@westbayberry/dg 1.0.3 → 1.0.4

package/dist/index.js

@@ -1,1246 +0,0 @@
-#!/usr/bin/env node
-/******/ (() => { // webpackBootstrap
-/******/ 	"use strict";
-/******/ 	var __webpack_modules__ = ({
-
-/***/ 879:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.APIError = void 0;
-exports.callAnalyzeAPI = callAnalyzeAPI;
-class APIError extends Error {
-    constructor(message, statusCode, body) {
-        super(message);
-        this.statusCode = statusCode;
-        this.body = body;
-        this.name = "APIError";
-    }
-}
-exports.APIError = APIError;
-const BATCH_SIZE = 15;
-const MAX_RETRIES = 2;
-const RETRY_DELAY_MS = 5000;
-async function callAnalyzeAPI(packages, config, onProgress) {
-    if (packages.length <= BATCH_SIZE) {
-        return callAnalyzeBatch(packages, config);
-    }
-    const batches = [];
-    for (let i = 0; i < packages.length; i += BATCH_SIZE) {
-        batches.push(packages.slice(i, i + BATCH_SIZE));
-    }
-    // Process batches sequentially — parallel batches overload the server on cold scans
-    const results = [];
-    let completed = 0;
-    for (const batch of batches) {
-        const result = await callBatchWithRetry(batch, config);
-        completed += batch.length;
-        if (onProgress) {
-            onProgress(completed, packages.length);
-        }
-        results.push(result);
-    }
-    return mergeResponses(results, config);
-}
-/**
- * Retry a batch on 504 (gateway timeout). The server continues processing
- * during a timeout, so retries find previously-analyzed packages cached
- * in Redis — fewer cold packages means faster response.
- */
-async function callBatchWithRetry(packages, config) {
-    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
-        try {
-            return await callAnalyzeBatch(packages, config);
-        }
-        catch (error) {
-            const is504 = error instanceof APIError && error.statusCode === 504;
-            const isTimeout = error instanceof APIError && error.statusCode === 408;
-            if ((is504 || isTimeout) && attempt < MAX_RETRIES) {
-                // Server is still working — wait, then retry.
-                // Packages that finished before the timeout are now cached.
-                const delay = RETRY_DELAY_MS * (attempt + 1);
-                process.stderr.write(`  Batch timed out, retrying in ${delay / 1000}s (attempt ${attempt + 2}/${MAX_RETRIES + 1})...\n`);
-                await new Promise((r) => setTimeout(r, delay));
-                continue;
-            }
-            throw error;
-        }
-    }
-    // Unreachable, but TypeScript needs it
-    throw new Error("Exhausted retries");
-}
-function mergeResponses(results, config) {
-    const allPackages = results.flatMap((r) => r.packages);
-    const maxScore = Math.max(0, ...allPackages.map((p) => p.score));
-    const action = maxScore >= config.blockThreshold
-        ? "block"
-        : maxScore >= config.warnThreshold
-            ? "warn"
-            : "pass";
-    const safeVersions = {};
-    for (const r of results) {
-        Object.assign(safeVersions, r.safeVersions);
-    }
-    return {
-        score: maxScore,
-        action: action,
-        packages: allPackages,
-        safeVersions,
-        durationMs: Math.max(0, ...results.map((r) => r.durationMs)),
-    };
-}
-async function callAnalyzeBatch(packages, config) {
-    const url = `${config.apiUrl}/v1/analyze`;
-    const payload = {
-        packages: packages.map((p) => ({
-            name: p.name,
-            version: p.version,
-            previousVersion: p.previousVersion,
-            isNew: p.isNew,
-        })),
-        config: {
-            blockThreshold: config.blockThreshold,
-            warnThreshold: config.warnThreshold,
-        },
-    };
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), 120000);
-    let response;
-    try {
-        response = await fetch(url, {
-            method: "POST",
-            headers: {
-                "Content-Type": "application/json",
-                Authorization: `Bearer ${config.apiKey}`,
-                "User-Agent": "dependency-guardian-cli/1.0.0",
-            },
-            body: JSON.stringify(payload),
-            signal: controller.signal,
-        });
-    }
-    catch (error) {
-        clearTimeout(timeoutId);
-        if (error instanceof Error && error.name === "AbortError") {
-            throw new APIError("Request timed out after 120s. Try scanning fewer packages.", 408, "");
-        }
-        // Node.js fetch wraps the real error in .cause
-        const cause = error instanceof Error && error.cause;
-        const detail = cause ? `: ${cause.message || cause}` : "";
-        throw new Error(`fetch failed${detail}`);
-    }
-    clearTimeout(timeoutId);
-    if (response.status === 401) {
-        throw new APIError("Invalid API key. Check your --api-key or DG_API_KEY value.\n" +
-            "Get your key at https://westbayberry.com/dashboard", 401, "");
-    }
-    if (response.status === 429) {
-        throw new APIError("Rate limit exceeded. Upgrade your plan at https://westbayberry.com/pricing", 429, "");
-    }
-    if (!response.ok) {
-        const body = await response.text();
-        throw new APIError(`API returned ${response.status}: ${body}`, response.status, body);
-    }
-    return (await response.json());
-}
-
-
-/***/ }),
-
-/***/ 988:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-/**
- * Zero-dependency ANSI color helpers.
- * Disabled when stdout is not a TTY or NO_COLOR is set.
