@westbayberry/dg 1.0.52 → 1.0.56

package/dist/packages/cli/src/ui/hooks/usePipWrapper.js

@@ -0,0 +1,195 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.usePipWrapper = usePipWrapper;
+const react_1 = require("react");
+const pip_wrapper_1 = require("../../pip-wrapper");
+const api_1 = require("../../api");
+const static_output_1 = require("../../static-output");
+function reducer(_state, action) {
+    switch (action.type) {
+        case "PASSTHROUGH":
+            return { phase: "passthrough" };
+        case "RESOLVING":
+            return { phase: "resolving", count: action.count };
+        case "SCANNING":
+            return { phase: "scanning", count: action.count };
+        case "PASS":
+            return { phase: "pass", count: action.count };
+        case "WARN":
+            return { phase: "warn", result: action.result };
+        case "BLOCKED":
+            return { phase: "blocked", result: action.result, dgForce: action.dgForce };
+        case "INSTALLING":
+            return { phase: "installing" };
+        case "DONE":
+            return { phase: "done", exitCode: action.exitCode };
+        case "ERROR":
+            return { phase: "error", message: action.message, proceed: action.proceed };
+        case "TRIAL_EXHAUSTED":
+            return { phase: "trial_exhausted" };
+    }
+}
+function usePipWrapper(pipArgs, config, exit) {
+    const [state, dispatch] = (0, react_1.useReducer)(reducer, { phase: "resolving", count: 0 });
+    const started = (0, react_1.useRef)(false);
+    const parsedRef = (0, react_1.useRef)((0, pip_wrapper_1.parsePipArgs)(pipArgs));
+    const pendingInstall = (0, react_1.useRef)(null);
+    const rejectRef = (0, react_1.useRef)(null);
+    const confirmInstall = () => {
+        if (pendingInstall.current) {
+            pendingInstall.current();
+            pendingInstall.current = null;
+            rejectRef.current = null;
+        }
+    };
+    const rejectInstall = () => {
+        if (rejectRef.current) {
+            rejectRef.current();
+            pendingInstall.current = null;
+            rejectRef.current = null;
+        }
+    };
+    (0, react_1.useEffect)(() => {
+        if (started.current)
+            return;
+        started.current = true;
+        const parsed = parsedRef.current;
+        (async () => {
+            try {
+                // Non-install commands: passthrough
+                if (!parsed.shouldScan) {
+                    dispatch({ type: "PASSTHROUGH" });
+                    const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                    dispatch({ type: "DONE", exitCode: code });
+                    return;
+                }
+                // Determine packages to resolve
+                let specs;
+                if (parsed.packages.length === 0 && parsed.requirementsFile) {
+                    // -r requirements.txt
+                    specs = (0, pip_wrapper_1.parseRequirementsFile)(parsed.requirementsFile);
+                    if (specs.length === 0) {
+                        dispatch({ type: "PASSTHROUGH" });
+                        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                        dispatch({ type: "DONE", exitCode: code });
+                        return;
+                    }
+                }
+                else if (parsed.packages.length === 0) {
+                    // No packages specified and no requirements file — passthrough
+                    dispatch({ type: "PASSTHROUGH" });
+                    const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                    dispatch({ type: "DONE", exitCode: code });
+                    return;
+                }
+                else {
+                    specs = parsed.packages;
+                }
+                dispatch({ type: "RESOLVING", count: specs.length });
+                // Resolve versions via PyPI API
+                const { resolved } = await (0, pip_wrapper_1.resolvePackages)(specs);
+                if (resolved.length === 0) {
+                    // Could not resolve any packages — passthrough
+                    dispatch({ type: "PASSTHROUGH" });
+                    const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                    dispatch({ type: "DONE", exitCode: code });
