@westbayberry/dg 1.0.52 → 1.0.56

package/dist/packages/cli/src/discover.js

@@ -0,0 +1,126 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverProjects = discoverProjects;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const SKIP_DIRS = new Set([
+    "node_modules", ".venv", "venv", "__pycache__", ".git",
+    ".tox", ".eggs", "dist", "build", ".next", ".nuxt",
+    "coverage", ".cache", ".pytest_cache", ".mypy_cache",
+    "validation-results", "test-fixtures", "fixtures",
+]);
+const NPM_LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"];
+const PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
+const MAX_DEPTH = 8;
+function discoverProjects(root) {
+    const projects = [];
+    walk(root, root, 0, projects);
+    return projects.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+}
+function walk(dir, root, depth, out) {
+    if (depth > MAX_DEPTH)
+        return;
+    // Check for npm project
+    for (const lockfile of NPM_LOCKFILES) {
+        const lockPath = (0, node_path_1.join)(dir, lockfile);
+        if ((0, node_fs_1.existsSync)(lockPath)) {
+            const count = countNpmPackages(lockPath);
+            if (count > 0) {
+                out.push({
+                    path: dir,
+                    relativePath: (0, node_path_1.relative)(root, dir) || ".",
+                    ecosystem: "npm",
+                    depFile: lockfile,
+                    packageCount: count,
+                });
+            }
+            break; // one npm project per directory
+        }
+    }
+    // Check for python project
+    for (const depFile of PYTHON_DEPFILES) {
+        const depPath = (0, node_path_1.join)(dir, depFile);
+        if ((0, node_fs_1.existsSync)(depPath)) {
+            const count = countPythonPackages(depPath, depFile);
+            if (count > 0) {
+                out.push({
+                    path: dir,
+                    relativePath: (0, node_path_1.relative)(root, dir) || ".",
+                    ecosystem: "pypi",
+                    depFile,
+                    packageCount: count,
+                });
+            }
+            break; // one python project per directory
+        }
+    }
+    // Recurse into subdirectories
+    let entries;
+    try {
+        entries = (0, node_fs_1.readdirSync)(dir);
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        if (SKIP_DIRS.has(entry) || entry.startsWith("."))
+            continue;
+        const full = (0, node_path_1.join)(dir, entry);
+        try {
+            const st = (0, node_fs_1.lstatSync)(full);
+            if (st.isDirectory() && !st.isSymbolicLink()) {
+                walk(full, root, depth + 1, out);
+            }
+        }
+        catch { /* ignore — unreadable entry */ }
+    }
+}
+function countNpmPackages(lockPath) {
+    try {
+        const name = (0, node_path_1.basename)(lockPath);
+        const content = (0, node_fs_1.readFileSync)(lockPath, "utf-8");
+        if (name === "yarn.lock") {
+            // Count package header lines (non-indented, ending with :)
+            return (content.match(/^\S.*:$/gm) || []).length;
+        }
+        if (name === "pnpm-lock.yaml") {
+            // Count package entries
+            return (content.match(/^\s{2}'?[/@]/gm) || []).length || estimateLines(content, 200);
+        }
+        // package-lock.json / npm-shrinkwrap.json
+        const parsed = JSON.parse(content);
+        if (parsed.packages) {
+            return Object.keys(parsed.packages).filter(k => k !== "").length;
+        }
+        if (parsed.dependencies) {
+            return Object.keys(parsed.dependencies).length;
+        }
+        return 0;
+    }
+    catch {
+        return 0;
+    }
+}
+function countPythonPackages(depPath, depFile) {
+    try {
+        const content = (0, node_fs_1.readFileSync)(depPath, "utf-8");
+        if (depFile === "Pipfile.lock") {
+            const parsed = JSON.parse(content);
+            const defaultCount = Object.keys(parsed.default || {}).length;
+            const devCount = Object.keys(parsed.develop || {}).length;
+            return defaultCount + devCount;
+        }
+        if (depFile === "poetry.lock") {
+            return (content.match(/^\[\[package\]\]/gm) || []).length;
+        }
+        // requirements.txt — count non-empty, non-comment lines
+        return content.split("\n").filter(line => line.trim() && !line.trim().startsWith("#") && !line.trim().startsWith("-")).length;
+    }
+    catch {
+        return 0;
+    }
+}
+function estimateLines(content, fallback) {
+    const lines = content.split("\n").length;
+    return lines > 20 ? Math.floor(lines / 4) : fallback;
+}

package/dist/packages/cli/src/first-run.js

@@ -0,0 +1,135 @@
+"use strict";
+// First-run wizard orchestration.
