@westbayberry/dg 1.0.53 → 1.0.56

package/dist/packages/cli/src/bin.js

@@ -0,0 +1,386 @@
+#!/usr/bin/env node
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const telemetry_1 = require("./telemetry");
+const config_1 = require("./config");
+const npm_wrapper_1 = require("./npm-wrapper");
+const update_check_1 = require("./update-check");
+const CLI_VERSION = (0, config_1.getVersion)();
+(0, telemetry_1.initTelemetry)(CLI_VERSION);
+// tiny Levenshtein for "did you mean" — closest match within distance 3
+function closestCommand(input, commands) {
+    let best = "", bestDist = Infinity;
+    for (const cmd of commands) {
+        const m = input.length, n = cmd.length;
+        const dp = Array.from({ length: m + 1 }, () => new Array(n + 1));
+        for (let i = 0; i <= m; i++)
+            dp[i][0] = i;
+        for (let j = 0; j <= n; j++)
+            dp[0][j] = j;
+        for (let i = 1; i <= m; i++)
+            for (let j = 1; j <= n; j++)
+                dp[i][j] = input[i - 1] === cmd[j - 1]
+                    ? dp[i - 1][j - 1]
+                    : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+        if (dp[m][n] < bestDist) {
+            bestDist = dp[m][n];
+            best = cmd;
+        }
+    }
+    return bestDist <= 3 ? best : null;
+}
+const alt_screen_1 = require("./alt-screen");
+process.on("SIGINT", () => {
+    (0, alt_screen_1.leaveAltScreen)();
+    process.stderr.write("\n");
+    process.exit(130);
+});
+process.on("SIGTERM", () => {
+    (0, alt_screen_1.leaveAltScreen)();
+    process.exit(143);
+});
+const isInteractive = process.stdout.isTTY === true &&
+    !process.env.CI &&
+    !process.env.NO_COLOR;
+async function main() {
+    const rawCommand = process.argv[2];
+    // Help and version are positional commands first, with the conventional
+    // double-dash forms preserved as aliases since users WILL type --help.
+    if (!rawCommand ||
+        rawCommand === "help" ||
+        rawCommand === "--help" ||
+        rawCommand === "-h") {
+        const { USAGE } = await Promise.resolve().then(() => __importStar(require("./config")));
+        process.stdout.write(USAGE);
+        return;
+    }
+    if (rawCommand === "version" ||
+        rawCommand === "--version" ||
+        rawCommand === "-v") {
+        process.stdout.write(`dependency-guardian v${CLI_VERSION}\n`);
+        return;
+    }
+    // Reject unknown commands BEFORE the first-run wizard check. If the user
+    // made a typo they should see the correction immediately, not walk through
+    // a guided tour and THEN get told their command doesn't exist.
+    const KNOWN_COMMANDS = ["scan", "npm", "pip", "wrap", "login", "logout", "status", "hook", "update", "kitty", "help", "version"];
+    if (rawCommand && !rawCommand.startsWith("-") && !KNOWN_COMMANDS.includes(rawCommand)) {
+        const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+        const best = closestCommand(rawCommand, KNOWN_COMMANDS);
+        const hint = best ? ` Did you mean '${best}'?` : "";
+        process.stderr.write(`\n  ${chalk.bold.red("Error:")} Unknown command '${rawCommand}'.${hint}\n`);
+        process.stderr.write(chalk.dim(`  Run 'dg --help' for available commands.\n\n`));
+        process.exit(1);
+    }
+    // `dg kitty` — manually re-run the guided tour. The user can run this any
+    // time they want the cat back; it's the documented way to refresh on the
+    // commands or rerun setup after they've changed projects.
+    if (rawCommand === "kitty") {
+        if (isInteractive) {
+            const { render } = await Promise.resolve().then(() => __importStar(require("ink")));
+            const React = await Promise.resolve().then(() => __importStar(require("react")));
+            const { InitApp } = await Promise.resolve().then(() => __importStar(require("./ui/InitApp")));
+            (0, alt_screen_1.enterAltScreen)();
+            try {
+                const { waitUntilExit } = render(React.createElement(InitApp, { firstRun: true, returning: true }));
+                await waitUntilExit();
+            }
+            finally {
+                (0, alt_screen_1.leaveAltScreen)();
+            }
+            // Mark the sentinel so the auto-wizard doesn't fire on the next
+            // command if the user happened to run kitty before anything else.
