@westbayberry/dg 1.0.6 → 1.0.7

package/README.md

@@ -1,6 +1,6 @@
 # @westbayberry/dg
 
-Supply chain security scanner for npm dependencies. Detects malicious packages, typosquatting, dependency confusion, and 20+ attack patterns before they reach production.
+Supply chain security scanner for npm and Python dependencies. Detects malicious packages, typosquatting, dependency confusion, and 20+ attack patterns before they reach production.
 
 ## Install
 
@@ -8,44 +8,42 @@ Supply chain security scanner for npm dependencies. Detects malicious packages,
 npm install -g @westbayberry/dg
 ```
 
-Or run without installing:
-
-```bash
-npx @westbayberry/dg scan
-```
-
 ## Quick Start
 
-1. Get your API key at [westbayberry.com/dashboard](https://westbayberry.com/dashboard)
-2. Run a scan:
-
 ```bash
-export DG_API_KEY=dg_live_your_key_here
+dg login
 dg scan
 ```
 
-That's it. The CLI auto-detects changed packages by diffing your lockfile against the base branch.
+The CLI auto-discovers projects in your directory tree — npm lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and Python dependency files (requirements.txt, Pipfile.lock, poetry.lock). If multiple projects are found, you pick which ones to scan.
 
-## Usage
+## Commands
 
 ```
-dg scan [options]
+dg scan [options]        Scan dependencies (auto-discovers npm + Python projects)
+dg npm install <pkg>     Scan packages before installing
+dg login                 Authenticate with your WestBayBerry account
+dg logout                Remove saved credentials
+dg hook install          Install git pre-commit hook to scan lockfile changes
+dg hook uninstall        Remove the pre-commit hook
+dg update                Check for and install the latest version
+dg wrap                  Show instructions to alias npm to dg
 ```
 
-### Options
-
-| Flag | Env Var | Default | Description |
-|------|---------|---------|-------------|
-| `--api-key <key>` | `DG_API_KEY` | *required* | Your API key |
-| `--mode <mode>` | `DG_MODE` | `warn` | `block` / `warn` / `off` |
-| `--block-threshold <n>` | | `70` | Score threshold for blocking |
-| `--warn-threshold <n>` | | `60` | Score threshold for warnings |
-| `--max-packages <n>` | | `200` | Max packages per scan |
-| `--allowlist <pkgs>` | `DG_ALLOWLIST` | | Comma-separated packages to skip |
-| `--json` | | | Output JSON for CI parsing |
-| `--scan-all` | | | Scan all packages, not just changed |
-| `--base-lockfile <path>` | | | Explicit base lockfile for diff |
-| `--api-url <url>` | `DG_API_URL` | `https://api.westbayberry.com` | API endpoint |
+### Scan Options
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--mode <mode>` | `warn` | `block` / `warn` / `off` |
+| `--block-threshold <n>` | `70` | Score threshold for blocking |
+| `--warn-threshold <n>` | `60` | Score threshold for warnings |
+| `--max-packages <n>` | `200` | Max packages per scan |
+| `--allowlist <pkgs>` | | Comma-separated packages to skip |
+| `--json` | | Output JSON for CI parsing |
+| `--scan-all` | | Scan all packages, not just changed |
+| `--base-lockfile <path>` | | Explicit base lockfile for diff |
+| `--workspace <dir>` | | Scan a specific workspace subdirectory |
+| `--debug` | | Show diagnostic output |
 
 ### Exit Codes
 
@@ -54,37 +52,54 @@ dg scan [options]
 | `0` | Pass | Continue |
 | `1` | Warning | Advisory — review recommended |
 | `2` | Block | Fail the pipeline |
+| `3` | Error | Internal error |
+
+## CI Setup
 
-## CI Examples
+Authenticate first, then add the scan to your pipeline:
 
-### GitHub Actions CI
+### GitHub Actions
 
 ```yaml
 - name: Scan dependencies
-  run: npx @westbayberry/dg scan --mode block
-  env:
-    DG_API_KEY: ${{ secrets.DG_API_KEY }}
+  run: |
+    npx @westbayberry/dg login
+    npx @westbayberry/dg scan --mode block --json
 ```
 
-### GitLab CI
+### Any CI
 
-```yaml
-dependency-scan:
-  script:
-    - npx @westbayberry/dg scan --mode block
-  variables:
-    DG_API_KEY: $DG_API_KEY
+```bash
+npx @westbayberry/dg login
+npx @westbayberry/dg scan --mode block --json
 ```
 
-### Any CI
+## Git Hook
+
+Block commits that introduce risky dependencies:
 
 ```bash
-export DG_API_KEY="$DG_API_KEY"
-npx @westbayberry/dg scan --mode block --json
+dg hook install
+```
+
+This installs a pre-commit hook that runs `dg scan --mode block` whenever a lockfile change is staged. Use `dg hook uninstall` to remove it.
+
+## npm Wrapper
+
+Scan packages before installing:
+
+```bash
+dg npm install express lodash
+```
+
+Use `--dg-force` to bypass a block. Or alias npm globally:
+
+```bash
+echo 'alias npm="dg npm"' >> ~/.zshrc
 ```
 
