@westbayberry/dg 1.0.58 → 1.0.60

package/dist/index.mjs

@@ -29172,6 +29172,8 @@ var init_esm5 = __esm({
     init_logger();
     init_instrument();
     init_sdk();
+    init_onuncaughtexception();
+    init_onunhandledrejection();
     init_addOriginToSpan();
     init_getRequestUrl();
     init_nodeVersion();
@@ -46144,6 +46146,7 @@ var init_esm6 = __esm({
   "node_modules/@sentry/node/build/esm/index.js"() {
     init_sdk2();
     init_esm3();
+    init_esm5();
   }
 });
 
@@ -46158,6 +46161,18 @@ function initTelemetry(version) {
       // TODO: reduce sample rate when CLI usage exceeds ~10k DAU
       sampleRate: 1,
       sendDefaultPii: false,
+      // Sentry's default Node integrations patch `fs`, which collides
+      // with node-sqlite3-wasm's NODEFS layer — every Database open
+      // returned "unable to open database file" and the local scan
+      // cache stayed empty (0 rows even after thousands of scans).
+      // Opt out of the default integrations entirely; we keep crash +
+      // unhandled-rejection reporting via the two explicit integrations
+      // below, which don't touch fs.
+      defaultIntegrations: false,
+      integrations: [
+        onUncaughtExceptionIntegration({ exitEvenIfOtherHandlersAreRegistered: false }),
+        onUnhandledRejectionIntegration()
+      ],
       beforeSend(event) {
         if (event.exception?.values?.some(
           (ex) => ex.value && /\.(invalid|test|example|localhost)\b/i.test(ex.value)
@@ -47020,6 +47035,20 @@ var init_config = __esm({
 });
 
 // src/commands/npm-wrapper.ts
+var npm_wrapper_exports = {};
+__export(npm_wrapper_exports, {
+  handleWrapCommand: () => handleWrapCommand,
+  parseNpmArgs: () => parseNpmArgs,
+  parsePackageSpec: () => parsePackageSpec,
+  pinTopLevelArgs: () => pinTopLevelArgs,
+  readBareInstallPackages: () => readBareInstallPackages,
+  readBareInstallPackagesTyped: () => readBareInstallPackagesTyped,
+  readLockfilePins: () => readLockfilePins,
+  resolvePackages: () => resolvePackages,
+  resolveTreeNpm: () => resolveTreeNpm,
+  resolveVersion: () => resolveVersion,
+  runNpm: () => runNpm
+});
 import { spawn as spawn2 } from "node:child_process";
 import { readFileSync as readFileSync4, existsSync as existsSync4, mkdtempSync, writeFileSync as writeFileSync2, rmSync } from "node:fs";
 import { join as join6 } from "node:path";
@@ -84502,7 +84531,9 @@ var init_local_cache = __esm({
 // src/api/client.ts
 var client_exports = {};
 __export(client_exports, {
+  ANON_BATCH_SIZE: () => ANON_BATCH_SIZE,
   APIError: () => APIError,
+  BATCH_SIZE: () => BATCH_SIZE,
   ClientOutdatedError: () => ClientOutdatedError,
   TrialExhaustedError: () => TrialExhaustedError,
   callAnalyzeAPI: () => callAnalyzeAPI,
@@ -85073,8 +85104,8 @@ var init_client3 = __esm({
         this.name = "ClientOutdatedError";
       }
     };
-    BATCH_SIZE = 200;
-    ANON_BATCH_SIZE = 200;
+    BATCH_SIZE = 50;
+    ANON_BATCH_SIZE = 50;
     MAX_RETRIES = 2;
     RETRY_DELAY_MS = 5e3;
     DEFAULT_BATCH_CONCURRENCY = 4;
@@ -85129,6 +85160,19 @@ async function scanProjectAtPath(cwd2, config3, onProgress) {
       cumulativeDone += pyPackages.length;
     }
     const allPackages = responses.flatMap((r) => r.packages);
+    if (allPackages.length === 0) {
+      const elapsed = elapsedMs();
+      return {
+        status: "api_returned_empty",
+        result: {
+          result: { score: 0, action: "pass", packages: [], safeVersions: {}, durationMs: elapsed },
+          durationMs: elapsed,
+          scannedCount: 0,
+          skippedCount: discovery.skipped?.length ?? 0
+        },
+        message: `Analyze API returned 0 results for ${totalDiscovered} discovered packages (npm: ${npmPackages.length}, pypi: ${pyPackages.length}). This is not a 'nothing to scan' state \u2014 the API call succeeded but returned an empty packages list. Check API status and re-run.`
+      };
+    }
     const maxScore = allPackages.length > 0 ? Math.max(0, ...allPackages.map((p) => p.score)) : 0;
     const anyIncomplete = responses.some((r) => r.action === "analysis_incomplete") || allPackages.some((p) => Array.isArray(p.findings) && p.findings.some((f) => f?.id === "analysis_incomplete"));
     const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
@@ -85578,12 +85622,24 @@ var init_protect = __esm({
 #   echo 'source ~/.dependency-guardian/aliases.sh' >> ~/.zshrc   # or ~/.bashrc
 # To turn it off, remove that line.
 