+            try {
+                const { markFirstRunComplete } = await Promise.resolve().then(() => __importStar(require("./auth")));
+                markFirstRunComplete();
+            }
+            catch { /* best-effort */ }
+        }
+        else {
+            const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+            process.stderr.write(chalk.yellow("  dg kitty needs an interactive terminal.\n"));
+        }
+        return;
+    }
+    // First-run guided tour. On a fresh machine running any in-scope command,
+    // mounts the InitApp wizard at the `greet` phase and walks the user through
+    // setup before their original command runs. The helper owns the skip-list
+    // (update / logout / kitty / help / version / hook) and the TTY check;
+    // it's a no-op if the user has already seen the wizard or if we're in CI.
+    const { maybeOfferFirstRunWizard } = await Promise.resolve().then(() => __importStar(require("./first-run")));
+    await maybeOfferFirstRunWizard({ rawCommand, isInteractive });
+    if (rawCommand === "wrap") {
+        (0, npm_wrapper_1.handleWrapCommand)();
+        return;
+    }
+    if (rawCommand === "login") {
+        if (isInteractive) {
+            const { render } = await Promise.resolve().then(() => __importStar(require("ink")));
+            const React = await Promise.resolve().then(() => __importStar(require("react")));
+            const { LoginApp } = await Promise.resolve().then(() => __importStar(require("./ui/LoginApp")));
+            const { waitUntilExit } = render(React.createElement(LoginApp));
+            await waitUntilExit();
+        }
+        else {
+            const { runStaticLogin } = await Promise.resolve().then(() => __importStar(require("./static-output")));
+            await runStaticLogin();
+        }
+        return;
+    }
+    if (rawCommand === "status") {
+        const { getStoredApiKey } = await Promise.resolve().then(() => __importStar(require("./auth")));
+        const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+        const apiKey = getStoredApiKey();
+        if (!apiKey) {
+            process.stderr.write(chalk.yellow(`  Not authenticated.`) + chalk.dim(` Run \`dg login\` to sign in.\n`));
+            return;
+        }
+        process.stderr.write(chalk.green(`  Authenticated\n`));
+        try {
+            const { parseConfig } = await Promise.resolve().then(() => __importStar(require("./config")));
+            const config = parseConfig(process.argv, false);
+            const resp = await globalThis.fetch(`${config.apiUrl}/v1/auth/status`, {
+                headers: { "Authorization": `Bearer ${apiKey}` },
+            });
+            if (resp.ok) {
+                const data = await resp.json();
+                process.stderr.write(`  Tier: ${chalk.bold(data.tier)}  \u2502  Scans: ${data.scansUsed}/${data.scansLimit} this month\n`);
+            }
+            else if (resp.status === 401) {
+                process.stderr.write(chalk.yellow(`  Key invalid or expired. Run \`dg logout\` then \`dg login\`.\n`));
+            }
+        }
+        catch {
+            process.stderr.write(chalk.dim(`  Could not reach API.\n`));
+        }
+        return;
+    }
+    if (rawCommand === "hook") {
+        const { handleHookCommand } = await Promise.resolve().then(() => __importStar(require("./hook")));
+        handleHookCommand(process.argv.slice(3));
+        return;
+    }
+    if (rawCommand === "update") {
+        await (0, update_check_1.runUpdate)(CLI_VERSION);
+        return;
+    }
+    if (rawCommand === "logout") {
+        const { getStoredApiKey, clearCredentials } = await Promise.resolve().then(() => __importStar(require("./auth")));
+        const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+        const apiKey = getStoredApiKey();
+        if (apiKey) {
+            // Revoke the key server-side before deleting locally. Honor --api-url / DG_API_URL
+            // so self-hosted users don't leak test keys to production.