 ## Links
 
-- [Dashboard & API Keys](https://westbayberry.com/dashboard)
+- [Dashboard](https://westbayberry.com/dashboard)
 - [Documentation](https://westbayberry.com/docs)
 - [Pricing](https://westbayberry.com/pricing)

package/dist/index.mjs

@@ -39,6 +39,194 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// src/config.ts
+var config_exports = {};
+__export(config_exports, {
+  USAGE: () => USAGE,
+  getVersion: () => getVersion,
+  parseConfig: () => parseConfig
+});
+import { parseArgs } from "node:util";
+import { readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+function loadDgrc() {
+  const candidates = [
+    join(process.cwd(), ".dgrc.json"),
+    join(homedir(), ".dgrc.json")
+  ];
+  for (const filepath of candidates) {
+    if (existsSync(filepath)) {
+      try {
+        return JSON.parse(readFileSync(filepath, "utf-8"));
+      } catch {
+        process.stderr.write(`Warning: Failed to parse ${filepath}, ignoring.
+`);
+      }
+    }
+  }
+  return {};
+}
+function getVersion() {
+  try {
+    const pkg = JSON.parse(
+      readFileSync(join(__dirname, "..", "package.json"), "utf-8")
+    );
+    return pkg.version ?? "1.0.0";
+  } catch {
+    return "1.0.0";
+  }
+}
+function parseConfig(argv) {
+  const { values, positionals } = parseArgs({
+    args: argv.slice(2),
+    options: {
+      "api-url": { type: "string" },
+      mode: { type: "string" },
+      "block-threshold": { type: "string" },
+      "warn-threshold": { type: "string" },
+      "max-packages": { type: "string" },
+      allowlist: { type: "string" },
+      json: { type: "boolean", default: false },
+      "scan-all": { type: "boolean", default: false },
+      "base-lockfile": { type: "string" },
+      workspace: { type: "string", short: "w" },
+      debug: { type: "boolean", default: false },
+      "no-config": { type: "boolean", default: false },
+      help: { type: "boolean", default: false },
+      version: { type: "boolean", default: false }
+    },
+    allowPositionals: true,
+    strict: false
+  });
+  if (values.help) {
+    process.stdout.write(USAGE);
+    process.exit(0);
+  }
+  if (values.version) {
+    process.stdout.write(`dependency-guardian v${getVersion()}
+`);
+    process.exit(0);
+  }
+  const command = positionals[0] ?? "scan";
+  const noConfig = values["no-config"];
+  const dgrc = noConfig ? {} : loadDgrc();
+  const apiKey = dgrc.apiKey ?? "";
+  if (!apiKey) {
+    process.stderr.write(
+      "Error: Not logged in. Run `dg login` to authenticate.\n"
+    );
+    process.exit(1);
+  }
+  const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? "warn";
+  if (!["block", "warn", "off"].includes(modeRaw)) {
+    process.stderr.write(
+      `Error: Invalid mode "${modeRaw}". Must be block, warn, or off.
+`
+    );
+    process.exit(1);
+  }
+  const allowlistRaw = values.allowlist ?? process.env.DG_ALLOWLIST ?? "";
+  const blockThreshold = Number(values["block-threshold"] ?? dgrc.blockThreshold ?? "70");
+  const warnThreshold = Number(values["warn-threshold"] ?? dgrc.warnThreshold ?? "60");
+  const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
+  const debug = values.debug || process.env.DG_DEBUG === "1";
+  if (isNaN(blockThreshold) || blockThreshold < 0 || blockThreshold > 100) {
+    process.stderr.write("Error: --block-threshold must be a number between 0 and 100\n");
+    process.exit(1);
+  }
+  if (isNaN(warnThreshold) || warnThreshold < 0 || warnThreshold > 100) {
+    process.stderr.write("Error: --warn-threshold must be a number between 0 and 100\n");
+    process.exit(1);
+  }
+  if (isNaN(maxPackages) || maxPackages < 1 || maxPackages > 1e4) {
+    process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
+    process.exit(1);
+  }
+  return {
+    apiKey,
+    apiUrl: values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com",
+    mode: modeRaw,
+    blockThreshold,
+    warnThreshold,
+    maxPackages,
+    allowlist: allowlistRaw ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean) : dgrc.allowlist ?? [],
+    json: values.json,
+    scanAll: values["scan-all"],
+    baseLockfile: values["base-lockfile"] ?? null,
+    workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
+    command,
+    debug
+  };
+}
+var USAGE;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    USAGE = `
+  Dependency Guardian \u2014 Supply chain security scanner
+
+  Usage:
+    dependency-guardian scan [options]
+    dg scan [options]
+    dg npm install <pkg> [npm-flags]
+    dg wrap
+
+  Commands:
+    scan            Scan dependencies (auto-discovers npm + Python projects)
+    npm             Wrap npm commands \u2014 scans packages before installing
+    hook install    Install git pre-commit hook to scan lockfile changes
+    hook uninstall  Remove the pre-commit hook
+    update          Check for and install the latest version
+    login           Authenticate with your WestBayBerry account
+    logout          Remove saved credentials
+    wrap            Show instructions to alias npm to dg
+
+  Options:
+    --api-url <url>          API base URL (default: https://api.westbayberry.com)
+    --mode <mode>            block | warn | off (default: warn)
+    --block-threshold <n>    Score threshold for blocking (default: 70)
+    --warn-threshold <n>     Score threshold for warnings (default: 60)
+    --max-packages <n>       Max packages per scan (default: 200)
