depfix-ai 0.1.1

package/dist/commands/audit.d.ts

@@ -0,0 +1,7 @@
+import { Severity } from "../lib/audit/summarize";
+export interface AuditFlags {
+    json: boolean;
+    severity?: Severity;
+    fail: boolean;
+}
+export declare function runAuditCommand(argv?: string[]): Promise<void>;

package/dist/commands/audit.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runAuditCommand = runAuditCommand;
+const npmAudit_1 = require("../lib/audit/npmAudit");
+const summarize_1 = require("../lib/audit/summarize");
+const log_1 = require("../lib/ui/log");
+function parseArgs(argv) {
+    const flags = {
+        json: false,
+        fail: false,
+    };
+    for (let i = 0; i < argv.length; i++) {
+        const arg = argv[i];
+        switch (arg) {
+            case "--json":
+                flags.json = true;
+                break;
+            case "--severity": {
+                const value = argv[i + 1];
+                if (value && ["low", "moderate", "high", "critical"].includes(value)) {
+                    flags.severity = value;
+                    i++;
+                }
+                else {
+                    (0, log_1.logError)("Invalid value for --severity. Use one of: low, moderate, high, critical.");
+                }
+                break;
+            }
+            case "--fail":
+                flags.fail = true;
+                break;
+            default:
+                (0, log_1.logError)(`Unknown flag or argument: ${arg}`);
+                break;
+        }
+    }
+    return flags;
+}
+async function runAuditCommand(argv = []) {
+    const flags = parseArgs(argv);
+    const severity = flags.severity ?? "low";
+    const { pm, rawJson, exitCode } = await (0, npmAudit_1.runNpmAuditJson)();
+    if (pm !== "npm") {
+        (0, log_1.logInfo)(`Audit is only implemented for npm right now. Detected ${pm}.`);
+        return;
+    }
+    if (!rawJson) {
+        (0, log_1.logError)("npm audit did not return JSON output.");
+        if (typeof exitCode === "number") {
+            process.exitCode = exitCode;
+        }
+        return;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(rawJson);
+    }
+    catch {
+        (0, log_1.logError)("Failed to parse npm audit JSON output.");
+        if (flags.json) {
+            // Still honour the request for raw output.
+            // eslint-disable-next-line no-console
+            console.log(rawJson);
+        }
+        if (typeof exitCode === "number") {
+            process.exitCode = exitCode;
+        }
+        return;
+    }
+    const summaryOptions = { minSeverity: severity };
+    const summary = (0, summarize_1.summarizeNpmAudit)(parsed, summaryOptions);
+    (0, summarize_1.printAuditSummary)(summary);
+    if (flags.json) {
+        // eslint-disable-next-line no-console
+        console.log(rawJson);
+    }
+    if (flags.fail) {
+        const hasIssuesAboveThreshold = summary.counts.critical > 0 ||
+            (severity !== "critical" && summary.counts.high > 0) ||
+            (["low", "moderate"].includes(severity) && summary.counts.moderate > 0) ||
+            (severity === "low" && summary.counts.low > 0);
+        if (hasIssuesAboveThreshold) {
+            process.exitCode = 1;
+        }
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export declare function main(argv?: string[]): Promise<void>;

package/dist/index.js

@@ -0,0 +1,49 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.main = main;
+const audit_1 = require("./commands/audit");
+const summarize_1 = require("./lib/audit/summarize");
+const write_1 = require("./lib/env/write");
+const backup_1 = require("./lib/safety/backup");
+const log_1 = require("./lib/ui/log");
+async function main(argv = process.argv.slice(2)) {
+    const [command, subcommand, ...rest] = argv;
+    try {
+        switch (command) {
+            case "audit":
+                await (0, audit_1.runAuditCommand)(rest);
+                break;
+            case "fix":
+                await (0, summarize_1.runFix)();
+                break;
+            case "env":
+                if (subcommand === "generate") {
+                    await (0, write_1.runEnvGenerate)(rest);
+                }
+                else {
+                    (0, log_1.logError)('Usage: depfix-ai env generate');
+                }
+                break;
+            case "onboard":
+                await (0, backup_1.runOnboard)();
+                break;
+            default:
+                (0, log_1.logInfo)("depfix-ai CLI");
+                (0, log_1.logInfo)("Available commands:");
+                (0, log_1.logInfo)("  audit");
+                (0, log_1.logInfo)("  fix");
+                (0, log_1.logInfo)("  env generate");
+                (0, log_1.logInfo)("  onboard");
+                break;
+        }
+    }
+    catch (err) {
+        (0, log_1.logError)("Unexpected error", err);
+        process.exitCode = 1;
+    }
+}
+if (require.main === module) {
+    // eslint-disable-next-line @typescript-eslint/no-floating-promises
+    main();
+}

