npm - @westbayberry/dg - Versions diffs - 1.0.53 → 1.0.56 - Mend

@westbayberry/dg 1.0.53 → 1.0.56

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/README.md +5 -1
package/dist/index.mjs +249 -114
package/dist/packages/cli/src/alt-screen.js +36 -0
package/dist/packages/cli/src/api.js +322 -0
package/dist/packages/cli/src/auth.js +218 -0
package/dist/packages/cli/src/bin.js +386 -0
package/dist/packages/cli/src/config.js +228 -0
package/dist/packages/cli/src/discover.js +126 -0
package/dist/packages/cli/src/first-run.js +135 -0
package/dist/packages/cli/src/hook.js +360 -0
package/dist/packages/cli/src/lockfile.js +303 -0
package/dist/packages/cli/src/npm-wrapper.js +218 -0
package/dist/packages/cli/src/pip-wrapper.js +273 -0
package/dist/packages/cli/src/sanitize.js +38 -0
package/dist/packages/cli/src/scan-core.js +144 -0
package/dist/packages/cli/src/setup-status.js +46 -0
package/dist/packages/cli/src/static-output.js +625 -0
package/dist/packages/cli/src/telemetry.js +141 -0
package/dist/packages/cli/src/ui/App.js +137 -0
package/dist/packages/cli/src/ui/InitApp.js +391 -0
package/dist/packages/cli/src/ui/LoginApp.js +51 -0
package/dist/packages/cli/src/ui/NpmWrapperApp.js +73 -0
package/dist/packages/cli/src/ui/PipWrapperApp.js +72 -0
package/dist/packages/cli/src/ui/components/ConfirmPrompt.js +24 -0
package/dist/packages/cli/src/ui/components/DemoScanAnimation.js +26 -0
package/dist/packages/cli/src/ui/components/DurationLine.js +7 -0
package/dist/packages/cli/src/ui/components/ErrorView.js +30 -0
package/dist/packages/cli/src/ui/components/FileSavePrompt.js +210 -0
package/dist/packages/cli/src/ui/components/InteractiveResultsView.js +557 -0
package/dist/packages/cli/src/ui/components/Mascot.js +33 -0
package/dist/packages/cli/src/ui/components/ProgressBar.js +51 -0
package/dist/packages/cli/src/ui/components/ProgressDots.js +35 -0
package/dist/packages/cli/src/ui/components/ProjectSelector.js +60 -0
package/dist/packages/cli/src/ui/components/ResultsView.js +105 -0
package/dist/packages/cli/src/ui/components/ScanResultCard.js +54 -0
package/dist/packages/cli/src/ui/components/ScoreHeader.js +142 -0
package/dist/packages/cli/src/ui/components/SetupBanner.js +17 -0
package/dist/packages/cli/src/ui/components/Spinner.js +11 -0
package/dist/packages/cli/src/ui/hooks/useExpandAnimation.js +44 -0
package/dist/packages/cli/src/ui/hooks/useInit.js +341 -0
package/dist/packages/cli/src/ui/hooks/useLogin.js +121 -0
package/dist/packages/cli/src/ui/hooks/useNpmWrapper.js +192 -0
package/dist/packages/cli/src/ui/hooks/usePipWrapper.js +195 -0
package/dist/packages/cli/src/ui/hooks/useScan.js +202 -0
package/dist/packages/cli/src/ui/hooks/useTerminalSize.js +29 -0
package/dist/packages/cli/src/update-check.js +152 -0
package/dist/packages/cli/src/wizard-demo-data.js +63 -0
package/dist/src/ecosystem.js +2 -0
package/dist/src/lockfile/diff.js +38 -0
package/dist/src/lockfile/parse_package_json.js +41 -0
package/dist/src/lockfile/parse_package_lock.js +55 -0
package/dist/src/lockfile/parse_pipfile_lock.js +69 -0
package/dist/src/lockfile/parse_pnpm_lock.js +62 -0
package/dist/src/lockfile/parse_poetry_lock.js +71 -0
package/dist/src/lockfile/parse_requirements.js +83 -0
package/dist/src/lockfile/parse_yarn_lock.js +66 -0
package/dist/src/logger.js +21 -0
package/dist/src/npm/h2pool.js +161 -0
package/dist/src/npm/registry.js +299 -0
package/dist/src/npm/tarball.js +274 -0
package/dist/src/pypi/registry.js +299 -0
package/dist/src/pypi/tarball.js +361 -0
package/dist/src/types.js +2 -0
package/package.json +6 -3