+    --allowlist <pkgs>       Comma-separated package names to skip
+    --json                   Output JSON for CI parsing
+    --scan-all               Scan all packages, not just changed
+    --base-lockfile <path>   Path to base lockfile for explicit diff
+    --workspace <dir>        Scan a specific workspace subdirectory
+    --debug                  Show diagnostic output (discovery, batches, timing)
+    --no-config              Skip loading .dgrc.json config file
+    --help                   Show this help message
+    --version                Show version number
+
+  Config File:
+    Place a .dgrc.json in your project root or home directory.
+    Precedence: CLI flags > env vars > .dgrc.json > defaults
+
+  Environment Variables:
+    DG_API_URL               API base URL
+    DG_MODE                  Mode (block/warn/off)
+    DG_ALLOWLIST             Comma-separated allowlist
+    DG_DEBUG                 Enable debug output (set to 1)
+    DG_WORKSPACE             Workspace subdirectory to scan
+
+  Exit Codes:
+    0  pass    \u2014 No risks detected
+    1  warn    \u2014 Risks detected (advisory)
+    2  block   \u2014 High-risk packages detected
+    3  error   \u2014 Internal error (API failure, config error)
+
+  Examples:
+    dg scan
+    dg scan --json
+    dg scan --scan-all --mode block
+    dg scan --base-lockfile ./main-lockfile.json
+    dg npm install express lodash
+    dg npm install @scope/pkg@^2.0.0
+    dg npm install risky-pkg --dg-force
+`.trimStart();
+  }
+});
+
 // src/npm-wrapper.ts
 import { spawn } from "node:child_process";
 import { readFileSync as readFileSync2, existsSync as existsSync2 } from "node:fs";
@@ -3106,11 +3294,11 @@ var require_react_development = __commonJS({
           }
           return dispatcher.useContext(Context);
         }
-        function useState6(initialState) {
+        function useState5(initialState) {
           var dispatcher = resolveDispatcher();
           return dispatcher.useState(initialState);
         }
-        function useReducer4(reducer4, initialArg, init) {
+        function useReducer5(reducer4, initialArg, init) {
           var dispatcher = resolveDispatcher();
           return dispatcher.useReducer(reducer4, initialArg, init);
         }
@@ -3907,9 +4095,9 @@ var require_react_development = __commonJS({
         exports.useInsertionEffect = useInsertionEffect;
         exports.useLayoutEffect = useLayoutEffect2;
         exports.useMemo = useMemo4;
-        exports.useReducer = useReducer4;
+        exports.useReducer = useReducer5;
         exports.useRef = useRef6;
-        exports.useState = useState6;
+        exports.useState = useState5;
         exports.useSyncExternalStore = useSyncExternalStore;
         exports.useTransition = useTransition;
         exports.version = ReactVersion;
@@ -35768,9 +35956,6 @@ var init_build2 = __esm({
 // src/auth.ts
 var auth_exports = {};
 __export(auth_exports, {
-  MAX_POLL_ATTEMPTS: () => MAX_POLL_ATTEMPTS,
-  POLL_INTERVAL_MS: () => POLL_INTERVAL_MS,
-  WEB_BASE: () => WEB_BASE,
   clearCredentials: () => clearCredentials,
   createAuthSession: () => createAuthSession,
   getStoredApiKey: () => getStoredApiKey,
@@ -35801,7 +35986,6 @@ async function createAuthSession() {
   const json = await res.json();
   return {
     sessionId: json.session_id,
-    userCode: json.user_code,
     verifyUrl: json.verify_url,
     expiresIn: json.expires_in
   };
@@ -35889,13 +36073,11 @@ function openBrowser(url) {
   exec2(cmd, () => {
   });
 }
-var WEB_BASE, POLL_INTERVAL_MS, MAX_POLL_ATTEMPTS, CONFIG_FILE;
+var WEB_BASE, CONFIG_FILE;
 var init_auth = __esm({
   "src/auth.ts"() {
     "use strict";
     WEB_BASE = "https://westbayberry.com";
-    POLL_INTERVAL_MS = 2e3;
-    MAX_POLL_ATTEMPTS = 150;
     CONFIG_FILE = ".dgrc.json";
   }
 });
@@ -35906,7 +36088,7 @@ function reducer(_state, action) {
     case "ALREADY_LOGGED_IN":
       return { phase: "already_logged_in", apiKey: action.apiKey };
     case "SESSION_CREATED":
-      return { phase: "waiting", userCode: action.userCode, verifyUrl: action.verifyUrl };
+      return { phase: "waiting", verifyUrl: action.verifyUrl };
     case "AUTH_COMPLETE":
       return { phase: "success", email: action.email };
     case "AUTH_EXPIRED":
@@ -35941,13 +36123,12 @@ function useLogin() {
         }
         dispatch({
           type: "SESSION_CREATED",
-          userCode: session.userCode,
           verifyUrl: session.verifyUrl
         });
         openBrowser(session.verifyUrl);
-        for (let i = 0; i < MAX_POLL_ATTEMPTS2; i++) {
+        for (let i = 0; i < MAX_POLL_ATTEMPTS; i++) {
           if (cancelled) return;
-          await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS2));
+          await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
           if (cancelled) return;
           try {
             const result = await pollAuthSession(session.sessionId);
@@ -35977,14 +36158,14 @@ function useLogin() {
   }, []);
   return state;
 }
-var import_react22, POLL_INTERVAL_MS2, MAX_POLL_ATTEMPTS2;
+var import_react22, POLL_INTERVAL_MS, MAX_POLL_ATTEMPTS;
 var init_useLogin = __esm({
   "src/ui/hooks/useLogin.ts"() {
     "use strict";
     import_react22 = __toESM(require_react());
     init_auth();
-    POLL_INTERVAL_MS2 = 2e3;
-    MAX_POLL_ATTEMPTS2 = 150;
+    POLL_INTERVAL_MS = 2e3;
+    MAX_POLL_ATTEMPTS = 150;
   }
 });
 