package/dist/lib/audit/npmAudit.d.ts

@@ -0,0 +1,12 @@
+export interface NpmAuditResult {
+    pm: "npm" | string;
+    rawJson: string | undefined;
+    exitCode: number | undefined;
+}
+/**
+ * Run an npm audit in JSON mode.
+ *
+ * For v0.1.0 we only support npm; if another package manager
+ * is detected we return early without running anything.
+ */
+export declare function runNpmAuditJson(cwd?: string): Promise<NpmAuditResult>;

package/dist/lib/audit/npmAudit.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runNpmAuditJson = runNpmAuditJson;
+const detect_1 = require("../pm/detect");
+const run_1 = require("../pm/run");
+/**
+ * Run an npm audit in JSON mode.
+ *
+ * For v0.1.0 we only support npm; if another package manager
+ * is detected we return early without running anything.
+ */
+async function runNpmAuditJson(cwd = process.cwd()) {
+    const pm = (0, detect_1.detectPackageManager)(cwd);
+    if (pm !== "npm") {
+        return { pm, rawJson: undefined, exitCode: undefined };
+    }
+    const { stdout, exitCode } = await (0, run_1.runPmCommand)(pm, ["audit", "--json"], {
+        cwd,
+    });
+    return {
+        pm,
+        rawJson: stdout,
+        exitCode,
+    };
+}

package/dist/lib/audit/summarize.d.ts

@@ -0,0 +1,29 @@
+export type Severity = "low" | "moderate" | "high" | "critical";
+export interface AuditSummaryOptions {
+    /**
+     * Minimum severity to include in the summary.
+     * Vulnerabilities below this level will be ignored.
+     */
+    minSeverity?: Severity;
+}
+export interface SeverityCounts {
+    low: number;
+    moderate: number;
+    high: number;
+    critical: number;
+}
+export interface PackageImpact {
+    name: string;
+    count: number;
+}
+export interface AuditSummary {
+    counts: SeverityCounts;
+    impactedPackages: PackageImpact[];
+}
+/**
+ * Normalise npm audit JSON into a simple summary that is reasonably
+ * robust across npm versions (v6/v7+).
+ */
+export declare function summarizeNpmAudit(data: unknown, options?: AuditSummaryOptions): AuditSummary;
+export declare function printAuditSummary(summary: AuditSummary): void;
+export declare function runFix(): Promise<void>;

