mitnick-cli 1.0.0

package/dist/cli/commands/check.js

@@ -0,0 +1,204 @@
+/**
+ * "check" command handler.
+ *
+ * Parses package specifiers, fetches metadata and tarballs from the
+ * npm registry, runs the analysis engine, and outputs formatted results.
+ */
+import { readFile, stat } from 'node:fs/promises';
+import { join } from 'node:path';
+import ora from 'ora';
+import { TerminalFormatter } from '../formatters/terminal.js';
+import { JsonFormatter } from '../formatters/json.js';
+import { SarifFormatter } from '../formatters/sarif.js';
+import { AnalysisEngine } from '../../core/engine.js';
+import { hasFindsAtOrAbove } from '../../core/scorer.js';
+import { createAnalyzers } from '../../analyzers/analyzer.registry.js';
+import { fetchPackageMetadata } from '../../registry/client.js';
+import { downloadAndExtract } from '../../registry/tarball.js';
+import { logger } from '../../utils/logger.js';
+const MAX_PACKAGE_JSON_SIZE = 5 * 1024 * 1024; // 5MB
+// ─── Package Specifier Parsing ───────────────────────────
+/**
+ * Parse a package specifier string into name and optional version.
+ *
+ * Handles:
+ * - "express"          -> { name: "express" }
+ * - "express@4.19.2"   -> { name: "express", version: "4.19.2" }
+ * - "@scope/pkg"       -> { name: "@scope/pkg" }
+ * - "@scope/pkg@1.0.0" -> { name: "@scope/pkg", version: "1.0.0" }
+ */
+function parsePackageSpecifier(specifier) {
+    const trimmed = specifier.trim();
+    if (trimmed.startsWith('@')) {
+        // Scoped package: @scope/name or @scope/name@version
+        const slashIndex = trimmed.indexOf('/');
+        if (slashIndex === -1) {
+            return { name: trimmed };
+        }
+        const afterSlash = trimmed.slice(slashIndex + 1);
+        const atIndex = afterSlash.indexOf('@');
+        if (atIndex === -1) {
+            return { name: trimmed };
+        }
+        const name = trimmed.slice(0, slashIndex + 1 + atIndex);
+        const version = afterSlash.slice(atIndex + 1);
+        if (version === '') {
+            logger.warn(`Trailing "@" in specifier "${trimmed}" — defaulting to latest version`);
+            return { name };
+        }
+        return { name, version };
+    }
+    // Unscoped package: name or name@version
+    const atIndex = trimmed.indexOf('@');
+    if (atIndex <= 0) {
+        return { name: trimmed };
+    }
+    const name = trimmed.slice(0, atIndex);
+    const version = trimmed.slice(atIndex + 1);
+    if (version === '') {
+        logger.warn(`Trailing "@" in specifier "${trimmed}" — defaulting to latest version`);
+        return { name };
+    }
+    return { name, version };
+}
+// ─── Formatter Factory ───────────────────────────────────
+function createFormatter(format) {
+    switch (format) {
+        case 'json':
+            return new JsonFormatter();
+        case 'sarif':
+            return new SarifFormatter();
+        case 'terminal':
+            return new TerminalFormatter();
+    }
+}
+// ─── Command Handler ────────────────────────────────────
+/**
+ * Execute the "check" command for one or more packages.
+ *
+ * For each package:
+ * 1. Fetch metadata from npm registry
+ * 2. Download and extract tarball to temp directory
+ * 3. Run all analyzers via the engine
+ * 4. Format and output results
+ *
+ * Returns true if all packages pass (no findings at or above --fail-on),
+ * false if any package fails the threshold check.
+ */
+export async function executeCheck(options) {
+    const { packages, format, failOn, verbose } = options;
+    const formatter = createFormatter(format);
+    const analyzers = createAnalyzers();
+    const engine = new AnalysisEngine(analyzers);
+    const isTerminal = format === 'terminal';
+    let allPassed = true;
+    for (const specifier of packages) {
+        const parsed = parsePackageSpecifier(specifier);
+        let tarballCleanup;
+        try {
+            // Fetch metadata
+            const metadataSpinner = isTerminal
+                ? ora(`Fetching metadata for ${parsed.name}...`).start()
+                : undefined;
+            const registryResult = await fetchPackageMetadata(parsed.name, parsed.version);
+            if (!registryResult.ok) {
+                metadataSpinner?.fail(`Failed to fetch metadata for ${parsed.name}`);
+                const pkg = parsed.version !== undefined ? `${parsed.name}@${parsed.version}` : parsed.name;
