npm - @westbayberry/dg - Versions diffs - 1.0.5 → 1.0.7 - Mend

@westbayberry/dg 1.0.5 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # @westbayberry/dg
-Supply chain security scanner for npm dependencies. Detects malicious packages, typosquatting, dependency confusion, and 20+ attack patterns before they reach production.
+Supply chain security scanner for npm and Python dependencies. Detects malicious packages, typosquatting, dependency confusion, and 20+ attack patterns before they reach production.
 ## Install
@@ -8,44 +8,42 @@ Supply chain security scanner for npm dependencies. Detects malicious packages,
 npm install -g @westbayberry/dg
 ```
-Or run without installing:
-```bash
-npx @westbayberry/dg scan
-```
 ## Quick Start
-1. Get your API key at [westbayberry.com/dashboard](https://westbayberry.com/dashboard)
-2. Run a scan:
 ```bash
-export DG_API_KEY=dg_live_your_key_here
+dg login
 dg scan
 ```
-That's it. The CLI auto-detects changed packages by diffing your lockfile against the base branch.
+The CLI auto-discovers projects in your directory tree — npm lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and Python dependency files (requirements.txt, Pipfile.lock, poetry.lock). If multiple projects are found, you pick which ones to scan.
-## Usage
+## Commands
 ```
-dg scan [options]
+dg scan [options]        Scan dependencies (auto-discovers npm + Python projects)
+dg npm install <pkg>     Scan packages before installing
+dg login                 Authenticate with your WestBayBerry account
+dg logout                Remove saved credentials
+dg hook install          Install git pre-commit hook to scan lockfile changes
+dg hook uninstall        Remove the pre-commit hook
+dg update                Check for and install the latest version
+dg wrap                  Show instructions to alias npm to dg
 ```
-### Options
-| Flag | Env Var | Default | Description |
-|------|---------|---------|-------------|
-| `--api-key <key>` | `DG_API_KEY` | *required* | Your API key |
-| `--mode <mode>` | `DG_MODE` | `warn` | `block` / `warn` / `off` |
-| `--block-threshold <n>` | | `70` | Score threshold for blocking |
-| `--warn-threshold <n>` | | `60` | Score threshold for warnings |
-| `--max-packages <n>` | | `200` | Max packages per scan |
-| `--allowlist <pkgs>` | `DG_ALLOWLIST` | | Comma-separated packages to skip |
-| `--json` | | | Output JSON for CI parsing |
-| `--scan-all` | | | Scan all packages, not just changed |
-| `--base-lockfile <path>` | | | Explicit base lockfile for diff |
-| `--api-url <url>` | `DG_API_URL` | `https://api.westbayberry.com` | API endpoint |
+### Scan Options
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--mode <mode>` | `warn` | `block` / `warn` / `off` |
+| `--block-threshold <n>` | `70` | Score threshold for blocking |
+| `--warn-threshold <n>` | `60` | Score threshold for warnings |
+| `--max-packages <n>` | `200` | Max packages per scan |
+| `--allowlist <pkgs>` | | Comma-separated packages to skip |
+| `--json` | | Output JSON for CI parsing |
+| `--scan-all` | | Scan all packages, not just changed |
+| `--base-lockfile <path>` | | Explicit base lockfile for diff |
+| `--workspace <dir>` | | Scan a specific workspace subdirectory |
+| `--debug` | | Show diagnostic output |
 ### Exit Codes
@@ -54,37 +52,54 @@ dg scan [options]
 | `0` | Pass | Continue |
 | `1` | Warning | Advisory — review recommended |
 | `2` | Block | Fail the pipeline |
+| `3` | Error | Internal error |
+## CI Setup
-## CI Examples
+Authenticate first, then add the scan to your pipeline:
-### GitHub Actions CI
+### GitHub Actions
 ```yaml
 - name: Scan dependencies
-  run: npx @westbayberry/dg scan --mode block
-  env:
-    DG_API_KEY: ${{ secrets.DG_API_KEY }}
+  run: |
+    npx @westbayberry/dg login
+    npx @westbayberry/dg scan --mode block --json
 ```
-### GitLab CI
+### Any CI
-```yaml
-dependency-scan:
-  script:
-    - npx @westbayberry/dg scan --mode block
-  variables:
-    DG_API_KEY: $DG_API_KEY
+```bash
+npx @westbayberry/dg login
+npx @westbayberry/dg scan --mode block --json
 ```
-### Any CI
+## Git Hook
+Block commits that introduce risky dependencies:
 ```bash
-export DG_API_KEY="$DG_API_KEY"
-npx @westbayberry/dg scan --mode block --json
+dg hook install
+```
+This installs a pre-commit hook that runs `dg scan --mode block` whenever a lockfile change is staged. Use `dg hook uninstall` to remove it.
+## npm Wrapper
+Scan packages before installing:
+```bash
+dg npm install express lodash
+```
+Use `--dg-force` to bypass a block. Or alias npm globally:
+```bash
+echo 'alias npm="dg npm"' >> ~/.zshrc
 ```
 ## Links
-- [Dashboard & API Keys](https://westbayberry.com/dashboard)
+- [Dashboard](https://westbayberry.com/dashboard)
 - [Documentation](https://westbayberry.com/docs)
 - [Pricing](https://westbayberry.com/pricing)

package/dist/index.mjs CHANGED Viewed

@@ -39,6 +39,194 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
+// src/config.ts
+var config_exports = {};
+__export(config_exports, {
+  USAGE: () => USAGE,
+  getVersion: () => getVersion,
+  parseConfig: () => parseConfig
+});
+import { parseArgs } from "node:util";
+import { readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+function loadDgrc() {
+  const candidates = [
+    join(process.cwd(), ".dgrc.json"),
+    join(homedir(), ".dgrc.json")
+  ];
+  for (const filepath of candidates) {
+    if (existsSync(filepath)) {
+      try {
+        return JSON.parse(readFileSync(filepath, "utf-8"));
+      } catch {
+        process.stderr.write(`Warning: Failed to parse ${filepath}, ignoring.