+                    return;
+                }
+                dispatch({ type: "SCANNING", count: resolved.length });
+                // Call PyPI analyze API
+                const result = await (0, api_1.callPyPIAnalyzeAPI)(resolved, config);
+                // Route based on action
+                if (result.action === "pass") {
+                    if (exit)
+                        exit();
+                    const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+                    process.stderr.write(chalk.green(`  \u2713 ${resolved.length} package${resolved.length !== 1 ? "s" : ""} scanned \u2014 all clear\n`));
+                    process.stderr.write("\n");
+                    const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                    process.exit(code);
+                    return;
+                }
+                if (result.action === "warn") {
+                    if (exit)
+                        exit();
+                    process.stdout.write((0, static_output_1.renderResultStatic)(result, config) + "\n");
+                    const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+                    process.stderr.write(chalk.yellow("  Warnings detected. Proceeding with install.\n\n"));
+                    const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                    process.exit(code);
+                    return;
+                }
+                if (result.action === "block") {
+                    process.stdout.write((0, static_output_1.renderResultStatic)(result, config) + "\n");
+                    if (parsed.dgForce) {
+                        dispatch({ type: "BLOCKED", result, dgForce: true });
+                        dispatch({ type: "INSTALLING" });
+                        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                        dispatch({ type: "DONE", exitCode: code });
+                        return;
+                    }
+                    // Prompt user
+                    dispatch({ type: "BLOCKED", result, dgForce: false });
+                    const shouldProceed = await new Promise((resolve) => {
+                        pendingInstall.current = () => resolve(true);
+                        rejectRef.current = () => resolve(false);
+                    });
+                    if (shouldProceed) {
+                        dispatch({ type: "INSTALLING" });
+                        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+                        dispatch({ type: "DONE", exitCode: code });
+                    }
+                    else {
+                        dispatch({ type: "DONE", exitCode: 2 });
+                    }
+                    return;
+                }
+            }
+            catch (error) {
+                if (error instanceof api_1.TrialExhaustedError) {
+                    dispatch({ type: "TRIAL_EXHAUSTED" });
+                    return;
+                }
+                const message = error instanceof Error ? error.message : String(error);
+                dispatch({ type: "ERROR", message, proceed: true });
+                dispatch({ type: "INSTALLING" });
+                const code = await (0, pip_wrapper_1.runPip)(parsedRef.current.rawArgs);
+                dispatch({ type: "DONE", exitCode: code });
+            }
+        })();
+    }, [pipArgs, config]);
+    return { state, confirmInstall, rejectInstall };
+}

package/dist/packages/cli/src/ui/hooks/useScan.js

@@ -0,0 +1,202 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.useScan = useScan;
+const react_1 = require("react");
+const lockfile_1 = require("../../lockfile");
+const api_1 = require("../../api");
+const discover_1 = require("../../discover");
+const telemetry_1 = require("../../telemetry");
+const lockfile_2 = require("../../lockfile");
+function reducer(_state, action) {
+    switch (action.type) {
+        case "PROJECTS_FOUND":
+            return { phase: "selecting", projects: action.projects };
+        case "RESTART_SELECTION":
+            return { phase: "selecting", projects: action.projects };
+        case "DISCOVERY_COMPLETE":
+            return { phase: "scanning", done: 0, total: action.packages.length, currentBatch: [] };