package/dist/packages/cli/src/static-output.js ADDED Viewed

@@ -0,0 +1,625 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderResultStatic = renderResultStatic;
+exports.runStatic = runStatic;
+exports.runStaticNpm = runStaticNpm;
+exports.runStaticPip = runStaticPip;
+exports.runStaticLogin = runStaticLogin;
+const chalk_1 = __importDefault(require("chalk"));
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const api_1 = require("./api");
+const auth_1 = require("./auth");
+const lockfile_1 = require("./lockfile");
+const npm_wrapper_1 = require("./npm-wrapper");
+const pip_wrapper_1 = require("./pip-wrapper");
+// ── JSON output handling ────────────────────────────────────
+function writeJsonFile(filepath, json) {
+    const resolved = (0, node_path_1.resolve)(filepath);
+    try {
+        (0, node_fs_1.writeFileSync)(resolved, json + "\n");
+        process.stderr.write(chalk_1.default.green(`  \u2713 Saved to ${resolved}\n\n`));
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(chalk_1.default.red(`  Error saving file: ${msg}\n\n`));
+    }
+}
+async function handleJsonOutput(result, config) {
+    if (!config.json)
+        return false;
+    const json = JSON.stringify(result, null, 2);
+    // Explicit --output: save directly (works in any context)
+    if (config.outputFile) {
+        writeJsonFile(config.outputFile, json);
+        return true;
+    }
+    // Non-TTY (piped): raw JSON to stdout
+    if (!process.stdout.isTTY) {
+        process.stdout.write(json + "\n");
+        return true;
+    }
+    // TTY interactive: launch file save TUI
+    const localDate = new Date().toLocaleDateString("sv-SE");
+    const defaultName = `dg-scan-${localDate}`;
+    const { render } = await Promise.resolve().then(() => __importStar(require("ink")));
+    const React = await Promise.resolve().then(() => __importStar(require("react")));
+    const { FileSavePrompt } = await Promise.resolve().then(() => __importStar(require("./ui/components/FileSavePrompt")));
+    await new Promise((resolve) => {
+        const inkInstance = render(React.createElement(FileSavePrompt, {
+            defaultName,
+            directory: process.cwd(),
+            score: result.score,
+            action: result.action,
+            packageCount: result.packages.length,
+            json,
+            onSaved: (filepath) => {
+                inkInstance.unmount();
+                process.stderr.write(chalk_1.default.green(`  \u2713 Saved to ${filepath}\n\n`));
+                resolve();
+            },
+            onCancel: () => {
+                inkInstance.unmount();
+                process.stderr.write(chalk_1.default.dim("  Cancelled.\n\n"));
+                resolve();
+            },
+        }));
+    });
+    return true;
+}
+// ── Helpers ─────────────────────────────────────────────────
+function printTrialBanner(result) {
+    if (result.trialScansRemaining === undefined)
+        return;
+    process.stderr.write(chalk_1.default.dim(`  Free tier \u00b7 Run \`dg login\` for higher scan limits.\n`));
+}
+function handleTrialExhausted(error, jsonMode = false) {
+    if (error instanceof api_1.TrialExhaustedError) {
+        // Check if user has stored credentials — if so, their key is likely invalid
+        let hasKey = false;
+        try {
+            hasKey = !!(0, auth_1.getStoredApiKey)();
+        }
+        catch { /* ignore — best-effort */ }
+        const message = hasKey
+            ? "Your API key may be invalid or expired. Run `dg logout` then `dg login` to re-authenticate."
