bastion-scan 0.1.3 → 0.2.1

package/README.md

@@ -1,6 +1,6 @@
 <p align="center">
   <strong>BASTION</strong><br/>
-  <em>Security scanner for web projects. Runs locally. Explains what it finds.</em>
+  <em>Security scanner for Cursor-generated code. Runs locally. Explains what it finds.</em>
 </p>
 
 <p align="center">
@@ -16,7 +16,7 @@
 
 Bastion scans your code for security issues and tells you how to fix them. It runs on your machine, never uploads your code, and works with any Node.js project.
 
-AI tools help you build fast, but they regularly ship hardcoded secrets, missing headers, and injection vectors. Enterprise scanners cost £300+/mo and drown you in jargon. Bastion is the middle ground: it catches the stuff that actually matters and explains it in plain English.
+Cursor (and other AI coding tools) help you build fast, but they regularly ship hardcoded secrets, missing headers, and injection vectors. Enterprise scanners cost £300+/mo and drown you in jargon. Bastion is the middle ground: it catches the stuff that actually matters and explains it in plain English.
 
 Every finding comes with a prompt you can paste into Claude, ChatGPT, or Copilot to get a fix tailored to your stack.
 
@@ -25,10 +25,7 @@ Every finding comes with a prompt you can paste into Claude, ChatGPT, or Copilot
 ## Quick Start
 
 ```bash
-# Install globally
-npm install -g bastion-scan
-
-# Scan your project
+# Scan your project (no install required)
 npx bastion-scan scan
 
 # Scan a live URL (headers, SSL, security.txt)
@@ -41,6 +38,35 @@ npx bastion-scan scan --format json
 npx bastion-scan scan --generate-configs
 ```
 
+If you run scans frequently, install globally:
+
+```bash
+npm install -g bastion-scan
+bastion scan
+```
+
+---
+
+## Tuned for Cursor users
+
+Bastion includes detection rules tuned for patterns that Cursor's AI tends to produce: env vars exposed in client components, missing helmet middleware, Supabase service role keys leaked client-side, placeholder auth that looks real but verifies nothing. Other scanners use generic OWASP rules. Bastion knows what Cursor writes.
+
+Works with Lovable, Replit, Bolt, v0, and any other AI coding tool too — the checks are universal.
+
+### Cursor users: add this to `.cursorignore` first
+
+`.gitignore` stops secrets from being committed, but Cursor's codebase indexer still reads `.gitignore`d files by default. Add a `.cursorignore` file to prevent Cursor from ever seeing your secrets:
+
+```
+.env
+.env.*
+*.pem
+*.key
+secrets/
+```
+
+This single step prevents your keys from leaking into Cursor's context window — and into any AI-generated code that references them.
+
 ---
 
 ## What it checks
@@ -59,6 +85,9 @@ npx bastion-scan scan --generate-configs
 | Rate limiting | Looks for `express-rate-limit`, `@upstash/ratelimit`, etc. |
 | Auth method | Flags hand-rolled auth, suggests Clerk/Supabase/NextAuth |
 | `security.txt` URL | Fetches and validates the remote file |
+| Cookie security | Checks `Set-Cookie` flags: `HttpOnly`, `Secure`, `SameSite` |
+| Server disclosure | Flags `Server` headers that leak software versions |
+| DMARC record | Verifies email authentication policy via DNS |
 
 ### Stack detection
 
@@ -124,16 +153,16 @@ The web dashboard lives at [bastion.wiki](https://bastion.wiki).
 | | Free | Pro | Team |
 |---|---|---|---|
 | **Price** | £0 | £4/mo or £39/yr | £15/mo or £119/yr |
-| CLI checks | 5 | All 12 | All 12 |
-| URL scans | 1/day | Unlimited | Unlimited |
-| AI prompts | 3/scan | Unlimited | Unlimited |
-| Config generators | | Yes | Yes |
-| Security badge | | Yes | Yes |
-| GitHub Action | | Public repos | All repos |
+| URL scans | Unlimited | Unlimited | Unlimited |
+| CLI scans | 10/month | Unlimited | Unlimited |
+| AI fix prompts | — | Unlimited | Unlimited |
+| Config generators | — | Yes | Yes |
+| Security badge | — | Yes | Yes |
+| GitHub Action | — | Public repos | All repos |
 | Projects | 1 | 3 | Unlimited |
-| Compliance reports | | | Yes |
-| CVE alerts | | | Yes |
-| Score history | | | Yes |
+| Compliance reports | — | — | Yes |
+| CVE alerts | — | — | Yes |
+| Score history | — | — | Yes |
 
 Annual plans save 2 months. All plans come with a 14-day free trial.