+                console.error(`\n  Error: ${registryResult.message} (${pkg})\n`);
+                allPassed = false;
+                continue;
+            }
+            const { metadata, tarballUrl } = registryResult;
+            metadataSpinner?.succeed(`Fetched metadata for ${metadata.name}@${metadata.version}`);
+            // Download and extract tarball
+            const tarballSpinner = isTerminal
+                ? ora(`Downloading ${metadata.name}@${metadata.version}...`).start()
+                : undefined;
+            const tarballResult = await downloadAndExtract(tarballUrl, metadata.name);
+            if (!tarballResult.ok) {
+                tarballSpinner?.fail(`Failed to download ${metadata.name}@${metadata.version}`);
+                console.error(`\n  Error: ${tarballResult.message}\n`);
+                allPassed = false;
+                continue;
+            }
+            tarballCleanup = tarballResult.cleanup;
+            tarballSpinner?.succeed(`Extracted ${metadata.name}@${metadata.version}`);
+            // Read package.json from extracted tarball
+            const packageJsonPath = join(tarballResult.extractedPath, 'package.json');
+            let packageJsonRaw;
+            try {
+                const packageJsonStat = await stat(packageJsonPath);
+                if (packageJsonStat.size > MAX_PACKAGE_JSON_SIZE) {
+                    const pkg = `${metadata.name}@${metadata.version}`;
+                    console.error(`\n  Error: package.json for ${pkg} exceeds maximum allowed size of ${MAX_PACKAGE_JSON_SIZE} bytes\n`);
+                    allPassed = false;
+                    continue;
+                }
+                packageJsonRaw = await readFile(packageJsonPath, 'utf-8');
+            }
+            catch (readError) {
+                const pkg = `${metadata.name}@${metadata.version}`;
+                const msg = readError instanceof Error ? readError.message : String(readError);
+                console.error(`\n  Error: Failed to read package.json for ${pkg}: ${msg}\n`);
+                allPassed = false;
+                continue;
+            }
+            let packageJson;
+            try {
+                packageJson = JSON.parse(packageJsonRaw);
+            }
+            catch {
+                const pkg = `${metadata.name}@${metadata.version}`;
+                console.error(`\n  Error: Malformed package.json for ${pkg}\n`);
+                allPassed = false;
+                continue;
+            }
+            // Build analysis context
+            const context = {
+                packageName: metadata.name,
+                version: metadata.version,
+                packageJson,
+                extractedPath: tarballResult.extractedPath,
+                registryMetadata: metadata,
+            };
+            // Run analysis
+            const analysisSpinner = isTerminal ? ora('Running security analysis...').start() : undefined;
+            const report = await engine.analyze(context);
+            analysisSpinner?.stop();
+            // Output results
+            const output = formatter.format(report);
+            console.log(output);
+            // Check fail-on threshold
+            if (failOn !== undefined && hasFindsAtOrAbove(report.results, failOn)) {
+                allPassed = false;
+                if (isTerminal) {
+                    console.error(`\n  Findings at or above "${failOn}" severity detected. Failing.\n`);
+                }
+            }
+            // Log verbose info
+            if (verbose && isTerminal) {
+                console.log(`  Analyzers run: ${report.results.length}`);
+                console.log(`  Total findings: ${report.totalFindings}`);
+                console.log(`  Analysis duration: ${report.duration}ms\n`);
+            }
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            const pkg = parsed.version !== undefined ? `${parsed.name}@${parsed.version}` : parsed.name;
+            if (isTerminal) {
+                console.error(`\n  Error analyzing ${pkg}: ${message}\n`);
+            }
+            else {
+                console.error(JSON.stringify({ error: message, package: pkg }));
+            }
+            allPassed = false;
+        }
+        finally {
+            if (tarballCleanup) {
+                await tarballCleanup();
+            }
+        }
+    }
+    return allPassed;
+}
+//# sourceMappingURL=check.js.map

