depsentinel 0.1.2

package/README.md

@@ -0,0 +1,55 @@
+# depsentinel
+
+**JS/TS supply-chain hardening CLI.** Detect your package manager, evaluate risk, and apply secure defaults — in one command.
+
+## Quick start
+
+```bash
+npx depsentinel scan          # diagnose your project
+npx depsentinel init --write  # generate secure baseline
+npx depsentinel ci --json     # fail CI if critical policies violated
+npx depsentinel install express  # check package safety before adding it
+npx depsentinel doctor        # full 26-point security diagnosis
+```
+
+## Commands
+
+| Command | Purpose |
+|---|---|
+| `scan` | Detect PM, lockfile, framework; return `risk_score` + `remediation_commands` |
+| `init --write` | Generate `.npmrc`, `.npmignore`, CI workflow, PM-specific configs |
+| `ci --json` | Policy gate for CI pipelines; exits non-zero on critical findings |
+| `install <pkg>` | Preflight check before adding a dependency (`allow\|warn\|block`) |
+| `doctor` | Diagnose project against 26 npm security best practices |
+| `fix --write` | Auto-apply known remediations (`.npmrc`, scripts, configs) |
+| `trust add\|remove\|list` | Manage allow/ignore build-script trust per package manager |
+| `override add\|remove\|list` | Manage policy exceptions with reason and expiration |
+
+## What it enforces
+
+- **Disable post-install scripts** — `.npmrc` `ignore-scripts=true`
+- **Block git-based dependencies** — `.npmrc` `allow-git=none`
+- **Package cooldown** — `.npmrc` `min-release-age=3` (3 days)
+- **pnpm hardening** — `minimumReleaseAge`, `trustPolicy: no-downgrade`, `blockExoticSubdeps`, `strictDepBuilds`
+- **Deterministic CI installs** — frozen lockfile per package manager
+- **Advisory checks** — critical vulnerability matching
+- **Tool adapters** — optional `npq`, `sfw`, `lockfile-lint` integration
+- **Override system** — time-bound exceptions with documented reasons
+
+Supports **npm**, **pnpm**, **yarn**, and **bun** — auto-detected. Unknown frameworks degrade gracefully to universal JS/TS baseline.
+
+## Install
+
+```bash
+npm install -g depsentinel
+# or
+pnpm add -g depsentinel
+```
+
+## Docs
+
+Full security best-practices guide with 26-point coverage matrix: [`docs/security-best-practices.md`](docs/security-best-practices.md)
+
+## License
+
+MIT

package/dist/advisories/fixture-source.js

@@ -0,0 +1,25 @@
+const FIXTURE_CRITICAL_ADVISORIES = [
+    {
+        packageName: "vulnerable-lib",
+        affectedVersion: "1.0.0",
+        advisoryId: "DSA-2026-0001",
+        title: "Remote code execution in vulnerable-lib"
+    }
+];
+function matchFixture(facts, fixtures) {
+    for (const fixture of fixtures) {
+        const dependencyVersion = facts.dependencies[fixture.packageName];
+        if (dependencyVersion === fixture.affectedVersion) {
+            return {
+                packageName: fixture.packageName,
+                affectedVersion: fixture.affectedVersion,
+                advisoryId: fixture.advisoryId,
+                title: fixture.title
+            };
+        }
+    }
+    return null;
+}
+export const fixtureAdvisorySource = {
+    findCriticalMatch: (facts) => matchFixture(facts, FIXTURE_CRITICAL_ADVISORIES)
+};