 
@@ -193,7 +222,7 @@ Floor is 0. Only `fail` results deduct. `warn`, `skip`, and `pass` don't affect
 ```
 bastion/
 ├── packages/
-│   ├── cli/          # npx bastion-scan scan, 12 checks, 3 reporters
+│   ├── cli/          # npx bastion-scan scan, 15 checks, 3 reporters
 │   ├── shared/       # Types, checklist data, OWASP data, tools
 │   └── web/          # Next.js 14 dashboard
 └── docs/playbooks/   # Stack-specific security guides

package/dist/index.js

@@ -5,13 +5,15 @@ import { createRequire } from "module";
 
 // src/cli.ts
 import { Command, Option } from "commander";
-import chalk2 from "chalk";
+import chalk3 from "chalk";
 import ora from "ora";
-import { OUTPUT_FORMATS } from "bastion-shared";
+
+// ../shared/dist/types.js
+var OUTPUT_FORMATS = ["terminal", "json", "markdown"];
 
 // src/scanner.ts
-import { readdir, readFile as readFile9, stat } from "fs/promises";
-import { resolve, join as join10, relative } from "path";
+import { readdir as readdir3, readFile as readFile13, stat } from "fs/promises";
+import { resolve, join as join14, relative } from "path";
 
 // src/checks/gitignore.ts
 import { readFile } from "fs/promises";
@@ -196,7 +198,7 @@ var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([
 ]);
 var IGNORED_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", "build", ".git", "tests", "__tests__", "test", "fixtures"]);
 var SECRET_PATTERNS = [
-  // ── OpenAI ──────────────────────────────────────────────────────────────
+  // -- OpenAI ------------------------------------------------------------------
   {
     name: "OpenAI API key (project)",
     regex: /sk-proj-[a-zA-Z0-9_-]{20,}/,
@@ -215,7 +217,7 @@ var SECRET_PATTERNS = [
     description: "OpenAI API key detected",
     severity: "critical"
   },
-  // ── Anthropic ───────────────────────────────────────────────────────────
+  // -- Anthropic ---------------------------------------------------------------
   {
     name: "Anthropic API key",
     regex: /sk-ant-api[0-9]{2}-[a-zA-Z0-9_-]{40,}/,
@@ -228,7 +230,7 @@ var SECRET_PATTERNS = [
     description: "Anthropic admin API key detected",
     severity: "critical"
   },
-  // ── GitHub ──────────────────────────────────────────────────────────────
+  // -- GitHub ------------------------------------------------------------------
   {
     name: "GitHub PAT (classic)",
     regex: /ghp_[a-zA-Z0-9]{36}/,
@@ -259,7 +261,7 @@ var SECRET_PATTERNS = [
     description: "GitHub refresh token detected",
     severity: "critical"
   },
-  // ── Stripe ──────────────────────────────────────────────────────────────
+  // -- Stripe ------------------------------------------------------------------
   {
     name: "Stripe secret key",
     regex: /sk_live_[a-zA-Z0-9]{24,}/,
@@ -284,21 +286,21 @@ var SECRET_PATTERNS = [
     description: "Stripe test secret key detected",
     severity: "high"
   },
-  // ── AWS ─────────────────────────────────────────────────────────────────
+  // -- AWS ---------------------------------------------------------------------
   {
     name: "AWS access key",
     regex: /AKIA[0-9A-Z]{16}/,
     description: "AWS access key ID detected",
     severity: "critical"
   },
-  // ── Google ──────────────────────────────────────────────────────────────
+  // -- Google ------------------------------------------------------------------
   {
     name: "Google API key",
     regex: /AIza[a-zA-Z0-9_-]{35}/,
     description: "Google API key detected",
     severity: "critical"
   },
-  // ── Slack ───────────────────────────────────────────────────────────────
+  // -- Slack -------------------------------------------------------------------
   {
     name: "Slack bot token",
     regex: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}/,
@@ -317,7 +319,7 @@ var SECRET_PATTERNS = [
     description: "Slack incoming webhook URL detected",
     severity: "high"
   },
-  // ── Generic ─────────────────────────────────────────────────────────────
+  // -- Generic -----------------------------------------------------------------
   {
     name: "Generic API key assignment",
     regex: /(?:api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9_\-/.]{8,}['"]/i,
@@ -856,7 +858,7 @@ function isConnectionError(error) {
   return CONNECTION_ERROR_PATTERNS.some((code) => combined.includes(code));
 }
 function delay(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
 }
 async function fetchWithRetry(url, init) {
   for (let attempt = 1; attempt <= 2; attempt++) {
@@ -1154,7 +1156,7 @@ var CONNECTION_ERRORS = /* @__PURE__ */ new Set([
   "EHOSTUNREACH"
 ]);
 function verifyCertificate(hostname, port) {
-  return new Promise((resolve2, reject) => {
+  return new Promise((resolve3, reject) => {
     let settled = false;
     const socket = tlsConnect(
       { host: hostname, port, servername: hostname, rejectUnauthorized: true },
@@ -1162,7 +1164,7 @@ function verifyCertificate(hostname, port) {
         if (settled) return;
         settled = true;
         socket.destroy();
-        resolve2();
+        resolve3();
       }
     );
     socket.setTimeout(TIMEOUT_MS);
@@ -1181,7 +1183,7 @@ function verifyCertificate(hostname, port) {
   });
 }
 function checkHttpsRedirect(hostname) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     let settled = false;
     const req = httpRequest(
       { hostname, port: 80, method: "HEAD", path: "/" },
@@ -1191,27 +1193,27 @@ function checkHttpsRedirect(hostname) {
         const status = res.statusCode ?? 0;
         const location = res.headers.location ?? "";
         const isRedirect = status >= 300 && status < 400;
-        resolve2(isRedirect && location.startsWith("https://"));
+        resolve3(isRedirect && location.startsWith("https://"));
       }
     );
     req.setTimeout(TIMEOUT_MS);
     req.on("timeout", () => {
       if (settled) return;
       settled = true;
-      resolve2(false);
+      resolve3(false);
       req.destroy();
     });
     req.on("error", () => {
       if (settled) return;
       settled = true;
-      resolve2(false);
+      resolve3(false);
     });
     req.end();
   });
 }
 var RETRY_DELAY_MS2 = 2e3;
 function delay2(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
 }
 async function verifyCertificateWithRetry(hostname, port) {
   try {
@@ -1983,7 +1985,7 @@ var auth_default = authCheck;
 var CHECK_ID8 = "cookies";
 var CATEGORY4 = "cookies";
 function parseCookie(raw) {
-  const name = raw.split("=")[0].trim();
+  const name = (raw.split("=")[0] ?? "").trim();
   const lower = raw.toLowerCase();
   return {
     name,
@@ -2236,7 +2238,7 @@ var dmarcCheck = async (context) => {
     }];
   }
   const policyMatch = dmarc.match(/;\s*p\s*=\s*(reject|quarantine|none)/i);
-  const policy = policyMatch ? policyMatch[1].toLowerCase() : "unknown";
+  const policy = policyMatch?.[1]?.toLowerCase() ?? "unknown";
   if (policy === "reject") {
     return [{
       id: CHECK_ID10,
@@ -2272,6 +2274,593 @@ var dmarcCheck = async (context) => {
 };
 var dmarc_default = dmarcCheck;
 
+// src/checks/supply-chain/ignore-scripts.ts
+import { readFile as readFile9 } from "fs/promises";
+import { join as join10 } from "path";
+var CHECK_ID11 = "ignore-scripts";
+var CHECK_NAME4 = "ignore-scripts protection";
+var CATEGORY7 = "supply-chain";
+function parseNpmrc(content) {
+  const result = {};
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith(";")) {
+      continue;
+    }
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    const value = trimmed.slice(eqIndex + 1).trim();
+    if (key) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+var ignoreScriptsCheck = async (context) => {
+  let content;
+  try {
+    content = await readFile9(join10(context.projectPath, ".npmrc"), "utf-8");
+  } catch (error) {
+    const isNotFound = error instanceof Error && "code" in error && error.code === "ENOENT";
+    if (isNotFound) {
+      return [
+        {
+          id: CHECK_ID11,
+          name: CHECK_NAME4,
+          status: "warn",
+          severity: "medium",
+          category: CATEGORY7,
+          location: ".npmrc",
+          description: "No .npmrc file found. Without ignore-scripts=true, malicious postinstall scripts in dependencies will execute during npm install. This was the primary attack vector for Shai-Hulud and similar worm-style attacks.",
+          fix: "Create .npmrc in the project root and add:\n  ignore-scripts=true",
+          aiPrompt: "My project has no .npmrc file. Create one with ignore-scripts=true to prevent malicious postinstall scripts from running during npm install. Explain what legitimate postinstall scripts I might need to run manually after installing with this setting enabled."