+`);
+      }
+    }
+  }
+  return {};
+}
+function getVersion() {
+  try {
+    const pkg = JSON.parse(
+      readFileSync(join(__dirname, "..", "package.json"), "utf-8")
+    );
+    return pkg.version ?? "1.0.0";
+  } catch {
+    return "1.0.0";
+  }
+}
+function parseConfig(argv) {
+  const { values, positionals } = parseArgs({
+    args: argv.slice(2),
+    options: {
+      "api-url": { type: "string" },
+      mode: { type: "string" },
+      "block-threshold": { type: "string" },
+      "warn-threshold": { type: "string" },
+      "max-packages": { type: "string" },
+      allowlist: { type: "string" },
+      json: { type: "boolean", default: false },
+      "scan-all": { type: "boolean", default: false },
+      "base-lockfile": { type: "string" },
+      workspace: { type: "string", short: "w" },
+      debug: { type: "boolean", default: false },
+      "no-config": { type: "boolean", default: false },
+      help: { type: "boolean", default: false },
+      version: { type: "boolean", default: false }
+    },
+    allowPositionals: true,
+    strict: false
+  });
+  if (values.help) {
+    process.stdout.write(USAGE);
+    process.exit(0);
+  }
+  if (values.version) {
+    process.stdout.write(`dependency-guardian v${getVersion()}
+`);
+    process.exit(0);
+  }
+  const command = positionals[0] ?? "scan";
+  const noConfig = values["no-config"];
+  const dgrc = noConfig ? {} : loadDgrc();
+  const apiKey = dgrc.apiKey ?? "";
+  if (!apiKey) {
+    process.stderr.write(
+      "Error: Not logged in. Run `dg login` to authenticate.\n"
+    );
+    process.exit(1);
+  }
+  const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? "warn";
+  if (!["block", "warn", "off"].includes(modeRaw)) {
+    process.stderr.write(
+      `Error: Invalid mode "${modeRaw}". Must be block, warn, or off.
+`
+    );
+    process.exit(1);
+  }
+  const allowlistRaw = values.allowlist ?? process.env.DG_ALLOWLIST ?? "";
+  const blockThreshold = Number(values["block-threshold"] ?? dgrc.blockThreshold ?? "70");
+  const warnThreshold = Number(values["warn-threshold"] ?? dgrc.warnThreshold ?? "60");
+  const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
+  const debug = values.debug || process.env.DG_DEBUG === "1";
+  if (isNaN(blockThreshold) || blockThreshold < 0 || blockThreshold > 100) {
+    process.stderr.write("Error: --block-threshold must be a number between 0 and 100\n");
+    process.exit(1);
+  }
+  if (isNaN(warnThreshold) || warnThreshold < 0 || warnThreshold > 100) {
+    process.stderr.write("Error: --warn-threshold must be a number between 0 and 100\n");
+    process.exit(1);
+  }
+  if (isNaN(maxPackages) || maxPackages < 1 || maxPackages > 1e4) {
+    process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
+    process.exit(1);
+  }
+  return {
+    apiKey,
+    apiUrl: values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com",
+    mode: modeRaw,
+    blockThreshold,
+    warnThreshold,
+    maxPackages,
+    allowlist: allowlistRaw ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean) : dgrc.allowlist ?? [],
+    json: values.json,
+    scanAll: values["scan-all"],
+    baseLockfile: values["base-lockfile"] ?? null,
+    workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
+    command,
+    debug
+  };
+}
+var USAGE;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    USAGE = `
+  Dependency Guardian \u2014 Supply chain security scanner
+  Usage:
+    dependency-guardian scan [options]
+    dg scan [options]
+    dg npm install <pkg> [npm-flags]
+    dg wrap
+  Commands:
+    scan            Scan dependencies (auto-discovers npm + Python projects)
+    npm             Wrap npm commands \u2014 scans packages before installing
+    hook install    Install git pre-commit hook to scan lockfile changes
+    hook uninstall  Remove the pre-commit hook
+    update          Check for and install the latest version
+    login           Authenticate with your WestBayBerry account
+    logout          Remove saved credentials
+    wrap            Show instructions to alias npm to dg
+  Options:
+    --api-url <url>          API base URL (default: https://api.westbayberry.com)
+    --mode <mode>            block | warn | off (default: warn)
+    --block-threshold <n>    Score threshold for blocking (default: 70)
+    --warn-threshold <n>     Score threshold for warnings (default: 60)
+    --max-packages <n>       Max packages per scan (default: 200)
+    --allowlist <pkgs>       Comma-separated package names to skip
+    --json                   Output JSON for CI parsing
+    --scan-all               Scan all packages, not just changed
+    --base-lockfile <path>   Path to base lockfile for explicit diff
+    --workspace <dir>        Scan a specific workspace subdirectory
+    --debug                  Show diagnostic output (discovery, batches, timing)
+    --no-config              Skip loading .dgrc.json config file
+    --help                   Show this help message
+    --version                Show version number
+  Config File:
+    Place a .dgrc.json in your project root or home directory.