+            : "Monthly scan limit reached. Run `dg login` to create a free account for higher limits.";
+        if (jsonMode) {
+            process.stdout.write(JSON.stringify({
+                error: true,
+                code: "trial_exhausted",
+                message,
+                scansUsed: error.scansUsed,
+                maxScans: error.maxScans,
+            }, null, 2) + "\n");
+        }
+        else {
+            if (hasKey) {
+                process.stderr.write(chalk_1.default.yellow(`\n  ${message}\n\n`));
+            }
+            else {
+                process.stderr.write(chalk_1.default.yellow("\n  Monthly scan limit reached (1,000 scans/month on free tier).\n") +
+                    chalk_1.default.white("  Run `dg login` for higher limits, or upgrade at westbayberry.com/pricing\n\n"));
+            }
+        }
+        process.exit(1);
+        return true;
+    }
+    return false;
+}
+function actionColor(action) {
+    if (action === "block")
+        return chalk_1.default.red;
+    if (action === "warn")
+        return chalk_1.default.yellow;
+    return chalk_1.default.green;
+}
+function pad(s, len) {
+    return s + " ".repeat(Math.max(0, len - s.length));
+}
+function truncate(s, max) {
+    if (s.length <= max)
+        return s;
+    return s.slice(0, max - 1) + "\u2026";
+}
+function groupPackages(packages) {
+    const map = new Map();
+    for (const pkg of packages) {
+        const fingerprint = pkg.findings.length === 0
+            ? `__clean_${pkg.score}`
+            : pkg.findings
+                .map((f) => `${f.category ?? ""}:${f.severity}`)
+                .sort()
+                .join("|") + `|score:${pkg.score}`;
+        const group = map.get(fingerprint) ?? [];
+        group.push(pkg);
+        map.set(fingerprint, group);
+    }
+    return [...map.values()]
+        .map((pkgs) => ({ packages: pkgs, key: pkgs[0].name }))
+        .sort((a, b) => b.packages[0].score - a.packages[0].score);
+}
+function actionBadge(score) {
+    if (score >= 70)
+        return { label: "Block", color: chalk_1.default.red };
+    if (score >= 60)
+        return { label: "Warn", color: chalk_1.default.yellow };
+    return { label: "Pass", color: chalk_1.default.green };
+}
+function renderResultStatic(result, _config) {
+    const lines = [];
+    const actionStr = result.action.toUpperCase();
+    const colorAction = actionColor(result.action);
+    // Header
+    lines.push("");
+    lines.push(`  ${chalk_1.default.bold("Dependency Guardian")}`);
+    lines.push(`  Score: ${chalk_1.default.bold(String(result.score))}${" ".repeat(Math.max(1, 50 - String(result.score).length))}${colorAction(actionStr)}`);
+    lines.push("");
+    // Summary
+    const flagged = result.packages.filter((p) => p.score > 0);
+    const clean = result.packages.filter((p) => p.score === 0);
+    const total = result.packages.length;
+    if (flagged.length > 0) {
+        lines.push(`  ${total} package${total !== 1 ? "s" : ""} scanned ${chalk_1.default.dim("\u2502")} ${chalk_1.default.yellow(`${flagged.length} flagged`)} \u2502 ${chalk_1.default.green(`${clean.length} clean`)}`);
+    }
+    else {
+        lines.push(`  ${total} package${total !== 1 ? "s" : ""} scanned ${chalk_1.default.dim("\u2502")} ${chalk_1.default.green("all clean")}`);
+    }
+    // License summary
+    const licensedPkgs = result.packages.filter((p) => p.license);
+    const licenseIssues = licensedPkgs.filter((p) => p.license && p.license.riskCategory !== "permissive");
+    if (licenseIssues.length > 0) {
+        lines.push(`  ${chalk_1.default.dim("Licenses:")} ${chalk_1.default.yellow(`${licenseIssues.length} need review`)} \u2502 ${chalk_1.default.green(`${licensedPkgs.length - licenseIssues.length} permissive`)}`);
+    }
+    lines.push("");
+    if (total === 0) {
+        lines.push("  No packages to scan.");
+        lines.push("");
+        return lines.join("\n");
+    }