+        }
+      ];
+    }
+    return [
+      {
+        id: CHECK_ID11,
+        name: CHECK_NAME4,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY7,
+        description: `Check failed: ${error instanceof Error ? error.message : String(error)}`
+      }
+    ];
+  }
+  const config = parseNpmrc(content);
+  if (config["ignore-scripts"] === "true") {
+    return [
+      {
+        id: CHECK_ID11,
+        name: CHECK_NAME4,
+        status: "pass",
+        severity: "info",
+        category: CATEGORY7,
+        location: ".npmrc",
+        description: "ignore-scripts=true is configured \u2014 postinstall scripts are blocked by default"
+      }
+    ];
+  }
+  return [
+    {
+      id: CHECK_ID11,
+      name: CHECK_NAME4,
+      status: "warn",
+      severity: "medium",
+      category: CATEGORY7,
+      location: ".npmrc",
+      description: "Project does not have ignore-scripts=true configured. Without this setting, malicious postinstall scripts in dependencies will execute during npm install. This was the primary attack vector for Shai-Hulud and similar worm-style attacks.",
+      fix: "Edit .npmrc in the project root and add:\n  ignore-scripts=true",
+      aiPrompt: "My project .npmrc does not have ignore-scripts=true. Update it to add this setting. Explain what legitimate postinstall scripts I might need to run manually after installing with this setting enabled, and how to allowlist specific packages if needed."
+    }
+  ];
+};
+var ignore_scripts_default = ignoreScriptsCheck;
+
+// src/checks/supply-chain/compromised-deps.ts
+import { readFile as readFile10 } from "fs/promises";
+import { join as join11 } from "path";
+import { satisfies } from "semver";
+
+// src/data/compromised-packages.ts
+var COMPROMISED_PACKAGES = [
+  // 1. event-stream -- cryptocurrency wallet theft (2018)
+  {
+    name: "event-stream",
+    versionRange: "=3.3.6",
+    advisoryId: "GHSA-mh6f-8j2x-4483",
+    source: "manual",
+    dateAdded: "2026-05-23",
+    description: "Backdoor injected via flatmap-stream dependency targeting Copay bitcoin wallet private keys."
+  },
+  // 2. ua-parser-js -- account takeover, cryptominer (2021)
+  {
+    name: "ua-parser-js",
+    versionRange: "=0.7.29 || =0.8.0 || =1.0.0",
+    advisoryId: "GHSA-pjwm-rvh2-c87w",
+    source: "manual",
+    dateAdded: "2026-05-23",
+    description: "npm account compromised; three versions published with cryptominer and password stealer."
+  },
+  // 3. coa -- credential harvesting (2021)
+  {
+    name: "coa",
+    versionRange: "=2.0.3 || =2.0.4 || =2.1.1 || =2.1.3 || =3.0.1 || =3.1.3",
+    advisoryId: "GHSA-73qr-pfmq-6rp8",
+    source: "manual",
+    dateAdded: "2026-05-23",
+    description: "npm account compromised; six malicious versions published with credential-harvesting payload."
+  },
+  // 4. rc -- credential harvesting (2021, same campaign as coa)
+  {
+    name: "rc",
+    versionRange: "=1.2.9 || =1.3.9 || =2.3.9",
+    advisoryId: "GHSA-g2q5-5433-rhrf",
+    source: "manual",
+    dateAdded: "2026-05-23",
+    description: "npm account compromised in the same campaign as coa; three malicious versions with credential-harvesting payload."
+  },
+  // 5. node-ipc -- destructive protestware (2022)
+  {
+    name: "node-ipc",
+    versionRange: ">=10.1.1 <10.1.3",
+    advisoryId: "GHSA-97m3-w2cp-4xx6",
+    source: "manual",
+    dateAdded: "2026-05-23",
+    description: "Maintainer added code to overwrite files with heart emojis on systems with Russian or Belarusian IP addresses."
+  },
+  // 6. node-ipc -- hidden functionality (2022, same maintainer)
+  {
+    name: "node-ipc",
+    versionRange: "=9.2.2",
+    advisoryId: "GHSA-8gr3-2gjw-jj7g",
+    source: "manual",
+    dateAdded: "2026-05-23",
+    description: "Hidden functionality added by maintainer in a separate version line from the destructive 10.1.x protestware."
+  },
+  // 7. faker -- sabotaged by maintainer (2022)
+  {
+    name: "faker",
+    versionRange: "=6.6.6",
+    advisoryId: "GHSA-5w9c-rv96-fr7g",
+    source: "manual",
+    dateAdded: "2026-05-23",
+    description: "Maintainer replaced all functional code with empty exports as a protest. Still live on npm as latest. Use @faker-js/faker instead."
+  }
+];
+
+// src/checks/supply-chain/compromised-deps.ts
+var CHECK_ID12 = "compromised-deps";
+var CHECK_NAME5 = "Compromised package detection";
+var CATEGORY8 = "supply-chain";
+function getDirectDeps(packageJson) {
+  const deps = packageJson["dependencies"] ?? {};
+  const devDeps = packageJson["devDependencies"] ?? {};
+  return [...Object.keys(deps), ...Object.keys(devDeps)];
+}
+function resolveVersionFromLockfile(lockfile, packageName) {
+  const packages = lockfile["packages"];
+  if (!packages) return void 0;
+  const entry = packages[`node_modules/${packageName}`];
+  if (!entry) return void 0;
+  const version = entry["version"];
+  return typeof version === "string" ? version : void 0;
+}
+function findCompromisedMatch(packageName, installedVersion, list = COMPROMISED_PACKAGES) {
+  return list.find(
+    (entry) => entry.name === packageName && satisfies(installedVersion, entry.versionRange)
+  );
+}
+var compromisedDepsCheck = async (context) => {
+  if (!context.packageJson) {
+    return [
+      {
+        id: CHECK_ID12,
+        name: CHECK_NAME5,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY8,
+        description: "No package.json found \u2014 skipping compromised dependency check."