package/dist/cli/commands/check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.js","sourceRoot":"","sources":["../../../src/cli/commands/check.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,GAAG,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAS/C,MAAM,qBAAqB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM;AAErD,4DAA4D;AAE5D;;;;;;;;GAQG;AACH,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;IAEjC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,qDAAqD;QACrD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAExC,IAAI,OAAO,KAAK,CAAC,CAAC,EAAE,CAAC;YACnB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;QAE9C,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,8BAA8B,OAAO,kCAAkC,CAAC,CAAC;YACrF,OAAO,EAAE,IAAI,EAAE,CAAC;QAClB,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,yCAAyC;IACzC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAErC,IAAI,OAAO,IAAI,CAAC,EAAE,CAAC;QACjB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IAE3C,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,8BAA8B,OAAO,kCAAkC,CAAC,CAAC;QACrF,OAAO,EAAE,IAAI,EAAE,CAAC;IAClB,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC3B,CAAC;AAED,4DAA4D;AAE5D,SAAS,eAAe,CAAC,MAAoB;IAC3C,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,OAAO,IAAI,aAAa,EAAE,CAAC;QAC7B,KAAK,OAAO;YACV,OAAO,IAAI,cAAc,EAAE,CAAC;QAC9B,KAAK,UAAU;YACb,OAAO,IAAI,iBAAiB,EAAE,CAAC;IACnC,CAAC;AACH,CAAC;AAED,2DAA2D;AAE3D;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAqB;IACtD,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IACtD,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IACpC,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,MAAM,KAAK,UAAU,CAAC;IAEzC,IAAI,SAAS,GAAG,IAAI,CAAC;IAErB,KAAK,MAAM,SAAS,IAAI,QAAQ,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,cAAiD,CAAC;QAEtD,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,eAAe,GAAG,UAAU;gBAChC,CAAC,CAAC,GAAG,CAAC,yBAAyB,MAAM,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE;gBACxD,CAAC,CAAC,SAAS,CAAC;YAEd,MAAM,cAAc,GAAG,MAAM,oBAAoB,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;YAE/E,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;gBACvB,eAAe,EAAE,IAAI,CAAC,gCAAgC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBACrE,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;gBAC5F,OAAO,CAAC,KAAK,CAAC,cAAc,cAAc,CAAC,OAAO,KAAK,GAAG,KAAK,CAAC,CAAC;gBACjE,SAAS,GAAG,KAAK,CAAC;gBAClB,SAAS;YACX,CAAC;YAED,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,cAAc,CAAC;YAChD,eAAe,EAAE,OAAO,CAAC,wBAAwB,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;YAEtF,+BAA+B;YAC/B,MAAM,cAAc,GAAG,UAAU;gBAC/B,CAAC,CAAC,GAAG,CAAC,eAAe,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,KAAK,CAAC,CAAC,KAAK,EAAE;gBACpE,CAAC,CAAC,SAAS,CAAC;YAEd,MAAM,aAAa,GAAG,MAAM,kBAAkB,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;YAE1E,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;gBACtB,cAAc,EAAE,IAAI,CAAC,sBAAsB,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;gBAChF,OAAO,CAAC,KAAK,CAAC,cAAc,aAAa,CAAC,OAAO,IAAI,CAAC,CAAC;gBACvD,SAAS,GAAG,KAAK,CAAC;gBAClB,SAAS;YACX,CAAC;YAED,cAAc,GAAG,aAAa,CAAC,OAAO,CAAC;YACvC,cAAc,EAAE,OAAO,CAAC,aAAa,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;YAE1E,2CAA2C;YAC3C,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;YAE1E,IAAI,cAAsB,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,CAAC;gBACpD,IAAI,eAAe,CAAC,IAAI,GAAG,qBAAqB,EAAE,CAAC;oBACjD,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;oBACnD,OAAO,CAAC,KAAK,CACX,+BAA+B,GAAG,oCAAoC,qBAAqB,UAAU,CACtG,CAAC;oBACF,SAAS,GAAG,KAAK,CAAC;oBAClB,SAAS;gBACX,CAAC;gBACD,cAAc,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;YAC5D,CAAC;YAAC,OAAO,SAAkB,EAAE,CAAC;gBAC5B,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACnD,MAAM,GAAG,GAAG,SAAS,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC/E,OAAO,CAAC,KAAK,CAAC,8CAA8C,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC;gBAC7E,SAAS,GAAG,KAAK,CAAC;gBAClB,SAAS;YACX,CAAC;YAED,IAAI,WAAoC,CAAC;YACzC,IAAI,CAAC;gBACH,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAA4B,CAAC;YACtE,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACnD,OAAO,CAAC,KAAK,CAAC,yCAAyC,GAAG,IAAI,CAAC,CAAC;gBAChE,SAAS,GAAG,KAAK,CAAC;gBAClB,SAAS;YACX,CAAC;YAED,yBAAyB;YACzB,MAAM,OAAO,GAAoB;gBAC/B,WAAW,EAAE,QAAQ,CAAC,IAAI;gBAC1B,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,WAAW;gBACX,aAAa,EAAE,aAAa,CAAC,aAAa;gBAC1C,gBAAgB,EAAE,QAAQ;aAC3B,CAAC;YAEF,eAAe;YACf,MAAM,eAAe,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAE7F,MAAM,MAAM,GAAmB,MAAM,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC7D,eAAe,EAAE,IAAI,EAAE,CAAC;YAExB,iBAAiB;YACjB,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAEpB,0BAA0B;YAC1B,IAAI,MAAM,KAAK,SAAS,IAAI,iBAAiB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC;gBACtE,SAAS,GAAG,KAAK,CAAC;gBAElB,IAAI,UAAU,EAAE,CAAC;oBACf,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,iCAAiC,CAAC,CAAC;gBACtF,CAAC;YACH,CAAC;YAED,mBAAmB;YACnB,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;gBACzD,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC;gBACzD,OAAO,CAAC,GAAG,CAAC,wBAAwB,MAAM,CAAC,QAAQ,MAAM,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;YAE5F,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,uBAAuB,GAAG,KAAK,OAAO,IAAI,CAAC,CAAC;YAC5D,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;YAClE,CAAC;YAED,SAAS,GAAG,KAAK,CAAC;QACpB,CAAC;gBAAS,CAAC;YACT,IAAI,cAAc,EAAE,CAAC;gBACnB,MAAM,cAAc,EAAE,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/cli/formatters/formatter.interface.d.ts