-# Only alias if dg is on PATH (avoids breaking the shell when dg is uninstalled).
-if command -v dg >/dev/null 2>&1; then
+# Only alias if a real dg binary is on PATH.
+#
+# We use \`type -p\` (bash + zsh) rather than POSIX \`command -v\`
+# because command -v ALSO returns true for shell functions and
+# aliases. If your rc defines a wrapper function like
+#   dg() { ... command dg "$@"; }
+# command -v passes even when the dg binary isn't installed \u2014 and
+# the npm alias below then rewrites every \`npm install\` into a
+# command that fails silently. type -p returns ONLY the path of
+# an external executable, so this check is honest about whether
+# dg is actually reachable.
+__dg_bin=$(type -p dg 2>/dev/null)
+if [ -n "$__dg_bin" ] && [ -x "$__dg_bin" ]; then
   alias npm='dg npm'
   alias pip='dg pip'
   alias pip3='dg pip'
 fi
+unset __dg_bin
 `;
     USAGE3 = `
   dg protect \u2014 opt-in low-friction protection for a project
@@ -86003,18 +86059,26 @@ function useInit(opts = {}) {
       const maxScore = allPackages.length > 0 ? Math.max(0, ...allPackages.map((p) => p.score)) : 0;
       const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : "pass";
       if (totalScanned === 0) {
-        dispatch({
-          type: "scan_done",
-          outcome: {
-            status: "no_packages",
-            result: {
-              result: { score: 0, action: "pass", packages: [], safeVersions: {}, durationMs: totalDuration },
-              durationMs: totalDuration,
-              scannedCount: 0,
-              skippedCount: 0
+        const errOutcome = allOutcomes.find((o) => o.status === "error");
+        const emptyApiOutcome = allOutcomes.find((o) => o.status === "api_returned_empty");
+        const trialOutcome = allOutcomes.find((o) => o.status === "trial_exhausted");
+        const meaningful = errOutcome ?? emptyApiOutcome ?? trialOutcome;
+        if (meaningful) {
+          dispatch({ type: "scan_done", outcome: meaningful });
+        } else {
+          dispatch({
+            type: "scan_done",
+            outcome: {
+              status: "no_packages",
+              result: {
+                result: { score: 0, action: "pass", packages: [], safeVersions: {}, durationMs: totalDuration },
+                durationMs: totalDuration,
+                scannedCount: 0,
+                skippedCount: 0
+              }
             }
-          }
-        });
+          });
+        }
       } else {
         dispatch({
           type: "scan_done",
@@ -89096,6 +89160,12 @@ var init_ScanResultCard = __esm({
           score = 0;
           packages = [];
           extraNote = "Nothing to scan yet. I'll catch new packages as you add them.";
+        } else if (o.status === "api_returned_empty") {
+          verdict = "EMPTY";
+          verdictColor = "yellow";
+          score = 0;
+          packages = [];
+          extraNote = o.message ?? "Analyze API returned no results for discovered packages.";
         } else if (o.status === "trial_exhausted") {
           verdict = "EMPTY";
           verdictColor = "yellow";
@@ -89848,6 +89918,7 @@ var init_InitApp = __esm({
           return "happy";
         }
         if (r.status === "no_packages") return "happy";
+        if (r.status === "api_returned_empty") return "alert";
         return "idle";
       })();
       const content = (() => {
@@ -90258,6 +90329,7 @@ var init_InitApp = __esm({
             const r = state.scanResult;
             const okScan = r?.status === "ok" && r.result;
             const empty = r?.status === "no_packages";
+            const apiEmpty = r?.status === "api_returned_empty";
             const resultBody = [
               /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, children: "Scan complete." }, "hdr"),
               /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }, "sp1"),
@@ -90265,6 +90337,10 @@ var init_InitApp = __esm({