+    // Group flagged packages
+    const groups = groupPackages(flagged);
+    // Flagged packages table (only non-zero scores)
+    if (flagged.length > 0) {
+        lines.push(`  ${chalk_1.default.bold("Flagged Packages")}`);
+        lines.push(`  ${chalk_1.default.dim("\u2500".repeat(60))}`);
+        for (const group of groups) {
+            const rep = group.packages[0];
+            const { label, color } = actionBadge(rep.score);
+            const names = group.packages.length === 1
+                ? rep.name
+                : group.packages.length <= 3
+                    ? group.packages.map((p) => p.name).join(", ")
+                    : `${group.packages[0].name} + ${group.packages.length - 1} similar`;
+            const lcInfo = rep.license;
+            const lcStr = lcInfo ? truncate(lcInfo.spdx ?? lcInfo.raw ?? "", 14) : "";
+            const lcColor = !lcInfo ? chalk_1.default.dim
+                : lcInfo.riskCategory === "permissive" ? chalk_1.default.green
+                    : (lcInfo.riskCategory === "no-license" || lcInfo.riskCategory === "unlicensed" || lcInfo.riskCategory === "network-copyleft") ? chalk_1.default.red
+                        : chalk_1.default.yellow;
+            lines.push(`    ${color(pad(label, 7))}${chalk_1.default.bold(pad(truncate(names, 36), 38))}${lcColor(pad(lcStr, 16))}${chalk_1.default.dim(`score ${rep.score}`)}`);
+        }
+        lines.push("");
+    }
+    // Clean packages (collapsed to single line)
+    if (clean.length > 0) {
+        lines.push(`  ${chalk_1.default.green("\u2713")} ${chalk_1.default.dim(`${clean.length} package${clean.length !== 1 ? "s" : ""} passed with score 0`)}`);
+        lines.push("");
+    }
+    // Duration
+    if (result.durationMs) {
+        lines.push(`  ${chalk_1.default.dim(`Completed in ${(result.durationMs / 1000).toFixed(1)}s`)}`);
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+async function runStatic(config) {
+    const dbg = (msg) => {
+        if (config.debug)
+            process.stderr.write(chalk_1.default.dim(`  [debug] ${msg}\n`));
+    };
+    if (config.mode === "off") {
+        process.stderr.write(chalk_1.default.dim("  Dependency Guardian: mode is off — skipping.\n"));
+        process.exit(0);
+    }
+    dbg(`mode=${config.mode} max=${config.maxPackages}`);
+    dbg(`api=${config.apiUrl}`);
+    // Discover packages
+    process.stderr.write(chalk_1.default.dim("  Discovering package changes...\n"));
+    let discovery = (0, lockfile_1.discoverChanges)(process.cwd(), config);
+    dbg(`discovery method: ${discovery.method}`);
+    if (discovery.pythonPackages.length > 0) {
+        dbg(`python packages: ${discovery.pythonPackages.length}`);
+    }
+    if (discovery.packages.length === 0 && discovery.pythonPackages.length === 0) {
+        // Monorepo: auto-discover and scan all subprojects
+        const { discoverProjects } = await Promise.resolve().then(() => __importStar(require("./discover")));
+        const subProjects = discoverProjects(process.cwd());
+        if (subProjects.length === 0) {
+            process.stderr.write(chalk_1.default.dim("  No package changes detected.\n"));
+            process.exit(0);
+        }
+        const totalPkgs = subProjects.reduce((s, p) => s + p.packageCount, 0);
+        process.stderr.write(chalk_1.default.dim(`  Found ${subProjects.length} projects (${totalPkgs} packages total):\n`));
+        for (const proj of subProjects) {
+            process.stderr.write(chalk_1.default.dim(`    ${proj.ecosystem}  ${proj.relativePath} (${proj.packageCount})\n`));
+        }
+        process.stderr.write("\n");
+        // Scan each project and merge results
+        const allNpmPkgs = [];
+        const allPyPkgs = [];
+        const seen = new Set();
+        for (const proj of subProjects) {
+            try {
+                const projConfig = { ...config, workspace: proj.relativePath };