+      }
+    ];
+  }
+  let lockfileContent;
+  try {
+    lockfileContent = await readFile10(join11(context.projectPath, "package-lock.json"), "utf-8");
+  } catch (error) {
+    const isNotFound = error instanceof Error && "code" in error && error.code === "ENOENT";
+    if (isNotFound) {
+      return [
+        {
+          id: CHECK_ID12,
+          name: CHECK_NAME5,
+          status: "skip",
+          severity: "info",
+          category: CATEGORY8,
+          description: "No package-lock.json found \u2014 skipping compromised dependency check. This check requires an npm lockfile to resolve installed versions."
+        }
+      ];
+    }
+    return [
+      {
+        id: CHECK_ID12,
+        name: CHECK_NAME5,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY8,
+        description: `Check failed: ${error instanceof Error ? error.message : String(error)}`
+      }
+    ];
+  }
+  let lockfile;
+  try {
+    lockfile = JSON.parse(lockfileContent);
+  } catch {
+    return [
+      {
+        id: CHECK_ID12,
+        name: CHECK_NAME5,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY8,
+        description: "package-lock.json contains malformed JSON \u2014 cannot check dependencies."
+      }
+    ];
+  }
+  if (COMPROMISED_PACKAGES.length === 0) {
+    return [
+      {
+        id: CHECK_ID12,
+        name: CHECK_NAME5,
+        status: "pass",
+        severity: "info",
+        category: CATEGORY8,
+        description: "Compromised package list is empty \u2014 no packages to check against."
+      }
+    ];
+  }
+  const directDeps = getDirectDeps(context.packageJson);
+  const findings = [];
+  for (const depName of directDeps) {
+    const installedVersion = resolveVersionFromLockfile(lockfile, depName);
+    if (!installedVersion) continue;
+    const match = findCompromisedMatch(depName, installedVersion);
+    if (match) {
+      findings.push({
+        id: CHECK_ID12,
+        name: CHECK_NAME5,
+        status: "fail",
+        severity: "high",
+        category: CATEGORY8,
+        location: `package-lock.json (${depName}@${installedVersion})`,
+        description: `Compromised package detected: ${depName}@${installedVersion}. Match: ${match.versionRange} (${match.source}, ${match.advisoryId}). Date added to list: ${match.dateAdded}. ${match.description}`,
+        fix: `Remove ${depName} or pin to a version outside the compromised range (${match.versionRange}). Run \`npm audit\` for additional details.`,
+        aiPrompt: `My project depends on ${depName}@${installedVersion} which is flagged as compromised (${match.advisoryId}). Help me find a safe alternative or a patched version. Explain what the compromise does and whether my project is affected.`
+      });
+    }
+  }
+  if (findings.length === 0) {
+    return [
+      {
+        id: CHECK_ID12,
+        name: CHECK_NAME5,
+        status: "pass",
+        severity: "info",
+        category: CATEGORY8,
+        description: `No compromised packages found among ${directDeps.length} direct dependencies.`
+      }
+    ];
+  }
+  return findings;
+};
+var compromised_deps_default = compromisedDepsCheck;
+
+// src/checks/supply-chain/npm-ci.ts
+import { readFile as readFile11, readdir } from "fs/promises";
+import { join as join12 } from "path";
+import { parse as parseYaml } from "yaml";
+var CHECK_ID13 = "npm-ci";
+var CHECK_NAME6 = "npm ci in CI workflows";
+var CATEGORY9 = "supply-chain";
+function isProblematicNpmCommand(cmdLine) {
+  const trimmed = cmdLine.trim();
+  const hasNpmInstall = /\bnpm\s+install\b/.test(trimmed) || /\bnpm\s+i\b/.test(trimmed);
+  if (!hasNpmInstall) return false;
+  if (/\s-g\b/.test(trimmed) || /\s--global\b/.test(trimmed)) return false;
+  return true;
+}
+function extractRunCommands(parsedYaml) {
+  if (!parsedYaml || typeof parsedYaml !== "object") return [];
+  const workflow = parsedYaml;
+  const jobs = workflow["jobs"];
+  if (!jobs || typeof jobs !== "object") return [];
+  const results = [];
+  for (const job of Object.values(jobs)) {
+    if (!job || typeof job !== "object") continue;
+    const steps = job["steps"];
+    if (!Array.isArray(steps)) continue;
+    for (const step of steps) {
+      if (!step || typeof step !== "object") continue;
+      const stepObj = step;
+      const run = stepObj["run"];
+      if (typeof run !== "string") continue;
+      const stepName = typeof stepObj["name"] === "string" ? stepObj["name"] : void 0;
+      for (const line of run.split(/\r?\n/)) {
+        const trimmed = line.trim();
+        if (trimmed) {
+          results.push({ stepName, command: trimmed });
+        }
+      }
+    }
+  }
+  return results;
+}
+var npmCiCheck = async (context) => {
+  const workflowsDir = join12(context.projectPath, ".github", "workflows");
+  let filenames;
+  try {
+    const entries = await readdir(workflowsDir);
+    filenames = entries.filter((f) => f.endsWith(".yml") || f.endsWith(".yaml"));
+  } catch (error) {
+    const isNotFound = error instanceof Error && "code" in error && error.code === "ENOENT";
+    if (isNotFound) {
+      return [
+        {
+          id: CHECK_ID13,
+          name: CHECK_NAME6,
+          status: "skip",
+          severity: "info",
+          category: CATEGORY9,
+          description: "No .github/workflows/ directory found \u2014 skipping CI workflow check."
+        }
+      ];
+    }
+    return [
+      {
+        id: CHECK_ID13,
+        name: CHECK_NAME6,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY9,
+        description: `Check failed: ${error instanceof Error ? error.message : String(error)}`
+      }
+    ];
+  }
+  if (filenames.length === 0) {
+    return [
+      {
+        id: CHECK_ID13,
+        name: CHECK_NAME6,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY9,
+        description: "No workflow files found in .github/workflows/ \u2014 skipping CI workflow check."
