@westbayberry/dg 1.3.3 → 2.0.0

package/LICENSE

@@ -1,201 +1 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for describing the origin of the Work and
-      reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Support. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or support.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed" page as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright 2026 WestBayBerry
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+UNLICENSED

package/NOTICE

@@ -1,4 +1 @@
-Dependency Guardian CLI
-Copyright 2026 WestBayBerry
-
-This product includes software developed at WestBayBerry (https://westbayberry.com).
+Dependency Guardian dg CLI

package/README.md

@@ -0,0 +1,293 @@
+# @westbayberry/dg
+
+Dependency Guardian's command-line scanner. It checks the packages you are
+about to install or publish and tells you whether Dependency Guardian
+verified them, flagged them, or blocked them — before they reach your machine.
+
+## Install
+
+```bash
+npm install -g @westbayberry/dg
+```
+
+Requires Node.js >= 22.14. The npm package is zero-footprint on install: it
+adds only the `dg` binary and runs no install lifecycle scripts. Persistent
+shell/shim changes happen only when you run `dg setup` explicitly.
+
+## Quickstart
+
+Scan the project in the current directory:
+
+```bash
+dg scan
+```
+
+`dg scan` shows a full-screen results browser in an interactive terminal and
+prints plain text or machine output otherwise. Exit code 0 means DG verified
+the project, 2 means DG blocked it.
+
+## Core concepts
+
+**Verdicts.** Every result is one of three states: **PASS** (DG verified),
+**WARN** (DG flagged — review advised), or **BLOCK** (DG blocked — do not
+install). The exit code follows the verdict.
+
+**The server is the verdict source.** For authenticated registry checks and the
+install firewall, the Dependency Guardian scanner returns the verdict and the
+CLI displays it; the CLI never derives a verdict from a local score. If the
+server is unreachable, `dg scan` falls back to local heuristics and marks the
+report as such (`scannerUnavailable` in JSON output) rather than failing
+silently.
+
+**The install firewall.** Prefix a package-manager command with `dg`
+(`dg npm install left-pad`) to route the install through Dependency Guardian.
+The CLI streams the package manager's live output, computes each artifact's
+SHA-256, asks the scanner for a verdict, and blocks the bytes before delivery
+on a BLOCK verdict. A block exits 2 and prints the override command; a warn
+prompts `Proceed? [y/N]` (default No) in a TTY. Passthrough commands (those
+that fetch nothing) run without a proxy.
+
+## Common examples
+
+Scan only staged files in a pre-commit context:
+
+```bash
+dg scan --staged
+```
+
+Verify a specific published package against the scanner:
+
+```bash
+dg verify npm:left-pad@1.3.0
+```
+
+Install a package through the firewall:
+
+```bash
+dg npm install is-number@7.0.0
+```
+
+Check what you are about to publish for leaked secrets and risky lifecycle
+scripts, fully locally:
+
+```bash
+dg audit . --local
+```
+
+Produce CI-friendly machine output:
+
+```bash
+dg scan --sarif --output dg-scan.sarif
+```
+
+Protect every commit in a repository:
+
+```bash
+dg guard-commit install
+```
+
+## Command reference
+
+### dg scan [path]
+
+Scans package manifests and supported lockfiles for the project at `path` (the
+current directory by default). Reads manifests only — it never runs package
+scripts, installs dependencies, loads project-local config, or changes setup
+state.
+
+- Flags: `--staged`, `--json`, `--sarif`, `--output <file>`.
+- Output: TUI in a rich TTY, text or machine output otherwise.
+- Exit codes: 0 PASS, 1 WARN (strict mode upgrades WARN to 2), 2 BLOCK,
+  4 analysis incomplete, 10 nothing to scan. Server unreachable falls back to
+  local heuristics and sets `scannerUnavailable` in JSON.
+
+### dg verify <spec | path | lockfile>
+
+Two paths, one exit-code contract.
+
+- `dg verify npm:<pkg>` / `dg verify pypi:<pkg>` runs an authenticated scanner