+                const projDisc = (0, lockfile_1.discoverChanges)(process.cwd(), projConfig);
+                for (const pkg of projDisc.packages) {
+                    const key = `${pkg.name}@${pkg.version}`;
+                    if (!seen.has(key)) {
+                        seen.add(key);
+                        allNpmPkgs.push(pkg);
+                    }
+                }
+                for (const pkg of projDisc.pythonPackages) {
+                    const key = `${pkg.name}@${pkg.version}`;
+                    if (!seen.has(key)) {
+                        seen.add(key);
+                        allPyPkgs.push(pkg);
+                    }
+                }
+            }
+            catch {
+                // Skip projects that fail to parse (e.g. corrupted lockfiles)
+            }
+        }
+        if (allNpmPkgs.length === 0 && allPyPkgs.length === 0) {
+            process.stderr.write(chalk_1.default.dim("  No package changes detected across projects.\n"));
+            process.exit(0);
+        }
+        // Replace discovery with merged results and fall through to normal scan path
+        discovery = {
+            packages: allNpmPkgs,
+            pythonPackages: allPyPkgs,
+            method: "scan-all",
+            skipped: [],
+        };
+    }
+    const packages = discovery.packages;
+    const totalToScan = packages.length + discovery.pythonPackages.length;
+    process.stderr.write(chalk_1.default.dim(`  Scanning ${totalToScan} package${totalToScan !== 1 ? "s" : ""}${discovery.pythonPackages.length > 0 ? ` (${packages.length} npm + ${discovery.pythonPackages.length} Python)` : ""} (${discovery.method})...\n`));
+    if (discovery.skipped.length > 0 && config.maxPackages < 10000) {
+        process.stderr.write(chalk_1.default.dim(`  Note: ${discovery.skipped.length} package(s) not scanned (--max-packages=${config.maxPackages})\n`));
+    }
+    dbg(`packages to scan: ${packages
+        .map((p) => `${p.name}@${p.version}`)
+        .slice(0, 10)
+        .join(", ")}${packages.length > 10 ? ` (+${packages.length - 10} more)` : ""}`);
+    // Call Detection API (npm)
+    let result;
+    try {
+        const startMs = Date.now();
+        if (packages.length > 0) {
+            result = await (0, api_1.callAnalyzeAPI)(packages, config, (done, total) => {
+                process.stderr.write(chalk_1.default.dim(`  Analyzed ${done}/${total}...\n`));
+            });
+        }
+        else {
+            result = { score: 0, action: "pass", packages: [], safeVersions: {}, durationMs: 0 };
+        }
+        // Scan Python packages if found
+        if (discovery.pythonPackages.length > 0) {
+            process.stderr.write(chalk_1.default.dim(`  Scanning ${discovery.pythonPackages.length} Python package${discovery.pythonPackages.length !== 1 ? "s" : ""}...\n`));
+            const pyResult = await (0, api_1.callPyPIAnalyzeAPI)(discovery.pythonPackages, config);
+            // Merge Python results into npm results
+            result.packages.push(...pyResult.packages);
+            result.score = Math.max(result.score, pyResult.score);
+            if (pyResult.action === "block" || (pyResult.action === "warn" && result.action === "pass")) {
+                result.action = pyResult.action;
+            }
+            if (pyResult.trialScansRemaining !== undefined) {
+                result.trialScansRemaining = pyResult.trialScansRemaining;
+            }
+        }
+        dbg(`API responded in ${Date.now() - startMs}ms, action=${result.action}, score=${result.score}`);
+    }
+    catch (error) {
+        if (handleTrialExhausted(error, config.json))
+            return;
+        throw error;
+    }
+    // Handle JSON output (interactive prompt, pipe, or --output)
+    const jsonHandled = await handleJsonOutput(result, config);
+    if (jsonHandled) {
+        printTrialBanner(result);
+        if (result.action === "block" && config.mode === "block")
+            process.exit(2);