package/dist/advisories/live-source.js

@@ -0,0 +1,83 @@
+const DEFAULT_TTL_MS = 60 * 60 * 1000;
+const GRACE_MS = 15 * 60 * 1000;
+export function createLiveAdvisorySource(options) {
+    const ttl = options.ttlMs ?? DEFAULT_TTL_MS;
+    const fallback = options.fallbackSource ?? null;
+    let cache = null;
+    let refreshInFlight = null;
+    function isFresh() {
+        if (!cache)
+            return false;
+        return Date.now() - cache.fetchedAt < ttl;
+    }
+    function isGraceStale() {
+        if (!cache)
+            return false;
+        return Date.now() - cache.fetchedAt < ttl + GRACE_MS;
+    }
+    async function refresh() {
+        if (refreshInFlight)
+            return refreshInFlight;
+        refreshInFlight = (async () => {
+            try {
+                const controller = new AbortController();
+                const to = setTimeout(() => controller.abort(), 10000);
+                const res = await fetch(options.endpoint, { signal: controller.signal });
+                clearTimeout(to);
+                if (!res.ok)
+                    return false;
+                const data = (await res.json());
+                cache = { advisories: data.advisories ?? [], fetchedAt: Date.now() };
+                return true;
+            }
+            catch {
+                return false;
+            }
+            finally {
+                refreshInFlight = null;
+            }
+        })();
+        return refreshInFlight;
+    }
+    function findCriticalMatch(facts) {
+        if (cache && isFresh()) {
+            return matchAdvisories(facts, cache.advisories);
+        }
+        if (cache && isGraceStale()) {
+            void refresh();
+            return matchAdvisories(facts, cache.advisories);
+        }
+        if (fallback) {
+            const match = fallback.findCriticalMatch(facts);
+            void refresh();
+            return match;
+        }
+        void refresh();
+        return null;
+    }
+    function getStatus() {
+        return {
+            source: options.endpoint,
+            lastFetched: cache?.fetchedAt ?? null,
+            cachedCount: cache?.advisories.length ?? 0,
+            ttlMs: ttl
+        };
+    }
+    return { findCriticalMatch, refresh, getStatus };
+}
+function matchAdvisories(facts, advisories) {
+    for (const adv of advisories) {
+        if (adv.severity !== "critical")
+            continue;
+        const version = facts.dependencies[adv.packageName];
+        if (version && version === adv.affectedVersion) {
+            return {
+                packageName: adv.packageName,
+                affectedVersion: adv.affectedVersion,
+                advisoryId: adv.advisoryId,
+                title: adv.title
+            };
+        }
+    }
+    return null;
+}

package/dist/advisories/source.js

@@ -0,0 +1 @@
+export {};

package/dist/cli.js

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+import { cac } from "cac";
+import { runCi } from "./commands/ci.js";
+import { runDoctor } from "./commands/doctor.js";
+import { runFix } from "./commands/fix.js";
+import { runInit } from "./commands/init.js";
+import { runInstall } from "./commands/install.js";
+import { runScan } from "./commands/scan.js";
+import { runTrust } from "./commands/trust.js";
+import { overrideAdd, overrideList, overrideRemove } from "./core/overrides.js";
+export function createCli() {
+    const cli = cac("depsentinel");
+    cli
+        .command("scan", "Run dependency risk scan")
+        .option("--json", "Emit machine-readable JSON")
+        .action((options) => {
+        const result = runScan({ json: Boolean(options.json) });
+        process.stdout.write(`${result.output}\n`);
+        const hasCritical = result.envelope.result.findings.some((finding) => finding.severity === "critical");
+        if (hasCritical) {
+            process.exitCode = 1;
+        }
+    });
+    cli
+        .command("ci", "Run CI policy gate")
+        .option("--json", "Emit machine-readable JSON")
+        .action((options) => {
+        const result = runCi({ json: Boolean(options.json) });
+        process.stdout.write(`${result.output}\n`);
+        if (result.shouldFail) {
+            process.exitCode = 1;
+        }
+    });
+    cli
+        .command("init", "Initialize depsentinel policy artifacts")
+        .option("--preset <preset>", "Preset to initialize (base|expo)")
+        .option("--write", "Apply changes (default is dry-run)")
+        .option("--json", "Emit machine-readable JSON")
+        .action((options) => {
+        const result = runInit({
+            preset: options.preset,
+            dryRun: !Boolean(options.write),
+            json: Boolean(options.json)
+        });
+        process.stdout.write(`${result.output}\n`);
+    });
+    cli
+        .command("install <package>", "Evaluate and execute safe dependency install")
+        .option("--force", "Override block/warn decision")
+        .option("--json", "Emit machine-readable JSON")
+        .action((pkg, options) => {
+        const result = runInstall({
+            packageName: pkg,
+            force: Boolean(options.force),
+            json: Boolean(options.json)
+        });
+        process.stdout.write(`${result.output}\n`);
+        process.exitCode = result.exitCode;
+    });
+    cli
+        .command("doctor", "Diagnose project against 26 security best practices")
+        .option("--json", "Emit machine-readable JSON")
+        .action((options) => {
+        const result = runDoctor({ json: Boolean(options.json) });
+        process.stdout.write(`${result.output}\n`);
+        if (result.envelope.result.failed > 0) {
+            process.exitCode = 1;
+        }
+    });
+    cli
+        .command("fix", "Apply known remediations for detected gaps (dry-run by default)")
+        .option("--write", "Apply changes")
+        .option("--json", "Emit machine-readable JSON")
+        .action((options) => {
+        const result = runFix({ dryRun: !options.write, json: Boolean(options.json) });
+        process.stdout.write(`${result.output}\n`);
+    });
+    cli
+        .command("trust <action> [package]", "Manage package-manager trust lists")
+        .option("--mode <mode>", "Mode: allow-build | ignore-build")
+        .option("--pm <pm>", "Package manager override")
+        .option("--write", "Apply changes (default is dry-run)")
+        .option("--json", "Emit machine-readable JSON")
+        .action((action, packageName, options) => {
+        const result = runTrust({
+            action,
+            packageName,
+            mode: options.mode,
+            manager: options.pm,
+            dryRun: !Boolean(options.write),
+            json: Boolean(options.json)
+        });
+        process.stdout.write(`${result.output}\n`);
+        process.exitCode = result.exitCode;
+    });
+    cli
+        .command("override <action> [ruleId]", "Manage policy overrides (add | remove | list)")
+        .option("--reason <reason>", "Reason for the override")
+        .option("--expires <date>", "Expiration date (YYYY-MM-DD)")
+        .action((action, ruleId, options) => {
+        if (action === "list") {
+            const store = overrideList();
+            process.stdout.write(JSON.stringify(store, null, 2) + "\n");
+            return;
+        }
+        if (!ruleId) {
+            process.stderr.write("ruleId is required for add/remove\n");
+            process.exitCode = 1;
+            return;
+        }
+        if (action === "remove") {
+            const store = overrideRemove(ruleId);
+            process.stdout.write(JSON.stringify(store, null, 2) + "\n");
+            return;
+        }
+        if (action === "add") {
+            if (!options.reason || !options.expires) {
+                process.stderr.write("--reason and --expires are required for add\n");
+                process.exitCode = 1;
+                return;
+            }
+            const store = overrideAdd({ ruleId, reason: options.reason, expires: options.expires });
+            process.stdout.write(JSON.stringify(store, null, 2) + "\n");
+            return;
+        }
+        process.stderr.write(`Unknown action: ${action}\n`);
+        process.exitCode = 1;
+    });
+    return cli;
+}
+const cli = createCli();
+cli.help();
+cli.parse();