+    Precedence: CLI flags > env vars > .dgrc.json > defaults
+  Environment Variables:
+    DG_API_URL               API base URL
+    DG_MODE                  Mode (block/warn/off)
+    DG_ALLOWLIST             Comma-separated allowlist
+    DG_DEBUG                 Enable debug output (set to 1)
+    DG_WORKSPACE             Workspace subdirectory to scan
+  Exit Codes:
+    0  pass    \u2014 No risks detected
+    1  warn    \u2014 Risks detected (advisory)
+    2  block   \u2014 High-risk packages detected
+    3  error   \u2014 Internal error (API failure, config error)
+  Examples:
+    dg scan
+    dg scan --json
+    dg scan --scan-all --mode block
+    dg scan --base-lockfile ./main-lockfile.json
+    dg npm install express lodash
+    dg npm install @scope/pkg@^2.0.0
+    dg npm install risky-pkg --dg-force
+`.trimStart();
+  }
+});
 // src/npm-wrapper.ts
 import { spawn } from "node:child_process";
 import { readFileSync as readFileSync2, existsSync as existsSync2 } from "node:fs";
@@ -3106,11 +3294,11 @@ var require_react_development = __commonJS({
           }
           return dispatcher.useContext(Context);
         }
-        function useState6(initialState) {
+        function useState5(initialState) {
           var dispatcher = resolveDispatcher();
           return dispatcher.useState(initialState);
         }
-        function useReducer4(reducer4, initialArg, init) {
+        function useReducer5(reducer4, initialArg, init) {
           var dispatcher = resolveDispatcher();
           return dispatcher.useReducer(reducer4, initialArg, init);
         }
@@ -3118,7 +3306,7 @@ var require_react_development = __commonJS({
           var dispatcher = resolveDispatcher();
           return dispatcher.useRef(initialValue);
         }
-        function useEffect11(create2, deps) {
+        function useEffect12(create2, deps) {
           var dispatcher = resolveDispatcher();
           return dispatcher.useEffect(create2, deps);
         }
@@ -3901,15 +4089,15 @@ var require_react_development = __commonJS({
         exports.useContext = useContext7;
         exports.useDebugValue = useDebugValue;
         exports.useDeferredValue = useDeferredValue;
-        exports.useEffect = useEffect11;
+        exports.useEffect = useEffect12;
         exports.useId = useId;
         exports.useImperativeHandle = useImperativeHandle;
         exports.useInsertionEffect = useInsertionEffect;
         exports.useLayoutEffect = useLayoutEffect2;
         exports.useMemo = useMemo4;
-        exports.useReducer = useReducer4;
+        exports.useReducer = useReducer5;
         exports.useRef = useRef6;
-        exports.useState = useState6;
+        exports.useState = useState5;
         exports.useSyncExternalStore = useSyncExternalStore;
         exports.useTransition = useTransition;
         exports.version = ReactVersion;
@@ -4282,47 +4470,6 @@ var init_base = __esm({
 });
 // node_modules/ansi-escapes/index.js
-var ansi_escapes_exports = {};
-__export(ansi_escapes_exports, {
-  ConEmu: () => ConEmu,
-  beep: () => beep,
-  beginSynchronizedOutput: () => beginSynchronizedOutput,
-  clearScreen: () => clearScreen,
-  clearTerminal: () => clearTerminal,
-  clearViewport: () => clearViewport,
-  cursorBackward: () => cursorBackward,
-  cursorDown: () => cursorDown,
-  cursorForward: () => cursorForward,
-  cursorGetPosition: () => cursorGetPosition,
-  cursorHide: () => cursorHide,
-  cursorLeft: () => cursorLeft,
-  cursorMove: () => cursorMove,
-  cursorNextLine: () => cursorNextLine,
-  cursorPrevLine: () => cursorPrevLine,
-  cursorRestorePosition: () => cursorRestorePosition,
-  cursorSavePosition: () => cursorSavePosition,
-  cursorShow: () => cursorShow,
-  cursorTo: () => cursorTo,
-  cursorUp: () => cursorUp,
-  default: () => base_exports,
-  endSynchronizedOutput: () => endSynchronizedOutput,
-  enterAlternativeScreen: () => enterAlternativeScreen,
-  eraseDown: () => eraseDown,
-  eraseEndLine: () => eraseEndLine,
-  eraseLine: () => eraseLine,
-  eraseLines: () => eraseLines,
-  eraseScreen: () => eraseScreen,
-  eraseStartLine: () => eraseStartLine,
-  eraseUp: () => eraseUp,
-  exitAlternativeScreen: () => exitAlternativeScreen,
-  iTerm: () => iTerm,
-  image: () => image,
-  link: () => link,
-  scrollDown: () => scrollDown,
-  scrollUp: () => scrollUp,
-  setCwd: () => setCwd,
-  synchronizedOutput: () => synchronizedOutput
-});
 var init_ansi_escapes = __esm({
   "node_modules/ansi-escapes/index.js"() {
     init_base();
@@ -35809,9 +35956,6 @@ var init_build2 = __esm({
 // src/auth.ts
 var auth_exports = {};
 __export(auth_exports, {
-  MAX_POLL_ATTEMPTS: () => MAX_POLL_ATTEMPTS,
-  POLL_INTERVAL_MS: () => POLL_INTERVAL_MS,
-  WEB_BASE: () => WEB_BASE,
   clearCredentials: () => clearCredentials,
   createAuthSession: () => createAuthSession,
   getStoredApiKey: () => getStoredApiKey,
@@ -35842,7 +35986,6 @@ async function createAuthSession() {
   const json = await res.json();
   return {
     sessionId: json.session_id,
-    userCode: json.user_code,
     verifyUrl: json.verify_url,
     expiresIn: json.expires_in
   };
@@ -35930,13 +36073,11 @@ function openBrowser(url) {
   exec2(cmd, () => {
   });
 }
-var WEB_BASE, POLL_INTERVAL_MS, MAX_POLL_ATTEMPTS, CONFIG_FILE;
+var WEB_BASE, CONFIG_FILE;
 var init_auth = __esm({
   "src/auth.ts"() {
     "use strict";
     WEB_BASE = "https://westbayberry.com";
-    POLL_INTERVAL_MS = 2e3;
-    MAX_POLL_ATTEMPTS = 150;
     CONFIG_FILE = ".dgrc.json";
   }
 });
@@ -35947,7 +36088,7 @@ function reducer(_state, action) {
     case "ALREADY_LOGGED_IN":
       return { phase: "already_logged_in", apiKey: action.apiKey };
     case "SESSION_CREATED":
-      return { phase: "waiting", userCode: action.userCode, verifyUrl: action.verifyUrl };
+      return { phase: "waiting", verifyUrl: action.verifyUrl };
     case "AUTH_COMPLETE":
       return { phase: "success", email: action.email };
     case "AUTH_EXPIRED":
@@ -35982,13 +36123,12 @@ function useLogin() {
         }
         dispatch({
           type: "SESSION_CREATED",
-          userCode: session.userCode,