- */
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.cyan = exports.yellow = exports.green = exports.red = exports.dim = exports.bold = void 0;
-const enabled = process.stdout.isTTY === true && !process.env.NO_COLOR;
-const wrap = (code, reset) => enabled ? (s) => `\x1b[${code}m${s}\x1b[${reset}m` : (s) => s;
-exports.bold = wrap("1", "22");
-exports.dim = wrap("2", "22");
-exports.red = wrap("31", "39");
-exports.green = wrap("32", "39");
-exports.yellow = wrap("33", "39");
-exports.cyan = wrap("36", "39");
-
-
-/***/ }),
-
-/***/ 973:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.USAGE = void 0;
-exports.parseConfig = parseConfig;
-exports.getVersion = getVersion;
-const node_util_1 = __nccwpck_require__(975);
-const node_fs_1 = __nccwpck_require__(24);
-const node_path_1 = __nccwpck_require__(760);
-const node_os_1 = __nccwpck_require__(161);
-function loadDgrc() {
-    const candidates = [
-        (0, node_path_1.join)(process.cwd(), ".dgrc.json"),
-        (0, node_path_1.join)((0, node_os_1.homedir)(), ".dgrc.json"),
-    ];
-    for (const filepath of candidates) {
-        if ((0, node_fs_1.existsSync)(filepath)) {
-            try {
-                return JSON.parse((0, node_fs_1.readFileSync)(filepath, "utf-8"));
-            }
-            catch {
-                process.stderr.write(`Warning: Failed to parse ${filepath}, ignoring.\n`);
-            }
-        }
-    }
-    return {};
-}
-const USAGE = `
-  Dependency Guardian — Supply chain security scanner
-
-  Usage:
-    dependency-guardian scan [options]
-    dg scan [options]
-    dg npm install <pkg> [npm-flags]
-    dg wrap
-
-  Commands:
-    scan          Scan dependencies for security risks (default)
-    npm           Wrap npm commands — scans packages before installing
-    wrap          Show instructions to alias npm to dg
-
-  Options:
-    --api-key <key>          API key (or set DG_API_KEY env var)
-    --api-url <url>          API base URL (default: https://api.westbayberry.com)
-    --mode <mode>            block | warn | off (default: warn)
-    --block-threshold <n>    Score threshold for blocking (default: 70)
-    --warn-threshold <n>     Score threshold for warnings (default: 60)
-    --max-packages <n>       Max packages per scan (default: 200)
-    --allowlist <pkgs>       Comma-separated package names to skip
-    --json                   Output JSON for CI parsing
-    --scan-all               Scan all packages, not just changed
-    --base-lockfile <path>   Path to base lockfile for explicit diff
-    --debug                  Show diagnostic output (discovery, batches, timing)
-    --no-config              Skip loading .dgrc.json config file
-    --help                   Show this help message
-    --version                Show version number
-
-  Config File:
-    Place a .dgrc.json in your project root or home directory.
-    Precedence: CLI flags > env vars > .dgrc.json > defaults
-
-  Environment Variables:
-    DG_API_KEY               API key
-    DG_API_URL               API base URL
-    DG_MODE                  Mode (block/warn/off)
-    DG_ALLOWLIST             Comma-separated allowlist
-    DG_DEBUG                 Enable debug output (set to 1)
-
-  Exit Codes:
-    0  pass    — No risks detected
-    1  warn    — Risks detected (advisory)
-    2  block   — High-risk packages detected
-    3  error   — Internal error (API failure, config error)
-
-  Examples:
-    DG_API_KEY=dg_live_xxx dg scan
-    dg scan --api-key dg_live_xxx --json
-    dg scan --scan-all --mode block
-    dg scan --base-lockfile ./main-lockfile.json
-    dg npm install express lodash
-    dg npm install @scope/pkg@^2.0.0
-    dg npm install risky-pkg --dg-force
-`.trimStart();
-exports.USAGE = USAGE;
-function getVersion() {
-    try {
-        const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
-        return pkg.version ?? "1.0.0";
-    }
-    catch {
-        return "1.0.0";
-    }
-}
-function parseConfig(argv) {
-    const { values, positionals } = (0, node_util_1.parseArgs)({
-        args: argv.slice(2),
-        options: {
-            "api-key": { type: "string" },
-            "api-url": { type: "string" },
-            mode: { type: "string" },
-            "block-threshold": { type: "string" },
-            "warn-threshold": { type: "string" },
-            "max-packages": { type: "string" },
-            allowlist: { type: "string" },
-            json: { type: "boolean", default: false },
-            "scan-all": { type: "boolean", default: false },
-            "base-lockfile": { type: "string" },
-            debug: { type: "boolean", default: false },
-            "no-config": { type: "boolean", default: false },
-            help: { type: "boolean", default: false },
-            version: { type: "boolean", default: false },
-        },
-        allowPositionals: true,
-        strict: false,
-    });
-    if (values.help) {
-        process.stdout.write(USAGE);
-        process.exit(0);
-    }
-    if (values.version) {
-        process.stdout.write(`dependency-guardian v${getVersion()}\n`);
-        process.exit(0);
-    }
-    const command = positionals[0] ?? "scan";
-    const noConfig = values["no-config"];
-    const dgrc = noConfig ? {} : loadDgrc();
-    if (values["api-key"]) {
-        process.stderr.write("Warning: --api-key is deprecated (visible in process list). Use DG_API_KEY env var instead.\n");
-    }
-    const apiKey = values["api-key"] ??
-        process.env.DG_API_KEY ??
-        dgrc.apiKey ??
-        "";
-    if (!apiKey) {
-        process.stderr.write("Error: API key required. Set DG_API_KEY environment variable.\n" +
-            "Do NOT pass keys via --api-key (visible in process list).\n" +
-            "Get your key at https://westbayberry.com/dashboard\n");
-        process.exit(1);
-    }
-    const modeRaw = values.mode ??