package/dist/commands/ci.js

@@ -0,0 +1,59 @@
+import { formatScanJson } from "../formatters/json.js";
+import { runScan } from "./scan.js";
+function buildDiagnostics(envelope) {
+    const diagnostics = [];
+    if (envelope.facts.packageManager === "unknown") {
+        diagnostics.push("No lockfile detected. Add one of: package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lockb.");
+    }
+    if (envelope.facts.framework === "unknown") {
+        diagnostics.push("Framework not detected. Running universal JS/TS baseline checks only.");
+    }
+    return diagnostics;
+}
+function formatCiHuman(envelope) {
+    const findingLines = envelope.result.findings.length
+        ? envelope.result.findings.map((finding) => `- [${finding.severity}] ${finding.ruleId}: ${finding.message}`).join("\n")
+        : "- none";
+    const remediationLines = envelope.result.remediation_commands.length
+        ? envelope.result.remediation_commands.map((command) => `- ${command}`).join("\n")
+        : "- none";
+    const diagnosticLines = envelope.result.diagnostics.length
+        ? envelope.result.diagnostics.map((message) => `- ${message}`).join("\n")
+        : "- none";
+    return [
+        "depsentinel ci",
+        `risk score: ${envelope.result.risk_score}`,
+        `gate: ${envelope.result.failed_critical_policy ? "fail" : "pass"}`,
+        `package manager: ${envelope.facts.packageManager}`,
+        `framework hint: ${envelope.facts.framework}`,
+        "findings:",
+        findingLines,
+        "remediation:",
+        remediationLines,
+        "diagnostics:",
+        diagnosticLines
+    ].join("\n");
+}
+export function runCi(options = {}) {
+    const scan = runScan({ cwd: options.cwd, json: true });
+    const failedCriticalPolicy = scan.envelope.result.findings.some((finding) => finding.severity === "critical");
+    const envelope = {
+        schemaVersion: "1.0.0",
+        command: "ci",
+        facts: scan.envelope.facts,
+        result: {
+            risk_score: scan.envelope.result.risk_score,
+            proposed_diff: scan.envelope.result.proposed_diff,
+            remediation_commands: scan.envelope.result.remediation_commands,
+            findings: scan.envelope.result.findings,
+            failed_critical_policy: failedCriticalPolicy,
+            diagnostics: []
+        }
+    };
+    envelope.result.diagnostics = buildDiagnostics(envelope);
+    return {
+        envelope,
+        output: options.json ? formatScanJson(envelope) : formatCiHuman(envelope),
+        shouldFail: failedCriticalPolicy
+    };
+}