@@ -38656,13 +38837,6 @@ var init_LoginApp = __esm({
           ] });
         case "waiting":
           return /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(Box_default, { flexDirection: "column", paddingLeft: 1, children: [
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: " " }),
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { bold: true, children: "Your verification code:" }),
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: " " }),
-            /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(Text, { bold: true, color: "green", children: [
-              "  ",
-              state.userCode
-            ] }),
             /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: " " }),
             /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { children: "Opening browser to authenticate..." }),
             /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Text, { dimColor: true, children: "If it didn't open, visit:" }),
@@ -39758,7 +39932,7 @@ async function runStaticLogin() {
     process.exit(1);
   }
   process.stderr.write(`
-  Your verification code: ${import_chalk4.default.bold.green(session.userCode)}
+  Opening browser to authenticate...
 `);
   process.stderr.write(`  Visit: ${import_chalk4.default.cyan(session.verifyUrl)}
 
@@ -40115,13 +40289,10 @@ function useNpmWrapper(npmArgs, config) {
         }
       } catch (error) {
         const message = error instanceof Error ? error.message : String(error);
-        const proceed = true;
-        dispatch({ type: "ERROR", message, proceed });
-        if (proceed) {
-          dispatch({ type: "INSTALLING" });
-          const code = await runNpm(parsedRef.current.rawArgs);
-          dispatch({ type: "DONE", exitCode: code });
-        }
+        dispatch({ type: "ERROR", message, proceed: true });
+        dispatch({ type: "INSTALLING" });
+        const code = await runNpm(parsedRef.current.rawArgs);
+        dispatch({ type: "DONE", exitCode: code });
       }
     })();
   }, [npmArgs, config]);
@@ -40427,7 +40598,7 @@ function getHint(error) {
   if (typeof statusCode !== "number") return null;
   switch (statusCode) {
     case 401:
-      return "Check your --api-key";
+      return "Not authenticated. Run `dg login` to sign in.";
     case 429:
       return "Rate limit exceeded. Upgrade at westbayberry.com/pricing";
     case 504:
@@ -40734,6 +40905,8 @@ function reducer3(_state, action) {
   switch (action.type) {
     case "PROJECTS_FOUND":
       return { phase: "selecting", projects: action.projects };
+    case "RESTART_SELECTION":
+      return { phase: "selecting", projects: action.projects };
     case "DISCOVERY_COMPLETE":
       return { phase: "scanning", done: 0, total: action.packages.length, currentBatch: [] };
     case "DISCOVERY_EMPTY":
@@ -40749,6 +40922,7 @@ function reducer3(_state, action) {
 function useScan(config) {
   const [state, dispatch] = (0, import_react27.useReducer)(reducer3, { phase: "discovering" });
   const started = (0, import_react27.useRef)(false);
+  const discoveredProjects = (0, import_react27.useRef)(null);
   (0, import_react27.useEffect)(() => {
     if (started.current) return;
     started.current = true;
@@ -40764,6 +40938,7 @@ function useScan(config) {
       runNpmScan(packages, discovery.skipped.length, config, dispatch);
     } catch {
       const projects = discoverProjects(process.cwd());
+      discoveredProjects.current = projects.length > 1 ? projects : null;
       if (projects.length === 0) {
         dispatch({ type: "DISCOVERY_EMPTY", message: "No dependency files found." });
         return;
@@ -40780,7 +40955,15 @@ function useScan(config) {
     dispatch({ type: "DISCOVERY_COMPLETE", packages: [], skippedCount: 0 });
     scanProjects(projects, config, dispatch);
   }, [config]);
-  return { state, scanSelectedProjects };
+  const restartSelection = (0, import_react27.useCallback)(() => {
+    if (!discoveredProjects.current) return;
+    dispatch({ type: "RESTART_SELECTION", projects: discoveredProjects.current });
+  }, []);
+  return {
+    state,
+    scanSelectedProjects,
+    restartSelection: discoveredProjects.current ? restartSelection : null
+  };
 }
 async function runNpmScan(packages, skippedCount, config, dispatch) {
   try {
@@ -41016,7 +41199,17 @@ function affectsLine(group) {
   if (names.length <= 5) return names.join(", ");
   return names.slice(0, 5).join(", ") + ` + ${names.length - 5} more`;
 }
-var import_react29, import_chalk10, import_jsx_runtime10, SEVERITY_LABELS3, SEVERITY_COLORS, EVIDENCE_LIMIT2, FIXED_CHROME, MOUSE_ON, MOUSE_OFF, InteractiveResultsView, T, FindingsSummary, FindingsDetail;
+function viewReducer(_state, action) {
+  switch (action.type) {
+    case "MOVE":
+      return { ..._state, cursor: action.cursor, viewport: action.viewport };
+    case "EXPAND":
+      return { ..._state, expandedIndex: action.expandedIndex, expandLevel: action.expandLevel, viewport: action.viewport };
+    case "MOVE_EXPAND":
+      return { cursor: action.cursor, expandedIndex: action.expandedIndex, expandLevel: action.expandLevel, viewport: action.viewport };
+  }
+}
+var import_react29, import_chalk10, import_jsx_runtime10, SEVERITY_LABELS3, SEVERITY_COLORS, EVIDENCE_LIMIT2, FIXED_CHROME, InteractiveResultsView, T, FindingsSummary, FindingsDetail;
 var init_InteractiveResultsView = __esm({
   async "src/ui/components/InteractiveResultsView.tsx"() {
     "use strict";
@@ -41042,19 +41235,18 @@ var init_InteractiveResultsView = __esm({
     };
     EVIDENCE_LIMIT2 = 2;
     FIXED_CHROME = 16;
-    MOUSE_ON = "\x1B[?1000h\x1B[?1003h\x1B[?1006h";
-    MOUSE_OFF = "\x1B[?1006l\x1B[?1003l\x1B[?1000l";
     InteractiveResultsView = ({
       result,
       config,
       durationMs,
-      onExit