+//
+// Called from bin.ts at the top of main(), before any command dispatches.
+// Decides whether to mount the InitApp wizard based on:
+//   1. Skip-list (commands like `update` and `logout` never trigger setup)
+//   2. TTY (CI / piped output never gets the wizard)
+//   3. Sentinel (`firstRunCompletedAt` in ~/.dgrc.json — sticky once set)
+//
+// Three contracts after the wizard mounts:
+//   - The sentinel is marked as soon as the wizard mounts successfully.
+//     Once the user has SEEN the offer they should never be re-prompted,
+//     regardless of whether they finished, said no, or Ctrl+C'd out.
+//   - If the wizard is dismissed before reaching the `done` phase
+//     (Ctrl+C, q, escape) we exit the whole process here. The user's
+//     original command does NOT run after a quit — surfacing `dg scan`'s
+//     UI right after they bailed on the wizard is jarring.
+//   - If the wizard ran a scan (the user said yes and walked through
+//     result_first_scan) AND the user's original command is `scan`, we
+//     exit cleanly. The wizard's scan already showed them what they came
+//     to see; running it again would force them through a project picker
+//     and double the work.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.maybeOfferFirstRunWizard = maybeOfferFirstRunWizard;
+const auth_1 = require("./auth");
+// Commands that should never trigger the auto-wizard:
+//   update / logout — meta actions, see D17
+//   kitty           — already mounts the wizard explicitly via bin.ts
+//   help / version  — info queries, handled by their own early returns,
+//                      listed here defensively in case dispatch order changes
+//   hook            — meta-operation on setup itself (install / uninstall).
+//                      A user running `dg hook install` or `dg hook uninstall`
+//                      is already familiar enough with DG to know what hooks
+//                      are; offering them the guided tour is incoherent and
+//                      blocks the destructive `uninstall` they actually asked
+//                      for. Sentinel stays unset so the next normal command
+//                      still gets the wizard.
+const SKIP_LIST = new Set([
+    "update",
+    "logout",
+    "kitty",
+    "help",
+    "version",
+    "hook",
+]);
+async function maybeOfferFirstRunWizard(opts) {
+    if (SKIP_LIST.has(opts.rawCommand))
+        return;
+    if (!opts.isInteractive)
+        return;
+    if ((0, auth_1.getFirstRunCompletedAt)() !== null)
+        return;
+    let mounted = false;
+    let reachedDone = false;
+    let scanRanInWizard = false;
+    try {
+        const { render } = await Promise.resolve().then(() => __importStar(require("ink")));
+        const React = await Promise.resolve().then(() => __importStar(require("react")));
+        const { InitApp } = await Promise.resolve().then(() => __importStar(require("./ui/InitApp")));
+        const { enterAltScreen, leaveAltScreen } = await Promise.resolve().then(() => __importStar(require("./alt-screen")));
+        enterAltScreen();
+        try {
+            const { waitUntilExit } = render(React.createElement(InitApp, {
+                firstRun: true,
+                onReachedDone: () => {
+                    reachedDone = true;
+                },
+                onScanRan: () => {
+                    scanRanInWizard = true;
+                },
+            }));
+            mounted = true;
+            await waitUntilExit();
+        }
+        finally {
+            leaveAltScreen();
+        }
+    }
+    catch {
+        // Mount failed — let the original command run, don't mark the sentinel.
+        return;
+    }
+    if (mounted) {
+        try {
+            (0, auth_1.markFirstRunComplete)();
+        }
+        catch {
+            // Best-effort. Worst case: prompted again next invocation.
+        }
+    }
+    if (mounted && !reachedDone) {
+        // User dismissed the wizard before finishing. Don't run their original
+        // command — exit cleanly with the conventional Ctrl+C exit code.