+  check and nudges you to sign in when logged out. Flags: `--json`, `--output`,
+  `--verbose`.
+- `dg verify <path | lockfile>` runs a local advisory check on a package
+  directory, workspace, lockfile, or `.tgz`/`.tar.gz`/`.zip`/`.whl` archive.
+  Archive verification computes SHA-256 and checks archive paths before reading;
+  it never extracts to disk or runs package code. Flags: `--json`, `--sarif`,
+  `--output`.
+- Exit codes (both paths): 0 PASS, 1 WARN (or scan error on the advisory path),
+  2 BLOCK, 4 analysis incomplete (registry path).
+
+### dg audit [path]
+
+Inspects exactly the resolved publish set of one package — never the whole
+repo — for leaked secrets, private keys, source-control and build-artifact
+leakage, and suspicious lifecycle-script strings. Basic checks run 100% locally
+and upload nothing. On a paid plan, with org policy allowing it and only after
+explicit consent, the deep audit uploads a packed copy of an npm package to the
+scanner for a behavioral scan: no lifecycle scripts are run, raw bytes are never
+retained, and only the verdict plus redacted findings reach your dashboard.
+
+- Flags: `--json`, `--output`/`-o`, `--local` (skip the deep upload),
+  `--require-deep` (fail if the deep audit could not run), `--fail-on
+  <warn | block>`.
+- Exit codes: 0 clean (WARN counts as clean under the default `--fail-on
+  block`), 1 WARN with `--fail-on warn`, 2 BLOCK, 3 deep audit required but
+  unavailable, 4 analysis incomplete.
+
+### dg licenses [path]
+
+Reports license metadata from local manifests and supported lockfiles without
+calling package managers or loading project-local config.
+
+- Flags: `--json`, `--csv`, `--output <file>`, `--fail-on <risk[,risk...]>`,
+  `--deny-license <id>`.
+- Exit codes: 0 clean, 1 when a license gate trips.
+
+### Package-manager prefixes (the install firewall)
+
+`dg npm`, `dg npx`, `dg pnpm`, `dg pnpx`, `dg yarn`, `dg pip`, `dg pipx`,
+`dg uv`, `dg uvx`, `dg cargo` route protected install/fetch commands through
+the per-invocation proxy. `dg yarn` claims Yarn classic only; `dg bun`,
+`dg conda`, and `dg mamba` and Yarn Berry remain gated and fail visibly before
+spawning.
+
+- Live output and stdin pass through; the install decision renders after the
+  child exits.
+- A BLOCK exits 2 with an override hint. Override with `--dg-force-install`,
+  which is gated by `policy.allowForceOverride` and audited.
+- A WARN prompts `Proceed? [y/N]` (default No) in a TTY.
+- Signal deaths exit `128 + n`.
+
+### dg guard-commit
+
+Installs a per-repo, reversible git pre-commit hook that scans staged changes.
+
+- Subcommands/flags: `install`, `off` (`remove`/`uninstall`), `--check`,
+  `--print`, `--yes`.
+- Chains any pre-existing pre-commit hook; `dg guard-commit off` removes only
+  the dg-owned hook.
+
+### dg setup / dg uninstall / dg doctor
+
+- `dg setup` (POSIX only; `win32` exits 69) writes dg-owned package-manager
+  shims under `~/.dg/shims` and a sentinel block in your shell rc, recording
+  every write in the cleanup registry. `--print` shows the plan without
+  changing files; `--yes` applies it; `--service` opts into service mode.
+- `dg uninstall` reverses dg-owned writes and leaves user content untouched.
+  Flags: `--yes`, `--keep-config`, `--all`, `--service`. `--all` conflicts
+  with `--keep-config`.
+- `dg doctor` reports local setup health and prints concrete unavailable
+  status for optional gates (Windows, Python `.pth` hook, git hooks, Bun, Yarn
+  Berry, conda, mamba) instead of claiming them. `--json` for machine output.
+
+### dg service
+
+Explicit, reversible service mode: `dg service start | stop | restart | status
+| doctor | uninstall`, plus consent-gated `dg service trust install |
+uninstall`. Trust records store only public certificate fingerprints, provider,
+target, and timestamps — never private keys. `dg service status`/`doctor`
+detect stale runtime state and `dg service restart` clears it.
+
+### dg login / dg logout
+
+`dg login` stores a user-local auth token under the dg config directory and