@@ -0,0 +1,14 @@
+import type { SecurityReport } from '../../core/types.js';
+/**
+ * Contract for output formatters.
+ *
+ * Formatters transform a SecurityReport into a string representation
+ * suitable for a specific output target (terminal, JSON file, CI system).
+ */
+export interface Formatter {
+    /** Format identifier */
+    readonly name: string;
+    /** Transform a security report into formatted string output */
+    format(report: SecurityReport): string;
+}
+//# sourceMappingURL=formatter.interface.d.ts.map

package/dist/cli/formatters/formatter.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"formatter.interface.d.ts","sourceRoot":"","sources":["../../../src/cli/formatters/formatter.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB,wBAAwB;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,+DAA+D;IAC/D,MAAM,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAAC;CACxC"}

package/dist/cli/formatters/formatter.interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=formatter.interface.js.map

package/dist/cli/formatters/formatter.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"formatter.interface.js","sourceRoot":"","sources":["../../../src/cli/formatters/formatter.interface.ts"],"names":[],"mappings":""}

package/dist/cli/formatters/json.d.ts

@@ -0,0 +1,12 @@
+/**
+ * JSON formatter — outputs SecurityReport as pretty-printed JSON.
+ *
+ * Suitable for programmatic consumption and piping to other tools.
+ */
+import type { Formatter } from './formatter.interface.js';
+import type { SecurityReport } from '../../core/types.js';
+export declare class JsonFormatter implements Formatter {
+    readonly name: "json";
+    format(report: SecurityReport): string;
+}
+//# sourceMappingURL=json.d.ts.map

package/dist/cli/formatters/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../../src/cli/formatters/json.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,qBAAa,aAAc,YAAW,SAAS;IAC7C,QAAQ,CAAC,IAAI,EAAG,MAAM,CAAU;IAEhC,MAAM,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM;CAGvC"}

package/dist/cli/formatters/json.js

@@ -0,0 +1,12 @@
+/**
+ * JSON formatter — outputs SecurityReport as pretty-printed JSON.
+ *
+ * Suitable for programmatic consumption and piping to other tools.
+ */
+export class JsonFormatter {
+    name = 'json';
+    format(report) {
+        return JSON.stringify(report, null, 2);
+    }
+}
+//# sourceMappingURL=json.js.map

package/dist/cli/formatters/json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.js","sourceRoot":"","sources":["../../../src/cli/formatters/json.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,MAAM,OAAO,aAAa;IACf,IAAI,GAAG,MAAe,CAAC;IAEhC,MAAM,CAAC,MAAsB;QAC3B,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;CACF"}

package/dist/cli/formatters/sarif.d.ts

@@ -0,0 +1,13 @@
+/**
+ * SARIF v2.1.0 formatter — outputs SecurityReport in Static Analysis
+ * Results Interchange Format for CI/CD integration (e.g., GitHub Security tab).
+ *
+ * Specification: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+ */
+import type { Formatter } from './formatter.interface.js';
+import type { SecurityReport } from '../../core/types.js';
+export declare class SarifFormatter implements Formatter {
+    readonly name: "sarif";
+    format(report: SecurityReport): string;
+}
+//# sourceMappingURL=sarif.d.ts.map

package/dist/cli/formatters/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../../src/cli/formatters/sarif.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,EAAW,cAAc,EAAY,MAAM,qBAAqB,CAAC;AA+I7E,qBAAa,cAAe,YAAW,SAAS;IAC9C,QAAQ,CAAC,IAAI,EAAG,OAAO,CAAU;IAEjC,MAAM,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM;CAwBvC"}

