mitnick-cli 1.0.0

package/dist/registry/tarball.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Tarball download and extraction for npm packages.
+ *
+ * Downloads a .tgz from the npm registry, extracts it to a temp directory,
+ * and provides cleanup. All npm tarballs contain a top-level `package/`
+ * directory which is stripped during extraction.
+ */
+export interface TarballSuccess {
+    readonly ok: true;
+    /** Absolute path to the directory containing extracted package files. */
+    readonly extractedPath: string;
+    /** Call this to clean up the temp directory when analysis is done. */
+    readonly cleanup: () => Promise<void>;
+}
+export interface TarballError {
+    readonly ok: false;
+    readonly error: TarballErrorKind;
+    readonly message: string;
+}
+export type TarballResult = TarballSuccess | TarballError;
+export type TarballErrorKind = 'download_failed' | 'extraction_failed' | 'io_error' | 'size_exceeded';
+/**
+ * Download a tarball from the given URL and extract it to a temp directory.
+ *
+ * npm tarballs contain a `package/` top-level directory. We strip one level
+ * so the extracted path directly contains the package files.
+ *
+ * @param tarballUrl - Full URL to the .tgz file on the npm registry
+ * @param packageName - Package name (for logging)
+ * @returns A discriminated union with the extracted path and cleanup function,
+ *          or an error description.
+ */
+export declare function downloadAndExtract(tarballUrl: string, packageName: string): Promise<TarballResult>;
+//# sourceMappingURL=tarball.d.ts.map

package/dist/registry/tarball.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tarball.d.ts","sourceRoot":"","sources":["../../src/registry/tarball.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAWH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,yEAAyE;IACzE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,sEAAsE;IACtE,QAAQ,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,KAAK,EAAE,gBAAgB,CAAC;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,cAAc,GAAG,YAAY,CAAC;AAE1D,MAAM,MAAM,gBAAgB,GACxB,iBAAiB,GACjB,mBAAmB,GACnB,UAAU,GACV,eAAe,CAAC;AAMpB;;;;;;;;;;GAUG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC,CAkFxB"}

package/dist/registry/tarball.js

@@ -0,0 +1,103 @@
+/**
+ * Tarball download and extraction for npm packages.
+ *
+ * Downloads a .tgz from the npm registry, extracts it to a temp directory,
+ * and provides cleanup. All npm tarballs contain a top-level `package/`
+ * directory which is stripped during extraction.
+ */
+import { writeFile, mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import * as tar from 'tar';
+import { createTempDir, cleanupTempDir } from '../utils/fs.js';
+import { fetchBuffer } from '../utils/http.js';
+import { logger } from '../utils/logger.js';
+const MAX_TARBALL_SIZE = 100 * 1024 * 1024; // 100MB
+// ─── Download & Extract ───────────────────────────────────
+/**
+ * Download a tarball from the given URL and extract it to a temp directory.
+ *
+ * npm tarballs contain a `package/` top-level directory. We strip one level
+ * so the extracted path directly contains the package files.
+ *
+ * @param tarballUrl - Full URL to the .tgz file on the npm registry
+ * @param packageName - Package name (for logging)
+ * @returns A discriminated union with the extracted path and cleanup function,
+ *          or an error description.
+ */
+export async function downloadAndExtract(tarballUrl, packageName) {
+    let tempDir;
+    try {
+        // Create temp directory
+        tempDir = await createTempDir();
+        logger.debug(`Created temp directory: ${tempDir}`);
+        // Download tarball
+        logger.debug(`Downloading tarball for ${packageName}`, { url: tarballUrl });
+        const downloadResult = await fetchBuffer(tarballUrl, { timeout: 60_000 });
+        if (!downloadResult.ok) {
+            await cleanupTempDir(tempDir);
+            return {
+                ok: false,
+                error: 'download_failed',
+                message: `Failed to download tarball for ${packageName}: ${downloadResult.message}`,
+            };
+        }
+        // Check tarball size before writing to disk
+        if (downloadResult.data.byteLength > MAX_TARBALL_SIZE) {
+            await cleanupTempDir(tempDir);
+            return {
+                ok: false,
+                error: 'size_exceeded',
+                message: `Tarball for ${packageName} exceeds maximum allowed size of ${MAX_TARBALL_SIZE} bytes`,
+            };
+        }
+        const tgzPath = join(tempDir, 'package.tgz');
+        await writeFile(tgzPath, downloadResult.data);
+        // Extract tarball
+        const extractPath = join(tempDir, 'extracted');
+        await mkdir(extractPath, { recursive: true });
+        logger.debug(`Extracting tarball to ${extractPath}`);
+        try {
+            await tar.extract({
+                file: tgzPath,
+                cwd: extractPath,
+                strip: 1, // Remove the top-level `package/` directory
+                // Prevent path traversal
+                filter: (path) => {
+                    const normalized = path.replace(/\\/g, '/');
+                    return !normalized.includes('..') && !normalized.startsWith('/');
+                },
+            });
+        }
+        catch (extractError) {
+            await cleanupTempDir(tempDir);
+            const message = extractError instanceof Error ? extractError.message : String(extractError);
+            return {
+                ok: false,
+                error: 'extraction_failed',
+                message: `Failed to extract tarball for ${packageName}: ${message}`,
+            };
+        }
+        logger.debug(`Successfully extracted ${packageName} to ${extractPath}`);
+        const capturedTempDir = tempDir;
+        return {
+            ok: true,
+            extractedPath: extractPath,
+            cleanup: async () => {
+                logger.debug(`Cleaning up temp directory: ${capturedTempDir}`);
+                await cleanupTempDir(capturedTempDir);
+            },
+        };
+    }
+    catch (error) {
+        if (tempDir !== undefined) {
+            await cleanupTempDir(tempDir);
+        }
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            ok: false,
+            error: 'io_error',
+            message: `Unexpected error processing tarball for ${packageName}: ${message}`,
+        };
+    }
+}
+//# sourceMappingURL=tarball.js.map