+            const { parseConfig } = await Promise.resolve().then(() => __importStar(require("./config")));
+            const config = parseConfig(process.argv, false);
+            try {
+                await fetch(`${config.apiUrl}/v1/auth/revoke`, {
+                    method: "POST",
+                    headers: { Authorization: `Bearer ${apiKey}` },
+                    signal: AbortSignal.timeout(5000),
+                });
+            }
+            catch { /* ignore — best-effort, still clear locally */ }
+        }
+        clearCredentials();
+        process.stderr.write(chalk.green("  Logged out.\n"));
+        return;
+    }
+    const strictFlags = rawCommand !== "npm" && rawCommand !== "pip";
+    const config = (0, config_1.parseConfig)(process.argv, strictFlags);
+    const updatePromise = (0, update_check_1.checkForUpdate)(CLI_VERSION).catch(() => null);
+    // Scan command: interactive TUI in TTY, static output for CI/pipes/--json
+    if (rawCommand !== "npm" && rawCommand !== "pip") {
+        if (config.json || !isInteractive) {
+            const { runStatic } = await Promise.resolve().then(() => __importStar(require("./static-output")));
+            await runStatic(config);
+        }
+        else {
+            if (config.mode === "off") {
+                const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+                process.stderr.write(chalk.dim("  Dependency Guardian: mode is off — skipping.\n"));
+                process.exit(0);
+            }
+            const { getStoredApiKey, maskKey } = await Promise.resolve().then(() => __importStar(require("./auth")));
+            const apiKey = getStoredApiKey();
+            let userStatus = "not signed in \u00b7 dg login";
+            let scanUsage = "free tier";
+            if (apiKey) {
+                try {
+                    const resp = await globalThis.fetch(`${config.apiUrl}/v1/auth/status`, {
+                        headers: { "Authorization": `Bearer ${apiKey}` },
+                        signal: AbortSignal.timeout(3000),
+                    });
+                    if (resp.ok) {
+                        const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+                        const data = await resp.json();
+                        const name = data.name || "authenticated";
+                        const tier = data.tier || "free";
+                        const tierColor = tier === "free" ? chalk.yellow(tier) : chalk.green(tier);
+                        userStatus = `${name} \u00b7 ${tierColor}`;
+                        if (data.scansLimit === null || data.scansLimit === undefined) {
+                            scanUsage = "unlimited scans";
+                        }
+                        else {
+                            const used = data.scansUsed ?? 0;
+                            const limit = data.scansLimit;
+                            const remaining = limit - used;
+                            scanUsage = `${remaining}/${limit} scans left`;
+                        }
+                    }
+                    else {
+                        userStatus = "key invalid \u00b7 dg login";
+                    }
+                }
+                catch {
+                    userStatus = maskKey(apiKey);
+                }
+            }
+            // Compute setup-incomplete state so the scan UI can surface a banner.
+            // Cheap (one fs check + one credential read) — fine to run every scan.
+            const { getSetupIssues } = await Promise.resolve().then(() => __importStar(require("./setup-status")));
+            const setupIssues = getSetupIssues(process.cwd());
+            const { render } = await Promise.resolve().then(() => __importStar(require("ink")));
+            const React = await Promise.resolve().then(() => __importStar(require("react")));
+            const { App } = await Promise.resolve().then(() => __importStar(require("./ui/App")));
+            const { waitUntilExit } = render(React.createElement(App, { config, userStatus, scanUsage, setupIssues }));
+            await waitUntilExit();
+        }
+        const updateMsg = await updatePromise;
+        if (updateMsg) {
+            const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+            process.stderr.write(chalk.dim(updateMsg));
+        }
+        return;
+    }
+    // npm/pip wrappers: use Ink for spinners when TTY, static otherwise
+    if (config.json || !isInteractive) {
+        if (rawCommand === "npm") {
+            const { runStaticNpm } = await Promise.resolve().then(() => __importStar(require("./static-output")));
+            await runStaticNpm(process.argv.slice(3), config);
+        }
+        else {
+            const { runStaticPip } = await Promise.resolve().then(() => __importStar(require("./static-output")));
+            await runStaticPip(process.argv.slice(3), config);
+        }
+        const updateMsg = await updatePromise;
+        if (updateMsg) {
+            const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+            process.stderr.write(chalk.dim(updateMsg));
+        }
+        return;
+    }
+    const { render } = await Promise.resolve().then(() => __importStar(require("ink")));
+    const React = await Promise.resolve().then(() => __importStar(require("react")));
+    if (rawCommand === "npm") {
+        const { NpmWrapperApp } = await Promise.resolve().then(() => __importStar(require("./ui/NpmWrapperApp")));
+        const { waitUntilExit } = render(React.createElement(NpmWrapperApp, { config, npmArgs: process.argv.slice(3) }));
+        await waitUntilExit();
+    }
+    else {
+        const { PipWrapperApp } = await Promise.resolve().then(() => __importStar(require("./ui/PipWrapperApp")));
+        const { waitUntilExit } = render(React.createElement(PipWrapperApp, { config, pipArgs: process.argv.slice(3) }));
+        await waitUntilExit();
+    }
+    const updateMsg = await updatePromise;
+    if (updateMsg) {
+        const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+        process.stderr.write(chalk.dim(updateMsg));
+    }
+}
+main().catch(async (err) => {
+    // Report to Sentry before exiting
+    let isAuthed = false;
+    try {
+        const { getStoredApiKey } = await Promise.resolve().then(() => __importStar(require("./auth")));
+        isAuthed = !!getStoredApiKey();
+    }
+    catch { /* ignore — best-effort */ }
+    // Version-floor errors from the server are expected operator behavior, not crashes —
+    // tag them so the alerting rule can filter them out.