package/dist/commands/doctor.js

@@ -0,0 +1,79 @@
+import { detectProjectFacts } from "../core/detector.js";
+import { collectDiagnoses } from "../core/doctor-checks.js";
+import { computeRiskScore } from "../core/risk-score.js";
+function buildRemediationCommands(facts) {
+    const install = facts.packageManager === "pnpm"
+        ? "pnpm install --frozen-lockfile"
+        : facts.packageManager === "yarn"
+            ? "yarn install --immutable"
+            : facts.packageManager === "bun"
+                ? "bun install --frozen-lockfile"
+                : facts.packageManager === "npm"
+                    ? "npm ci"
+                    : "corepack enable && pnpm install --frozen-lockfile";
+    return [install, "depsentinel init --write", "depsentinel ci --json"];
+}
+function formatDoctorHuman(facts, diagnoses) {
+    const byCategory = new Map();
+    for (const d of diagnoses) {
+        const list = byCategory.get(d.category) ?? [];
+        list.push(d);
+        byCategory.set(d.category, list);
+    }
+    const statusIcon = (s) => (s === "pass" ? "PASS" : s === "fail" ? "FAIL" : "SKIP");
+    const severityFlag = (sv) => (sv === "critical" ? "!! " : sv === "high" ? "! " : "");
+    const lines = ["depsentinel doctor", `package manager: ${facts.packageManager}`, `framework hint: ${facts.framework}`, ""];
+    const order = ["config", "dependencies", "ci", "maintainer"];
+    for (const cat of order) {
+        const items = byCategory.get(cat) ?? [];
+        if (items.length === 0)
+            continue;
+        const fails = items.filter((d) => d.status === "fail").length;
+        const passes = items.filter((d) => d.status === "pass").length;
+        const skips = items.filter((d) => d.status === "skipped").length;
+        lines.push(`--- ${cat.toUpperCase()} (${passes} pass, ${fails} fail, ${skips} skip) ---`);
+        for (const d of items) {
+            lines.push(`  [${statusIcon(d.status)}] ${severityFlag(d.severity)}${d.title}`);
+            if (d.status === "fail") {
+                lines.push(`    Why: ${d.detail}`);
+                lines.push(`    Fix: ${d.remediation}`);
+            }
+            if (d.status === "skipped") {
+                lines.push(`    Note: ${d.detail}`);
+                lines.push(`    Action: ${d.remediation}`);
+            }
+        }
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+export function runDoctor(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const facts = detectProjectFacts(cwd);
+    const diagnoses = collectDiagnoses(cwd, facts);
+    const passed = diagnoses.filter((d) => d.status === "pass").length;
+    const failed = diagnoses.filter((d) => d.status === "fail").length;
+    const skipped = diagnoses.filter((d) => d.status === "skipped").length;
+    const riskFindings = diagnoses.filter((d) => d.status === "fail").map((d) => ({
+        ruleId: d.id,
+        severity: d.severity,
+        message: d.title
+    }));
+    const score = computeRiskScore(riskFindings);
+    const envelope = {
+        schemaVersion: "1.0.0",
+        command: "doctor",
+        facts,
+        result: {
+            risk_score: score,
+            diagnoses,
+            passed,
+            failed,
+            skipped
+        }
+    };
+    return {
+        envelope,
+        output: options.json ? JSON.stringify(envelope, null, 2) : formatDoctorHuman(facts, diagnoses)
+    };
+}