package/dist/lib/audit/summarize.js

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.summarizeNpmAudit = summarizeNpmAudit;
+exports.printAuditSummary = printAuditSummary;
+exports.runFix = runFix;
+const log_1 = require("../ui/log");
+const severityOrder = ["low", "moderate", "high", "critical"];
+function severityAtLeast(a, min) {
+    return severityOrder.indexOf(a) >= severityOrder.indexOf(min);
+}
+function emptyCounts() {
+    return { low: 0, moderate: 0, high: 0, critical: 0 };
+}
+/**
+ * Normalise npm audit JSON into a simple summary that is reasonably
+ * robust across npm versions (v6/v7+).
+ */
+function summarizeNpmAudit(data, options = {}) {
+    const minSeverity = options.minSeverity ?? "low";
+    const counts = emptyCounts();
+    const pkgCounts = new Map();
+    const anyData = data;
+    // Prefer the modern `vulnerabilities` shape if present.
+    if (anyData && typeof anyData === "object" && anyData.vulnerabilities) {
+        const vulns = anyData.vulnerabilities;
+        for (const [pkgName, vuln] of Object.entries(vulns)) {
+            const severity = vuln.severity;
+            if (!severity || !severityAtLeast(severity, minSeverity))
+                continue;
+            counts[severity] += 1;
+            pkgCounts.set(pkgName, (pkgCounts.get(pkgName) ?? 0) + 1);
+        }
+    }
+    else if (anyData && typeof anyData === "object" && anyData.advisories) {
+        // Legacy npm audit format with `advisories`.
+        const advisories = anyData.advisories;
+        for (const adv of Object.values(advisories)) {
+            const severity = adv.severity;
+            const moduleName = adv.module_name;
+            if (!severity || !moduleName || !severityAtLeast(severity, minSeverity))
+                continue;
+            counts[severity] += 1;
+            pkgCounts.set(moduleName, (pkgCounts.get(moduleName) ?? 0) + 1);
+        }
+    }
+    else if (anyData && anyData.metadata && anyData.metadata.vulnerabilities) {
+        // Fallback: just lift counts from metadata if available.
+        const metaCounts = anyData.metadata.vulnerabilities;
+        for (const sev of severityOrder) {
+            const value = metaCounts[sev];
+            if (typeof value === "number" && severityAtLeast(sev, minSeverity)) {
+                counts[sev] += value;
+            }
+        }
+    }
+    const impactedPackages = Array.from(pkgCounts.entries())
+        .map(([name, count]) => ({ name, count }))
+        .sort((a, b) => b.count - a.count)
+        .slice(0, 5);
+    return { counts, impactedPackages };
+}
+function printAuditSummary(summary) {
+    const { counts, impactedPackages } = summary;
+    (0, log_1.logInfo)("Vulnerability summary:");
+    (0, log_1.logInfo)(`  low: ${counts.low}, moderate: ${counts.moderate}, high: ${counts.high}, critical: ${counts.critical}`);
+    if (impactedPackages.length > 0) {
+        (0, log_1.logInfo)("Top affected packages:");
+        for (const pkg of impactedPackages) {
+            (0, log_1.logInfo)(`  ${pkg.name}: ${pkg.count} issue(s)`);
+        }
+    }
+    else {
+        (0, log_1.logInfo)("No vulnerable packages found at or above the selected severity.");
+    }
+    (0, log_1.logInfo)("What to do next:");
+    (0, log_1.logInfo)("  - Run `npm audit fix` to apply safe automatic fixes.");
+    (0, log_1.logInfo)("  - For remaining issues, review advisories and consider upgrading major versions or replacing packages.");
+    (0, log_1.logInfo)("  - If you cannot upgrade immediately, consider using overrides/resolutions with care and track them for cleanup.");
+}
+// Temporary placeholder to keep the existing `fix` command wired up.
+// This can later be replaced with a real remediation flow.
+async function runFix() {
+    (0, log_1.logInfo)("Running depfix-ai fix (not implemented yet).");
+}

package/dist/lib/audit/types.d.ts

@@ -0,0 +1,19 @@
+export type Severity = "low" | "moderate" | "high" | "critical";
+export interface SeverityCounts {
+    low: number;
+    moderate: number;
+    high: number;
+    critical: number;
+}
+export interface PackageSummary {
+    name: string;
+    count: number;
+    highestSeverity: Severity;
+}
+export interface AuditSummary {
+    severityCounts: SeverityCounts;
+    topPackages: PackageSummary[];
+}
+export interface SummarizeOptions {
+    minSeverity?: Severity;
+}

package/dist/lib/audit/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/lib/config/store.d.ts

@@ -0,0 +1,5 @@
+export interface Config {
+    dryRun: boolean;
+}
+export declare function getConfig(): Config;
+export declare function setConfig(next: Partial<Config>): void;

package/dist/lib/config/store.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getConfig = getConfig;
+exports.setConfig = setConfig;
+let currentConfig = {
+    dryRun: false,
+};
+function getConfig() {
+    return currentConfig;
+}
+function setConfig(next) {
+    currentConfig = { ...currentConfig, ...next };
+}

package/dist/lib/env/render.d.ts

@@ -0,0 +1,2 @@
+import { EnvScanResult } from "./scan";
+export declare function renderEnv(result: EnvScanResult): string;

package/dist/lib/env/render.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderEnv = renderEnv;
+const GROUPS = [
+    { prefix: "DB_", heading: "Database" },
+    { prefix: "REDIS_", heading: "Redis" },
+    { prefix: "AWS_", heading: "AWS" },
+    { prefix: "SMTP_", heading: "SMTP" },
+    { prefix: "NEXT_PUBLIC_", heading: "Next.js public env" },
+    { prefix: "VITE_", heading: "Vite env" },
+];
+function renderEnv(result) {
+    const remaining = new Set(result.keys);
+    const groups = [];
+    for (const { prefix, heading } of GROUPS) {
+        const keys = result.keys.filter((k) => k.startsWith(prefix));
+        if (keys.length === 0)
+            continue;
+        keys.forEach((k) => remaining.delete(k));
+        groups.push({ heading, keys });
+    }
+    if (remaining.size > 0) {
+        groups.push({
+            heading: "Other",
+            keys: Array.from(remaining).sort(),
+        });
+    }
+    const lines = [];
+    for (const group of groups) {
+        lines.push(`# ${group.heading}`);
+        for (const key of group.keys) {
+            lines.push(`${key}=`);
+        }
+        lines.push("");
+    }
+    return lines.join("\n").trimEnd() + (lines.length ? "\n" : "");
+}