+    const { ClientOutdatedError } = await Promise.resolve().then(() => __importStar(require("./api")));
+    if (err instanceof ClientOutdatedError) {
+        (0, telemetry_1.captureError)(err, {
+            command: process.argv[2] || "unknown",
+            nodeVersion: process.version,
+            cliVersion: CLI_VERSION,
+            authenticated: isAuthed,
+        });
+        await (0, telemetry_1.flush)();
+        const chalk = (await Promise.resolve().then(() => __importStar(require("chalk")))).default;
+        const color = err.securityRelease ? chalk.bold.red : chalk.yellow;
+        if (process.argv.includes("--json")) {
+            process.stdout.write(JSON.stringify({
+                error: true,
+                code: "client_outdated",
+                message: err.message,
+                minVersion: err.minVersion,
+                currentVersion: err.currentVersion,
+                securityRelease: err.securityRelease,
+                recovery: "Run `dg update` to install the required version.",
+            }, null, 2) + "\n");
+        }
+        else {
+            process.stderr.write(`\n  ${color(" Update required:")} ${err.message}\n` +
+                `  Run \`dg update\` to install ${err.minVersion} or newer.\n\n`);
+        }
+        process.exit(3);
+    }
+    (0, telemetry_1.captureError)(err, {
+        command: process.argv[2] || "unknown",
+        nodeVersion: process.version,
+        cliVersion: CLI_VERSION,
+        authenticated: isAuthed,
+    });
+    await (0, telemetry_1.flush)();
+    if (process.argv.includes("--json")) {
+        process.stdout.write(JSON.stringify({
+            error: true,
+            code: err.statusCode ? "api_error" : "internal_error",
+            message: err.message,
+        }, null, 2) + "\n");
+    }
+    else {
+        try {
+            const chalkMod = await Promise.resolve().then(() => __importStar(require("chalk")));
+            process.stderr.write(`\n  ${chalkMod.default.bold.red("Error:")} ${err.message}\n\n`);
+        }
+        catch {
+            process.stderr.write(`\n  Error: ${err.message}\n\n`);
+        }
+    }
+    process.exit(3);
+});

package/dist/packages/cli/src/config.js

@@ -0,0 +1,228 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.USAGE = void 0;
+exports.parseConfig = parseConfig;
+exports.getVersion = getVersion;
+const node_util_1 = require("node:util");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_url_1 = require("node:url");
+const node_os_1 = require("node:os");
+const auth_1 = require("./auth");
+function loadDgrc() {
+    // Load project-level config first, then home-level.
+    // SECURITY: apiKey and apiUrl are ONLY read from ~/ to prevent a malicious
+    // repo's .dgrc.json from redirecting credentials to an attacker's server.