+      onExit,
+      onBack
     }) => {
       (0, import_react29.useEffect)(() => {
         if (!process.stdout.isTTY) return;
-        process.stdout.write("\x1B[?1049h" + MOUSE_ON);
+        process.stdout.write("\x1B[?1049h");
         return () => {
-          process.stdout.write(MOUSE_OFF + "\x1B[?1049l");
+          process.stdout.write("\x1B[?1049l");
         };
       }, []);
       const flagged = (0, import_react29.useMemo)(
@@ -41067,45 +41259,41 @@ var init_InteractiveResultsView = __esm({
       );
       const total = result.packages.length;
       const groups = (0, import_react29.useMemo)(() => groupPackages3(flagged), [flagged]);
-      const [cursorIndex, setCursorIndex] = (0, import_react29.useState)(0);
-      const [expandLevel, setExpandLevel] = (0, import_react29.useState)(null);
-      const [expandedIndex, setExpandedIndex] = (0, import_react29.useState)(null);
-      const [viewportStart, setViewportStart] = (0, import_react29.useState)(0);
-      const cursorRef = (0, import_react29.useRef)(cursorIndex);
-      const expandLevelRef = (0, import_react29.useRef)(expandLevel);
-      const expandedIdxRef = (0, import_react29.useRef)(expandedIndex);
-      const viewportRef = (0, import_react29.useRef)(viewportStart);
-      cursorRef.current = cursorIndex;
-      expandLevelRef.current = expandLevel;
-      expandedIdxRef.current = expandedIndex;
-      viewportRef.current = viewportStart;
+      const [view, dispatchView] = (0, import_react29.useReducer)(viewReducer, {
+        cursor: 0,
+        expandLevel: null,
+        expandedIndex: null,
+        viewport: 0
+      });
+      const viewRef = (0, import_react29.useRef)(view);
+      viewRef.current = view;
       const { stdout } = use_stdout_default();
       const termCols = stdout?.columns ?? process.stdout.columns ?? 80;
       const termRows = stdout?.rows ?? process.stdout.rows ?? 24;
       const availableRows = Math.max(5, termRows - FIXED_CHROME);
       const innerWidth = Math.max(40, termCols - 6);
       const getLevel = (idx) => {
-        return expandedIndex === idx ? expandLevel : null;
+        return view.expandedIndex === idx ? view.expandLevel : null;
       };
       const expandTargetHeight = (0, import_react29.useMemo)(() => {
-        if (expandedIndex === null || expandLevel === null) return 0;
-        const group = groups[expandedIndex];
+        if (view.expandedIndex === null || view.expandLevel === null) return 0;
+        const group = groups[view.expandedIndex];
         if (!group) return 0;
-        if (expandLevel === "summary") return findingsSummaryHeight(group);
+        if (view.expandLevel === "summary") return findingsSummaryHeight(group);
         return findingsDetailHeight(group, result.safeVersions);
-      }, [expandedIndex, expandLevel, groups, result.safeVersions]);
+      }, [view.expandedIndex, view.expandLevel, groups, result.safeVersions]);
       const { visibleLines: animVisibleLines } = useExpandAnimation(
         expandTargetHeight,
-        expandedIndex !== null
+        view.expandedIndex !== null
       );
       const animatedGroupHeight = (group, level, idx) => {
         if (level === null) return 1;
-        if (idx === expandedIndex) return 1 + animVisibleLines;
+        if (idx === view.expandedIndex) return 1 + animVisibleLines;
         return groupRowHeight(group, level, result.safeVersions);
       };
       const visibleEnd = (0, import_react29.useMemo)(() => {
         let consumed = 0;
-        let end = viewportStart;
+        let end = view.viewport;
         while (end < groups.length) {
           const level = getLevel(end);
           const h = animatedGroupHeight(groups[end], level, end);
@@ -41113,9 +41301,9 @@ var init_InteractiveResultsView = __esm({
           consumed += h;
           end++;
         }
-        if (end === viewportStart && groups.length > 0) end = viewportStart + 1;
+        if (end === view.viewport && groups.length > 0) end = view.viewport + 1;
         return end;
-      }, [viewportStart, groups, expandedIndex, expandLevel, animVisibleLines, availableRows, result.safeVersions]);
+      }, [view.viewport, groups, view.expandedIndex, view.expandLevel, animVisibleLines, availableRows, result.safeVersions]);
       const adjustViewport = (cursor, expIdx, expLvl, currentStart) => {
         if (cursor < currentStart) return cursor;
         const getLvl = (i) => expIdx === i ? expLvl : null;
@@ -41140,43 +41328,39 @@ var init_InteractiveResultsView = __esm({
           if (input === "q" || key.return) onExit();
           return;
         }
-        const cursor = cursorRef.current;
-        const expLvl = expandLevelRef.current;
-        const expIdx = expandedIdxRef.current;
-        const vpStart = viewportRef.current;
+        const { cursor, expandLevel: expLvl, expandedIndex: expIdx, viewport: vpStart } = viewRef.current;
         if (key.upArrow) {
           const next = Math.max(0, cursor - 1);
           const newVp = adjustViewport(next, expIdx, expLvl, vpStart < next ? vpStart : next);
-          setCursorIndex(next);
-          setViewportStart(newVp);
+          dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
         } else if (key.downArrow) {
           const next = Math.min(groups.length - 1, cursor + 1);
           const newVp = adjustViewport(next, expIdx, expLvl, vpStart);
-          setCursorIndex(next);
-          setViewportStart(newVp);
+          dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
         } else if (key.return) {
           let newExpIdx;
           let newExpLvl;
-          if (expIdx !== cursor) {
-            newExpIdx = cursor;
-            newExpLvl = "summary";
-          } else if (expLvl === "summary") {
-            newExpIdx = cursor;
-            newExpLvl = "detail";