-        process.env.DG_MODE ??
-        dgrc.mode ??
-        "warn";
-    if (!["block", "warn", "off"].includes(modeRaw)) {
-        process.stderr.write(`Error: Invalid mode "${modeRaw}". Must be block, warn, or off.\n`);
-        process.exit(1);
-    }
-    const allowlistRaw = values.allowlist ??
-        process.env.DG_ALLOWLIST ??
-        "";
-    const blockThreshold = Number(values["block-threshold"] ?? dgrc.blockThreshold ?? "70");
-    const warnThreshold = Number(values["warn-threshold"] ?? dgrc.warnThreshold ?? "60");
-    const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
-    const debug = values.debug || process.env.DG_DEBUG === "1";
-    if (isNaN(blockThreshold) || blockThreshold < 0 || blockThreshold > 100) {
-        process.stderr.write("Error: --block-threshold must be a number between 0 and 100\n");
-        process.exit(1);
-    }
-    if (isNaN(warnThreshold) || warnThreshold < 0 || warnThreshold > 100) {
-        process.stderr.write("Error: --warn-threshold must be a number between 0 and 100\n");
-        process.exit(1);
-    }
-    if (isNaN(maxPackages) || maxPackages < 1 || maxPackages > 10000) {
-        process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
-        process.exit(1);
-    }
-    return {
-        apiKey,
-        apiUrl: values["api-url"] ??
-            process.env.DG_API_URL ??
-            dgrc.apiUrl ??
-            "https://api.westbayberry.com",
-        mode: modeRaw,
-        blockThreshold,
-        warnThreshold,
-        maxPackages,
-        allowlist: allowlistRaw
-            ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean)
-            : (dgrc.allowlist ?? []),
-        json: values.json,
-        scanAll: values["scan-all"],
-        baseLockfile: values["base-lockfile"] ?? null,
-        command,
-        debug,
-    };
-}
-
-
-/***/ }),
-
-/***/ 746:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.discoverChanges = discoverChanges;
-const node_child_process_1 = __nccwpck_require__(421);
-const node_fs_1 = __nccwpck_require__(24);
-const node_path_1 = __nccwpck_require__(760);
-const parse_package_lock_1 = __nccwpck_require__(88);
-const diff_1 = __nccwpck_require__(229);
-const parse_package_json_1 = __nccwpck_require__(417);
-/**
- * Discover changed (or all) packages by reading the local lockfile
- * and comparing against a base.
- */
-function discoverChanges(cwd, config) {
-    const lockfilePath = findLockfile(cwd);
-    if (!lockfilePath) {
-        throw new Error("No package-lock.json found. Run from your project root or use --base-lockfile.");
-    }
-    const headContent = (0, node_fs_1.readFileSync)(lockfilePath, "utf-8");
-    const headParsed = (0, parse_package_lock_1.parseLockfile)(headContent);
-    const directDeps = getDirectDeps(cwd);
-    // 1. --scan-all: treat everything as new
-    if (config.scanAll) {
-        const packages = [];
-        for (const [name, entry] of headParsed.packages) {
-            if (packages.length >= config.maxPackages)
-                break;
-            packages.push({
-                name,
-                version: entry.version,
-                previousVersion: null,
-                isNew: true,
-            });
-        }
-        return { packages, method: "scan-all", skipped: [] };
-    }
-    // 2. --base-lockfile: explicit diff
-    if (config.baseLockfile) {
-        if (!(0, node_fs_1.existsSync)(config.baseLockfile)) {
-            throw new Error(`Base lockfile not found: ${config.baseLockfile}`);
-        }
-        const baseContent = (0, node_fs_1.readFileSync)(config.baseLockfile, "utf-8");
-        const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
-        const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
-        return {
-            packages: diff.changes.map(toPackageInput),
-            method: "base-lockfile",
-            skipped: diff.skipped,
-        };
-    }
-    // 3. Git auto-diff
-    const baseContent = getGitBaseLockfile(cwd);
-    if (baseContent !== null) {
-        const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
-        const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
-        return {
-            packages: diff.changes.map(toPackageInput),
-            method: "git-diff",
-            skipped: diff.skipped,
-        };
-    }
-    // 4. Fallback: try package.json diff, resolve ranges via lockfile
-    const pkgJsonPath = (0, node_path_1.join)(cwd, "package.json");
-    if ((0, node_fs_1.existsSync)(pkgJsonPath)) {
-        const headPkgJson = (0, node_fs_1.readFileSync)(pkgJsonPath, "utf-8");
-        const basePkgJson = getGitBaseFile(cwd, "package.json");
-        if (basePkgJson !== null) {
-            const diff = (0, parse_package_json_1.diffPackageJsons)(basePkgJson, headPkgJson, config.maxPackages);
-            // Resolve semver ranges (e.g. "^3.0.1") to exact versions from the lockfile
-            const resolved = diff.changes.map((change) => {
-                const lockEntry = headParsed.packages.get(change.name);
-                return {
-                    ...change,
-                    newVersion: lockEntry?.version ?? change.newVersion,
-                };
-            });
-            return {
-                packages: resolved.map(toPackageInput),
-                method: "fallback",
-                skipped: [],
-            };
-        }
-    }
-    // Ultimate fallback: scan everything
-    const packages = [];
-    for (const [name, entry] of headParsed.packages) {
-        if (packages.length >= config.maxPackages)
-            break;
-        packages.push({
-            name,
-            version: entry.version,