+    const cwdPath = (0, node_path_1.join)(process.cwd(), ".dgrc.json");
+    const homePath = (0, node_path_1.join)((0, node_os_1.homedir)(), ".dgrc.json");
+    let config = {};
+    // Home config (trusted — may contain apiKey, apiUrl)
+    if ((0, node_fs_1.existsSync)(homePath)) {
+        try {
+            config = JSON.parse((0, node_fs_1.readFileSync)(homePath, "utf-8"));
+        }
+        catch {
+            process.stderr.write(`Warning: Failed to parse ${homePath}, ignoring.\n`);
+        }
+    }
+    // CWD config (untrusted — project settings only, no secrets)
+    if ((0, node_fs_1.existsSync)(cwdPath) && cwdPath !== homePath) {
+        try {
+            const cwd = JSON.parse((0, node_fs_1.readFileSync)(cwdPath, "utf-8"));
+            // Only merge non-sensitive keys from CWD config
+            const { apiKey: _k, apiUrl: _u, ...safeKeys } = cwd;
+            Object.assign(config, safeKeys);
+        }
+        catch {
+            process.stderr.write(`Warning: Failed to parse ${cwdPath}, ignoring.\n`);
+        }
+    }
+    return config;
+}
+const USAGE = `
+  Dependency Guardian — Supply chain security scanner
+
+  Usage:
+    dg scan [options]
+    dg npm install <pkg> [npm-flags]
+    dg pip install <pkg> [pip-flags]
+
+  Commands:
+    scan            Scan dependencies (auto-discovers npm + Python projects)
+    npm             Wrap npm commands — scans packages before installing
+    pip             Wrap pip commands — scans packages before installing
+    hook install    Install git pre-commit hook to scan lockfile changes
+    hook uninstall  Remove the pre-commit hook
+    login           Authenticate with your WestBayBerry account
+    logout          Remove saved credentials
+    status          Show auth + scan usage
+    update          Check for and install the latest version
+    wrap            Show instructions to alias npm to dg
+    kitty           Re-run the guided tour with the cat
+    help            Show this help message
+    version         Show version number
+
+  First-run setup runs automatically the first time you invoke any
+  command on a fresh machine — no need to remember a setup command.
+  Forgot something later? Run \`dg kitty\` for the tour again.
+
+  Options:
+    --api-url <url>          API base URL (default: https://api.westbayberry.com)
+    --mode <mode>            block | warn | off (default: warn)
+    --max-packages <n>       Max packages per scan (default: 10000)
+    --json                   Output JSON for CI parsing
+    --scan-all               Scan all packages (default)
+    --changed-only           Only scan packages changed since base lockfile
+    --base-lockfile <path>   Path to base lockfile for explicit diff
+    --workspace <dir>        Scan a specific workspace subdirectory
+    --output, -o <file>      Save JSON results to file (use with --json)
+    --debug                  Show diagnostic output (discovery, batches, timing)
+
+  Config File:
+    Place a .dgrc.json in your project root or home directory.
+    Precedence: CLI flags > env vars > .dgrc.json > defaults
+
+  Environment Variables:
+    DG_API_URL               API base URL
+    DG_MODE                  Mode (block/warn/off)
+    DG_DEBUG                 Enable debug output (set to 1)
+    DG_WORKSPACE             Workspace subdirectory to scan
+    DG_TELEMETRY=0           Disable anonymous error reporting
+
+  Exit Codes:
+    0  pass    — No risks detected
+    1  warn    — Risks detected (advisory)
+    2  block   — High-risk packages detected
+    3  error   — Internal error (API failure, config error)
+
+  Examples:
+    dg scan
+    dg scan --json
+    dg scan --scan-all --mode block
+    dg scan --base-lockfile ./main-lockfile.json
+    dg npm install express lodash
+    dg npm install @scope/pkg@^2.0.0
+    dg npm install risky-pkg --dg-force
+`.trimStart();
+exports.USAGE = USAGE;
+function validateApiUrl(url) {
+    try {
+        const parsed = new URL(url);
+        // Node's URL returns IPv6 hosts in bracketed form, e.g. "[::1]" — strip the brackets
+        // before range-matching so we can compare against the bare address.
+        const rawHost = parsed.hostname;
+        const host = rawHost.startsWith("[") && rawHost.endsWith("]")
+            ? rawHost.slice(1, -1)
+            : rawHost;
+        const isLocal = host === "localhost" ||
+            // IPv4: loopback, RFC 1918, CGNAT. Proper octet regex — not prefix matching,
+            // which would wrongly accept `192.1680.0.1` or `100.1.2.3` (public).