+prints only a redacted preview. `dg logout --yes` removes that auth file
+without touching setup state or user config.
+
+### dg config
+
+`dg config set <key> <value>`, `dg config get <key>`, `dg config list`
+(`--json`). Keys: `api.baseUrl`, `org.id`, `policy.mode`,
+`policy.trustProjectAllowlists`, `policy.allowForceOverride`,
+`policy.scriptHardening`, `telemetry.enabled`, `webhooks.enabled`.
+
+### dg update / dg upgrade
+
+Check the latest published version when registry metadata is available and
+print the exact `npm install -g @westbayberry/dg@<version>` command. They never
+run the package manager themselves. `upgrade` is an alias of `update`; `--json`
+for machine output.
+
+### dg status / dg explain / dg completion
+
+- `dg status` reports auth, API, and prefix-mode state for the current machine.
+- `dg explain <id>` returns the explanation and next step for a firewall cause
+  or local scan finding.
+- `dg completion <bash | zsh | fish>` prints a shell completion script.
+
+## Configuration
+
+Config lives in `~/.dg/config.json` (mode 0600). Set values with `dg config
+set`.
+
+| Key | Purpose |
+| --- | --- |
+| `api.baseUrl` | Dependency Guardian API endpoint |
+| `org.id` | Organization the CLI reports to |
+| `policy.mode` | `off`, `warn`, `block`, or `strict` |
+| `policy.trustProjectAllowlists` | Whether project-local allowlists are trusted |
+| `policy.allowForceOverride` | Whether `--dg-force-install` is permitted |
+| `policy.scriptHardening` | Preserve script-disabling flags; never re-enable scripts |
+| `telemetry.enabled` | Telemetry (off by default) |
+| `webhooks.enabled` | Webhook outbox delivery |
+
+Project-local allowlists never suppress an install firewall block unless
+user-global or org policy explicitly trusts them.
+
+### Environment variables
+
+- `DG_API_TOKEN` — auth token; overrides the token stored in the config file.
+- `DG_PRIVATE_REGISTRY_HOSTS` — comma-separated hosts whose URL-fallback
+  artifacts are eligible for private-registry scan upload.
+- `DG_SCAN_TARBALL_UPLOAD` — set to `1` to enable private-registry artifact
+  upload to `/v1/scan-tarball` (requires `DG_API_TOKEN`).
+- `DG_SERVICE_TRUST_STORE_BACKEND` / `DG_SERVICE_TRUST_STORE_DIR` — for
+  CI/Docker, set the backend to `file` and a directory to copy the active
+  public CA certificate into an image-local trust directory without touching
+  the host OS trust store.
+- `NO_COLOR` / `FORCE_COLOR` — disable or force ANSI color output.
+
+## Exit codes
+
+Codes shared by every command:
+
+| Code | Meaning |
+| --- | --- |
+| 0 | PASS / clean |
+| 1 | WARN |
+| 2 | BLOCK, or a usage error |
+| 4 | analysis incomplete |
+| 69 | command unavailable or gated on this platform |
+| 70 | internal error |
+| 128 + n | child killed by signal n (firewall installs) |
+| 130 / 143 | interrupted (SIGINT / SIGTERM) |
+
+Per-command specifics:
+
+- `dg scan`: strict mode upgrades WARN (1) to BLOCK (2); 10 means nothing to
+  scan.
+- `dg audit`: 3 means a deep audit was required but unavailable; under the
+  default `--fail-on block`, WARN exits 0.
+- `dg verify` (registry path): 4 means analysis incomplete; the advisory path
+  reports a scan error as 1.
+
+## Troubleshooting
+
+Run `dg doctor` first — it reports Node version, package health, config
+readability, shim/PATH state, and which optional gates are unavailable.
+
+- "Scanner unavailable" / `scannerUnavailable` in JSON: the API was
+  unreachable and `dg scan` fell back to local heuristics. Check `api.baseUrl`
+  and network access.
+- A safe package was blocked: confirm `policy.mode`; `strict` upgrades WARN to
+  BLOCK. Use `dg explain <id>` to see the cause.
+- An install firewall block you need to override: rerun with
+  `--dg-force-install`, allowed only when `policy.allowForceOverride` is set;
+  the override is audited.
+- `dg setup` exits 69 on Windows: setup is POSIX-only.
+- An older `dg` runs instead of the installed one: run `which -a dg` and fix
+  PATH precedence.
+
+## Links
+
+- Documentation: https://westbayberry.com/docs
+- Pricing: https://westbayberry.com/pricing