           verifyUrl: session.verifyUrl
         });
         openBrowser(session.verifyUrl);
-        for (let i = 0; i < MAX_POLL_ATTEMPTS2; i++) {
+        for (let i = 0; i < MAX_POLL_ATTEMPTS; i++) {
           if (cancelled) return;
-          await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS2));
+          await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
           if (cancelled) return;
           try {
             const result = await pollAuthSession(session.sessionId);
@@ -36018,14 +36158,14 @@ function useLogin() {
   }, []);
   return state;
 }
-var import_react22, POLL_INTERVAL_MS2, MAX_POLL_ATTEMPTS2;
+var import_react22, POLL_INTERVAL_MS, MAX_POLL_ATTEMPTS;
 var init_useLogin = __esm({
   "src/ui/hooks/useLogin.ts"() {
     "use strict";
     import_react22 = __toESM(require_react());
     init_auth();
-    POLL_INTERVAL_MS2 = 2e3;
-    MAX_POLL_ATTEMPTS2 = 150;
+    POLL_INTERVAL_MS = 2e3;
+    MAX_POLL_ATTEMPTS = 150;
   }
 });
@@ -38697,13 +38837,6 @@ var init_LoginApp = __esm({
           ] });
         case "waiting":
           return /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(Box_default, { flexDirection: "column", paddingLeft: 1, children: [
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: " " }),
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { bold: true, children: "Your verification code:" }),
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: " " }),
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(Text, { bold: true, color: "green", children: [
-              "  ",
-              state.userCode
-            ] }),
             /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: " " }),
             /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: "Opening browser to authenticate..." }),
             /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { dimColor: true, children: "If it didn't open, visit:" }),
@@ -38843,7 +38976,7 @@ async function callAnalyzeBatch(packages, config) {
   clearTimeout(timeoutId);
   if (response.status === 401) {
     throw new APIError(
-      "Invalid API key. Check your --api-key or DG_API_KEY value.\nGet your key at https://westbayberry.com/dashboard",
+      "Invalid API key. Run `dg logout` then `dg login` to re-authenticate.",
       401,
       ""
     );
@@ -38923,7 +39056,7 @@ async function callPyPIBatch(packages, config) {
   clearTimeout(timeoutId);
   if (response.status === 401) {
     throw new APIError(
-      "Invalid API key. Check your --api-key or DG_API_KEY value.\nGet your key at https://westbayberry.com/dashboard",
+      "Invalid API key. Run `dg logout` then `dg login` to re-authenticate.",
       401,
       ""
     );
@@ -39799,7 +39932,7 @@ async function runStaticLogin() {
     process.exit(1);
   }
   process.stderr.write(`
-  Your verification code: ${import_chalk4.default.bold.green(session.userCode)}
+  Opening browser to authenticate...
 `);
   process.stderr.write(`  Visit: ${import_chalk4.default.cyan(session.verifyUrl)}
@@ -40156,13 +40289,10 @@ function useNpmWrapper(npmArgs, config) {
         }
       } catch (error) {
         const message = error instanceof Error ? error.message : String(error);
-        const proceed = true;
-        dispatch({ type: "ERROR", message, proceed });
-        if (proceed) {
-          dispatch({ type: "INSTALLING" });
-          const code = await runNpm(parsedRef.current.rawArgs);
-          dispatch({ type: "DONE", exitCode: code });
-        }
+        dispatch({ type: "ERROR", message, proceed: true });
+        dispatch({ type: "INSTALLING" });
+        const code = await runNpm(parsedRef.current.rawArgs);
+        dispatch({ type: "DONE", exitCode: code });
       }
     })();
   }, [npmArgs, config]);
@@ -40468,7 +40598,7 @@ function getHint(error) {
   if (typeof statusCode !== "number") return null;
   switch (statusCode) {
     case 401:
-      return "Check your --api-key";
+      return "Not authenticated. Run `dg login` to sign in.";
     case 429:
       return "Rate limit exceeded. Upgrade at westbayberry.com/pricing";
     case 504:
@@ -40759,7 +40889,10 @@ var init_discover = __esm({
       "coverage",
       ".cache",
       ".pytest_cache",
-      ".mypy_cache"
+      ".mypy_cache",
+      "validation-results",
+      "test-fixtures",
+      "fixtures"
     ]);
     NPM_LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"];
     PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
@@ -40772,6 +40905,8 @@ function reducer3(_state, action) {
   switch (action.type) {
     case "PROJECTS_FOUND":
       return { phase: "selecting", projects: action.projects };
+    case "RESTART_SELECTION":
+      return { phase: "selecting", projects: action.projects };
     case "DISCOVERY_COMPLETE":
       return { phase: "scanning", done: 0, total: action.packages.length, currentBatch: [] };
     case "DISCOVERY_EMPTY":
@@ -40787,6 +40922,7 @@ function reducer3(_state, action) {
 function useScan(config) {
   const [state, dispatch] = (0, import_react27.useReducer)(reducer3, { phase: "discovering" });
   const started = (0, import_react27.useRef)(false);
+  const discoveredProjects = (0, import_react27.useRef)(null);
   (0, import_react27.useEffect)(() => {
     if (started.current) return;
     started.current = true;
@@ -40802,6 +40938,7 @@ function useScan(config) {
       runNpmScan(packages, discovery.skipped.length, config, dispatch);
     } catch {
       const projects = discoverProjects(process.cwd());
+      discoveredProjects.current = projects.length > 1 ? projects : null;
       if (projects.length === 0) {
         dispatch({ type: "DISCOVERY_EMPTY", message: "No dependency files found." });
         return;
@@ -40818,7 +40955,15 @@ function useScan(config) {
     dispatch({ type: "DISCOVERY_COMPLETE", packages: [], skippedCount: 0 });
     scanProjects(projects, config, dispatch);
   }, [config]);
-  return { state, scanSelectedProjects };
+  const restartSelection = (0, import_react27.useCallback)(() => {
+    if (!discoveredProjects.current) return;
+    dispatch({ type: "RESTART_SELECTION", projects: discoveredProjects.current });