+            /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/.test(host) ||
+            // IPv6: loopback and unique local (fc00::/7 → fc** or fd**)
+            host === "::1" ||
+            /^f[cd][0-9a-f]{2}:/i.test(host);
+        if (parsed.protocol !== "https:" && !isLocal) {
+            process.stderr.write(`Error: API URL must use HTTPS (got ${parsed.protocol}). Use localhost for local testing.\n`);
+            process.exit(1);
+        }
+        return url;
+    }
+    catch {
+        process.stderr.write(`Error: Invalid API URL: ${url}\n`);
+        process.exit(1);
+    }
+}
+function getVersion() {
+    try {
+        const thisDir = (0, node_path_1.dirname)((0, node_url_1.fileURLToPath)(import.meta.url));
+        const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(thisDir, "..", "package.json"), "utf-8"));
+        return pkg.version ?? "1.0.0";
+    }
+    catch {
+        return "1.0.0";
+    }
+}
+function parseConfig(argv, strictFlags = true) {
+    let values;
+    let positionals;
+    try {
+        const parsed = (0, node_util_1.parseArgs)({
+            args: argv.slice(2),
+            options: {
+                "api-url": { type: "string" },
+                mode: { type: "string" },
+                "max-packages": { type: "string" },
+                json: { type: "boolean", default: false },
+                "scan-all": { type: "boolean", default: true },
+                "changed-only": { type: "boolean", default: false },
+                "base-lockfile": { type: "string" },
+                workspace: { type: "string", short: "w" },
+                output: { type: "string", short: "o" },
+                debug: { type: "boolean", default: false },
+                help: { type: "boolean", default: false },
+                version: { type: "boolean", default: false },
+                // Recognized but handled server-side via policy dashboard
+                "no-config": { type: "boolean", default: false },
+                allowlist: { type: "string" },
+                "block-threshold": { type: "string" },
+                "warn-threshold": { type: "string" },
+            },
+            allowPositionals: true,
+            strict: strictFlags,
+        });
+        values = parsed.values;
+        positionals = parsed.positionals;
+    }
+    catch (err) {
+        const raw = err instanceof Error ? err.message : String(err);
+        // Node's parseArgs error is verbose — extract just "Unknown option '--foo'"
+        const match = raw.match(/Unknown option '([^']+)'/);
+        const msg = match ? `Unknown option '${match[1]}'.` : raw;
+        process.stderr.write(`\n  Error: ${msg}\n`);
+        process.stderr.write(`  Run 'dg --help' for available options.\n\n`);
+        process.exit(1);
+    }
+    if (values.help) {
+        process.stdout.write(USAGE);
+        process.exit(0);
+    }
+    if (values.version) {
+        process.stdout.write(`dependency-guardian v${getVersion()}\n`);
+        process.exit(0);
+    }
+    const command = positionals[0] ?? "scan";
+    const dgrc = loadDgrc();
+    const apiKey = dgrc.apiKey && typeof dgrc.apiKey === "string" && dgrc.apiKey.startsWith("dg_live_") ? dgrc.apiKey : null;
+    const deviceId = (0, auth_1.getOrCreateDeviceId)();
+    const modeRaw = values.mode ??
+        process.env.DG_MODE ??
+        dgrc.mode ??
+        "warn";
+    if (!["block", "warn", "off"].includes(modeRaw)) {
+        process.stderr.write(`Error: Invalid mode "${modeRaw}". Must be block, warn, or off.\n`);
+        process.exit(1);
+    }
+    const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "10000");
+    const debug = values.debug || process.env.DG_DEBUG === "1";
+    if (isNaN(maxPackages) || maxPackages < 1 || maxPackages > 10000) {
+        process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
+        process.exit(1);
+    }
+    return {
+        apiKey,
+        deviceId,
+        apiUrl: validateApiUrl(values["api-url"] ??
+            process.env.DG_API_URL ??
+            dgrc.apiUrl ??
+            "https://api.westbayberry.com"),
+        mode: modeRaw,
+        maxPackages,
+        json: values.json,
+        scanAll: values["changed-only"] ? false : values["scan-all"],
+        baseLockfile: values["base-lockfile"] ?? null,
+        workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
+        outputFile: values.output ?? null,
+        command,
+        debug,
+    };
+}