+      }
+    ];
+  }
+  const findings = [];
+  for (const filename of filenames) {
+    let content;
+    try {
+      content = await readFile11(join12(workflowsDir, filename), "utf-8");
+    } catch {
+      continue;
+    }
+    let parsed;
+    try {
+      parsed = parseYaml(content);
+    } catch {
+      continue;
+    }
+    const commands = extractRunCommands(parsed);
+    for (const { stepName, command } of commands) {
+      if (isProblematicNpmCommand(command)) {
+        findings.push({
+          id: CHECK_ID13,
+          name: CHECK_NAME6,
+          status: "warn",
+          severity: "medium",
+          category: CATEGORY9,
+          location: `.github/workflows/${filename}`,
+          description: `CI workflow uses \`npm install\` instead of \`npm ci\`: ${filename}. Step: ${stepName ?? "(unnamed)"}. Command: \`${command}\`. npm install can mutate package-lock.json, bypassing lockfile integrity.`,
+          fix: "Replace `npm install` with `npm ci` which enforces lockfile-based installs.",
+          aiPrompt: `My GitHub Actions workflow ${filename} uses \`npm install\` instead of \`npm ci\`. Explain the security implications of npm install mutating the lockfile in CI, and help me update the workflow to use npm ci correctly. Note any cases where npm install might still be needed (e.g., global tool installs).`
+        });
+      }
+    }
+  }
+  if (findings.length === 0) {
+    return [
+      {
+        id: CHECK_ID13,
+        name: CHECK_NAME6,
+        status: "pass",
+        severity: "info",
+        category: CATEGORY9,
+        description: `All ${filenames.length} workflow file(s) use npm ci or have no npm install commands.`
+      }
+    ];
+  }
+  return findings;
+};
+var npm_ci_default = npmCiCheck;
+
+// src/checks/supply-chain/self-hosted-runner.ts
+import { readFile as readFile12, readdir as readdir2 } from "fs/promises";
+import { join as join13 } from "path";
+import { parse as parseYaml2 } from "yaml";
+var CHECK_ID14 = "self-hosted-runner";
+var CHECK_NAME7 = "Self-hosted runner detection";
+var CATEGORY10 = "supply-chain";
+var GITHUB_HOSTED_REGEX = /^(ubuntu|macos|windows)(-(latest|\d+(\.\d+)?))?$/;
+var IOC_PATTERNS = ["sha1hulud", "shai-hulud", "sha1-hulud", "hulud"];
+function categorizeRunner(label) {
+  const trimmed = label.trim();
+  const lower = trimmed.toLowerCase();
+  if (IOC_PATTERNS.some((pattern) => lower.includes(pattern))) {
+    return "ioc-match";
+  }
+  if (lower.includes("self-hosted")) {
+    return "self-hosted";
+  }
+  if (GITHUB_HOSTED_REGEX.test(trimmed)) {
+    return "github-hosted";
+  }
+  return "unknown";
+}
+function extractRunsOn(parsedYaml) {
+  if (!parsedYaml || typeof parsedYaml !== "object") return [];
+  const workflow = parsedYaml;
+  const jobs = workflow["jobs"];
+  if (!jobs || typeof jobs !== "object") return [];
+  const results = [];
+  for (const [jobName, job] of Object.entries(jobs)) {
+    if (!job || typeof job !== "object") continue;
+    const runsOn = job["runs-on"];
+    if (!runsOn) continue;
+    if (typeof runsOn === "string") {
+      results.push({ jobName, runsOn: [runsOn] });
+    } else if (Array.isArray(runsOn)) {
+      const labels = runsOn.filter((item) => typeof item === "string");
+      if (labels.length > 0) {
+        results.push({ jobName, runsOn: labels });
+      }
+    }
+  }
+  return results;
+}
+var CATEGORY_PRIORITY = {
+  "ioc-match": 3,
+  "self-hosted": 2,
+  "unknown": 1,
+  "github-hosted": 0
+};
+function highestCategory(labels) {
+  let highest = "github-hosted";
+  for (const label of labels) {
+    const cat = categorizeRunner(label);
+    if (CATEGORY_PRIORITY[cat] > CATEGORY_PRIORITY[highest]) {
+      highest = cat;
+    }
+  }
+  return highest;
+}
+var selfHostedRunnerCheck = async (context) => {
+  const workflowsDir = join13(context.projectPath, ".github", "workflows");
+  let filenames;
+  try {
+    const entries = await readdir2(workflowsDir);
+    filenames = entries.filter((f) => f.endsWith(".yml") || f.endsWith(".yaml"));
+  } catch (error) {
+    const isNotFound = error instanceof Error && "code" in error && error.code === "ENOENT";
+    if (isNotFound) {
+      return [
+        {
+          id: CHECK_ID14,
+          name: CHECK_NAME7,
+          status: "skip",
+          severity: "info",
+          category: CATEGORY10,
+          description: "No .github/workflows/ directory found \u2014 skipping runner detection."
+        }
+      ];
+    }
+    return [
+      {
+        id: CHECK_ID14,
+        name: CHECK_NAME7,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY10,
+        description: `Check failed: ${error instanceof Error ? error.message : String(error)}`
+      }
+    ];
+  }
+  if (filenames.length === 0) {
+    return [
+      {
+        id: CHECK_ID14,
+        name: CHECK_NAME7,
+        status: "skip",
+        severity: "info",
+        category: CATEGORY10,
+        description: "No workflow files found in .github/workflows/ \u2014 skipping runner detection."