+  }, []);
+  return {
+    state,
+    scanSelectedProjects,
+    restartSelection: discoveredProjects.current ? restartSelection : null
+  };
 }
 async function runNpmScan(packages, skippedCount, config, dispatch) {
   try {
@@ -41054,6 +41199,16 @@ function affectsLine(group) {
   if (names.length <= 5) return names.join(", ");
   return names.slice(0, 5).join(", ") + ` + ${names.length - 5} more`;
 }
+function viewReducer(_state, action) {
+  switch (action.type) {
+    case "MOVE":
+      return { ..._state, cursor: action.cursor, viewport: action.viewport };
+    case "EXPAND":
+      return { ..._state, expandedIndex: action.expandedIndex, expandLevel: action.expandLevel, viewport: action.viewport };
+    case "MOVE_EXPAND":
+      return { cursor: action.cursor, expandedIndex: action.expandedIndex, expandLevel: action.expandLevel, viewport: action.viewport };
+  }
+}
 var import_react29, import_chalk10, import_jsx_runtime10, SEVERITY_LABELS3, SEVERITY_COLORS, EVIDENCE_LIMIT2, FIXED_CHROME, InteractiveResultsView, T, FindingsSummary, FindingsDetail;
 var init_InteractiveResultsView = __esm({
   async "src/ui/components/InteractiveResultsView.tsx"() {
@@ -41084,8 +41239,16 @@ var init_InteractiveResultsView = __esm({
       result,
       config,
       durationMs,
-      onExit
+      onExit,
+      onBack
     }) => {
+      (0, import_react29.useEffect)(() => {
+        if (!process.stdout.isTTY) return;
+        process.stdout.write("\x1B[?1049h");
+        return () => {
+          process.stdout.write("\x1B[?1049l");
+        };
+      }, []);
       const flagged = (0, import_react29.useMemo)(
         () => result.packages.filter((p) => p.score > 0),
         [result.packages]
@@ -41096,45 +41259,41 @@ var init_InteractiveResultsView = __esm({
       );
       const total = result.packages.length;
       const groups = (0, import_react29.useMemo)(() => groupPackages3(flagged), [flagged]);
-      const [cursorIndex, setCursorIndex] = (0, import_react29.useState)(0);
-      const [expandLevel, setExpandLevel] = (0, import_react29.useState)(null);
-      const [expandedIndex, setExpandedIndex] = (0, import_react29.useState)(null);
-      const [viewportStart, setViewportStart] = (0, import_react29.useState)(0);
-      const cursorRef = (0, import_react29.useRef)(cursorIndex);
-      const expandLevelRef = (0, import_react29.useRef)(expandLevel);
-      const expandedIdxRef = (0, import_react29.useRef)(expandedIndex);
-      const viewportRef = (0, import_react29.useRef)(viewportStart);
-      cursorRef.current = cursorIndex;
-      expandLevelRef.current = expandLevel;
-      expandedIdxRef.current = expandedIndex;
-      viewportRef.current = viewportStart;
+      const [view, dispatchView] = (0, import_react29.useReducer)(viewReducer, {
+        cursor: 0,
+        expandLevel: null,
+        expandedIndex: null,
+        viewport: 0
+      });
+      const viewRef = (0, import_react29.useRef)(view);
+      viewRef.current = view;
       const { stdout } = use_stdout_default();
       const termCols = stdout?.columns ?? process.stdout.columns ?? 80;
       const termRows = stdout?.rows ?? process.stdout.rows ?? 24;
       const availableRows = Math.max(5, termRows - FIXED_CHROME);
       const innerWidth = Math.max(40, termCols - 6);
       const getLevel = (idx) => {
-        return expandedIndex === idx ? expandLevel : null;
+        return view.expandedIndex === idx ? view.expandLevel : null;
       };
       const expandTargetHeight = (0, import_react29.useMemo)(() => {
-        if (expandedIndex === null || expandLevel === null) return 0;
-        const group = groups[expandedIndex];
+        if (view.expandedIndex === null || view.expandLevel === null) return 0;
+        const group = groups[view.expandedIndex];
         if (!group) return 0;
-        if (expandLevel === "summary") return findingsSummaryHeight(group);
+        if (view.expandLevel === "summary") return findingsSummaryHeight(group);
         return findingsDetailHeight(group, result.safeVersions);
-      }, [expandedIndex, expandLevel, groups, result.safeVersions]);
+      }, [view.expandedIndex, view.expandLevel, groups, result.safeVersions]);
       const { visibleLines: animVisibleLines } = useExpandAnimation(
         expandTargetHeight,
-        expandedIndex !== null
+        view.expandedIndex !== null
       );
       const animatedGroupHeight = (group, level, idx) => {
         if (level === null) return 1;
-        if (idx === expandedIndex) return 1 + animVisibleLines;
+        if (idx === view.expandedIndex) return 1 + animVisibleLines;
         return groupRowHeight(group, level, result.safeVersions);
       };
       const visibleEnd = (0, import_react29.useMemo)(() => {
         let consumed = 0;
-        let end = viewportStart;
+        let end = view.viewport;
         while (end < groups.length) {
           const level = getLevel(end);
           const h = animatedGroupHeight(groups[end], level, end);
@@ -41142,9 +41301,9 @@ var init_InteractiveResultsView = __esm({
           consumed += h;
           end++;
         }
-        if (end === viewportStart && groups.length > 0) end = viewportStart + 1;
+        if (end === view.viewport && groups.length > 0) end = view.viewport + 1;
         return end;
-      }, [viewportStart, groups, expandedIndex, expandLevel, animVisibleLines, availableRows, result.safeVersions]);
+      }, [view.viewport, groups, view.expandedIndex, view.expandLevel, animVisibleLines, availableRows, result.safeVersions]);
       const adjustViewport = (cursor, expIdx, expLvl, currentStart) => {
         if (cursor < currentStart) return cursor;
         const getLvl = (i) => expIdx === i ? expLvl : null;
@@ -41169,43 +41328,39 @@ var init_InteractiveResultsView = __esm({
           if (input === "q" || key.return) onExit();
           return;
         }
-        const cursor = cursorRef.current;
-        const expLvl = expandLevelRef.current;
-        const expIdx = expandedIdxRef.current;
-        const vpStart = viewportRef.current;