package/dist/lib/env/scan.d.ts

@@ -0,0 +1,4 @@
+export interface EnvScanResult {
+    keys: string[];
+}
+export declare function scanEnv(cwd?: string): Promise<EnvScanResult>;

package/dist/lib/env/scan.js

@@ -0,0 +1,42 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanEnv = scanEnv;
+const promises_1 = __importDefault(require("node:fs/promises"));
+const fast_glob_1 = __importDefault(require("fast-glob"));
+const INCLUDE_GLOBS = [
+    "src/**/*.{js,jsx,ts,tsx}",
+    "app/**/*.{js,jsx,ts,tsx}",
+    "server/**/*.{js,jsx,ts,tsx}",
+    "pages/**/*.{js,jsx,ts,tsx}",
+];
+const EXCLUDE_GLOBS = ["**/node_modules/**", "**/dist/**", "**/.next/**", "**/build/**", "**/coverage/**"];
+const PROCESS_ENV_REGEX = /process\.env\.([A-Z0-9_]+)/g;
+const IMPORT_META_ENV_REGEX = /import\.meta\.env\.([A-Z0-9_]+)/g;
+async function scanEnv(cwd = process.cwd()) {
+    const files = await (0, fast_glob_1.default)(INCLUDE_GLOBS, {
+        cwd,
+        ignore: EXCLUDE_GLOBS,
+        absolute: true,
+    });
+    const keys = new Set();
+    for (const file of files) {
+        let content;
+        try {
+            content = await promises_1.default.readFile(file, "utf8");
+        }
+        catch {
+            continue;
+        }
+        let match;
+        while ((match = PROCESS_ENV_REGEX.exec(content)) !== null) {
+            keys.add(match[1]);
+        }
+        while ((match = IMPORT_META_ENV_REGEX.exec(content)) !== null) {
+            keys.add(match[1]);
+        }
+    }
+    return { keys: Array.from(keys).sort() };
+}

package/dist/lib/env/write.d.ts

@@ -0,0 +1 @@
+export declare function runEnvGenerate(argv?: string[]): Promise<void>;

package/dist/lib/env/write.js

@@ -0,0 +1,110 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runEnvGenerate = runEnvGenerate;
+const promises_1 = __importDefault(require("node:fs/promises"));
+const node_path_1 = __importDefault(require("node:path"));
+const scan_1 = require("./scan");
+const render_1 = require("./render");
+const log_1 = require("../ui/log");
+function parseEnvArgs(argv) {
+    const flags = {
+        out: ".env.example",
+        create: false,
+        force: false,
+        check: false,
+    };
+    for (let i = 0; i < argv.length; i++) {
+        const arg = argv[i];
+        switch (arg) {
+            case "--out":
+                if (argv[i + 1]) {
+                    flags.out = argv[i + 1];
+                    i++;
+                }
+                else {
+                    (0, log_1.logError)("Missing value for --out");
+                }
+                break;
+            case "--create":
+                flags.create = true;
+                break;
+            case "--force":
+                flags.force = true;
+                break;
+            case "--check":
+                flags.check = true;
+                break;
+            default:
+                (0, log_1.logError)(`Unknown flag or argument: ${arg}`);
+                break;
+        }
+    }
+    return flags;
+}
+async function fileExists(p) {
+    try {
+        await promises_1.default.stat(p);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function parseEnvKeysFromExample(content) {
+    const keys = new Set();
+    const lines = content.split(/\r?\n/);
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eqIndex = trimmed.indexOf("=");
+        if (eqIndex <= 0)
+            continue;
+        const key = trimmed.slice(0, eqIndex).trim();
+        if (key)
+            keys.add(key);
+    }
+    return keys;
+}
+async function runEnvGenerate(argv = []) {
+    const flags = parseEnvArgs(argv);
+    const cwd = process.cwd();
+    const outPath = node_path_1.default.resolve(cwd, flags.out);
+    const envPath = node_path_1.default.resolve(cwd, ".env");
+    const scanResult = await (0, scan_1.scanEnv)(cwd);
+    if (flags.check) {
+        if (!(await fileExists(outPath))) {
+            (0, log_1.logError)(`${flags.out} does not exist. Run 'depfix-ai env generate' to create it.`);
+            process.exitCode = 1;
+            return;
+        }
+        const existing = await promises_1.default.readFile(outPath, "utf8");
+        const existingKeys = parseEnvKeysFromExample(existing);
+        const missing = scanResult.keys.filter((k) => !existingKeys.has(k));
+        if (missing.length > 0) {
+            (0, log_1.logError)(`${flags.out} is missing the following environment variables: ${missing.join(", ")}`);
+            process.exitCode = 1;
+            return;
+        }
+        (0, log_1.logInfo)(`${flags.out} contains all required environment variables.`);
+        return;
+    }
+    // Always (re)write the template example file.
+    const exampleContent = (0, render_1.renderEnv)(scanResult);
+    await promises_1.default.writeFile(outPath, exampleContent, "utf8");
+    (0, log_1.logInfo)(`Wrote environment template to ${outPath}`);
+    if (flags.create) {
+        const envExists = await fileExists(envPath);
+        if (envExists && !flags.force) {
+            (0, log_1.logInfo)(`.env already exists; not overwriting. Use --force to overwrite.`);
+        }
+        else {
+            const envContent = scanResult.keys.map((k) => `${k}=`).join("\n") + "\n";
+            await promises_1.default.writeFile(envPath, envContent, "utf8");
+            (0, log_1.logInfo)(`Wrote ${envExists ? "updated" : "new"} .env file to ${envPath}`);
+        }
+    }
+}