-          } else {
+          if (expIdx === cursor && expLvl !== null) {
             newExpIdx = null;
             newExpLvl = null;
+          } else {
+            newExpIdx = cursor;
+            newExpLvl = "summary";
           }
-          setExpandedIndex(newExpIdx);
-          setExpandLevel(newExpLvl);
           const newVp = adjustViewport(cursor, newExpIdx, newExpLvl, vpStart);
-          setViewportStart(newVp);
+          dispatchView({ type: "EXPAND", expandedIndex: newExpIdx, expandLevel: newExpLvl, viewport: newVp });
+        } else if (input === "e") {
+          if (expIdx === cursor && expLvl === "detail") return;
+          const newVp = adjustViewport(cursor, cursor, "detail", vpStart);
+          dispatchView({ type: "EXPAND", expandedIndex: cursor, expandLevel: "detail", viewport: newVp });
+        } else if (input === "b" && onBack) {
+          onBack();
         } else if (input === "q") {
           onExit();
         }
       });
-      const visibleGroups = groups.slice(viewportStart, visibleEnd);
-      const aboveCount = viewportStart;
+      const visibleGroups = groups.slice(view.viewport, visibleEnd);
+      const aboveCount = view.viewport;
       const belowCount = groups.length - visibleEnd;
       const nameCol = Math.max(20, innerWidth - 22);
       return /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Box_default, { flexDirection: "column", children: [
@@ -41215,8 +41399,8 @@ var init_InteractiveResultsView = __esm({
                 " more above"
               ] }),
               visibleGroups.map((group, visIdx) => {
-                const globalIdx = viewportStart + visIdx;
-                const isCursor = globalIdx === cursorIndex;
+                const globalIdx = view.viewport + visIdx;
+                const isCursor = globalIdx === view.cursor;
                 const level = getLevel(globalIdx);
                 const rep = group.packages[0];
                 const { label, color } = actionBadge4(rep.score, config);
@@ -41235,7 +41419,7 @@ var init_InteractiveResultsView = __esm({
                     {
                       group,
                       maxWidth: innerWidth - 8,
-                      maxLines: globalIdx === expandedIndex ? animVisibleLines : void 0
+                      maxLines: globalIdx === view.expandedIndex ? animVisibleLines : void 0
                     }
                   ),
                   level === "detail" && /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(
@@ -41244,7 +41428,7 @@ var init_InteractiveResultsView = __esm({
                       group,
                       safeVersion: result.safeVersions[rep.name],
                       maxWidth: innerWidth - 8,
-                      maxLines: globalIdx === expandedIndex ? animVisibleLines : void 0
+                      maxLines: globalIdx === view.expandedIndex ? animVisibleLines : void 0
                     }
                   )
                 ] }, group.key);
@@ -41291,13 +41475,23 @@ var init_InteractiveResultsView = __esm({
             " navigate",
             "  ",
             import_chalk10.default.cyan("\u23CE"),
-            " expand/collapse",
+            " toggle",
             "  ",
+            import_chalk10.default.cyan("e"),
+            " detail",
+            "  ",
+            onBack && /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
+              import_chalk10.default.cyan("b"),
+              " back",
+              "  "
+            ] }),
             import_chalk10.default.cyan("q"),
             " quit"
           ] }) : /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
             "Press ",
             import_chalk10.default.cyan("q"),
+            " or ",
+            import_chalk10.default.cyan("Enter"),
             " to exit"
           ] })
         ] })
@@ -41305,13 +41499,9 @@ var init_InteractiveResultsView = __esm({
     };
     T = {
       branch: import_chalk10.default.dim("\u251C\u2500\u2500"),
-      // ├──
       last: import_chalk10.default.dim("\u2514\u2500\u2500"),
-      // └──
       pipe: import_chalk10.default.dim("\u2502"),
-      // │
       blank: " "
-      //
     };
     FindingsSummary = ({ group, maxWidth, maxLines }) => {
       const rep = group.packages[0];
@@ -41477,12 +41667,7 @@ var init_ProjectSelector = __esm({
           return /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { bold: isCursor, inverse: isCursor, children: line }, i);
         }),
         /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
-        /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
-          selected.size,
-          " of ",
-          projects.length,
-          " selected"
-        ] })
+        /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: selected.size === 0 ? "Select at least 1 project to scan" : `${selected.size} of ${projects.length} selected` })
       ] });
     };
   }
@@ -41507,7 +41692,7 @@ var init_App2 = __esm({
     await init_ProjectSelector();
     import_jsx_runtime12 = __toESM(require_jsx_runtime());
     App2 = ({ config }) => {
-      const { state, scanSelectedProjects } = useScan(config);
+      const { state, scanSelectedProjects, restartSelection } = useScan(config);
       const { exit } = use_app_default();
       const handleResultsExit = (0, import_react31.useCallback)(() => {
         if (state.phase === "results") {
@@ -41574,7 +41759,8 @@ var init_App2 = __esm({
               result: state.result,
               config,
               durationMs: state.durationMs,
-              onExit: handleResultsExit
+              onExit: handleResultsExit,
+              onBack: restartSelection ?? void 0
             }
           );
         case "empty":
@@ -41586,183 +41772,8 @@ var init_App2 = __esm({
   }
 });
 