-            previousVersion: null,
-            isNew: true,
-        });
-    }
-    return { packages, method: "fallback", skipped: [] };
-}
-function findLockfile(cwd) {
-    const candidates = ["package-lock.json", "npm-shrinkwrap.json"];
-    for (const name of candidates) {
-        const p = (0, node_path_1.join)(cwd, name);
-        if ((0, node_fs_1.existsSync)(p))
-            return p;
-    }
-    return null;
-}
-function getDirectDeps(cwd) {
-    try {
-        const content = (0, node_fs_1.readFileSync)((0, node_path_1.join)(cwd, "package.json"), "utf-8");
-        const pkg = JSON.parse(content);
-        return new Set([
-            ...Object.keys(pkg.dependencies ?? {}),
-            ...Object.keys(pkg.devDependencies ?? {}),
-        ]);
-    }
-    catch {
-        return new Set();
-    }
-}
-function getGitBaseLockfile(cwd) {
-    try {
-        const mergeBase = (0, node_child_process_1.execSync)("git merge-base HEAD main", {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        }).trim();
-        if (!mergeBase)
-            return null;
-        return (0, node_child_process_1.execSync)(`git show ${mergeBase}:package-lock.json`, {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        });
-    }
-    catch {
-        // Not a git repo, no main branch, or file doesn't exist at base
-        return null;
-    }
-}
-function getGitBaseFile(cwd, filename) {
-    try {
-        const mergeBase = (0, node_child_process_1.execSync)("git merge-base HEAD main", {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        }).trim();
-        if (!mergeBase)
-            return null;
-        return (0, node_child_process_1.execSync)(`git show ${mergeBase}:${filename}`, {
-            cwd,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-        });
-    }
-    catch {
-        return null;
-    }
-}
-function toPackageInput(change) {
-    return {
-        name: change.name,
-        version: change.newVersion,
-        previousVersion: change.oldVersion,
-        isNew: change.oldVersion === null,
-    };
-}
-
-
-/***/ }),
-
-/***/ 124:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.parseNpmArgs = parseNpmArgs;
-exports.parsePackageSpec = parsePackageSpec;
-exports.resolveVersion = resolveVersion;
-exports.resolvePackages = resolvePackages;
-exports.runNpm = runNpm;
-exports.handleNpmCommand = handleNpmCommand;
-exports.handleWrapCommand = handleWrapCommand;
-const node_child_process_1 = __nccwpck_require__(421);
-const color_1 = __nccwpck_require__(988);
-const api_1 = __nccwpck_require__(879);
-const output_1 = __nccwpck_require__(202);
-/** npm commands that install packages and should trigger a scan */
-const INSTALL_COMMANDS = new Set(["install", "i", "add", "update", "up"]);
-/**
- * Parse the argv after `dg npm ...` to extract the npm command and package specifiers.
- */
-function parseNpmArgs(args) {
-    let dgForce = false;
-    const filtered = [];
-    // Extract dg-specific flags before passing to npm
-    for (const arg of args) {
-        if (arg === "--dg-force") {
-            dgForce = true;
-        }
-        else {
-            filtered.push(arg);
-        }
-    }
-    const command = filtered[0] ?? "";
-    const shouldScan = INSTALL_COMMANDS.has(command);
-    // Extract package specifiers: anything that's not a flag and not the command itself
-    const packages = [];
-    if (shouldScan) {
-        for (let i = 1; i < filtered.length; i++) {
-            const arg = filtered[i];
-            // Skip flags and their values
-            if (arg.startsWith("-")) {
-                // Flags that take a value: skip next arg too
-                if (flagTakesValue(arg)) {
-                    i++;
-                }
-                continue;
-            }
-            packages.push(arg);
-        }
-    }
-    return {
-        command,
-        packages,
-        rawArgs: filtered,
-        dgForce,
-        shouldScan,
-    };
-}
-/** npm flags that consume the next argument as a value */
-function flagTakesValue(flag) {
-    const valueFlagPrefixes = [
-        "--save-prefix",
-        "--tag",
-        "--registry",
-        "--cache",
-        "--prefix",
-        "--fund",
-        "--omit",
-        "--install-strategy",
-        "--workspace",
-    ];
-    // Short flags that take values
-    if (flag === "-w")
-        return true;
-    for (const prefix of valueFlagPrefixes) {
-        if (flag === prefix)
-            return true;
-    }
-    // --flag=value style doesn't consume next arg
-    return false;
-}
-/**
- * Parse a package specifier like "express", "@scope/pkg@^2.0.0", "pkg@latest"
- * into { name, versionSpec }.
- */
-function parsePackageSpec(spec) {
-    // Scoped: @scope/pkg@version
-    if (spec.startsWith("@")) {
-        const slashIdx = spec.indexOf("/");
-        if (slashIdx === -1) {
-            return { name: spec, versionSpec: null };
-        }
-        const afterSlash = spec.slice(slashIdx + 1);
-        const atIdx = afterSlash.indexOf("@");
-        if (atIdx === -1) {
-            return { name: spec, versionSpec: null };
-        }
-        return {
-            name: spec.slice(0, slashIdx + 1 + atIdx),
-            versionSpec: afterSlash.slice(atIdx + 1),
-        };
-    }
-    // Unscoped: pkg@version
-    const atIdx = spec.indexOf("@");
-    if (atIdx === -1 || atIdx === 0) {
-        return { name: spec, versionSpec: null };
-    }
-    return {
-        name: spec.slice(0, atIdx),
-        versionSpec: spec.slice(atIdx + 1),
-    };
-}
-/**
- * Resolve what version npm would install for a given package specifier.
- * Uses `npm view <spec> version` to get the resolved version.