package/dist/lib/git/commit.d.ts

@@ -0,0 +1 @@
+export declare function gitCommitAll(message: string, cwd?: string): Promise<void>;

package/dist/lib/git/commit.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gitCommitAll = gitCommitAll;
+const execa_1 = require("execa");
+async function gitCommitAll(message, cwd = process.cwd()) {
+    await (0, execa_1.execa)("git", ["add", "-A"], { cwd, stdio: "inherit" });
+    await (0, execa_1.execa)("git", ["commit", "-m", message], { cwd, stdio: "inherit" });
+}

package/dist/lib/git/stash.d.ts

@@ -0,0 +1 @@
+export declare function gitStashSave(message?: string, cwd?: string): Promise<void>;

package/dist/lib/git/stash.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gitStashSave = gitStashSave;
+const execa_1 = require("execa");
+async function gitStashSave(message = "depfix-ai backup", cwd = process.cwd()) {
+    await (0, execa_1.execa)("git", ["stash", "push", "-m", message], { cwd, stdio: "inherit" });
+}

package/dist/lib/git/status.d.ts

@@ -0,0 +1 @@
+export declare function gitStatusShort(cwd?: string): Promise<string>;

package/dist/lib/git/status.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gitStatusShort = gitStatusShort;
+const execa_1 = require("execa");
+async function gitStatusShort(cwd = process.cwd()) {
+    const { stdout } = await (0, execa_1.execa)("git", ["status", "--short"], { cwd });
+    return stdout;
+}

package/dist/lib/pm/detect.d.ts

@@ -0,0 +1,2 @@
+import { PackageManager } from "./types";
+export declare function detectPackageManager(cwd?: string): PackageManager;

package/dist/lib/pm/detect.js

@@ -0,0 +1,25 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectPackageManager = detectPackageManager;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+function detectPackageManager(cwd = process.cwd()) {
+    // Priority:
+    // 1. pnpm (pnpm-lock.yaml)
+    // 2. yarn (yarn.lock)
+    // 3. npm (package-lock.json)
+    // 4. bun (bun.lockb)
+    if (node_fs_1.default.existsSync(node_path_1.default.join(cwd, "pnpm-lock.yaml")))
+        return "pnpm";
+    if (node_fs_1.default.existsSync(node_path_1.default.join(cwd, "yarn.lock")))
+        return "yarn";
+    if (node_fs_1.default.existsSync(node_path_1.default.join(cwd, "package-lock.json")))
+        return "npm";
+    if (node_fs_1.default.existsSync(node_path_1.default.join(cwd, "bun.lockb")))
+        return "bun";
+    // Fallback to npm if no known lockfile is present.
+    return "npm";
+}