+        case "DISCOVERY_EMPTY":
+            return { phase: "empty", message: action.message };
+        case "SCAN_PROGRESS":
+            return { phase: "scanning", done: action.done, total: action.total, currentBatch: action.currentBatch };
+        case "SCAN_COMPLETE":
+            return { phase: "results", result: action.result, durationMs: action.durationMs, skippedCount: action.skippedCount, discoveredTotal: action.discoveredTotal };
+        case "ERROR":
+            return { phase: "error", error: action.error };
+        case "TRIAL_EXHAUSTED":
+            return { phase: "trial_exhausted", scansUsed: action.scansUsed, maxScans: action.maxScans };
+    }
+}
+function useScan(config) {
+    const [state, dispatch] = (0, react_1.useReducer)(reducer, { phase: "discovering" });
+    const started = (0, react_1.useRef)(false);
+    const [multiProjects, setMultiProjects] = (0, react_1.useState)(null);
+    (0, react_1.useEffect)(() => {
+        if (started.current)
+            return;
+        started.current = true;
+        // Always discover projects for the back button
+        const projects = (0, discover_1.discoverProjects)(process.cwd());
+        if (projects.length > 1)
+            setMultiProjects(projects);
+        // Multiple projects — always show the project selector first
+        if (projects.length > 1) {
+            dispatch({ type: "PROJECTS_FOUND", projects });
+            return;
+        }
+        try {
+            // Single project or none — try lockfile-based discovery
+            const discovery = (0, lockfile_1.discoverChanges)(process.cwd(), config);
+            const packages = discovery.packages;
+            if (packages.length === 0) {
+                dispatch({ type: "DISCOVERY_EMPTY", message: "No package changes detected." });
+                return;
+            }
+            // Single project with packages — scan directly
+            dispatch({ type: "DISCOVERY_COMPLETE", packages, skippedCount: discovery.skipped.length });
+            runNpmScan(packages, discovery.skipped.length, config, dispatch);
+        }
+        catch {
+            if (projects.length === 0) {
+                dispatch({ type: "DISCOVERY_EMPTY", message: "No dependency files found." });
+                return;
+            }
+            // Single project — skip selection, go straight to scan
+            dispatch({ type: "DISCOVERY_COMPLETE", packages: [], skippedCount: 0 });
+            scanProjects(projects, config, dispatch);
+        }
+    }, [config]);
+    const scanSelectedProjects = (0, react_1.useCallback)((projects) => {
+        dispatch({ type: "DISCOVERY_COMPLETE", packages: [], skippedCount: 0 });
+        scanProjects(projects, config, dispatch);
+    }, [config]);
+    const restartSelection = (0, react_1.useCallback)(() => {
+        if (!multiProjects)
+            return;
+        dispatch({ type: "RESTART_SELECTION", projects: multiProjects });
+    }, [multiProjects]);
+    return {
+        state,
+        scanSelectedProjects,
+        restartSelection: multiProjects ? restartSelection : null,
+    };
+}
+async function runNpmScan(packages, skippedCount, config, dispatch) {
+    try {
+        const startMs = Date.now();
+        const result = await (0, api_1.callAnalyzeAPI)(packages, config, (done, total) => {
+            const batchStart = Math.max(0, done - 15);
+            const currentBatch = packages.slice(batchStart, done).map((p) => p.name);
+            dispatch({ type: "SCAN_PROGRESS", done, total, currentBatch });
+        });
+        dispatch({ type: "SCAN_COMPLETE", result, durationMs: Date.now() - startMs, skippedCount });
+    }
+    catch (error) {
+        if (error instanceof api_1.TrialExhaustedError) {
+            dispatch({ type: "TRIAL_EXHAUSTED", scansUsed: error.scansUsed, maxScans: error.maxScans });
+            return;
+        }
+        const err = error instanceof Error ? error : new Error(String(error));
+        (0, telemetry_1.captureError)(err, { command: "scan", nodeVersion: process.version, cliVersion: "", authenticated: !!config.apiKey });
+        dispatch({ type: "ERROR", error: err });
+    }
+}
+async function scanProjects(projects, config, dispatch) {
+    try {