- */
-function resolveVersion(spec) {
-    try {
-        const version = (0, node_child_process_1.execSync)(`npm view "${spec}" version`, {
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            timeout: 15000,
-        }).trim();
-        return version || null;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Build PackageInput[] from package specifiers by resolving versions.
- */
-function resolvePackages(specs) {
-    const resolved = [];
-    const failed = [];
-    for (const spec of specs) {
-        const { name, versionSpec } = parsePackageSpec(spec);
-        const querySpec = versionSpec ? `${name}@${versionSpec}` : name;
-        const version = resolveVersion(querySpec);
-        if (version) {
-            resolved.push({
-                name,
-                version,
-                previousVersion: null,
-                isNew: true,
-            });
-        }
-        else {
-            failed.push(spec);
-        }
-    }
-    return { resolved, failed };
-}
-/**
- * Run the actual npm command, inheriting stdio.
- * Returns the npm exit code.
- */
-function runNpm(args) {
-    return new Promise((resolve) => {
-        const child = (0, node_child_process_1.spawn)("npm", args, {
-            stdio: "inherit",
-            shell: false,
-        });
-        child.on("close", (code) => resolve(code ?? 1));
-        child.on("error", () => resolve(1));
-    });
-}
-/**
- * Main npm wrapper entry point.
- */
-async function handleNpmCommand(npmArgs, config) {
-    const parsed = parseNpmArgs(npmArgs);
-    // Non-install commands: pass through directly
-    if (!parsed.shouldScan) {
-        const code = await runNpm(parsed.rawArgs);
-        process.exit(code);
-    }
-    // No packages specified (e.g. bare `npm install` from package.json)
-    if (parsed.packages.length === 0) {
-        process.stderr.write((0, color_1.dim)("  Dependency Guardian: no new packages specified, passing through to npm.\n"));
-        const code = await runNpm(parsed.rawArgs);
-        process.exit(code);
-    }
-    // Resolve versions
-    process.stderr.write((0, color_1.dim)(`  Resolving ${parsed.packages.length} package${parsed.packages.length !== 1 ? "s" : ""}...\n`));
-    const { resolved, failed } = resolvePackages(parsed.packages);
-    if (failed.length > 0) {
-        process.stderr.write((0, color_1.yellow)(`  Warning: Could not resolve versions for: ${failed.join(", ")}\n`));
-    }
-    if (resolved.length === 0) {
-        process.stderr.write((0, color_1.dim)("  No packages to scan. Passing through to npm.\n"));
-        const code = await runNpm(parsed.rawArgs);
-        process.exit(code);
-    }
-    // Filter allowlist
-    const toScan = resolved.filter((p) => !config.allowlist.includes(p.name));
-    if (toScan.length === 0) {
-        process.stderr.write((0, color_1.dim)("  All packages are allowlisted. Passing through to npm.\n"));
-        const code = await runNpm(parsed.rawArgs);
-        process.exit(code);
-    }
-    // Scan
-    process.stderr.write((0, color_1.dim)(`  Scanning ${toScan.length} package${toScan.length !== 1 ? "s" : ""}...\n`));
-    let result;
-    try {
-        const startMs = Date.now();
-        result = await (0, api_1.callAnalyzeAPI)(toScan, config);
-        const elapsed = Date.now() - startMs;
-        if (config.debug) {
-            process.stderr.write((0, color_1.dim)(`  [debug] API responded in ${elapsed}ms, action=${result.action}, score=${result.score}\n`));
-        }
-    }
-    catch (error) {
-        // API unavailable — warn and proceed
-        const msg = error instanceof Error ? error.message : String(error);
-        process.stderr.write((0, color_1.yellow)(`  Warning: Scan failed (${msg}). Proceeding with install.\n`));
-        const code = await runNpm(parsed.rawArgs);
-        process.exit(code);
-        return; // unreachable, but helps TypeScript
-    }
-    // Handle result
-    if (result.action === "pass") {
-        process.stderr.write((0, color_1.green)(`  ${(0, color_1.bold)("\u2713")} ${toScan.length} package${toScan.length !== 1 ? "s" : ""} scanned \u2014 all clear\n\n`));
-        const code = await runNpm(parsed.rawArgs);
-        process.exit(code);
-    }
-    // Render findings
-    const output = (0, output_1.renderResult)(result, config);
-    process.stdout.write(output + "\n");
-    if (result.action === "warn") {
-        process.stderr.write((0, color_1.yellow)("  Warnings detected. Proceeding with install.\n\n"));
-        const code = await runNpm(parsed.rawArgs);
-        process.exit(code);
-    }
-    // Block
-    if (result.action === "block") {
-        if (parsed.dgForce) {
-            process.stderr.write((0, color_1.yellow)((0, color_1.bold)("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
-            const code = await runNpm(parsed.rawArgs);
-            process.exit(code);
-        }
-        process.stderr.write((0, color_1.red)((0, color_1.bold)("  BLOCKED: ")) +
-            (0, color_1.red)("High-risk packages detected. Install aborted.\n"));
-        process.stderr.write((0, color_1.dim)("  Use --dg-force to bypass this check.\n\n"));
-        process.exit(2);
-    }
-}
-const WRAP_USAGE = `
-  Set up dg as your npm wrapper:
-
-  Option 1 — Shell alias (recommended):
-    Add to your ~/.zshrc or ~/.bashrc:
-      alias npm='dg npm'
-
-  Option 2 — Per-project .npmrc:
-    Not yet supported.
-
-  Once set up, every \`npm install\` will be scanned automatically.