+        process.exit(130);
+    }
+    // If the wizard ran a scan and the user's original command is `dg scan`,
+    // we'd otherwise re-run the same scan and force them through a project
+    // picker. Skip the duplicate cleanly.
+    if (mounted && reachedDone && scanRanInWizard && opts.rawCommand === "scan") {
+        process.exit(0);
+    }
+}

package/dist/packages/cli/src/hook.js

@@ -0,0 +1,360 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectHookFramework = detectHookFramework;
+exports.previewHookInstall = previewHookInstall;
+exports.installHookForFramework = installHookForFramework;
+exports.handleHookCommand = handleHookCommand;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const HOOK_MARKER = "# dependency-guardian-hook";
+const MARKER_START = "# dependency-guardian-hook-start";
+const MARKER_END = "# dependency-guardian-hook-end";
+const LEFTHOOK_MARKER = "dependency-guardian"; // used inside lefthook.yml command name
+const HOOK_SCRIPT = `#!/bin/sh
+${HOOK_MARKER} — installed by \`dg hook install\`
+
+# Check if any lockfiles are staged
+STAGED=""
+for f in package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
+  if git diff --cached --name-only | grep -q "^\${f}$"; then
+    STAGED="yes"
+    break
+  fi
+done
+
+if [ -z "$STAGED" ]; then
+  exit 0
+fi
+
+# Find dg binary
+DG_BIN=$(command -v dg 2>/dev/null || command -v dependency-guardian 2>/dev/null)
+if [ -z "$DG_BIN" ]; then
+  echo "Warning: dg not found in PATH. Skipping dependency scan." >&2
+  exit 0
+fi
+
+echo "Dependency Guardian: lockfile change detected, scanning..." >&2
+NO_COLOR=1 "$DG_BIN" scan --mode block
+EXIT_CODE=$?
+
+if [ "$EXIT_CODE" -eq 2 ]; then
+  echo "" >&2
+  echo "Commit blocked by Dependency Guardian (high-risk packages detected)." >&2
+  echo "Run \\\`dg scan --scan-all\\\` for details, or \\\`git commit --no-verify\\\` to bypass." >&2
+  exit 1
+fi
+
+if [ "$EXIT_CODE" -eq 3 ]; then
+  echo "Warning: dg scan encountered an error. Allowing commit." >&2
+fi
+
+exit 0
+`;
+const HOOK_SECTION = `
+${MARKER_START}
+${HOOK_SCRIPT.split("\n").slice(1).join("\n")}${MARKER_END}
+`;
+// One-line snippet appended to .husky/pre-commit. Husky pre-commit files are
+// shell scripts (the v9+ format dropped the husky.sh shim — they're now plain
+// scripts with no special header). We append a one-liner that invokes dg.
+const HUSKY_SNIPPET = `
+${MARKER_START}
+${HOOK_MARKER} — installed by \`dg hook install\`
+DG_BIN=$(command -v dg 2>/dev/null || command -v dependency-guardian 2>/dev/null)
+if [ -n "$DG_BIN" ]; then
+  if git diff --cached --name-only | grep -qE '^(package-lock\\.json|npm-shrinkwrap\\.json|yarn\\.lock|pnpm-lock\\.yaml)$'; then
+    echo "Dependency Guardian: lockfile change detected, scanning..." >&2
+    NO_COLOR=1 "$DG_BIN" scan --mode block
+    DG_EXIT=$?
+    if [ "$DG_EXIT" -eq 2 ]; then
+      echo "Commit blocked by Dependency Guardian. Use 'git commit --no-verify' to bypass." >&2
+      exit 1
+    fi
+  fi
+fi
+${MARKER_END}
+`;
+// One lefthook command entry appended to lefthook.yml's pre-commit.commands map.
+// The key name embeds LEFTHOOK_MARKER so we can detect existing installs.