-// src/config.ts
-import { parseArgs } from "node:util";
-import { readFileSync, existsSync } from "node:fs";
-import { join } from "node:path";
-import { homedir } from "node:os";
-function loadDgrc() {
-  const candidates = [
-    join(process.cwd(), ".dgrc.json"),
-    join(homedir(), ".dgrc.json")
-  ];
-  for (const filepath of candidates) {
-    if (existsSync(filepath)) {
-      try {
-        return JSON.parse(readFileSync(filepath, "utf-8"));
-      } catch {
-        process.stderr.write(`Warning: Failed to parse ${filepath}, ignoring.
-`);
-      }
-    }
-  }
-  return {};
-}
-var USAGE = `
-  Dependency Guardian \u2014 Supply chain security scanner
-
-  Usage:
-    dependency-guardian scan [options]
-    dg scan [options]
-    dg npm install <pkg> [npm-flags]
-    dg wrap
-
-  Commands:
-    scan            Scan dependencies (auto-discovers npm + Python projects)
-    npm             Wrap npm commands \u2014 scans packages before installing
-    hook install    Install git pre-commit hook to scan lockfile changes
-    hook uninstall  Remove the pre-commit hook
-    update          Check for and install the latest version
-    login           Authenticate with your WestBayBerry account
-    logout          Remove saved credentials
-    wrap            Show instructions to alias npm to dg
-
-  Options:
-    --api-url <url>          API base URL (default: https://api.westbayberry.com)
-    --mode <mode>            block | warn | off (default: warn)
-    --block-threshold <n>    Score threshold for blocking (default: 70)
-    --warn-threshold <n>     Score threshold for warnings (default: 60)
-    --max-packages <n>       Max packages per scan (default: 200)
-    --allowlist <pkgs>       Comma-separated package names to skip
-    --json                   Output JSON for CI parsing
-    --scan-all               Scan all packages, not just changed
-    --base-lockfile <path>   Path to base lockfile for explicit diff
-    --workspace <dir>        Scan a specific workspace subdirectory
-    --debug                  Show diagnostic output (discovery, batches, timing)
-    --no-config              Skip loading .dgrc.json config file
-    --help                   Show this help message
-    --version                Show version number
-
-  Config File:
-    Place a .dgrc.json in your project root or home directory.
-    Precedence: CLI flags > env vars > .dgrc.json > defaults
-
-  Environment Variables:
-    DG_API_URL               API base URL
-    DG_MODE                  Mode (block/warn/off)
-    DG_ALLOWLIST             Comma-separated allowlist
-    DG_DEBUG                 Enable debug output (set to 1)
-    DG_WORKSPACE             Workspace subdirectory to scan
-
-  Exit Codes:
-    0  pass    \u2014 No risks detected
-    1  warn    \u2014 Risks detected (advisory)
-    2  block   \u2014 High-risk packages detected
-    3  error   \u2014 Internal error (API failure, config error)
-
-  Examples:
-    dg scan
-    dg scan --json
-    dg scan --scan-all --mode block
-    dg scan --base-lockfile ./main-lockfile.json
-    dg npm install express lodash
-    dg npm install @scope/pkg@^2.0.0
-    dg npm install risky-pkg --dg-force
-`.trimStart();
-function getVersion() {
-  try {
-    const pkg = JSON.parse(
-      readFileSync(join(__dirname, "..", "package.json"), "utf-8")
-    );
-    return pkg.version ?? "1.0.0";
-  } catch {
-    return "1.0.0";
-  }
-}
-function parseConfig(argv) {
-  const { values, positionals } = parseArgs({
-    args: argv.slice(2),
-    options: {
-      "api-url": { type: "string" },
-      mode: { type: "string" },
-      "block-threshold": { type: "string" },
-      "warn-threshold": { type: "string" },
-      "max-packages": { type: "string" },
-      allowlist: { type: "string" },
-      json: { type: "boolean", default: false },
-      "scan-all": { type: "boolean", default: false },
-      "base-lockfile": { type: "string" },
-      workspace: { type: "string", short: "w" },
-      debug: { type: "boolean", default: false },
-      "no-config": { type: "boolean", default: false },
-      help: { type: "boolean", default: false },
-      version: { type: "boolean", default: false }
-    },
-    allowPositionals: true,
-    strict: false
-  });
-  if (values.help) {
-    process.stdout.write(USAGE);
-    process.exit(0);
-  }
-  if (values.version) {
-    process.stdout.write(`dependency-guardian v${getVersion()}
-`);
-    process.exit(0);
-  }
-  const command = positionals[0] ?? "scan";
-  const noConfig = values["no-config"];
-  const dgrc = noConfig ? {} : loadDgrc();
-  const apiKey = dgrc.apiKey ?? "";
-  if (!apiKey) {
-    process.stderr.write(
-      "Error: Not logged in. Run `dg login` to authenticate.\n"
-    );
-    process.exit(1);
-  }
-  const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? "warn";
-  if (!["block", "warn", "off"].includes(modeRaw)) {
-    process.stderr.write(
-      `Error: Invalid mode "${modeRaw}". Must be block, warn, or off.
-`
-    );
-    process.exit(1);
-  }
-  const allowlistRaw = values.allowlist ?? process.env.DG_ALLOWLIST ?? "";
-  const blockThreshold = Number(values["block-threshold"] ?? dgrc.blockThreshold ?? "70");
-  const warnThreshold = Number(values["warn-threshold"] ?? dgrc.warnThreshold ?? "60");
-  const maxPackages = Number(values["max-packages"] ?? dgrc.maxPackages ?? "200");
-  const debug = values.debug || process.env.DG_DEBUG === "1";
-  if (isNaN(blockThreshold) || blockThreshold < 0 || blockThreshold > 100) {
-    process.stderr.write("Error: --block-threshold must be a number between 0 and 100\n");
-    process.exit(1);
-  }
-  if (isNaN(warnThreshold) || warnThreshold < 0 || warnThreshold > 100) {
-    process.stderr.write("Error: --warn-threshold must be a number between 0 and 100\n");
-    process.exit(1);
-  }
-  if (isNaN(maxPackages) || maxPackages < 1 || maxPackages > 1e4) {
-    process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
-    process.exit(1);
-  }
-  return {
-    apiKey,
-    apiUrl: values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com",
-    mode: modeRaw,
-    blockThreshold,
-    warnThreshold,
-    maxPackages,
-    allowlist: allowlistRaw ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean) : dgrc.allowlist ?? [],
-    json: values.json,
-    scanAll: values["scan-all"],
-    baseLockfile: values["base-lockfile"] ?? null,
-    workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
-    command,
-    debug
-  };
-}
-
 // src/bin.ts
+init_config();
 init_npm_wrapper();
 