+        else if (result.action === "block" || result.action === "warn")
+            process.exit(1);
+        process.exit(0);
+    }
+    // Render human-readable output
+    const output = renderResultStatic(result, config);
+    process.stdout.write(output + "\n");
+    printTrialBanner(result);
+    // Exit code
+    if (result.action === "block" && config.mode === "block") {
+        process.exit(2);
+    }
+    else if (result.action === "block" || result.action === "warn") {
+        process.exit(1);
+    }
+    process.exit(0);
+}
+async function runStaticNpm(npmArgs, config) {
+    const parsed = (0, npm_wrapper_1.parseNpmArgs)(npmArgs);
+    // Non-install commands: pass through directly
+    if (!parsed.shouldScan) {
+        const code = await (0, npm_wrapper_1.runNpm)(parsed.rawArgs);
+        process.exit(code);
+    }
+    // No packages specified (e.g. bare `npm install` from package.json)
+    if (parsed.packages.length === 0) {
+        const bareSpecs = (0, npm_wrapper_1.readBareInstallPackages)(process.cwd());
+        if (bareSpecs.length === 0) {
+            process.stderr.write(chalk_1.default.dim("  Dependency Guardian: no packages to scan, passing through to npm.\n"));
+            const code = await (0, npm_wrapper_1.runNpm)(parsed.rawArgs);
+            process.exit(code);
+        }
+        process.stderr.write(chalk_1.default.dim(`  Resolving ${bareSpecs.length} package${bareSpecs.length !== 1 ? "s" : ""} from package.json...\n`));
+        const { resolved, failed } = await (0, npm_wrapper_1.resolvePackages)(bareSpecs);
+        if (failed.length > 0 && config.debug) {
+            process.stderr.write(chalk_1.default.dim(`  [debug] Could not resolve: ${failed
+                .slice(0, 5)
+                .join(", ")}${failed.length > 5 ? ` (+${failed.length - 5} more)` : ""}\n`));
+        }
+        return scanAndInstallStatic(resolved, parsed, config);
+    }
+    // Resolve versions
+    process.stderr.write(chalk_1.default.dim(`  Resolving ${parsed.packages.length} package${parsed.packages.length !== 1 ? "s" : ""}...\n`));
+    const { resolved, failed } = await (0, npm_wrapper_1.resolvePackages)(parsed.packages);
+    if (failed.length > 0) {
+        process.stderr.write(chalk_1.default.yellow(`  Warning: Could not resolve versions for: ${failed.join(", ")}\n`));
+    }
+    if (resolved.length === 0) {
+        process.stderr.write(chalk_1.default.dim("  No packages to scan. Passing through to npm.\n"));
+        const code = await (0, npm_wrapper_1.runNpm)(parsed.rawArgs);
+        process.exit(code);
+    }
+    return scanAndInstallStatic(resolved, parsed, config);
+}
+async function scanAndInstallStatic(resolved, parsed, config) {
+    // Scan
+    process.stderr.write(chalk_1.default.dim(`  Scanning ${resolved.length} package${resolved.length !== 1 ? "s" : ""}...\n`));
+    let result;
+    try {
+        const startMs = Date.now();
+        result = await (0, api_1.callAnalyzeAPI)(resolved, config);
+        const elapsed = Date.now() - startMs;
+        if (config.debug) {
+            process.stderr.write(chalk_1.default.dim(`  [debug] API responded in ${elapsed}ms, action=${result.action}, score=${result.score}\n`));
+        }
+    }
+    catch (error) {
+        if (handleTrialExhausted(error, config.json))
+            return;
+        // API unavailable — warn and proceed
+        const msg = error instanceof Error ? error.message : String(error);
+        process.stderr.write(chalk_1.default.yellow(`  Warning: Scan failed (${msg}). Proceeding with install.\n`));
+        const code = await (0, npm_wrapper_1.runNpm)(parsed.rawArgs);
+        process.exit(code);
+        return;
+    }
+    // Handle result
+    if (result.action === "pass") {
+        process.stderr.write(chalk_1.default.green(`  ${chalk_1.default.bold("\u2713")} ${resolved.length} package${resolved.length !== 1 ? "s" : ""} scanned \u2014 all clear\n`));