package/dist/registry/tarball.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tarball.js","sourceRoot":"","sources":["../../src/registry/tarball.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,KAAK,GAAG,MAAM,KAAK,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AA0B5C,MAAM,gBAAgB,GAAG,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAEpD,6DAA6D;AAE7D;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAAkB,EAClB,WAAmB;IAEnB,IAAI,OAA2B,CAAC;IAEhC,IAAI,CAAC;QACH,wBAAwB;QACxB,OAAO,GAAG,MAAM,aAAa,EAAE,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;QAEnD,mBAAmB;QACnB,MAAM,CAAC,KAAK,CAAC,2BAA2B,WAAW,EAAE,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAE1E,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;YACvB,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,iBAAiB;gBACxB,OAAO,EAAE,kCAAkC,WAAW,KAAK,cAAc,CAAC,OAAO,EAAE;aACpF,CAAC;QACJ,CAAC;QAED,4CAA4C;QAC5C,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,GAAG,gBAAgB,EAAE,CAAC;YACtD,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,eAAe;gBACtB,OAAO,EAAE,eAAe,WAAW,oCAAoC,gBAAgB,QAAQ;aAChG,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC7C,MAAM,SAAS,CAAC,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,CAAC;QAE9C,kBAAkB;QAClB,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC/C,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;QAErD,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,OAAO,CAAC;gBAChB,IAAI,EAAE,OAAO;gBACb,GAAG,EAAE,WAAW;gBAChB,KAAK,EAAE,CAAC,EAAE,4CAA4C;gBACtD,yBAAyB;gBACzB,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;oBACf,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC5C,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;gBACnE,CAAC;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,YAAqB,EAAE,CAAC;YAC/B,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;YAC9B,MAAM,OAAO,GAAG,YAAY,YAAY,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC5F,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,mBAAmB;gBAC1B,OAAO,EAAE,iCAAiC,WAAW,KAAK,OAAO,EAAE;aACpE,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,0BAA0B,WAAW,OAAO,WAAW,EAAE,CAAC,CAAC;QAExE,MAAM,eAAe,GAAG,OAAO,CAAC;QAChC,OAAO;YACL,EAAE,EAAE,IAAI;YACR,aAAa,EAAE,WAAW;YAC1B,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,MAAM,CAAC,KAAK,CAAC,+BAA+B,eAAe,EAAE,CAAC,CAAC;gBAC/D,MAAM,cAAc,CAAC,eAAe,CAAC,CAAC;YACxC,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1B,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE,2CAA2C,WAAW,KAAK,OAAO,EAAE;SAC9E,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/utils/ast.d.ts