-`.trimStart();
-function handleWrapCommand() {
-    process.stdout.write(WRAP_USAGE);
-}
-
-
-/***/ }),
-
-/***/ 202:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.renderResult = renderResult;
-const color_1 = __nccwpck_require__(988);
-const SEVERITY_LABELS = {
-    5: "CRITICAL",
-    4: "HIGH",
-    3: "MEDIUM",
-    2: "LOW",
-    1: "INFO",
-};
-function severityColor(sev) {
-    if (sev >= 5)
-        return (s) => (0, color_1.bold)((0, color_1.red)(s));
-    if (sev >= 4)
-        return color_1.red;
-    if (sev >= 3)
-        return color_1.yellow;
-    if (sev >= 2)
-        return color_1.cyan;
-    return color_1.dim;
-}
-function actionColor(action) {
-    if (action === "block")
-        return color_1.red;
-    if (action === "warn")
-        return color_1.yellow;
-    return color_1.green;
-}
-function pad(s, len) {
-    return s + " ".repeat(Math.max(0, len - s.length));
-}
-function rpad(s, len) {
-    return " ".repeat(Math.max(0, len - s.length)) + s;
-}
-function renderResult(result, config) {
-    if (config.json) {
-        return JSON.stringify(result, null, 2);
-    }
-    const lines = [];
-    const actionStr = result.action.toUpperCase();
-    const colorAction = actionColor(result.action);
-    // Header
-    lines.push("");
-    lines.push(`  ${(0, color_1.bold)("Dependency Guardian")}`);
-    lines.push(`  Score: ${(0, color_1.bold)(String(result.score))}${" ".repeat(Math.max(1, 50 - String(result.score).length))}${colorAction(actionStr)}`);
-    lines.push("");
-    // Summary
-    const flagged = result.packages.filter((p) => p.score > 0).length;
-    const total = result.packages.length;
-    lines.push(`  ${total} package${total !== 1 ? "s" : ""} scanned, ${flagged} flagged`);
-    lines.push("");
-    if (total === 0) {
-        lines.push("  No packages to scan.");
-        lines.push("");
-        return lines.join("\n");
-    }
-    // Package table — adapt to terminal width
-    const termWidth = process.stdout.columns || 80;
-    const COL_NAME = Math.max(16, Math.min(40, Math.floor(termWidth * 0.3)));
-    const COL_VER = Math.max(14, Math.min(30, Math.floor(termWidth * 0.25)));
-    const COL_SCORE = 7;
-    lines.push(`  ${(0, color_1.dim)(pad("Package", COL_NAME))}${(0, color_1.dim)(pad("Version", COL_VER))}${(0, color_1.dim)(pad("Score", COL_SCORE))}${(0, color_1.dim)("Action")}`);
-    lines.push(`  ${(0, color_1.dim)(pad("\u2500".repeat(COL_NAME - 2), COL_NAME))}${(0, color_1.dim)(pad("\u2500".repeat(COL_VER - 2), COL_VER))}${(0, color_1.dim)(pad("\u2500".repeat(COL_SCORE - 2), COL_SCORE))}${(0, color_1.dim)("\u2500".repeat(6))}`);
-    // Sort: flagged first, then by score desc
-    const sorted = [...result.packages].sort((a, b) => b.score - a.score);
-    for (const pkg of sorted) {
-        const versionStr = pkg.version;
-        const safe = result.safeVersions[pkg.name];
-        const verDisplay = safe ? `${(0, color_1.dim)(safe + " \u2192 ")}${versionStr}` : versionStr;
-        const pkgAction = pkg.score >= config.blockThreshold
-            ? "BLOCK"
-            : pkg.score >= config.warnThreshold
-                ? "WARN"
-                : "pass";
-        const pkgColor = actionColor(pkg.score >= config.blockThreshold
-            ? "block"
-            : pkg.score >= config.warnThreshold
-                ? "warn"
-                : "pass");
-        lines.push(`  ${pad(truncate(pkg.name, COL_NAME - 2), COL_NAME)}${pad(verDisplay, COL_VER)}${rpad(String(pkg.score), COL_SCORE - 2)}  ${pkgColor(pkgAction)}`);
-    }
-    lines.push("");
-    // Detailed findings for flagged packages
-    const flaggedPkgs = sorted.filter((p) => p.score > 0);
-    for (const pkg of flaggedPkgs) {
-        lines.push(renderPackageDetail(pkg, result.safeVersions[pkg.name]));
-    }
-    // Duration
-    if (result.durationMs) {
-        lines.push(`  ${(0, color_1.dim)(`Completed in ${(result.durationMs / 1000).toFixed(1)}s`)}`);
-        lines.push("");
-    }
-    return lines.join("\n");
-}
-function renderPackageDetail(pkg, safeVersion) {
-    const lines = [];
-    const header = `${pkg.name}@${pkg.version} (score: ${pkg.score})`;
-    const rule = "\u2500".repeat(Math.max(0, 50 - header.length));
-    lines.push(`  ${(0, color_1.dim)("\u2500\u2500")} ${(0, color_1.bold)(header)} ${(0, color_1.dim)(rule)}`);
-    lines.push("");
-    for (const finding of pkg.findings) {
-        // Skip low-severity informational findings in detail view
-        if (finding.severity <= 1 && !finding.critical)
-            continue;
-        const sevLabel = SEVERITY_LABELS[finding.severity] ?? "INFO";
-        const colorFn = severityColor(finding.severity);
-        lines.push(`  ${colorFn(pad(sevLabel, 10))}${finding.id} \u2014 ${finding.title} (sev ${finding.severity}, conf ${finding.confidence.toFixed(2)})`);
-        // Show up to 3 evidence lines
-        const evidenceLimit = 3;
-        for (let i = 0; i < Math.min(finding.evidence.length, evidenceLimit); i++) {
-            lines.push(`  ${" ".repeat(10)}${(0, color_1.dim)(truncate(finding.evidence[i], 80))}`);
-        }
-        if (finding.evidence.length > evidenceLimit) {
-            lines.push(`  ${" ".repeat(10)}${(0, color_1.dim)(`... and ${finding.evidence.length - evidenceLimit} more`)}`);