+      }
+    ];
+  }
+  const findings = [];
+  for (const filename of filenames) {
+    let content;
+    try {
+      content = await readFile12(join13(workflowsDir, filename), "utf-8");
+    } catch {
+      continue;
+    }
+    let parsed;
+    try {
+      parsed = parseYaml2(content);
+    } catch {
+      continue;
+    }
+    const jobsRunsOn = extractRunsOn(parsed);
+    for (const { jobName, runsOn } of jobsRunsOn) {
+      const category = highestCategory(runsOn);
+      const labelsDisplay = runsOn.join(", ");
+      if (category === "ioc-match") {
+        findings.push({
+          id: CHECK_ID14,
+          name: CHECK_NAME7,
+          status: "fail",
+          severity: "high",
+          category: CATEGORY10,
+          location: `.github/workflows/${filename}`,
+          description: `Suspicious runner label matches known IoC: ${filename}. Job: ${jobName}. Runs-on: ${labelsDisplay}. This label matches known indicators of compromise from the Shai-Hulud / SHA1-Hulud worm.`,
+          fix: "IMMEDIATE ACTION: Inspect this repository's recent commits, workflow files, and any associated infrastructure. This may be evidence of active compromise. Remove the suspicious runner and audit all recent workflow runs.",
+          aiPrompt: `My GitHub Actions workflow ${filename} has a runner label "${labelsDisplay}" that matches known IoC patterns from the Shai-Hulud worm. Help me investigate: what should I check for signs of compromise, how do I audit recent workflow runs, and what remediation steps should I take immediately?`
+        });
+      } else if (category === "self-hosted") {
+        findings.push({
+          id: CHECK_ID14,
+          name: CHECK_NAME7,
+          status: "warn",
+          severity: "medium",
+          category: CATEGORY10,
+          location: `.github/workflows/${filename}`,
+          description: `Self-hosted runner in workflow: ${filename}. Job: ${jobName}. Runs-on: ${labelsDisplay}. Self-hosted runners can be a persistence vector for supply-chain attacks.`,
+          fix: "Verify this runner was intentionally configured. If not, this may indicate compromise. Ensure self-hosted runners are hardened, regularly patched, and use ephemeral instances where possible.",
+          aiPrompt: `My GitHub Actions workflow ${filename} uses a self-hosted runner (${labelsDisplay}). Explain the supply-chain security risks of self-hosted runners, best practices for hardening them, and how to verify this configuration is intentional and safe.`
+        });
+      } else if (category === "unknown") {
+        findings.push({
+          id: CHECK_ID14,
+          name: CHECK_NAME7,
+          status: "pass",
+          severity: "info",
+          category: CATEGORY10,
+          location: `.github/workflows/${filename}`,
+          description: `Custom/unrecognized runner label: ${filename}. Job: ${jobName}. Runs-on: ${labelsDisplay}. This label doesn't match standard GitHub-hosted runner patterns. If this is intentional (e.g., self-hosted with a custom name), document it.`
+        });
+      }
+    }
+  }
+  if (findings.length === 0) {
+    return [
+      {
+        id: CHECK_ID14,
+        name: CHECK_NAME7,
+        status: "pass",
+        severity: "info",
+        category: CATEGORY10,
+        description: `All ${filenames.length} workflow file(s) use standard GitHub-hosted runners.`
+      }
+    ];
+  }
+  return findings;
+};
+var self_hosted_runner_default = selfHostedRunnerCheck;
+
 // src/checks/index.ts
 function getAllChecks() {
   return [
@@ -2289,7 +2878,11 @@ function getAllChecks() {
     auth_default,
     cookies_default,
     server_disclosure_default,
-    dmarc_default
+    dmarc_default,
+    ignore_scripts_default,
+    compromised_deps_default,
+    npm_ci_default,
+    self_hosted_runner_default
   ];
 }
 function getUrlOnlyChecks() {
@@ -2511,7 +3104,7 @@ var corsPrompt = (result, context) => {
   const framework = context.stack.framework ?? "my web application";
   return `${stack}${loc} ${result.description.split(".")[0]}. Help me fix this by: (1) replacing the wildcard origin with my specific domain(s), (2) showing the correct CORS configuration for ${framework}, (3) handling preflight OPTIONS requests properly, and (4) configuring credentials mode safely. Show me the complete working code.`;
 };
-var rateLimitPrompt = (result, context) => {
+var rateLimitPrompt = (_result, context) => {
   const stack = buildStackDescription(context.stack);
   const framework = context.stack.framework;
   const pkg2 = getRateLimitPackage(context.stack);
@@ -2643,18 +3236,30 @@ function detectProjectType(packageJson, files) {
 }
 async function buildContext(options) {
   const projectPath = resolve(options.path);
+  if (options.urlOnly) {
+    return {
+      projectPath,
+      url: options.url,
+      stack: { language: "unknown" },
+      files: [],
+      verbose: options.verbose,
+      projectType: "static",
+      projectTypeSource: "auto",
+      urlOnly: true
+    };
+  }
   const info = await stat(projectPath).catch(() => null);
   if (!info?.isDirectory()) {
     throw new Error(`Not a directory: ${projectPath}`);
   }
   let packageJson;
   try {
-    const raw = await readFile9(join10(projectPath, "package.json"), "utf-8");
+    const raw = await readFile13(join14(projectPath, "package.json"), "utf-8");
     packageJson = JSON.parse(raw);
   } catch {
   }
-  const entries = await readdir(projectPath, { recursive: true, withFileTypes: true });
-  const files = entries.filter((e) => e.isFile()).map((e) => relative(projectPath, join10(e.parentPath, e.name))).filter((f) => !f.split("/").some((segment) => EXCLUDED_DIRS.has(segment)));
+  const entries = await readdir3(projectPath, { recursive: true, withFileTypes: true });
+  const files = entries.filter((e) => e.isFile()).map((e) => relative(projectPath, join14(e.parentPath, e.name))).filter((f) => !f.split("/").some((segment) => EXCLUDED_DIRS.has(segment)));
   const stack = detectStack(packageJson, files);
   const typeOverride = options.type ?? "auto";
   const projectType = typeOverride === "auto" ? detectProjectType(packageJson, files) : typeOverride;
@@ -2697,17 +3302,17 @@ async function runChecks(context, checks) {
 }
 var PROJECT_INDICATORS = ["package.json", ".gitignore", ".git", "src", "lib"];
 var CODE_EXTENSIONS2 = /\.(ts|js|tsx|jsx)$/;
-function hasProjectFiles(files, projectPath, packageJson) {
+function hasProjectFiles(files, _projectPath, packageJson) {
   if (packageJson) return true;
   for (const f of files) {
-    const first = f.split("/")[0];
+    const first = f.split("/")[0] ?? "";
     if (PROJECT_INDICATORS.includes(first)) return true;
     if (CODE_EXTENSIONS2.test(f)) return true;
   }
   return false;
 }
 async function scan(context) {