+        const npmProjects = projects.filter((p) => p.ecosystem === "npm");
+        const pypiProjects = projects.filter((p) => p.ecosystem === "pypi");
+        // Multi-project selector always scans all packages (not just git-changed)
+        const fullScanConfig = { ...config, scanAll: true };
+        // Collect all packages across projects, deduplicating by name@version
+        const npmPackages = [];
+        const pypiPackages = [];
+        const seenNpm = new Set();
+        const seenPypi = new Set();
+        for (const proj of npmProjects) {
+            try {
+                const discovery = (0, lockfile_1.discoverChanges)(proj.path, fullScanConfig);
+                for (const pkg of discovery.packages) {
+                    const key = `${pkg.name}@${pkg.version}`;
+                    if (!seenNpm.has(key)) {
+                        seenNpm.add(key);
+                        npmPackages.push(pkg);
+                    }
+                }
+            }
+            catch { /* ignore — skip unparseable project */ }
+        }
+        for (const proj of pypiProjects) {
+            try {
+                const packages = (0, lockfile_2.parsePythonDepFile)(proj.path, proj.depFile);
+                for (const pkg of packages) {
+                    const key = `${pkg.name}@${pkg.version}`;
+                    if (!seenPypi.has(key)) {
+                        seenPypi.add(key);
+                        pypiPackages.push(pkg);
+                    }
+                }
+            }
+            catch { /* ignore — skip unparseable project */ }
+        }
+        const discoveredTotal = npmPackages.length + pypiPackages.length;
+        // Batching is handled by the API client — no client-side cap needed
+        const totalPackages = npmPackages.length + pypiPackages.length;
+        if (totalPackages === 0) {
+            dispatch({ type: "DISCOVERY_EMPTY", message: "No packages to scan." });
+            return;
+        }
+        const startMs = Date.now();
+        const results = [];
+        let completed = 0;
+        if (npmPackages.length > 0) {
+            const npmResult = await (0, api_1.callAnalyzeAPI)(npmPackages, config, (done) => {
+                completed = done;
+                dispatch({
+                    type: "SCAN_PROGRESS",
+                    done: completed,
+                    total: totalPackages,
+                    currentBatch: npmPackages.slice(Math.max(0, done - 15), done).map((p) => p.name),
+                });
+            });
+            completed = npmPackages.length;
+            results.push(npmResult);
+        }
+        if (pypiPackages.length > 0) {
+            const pypiResult = await (0, api_1.callPyPIAnalyzeAPI)(pypiPackages, config, (done) => {
+                dispatch({
+                    type: "SCAN_PROGRESS",
+                    done: completed + done,
+                    total: totalPackages,
+                    currentBatch: pypiPackages.slice(Math.max(0, done - 15), done).map((p) => p.name),
+                });
+            });
+            results.push(pypiResult);
+        }
+        // Merge results
+        const allPackages = results.flatMap((r) => r.packages);
+        const maxScore = Math.max(0, ...allPackages.map((p) => p.score));
+        const action = maxScore >= 70 ? "block"
+            : maxScore >= 60 ? "warn"
+                : "pass";
+        const safeVersions = {};
+        for (const r of results)
+            Object.assign(safeVersions, r.safeVersions);
+        const merged = {
+            score: maxScore,
+            action,
+            packages: allPackages,
+            safeVersions,
+            durationMs: Date.now() - startMs,
+        };
+        dispatch({ type: "SCAN_COMPLETE", result: merged, durationMs: merged.durationMs, skippedCount: 0, discoveredTotal });
+    }
+    catch (error) {
+        if (error instanceof api_1.TrialExhaustedError) {
+            dispatch({ type: "TRIAL_EXHAUSTED", scansUsed: error.scansUsed, maxScans: error.maxScans });
+            return;
+        }
+        const err = error instanceof Error ? error : new Error(String(error));
+        (0, telemetry_1.captureError)(err, { command: "scan", nodeVersion: process.version, cliVersion: "", authenticated: !!config.apiKey });