@@ -0,0 +1,74 @@
+/**
+ * AST parsing and traversal helpers using @typescript-eslint/typescript-estree.
+ *
+ * All functions handle parse errors gracefully — they return empty results
+ * rather than throwing, since malformed files should not crash analysis.
+ */
+import { type AST } from '@typescript-eslint/typescript-estree';
+type TSESTreeNode = AST<{
+    range: true;
+    loc: true;
+}>;
+/** A generic AST node — we use Record to avoid `any`. */
+type ASTNode = Record<string, unknown> & {
+    readonly type: string;
+    readonly loc?: {
+        readonly start: {
+            readonly line: number;
+            readonly column: number;
+        };
+        readonly end: {
+            readonly line: number;
+            readonly column: number;
+        };
+    };
+};
+/** Callback for the AST walker. Return `false` to skip children. */
+type WalkCallback = (node: ASTNode) => boolean | void;
+interface ParseResult {
+    readonly ok: true;
+    readonly ast: TSESTreeNode;
+}
+interface ParseFailure {
+    readonly ok: false;
+    readonly error: string;
+}
+type ParseOutcome = ParseResult | ParseFailure;
+/**
+ * Parse JavaScript or TypeScript source code into an AST.
+ * Returns a discriminated union so callers can check `ok` before using the AST.
+ */
+export declare function parseSource(source: string, filePath?: string): ParseOutcome;
+/**
+ * Recursively walk all nodes in an AST, calling the visitor for each.
+ * If the visitor returns `false`, children of that node are skipped.
+ */
+export declare function walkAST(node: unknown, visitor: WalkCallback): void;
+/**
+ * Extract all string literal values from source code.
+ * Includes regular string literals and template literal quasis.
+ * Returns an empty array on parse failure.
+ */
+export declare function extractStringLiterals(source: string, filePath?: string): readonly string[];
+/**
+ * Get the line number of an AST node, or undefined if location info is missing.
+ */
+export declare function getNodeLine(node: ASTNode): number | undefined;
+/**
+ * Check if a node is a call expression calling a specific function name.
+ * Handles both simple calls (`eval(...)`) and member calls (`process.exit(...)`).
+ */
+export declare function isCallTo(node: ASTNode, name: string): boolean;
+/**
+ * Check if a node is a member expression accessing a specific property.
+ * E.g., `process.env` where property name is "env".
+ */
+/**
+ * Build an optional line property for a Finding, omitting it when undefined.
+ */
+export declare function optionalLine(line: number | undefined): {
+    readonly line: number;
+} | Record<string, never>;
+export declare function isMemberAccess(node: ASTNode, objectName: string, propertyName: string): boolean;
+export {};
+//# sourceMappingURL=ast.d.ts.map

package/dist/utils/ast.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast.d.ts","sourceRoot":"","sources":["../../src/utils/ast.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAS,KAAK,GAAG,EAAE,MAAM,sCAAsC,CAAC;AAIvE,KAAK,YAAY,GAAG,GAAG,CAAC;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,IAAI,CAAA;CAAE,CAAC,CAAC;AAEpD,yDAAyD;AACzD,KAAK,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,CAAC,EAAE;QACb,QAAQ,CAAC,KAAK,EAAE;YAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;QACnE,QAAQ,CAAC,GAAG,EAAE;YAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;KAClE,CAAC;CACH,CAAC;AAEF,oEAAoE;AAEpE,KAAK,YAAY,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,GAAG,IAAI,CAAC;AAItD,UAAU,WAAW;IACnB,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC;CAC5B;AAED,UAAU,YAAY;IACpB,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED,KAAK,YAAY,GAAG,WAAW,GAAG,YAAY,CAAC;AAE/C;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,YAAY,CAkB3E;AAID;;;GAGG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,GAAG,IAAI,CAgBlE;AAID;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CA8B1F;AAgBD;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAE7D;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAoB7D;AAED;;;GAGG;AACH;;GAEG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB;IAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAEnD;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAc/F"}