                 "I scanned ",
                 /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, color: "cyan", children: projectName }),
                 "."
+              ] }, "line") : apiEmpty ? /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Text, { children: [
+                "I found packages in ",
+                /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, color: "cyan", children: projectName }),
+                " but the analyze API returned nothing back. This is a server-side problem, not your project."
               ] }, "line") : empty ? /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Text, { children: [
                 "I didn't find any packages to scan in ",
                 /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, color: "cyan", children: projectName }),
@@ -90276,6 +90352,13 @@ var init_InitApp = __esm({
               ] }, "line"),
               /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }, "sp2")
             ];
+            if (apiEmpty && r?.message) {
+              resultBody.push(
+                /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { color: "yellow", children: r.message }, "api-empty-detail")
+              );
+              resultBody.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { dimColor: true, children: "Check westbayberry.com/status and re-run." }, "api-empty-hint"));
+              resultBody.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }, "api-empty-sp"));
+            }
             if (state.scanResult) {
               resultBody.push(
                 /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(ScanResultCard, { maxWidth: cardMaxWidth, outcome: { kind: "real", outcome: state.scanResult } }, "card")
@@ -90618,6 +90701,8 @@ var init_InitApp = __esm({
                   scan.result?.durationMs ?? 0,
                   "ms)"
                 ] }, "scan-empty"));
+              } else if (scan.status === "api_returned_empty") {
+                scanLine.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { color: "yellow", children: "\u26A0 Analyze API returned no results \u2014 try again or check status" }, "scan-api-empty"));
               } else if (scan.status === "trial_exhausted") {
                 scanLine.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { color: "yellow", children: "\u26A0 Free trial scans used up \u2014 `dg login` to continue" }, "scan-trial"));
               } else if (scan.status === "error") {
@@ -97238,7 +97323,15 @@ async function main() {
   const strictFlags = rawCommand !== "npm" && rawCommand !== "pip";
   const config3 = parseConfig(process.argv, strictFlags);
   const updatePromise = checkForUpdate(CLI_VERSION).catch(() => null);
-  if (rawCommand === "scan" || rawCommand === "npm" || rawCommand === "pip") {
+  let needsTermsGate = rawCommand === "scan";
+  if (rawCommand === "npm") {
+    const { parseNpmArgs: parseNpmArgs2 } = await Promise.resolve().then(() => (init_npm_wrapper(), npm_wrapper_exports));
+    needsTermsGate = parseNpmArgs2(process.argv.slice(3)).shouldScan;
+  } else if (rawCommand === "pip") {
+    const { parsePipArgs: parsePipArgs2 } = await Promise.resolve().then(() => (init_pip_wrapper(), pip_wrapper_exports));
+    needsTermsGate = parsePipArgs2(process.argv.slice(3)).shouldScan;
+  }
+  if (needsTermsGate) {
     const { gateOrExit: gateOrExit2 } = await Promise.resolve().then(() => (init_terms_gate(), terms_gate_exports));
     await gateOrExit2();
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@westbayberry/dg",
-  "version": "1.0.58",
+  "version": "1.0.60",
   "description": "Supply chain security scanner for npm and Python dependencies — 35 behavioral detectors catch zero-day attacks CVE databases miss. 99.66% catch rate on 155K packages.",
   "bin": {
     "dependency-guardian": "dist/index.mjs",

