
-                isDev,
-            });
-        }
-    }
-    return { changes };
-}
-
-
-/***/ }),
-
-/***/ 88:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.parseLockfile = parseLockfile;
-function parseLockfile(content) {
-    const json = JSON.parse(content);
-    const lockfileVersion = json.lockfileVersion ?? 1;
-    const packages = new Map();
-    if (lockfileVersion >= 2 && json.packages) {
-        for (const [path, entry] of Object.entries(json.packages)) {
-            if (path === "")
-                continue;
-            const name = extractPackageName(path);
-            if (name) {
-                const e = entry;
-                packages.set(name, {
-                    version: e.version ?? "",
-                    resolved: e.resolved,
-                    integrity: e.integrity,
-                    dev: e.dev,
-                });
-            }
-        }
-    }
-    else if (json.dependencies) {
-        parseLegacyDeps(json.dependencies, packages);
-    }
-    return { lockfileVersion, packages };
-}
-function extractPackageName(nodePath) {
-    const prefix = "node_modules/";
-    const lastIdx = nodePath.lastIndexOf(prefix);
-    if (lastIdx === -1)
-        return null;
-    const name = nodePath.slice(lastIdx + prefix.length);
-    return name || null;
-}
-function parseLegacyDeps(deps, packages, parentPrefix = "") {
-    for (const [name, value] of Object.entries(deps)) {
-        const fullName = parentPrefix ? `${parentPrefix}/${name}` : name;
-        const entry = value;
-        packages.set(fullName, {
-            version: entry.version ?? "",
-            resolved: entry.resolved,
-            integrity: entry.integrity,
-            dev: entry.dev,
-        });
-        if (entry.dependencies) {
-            parseLegacyDeps(entry.dependencies, packages);
-        }
-    }
-}
-
-
-/***/ }),
-
-/***/ 421:
-/***/ ((module) => {
-
-module.exports = require("node:child_process");
-
-/***/ }),
-
-/***/ 24:
-/***/ ((module) => {
-
-module.exports = require("node:fs");
-
-/***/ }),
-
-/***/ 760:
-/***/ ((module) => {
-
-module.exports = require("node:path");
-
-/***/ }),
-
-/***/ 975:
-/***/ ((module) => {
-
-module.exports = require("node:util");
-
-/***/ })
-
-/******/ 	});
-/************************************************************************/
-/******/ 	// The module cache
-/******/ 	var __webpack_module_cache__ = {};
-/******/ 	
-/******/ 	// The require function
-/******/ 	function __nccwpck_require__(moduleId) {
-/******/ 		// Check if module is in cache
-/******/ 		var cachedModule = __webpack_module_cache__[moduleId];
-/******/ 		if (cachedModule !== undefined) {
-/******/ 			return cachedModule.exports;
-/******/ 		}
-/******/ 		// Create a new module (and put it into the cache)
-/******/ 		var module = __webpack_module_cache__[moduleId] = {
-/******/ 			// no module.id needed
-/******/ 			// no module.loaded needed
-/******/ 			exports: {}
-/******/ 		};
-/******/ 	
-/******/ 		// Execute the module function
-/******/ 		var threw = true;
-/******/ 		try {
-/******/ 			__webpack_modules__[moduleId](module, module.exports, __nccwpck_require__);
-/******/ 			threw = false;
-/******/ 		} finally {
-/******/ 			if(threw) delete __webpack_module_cache__[moduleId];
-/******/ 		}
-/******/ 	
-/******/ 		// Return the exports of the module
-/******/ 		return module.exports;
-/******/ 	}
-/******/ 	
-/************************************************************************/
-/******/ 	/* webpack/runtime/compat */
-/******/ 	
-/******/ 	if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";
-/******/ 	
-/************************************************************************/
-var __webpack_exports__ = {};
-// This entry need to be wrapped in an IIFE because it uses a non-standard name for the exports (exports).
-(() => {
-var exports = __webpack_exports__;
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-const config_1 = __nccwpck_require__(973);
-const lockfile_1 = __nccwpck_require__(746);
-const api_1 = __nccwpck_require__(879);
-const output_1 = __nccwpck_require__(202);
-const color_1 = __nccwpck_require__(988);
-async function main() {
-    const config = (0, config_1.parseConfig)(process.argv);
-    if (config.mode === "off") {
-        process.stderr.write((0, color_1.dim)("  Dependency Guardian: mode is off — skipping.\n"));
-        process.exit(0);
-    }
-    // Discover packages
-    process.stderr.write((0, color_1.dim)("  Discovering package changes...\n"));
-    const discovery = (0, lockfile_1.discoverChanges)(process.cwd(), config);
-    if (discovery.packages.length === 0) {
-        process.stderr.write((0, color_1.dim)("  No package changes detected.\n"));
-        process.exit(0);
-    }
-    // Filter allowlist
-    const packages = discovery.packages.filter((p) => !config.allowlist.includes(p.name));
-    if (packages.length === 0) {
-        process.stderr.write((0, color_1.dim)("  All changed packages are allowlisted.\n"));
-        process.exit(0);
-    }
-    process.stderr.write((0, color_1.dim)(`  Scanning ${packages.length} package${packages.length !== 1 ? "s" : ""} (${discovery.method})...\n`));
-    if (discovery.skipped.length > 0) {
-        process.stderr.write((0, color_1.yellow)(`  Warning: ${discovery.skipped.length} package(s) skipped (max-packages=${config.maxPackages})\n`));
-    }
-    // Call Detection API
-    const result = await (0, api_1.callAnalyzeAPI)(packages, config, (done, total) => {
-        process.stderr.write((0, color_1.dim)(`  Analyzed ${done}/${total}...\n`));
-    });
-    // Render output
-    const output = (0, output_1.renderResult)(result, config);
-    process.stdout.write(output + "\n");
-    // Exit code
-    if (result.action === "block" && config.mode === "block") {
-        process.exit(2);
-    }
-    else if (result.action === "block" || result.action === "warn") {
-        process.exit(1);
-    }
-    process.exit(0);
-}
-main().catch((err) => {
-    process.stderr.write(`\n  ${(0, color_1.bold)((0, color_1.red)("Error:"))} ${err.message}\n\n`);
-    process.exit(1);
-});
-
-})();
-
-module.exports = __webpack_exports__;
-/******/ })()
-;