-        }
-        lines.push("");
-    }
-    if (safeVersion) {
-        lines.push(`  ${(0, color_1.green)(`Safe version: ${pkg.name}@${safeVersion}`)}`);
-        lines.push("");
-    }
-    return lines.join("\n");
-}
-function truncate(s, max) {
-    if (s.length <= max)
-        return s;
-    return s.slice(0, max - 1) + "\u2026";
-}
-
-
-/***/ }),
-
-/***/ 229:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.diffLockfiles = diffLockfiles;
-function diffLockfiles(base, head, maxPackages, directDeps) {
-    const allChanges = [];
-    for (const [name, headEntry] of head.packages) {
-        const baseEntry = base?.packages.get(name);
-        if (!baseEntry) {
-            allChanges.push({
-                name,
-                oldVersion: null,
-                newVersion: headEntry.version,
-                isDirect: directDeps?.has(name) ?? false,
-                isDev: headEntry.dev ?? false,
-            });
-        }
-        else if (baseEntry.version !== headEntry.version) {
-            allChanges.push({
-                name,
-                oldVersion: baseEntry.version,
-                newVersion: headEntry.version,
-                isDirect: directDeps?.has(name) ?? false,
-                isDev: headEntry.dev ?? false,
-            });
-        }
-    }
-    allChanges.sort((a, b) => {
-        if (a.isDirect !== b.isDirect)
-            return a.isDirect ? -1 : 1;
-        return a.name.localeCompare(b.name);
-    });
-    if (allChanges.length <= maxPackages) {
-        return { changes: allChanges, skipped: [] };
-    }
-    const changes = allChanges.slice(0, maxPackages);
-    const skipped = allChanges.slice(maxPackages).map((c) => c.name);
-    return { changes, skipped };
-}
-
-
-/***/ }),
-
-/***/ 417:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.diffPackageJsons = diffPackageJsons;
-function diffPackageJsons(baseContent, headContent, maxPackages) {
-    const head = JSON.parse(headContent);
-    const headDeps = {
-        ...head.dependencies,
-        ...head.devDependencies,
-    };
-    let baseDeps = {};
-    if (baseContent) {
-        const base = JSON.parse(baseContent);
-        baseDeps = { ...base.dependencies, ...base.devDependencies };
-    }
-    const changes = [];
-    for (const [name, version] of Object.entries(headDeps)) {
-        if (changes.length >= maxPackages)
-            break;
-        const baseVersion = baseDeps[name];
-        const isDev = !!(head.devDependencies && head.devDependencies[name]);
-        if (!baseVersion) {
-            changes.push({
-                name,
-                oldVersion: null,
-                newVersion: version,
-                isDirect: true,
-                isDev,
-            });
-        }
-        else if (baseVersion !== version) {
-            changes.push({
-                name,
-                oldVersion: baseVersion,
-                newVersion: version,
-                isDirect: true,
-                isDev,
-            });
-        }
-    }
-    return { changes };
-}
-
-
-/***/ }),
-
-/***/ 88:
-/***/ ((__unused_webpack_module, exports) => {
-
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.parseLockfile = parseLockfile;
-function parseLockfile(content) {
-    const json = JSON.parse(content);
-    const lockfileVersion = json.lockfileVersion ?? 1;
-    const packages = new Map();
-    if (lockfileVersion >= 2 && json.packages) {
-        for (const [path, entry] of Object.entries(json.packages)) {
-            if (path === "")
-                continue;
-            const name = extractPackageName(path);
-            if (name && !packages.has(name)) {
-                const e = entry;
-                packages.set(name, {
-                    version: e.version ?? "",
-                    resolved: e.resolved,
-                    integrity: e.integrity,
-                    dev: e.dev,
-                });
-            }
-        }
-    }
-    else if (json.dependencies) {
-        parseLegacyDeps(json.dependencies, packages);
-    }
-    return { lockfileVersion, packages };
-}
-function extractPackageName(nodePath) {
-    const prefix = "node_modules/";
-    const lastIdx = nodePath.lastIndexOf(prefix);
-    if (lastIdx === -1)
-        return null;
-    const name = nodePath.slice(lastIdx + prefix.length);
-    return name || null;
-}
-function parseLegacyDeps(deps, packages, parentPrefix = "") {
-    for (const [name, value] of Object.entries(deps)) {
-        const fullName = parentPrefix ? `${parentPrefix}/${name}` : name;
-        const entry = value;
-        packages.set(fullName, {
-            version: entry.version ?? "",
-            resolved: entry.resolved,
-            integrity: entry.integrity,
-            dev: entry.dev,
-        });
-        if (entry.dependencies) {
-            parseLegacyDeps(entry.dependencies, packages);
-        }
-    }
-}
-
-
-/***/ }),
-
-/***/ 421:
-/***/ ((module) => {
-
-module.exports = require("node:child_process");
-
-/***/ }),
-
-/***/ 24:
-/***/ ((module) => {
-
-module.exports = require("node:fs");
-
-/***/ }),
-
-/***/ 161:
-/***/ ((module) => {
-
-module.exports = require("node:os");
-
-/***/ }),
-
-/***/ 760:
-/***/ ((module) => {
-
-module.exports = require("node:path");
-