+        printTrialBanner(result);
+        process.stderr.write("\n");
+        const code = await (0, npm_wrapper_1.runNpm)(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Render findings
+    const output = renderResultStatic(result, config);
+    process.stdout.write(output + "\n");
+    printTrialBanner(result);
+    if (result.action === "warn") {
+        process.stderr.write(chalk_1.default.yellow("  Warnings detected. Proceeding with install.\n\n"));
+        const code = await (0, npm_wrapper_1.runNpm)(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Block
+    if (result.action === "block") {
+        if (parsed.dgForce) {
+            process.stderr.write(chalk_1.default.yellow(chalk_1.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
+            const code = await (0, npm_wrapper_1.runNpm)(parsed.rawArgs);
+            process.exit(code);
+        }
+        process.stderr.write(chalk_1.default.red(chalk_1.default.bold("  BLOCKED: ")) +
+            chalk_1.default.red("High-risk packages detected. Install aborted.\n"));
+        process.stderr.write(chalk_1.default.dim("  Use --dg-force to bypass this check.\n\n"));
+        process.exit(2);
+    }
+}
+async function runStaticPip(pipArgs, config) {
+    const parsed = (0, pip_wrapper_1.parsePipArgs)(pipArgs);
+    // Non-install commands: pass through directly
+    if (!parsed.shouldScan) {
+        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Collect package specs
+    let specs = parsed.packages;
+    if (specs.length === 0 && parsed.requirementsFile) {
+        specs = (0, pip_wrapper_1.parseRequirementsFile)(parsed.requirementsFile);
+    }
+    if (specs.length === 0) {
+        process.stderr.write(chalk_1.default.dim("  Dependency Guardian: no packages to scan, passing through to pip.\n"));
+        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Resolve versions via PyPI API
+    process.stderr.write(chalk_1.default.dim(`  Resolving ${specs.length} package${specs.length !== 1 ? "s" : ""} from PyPI...\n`));
+    const { resolved, failed } = await (0, pip_wrapper_1.resolvePackages)(specs);
+    if (failed.length > 0) {
+        process.stderr.write(chalk_1.default.yellow(`  Warning: Could not resolve versions for: ${failed.join(", ")}\n`));
+    }
+    if (resolved.length === 0) {
+        process.stderr.write(chalk_1.default.dim("  No packages to scan. Passing through to pip.\n"));
+        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+        process.exit(code);
+    }
+    // Scan
+    process.stderr.write(chalk_1.default.dim(`  Scanning ${resolved.length} Python package${resolved.length !== 1 ? "s" : ""}...\n`));
+    let result;
+    try {
+        result = await (0, api_1.callPyPIAnalyzeAPI)(resolved, config);
+    }
+    catch (error) {
+        if (handleTrialExhausted(error, config.json))
+            return;
+        const msg = error instanceof Error ? error.message : String(error);
+        process.stderr.write(chalk_1.default.yellow(`  Warning: Scan failed (${msg}). Proceeding with install.\n`));
+        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+        process.exit(code);
+        return;
+    }
+    // Handle result
+    if (result.action === "pass") {
+        process.stderr.write(chalk_1.default.green(`  ${chalk_1.default.bold("\u2713")} ${resolved.length} package${resolved.length !== 1 ? "s" : ""} scanned \u2014 all clear\n`));
+        printTrialBanner(result);
+        process.stderr.write("\n");
+        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+        process.exit(code);
+    }
+    const output = renderResultStatic(result, config);
+    process.stdout.write(output + "\n");
+    printTrialBanner(result);
+    if (result.action === "warn") {
+        process.stderr.write(chalk_1.default.yellow("  Warnings detected. Proceeding with install.\n\n"));
+        const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+        process.exit(code);
+    }