+const LEFTHOOK_ENTRY = `  pre-commit:
+    commands:
+      ${LEFTHOOK_MARKER}:
+        glob: "{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json}"
+        run: dg scan --mode block
+`;
+const USAGE = `
+  dg hook — manage git pre-commit hook
+
+  Usage:
+    dg hook install    Install pre-commit hook to scan lockfile changes
+    dg hook uninstall  Remove the pre-commit hook
+
+  The hook runs \`dg scan --mode block\` when lockfile changes are committed.
+  If high-risk packages are detected, the commit is blocked.
+
+  Detection: dg hook install detects existing hook frameworks in your
+  project and integrates with them instead of fighting them:
+
+    .husky/pre-commit    → appends a DG block (Husky v9+)
+    lefthook.yml         → adds a pre-commit command entry
+    (none)               → installs into .git/hooks/pre-commit directly
+`;
+function findGitDir() {
+    try {
+        return (0, node_child_process_1.execFileSync)("git", ["rev-parse", "--git-dir"], {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+    }
+    catch {
+        throw new Error("Not a git repository. Run this from inside a git project.");
+    }
+}
+function findRepoRoot() {
+    try {
+        return (0, node_child_process_1.execFileSync)("git", ["rev-parse", "--show-toplevel"], {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+    }
+    catch {
+        throw new Error("Not a git repository. Run this from inside a git project.");
+    }
+}
+/** Detect which pre-commit framework (if any) the project uses.
+ *  Husky takes precedence over lefthook if both are present (rare). */
+function detectHookFramework(repoRoot) {
+    const root = repoRoot ?? findRepoRoot();
+    const huskyHook = (0, node_path_1.join)(root, ".husky", "pre-commit");
+    const lefthookConfig = (0, node_path_1.join)(root, "lefthook.yml");
+    const lefthookConfigYaml = (0, node_path_1.join)(root, "lefthook.yaml");
+    const gitDir = findGitDir();
+    const bareHook = (0, node_path_1.join)(gitDir, "hooks", "pre-commit");
+    // Husky check — the file at .husky/pre-commit is the canonical husky setup
+    if ((0, node_fs_1.existsSync)(huskyHook)) {
+        const content = (0, node_fs_1.readFileSync)(huskyHook, "utf-8");
+        return {
+            framework: "husky",
+            targetFile: huskyHook,
+            alreadyInstalled: content.includes(HOOK_MARKER),
+        };
+    }
+    // Lefthook check — yml or yaml
+    for (const cfg of [lefthookConfig, lefthookConfigYaml]) {
+        if ((0, node_fs_1.existsSync)(cfg)) {
+            const content = (0, node_fs_1.readFileSync)(cfg, "utf-8");
+            // Match the dependency-guardian command name inside the pre-commit section.
+            // We look for the marker as a yaml key — must be at indent 6 (inside commands:)
+            const installed = /^\s+dependency-guardian\s*:/m.test(content);
+            return {
+                framework: "lefthook",
+                targetFile: cfg,
+                alreadyInstalled: installed,
+            };
+        }
+    }
+    // Bare git hook fallback
+    let installed = false;
+    if ((0, node_fs_1.existsSync)(bareHook)) {
+        installed = (0, node_fs_1.readFileSync)(bareHook, "utf-8").includes(HOOK_MARKER);
+    }
+    return {
+        framework: "bare",
+        targetFile: bareHook,
+        alreadyInstalled: installed,
+    };
+}
+/** Render the diff that will be applied for the given framework, without
+ *  actually writing anything. Used by `dg init --dry-run` and the wizard's
+ *  "show me the change" prompt. */
+function previewHookInstall(info) {
+    if (info.alreadyInstalled) {
+        return `(already installed in ${info.targetFile} — no changes needed)`;
+    }
+    switch (info.framework) {
+        case "husky":
+            return `Will append to ${info.targetFile}:\n${HUSKY_SNIPPET}`;
+        case "lefthook":
+            return `Will add to ${info.targetFile}:\n\n${LEFTHOOK_ENTRY}`;
+        case "bare":
+            if ((0, node_fs_1.existsSync)(info.targetFile)) {
+                return `Will append to existing hook at ${info.targetFile}:\n${HOOK_SECTION}`;
+            }
+            return `Will create new hook at ${info.targetFile}:\n${HOOK_SCRIPT}`;
+    }
+}
+function installHuskyHook(targetFile) {
+    const existing = (0, node_fs_1.readFileSync)(targetFile, "utf-8");
+    if (existing.includes(HOOK_MARKER)) {
+        process.stderr.write("  Hook already installed in Husky.\n");
+        return;
+    }
+    (0, node_fs_1.writeFileSync)(targetFile, existing.trimEnd() + "\n" + HUSKY_SNIPPET);
+    // Husky hook files are executable; preserve that
+    try {
+        (0, node_fs_1.chmodSync)(targetFile, 0o755);
+    }
+    catch { /* ignore — chmod may fail on some FS */ }
+    process.stderr.write(`  Appended Dependency Guardian to ${targetFile}\n`);
+}
+function installLefthookHook(targetFile) {
+    const existing = (0, node_fs_1.readFileSync)(targetFile, "utf-8");
+    if (/^\s+dependency-guardian\s*:/m.test(existing)) {
+        process.stderr.write("  Hook already installed in lefthook.\n");
+        return;
+    }
+    // Lefthook config is YAML. We need to add a pre-commit.commands.dependency-guardian
+    // entry. The simplest approach: detect whether `pre-commit:` already exists at
+    // the top level and either append our command under it, or add the whole block.