package/dist/lib/pm/detect.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/lib/pm/detect.test.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const detect_1 = require("./detect");
+(0, vitest_1.describe)("detectPackageManager", () => {
+    (0, vitest_1.it)("returns npm for this repository", () => {
+        const pm = (0, detect_1.detectPackageManager)();
+        (0, vitest_1.expect)(pm).toBe("npm");
+    });
+});

package/dist/lib/pm/run.d.ts

@@ -0,0 +1,2 @@
+import { PackageManager, RunOptions, RunResult } from "./types";
+export declare function runPmCommand(pm: PackageManager, args: string[], options?: RunOptions): Promise<RunResult>;

package/dist/lib/pm/run.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runPmCommand = runPmCommand;
+const execa_1 = require("execa");
+async function runPmCommand(pm, args, options = {}) {
+    const { stdout, stderr, exitCode } = await (0, execa_1.execa)(pm, args, {
+        cwd: options.cwd,
+        stdio: options.stdio ?? "pipe",
+        // Never throw on non‑zero exit codes; always resolve with the result.
+        reject: false,
+    });
+    return { stdout, stderr, exitCode };
+}

package/dist/lib/pm/types.d.ts

@@ -0,0 +1,10 @@
+export type PackageManager = "npm" | "yarn" | "pnpm" | "bun";
+export interface RunOptions {
+    cwd?: string;
+    stdio?: "inherit" | "pipe";
+}
+export interface RunResult {
+    stdout?: string;
+    stderr?: string;
+    exitCode?: number;
+}

package/dist/lib/pm/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/lib/safety/backup.d.ts

@@ -0,0 +1 @@
+export declare function runOnboard(): Promise<void>;

package/dist/lib/safety/backup.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runOnboard = runOnboard;
+const stash_1 = require("../git/stash");
+const log_1 = require("../ui/log");
+async function runOnboard() {
+    (0, log_1.logInfo)("Onboarding project with depfix-ai (minimal stub).");
+    await (0, stash_1.gitStashSave)("depfix-ai onboarding backup");
+    (0, log_1.logInfo)("Created git stash as a safety backup.");
+}

package/dist/lib/safety/dryRun.d.ts

@@ -0,0 +1,2 @@
+export declare function startDryRun(): void;
+export declare function endDryRun(): void;

package/dist/lib/safety/dryRun.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startDryRun = startDryRun;
+exports.endDryRun = endDryRun;
+const log_1 = require("../ui/log");
+function startDryRun() {
+    (0, log_1.logInfo)("Starting dry run (no changes will be written).");
+}
+function endDryRun() {
+    (0, log_1.logInfo)("Finished dry run.");
+}

package/dist/lib/ui/log.d.ts

@@ -0,0 +1,2 @@
+export declare function logInfo(message: string, ...rest: unknown[]): void;
+export declare function logError(message: string, ...rest: unknown[]): void;

package/dist/lib/ui/log.js

@@ -0,0 +1,14 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logInfo = logInfo;
+exports.logError = logError;
+const chalk_1 = __importDefault(require("chalk"));
+function logInfo(message, ...rest) {
+    console.log(chalk_1.default.cyan("[depfix-ai]"), message, ...rest);
+}
+function logError(message, ...rest) {
+    console.error(chalk_1.default.red("[depfix-ai]"), message, ...rest);
+}

package/dist/lib/ui/spinner.d.ts

@@ -0,0 +1 @@
+export declare function createSpinner(text: string): import("ora").Ora;

package/dist/lib/ui/spinner.js

@@ -0,0 +1,10 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSpinner = createSpinner;
+const ora_1 = __importDefault(require("ora"));
+function createSpinner(text) {
+    return (0, ora_1.default)({ text });
+}

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "depfix-ai",
+  "version": "0.1.1",
+  "scripts": {
+    "build": "tsc -b",
+    "test": "vitest run",
+    "prepack": "npm run build",
+    "version:patch": "npm version patch",
+    "version:minor": "npm version minor",
+    "version:major": "npm version major"
+  },
+  "files": [
+    "dist/**"
+  ],
+  "bin": {
+    "depfix-ai": "dist/index.js"
+  },
+  "dependencies": {
+    "chalk": "^5.6.2",
+    "execa": "^9.6.1",
+    "fast-glob": "^3.3.3",
+    "ora": "^9.3.0",
+    "semver": "^7.7.3"
+  },
+  "devDependencies": {
+    "@types/node": "^25.2.0",
+    "eslint": "^9.39.2",
+    "prettier": "^3.8.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  }
+}