package/dist/commands/fix.js

@@ -0,0 +1,101 @@
+import { existsSync, readFileSync } from "node:fs";
+import path from "node:path";
+import { detectProjectFacts } from "../core/detector.js";
+import { planSafeFile, applySafePlan } from "../core/safe-write.js";
+function readJsonSafe(filePath) {
+    if (!existsSync(filePath))
+        return {};
+    try {
+        return JSON.parse(readFileSync(filePath, "utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+function collectFixPlans(cwd) {
+    const facts = detectProjectFacts(cwd);
+    const plans = [];
+    // .npmrc
+    const npmrcPath = path.join(cwd, ".npmrc");
+    const npmrcContent = [
+        "# depsentinel npm security baseline",
+        "ignore-scripts=true",
+        "allow-git=none",
+        "min-release-age=3",
+        ""
+    ].join("\n");
+    plans.push(planSafeFile(npmrcPath, npmrcContent));
+    // .npmignore
+    const npmignorePath = path.join(cwd, ".npmignore");
+    const npmignoreContent = "# depsentinel secure npmignore\n.env\n*.log\ncoverage/\nnode_modules/\n";
+    plans.push(planSafeFile(npmignorePath, npmignoreContent));
+    // .gitignore
+    const gitignorePath = path.join(cwd, ".gitignore");
+    if (!existsSync(gitignorePath)) {
+        plans.push(planSafeFile(gitignorePath, "# depsentinel\ndist/\nnode_modules/\n.env\n*.log\n"));
+    }
+    // Accumulate package.json changes in memory
+    const pkgPath = path.join(cwd, "package.json");
+    const pkg = readJsonSafe(pkgPath);
+    let pkgDirty = false;
+    // files allowlist
+    if (pkg.name && !pkg.private && !pkg.files) {
+        pkg.files = ["dist"];
+        pkgDirty = true;
+    }
+    // lint:lockfile script
+    if (!pkg.scripts)
+        pkg.scripts = {};
+    if (!pkg.scripts["lint:lockfile"]) {
+        pkg.scripts["lint:lockfile"] = "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https";
+        pkgDirty = true;
+    }
+    // sbom script
+    if (!pkg.scripts["sbom"] && !pkg.scripts["generate:sbom"]) {
+        pkg.scripts["sbom"] = "npx @cyclonedx/cyclonedx-npm --validate > sbom.json";
+        pkgDirty = true;
+    }
+    if (pkgDirty) {
+        plans.push(planSafeFile(pkgPath, JSON.stringify(pkg, null, 2) + "\n"));
+    }
+    // Bunfig
+    if (facts.packageManager === "bun") {
+        const bunfigPath = path.join(cwd, "bunfig.toml");
+        const bunfigContent = "[install]\nminimumReleaseAge = 259200\n";
+        plans.push(planSafeFile(bunfigPath, bunfigContent));
+    }
+    // Yarnrc
+    if (facts.packageManager === "yarn") {
+        const yarnrcPath = path.join(cwd, ".yarnrc.yml");
+        const yarnrcContent = "npmMinimalAgeGate: \"3d\"\n";
+        plans.push(planSafeFile(yarnrcPath, yarnrcContent));
+    }
+    return { plans, facts };
+}
+function buildEntries(plans) {
+    return plans.map((p) => ({
+        path: path.basename(p.path),
+        status: (p.status === "noop" ? "noop" : p.status === "create" ? "created" : "applied"),
+        backupPath: p.backupPath ? path.basename(p.backupPath) : undefined,
+        reason: p.status === "update" ? "content updated" : p.status === "create" ? "new file" : "already current"
+    }));
+}
+export function runFix(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const dryRun = options.dryRun ?? true;
+    const { plans } = collectFixPlans(cwd);
+    const applied = applySafePlan(plans, { dryRun });
+    const entries = buildEntries(plans);
+    const outputLines = [
+        "depsentinel fix",
+        `Mode: ${dryRun ? "dry-run" : "apply"}`,
+        ...entries.map((e) => {
+            const backup = e.backupPath ? ` (backup: ${e.backupPath})` : "";
+            return `- ${e.path}: ${e.status} — ${e.reason}${backup}`;
+        })
+    ];
+    const output = options.json
+        ? JSON.stringify({ command: "fix", dryRun, entries }, null, 2)
+        : outputLines.join("\n");
+    return { entries, dryRun, output };
+}