+    if (result.action === "block") {
+        if (parsed.dgForce) {
+            process.stderr.write(chalk_1.default.yellow(chalk_1.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
+            const code = await (0, pip_wrapper_1.runPip)(parsed.rawArgs);
+            process.exit(code);
+        }
+        process.stderr.write(chalk_1.default.red(chalk_1.default.bold("  BLOCKED: ")) +
+            chalk_1.default.red("High-risk packages detected. Install aborted.\n"));
+        process.stderr.write(chalk_1.default.dim("  Use --dg-force to bypass this check.\n\n"));
+        process.exit(2);
+    }
+}
+async function runStaticLogin() {
+    const { createAuthSession, pollAuthSession, saveCredentials, openBrowser, getStoredApiKey, } = await Promise.resolve().then(() => __importStar(require("./auth")));
+    const apiUrl = process.env.DG_API_URL || "https://api.westbayberry.com";
+    // Check if already logged in with a valid key
+    const existing = getStoredApiKey();
+    if (existing) {
+        // Verify the key is still valid on the server
+        try {
+            const resp = await fetch(`${apiUrl}/v1/auth/status`, {
+                headers: { Authorization: `Bearer ${existing}` },
+                signal: AbortSignal.timeout(5000),
+            });
+            if (resp.ok) {
+                process.stderr.write(chalk_1.default.yellow("  Already authenticated.\n") +
+                    chalk_1.default.dim("  Run `dg logout` first to re-authenticate.\n"));
+                return;
+            }
+        }
+        catch { }
+        // Key is invalid — clear it and proceed with fresh login
+        process.stderr.write(chalk_1.default.dim("  Stored key is invalid. Starting fresh login...\n"));
+        saveCredentials("");
+    }
+    process.stderr.write(chalk_1.default.dim("  Creating login session...\n"));
+    let session;
+    try {
+        session = await createAuthSession();
+    }
+    catch (err) {
+        process.stderr.write(chalk_1.default.red(`  Error: ${err instanceof Error ? err.message : String(err)}\n`));
+        process.exit(1);
+    }
+    process.stderr.write(`\n  Authenticate your account at:\n`);
+    process.stderr.write(`  ${chalk_1.default.cyan(session.verifyUrl)}\n\n`);
+    process.stderr.write(chalk_1.default.dim("  Press ENTER to open in the browser...\n"));
+    await new Promise((resolve) => {
+        const onData = () => {
+            process.stdin.removeListener("data", onData);
+            if (process.stdin.unref)
+                process.stdin.unref();
+            resolve();
+        };
+        process.stdin.setEncoding("utf-8");
+        process.stdin.resume();
+        process.stdin.on("data", onData);
+    });
+    try {
+        openBrowser(session.verifyUrl);
+    }
+    catch {
+        // Browser open is best-effort
+    }
+    process.stderr.write(chalk_1.default.dim("  Waiting for authorization...\n"));
+    const POLL_INTERVAL = 2000;
+    const MAX_ATTEMPTS = 150;
+    for (let i = 0; i < MAX_ATTEMPTS; i++) {
+        await new Promise((r) => setTimeout(r, POLL_INTERVAL));
+        try {
+            const result = await pollAuthSession(session.sessionId);
+            if (result.status === "complete" && result.apiKey) {
+                saveCredentials(result.apiKey);
+                process.stderr.write(chalk_1.default.green(`\n  Logged in as ${result.email ?? "unknown"}\n`) +
+                    chalk_1.default.dim("  Credentials saved.\n\n"));
+                return;
+            }
+            if (result.status === "expired") {
+                process.stderr.write(chalk_1.default.yellow("\n  Session expired. Run `dg login` to try again.\n"));
+                process.exit(1);
+            }
+        }
+        catch {
+            // Transient network error — continue polling
+        }
+    }
+    process.stderr.write(chalk_1.default.yellow("\n  Timed out waiting for authorization.\n"));
+    process.exit(1);
+}