-/***/ }),
-
-/***/ 975:
-/***/ ((module) => {
-
-module.exports = require("node:util");
-
-/***/ })
-
-/******/ 	});
-/************************************************************************/
-/******/ 	// The module cache
-/******/ 	var __webpack_module_cache__ = {};
-/******/ 	
-/******/ 	// The require function
-/******/ 	function __nccwpck_require__(moduleId) {
-/******/ 		// Check if module is in cache
-/******/ 		var cachedModule = __webpack_module_cache__[moduleId];
-/******/ 		if (cachedModule !== undefined) {
-/******/ 			return cachedModule.exports;
-/******/ 		}
-/******/ 		// Create a new module (and put it into the cache)
-/******/ 		var module = __webpack_module_cache__[moduleId] = {
-/******/ 			// no module.id needed
-/******/ 			// no module.loaded needed
-/******/ 			exports: {}
-/******/ 		};
-/******/ 	
-/******/ 		// Execute the module function
-/******/ 		var threw = true;
-/******/ 		try {
-/******/ 			__webpack_modules__[moduleId](module, module.exports, __nccwpck_require__);
-/******/ 			threw = false;
-/******/ 		} finally {
-/******/ 			if(threw) delete __webpack_module_cache__[moduleId];
-/******/ 		}
-/******/ 	
-/******/ 		// Return the exports of the module
-/******/ 		return module.exports;
-/******/ 	}
-/******/ 	
-/************************************************************************/
-/******/ 	/* webpack/runtime/compat */
-/******/ 	
-/******/ 	if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";
-/******/ 	
-/************************************************************************/
-var __webpack_exports__ = {};
-// This entry need to be wrapped in an IIFE because it uses a non-standard name for the exports (exports).
-(() => {
-var exports = __webpack_exports__;
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-const config_1 = __nccwpck_require__(973);
-const lockfile_1 = __nccwpck_require__(746);
-const api_1 = __nccwpck_require__(879);
-const output_1 = __nccwpck_require__(202);
-const color_1 = __nccwpck_require__(988);
-const npm_wrapper_1 = __nccwpck_require__(124);
-async function main() {
-    // Check for `dg npm ...` or `dg wrap` before full config parsing
-    const rawCommand = process.argv[2];
-    if (rawCommand === "npm") {
-        // Parse config but don't require lockfile discovery
-        const config = (0, config_1.parseConfig)(process.argv);
-        await (0, npm_wrapper_1.handleNpmCommand)(process.argv.slice(3), config);
-        return;
-    }
-    if (rawCommand === "wrap") {
-        (0, npm_wrapper_1.handleWrapCommand)();
-        return;
-    }
-    const config = (0, config_1.parseConfig)(process.argv);
-    const dbg = (msg) => {
-        if (config.debug)
-            process.stderr.write((0, color_1.dim)(`  [debug] ${msg}\n`));
-    };
-    if (config.mode === "off") {
-        process.stderr.write((0, color_1.dim)("  Dependency Guardian: mode is off — skipping.\n"));
-        process.exit(0);
-    }
-    dbg(`mode=${config.mode} block=${config.blockThreshold} warn=${config.warnThreshold} max=${config.maxPackages}`);
-    dbg(`api=${config.apiUrl}`);
-    // Discover packages
-    process.stderr.write((0, color_1.dim)("  Discovering package changes...\n"));
-    const discovery = (0, lockfile_1.discoverChanges)(process.cwd(), config);
-    dbg(`discovery method: ${discovery.method}`);
-    if (discovery.packages.length === 0) {
-        process.stderr.write((0, color_1.dim)("  No package changes detected.\n"));
-        process.exit(0);
-    }
-    // Filter allowlist
-    const packages = discovery.packages.filter((p) => !config.allowlist.includes(p.name));
-    if (packages.length === 0) {
-        process.stderr.write((0, color_1.dim)("  All changed packages are allowlisted.\n"));
-        process.exit(0);
-    }
-    process.stderr.write((0, color_1.dim)(`  Scanning ${packages.length} package${packages.length !== 1 ? "s" : ""} (${discovery.method})...\n`));
-    if (discovery.skipped.length > 0) {
-        process.stderr.write((0, color_1.yellow)(`  Warning: ${discovery.skipped.length} package(s) skipped (max-packages=${config.maxPackages})\n`));
-    }
-    dbg(`packages to scan: ${packages.map(p => `${p.name}@${p.version}`).slice(0, 10).join(", ")}${packages.length > 10 ? ` (+${packages.length - 10} more)` : ""}`);
-    // Call Detection API
-    const startMs = Date.now();
-    const result = await (0, api_1.callAnalyzeAPI)(packages, config, (done, total) => {
-        process.stderr.write((0, color_1.dim)(`  Analyzed ${done}/${total}...\n`));
-    });
-    dbg(`API responded in ${Date.now() - startMs}ms, action=${result.action}, score=${result.score}`);
-    // Render output
-    const output = (0, output_1.renderResult)(result, config);
-    process.stdout.write(output + "\n");
-    // Exit code
-    if (result.action === "block" && config.mode === "block") {
-        process.exit(2);
-    }
-    else if (result.action === "block" || result.action === "warn") {
-        process.exit(1);
-    }
-    process.exit(0);
-}
-main().catch((err) => {
-    process.stderr.write(`\n  ${(0, color_1.bold)((0, color_1.red)("Error:"))} ${err.message}\n\n`);
-    process.exit(3); // Exit 3 = internal error (distinct from exit 1 = warnings)
-});
-
-})();
-
-module.exports = __webpack_exports__;
-/******/ })()
-;