+    let updated;
+    const preCommitMatch = existing.match(/^pre-commit\s*:\s*$/m);
+    if (preCommitMatch) {
+        // pre-commit: already exists. Insert our command under its commands: subkey.
+        // We assume there's a `commands:` key under it. If not, this is too complex
+        // to merge automatically and we error out so the user can do it manually.
+        if (/^\s{2}commands\s*:\s*$/m.test(existing)) {
+            // Insert under the existing commands: line.
+            updated = existing.replace(/^(\s{2}commands\s*:\s*)$/m, `$1\n    ${LEFTHOOK_MARKER}:\n      glob: "{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json}"\n      run: dg scan --mode block`);
+        }
+        else {
+            throw new Error(`Could not auto-merge into ${targetFile}: pre-commit: section exists but has no commands: subkey. ` +
+                `Add this manually under your pre-commit.commands:\n      ${LEFTHOOK_MARKER}:\n        glob: "{package-lock.json,...}"\n        run: dg scan --mode block`);
+        }
+    }
+    else {
+        // No pre-commit: section. Append the whole block.
+        updated = existing.trimEnd() + "\n\n" + LEFTHOOK_ENTRY;
+    }
+    (0, node_fs_1.writeFileSync)(targetFile, updated);
+    process.stderr.write(`  Added Dependency Guardian to ${targetFile}\n`);
+}
+function installBareHook(targetFile) {
+    const hooksDir = (0, node_path_1.dirname)(targetFile);
+    (0, node_fs_1.mkdirSync)(hooksDir, { recursive: true });
+    if ((0, node_fs_1.existsSync)(targetFile)) {
+        const existing = (0, node_fs_1.readFileSync)(targetFile, "utf-8");
+        if (existing.includes(HOOK_MARKER)) {
+            process.stderr.write("  Hook already installed.\n");
+            return;
+        }
+        (0, node_fs_1.writeFileSync)(targetFile, existing.trimEnd() + "\n" + HOOK_SECTION);
+        (0, node_fs_1.chmodSync)(targetFile, 0o755);
+        process.stderr.write(`  Appended Dependency Guardian hook to existing ${targetFile}\n`);
+        return;
+    }
+    (0, node_fs_1.writeFileSync)(targetFile, HOOK_SCRIPT);
+    (0, node_fs_1.chmodSync)(targetFile, 0o755);
+    process.stderr.write(`  Installed git pre-commit hook at ${targetFile}\n`);
+}
+/** Top-level installer that dispatches to the right framework-specific helper.