+        dispatch({ type: "ERROR", error: err });
+    }
+}

package/dist/packages/cli/src/ui/hooks/useTerminalSize.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.useTerminalSize = useTerminalSize;
+const react_1 = require("react");
+const ink_1 = require("ink");
+function useTerminalSize() {
+    const { stdout } = (0, ink_1.useStdout)();
+    const [size, setSize] = (0, react_1.useState)({
+        rows: stdout?.rows ?? process.stdout.rows ?? 24,
+        cols: stdout?.columns ?? process.stdout.columns ?? 80,
+    });
+    (0, react_1.useEffect)(() => {
+        const handle = () => {
+            const rows = process.stdout.rows ?? 24;
+            const cols = process.stdout.columns ?? 80;
+            if (process.stdout.isTTY) {
+                process.stdout.write("\x1b[2J\x1b[H");
+            }
+            setSize({ rows, cols });
+        };
+        process.stdout.setMaxListeners(process.stdout.getMaxListeners() + 1);
+        process.stdout.on("resize", handle);
+        return () => {
+            process.stdout.off("resize", handle);
+            process.stdout.setMaxListeners(Math.max(0, process.stdout.getMaxListeners() - 1));
+        };
+    }, []);
+    return size;
+}

package/dist/packages/cli/src/update-check.js

@@ -0,0 +1,152 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNewer = isNewer;
+exports.checkForUpdate = checkForUpdate;
+exports.runUpdate = runUpdate;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const node_child_process_1 = require("node:child_process");
+const PKG_NAME = "@westbayberry/dg";
+const CACHE_FILE = (0, node_path_1.join)((0, node_os_1.homedir)(), ".dg-update-check.json");
+const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000;
+function readCache() {
+    try {
+        const raw = (0, node_fs_1.readFileSync)(CACHE_FILE, "utf-8");
+        const data = JSON.parse(raw);
+        if (typeof data.latest === "string" && typeof data.checkedAt === "number") {
+            return data;
+        }
+    }
+    catch { /* ignore — cache is best-effort */ }
+    return null;
+}
+function writeCache(entry) {
+    try {
+        (0, node_fs_1.writeFileSync)(CACHE_FILE, JSON.stringify(entry), "utf-8");
+    }
+    catch { /* ignore — cache is best-effort */ }
+}
+async function fetchLatestVersion() {
+    try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), 5000);
+        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(PKG_NAME)}/latest`, { headers: { Accept: "application/json" }, signal: controller.signal });
+        clearTimeout(timeoutId);
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return typeof data.version === "string" ? data.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+function parseVersion(v) {
+    return v.replace(/^v/, "").split(".").map(Number);
+}
+// isNewer(a, b) returns true iff `a` is strictly newer than `b`.
+// Used by the server-driven version floor (api.ts): isNewer(minClientVersion, currentVersion)
+// means "the required minimum is newer than what's running" — the condition we must throw on.
+// Argument order matters: reversing = silent security-gate failure.
+function isNewer(a, b) {
+    const aParts = parseVersion(a);
+    const bParts = parseVersion(b);
+    for (let i = 0; i < Math.max(aParts.length, bParts.length); i++) {
+        const x = aParts[i] ?? 0;
+        const y = bParts[i] ?? 0;
+        if (x > y)
+            return true;
+        if (x < y)
+            return false;
+    }
+    return false;
+}
+function formatBanner(current, latest) {
+    return `\n  \u26A0 Update available: ${current} \u2192 ${latest}\n    Run \`dg update\` to upgrade\n\n`;
+}
+/**
+ * Check npm registry for a newer version. Returns a plain banner string (no color),
+ * or null if no update / if running in CI or --json mode.
+ * The caller is responsible for wrapping the string in chalk.dim() when printing.
+ *
+ * Does NOT spawn `npm install -g` — users must run `dg update` explicitly.
+ * Silent auto-update was removed as a self-inflicted supply-chain vector.
+ */
+async function checkForUpdate(currentVersion) {
+    // Skip in CI and --json mode — no interactive banner makes sense there,
+    // and CI pipelines should not reach out to the npm registry on every scan.