+        const { cursor, expandLevel: expLvl, expandedIndex: expIdx, viewport: vpStart } = viewRef.current;
         if (key.upArrow) {
           const next = Math.max(0, cursor - 1);
           const newVp = adjustViewport(next, expIdx, expLvl, vpStart < next ? vpStart : next);
-          setCursorIndex(next);
-          setViewportStart(newVp);
+          dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
         } else if (key.downArrow) {
           const next = Math.min(groups.length - 1, cursor + 1);
           const newVp = adjustViewport(next, expIdx, expLvl, vpStart);
-          setCursorIndex(next);
-          setViewportStart(newVp);
+          dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
         } else if (key.return) {
           let newExpIdx;
           let newExpLvl;
-          if (expIdx !== cursor) {
-            newExpIdx = cursor;
-            newExpLvl = "summary";
-          } else if (expLvl === "summary") {
-            newExpIdx = cursor;
-            newExpLvl = "detail";
-          } else {
+          if (expIdx === cursor && expLvl !== null) {
             newExpIdx = null;
             newExpLvl = null;
+          } else {
+            newExpIdx = cursor;
+            newExpLvl = "summary";
           }
-          setExpandedIndex(newExpIdx);
-          setExpandLevel(newExpLvl);
           const newVp = adjustViewport(cursor, newExpIdx, newExpLvl, vpStart);
-          setViewportStart(newVp);
+          dispatchView({ type: "EXPAND", expandedIndex: newExpIdx, expandLevel: newExpLvl, viewport: newVp });
+        } else if (input === "e") {
+          if (expIdx === cursor && expLvl === "detail") return;
+          const newVp = adjustViewport(cursor, cursor, "detail", vpStart);
+          dispatchView({ type: "EXPAND", expandedIndex: cursor, expandLevel: "detail", viewport: newVp });
+        } else if (input === "b" && onBack) {
+          onBack();
         } else if (input === "q") {
           onExit();
         }
       });
-      const visibleGroups = groups.slice(viewportStart, visibleEnd);
-      const aboveCount = viewportStart;
+      const visibleGroups = groups.slice(view.viewport, visibleEnd);
+      const aboveCount = view.viewport;
       const belowCount = groups.length - visibleEnd;
       const nameCol = Math.max(20, innerWidth - 22);
       return /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Box_default, { flexDirection: "column", children: [
@@ -41244,8 +41399,8 @@ var init_InteractiveResultsView = __esm({
                 " more above"
               ] }),
               visibleGroups.map((group, visIdx) => {
-                const globalIdx = viewportStart + visIdx;
-                const isCursor = globalIdx === cursorIndex;
+                const globalIdx = view.viewport + visIdx;
+                const isCursor = globalIdx === view.cursor;
                 const level = getLevel(globalIdx);
                 const rep = group.packages[0];
                 const { label, color } = actionBadge4(rep.score, config);
@@ -41264,7 +41419,7 @@ var init_InteractiveResultsView = __esm({
                     {
                       group,
                       maxWidth: innerWidth - 8,
-                      maxLines: globalIdx === expandedIndex ? animVisibleLines : void 0
+                      maxLines: globalIdx === view.expandedIndex ? animVisibleLines : void 0
                     }
                   ),
                   level === "detail" && /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(
@@ -41273,7 +41428,7 @@ var init_InteractiveResultsView = __esm({
                       group,
                       safeVersion: result.safeVersions[rep.name],
                       maxWidth: innerWidth - 8,
-                      maxLines: globalIdx === expandedIndex ? animVisibleLines : void 0
+                      maxLines: globalIdx === view.expandedIndex ? animVisibleLines : void 0
                     }
                   )
                 ] }, group.key);
@@ -41320,13 +41475,23 @@ var init_InteractiveResultsView = __esm({
             " navigate",
             "  ",
             import_chalk10.default.cyan("\u23CE"),
-            " expand/collapse",
+            " toggle",
+            "  ",
+            import_chalk10.default.cyan("e"),
+            " detail",
             "  ",
+            onBack && /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
+              import_chalk10.default.cyan("b"),
+              " back",
+              "  "
+            ] }),
             import_chalk10.default.cyan("q"),
             " quit"
           ] }) : /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
             "Press ",
             import_chalk10.default.cyan("q"),
+            " or ",
+            import_chalk10.default.cyan("Enter"),
             " to exit"
           ] })
         ] })
@@ -41334,13 +41499,9 @@ var init_InteractiveResultsView = __esm({
     };
     T = {
       branch: import_chalk10.default.dim("\u251C\u2500\u2500"),
-      // ├──
       last: import_chalk10.default.dim("\u2514\u2500\u2500"),
-      // └──
       pipe: import_chalk10.default.dim("\u2502"),
-      // │
       blank: " "
-      //
     };
     FindingsSummary = ({ group, maxWidth, maxLines }) => {
       const rep = group.packages[0];
@@ -41506,12 +41667,7 @@ var init_ProjectSelector = __esm({
           return /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { bold: isCursor, inverse: isCursor, children: line }, i);
         }),
         /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
-        /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
-          selected.size,
-          " of ",
-          projects.length,
-          " selected"
-        ] })
+        /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: selected.size === 0 ? "Select at least 1 project to scan" : `${selected.size} of ${projects.length} selected` })
       ] });
     };
   }
@@ -41536,7 +41692,7 @@ var init_App2 = __esm({
     await init_ProjectSelector();
     import_jsx_runtime12 = __toESM(require_jsx_runtime());
     App2 = ({ config }) => {
-      const { state, scanSelectedProjects } = useScan(config);