-  const isUrlOnly = context.url && !hasProjectFiles(context.files, context.projectPath, context.packageJson);
+  const isUrlOnly = context.urlOnly || !!context.url && !hasProjectFiles(context.files, context.projectPath, context.packageJson);
   if (isUrlOnly) {
     const report2 = await runChecks(context, getUrlOnlyChecks());
     return { ...report2, urlOnly: true, projectType: context.projectType, projectTypeSource: context.projectTypeSource };
@@ -2877,7 +3482,7 @@ function formatJsonReport(report, metadata) {
 
 // src/generators/config.ts
 import { writeFile, mkdir } from "fs/promises";
-import { join as join11 } from "path";
+import { join as join15 } from "path";
 function expressHelmetConfig() {
   return {
     name: "Helmet.js Security Headers",
@@ -3398,21 +4003,211 @@ async function writeConfigFiles(snippets, outputDir) {
   await mkdir(outputDir, { recursive: true });
   const paths = [];
   for (const snippet of snippets) {
-    const filePath = join11(outputDir, snippet.filename);
+    const filePath = join15(outputDir, snippet.filename);
     await writeFile(filePath, snippet.code + "\n", "utf-8");
     paths.push(filePath);
   }
   return paths;
 }
 
+// src/generators/security-txt.ts
+import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
+import { createInterface } from "readline";
+import { dirname, join as join16, resolve as resolve2 } from "path";
+import chalk2 from "chalk";
+function generateSecurityTxt(fields) {
+  const lines = [
+    "# security.txt \u2014 generated by Bastion",
+    "# https://securitytxt.org/ | RFC 9116",
+    "",
+    `Contact: ${fields.contact}`,
+    `Expires: ${fields.expires}`
+  ];
+  if (fields.preferredLanguages) {
+    lines.push(`Preferred-Languages: ${fields.preferredLanguages}`);
+  }
+  if (fields.policy) {
+    lines.push(`Policy: ${fields.policy}`);
+  }
+  if (fields.acknowledgments) {
+    lines.push(`Acknowledgments: ${fields.acknowledgments}`);
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function defaultExpiresDate() {
+  const date = /* @__PURE__ */ new Date();
+  date.setFullYear(date.getFullYear() + 1);
+  return date.toISOString();
+}
+function normalizeContact(value) {
+  const trimmed = value.trim();
+  if (!trimmed.startsWith("mailto:") && !trimmed.startsWith("https://") && trimmed.includes("@")) {
+    return `mailto:${trimmed}`;
+  }
+  return trimmed;
+}
+function validateContact(value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return "Contact is required";
+  }
+  if (!trimmed.startsWith("mailto:") && !trimmed.startsWith("https://") && !trimmed.includes("@")) {
+    return "Contact must be an email address, mailto: URI, or https:// URL";
+  }
+  return null;
+}
+function validateExpires(value) {
+  const date = new Date(value);
+  if (isNaN(date.getTime())) {
+    return "Invalid date format. Use ISO 8601 (e.g., 2027-04-15T00:00:00.000Z)";
+  }
+  if (date.getTime() <= Date.now()) {
+    return "Expires date must be in the future";
+  }
+  return null;
+}
+function promptField(rl, question, defaultValue) {
+  const suffix = defaultValue ? ` [${defaultValue}]` : "";
+  return new Promise((res) => {
+    rl.question(`  ${question}${suffix}: `, (answer) => {
+      res(answer.trim() || defaultValue || "");
+    });
+  });
+}
+async function promptForFields(rl) {
+  console.log();
+  console.log(chalk2.bold.cyan("  security.txt Generator"));
+  console.log(chalk2.dim("  Creates a valid security.txt file per RFC 9116"));
+  console.log();
+  let contact = "";
+  while (!contact) {
+    const raw = await promptField(rl, "Contact email or URL");
+    const error = validateContact(raw);
+    if (error) {
+      console.log(chalk2.red(`  ${error}`));
+    } else {
+      contact = normalizeContact(raw);
+    }
+  }
+  const expires = await promptField(rl, "Expires date (ISO 8601)", defaultExpiresDate());
+  const preferredLanguages = await promptField(rl, "Preferred-Languages", "en");
+  const policy = await promptField(rl, "Policy URL (optional)");
+  const acknowledgments = await promptField(rl, "Acknowledgments URL (optional)");
+  const rootAnswer = await promptField(rl, "Also create at project root? (y/N)");
+  const writeToRoot = rootAnswer.toLowerCase() === "y" || rootAnswer.toLowerCase() === "yes";
+  return {
+    fields: {
+      contact,
+      expires,
+      preferredLanguages,
+      ...policy ? { policy } : {},
+      ...acknowledgments ? { acknowledgments } : {}
+    },
+    writeToRoot
+  };
+}
+async function writeSecurityTxtFiles(projectPath, content, locations) {
+  const written = [];
+  for (const location of locations) {
+    const fullPath = join16(projectPath, location);
+    await mkdir2(dirname(fullPath), { recursive: true });
+    await writeFile2(fullPath, content, "utf-8");
+    written.push(fullPath);
+  }
+  return written;
+}
+function printResult(content, paths) {
+  console.log();
+  console.log(chalk2.bold.green("  \u2713 security.txt generated"));
+  console.log();
+  console.log(chalk2.dim("  Contents:"));
+  console.log();
+  for (const line of content.split("\n")) {
+    if (line) {
+      console.log(`    ${line}`);
+    }
+  }
+  console.log();
+  for (const p of paths) {
+    console.log(`  ${chalk2.dim("Saved:")} ${p}`);
+  }
+  console.log();
+}
+async function runSecurityTxtGenerator(options) {
+  const projectPath = resolve2(options.path);
+  try {
+    let fields;
+    let writeToRoot = false;
+    if (options.contact) {
+      const contact = normalizeContact(options.contact);
+      const contactError = validateContact(contact);
+      if (contactError) {
+        console.error(chalk2.red(`
+  Error: ${contactError}
+`));
+        process.exitCode = 1;
+        return;
+      }
+      const expires = options.expires ?? defaultExpiresDate();
+      const expiresError = validateExpires(expires);
+      if (expiresError) {
+        console.error(chalk2.red(`
+  Error: ${expiresError}
+`));
+        process.exitCode = 1;
+        return;
+      }
+      fields = {
+        contact,
+        expires,
+        preferredLanguages: options.languages ?? "en",
+        ...options.policy ? { policy: options.policy } : {},
+        ...options.acknowledgments ? { acknowledgments: options.acknowledgments } : {}
+      };
+    } else {
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      try {
+        const result = await promptForFields(rl);
+        fields = result.fields;
+        writeToRoot = result.writeToRoot;
+      } finally {
+        rl.close();
+      }
+    }
+    const content = generateSecurityTxt(fields);
+    const locations = [".well-known/security.txt"];
+    if (writeToRoot) {
+      locations.push("security.txt");
+    }
+    const written = await writeSecurityTxtFiles(projectPath, content, locations);
+    printResult(content, written);
+  } catch (error) {
+    console.error(
+      chalk2.red(
+        `