 // src/update-check.ts
@@ -41824,8 +41835,7 @@ function spawnBackgroundUpdate(version) {
   try {
     const child = spawn2("npm", ["install", "-g", `${PKG_NAME}@${version}`], {
       detached: true,
-      stdio: "ignore",
-      shell: true
+      stdio: "ignore"
     });
     child.unref();
   } catch {
@@ -41887,10 +41897,20 @@ async function runUpdate(currentVersion) {
 }
 
 // src/bin.ts
-var CLI_VERSION = "1.0.4";
+var CLI_VERSION = getVersion();
 var isInteractive = process.stdout.isTTY === true && !process.env.CI && !process.env.NO_COLOR;
 async function main() {
   const rawCommand = process.argv[2];
+  if (!rawCommand || rawCommand === "--help" || rawCommand === "-h") {
+    const { USAGE: USAGE3 } = await Promise.resolve().then(() => (init_config(), config_exports));
+    process.stdout.write(USAGE3);
+    return;
+  }
+  if (rawCommand === "--version" || rawCommand === "-v") {
+    process.stdout.write(`dependency-guardian v${CLI_VERSION}
+`);
+    return;
+  }
   if (rawCommand === "wrap") {
     handleWrapCommand();
     return;
@@ -41921,7 +41941,7 @@ async function main() {
     const { clearCredentials: clearCredentials2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
     clearCredentials2();
     const chalk9 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-    process.stderr.write(chalk9.green("  Logged out.") + chalk9.dim(" API key removed from ~/.dgrc.json\n"));
+    process.stderr.write(chalk9.green("  Logged out.\n"));
     return;
   }
   const config = parseConfig(process.argv);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@westbayberry/dg",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Supply chain security scanner — scan npm dependencies in any CI or terminal",
   "bin": {
     "dependency-guardian": "dist/index.mjs",