+      const { state, scanSelectedProjects, restartSelection } = useScan(config);
       const { exit } = use_app_default();
       const handleResultsExit = (0, import_react31.useCallback)(() => {
         if (state.phase === "results") {
@@ -41603,7 +41759,8 @@ var init_App2 = __esm({
               result: state.result,
               config,
               durationMs: state.durationMs,
-              onExit: handleResultsExit
+              onExit: handleResultsExit,
+              onBack: restartSelection ?? void 0
             }
           );
         case "empty":
@@ -41615,191 +41772,8 @@ var init_App2 = __esm({
   }
 });
-// src/config.ts
-import { parseArgs } from "node:util";
-import { readFileSync, existsSync } from "node:fs";
-import { join } from "node:path";
-import { homedir } from "node:os";
-function loadDgrc() {
-  const candidates = [
-    join(process.cwd(), ".dgrc.json"),
-    join(homedir(), ".dgrc.json")
-  ];
-  for (const filepath of candidates) {
-    if (existsSync(filepath)) {
-      try {
-        return JSON.parse(readFileSync(filepath, "utf-8"));
-      } catch {
-        process.stderr.write(`Warning: Failed to parse ${filepath}, ignoring.
-`);
-      }
-    }
-  }
-  return {};
-}
-var USAGE = `
-  Dependency Guardian \u2014 Supply chain security scanner
-  Usage:
-    dependency-guardian scan [options]
-    dg scan [options]
-    dg npm install <pkg> [npm-flags]
-    dg wrap
-  Commands:
-    scan            Scan dependencies (auto-discovers npm + Python projects)
-    npm             Wrap npm commands \u2014 scans packages before installing
-    hook install    Install git pre-commit hook to scan lockfile changes
-    hook uninstall  Remove the pre-commit hook
-    update          Check for and install the latest version
-    login           Authenticate with your WestBayBerry account
-    logout          Remove saved credentials
-    wrap            Show instructions to alias npm to dg
-  Options:
-    --api-key <key>          API key (or set DG_API_KEY env var)
-    --api-url <url>          API base URL (default: https://api.westbayberry.com)
-    --mode <mode>            block | warn | off (default: warn)
-    --block-threshold <n>    Score threshold for blocking (default: 70)
-    --warn-threshold <n>     Score threshold for warnings (default: 60)
-    --max-packages <n>       Max packages per scan (default: 200)
-    --allowlist <pkgs>       Comma-separated package names to skip
-    --json                   Output JSON for CI parsing
-    --scan-all               Scan all packages, not just changed
-    --base-lockfile <path>   Path to base lockfile for explicit diff
-    --workspace <dir>        Scan a specific workspace subdirectory
-    --debug                  Show diagnostic output (discovery, batches, timing)
-    --no-config              Skip loading .dgrc.json config file
-    --help                   Show this help message
-    --version                Show version number
-  Config File:
-    Place a .dgrc.json in your project root or home directory.
-    Precedence: CLI flags > env vars > .dgrc.json > defaults
-  Environment Variables:
-    DG_API_KEY               API key
-    DG_API_URL               API base URL
-    DG_MODE                  Mode (block/warn/off)
-    DG_ALLOWLIST             Comma-separated allowlist
-    DG_DEBUG                 Enable debug output (set to 1)
-    DG_WORKSPACE             Workspace subdirectory to scan
-  Exit Codes:
-    0  pass    \u2014 No risks detected
-    1  warn    \u2014 Risks detected (advisory)
-    2  block   \u2014 High-risk packages detected
-    3  error   \u2014 Internal error (API failure, config error)
-  Examples:
-    DG_API_KEY=dg_live_xxx dg scan
-    dg scan --api-key dg_live_xxx --json
-    dg scan --scan-all --mode block
-    dg scan --base-lockfile ./main-lockfile.json
-    dg npm install express lodash
-    dg npm install @scope/pkg@^2.0.0
-    dg npm install risky-pkg --dg-force
-`.trimStart();
-function getVersion() {
-  try {
-    const pkg = JSON.parse(
-      readFileSync(join(__dirname, "..", "package.json"), "utf-8")
-    );
-    return pkg.version ?? "1.0.0";
-  } catch {
-    return "1.0.0";
-  }
-}
-function parseConfig(argv) {
-  const { values, positionals } = parseArgs({
-    args: argv.slice(2),
-    options: {
-      "api-key": { type: "string" },
-      "api-url": { type: "string" },
-      mode: { type: "string" },
-      "block-threshold": { type: "string" },
-      "warn-threshold": { type: "string" },
-      "max-packages": { type: "string" },
-      allowlist: { type: "string" },
-      json: { type: "boolean", default: false },
-      "scan-all": { type: "boolean", default: false },
-      "base-lockfile": { type: "string" },
-      workspace: { type: "string", short: "w" },
-      debug: { type: "boolean", default: false },
-      "no-config": { type: "boolean", default: false },
-      help: { type: "boolean", default: false },
-      version: { type: "boolean", default: false }
-    },
-    allowPositionals: true,
-    strict: false
-  });
-  if (values.help) {
-    process.stdout.write(USAGE);
-    process.exit(0);
-  }
-  if (values.version) {
-    process.stdout.write(`dependency-guardian v${getVersion()}
-`);
-    process.exit(0);
-  }
-  const command = positionals[0] ?? "scan";
-  const noConfig = values["no-config"];
-  const dgrc = noConfig ? {} : loadDgrc();
-  if (values["api-key"]) {
-    process.stderr.write(
-      "Warning: --api-key is deprecated (visible in process list). Use DG_API_KEY env var instead.\n"
-    );
-  }
-  const apiKey = values["api-key"] ?? process.env.DG_API_KEY ?? dgrc.apiKey ?? "";
-  if (!apiKey) {
-    process.stderr.write(
-      "Error: API key required. Run `dg login` to authenticate,\nor set the DG_API_KEY environment variable.\nGet your key at https://westbayberry.com/dashboard\n"
-    );
-    process.exit(1);
-  }
-  const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? "warn";
-  if (!["block", "warn", "off"].includes(modeRaw)) {
-    process.stderr.write(
-      `Error: Invalid mode "${modeRaw}". Must be block, warn, or off.