+  Error: ${error instanceof Error ? error.message : String(error)}
+`
+      )
+    );
+    process.exitCode = 1;
+  }
+}
+
 // src/cli.ts
+function computeUrlOnly(options, command) {
+  return !!options.url && command.getOptionValueSource("path") === "default";
+}
 function createProgram(version) {
   const program = new Command();
-  program.name("bastion").description("Privacy-first security checker for AI-era builders").version(version);
+  program.name("bastion").description("Privacy-first security checker for web projects").version(version);
   program.command("scan").description("Scan a project for security issues").option("-p, --path <dir>", "path to project directory", ".").option("-f, --format <type>", "output format (terminal, json, markdown)", "terminal").option("-v, --verbose", "show detailed output", false).option("-u, --url <url>", "URL for HTTP-based checks").option("-o, --output <file>", "output file path (for markdown/json formats)").option("--generate-configs", "generate security config snippets for detected stack", false).option("--output-dir <dir>", "write generated config files to directory").addOption(
     new Option("-t, --type <type>", "project type override").choices(["auto", "static", "api", "fullstack"]).default("auto")
-  ).action(async (options) => {
-    await runScan(options, version);
+  ).action(async (options, command) => {
+    await runScan({ ...options, urlOnly: computeUrlOnly(options, command) }, version);
   });
   const generate = program.command("generate").description("Generate security configuration files");
   generate.command("security-txt").description("Create a valid security.txt file (RFC 9116)").option("-c, --contact <value>", "contact email or URL (enables non-interactive mode)").option("-e, --expires <date>", "expires date in ISO 8601 (default: 1 year from now)").option("-l, --languages <langs>", "preferred languages (default: en)").option("--policy <url>", "policy URL").option("--acknowledgments <url>", "acknowledgments URL").option("-p, --path <dir>", "project directory", ".").action(async (options) => {
@@ -3427,21 +4222,21 @@ async function runScan(options, version) {
   }
   if (!isValidFormat(options.format)) {
     console.error(
-      chalk2.red(`
+      chalk3.red(`
   Error: Invalid format "${options.format}". Use: ${OUTPUT_FORMATS.join(", ")}`)
     );
     process.exitCode = 1;
     return;
   }
   if (!isJson && options.verbose) {
-    const { resolve: resolve2 } = await import("path");
-    console.log(chalk2.dim(`  Path:   ${resolve2(options.path)}`));
-    console.log(chalk2.dim(`  Format: ${options.format}`));
+    const { resolve: resolve3 } = await import("path");
+    console.log(chalk3.dim(`  Path:   ${resolve3(options.path)}`));
+    console.log(chalk3.dim(`  Format: ${options.format}`));
     if (options.url) {
-      console.log(chalk2.dim(`  URL:    ${options.url}`));
+      console.log(chalk3.dim(`  URL:    ${options.url}`));
     }
     if (options.type !== "auto") {
-      console.log(chalk2.dim(`  Type:   ${options.type} (manual override)`));
+      console.log(chalk3.dim(`  Type:   ${options.type} (manual override)`));
     }
     console.log();
   }
@@ -3451,7 +4246,8 @@ async function runScan(options, version) {
       path: options.path,
       url: options.url,
       verbose: options.verbose,
-      type: options.type
+      type: options.type,
+      urlOnly: options.urlOnly
     });
     const report = await scan(context);
     if (isJson) {
@@ -3467,16 +4263,16 @@ async function runScan(options, version) {
     } else {
       spinner?.succeed(`Scan complete (${report.duration}ms)`);
       if (report.urlOnly) {
-        console.log(chalk2.yellow("\n  URL-only scan \u2014 6 HTTP checks performed."));
-        console.log(chalk2.dim("  Point --path at your source code for a full 15-check audit.\n"));
+        console.log(chalk3.yellow("\n  URL-only scan \u2014 6 HTTP checks performed."));
+        console.log(chalk3.dim("  Point --path at your source code for a full 15-check audit.\n"));
       }
       if (report.projectType && report.projectType !== "unknown") {
         const source = report.projectTypeSource === "manual" ? "manual" : "auto-detected";
-        console.log(chalk2.dim(`
+        console.log(chalk3.dim(`
   Project type: ${report.projectType} (${source})`));
       }
       if (report.projectType === "static" && report.summary.notApplicable > 0) {
-        console.log(chalk2.dim(`  Static site detected \u2014 ${report.summary.notApplicable} checks not applicable`));
+        console.log(chalk3.dim(`  Static site detected \u2014 ${report.summary.notApplicable} checks not applicable`));
       }
       console.log(formatTerminalReport(report, options.verbose));
     }
@@ -3485,10 +4281,10 @@ async function runScan(options, version) {
       if (options.outputDir) {
         const paths = await writeConfigFiles(snippets, options.outputDir);
         if (!isJson) {
-          console.log(chalk2.green(`
+          console.log(chalk3.green(`
   \u2713 Wrote ${paths.length} config file${paths.length === 1 ? "" : "s"} to ${options.outputDir}/`));
           for (const p of paths) {
-            console.log(chalk2.dim(`    ${p}`));
+            console.log(chalk3.dim(`    ${p}`));
           }
           console.log();
         }
@@ -3505,7 +4301,7 @@ async function runScan(options, version) {
     } else {
       spinner?.fail("Scan failed");
       console.error(
-        chalk2.red(`
+        chalk3.red(`
   ${error instanceof Error ? error.message : String(error)}
 `)
       );
@@ -3515,8 +4311,8 @@ async function runScan(options, version) {
 }
 function printBanner(version) {
   console.log();
-  console.log(chalk2.bold.cyan("  Bastion") + chalk2.dim(` v${version}`));
-  console.log(chalk2.dim("  Privacy-first security checker"));
+  console.log(chalk3.bold.cyan("  Bastion") + chalk3.dim(` v${version}`));
+  console.log(chalk3.dim("  Privacy-first security checker"));
   console.log();
 }
 function isValidFormat(format) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bastion-scan",
-  "version": "0.1.3",
+  "version": "0.2.1",
   "description": "Privacy-first security checker for web projects. 15 checks, zero data uploaded, actionable fixes.",
   "type": "module",
   "bin": {
@@ -34,15 +34,20 @@
   "license": "MIT",
   "scripts": {
     "build": "tsup",
-    "dev": "tsup --watch"
+    "dev": "tsup --watch",
+    "test": "vitest run --root ../..",
+    "prepublishOnly": "npm run build && npm run test"
   },
   "dependencies": {
-    "bastion-shared": "^0.1.3",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
-    "ora": "^9.3.0"
+    "ora": "^9.3.0",
+    "semver": "^7.8.0",
+    "yaml": "^2.9.0"
   },
   "devDependencies": {
+    "@bastion/shared": "*",
+    "@types/semver": "^7.7.1",
     "tsup": "^8.0.0"
   }
 }