package/README.md

@@ -1,129 +0,0 @@
-# @westbayberry/dg
-
-Behavioral supply chain security for npm and Python. Reads what packages
-actually do — install hooks, credential access, network exfiltration,
-obfuscation — and gates risky installs before they touch your machine.
-
-**53 detectors · 95.20% npm / 93.88% PyPI catch rate on 17,874 packages · 0.44% npm / 0.29% PyPI FPR** —
-[published methodology](https://westbayberry.com/benchmark).
-
-## What `dg` actually does
-
-| Surface | What it does | Default mode |
-|---|---|---|
-| `dg npm install <pkg>` | Resolves the full dependency tree (top-level + transitive) without running install scripts, scans every package, then invokes the real `npm install` only if the verdict permits. Top-level versions are pinned to the exact version we scanned. Bare `dg npm install` honors `package-lock.json` pinned versions. | **block** |
-| `dg pip install <pkg>` | Resolves the full pip tree via `pip install --dry-run --report=-` (pip ≥ 23.0); scans the full set before invoking real `pip install`. On older pip, transitive scan is reported as unavailable and (in block mode) the install is refused. | **block** |
-| `dg scan` | Read-only audit. Diffs lockfiles and reports findings. Does **not** block anything by default. | warn |
-| `dg hook install` | Adds a pre-commit hook that runs `dg scan --mode block` when a lockfile change is staged. Quiet when nothing is wrong. | block |
-
-For maximum protection in CI/build pipelines, add `--strict` to the install
-wrapper. `--strict` implies `--dg-no-scripts` and refuses any partial-coverage
-scan (transitive enumeration must succeed).
-
-DG only activates when you intentionally invoke it, install the hook, or
-run it in CI. It does not globally hijack `npm`/`pip`.
-
-## Install
-
-```bash
-npm install -g @westbayberry/dg
-```
-
-Requires Node.js 18+.
-
-## Quick Start
-
-```bash
-dg login
-dg scan          # read-only audit of the current project
-```
-
-Scope-truthful output: a clean project shows
-`✓ Dependency Guardian checked 142 packages. No risky behavior found.`
-A flagged install shows only the warn/block packages with one-line
-reasons and a clear next step.
-
-Supports `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`,
-`requirements.txt`, `Pipfile.lock`, and `poetry.lock`.
-
-## Commands
-
-```
-dg scan              Read-only audit of the project's lockfiles
-dg status            Show your auth state, plan tier, and whether protection is on
-dg login / logout    Manage authentication
-dg npm install <pkg> Protective install wrapper (default mode: block)
-dg pip install <pkg> Protective install wrapper (default mode: block)
-dg protect           Opt this project in to auto-protection on every install
-dg protect off       Disable opt-in protection in this project
-dg wrap              Print the shell-alias snippet without writing a project marker
-dg hook install      Install a git pre-commit hook that gates lockfile diffs
-dg hook uninstall    Remove the git pre-commit hook
-dg publish-check     Self-scan before `npm publish` / `pip upload`
-dg update            Check for and install the latest version
-```
-
-Full reference: <https://westbayberry.com/docs/cli-reference>
-
-## Common Options
-
-| Flag | Default | Description |
-|------|---------|-------------|
-| `--mode <mode>` | `warn` for `scan`, `block` for install wrappers | `block` / `warn` / `off` |
-| `--details` | off | Verbose table view (the older format) |
-| `--explain` | off | Plain-English explanation of findings |
-| `--json` | off | Stable machine-readable JSON (CI) |
-| `--ci` | auto when `CI=1` | Deterministic output, no spinners |
-| `--dg-force` | off | Bypass a block (visible in output, audit-friendly) |
-| `--dg-no-scripts` | off | Pass `--ignore-scripts` to the real install |
-| `--strict` | off | Refuse partial-coverage scans + auto `--dg-no-scripts` |
-| `--quiet` | off | Suppress login + update nudges (still prints findings) |
-| `--workspace <dir>` | | Scan a specific workspace subdirectory |
-
-## Exit Codes
-
-| Code | Meaning |
-|------|---------|
-| `0` | Pass |
-| `1` | Warning |
-| `2` | Block |
-| `3` | Error |
-
-## CI
-
-```bash
-npx @westbayberry/dg login
-npx @westbayberry/dg scan --mode block --json
-```
-
-Wire exit code `2` into your pipeline to fail the build.
-
-## Configuration
-
-Settings come from CLI flags, environment variables, or a `.dgrc.json` file in the project or home directory. CLI flags take precedence.
-
-```json
-{
-  "apiKey": "dg_...",
-  "mode": "block"
-}
-```
-
-## Telemetry
-
-The CLI sends anonymous crash reports to Sentry (error message, stack trace, Node version, OS, CLI version). It never sends package names, file paths, API keys, or scan results. API keys and home directory paths are redacted before transmission.
-
-Opt out:
-
-```bash
-export DG_TELEMETRY=0      # or
-export DO_NOT_TRACK=1
-```
-
-## Links
-
-- [Dashboard](https://westbayberry.com/dashboard)
-- [Documentation](https://westbayberry.com/docs) — setup walkthrough
-- [CLI reference](https://westbayberry.com/docs/cli-reference) — every command and flag
-- [Pricing](https://westbayberry.com/pricing)
-- [Changelog](https://github.com/WestBayBerry/dependency-guardian-action/blob/main/CHANGELOG.md)