package/dist/cli/formatters/sarif.js

@@ -0,0 +1,101 @@
+/**
+ * SARIF v2.1.0 formatter — outputs SecurityReport in Static Analysis
+ * Results Interchange Format for CI/CD integration (e.g., GitHub Security tab).
+ *
+ * Specification: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+ */
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const pkg = require('../../../package.json');
+// ─── Severity Mapping ────────────────────────────────────
+const SEVERITY_TO_SARIF_LEVEL = {
+    critical: 'error',
+    high: 'error',
+    medium: 'warning',
+    low: 'note',
+    info: 'none',
+};
+// ─── Helpers ─────────────────────────────────────────────
+function buildRuleId(finding) {
+    const sanitized = finding.analyzer.replace(/[^a-zA-Z0-9-]/g, '-');
+    const titleSlug = finding.title.replace(/[^a-zA-Z0-9-]/g, '-').substring(0, 50);
+    return `${sanitized}/${titleSlug}`;
+}
+function buildRules(findings) {
+    const ruleMap = new Map();
+    for (let i = 0; i < findings.length; i++) {
+        const finding = findings[i];
+        if (!finding)
+            continue;
+        const ruleId = buildRuleId(finding);
+        const rule = {
+            id: ruleId,
+            shortDescription: { text: finding.title },
+            defaultConfiguration: {
+                level: SEVERITY_TO_SARIF_LEVEL[finding.severity],
+            },
+        };
+        if (finding.description !== '') {
+            ruleMap.set(ruleId, {
+                ...rule,
+                fullDescription: { text: finding.description },
+            });
+        }
+        else {
+            ruleMap.set(ruleId, rule);
+        }
+    }
+    return [...ruleMap.values()];
+}
+function buildResults(findings) {
+    return findings.map((finding) => {
+        const ruleId = buildRuleId(finding);
+        const level = SEVERITY_TO_SARIF_LEVEL[finding.severity];
+        const result = {
+            ruleId,
+            level,
+            message: {
+                text: finding.description !== '' ? finding.description : finding.title,
+            },
+            ...(finding.file !== undefined
+                ? {
+                    locations: [
+                        {
+                            physicalLocation: {
+                                artifactLocation: { uri: finding.file },
+                                ...(finding.line !== undefined ? { region: { startLine: finding.line } } : {}),
+                            },
+                        },
+                    ],
+                }
+                : {}),
+        };
+        return result;
+    });
+}
+// ─── Formatter ───────────────────────────────────────────
+export class SarifFormatter {
+    name = 'sarif';
+    format(report) {
+        const allFindings = report.results.flatMap((r) => r.findings);
+        const sarifLog = {
+            $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+            version: '2.1.0',
+            runs: [
+                {
+                    tool: {
+                        driver: {
+                            name: 'mitnick',
+                            version: pkg.version,
+                            informationUri: 'https://github.com/mitnick-cli/mitnick',
+                            rules: buildRules(allFindings),
+                        },
+                    },
+                    results: buildResults(allFindings),
+                },
+            ],
+        };
+        return JSON.stringify(sarifLog, null, 2);
+    }
+}
+//# sourceMappingURL=sarif.js.map

package/dist/cli/formatters/sarif.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../../src/cli/formatters/sarif.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAI5C,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,GAAG,GAAG,OAAO,CAAC,uBAAuB,CAAwB,CAAC;AA8DpE,4DAA4D;AAE5D,MAAM,uBAAuB,GAAqD;IAChF,QAAQ,EAAE,OAAO;IACjB,IAAI,EAAE,OAAO;IACb,MAAM,EAAE,SAAS;IACjB,GAAG,EAAE,MAAM;IACX,IAAI,EAAE,MAAM;CACb,CAAC;AAEF,4DAA4D;AAE5D,SAAS,WAAW,CAAC,OAAgB;IACnC,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChF,OAAO,GAAG,SAAS,IAAI,SAAS,EAAE,CAAC;AACrC,CAAC;AAED,SAAS,UAAU,CAAC,QAA4B;IAC9C,MAAM,OAAO,GAAG,IAAI,GAAG,EAAoC,CAAC;IAE5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QAEpC,MAAM,IAAI,GAA6B;YACrC,EAAE,EAAE,MAAM;YACV,gBAAgB,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,EAAE;YACzC,oBAAoB,EAAE;gBACpB,KAAK,EAAE,uBAAuB,CAAC,OAAO,CAAC,QAAQ,CAAC;aACjD;SACF,CAAC;QAEF,IAAI,OAAO,CAAC,WAAW,KAAK,EAAE,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE;gBAClB,GAAG,IAAI;gBACP,eAAe,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE;aAC/C,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,YAAY,CAAC,QAA4B;IAChD,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,uBAAuB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAExD,MAAM,MAAM,GAAgB;YAC1B,MAAM;YACN,KAAK;YACL,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO,CAAC,WAAW,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK;aACvE;YACD,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS;gBAC5B,CAAC,CAAC;oBACE,SAAS,EAAE;wBACT;4BACE,gBAAgB,EAAE;gCAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,IAAI,EAAE;gCACvC,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;6BAC/E;yBACF;qBACF;iBACF;gBACH,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;QAEF,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,4DAA4D;AAE5D,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,OAAgB,CAAC;IAEjC,MAAM,CAAC,MAAsB;QAC3B,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE9D,MAAM,QAAQ,GAAa;YACzB,OAAO,EACL,sGAAsG;YACxG,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE;gBACJ;oBACE,IAAI,EAAE;wBACJ,MAAM,EAAE;4BACN,IAAI,EAAE,SAAS;4BACf,OAAO,EAAE,GAAG,CAAC,OAAO;4BACpB,cAAc,EAAE,wCAAwC;4BACxD,KAAK,EAAE,UAAU,CAAC,WAAW,CAAC;yBAC/B;qBACF;oBACD,OAAO,EAAE,YAAY,CAAC,WAAW,CAAC;iBACnC;aACF;SACF,CAAC;QAEF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAC3C,CAAC;CACF"}

package/dist/cli/formatters/terminal.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Terminal formatter — beautiful human-readable output using chalk.
+ *
+ * Displays analyzer results with status icons, a findings table
+ * sorted by severity, the overall score with color coding, and duration.
+ */
+import type { Formatter } from './formatter.interface.js';
+import { type SecurityReport } from '../../core/types.js';
+export declare class TerminalFormatter implements Formatter {
+    readonly name: "terminal";
+    format(report: SecurityReport): string;
+}
+//# sourceMappingURL=terminal.d.ts.map

package/dist/cli/formatters/terminal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"terminal.d.ts","sourceRoot":"","sources":["../../../src/cli/formatters/terminal.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAKL,KAAK,cAAc,EAEpB,MAAM,qBAAqB,CAAC;AA4G7B,qBAAa,iBAAkB,YAAW,SAAS;IACjD,QAAQ,CAAC,IAAI,EAAG,UAAU,CAAU;IAEpC,MAAM,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM;CA8BvC"}

package/dist/cli/formatters/terminal.js

@@ -0,0 +1,110 @@
+/**
+ * Terminal formatter — beautiful human-readable output using chalk.
+ *
+ * Displays analyzer results with status icons, a findings table
+ * sorted by severity, the overall score with color coding, and duration.
+ */
+import chalk from 'chalk';
+import { SEVERITY_ORDER, } from '../../core/types.js';
+// ─── Constants ───────────────────────────────────────────
+const SEVERITY_COLORS = {
+    critical: chalk.bgRed.white.bold,
+    high: chalk.red.bold,
+    medium: chalk.yellow,
+    low: chalk.blue,
+    info: chalk.gray,
+};
+const GRADE_COLORS = {
+    A: chalk.green.bold,
+    B: chalk.green,
+    C: chalk.yellow,
+    D: chalk.red,
+    F: chalk.red.bold,
+};
+const CHECK_MARK = chalk.green('\u2713');
+const CROSS_MARK = chalk.red('\u2717');
+// ─── Helpers ─────────────────────────────────────────────
+function padRight(text, width) {
+    return text.length >= width ? text : text + ' '.repeat(width - text.length);
+}
+function formatDuration(ms) {
+    if (ms < 1000) {
+        return `${ms}ms`;
+    }
+    return `${(ms / 1000).toFixed(1)}s`;
+}
+function formatAnalyzerLine(result) {
+    const icon = result.findings.length > 0 ? CROSS_MARK : CHECK_MARK;
+    const name = padRight(result.analyzer, 28);
+    const count = result.findings.length;
+    const suffix = count === 1 ? 'finding' : 'findings';
+    const countText = count > 0 ? chalk.yellow(`${count} ${suffix}`) : chalk.gray(`0 ${suffix}`);
+    return `  ${icon} ${name} ${countText}`;
+}
+function sortFindingsBySeverity(findings) {
+    return [...findings].sort((a, b) => {
+        const orderA = SEVERITY_ORDER[a.severity];
+        const orderB = SEVERITY_ORDER[b.severity];
+        return orderA - orderB;
+    });
+}
+function buildFindingsTable(findings) {
+    if (findings.length === 0) {
+        return `\n  ${chalk.green('No findings — package looks clean!')}\n`;
+    }
+    const sorted = sortFindingsBySeverity(findings);
+    // Calculate column widths
+    const sevWidth = 10;
+    const analyzerWidth = Math.max(10, ...sorted.map((f) => f.analyzer.length)) + 2;
+    const titleWidth = Math.max(20, ...sorted.map((f) => f.title.length));
+    const headerSev = padRight('Severity', sevWidth);
+    const headerAnalyzer = padRight('Analyzer', analyzerWidth);
+    const headerFinding = padRight('Finding', titleWidth);
+    const dividerSev = '\u2500'.repeat(sevWidth);
+    const dividerAnalyzer = '\u2500'.repeat(analyzerWidth);
+    const dividerFinding = '\u2500'.repeat(titleWidth);
+    const lines = [];
+    lines.push('');
+    lines.push(`  \u250c${'\u2500'.repeat(sevWidth + 1)}\u252c${'\u2500'.repeat(analyzerWidth + 1)}\u252c${'\u2500'.repeat(titleWidth + 1)}\u2510`);
+    lines.push(`  \u2502 ${chalk.bold(headerSev)}\u2502 ${chalk.bold(headerAnalyzer)}\u2502 ${chalk.bold(headerFinding)}\u2502`);
+    lines.push(`  \u251c${dividerSev}\u2500\u253c${dividerAnalyzer}\u2500\u253c${dividerFinding}\u2500\u2524`);
+    for (const finding of sorted) {
+        const sevLabel = finding.severity.toUpperCase();
+        const colorize = SEVERITY_COLORS[finding.severity];
+        const sevCell = padRight(colorize(sevLabel), sevWidth + (colorize(sevLabel).length - sevLabel.length));
+        const analyzerCell = padRight(finding.analyzer, analyzerWidth);
+        const titleCell = padRight(finding.title, titleWidth);
+        lines.push(`  \u2502 ${sevCell}\u2502 ${analyzerCell}\u2502 ${titleCell}\u2502`);
+    }
+    lines.push(`  \u2514${'\u2500'.repeat(sevWidth + 1)}\u2534${'\u2500'.repeat(analyzerWidth + 1)}\u2534${'\u2500'.repeat(titleWidth + 1)}\u2518`);
+    return lines.join('\n');
+}
+// ─── Formatter ───────────────────────────────────────────
+export class TerminalFormatter {
+    name = 'terminal';
+    format(report) {
+        const lines = [];
+        // Header
+        lines.push('');
+        lines.push(`  ${chalk.bold.cyan('mitnick')} — Security Analysis`);
+        lines.push('');
+        lines.push(`  Checking ${chalk.bold(`${report.packageName}@${report.version}`)}...`);
+        lines.push('');
+        // Analyzer results
+        for (const result of report.results) {
+            lines.push(formatAnalyzerLine(result));
+        }
+        // Score
+        const gradeColor = GRADE_COLORS[report.grade];
+        lines.push('');
+        lines.push(`  Score: ${gradeColor(`${report.score}/100`)} (${gradeColor(report.grade)})`);
+        // Findings table
+        const allFindings = report.results.flatMap((r) => r.findings);
+        lines.push(buildFindingsTable(allFindings));
+        // Duration
+        lines.push(`  Analyzed in ${formatDuration(report.duration)}`);
+        lines.push('');
+        return lines.join('\n');
+    }
+}
+//# sourceMappingURL=terminal.js.map

package/dist/cli/formatters/terminal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"terminal.js","sourceRoot":"","sources":["../../../src/cli/formatters/terminal.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EACL,cAAc,GAMf,MAAM,qBAAqB,CAAC;AAE7B,4DAA4D;AAE5D,MAAM,eAAe,GAAyD;IAC5E,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI;IAChC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI;IACpB,MAAM,EAAE,KAAK,CAAC,MAAM;IACpB,GAAG,EAAE,KAAK,CAAC,IAAI;IACf,IAAI,EAAE,KAAK,CAAC,IAAI;CACjB,CAAC;AAEF,MAAM,YAAY,GAAsD;IACtE,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI;IACnB,CAAC,EAAE,KAAK,CAAC,KAAK;IACd,CAAC,EAAE,KAAK,CAAC,MAAM;IACf,CAAC,EAAE,KAAK,CAAC,GAAG;IACZ,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI;CAClB,CAAC;AAEF,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;AACzC,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAEvC,4DAA4D;AAE5D,SAAS,QAAQ,CAAC,IAAY,EAAE,KAAa;IAC3C,OAAO,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,cAAc,CAAC,EAAU;IAChC,IAAI,EAAE,GAAG,IAAI,EAAE,CAAC;QACd,OAAO,GAAG,EAAE,IAAI,CAAC;IACnB,CAAC;IACD,OAAO,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;AACtC,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAsB;IAChD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;IAClE,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;IACrC,MAAM,MAAM,GAAG,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;IACpD,MAAM,SAAS,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;IAE7F,OAAO,KAAK,IAAI,IAAI,IAAI,IAAI,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,sBAAsB,CAAC,QAA4B;IAC1D,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC1C,OAAO,MAAM,GAAG,MAAM,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,QAA4B;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,KAAK,CAAC,KAAK,CAAC,oCAAoC,CAAC,IAAI,CAAC;IACtE,CAAC;IAED,MAAM,MAAM,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IAEhD,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,EAAE,CAAC;IACpB,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;IAChF,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAEtE,MAAM,SAAS,GAAG,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAC3D,MAAM,aAAa,GAAG,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAEtD,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC7C,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAEnD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,WAAW,QAAQ,CAAC,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,aAAa,GAAG,CAAC,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,QAAQ,CACpI,CAAC;IACF,KAAK,CAAC,IAAI,CACR,YAAY,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,UAAU,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CACjH,CAAC;IACF,KAAK,CAAC,IAAI,CACR,WAAW,UAAU,eAAe,eAAe,eAAe,cAAc,cAAc,CAC/F,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACnD,MAAM,OAAO,GAAG,QAAQ,CACtB,QAAQ,CAAC,QAAQ,CAAC,EAClB,QAAQ,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CACzD,CAAC;QACF,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAEtD,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,UAAU,YAAY,UAAU,SAAS,QAAQ,CAAC,CAAC;IACnF,CAAC;IAED,KAAK,CAAC,IAAI,CACR,WAAW,QAAQ,CAAC,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,aAAa,GAAG,CAAC,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,QAAQ,CACpI,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,4DAA4D;AAE5D,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,UAAmB,CAAC;IAEpC,MAAM,CAAC,MAAsB;QAC3B,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,SAAS;QACT,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;QAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC;QACrF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,mBAAmB;QACnB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;QACzC,CAAC;QAED,QAAQ;QACR,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,YAAY,UAAU,CAAC,GAAG,MAAM,CAAC,KAAK,MAAM,CAAC,KAAK,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE1F,iBAAiB;QACjB,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC9D,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;QAE5C,WAAW;QACX,KAAK,CAAC,IAAI,CAAC,iBAAiB,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC/D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;CACF"}

package/dist/cli/index.d.ts

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+/**
+ * Mitnick CLI entry point.
+ *
+ * Uses Commander.js to define the program structure, commands,
+ * and options. Handles errors with user-friendly messages.
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG"}

package/dist/cli/index.js

@@ -0,0 +1,86 @@
+#!/usr/bin/env node
+/**
+ * Mitnick CLI entry point.
+ *
+ * Uses Commander.js to define the program structure, commands,
+ * and options. Handles errors with user-friendly messages.
+ */
+import { Command } from 'commander';
+import { createRequire } from 'node:module';
+import { executeCheck } from './commands/check.js';
+import { SEVERITY_LEVELS, } from '../core/types.js';
+// ─── Version ─────────────────────────────────────────────
+const require = createRequire(import.meta.url);
+const packageJson = require('../../package.json');
+// ─── Validation ──────────────────────────────────────────
+function isValidSeverity(value) {
+    return SEVERITY_LEVELS.includes(value);
+}
+function parseSeverity(value) {
+    const lower = value.toLowerCase();
+    if (!isValidSeverity(lower)) {
+        throw new Error(`Invalid severity "${value}". Must be one of: ${SEVERITY_LEVELS.join(', ')}`);
+    }
+    return lower;
+}
+// ─── Program ─────────────────────────────────────────────
+const program = new Command();
+program
+    .name('mitnick')
+    .description('Pre-install security analysis CLI for npm packages')
+    .version(packageJson.version);
+program
+    .command('check')
+    .description('Analyze npm packages for security issues before installation')
+    .argument('<packages...>', 'Package specifiers (e.g., express, lodash@4.17.21)')
+    .option('--json', 'Output results as JSON', false)
+    .option('--sarif', 'Output results in SARIF v2.1.0 format', false)
+    .option('--fail-on <severity>', 'Exit with code 1 if findings at or above severity (critical, high, medium, low, info)')
+    .option('--verbose', 'Show additional analysis details', false)
+    .action(async (packages, cmdOptions) => {
+    // Determine output format
+    let format = 'terminal';
+    if (cmdOptions.json) {
+        format = 'json';
+    }
+    else if (cmdOptions.sarif) {
+        format = 'sarif';
+    }
+    // Parse --fail-on
+    let failOn;
+    if (cmdOptions.failOn !== undefined) {
+        failOn = parseSeverity(cmdOptions.failOn);
+    }
+    const baseOptions = {
+        packages,
+        format,
+        verbose: cmdOptions.verbose,
+    };
+    const options = failOn !== undefined ? { ...baseOptions, failOn } : baseOptions;
+    const passed = await executeCheck(options);
+    if (!passed) {
+        process.exit(1);
+    }
+});
+// ─── Error Handling ──────────────────────────────────────
+program.exitOverride();
+async function main() {
+    try {
+        await program.parseAsync(process.argv);
+    }
+    catch (error) {
+        // Commander throws for --help and --version, which is expected
+        if (error instanceof Error && 'code' in error) {
+            const code = error.code;
+            if (code === 'commander.helpDisplayed' || code === 'commander.version') {
+                return;
+            }
+        }
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`\nError: ${message}\n`);
+        console.error('Run "mitnick --help" for usage information.\n');
+        process.exit(1);
+    }
+}
+void main();
+//# sourceMappingURL=index.js.map