-`
-    );
-    process.exit(1);
-  }
-  const allowlistRaw = values.allowlist ?? process.env.DG_ALLOWLIST ?? "";
-  const blockThreshold = Number(values["block-threshold"] ?? dgrc.blockThreshold ?? "70");
-  const warnThreshold = Number(values["warn-threshold"] ?? dgrc.warnThreshold ?? "60");
-  const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
-  const debug = values.debug || process.env.DG_DEBUG === "1";
-  if (isNaN(blockThreshold) || blockThreshold < 0 || blockThreshold > 100) {
-    process.stderr.write("Error: --block-threshold must be a number between 0 and 100\n");
-    process.exit(1);
-  }
-  if (isNaN(warnThreshold) || warnThreshold < 0 || warnThreshold > 100) {
-    process.stderr.write("Error: --warn-threshold must be a number between 0 and 100\n");
-    process.exit(1);
-  }
-  if (isNaN(maxPackages) || maxPackages < 1 || maxPackages > 1e4) {
-    process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
-    process.exit(1);
-  }
-  return {
-    apiKey,
-    apiUrl: values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com",
-    mode: modeRaw,
-    blockThreshold,
-    warnThreshold,
-    maxPackages,
-    allowlist: allowlistRaw ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean) : dgrc.allowlist ?? [],
-    json: values.json,
-    scanAll: values["scan-all"],
-    baseLockfile: values["base-lockfile"] ?? null,
-    workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
-    command,
-    debug
-  };
-}
 // src/bin.ts
+init_config();
 init_npm_wrapper();
 // src/update-check.ts
@@ -41861,8 +41835,7 @@ function spawnBackgroundUpdate(version) {
   try {
     const child = spawn2("npm", ["install", "-g", `${PKG_NAME}@${version}`], {
       detached: true,
-      stdio: "ignore",
-      shell: true
+      stdio: "ignore"
     });
     child.unref();
   } catch {
@@ -41924,10 +41897,20 @@ async function runUpdate(currentVersion) {
 }
 // src/bin.ts
-var CLI_VERSION = "1.0.4";
+var CLI_VERSION = getVersion();
 var isInteractive = process.stdout.isTTY === true && !process.env.CI && !process.env.NO_COLOR;
 async function main() {
   const rawCommand = process.argv[2];
+  if (!rawCommand || rawCommand === "--help" || rawCommand === "-h") {
+    const { USAGE: USAGE3 } = await Promise.resolve().then(() => (init_config(), config_exports));
+    process.stdout.write(USAGE3);
+    return;
+  }
+  if (rawCommand === "--version" || rawCommand === "-v") {
+    process.stdout.write(`dependency-guardian v${CLI_VERSION}
+`);
+    return;
+  }
   if (rawCommand === "wrap") {
     handleWrapCommand();
     return;
@@ -41958,7 +41941,7 @@ async function main() {
     const { clearCredentials: clearCredentials2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
     clearCredentials2();
     const chalk9 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-    process.stderr.write(chalk9.green("  Logged out.") + chalk9.dim(" API key removed from ~/.dgrc.json\n"));
+    process.stderr.write(chalk9.green("  Logged out.\n"));
     return;
   }
   const config = parseConfig(process.argv);
@@ -41993,18 +41976,10 @@ async function main() {
       process.exit(0);
     }
     const { App: App3 } = await init_App2().then(() => App_exports);
-    const { enterAlternativeScreen: enterAlternativeScreen2, exitAlternativeScreen: exitAlternativeScreen2 } = await Promise.resolve().then(() => (init_ansi_escapes(), ansi_escapes_exports));
-    const MOUSE_ON = "\x1B[?1000h\x1B[?1003h\x1B[?1006h";
-    const MOUSE_OFF = "\x1B[?1006l\x1B[?1003l\x1B[?1000l";
-    process.stdout.write(enterAlternativeScreen2 + MOUSE_ON);
-    try {
-      const { waitUntilExit } = render2(
-        React16.createElement(App3, { config })
-      );
-      await waitUntilExit();
-    } finally {
-      process.stdout.write(MOUSE_OFF + exitAlternativeScreen2);
-    }
+    const { waitUntilExit } = render2(
+      React16.createElement(App3, { config })
+    );
+    await waitUntilExit();
   }
   const updateMsg = await updatePromise;
   if (updateMsg) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@westbayberry/dg",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "Supply chain security scanner — scan npm dependencies in any CI or terminal",
   "bin": {
     "dependency-guardian": "dist/index.mjs",