+    if (process.env.CI || process.argv.includes("--json"))
+        return null;
+    const cached = readCache();
+    if (cached && Date.now() - cached.checkedAt < CHECK_INTERVAL_MS) {
+        if (isNewer(cached.latest, currentVersion)) {
+            return formatBanner(currentVersion, cached.latest);
+        }
+        return null;
+    }
+    const latest = await fetchLatestVersion();
+    if (!latest)
+        return null;
+    writeCache({ latest, checkedAt: Date.now() });
+    if (isNewer(latest, currentVersion)) {
+        return formatBanner(currentVersion, latest);
+    }
+    return null;
+}
+async function runUpdate(currentVersion) {
+    const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+    process.stderr.write(chalk.dim("  Checking for updates...\n"));
+    const latest = await fetchLatestVersion();
+    if (!latest) {
+        process.stderr.write(chalk.red("  Could not reach npm registry.\n"));
+        process.exit(1);
+    }
+    if (!isNewer(latest, currentVersion)) {
+        process.stderr.write(chalk.green(`  Already on latest version (${currentVersion}).\n`));
+        return;
+    }
+    process.stderr.write(chalk.dim(`  Installing ${PKG_NAME}@${latest}...\n`));
+    try {
+        (0, node_child_process_1.execFileSync)("npm", ["install", "-g", `${PKG_NAME}@${latest}`], { stdio: "inherit" });
+        writeCache({ latest, checkedAt: Date.now() });
+        process.stderr.write(chalk.green(`\n  Updated ${currentVersion} → ${latest}\n`));
+    }
+    catch {
+        process.stderr.write(chalk.red(`\n  Update failed. Try manually: npm i -g ${PKG_NAME}@${latest}\n`));
+        process.exit(1);
+    }
+}

package/dist/packages/cli/src/wizard-demo-data.js

@@ -0,0 +1,63 @@
+"use strict";
+// Demo fixture for the first-run wizard. Shape mirrors APIPackageResult so
+// ScanResultCard renders demo and real results identically.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEMO_SCAN_TOTAL_MS = exports.DEMO_SCAN_LABELS = exports.DEMO_MALICIOUS_PACKAGE = void 0;
+exports.friendlyCategory = friendlyCategory;
+exports.DEMO_MALICIOUS_PACKAGE = {
+    isDemo: true,
+    score: 91,
+    action: "block",
+    package: {
+        name: "malicious-demo",
+        version: "1.0.0",
+        score: 91,
+        cached: false,
+        findings: [
+            {
+                category: "Steals your passwords and API keys",
+                severity: 5,
+                title: "reads your environment variables on install",
+            },
+            {
+                category: "Hides what it's doing",
+                severity: 5,
+                title: "the code is jumbled so it's hard to read",
+            },
+            {
+                category: "Phones home",
+                severity: 4,
+                title: "downloads more code from the internet and runs it",
+            },
+        ],
+        reasons: [
+            "reads env vars on install",
+            "three layers of obfuscation",
+            "postinstall pipes curl to a shell",
+        ],
+    },
+};
+exports.DEMO_SCAN_LABELS = [
+    "looking at malicious-demo@1.0.0...",
+    "reading the code...",
+    "checking 78 patterns...",
+    "scoring...",
+];
+exports.DEMO_SCAN_TOTAL_MS = 500;
+// Engine category → plain-English label for the wizard.
+const FRIENDLY_CATEGORIES = {
+    "Credential Exfiltration": "Steals passwords and API keys",
+    "Network Exfiltration": "Sends your data to the internet",
+    "Obfuscated Code": "Hides what it's doing",
+    "Code Execution": "Runs arbitrary code",
+    "Install Hook": "Runs code during install",
+    "Postinstall Curl Pipe": "Downloads code and runs it",
+    "Suspicious Network": "Talks to suspicious servers",
+    "Typosquatting": "Pretending to be a popular package",
+    "Sandbox Escape": "Tries to break out of safety checks",
+};
+function friendlyCategory(category) {
+    if (!category)
+        return "Finding";
+    return FRIENDLY_CATEGORIES[category] ?? category;
+}

package/dist/src/ecosystem.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });