mitnick-cli 1.0.0

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EACL,eAAe,GAIhB,MAAM,kBAAkB,CAAC;AAE1B,4DAA4D;AAE5D,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAwB,CAAC;AAEzE,4DAA4D;AAE5D,SAAS,eAAe,CAAC,KAAa;IACpC,OAAQ,eAAqC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qBAAqB,KAAK,sBAAsB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4DAA4D;AAE5D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CAAC,oDAAoD,CAAC;KACjE,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;AAEhC,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,8DAA8D,CAAC;KAC3E,QAAQ,CAAC,eAAe,EAAE,oDAAoD,CAAC;KAC/E,MAAM,CAAC,QAAQ,EAAE,wBAAwB,EAAE,KAAK,CAAC;KACjD,MAAM,CAAC,SAAS,EAAE,uCAAuC,EAAE,KAAK,CAAC;KACjE,MAAM,CACL,sBAAsB,EACtB,uFAAuF,CACxF;KACA,MAAM,CAAC,WAAW,EAAE,kCAAkC,EAAE,KAAK,CAAC;KAC9D,MAAM,CACL,KAAK,EACH,QAAkB,EAClB,UAKC,EACD,EAAE;IACF,0BAA0B;IAC1B,IAAI,MAAM,GAAiB,UAAU,CAAC;IACtC,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;QAC5B,MAAM,GAAG,OAAO,CAAC;IACnB,CAAC;IAED,kBAAkB;IAClB,IAAI,MAA4B,CAAC;IACjC,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,WAAW,GAAG;QAClB,QAAQ;QACR,MAAM;QACN,OAAO,EAAE,UAAU,CAAC,OAAO;KAC5B,CAAC;IAEF,MAAM,OAAO,GAAiB,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;IAE9F,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,4DAA4D;AAE5D,OAAO,CAAC,YAAY,EAAE,CAAC;AAEvB,KAAK,UAAU,IAAI;IACjB,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,+DAA+D;QAC/D,IAAI,KAAK,YAAY,KAAK,IAAI,MAAM,IAAI,KAAK,EAAE,CAAC;YAC9C,MAAM,IAAI,GAAI,KAAkC,CAAC,IAAI,CAAC;YACtD,IAAI,IAAI,KAAK,yBAAyB,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACvE,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO,CAAC,KAAK,CAAC,YAAY,OAAO,IAAI,CAAC,CAAC;QACvC,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,KAAK,IAAI,EAAE,CAAC"}

package/dist/core/engine.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Analysis engine that orchestrates all security analyzers.
+ *
+ * Accepts analyzers via constructor injection (DI) and runs them
+ * in parallel using Promise.allSettled. Individual analyzer failures
+ * are caught without stopping the remaining analyzers.
+ */
+import type { Analyzer } from '../analyzers/analyzer.interface.js';
+import type { AnalysisContext, SecurityReport } from './types.js';
+export declare class AnalysisEngine {
+    private readonly analyzers;
+    constructor(analyzers: readonly Analyzer[]);
+    /**
+     * Run all registered analyzers against the given context in parallel.
+     *
+     * - Uses Promise.allSettled so one failure does not cancel others
+     * - Failed analyzers produce an empty result with zero findings
+     * - Measures total wall-clock duration
+     * - Computes aggregate score via the scorer module
+     */
+    analyze(context: AnalysisContext): Promise<SecurityReport>;
+}
+//# sourceMappingURL=engine.d.ts.map

package/dist/core/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/core/engine.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oCAAoC,CAAC;AACnE,OAAO,KAAK,EAAE,eAAe,EAAkB,cAAc,EAAE,MAAM,YAAY,CAAC;AAGlF,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAsB;gBAEpC,SAAS,EAAE,SAAS,QAAQ,EAAE;IAI1C;;;;;;;OAOG;IACG,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CA0CjE"}

package/dist/core/engine.js

@@ -0,0 +1,55 @@
+/**
+ * Analysis engine that orchestrates all security analyzers.
+ *
+ * Accepts analyzers via constructor injection (DI) and runs them
+ * in parallel using Promise.allSettled. Individual analyzer failures
+ * are caught without stopping the remaining analyzers.
+ */
+import { calculateScore } from './scorer.js';
+export class AnalysisEngine {
+    analyzers;
+    constructor(analyzers) {
+        this.analyzers = analyzers;
+    }
+    /**
+     * Run all registered analyzers against the given context in parallel.
+     *
+     * - Uses Promise.allSettled so one failure does not cancel others
+     * - Failed analyzers produce an empty result with zero findings
+     * - Measures total wall-clock duration
+     * - Computes aggregate score via the scorer module
+     */
+    async analyze(context) {
+        const startTime = performance.now();
+        const settled = await Promise.allSettled(this.analyzers.map((analyzer) => analyzer.analyze(context)));
+        const results = settled.map((outcome, index) => {
+            if (outcome.status === 'fulfilled') {
+                return outcome.value;
+            }
+            // Analyzer threw — produce a graceful empty result
+            const analyzer = this.analyzers[index];
+            const analyzerName = analyzer?.name ?? `unknown-analyzer-${index}`;
+            const errorMessage = outcome.reason instanceof Error ? outcome.reason.message : String(outcome.reason);
+            console.error(`[mitnick] Analyzer "${analyzerName}" failed: ${errorMessage}`);
+            return {
+                analyzer: analyzerName,
+                findings: [],
+                duration: 0,
+            };
+        });
+        const duration = Math.round(performance.now() - startTime);
+        const { score, grade, totalFindings, findingsBySeverity } = calculateScore(results);
+        return {
+            packageName: context.packageName,
+            version: context.version,
+            score,
+            grade,
+            results,
+            totalFindings,
+            findingsBySeverity,
+            analyzedAt: new Date().toISOString(),
+            duration,
+        };
+    }
+}
+//# sourceMappingURL=engine.js.map

package/dist/core/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/core/engine.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,OAAO,cAAc;IACR,SAAS,CAAsB;IAEhD,YAAY,SAA8B;QACxC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,OAAO,CAAC,OAAwB;QACpC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAEpC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAC5D,CAAC;QAEF,MAAM,OAAO,GAAqB,OAAO,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE;YAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;gBACnC,OAAO,OAAO,CAAC,KAAK,CAAC;YACvB,CAAC;YAED,mDAAmD;YACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACvC,MAAM,YAAY,GAAG,QAAQ,EAAE,IAAI,IAAI,oBAAoB,KAAK,EAAE,CAAC;YACnE,MAAM,YAAY,GAChB,OAAO,CAAC,MAAM,YAAY,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAEpF,OAAO,CAAC,KAAK,CAAC,uBAAuB,YAAY,aAAa,YAAY,EAAE,CAAC,CAAC;YAE9E,OAAO;gBACL,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,CAAC;aACa,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;QAC3D,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,kBAAkB,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QAEpF,OAAO;YACL,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,KAAK;YACL,KAAK;YACL,OAAO;YACP,aAAa;YACb,kBAAkB;YAClB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,QAAQ;SACT,CAAC;IACJ,CAAC;CACF"}

package/dist/core/scorer.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Security scoring engine.
+ *
+ * Pure functions that compute a security score and grade
+ * from analyzer findings. No side effects.
+ */
+import { type AnalyzerResult, type Grade, type Severity } from './types.js';
+export interface ScoreResult {
+    readonly score: number;
+    readonly grade: Grade;
+    readonly totalFindings: number;
+    readonly findingsBySeverity: Readonly<Record<Severity, number>>;
+}
+/**
+ * Calculate a complete security score from analyzer results.
+ *
+ * - Starts at 100
+ * - Deducts points per finding based on severity
+ * - Clamps to [0, 100]
+ * - Maps to letter grade (A/B/C/D/F)
+ *
+ * This is a pure function with no side effects.
+ */
+export declare function calculateScore(results: readonly AnalyzerResult[]): ScoreResult;
+/**
+ * Check whether any finding meets or exceeds the given severity threshold.
+ * Used by --fail-on to determine exit code.
+ */
+export declare function hasFindsAtOrAbove(results: readonly AnalyzerResult[], threshold: Severity): boolean;
+//# sourceMappingURL=scorer.d.ts.map

package/dist/core/scorer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scorer.d.ts","sourceRoot":"","sources":["../../src/core/scorer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAIL,KAAK,cAAc,EAEnB,KAAK,KAAK,EACV,KAAK,QAAQ,EACd,MAAM,YAAY,CAAC;AAIpB,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;CACjE;AA4DD;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,SAAS,cAAc,EAAE,GAAG,WAAW,CAa9E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,SAAS,cAAc,EAAE,EAClC,SAAS,EAAE,QAAQ,GAClB,OAAO,CAKT"}

package/dist/core/scorer.js

@@ -0,0 +1,88 @@
+/**
+ * Security scoring engine.
+ *
+ * Pure functions that compute a security score and grade
+ * from analyzer findings. No side effects.
+ */
+import { GRADE_THRESHOLDS, SEVERITY_DEDUCTIONS, SEVERITY_LEVELS, } from './types.js';
+// ─── Helpers ─────────────────────────────────────────────
+/**
+ * Collect all findings from analyzer results into a flat array.
+ */
+function collectFindings(results) {
+    return results.flatMap((r) => r.findings);
+}
+/**
+ * Count findings grouped by severity level.
+ */
+function countBySeverity(findings) {
+    const counts = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0,
+    };
+    for (const finding of findings) {
+        counts[finding.severity] += 1;
+    }
+    return counts;
+}
+/**
+ * Compute raw score by deducting points per finding severity.
+ * Clamped to [0, 100].
+ */
+function computeScore(findings) {
+    let score = 100;
+    for (const finding of findings) {
+        score -= SEVERITY_DEDUCTIONS[finding.severity];
+    }
+    return Math.max(0, Math.min(100, score));
+}
+/**
+ * Map a numeric score to a letter grade using GRADE_THRESHOLDS.
+ */
+function computeGrade(score) {
+    for (const threshold of GRADE_THRESHOLDS) {
+        if (score >= threshold.min) {
+            return threshold.grade;
+        }
+    }
+    // GRADE_THRESHOLDS always includes min: 0, so this is unreachable.
+    // Satisfy the compiler with a fallback.
+    return 'F';
+}
+// ─── Public API ──────────────────────────────────────────
+/**
+ * Calculate a complete security score from analyzer results.
+ *
+ * - Starts at 100
+ * - Deducts points per finding based on severity
+ * - Clamps to [0, 100]
+ * - Maps to letter grade (A/B/C/D/F)
+ *
+ * This is a pure function with no side effects.
+ */
+export function calculateScore(results) {
+    const findings = collectFindings(results);
+    const score = computeScore(findings);
+    const grade = computeGrade(score);
+    const findingsBySeverity = countBySeverity(findings);
+    const totalFindings = findings.length;
+    return {
+        score,
+        grade,
+        totalFindings,
+        findingsBySeverity,
+    };
+}
+/**
+ * Check whether any finding meets or exceeds the given severity threshold.
+ * Used by --fail-on to determine exit code.
+ */
+export function hasFindsAtOrAbove(results, threshold) {
+    const thresholdIndex = SEVERITY_LEVELS.indexOf(threshold);
+    const findings = collectFindings(results);
+    return findings.some((f) => SEVERITY_LEVELS.indexOf(f.severity) <= thresholdIndex);
+}
+//# sourceMappingURL=scorer.js.map

package/dist/core/scorer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scorer.js","sourceRoot":"","sources":["../../src/core/scorer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,eAAe,GAKhB,MAAM,YAAY,CAAC;AAWpB,4DAA4D;AAE5D;;GAEG;AACH,SAAS,eAAe,CAAC,OAAkC;IACzD,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,QAA4B;IACnD,MAAM,MAAM,GAA6B;QACvC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,QAA4B;IAChD,IAAI,KAAK,GAAG,GAAG,CAAC;IAEhB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,KAAK,IAAI,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,IAAI,KAAK,IAAI,SAAS,CAAC,GAAG,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAC,KAAK,CAAC;QACzB,CAAC;IACH,CAAC;IACD,mEAAmE;IACnE,wCAAwC;IACxC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4DAA4D;AAE5D;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,OAAkC;IAC/D,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,kBAAkB,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC;IAEtC,OAAO;QACL,KAAK;QACL,KAAK;QACL,aAAa;QACb,kBAAkB;KACnB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAAkC,EAClC,SAAmB;IAEnB,MAAM,cAAc,GAAG,eAAe,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAE1C,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,CAAC;AACrF,CAAC"}

package/dist/core/types.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Core type definitions for the Mitnick security analysis engine.
+ *
+ * All types use readonly properties and discriminated unions
+ * to enforce immutability and type safety throughout the system.
+ */
+export declare const SEVERITY_LEVELS: readonly ["critical", "high", "medium", "low", "info"];
+export type Severity = (typeof SEVERITY_LEVELS)[number];
+export declare const SEVERITY_ORDER: Readonly<Record<Severity, number>>;
+export declare const SEVERITY_DEDUCTIONS: Readonly<Record<Severity, number>>;
+export type Grade = 'A' | 'B' | 'C' | 'D' | 'F';
+export declare const GRADE_THRESHOLDS: readonly {
+    readonly min: number;
+    readonly grade: Grade;
+}[];
+export interface Finding {
+    readonly analyzer: string;
+    readonly severity: Severity;
+    readonly title: string;
+    readonly description: string;
+    readonly file?: string;
+    readonly line?: number;
+    readonly recommendation?: string;
+}
+export interface AnalyzerResult {
+    readonly analyzer: string;
+    readonly findings: readonly Finding[];
+    readonly duration: number;
+}
+export interface MaintainerInfo {
+    readonly name: string;
+    readonly email?: string;
+}
+export interface RegistryMetadata {
+    readonly name: string;
+    readonly version: string;
+    readonly description?: string;
+    readonly license?: string;
+    readonly maintainers: readonly MaintainerInfo[];
+    readonly publishedAt?: string;
+    readonly versions: readonly string[];
+    readonly timeMap: Readonly<Record<string, string>>;
+    readonly distTags: Readonly<Record<string, string>>;
+    readonly homepage?: string;
+    readonly repository?: string;
+}
+export interface AnalysisContext {
+    readonly packageName: string;
+    readonly version: string;
+    readonly packageJson: Readonly<Record<string, unknown>>;
+    readonly extractedPath: string;
+    readonly registryMetadata: RegistryMetadata;
+}
+export interface SecurityReport {
+    readonly packageName: string;
+    readonly version: string;
+    readonly score: number;
+    readonly grade: Grade;
+    readonly results: readonly AnalyzerResult[];
+    readonly totalFindings: number;
+    readonly findingsBySeverity: Readonly<Record<Severity, number>>;
+    readonly analyzedAt: string;
+    readonly duration: number;
+}
+export type OutputFormat = 'terminal' | 'json' | 'sarif';
+export interface CheckOptions {
+    readonly packages: readonly string[];
+    readonly format: OutputFormat;
+    readonly failOn?: Severity;
+    readonly verbose: boolean;
+}
+export interface PackageSpecifier {
+    readonly name: string;
+    readonly version?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/core/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,eAAO,MAAM,eAAe,wDAAyD,CAAC;AAEtF,MAAM,MAAM,QAAQ,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,CAAC,CAAC;AAExD,eAAO,MAAM,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAMpD,CAAC;AAEX,eAAO,MAAM,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAMzD,CAAC;AAIX,MAAM,MAAM,KAAK,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AAEhD,eAAO,MAAM,gBAAgB,EAAE,SAAS;IAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CAAE,EAM7E,CAAC;AAIX,MAAM,WAAW,OAAO;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,SAAS,OAAO,EAAE,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,SAAS,cAAc,EAAE,CAAC;IAChD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACxD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;CAC7C;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,SAAS,cAAc,EAAE,CAAC;IAC5C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IAChE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAID,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC;AAEzD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAID,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B"}

package/dist/core/types.js

@@ -0,0 +1,30 @@
+/**
+ * Core type definitions for the Mitnick security analysis engine.
+ *
+ * All types use readonly properties and discriminated unions
+ * to enforce immutability and type safety throughout the system.
+ */
+// ─── Severity ──────────────────────────────────────────────
+export const SEVERITY_LEVELS = ['critical', 'high', 'medium', 'low', 'info'];
+export const SEVERITY_ORDER = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4,
+};
+export const SEVERITY_DEDUCTIONS = {
+    critical: 25,
+    high: 15,
+    medium: 8,
+    low: 3,
+    info: 0,
+};
+export const GRADE_THRESHOLDS = [
+    { min: 90, grade: 'A' },
+    { min: 80, grade: 'B' },
+    { min: 70, grade: 'C' },
+    { min: 50, grade: 'D' },
+    { min: 0, grade: 'F' },
+];
+//# sourceMappingURL=types.js.map

package/dist/core/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,8DAA8D;AAE9D,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAU,CAAC;AAItF,MAAM,CAAC,MAAM,cAAc,GAAuC;IAChE,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACC,CAAC;AAEX,MAAM,CAAC,MAAM,mBAAmB,GAAuC;IACrE,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACC,CAAC;AAMX,MAAM,CAAC,MAAM,gBAAgB,GAA+D;IAC1F,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;IACvB,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;IACvB,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;IACvB,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;IACvB,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE;CACd,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Mitnick — Public programmatic API.
+ *
+ * Provides the core analysis engine, types, and utilities
+ * so consumers can use mitnick as a library, not just a CLI.
+ *
+ * @example
+ * ```ts
+ * import { AnalysisEngine, createAnalyzers, fetchPackageMetadata, downloadAndExtract } from 'mitnick';
+ *
+ * const result = await fetchPackageMetadata('express');
+ * if (result.ok) {
+ *   const tarball = await downloadAndExtract(result.tarballUrl, result.metadata.name);
+ *   if (tarball.ok) {
+ *     const engine = new AnalysisEngine(createAnalyzers());
+ *     const report = await engine.analyze({ ... });
+ *     await tarball.cleanup();
+ *   }
+ * }
+ * ```
+ */
+export { AnalysisEngine } from './core/engine.js';
+export { calculateScore, hasFindsAtOrAbove } from './core/scorer.js';
+export type { ScoreResult } from './core/scorer.js';
+export type { Severity, Grade, Finding, AnalyzerResult, AnalysisContext, SecurityReport, RegistryMetadata, MaintainerInfo, PackageSpecifier, OutputFormat, CheckOptions, } from './core/types.js';
+export { SEVERITY_LEVELS, SEVERITY_ORDER, SEVERITY_DEDUCTIONS, GRADE_THRESHOLDS, } from './core/types.js';
+export type { Analyzer } from './analyzers/analyzer.interface.js';
+export { createAnalyzers } from './analyzers/analyzer.registry.js';
+export { fetchPackageMetadata } from './registry/client.js';
+export type { RegistryResult, RegistrySuccess, RegistryError, RegistryErrorKind, } from './registry/client.js';
+export { downloadAndExtract } from './registry/tarball.js';
+export type { TarballResult, TarballSuccess, TarballError, TarballErrorKind, } from './registry/tarball.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrE,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAGpD,YAAY,EACV,QAAQ,EACR,KAAK,EACL,OAAO,EACP,cAAc,EACd,eAAe,EACf,cAAc,EACd,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,YAAY,EACZ,YAAY,GACb,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAGzB,YAAY,EAAE,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAGnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,YAAY,EACV,cAAc,EACd,eAAe,EACf,aAAa,EACb,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,YAAY,EACV,aAAa,EACb,cAAc,EACd,YAAY,EACZ,gBAAgB,GACjB,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -0,0 +1,30 @@
+/**
+ * Mitnick — Public programmatic API.
+ *
+ * Provides the core analysis engine, types, and utilities
+ * so consumers can use mitnick as a library, not just a CLI.
+ *
+ * @example
+ * ```ts
+ * import { AnalysisEngine, createAnalyzers, fetchPackageMetadata, downloadAndExtract } from 'mitnick';
+ *
+ * const result = await fetchPackageMetadata('express');
+ * if (result.ok) {
+ *   const tarball = await downloadAndExtract(result.tarballUrl, result.metadata.name);
+ *   if (tarball.ok) {
+ *     const engine = new AnalysisEngine(createAnalyzers());
+ *     const report = await engine.analyze({ ... });
+ *     await tarball.cleanup();
+ *   }
+ * }
+ * ```
+ */
+// ─── Core ─────────────────────────────────────────────────
+export { AnalysisEngine } from './core/engine.js';
+export { calculateScore, hasFindsAtOrAbove } from './core/scorer.js';
+export { SEVERITY_LEVELS, SEVERITY_ORDER, SEVERITY_DEDUCTIONS, GRADE_THRESHOLDS, } from './core/types.js';
+export { createAnalyzers } from './analyzers/analyzer.registry.js';
+// ─── Registry ─────────────────────────────────────────────
+export { fetchPackageMetadata } from './registry/client.js';
+export { downloadAndExtract } from './registry/tarball.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,6DAA6D;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAkBrE,OAAO,EACL,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAIzB,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAEnE,6DAA6D;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAQ5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/registry/client.d.ts

@@ -0,0 +1,27 @@
+/**
+ * npm registry API client.
+ *
+ * Fetches package metadata from the public npm registry,
+ * validates responses with zod, and maps them to RegistryMetadata.
+ */
+import type { RegistryMetadata } from '../core/types.js';
+export interface RegistrySuccess {
+    readonly ok: true;
+    readonly metadata: RegistryMetadata;
+    readonly tarballUrl: string;
+}
+export interface RegistryError {
+    readonly ok: false;
+    readonly error: RegistryErrorKind;
+    readonly message: string;
+}
+export type RegistryResult = RegistrySuccess | RegistryError;
+export type RegistryErrorKind = 'not_found' | 'version_not_found' | 'rate_limited' | 'network_error' | 'validation_error';
+/**
+ * Fetch package metadata from the npm registry.
+ *
+ * @param packageName - The npm package name (supports scoped packages)
+ * @param version - Optional version or dist-tag. Defaults to "latest".
+ */
+export declare function fetchPackageMetadata(packageName: string, version?: string): Promise<RegistryResult>;
+//# sourceMappingURL=client.d.ts.map

package/dist/registry/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/registry/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAkB,MAAM,kBAAkB,CAAC;AA0CzE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,CAAC;IACpC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,KAAK,EAAE,iBAAiB,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,MAAM,cAAc,GAAG,eAAe,GAAG,aAAa,CAAC;AAE7D,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,mBAAmB,GACnB,cAAc,GACd,eAAe,GACf,kBAAkB,CAAC;AAoFvB;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,CAAC,CAsFzB"}

package/dist/registry/client.js

@@ -0,0 +1,189 @@
+/**
+ * npm registry API client.
+ *
+ * Fetches package metadata from the public npm registry,
+ * validates responses with zod, and maps them to RegistryMetadata.
+ */
+import { z } from 'zod';
+import semver from 'semver';
+import { fetchJson } from '../utils/http.js';
+import { logger } from '../utils/logger.js';
+// ─── Constants ────────────────────────────────────────────
+const NPM_REGISTRY = 'https://registry.npmjs.org';
+// ─── Zod Schemas ──────────────────────────────────────────
+const MaintainerSchema = z.object({
+    name: z.string(),
+    email: z.string().optional(),
+});
+const VersionInfoSchema = z.object({
+    version: z.string(),
+    dist: z.object({
+        tarball: z.string().url(),
+        shasum: z.string().optional(),
+        integrity: z.string().optional(),
+    }),
+});
+const PackageDocumentSchema = z.object({
+    name: z.string(),
+    description: z.string().optional(),
+    'dist-tags': z.record(z.string(), z.string()).default({}),
+    versions: z.record(z.string(), VersionInfoSchema),
+    time: z.record(z.string(), z.string()).optional(),
+    maintainers: z.array(MaintainerSchema).optional(),
+    license: z.string().optional(),
+    homepage: z.string().optional(),
+    repository: z
+        .union([z.string(), z.object({ url: z.string() }).transform((r) => r.url)])
+        .optional(),
+});
+// ─── Client ───────────────────────────────────────────────
+/**
+ * Encode a package name for use in registry URLs.
+ * Scoped packages (@scope/name) become %40scope%2Fname.
+ */
+function encodePackageName(name) {
+    return name.startsWith('@') ? `@${encodeURIComponent(name.slice(1))}` : encodeURIComponent(name);
+}
+/**
+ * Resolve a version specifier to a concrete version string.
+ *
+ * Supports:
+ * - Exact versions: "4.19.2"
+ * - Dist-tags: "latest", "next"
+ * - Semver ranges: "^4.0.0", "~4.17.0", ">=4.0.0 <5.0.0"
+ *
+ * If no version is given, resolves to the `latest` dist-tag.
+ */
+function resolveVersion(doc, requestedVersion) {
+    if (requestedVersion !== undefined) {
+        // Direct version match
+        if (requestedVersion in doc.versions) {
+            return requestedVersion;
+        }
+        // Check dist-tags (e.g., "latest", "next")
+        const tagged = doc['dist-tags'][requestedVersion];
+        if (tagged !== undefined) {
+            return tagged;
+        }
+        // Try semver range resolution
+        const availableVersions = Object.keys(doc.versions);
+        const maxSatisfying = semver.maxSatisfying(availableVersions, requestedVersion);
+        if (maxSatisfying !== null) {
+            return maxSatisfying;
+        }
+        return undefined;
+    }
+    // Default to latest
+    return doc['dist-tags']['latest'];
+}
+/**
+ * Map a validated registry document to our internal RegistryMetadata type.
+ *
+ * Uses Object.assign to conditionally add optional fields, avoiding
+ * assignment of `undefined` (required by exactOptionalPropertyTypes).
+ */
+function toMetadata(doc, version) {
+    const maintainers = doc.maintainers?.map((m) => {
+        if (m.email !== undefined) {
+            return { name: m.name, email: m.email };
+        }
+        return { name: m.name };
+    }) ?? [];
+    const result = {
+        name: doc.name,
+        version,
+        maintainers,
+        versions: Object.keys(doc.versions),
+        timeMap: doc.time ?? {},
+        distTags: doc['dist-tags'],
+        ...(doc.description !== undefined ? { description: doc.description } : {}),
+        ...(doc.license !== undefined ? { license: doc.license } : {}),
+        ...(doc.homepage !== undefined ? { homepage: doc.homepage } : {}),
+        ...(typeof doc.repository === 'string' ? { repository: doc.repository } : {}),
+        ...(doc.time?.[version] !== undefined ? { publishedAt: doc.time[version] } : {}),
+    };
+    return result;
+}
+/**
+ * Fetch package metadata from the npm registry.
+ *
+ * @param packageName - The npm package name (supports scoped packages)
+ * @param version - Optional version or dist-tag. Defaults to "latest".
+ */
+export async function fetchPackageMetadata(packageName, version) {
+    const encodedName = encodePackageName(packageName);
+    const url = `${NPM_REGISTRY}/${encodedName}`;
+    logger.debug(`Fetching registry metadata for ${packageName}`, { url });
+    const result = await fetchJson(url, {
+        headers: {
+            // Abbreviated metadata is faster; we need full doc for time/maintainers
+            Accept: 'application/json',
+        },
+        timeout: 15_000,
+    });
+    if (!result.ok) {
+        logger.debug(`Registry request failed: ${result.message}`);
+        switch (result.error) {
+            case 'not_found':
+                return {
+                    ok: false,
+                    error: 'not_found',
+                    message: `Package "${packageName}" not found on npm registry`,
+                };
+            case 'rate_limited':
+                return {
+                    ok: false,
+                    error: 'rate_limited',
+                    message: 'npm registry rate limit exceeded. Please retry later.',
+                };
+            case 'timeout':
+            case 'network':
+            case 'server_error':
+            case 'parse_error':
+                return {
+                    ok: false,
+                    error: 'network_error',
+                    message: `Failed to fetch package metadata: ${result.message}`,
+                };
+        }
+    }
+    // Validate shape with zod
+    const parsed = PackageDocumentSchema.safeParse(result.data);
+    if (!parsed.success) {
+        logger.debug('Registry response validation failed', {
+            errors: parsed.error.issues.map((i) => i.message),
+        });
+        return {
+            ok: false,
+            error: 'validation_error',
+            message: `Invalid registry response: ${parsed.error.issues.map((i) => i.message).join(', ')}`,
+        };
+    }
+    const doc = parsed.data;
+    const resolvedVersion = resolveVersion(doc, version);
+    if (resolvedVersion === undefined) {
+        return {
+            ok: false,
+            error: 'version_not_found',
+            message: `Version "${version ?? 'latest'}" not found for package "${packageName}"`,
+        };
+    }
+    const versionInfo = doc.versions[resolvedVersion];
+    if (versionInfo === undefined) {
+        return {
+            ok: false,
+            error: 'version_not_found',
+            message: `Version "${resolvedVersion}" not found for package "${packageName}"`,
+        };
+    }
+    const metadata = toMetadata(doc, resolvedVersion);
+    logger.debug(`Resolved ${packageName}@${resolvedVersion}`, {
+        tarball: versionInfo.dist.tarball,
+    });
+    return {
+        ok: true,
+        metadata,
+        tarballUrl: versionInfo.dist.tarball,
+    };
+}
+//# sourceMappingURL=client.js.map

package/dist/registry/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/registry/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,EAAE,SAAS,EAAmB,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,6DAA6D;AAE7D,MAAM,YAAY,GAAG,4BAA4B,CAAC;AAElD,6DAA6D;AAE7D,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC7B,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;QACzB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACjC,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACzD,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC;IACjD,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACjD,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,QAAQ,EAAE;IACjD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,UAAU,EAAE,CAAC;SACV,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;SAC1E,QAAQ,EAAE;CACd,CAAC,CAAC;AA2BH,6DAA6D;AAE7D;;;GAGG;AACH,SAAS,iBAAiB,CAAC,IAAY;IACrC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;AACnG,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,cAAc,CACrB,GAAoB,EACpB,gBAAoC;IAEpC,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,uBAAuB;QACvB,IAAI,gBAAgB,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACrC,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QAED,2CAA2C;QAC3C,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,gBAAgB,CAAC,CAAC;QAClD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,8BAA8B;QAC9B,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAChF,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,OAAO,aAAa,CAAC;QACvB,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,oBAAoB;IACpB,OAAO,GAAG,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,SAAS,UAAU,CAAC,GAAoB,EAAE,OAAe;IACvD,MAAM,WAAW,GACf,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,EAAkB,EAAE;QACzC,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;QAC1C,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC,CAAC,IAAI,EAAE,CAAC;IAEX,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,OAAO;QACP,WAAW;QACX,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;QACnC,OAAO,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE;QACvB,QAAQ,EAAE,GAAG,CAAC,WAAW,CAAC;QAC1B,GAAG,CAAC,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,GAAG,CAAC,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7E,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjF,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,WAAmB,EACnB,OAAgB;IAEhB,MAAM,WAAW,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,GAAG,YAAY,IAAI,WAAW,EAAE,CAAC;IAE7C,MAAM,CAAC,KAAK,CAAC,kCAAkC,WAAW,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IAEvE,MAAM,MAAM,GAAwB,MAAM,SAAS,CAAC,GAAG,EAAE;QACvD,OAAO,EAAE;YACP,wEAAwE;YACxE,MAAM,EAAE,kBAAkB;SAC3B;QACD,OAAO,EAAE,MAAM;KAChB,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,4BAA4B,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAE3D,QAAQ,MAAM,CAAC,KAAK,EAAE,CAAC;YACrB,KAAK,WAAW;gBACd,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,YAAY,WAAW,6BAA6B;iBAC9D,CAAC;YACJ,KAAK,cAAc;gBACjB,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,uDAAuD;iBACjE,CAAC;YACJ,KAAK,SAAS,CAAC;YACf,KAAK,SAAS,CAAC;YACf,KAAK,cAAc,CAAC;YACpB,KAAK,aAAa;gBAChB,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,eAAe;oBACtB,OAAO,EAAE,qCAAqC,MAAM,CAAC,OAAO,EAAE;iBAC/D,CAAC;QACN,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE;YAClD,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SAClD,CAAC,CAAC;QACH,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,kBAAkB;YACzB,OAAO,EAAE,8BAA8B,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC9F,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC;IACxB,MAAM,eAAe,GAAG,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAErD,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,mBAAmB;YAC1B,OAAO,EAAE,YAAY,OAAO,IAAI,QAAQ,4BAA4B,WAAW,GAAG;SACnF,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;IAClD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,mBAAmB;YAC1B,OAAO,EAAE,YAAY,eAAe,4BAA4B,WAAW,GAAG;SAC/E,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAElD,MAAM,CAAC,KAAK,CAAC,YAAY,WAAW,IAAI,eAAe,EAAE,EAAE;QACzD,OAAO,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO;KAClC,CAAC,CAAC;IAEH,OAAO;QACL,EAAE,EAAE,IAAI;QACR,QAAQ;QACR,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO;KACrC,CAAC;AACJ,CAAC"}