package/dist/commands/init.js

@@ -0,0 +1,143 @@
+import path from "node:path";
+import { applySafePlan, planSafeFile } from "../core/safe-write.js";
+import { detectProjectFacts } from "../core/detector.js";
+function buildDepsentinelConfig(preset) {
+    return JSON.stringify({
+        schemaVersion: "1.0.0",
+        preset,
+        policyCatalog: "v1",
+        failOn: ["critical"],
+        overrides: []
+    }, null, 2);
+}
+function buildNpmRc() {
+    return [
+        "# depsentinel npm security baseline",
+        "ignore-scripts=true",
+        "allow-git=none",
+        "min-release-age=3",
+        ""
+    ].join("\n");
+}
+function buildPnpmWorkspace() {
+    return [
+        "packages:",
+        "  - \".\"",
+        "",
+        "# depsentinel pnpm security baseline",
+        "minimumReleaseAge: 43200",
+        "trustPolicy: no-downgrade",
+        "blockExoticSubdeps: true",
+        "strictDepBuilds: true",
+        "allowBuilds:",
+        "  esbuild: true",
+        "  rolldown: true",
+        "  unrs-resolver: true",
+        ""
+    ].join("\n");
+}
+function buildBunfig() {
+    return [
+        "[install]",
+        "minimumReleaseAge = 259200",
+        ""
+    ].join("\n");
+}
+function buildYarnRc() {
+    return [
+        "npmMinimalAgeGate: \"3d\"",
+        ""
+    ].join("\n");
+}
+function buildNpmIgnore() {
+    return [
+        "# depsentinel secure npmignore",
+        ".env",
+        "*.log",
+        "coverage/",
+        "node_modules/",
+        ""
+    ].join("\n");
+}
+function buildCiWorkflow() {
+    return [
+        "name: depsentinel-ci",
+        "",
+        "on:",
+        "  pull_request:",
+        "  push:",
+        "    branches: [main]",
+        "",
+        "jobs:",
+        "  policy-gate:",
+        "    runs-on: ubuntu-latest",
+        "    steps:",
+        "      - uses: actions/checkout@v4",
+        "      - uses: pnpm/action-setup@v4",
+        "      - uses: actions/setup-node@v4",
+        "        with:",
+        "          node-version: 22",
+        "          cache: pnpm",
+        "      - name: Install dependencies",
+        "        run: |",
+        "          if [ -f pnpm-lock.yaml ]; then corepack enable && pnpm install --frozen-lockfile;",
+        "          elif [ -f yarn.lock ]; then corepack enable && yarn install --immutable;",
+        "          elif [ -f bun.lockb ]; then bun install --frozen-lockfile;",
+        "          elif [ -f package-lock.json ]; then npm ci;",
+        "          else corepack enable && pnpm install; fi",
+        "      - name: Build depsentinel CLI",
+        "        run: pnpm build",
+        "      - name: Run depsentinel CI gate",
+        "        run: node dist/cli.js ci --json"
+    ].join("\n");
+}
+function toFilePlan(result) {
+    return {
+        path: path.basename(result.path),
+        status: result.status,
+        backupPath: result.backupPath ? path.basename(result.backupPath) : undefined
+    };
+}
+export function runInit(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const preset = options.preset ?? "base";
+    const dryRun = options.dryRun ?? true;
+    const facts = detectProjectFacts(cwd);
+    const planned = [
+        planSafeFile(path.join(cwd, "depsentinel.json"), `${buildDepsentinelConfig(preset)}\n`),
+        planSafeFile(path.join(cwd, ".npmrc"), buildNpmRc()),
+        planSafeFile(path.join(cwd, ".npmignore"), buildNpmIgnore()),
+        planSafeFile(path.join(cwd, ".github", "workflows", "depsentinel-ci.yml"), `${buildCiWorkflow()}\n`)
+    ];
+    if (facts.packageManager === "pnpm" || facts.packageManager === "unknown") {
+        planned.push(planSafeFile(path.join(cwd, "pnpm-workspace.yaml"), buildPnpmWorkspace()));
+    }
+    if (facts.packageManager === "bun") {
+        planned.push(planSafeFile(path.join(cwd, "bunfig.toml"), buildBunfig()));
+    }
+    if (facts.packageManager === "yarn") {
+        planned.push(planSafeFile(path.join(cwd, ".yarnrc.yml"), buildYarnRc()));
+    }
+    const applied = applySafePlan(planned, { dryRun });
+    const files = applied.map(toFilePlan);
+    const envelope = {
+        schemaVersion: "1.0.0",
+        command: "init",
+        result: {
+            preset,
+            dryRun,
+            files
+        }
+    };
+    const output = options.json
+        ? JSON.stringify(envelope, null, 2)
+        : [
+            `Init preset: ${preset}`,
+            `Mode: ${dryRun ? "dry-run" : "apply"}`,
+            ...files.map((file) => {
+                const backup = file.backupPath ? ` (backup: ${file.backupPath})` : "";
+                return `- ${file.path}: ${file.status}${backup}`;
+            })
+        ].join("\n");
+    return { envelope, output };
+}