+ *  Reused by `dg hook install` and the new `dg init` command. */
+function installHookForFramework(info) {
+    switch (info.framework) {
+        case "husky":
+            installHuskyHook(info.targetFile);
+            return;
+        case "lefthook":
+            installLefthookHook(info.targetFile);
+            return;
+        case "bare":
+            installBareHook(info.targetFile);
+            return;
+    }
+}
+function installHook() {
+    const info = detectHookFramework();
+    installHookForFramework(info);
+}
+function uninstallHook() {
+    const gitDir = findGitDir();
+    const hookPath = (0, node_path_1.join)(gitDir, "hooks", "pre-commit");
+    // Try husky first
+    try {
+        const root = findRepoRoot();
+        const huskyPath = (0, node_path_1.join)(root, ".husky", "pre-commit");
+        if ((0, node_fs_1.existsSync)(huskyPath)) {
+            const content = (0, node_fs_1.readFileSync)(huskyPath, "utf-8");
+            if (content.includes(HOOK_MARKER)) {
+                const startIdx = content.indexOf(MARKER_START);
+                const endIdx = content.indexOf(MARKER_END);
+                if (startIdx !== -1 && endIdx !== -1) {
+                    const before = content.slice(0, startIdx).trimEnd();
+                    const after = content.slice(endIdx + MARKER_END.length).trimStart();
+                    const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
+                    (0, node_fs_1.writeFileSync)(huskyPath, remaining);
+                    process.stderr.write(`  Removed Dependency Guardian section from ${huskyPath}\n`);
+                    return;
+                }
+            }
+        }
+        // Try lefthook
+        for (const cfg of [(0, node_path_1.join)(root, "lefthook.yml"), (0, node_path_1.join)(root, "lefthook.yaml")]) {
+            if ((0, node_fs_1.existsSync)(cfg)) {
+                const content = (0, node_fs_1.readFileSync)(cfg, "utf-8");
+                if (/^\s+dependency-guardian\s*:/m.test(content)) {
+                    // Strip the dependency-guardian command block — match key + 2 indented lines
+                    const stripped = content.replace(/^\s+dependency-guardian\s*:\s*\n(?:\s{6,}.*\n)+/gm, "");
+                    (0, node_fs_1.writeFileSync)(cfg, stripped);
+                    process.stderr.write(`  Removed Dependency Guardian section from ${cfg}\n`);
+                    return;
+                }
+            }
+        }
+    }
+    catch { /* fall through to bare-hook handling */ }
+    if (!(0, node_fs_1.existsSync)(hookPath)) {
+        process.stderr.write("  No hook to remove.\n");
+        return;
+    }
+    const content = (0, node_fs_1.readFileSync)(hookPath, "utf-8");
+    if (!content.includes(HOOK_MARKER)) {
+        process.stderr.write("  No Dependency Guardian hook found in pre-commit.\n");
+        return;
+    }
+    // Check if the file is entirely the DG hook (starts with shebang + marker)
+    if (content.trimStart().startsWith("#!/bin/sh\n" + HOOK_MARKER)) {
+        (0, node_fs_1.unlinkSync)(hookPath);
+        process.stderr.write(`  Removed pre-commit hook at ${hookPath}\n`);
+        return;
+    }
+    // Strip the DG section from a combined hook
+    const startIdx = content.indexOf(MARKER_START);
+    const endIdx = content.indexOf(MARKER_END);
+    if (startIdx !== -1 && endIdx !== -1) {
+        const before = content.slice(0, startIdx).trimEnd();
+        const after = content.slice(endIdx + MARKER_END.length).trimStart();
+        const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
+        (0, node_fs_1.writeFileSync)(hookPath, remaining);
+        process.stderr.write(`  Removed Dependency Guardian section from ${hookPath}\n`);
+        return;
+    }
+    // Marker found but no start/end pair (standalone install)
+    (0, node_fs_1.unlinkSync)(hookPath);
+    process.stderr.write(`  Removed pre-commit hook at ${hookPath}\n`);
+}
+function handleHookCommand(args) {
+    const subcommand = args[0];
+    if (!subcommand || subcommand === "--help") {
+        process.stderr.write(USAGE);
+        return;
+    }
+    try {
+        if (subcommand === "install") {
+            installHook();
+        }
+        else if (subcommand === "uninstall") {
+            uninstallHook();
+        }
+        else {
+            process.stderr.write(`  Unknown hook command: ${subcommand}\n`);
+            process.stderr.write(USAGE);
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`  Error: ${msg}\n`);
+        process.exit(1);
+    }
+}