package/dist/utils/ast.js

@@ -0,0 +1,150 @@
+/**
+ * AST parsing and traversal helpers using @typescript-eslint/typescript-estree.
+ *
+ * All functions handle parse errors gracefully — they return empty results
+ * rather than throwing, since malformed files should not crash analysis.
+ */
+import { parse } from '@typescript-eslint/typescript-estree';
+/**
+ * Parse JavaScript or TypeScript source code into an AST.
+ * Returns a discriminated union so callers can check `ok` before using the AST.
+ */
+export function parseSource(source, filePath) {
+    try {
+        const ast = parse(source, {
+            range: true,
+            loc: true,
+            jsx: true,
+            // Allow any syntax — we're analyzing, not compiling
+            allowInvalidAST: true,
+            suppressDeprecatedPropertyWarnings: true,
+        });
+        return { ok: true, ast };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            ok: false,
+            error: `Parse error${filePath !== undefined ? ` in ${filePath}` : ''}: ${message}`,
+        };
+    }
+}
+// ─── Walk ─────────────────────────────────────────────────
+/**
+ * Recursively walk all nodes in an AST, calling the visitor for each.
+ * If the visitor returns `false`, children of that node are skipped.
+ */
+export function walkAST(node, visitor) {
+    if (!isASTNode(node))
+        return;
+    const shouldDescend = visitor(node);
+    if (shouldDescend === false)
+        return;
+    for (const key of Object.keys(node)) {
+        const value = node[key];
+        if (Array.isArray(value)) {
+            for (const child of value) {
+                walkAST(child, visitor);
+            }
+        }
+        else if (isASTNode(value)) {
+            walkAST(value, visitor);
+        }
+    }
+}
+// ─── String Extraction ───────────────────────────────────
+/**
+ * Extract all string literal values from source code.
+ * Includes regular string literals and template literal quasis.
+ * Returns an empty array on parse failure.
+ */
+export function extractStringLiterals(source, filePath) {
+    const result = parseSource(source, filePath);
+    if (!result.ok)
+        return [];
+    const strings = [];
+    walkAST(result.ast, (node) => {
+        if (node.type === 'Literal' && typeof node['value'] === 'string') {
+            strings.push(node['value']);
+        }
+        if (node.type === 'TemplateLiteral') {
+            const quasis = node['quasis'];
+            if (Array.isArray(quasis)) {
+                for (const quasi of quasis) {
+                    if (isASTNode(quasi)) {
+                        const value = quasi['value'];
+                        if (value !== null && typeof value === 'object') {
+                            const raw = value['raw'];
+                            if (typeof raw === 'string' && raw.length > 0) {
+                                strings.push(raw);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    });
+    return strings;
+}
+// ─── Utilities ────────────────────────────────────────────
+/**
+ * Check whether a value looks like an AST node (has a `type` string property).
+ */
+function isASTNode(value) {
+    return (value !== null &&
+        typeof value === 'object' &&
+        'type' in value &&
+        typeof value['type'] === 'string');
+}
+/**
+ * Get the line number of an AST node, or undefined if location info is missing.
+ */
+export function getNodeLine(node) {
+    return node.loc?.start.line;
+}
+/**
+ * Check if a node is a call expression calling a specific function name.
+ * Handles both simple calls (`eval(...)`) and member calls (`process.exit(...)`).
+ */
+export function isCallTo(node, name) {
+    if (node.type !== 'CallExpression')
+        return false;
+    const callee = node['callee'];
+    if (!isASTNode(callee))
+        return false;
+    // Simple identifier: eval(...)
+    if (callee.type === 'Identifier' && callee['name'] === name) {
+        return true;
+    }
+    // Member expression: obj.method(...)
+    if (callee.type === 'MemberExpression') {
+        const property = callee['property'];
+        if (isASTNode(property) && property.type === 'Identifier' && property['name'] === name) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if a node is a member expression accessing a specific property.
+ * E.g., `process.env` where property name is "env".
+ */
+/**
+ * Build an optional line property for a Finding, omitting it when undefined.
+ */
+export function optionalLine(line) {
+    return line !== undefined ? { line } : {};
+}
+export function isMemberAccess(node, objectName, propertyName) {
+    if (node.type !== 'MemberExpression')
+        return false;
+    const object = node['object'];
+    const property = node['property'];
+    if (!isASTNode(object) || !isASTNode(property))
+        return false;
+    return (object.type === 'Identifier' &&
+        object['name'] === objectName &&
+        property.type === 'Identifier' &&
+        property['name'] === propertyName);
+}
+//# sourceMappingURL=ast.js.map

package/dist/utils/ast.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast.js","sourceRoot":"","sources":["../../src/utils/ast.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAY,MAAM,sCAAsC,CAAC;AAiCvE;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,QAAiB;IAC3D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,EAAE;YACxB,KAAK,EAAE,IAAI;YACX,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,IAAI;YACT,oDAAoD;YACpD,eAAe,EAAE,IAAI;YACrB,kCAAkC,EAAE,IAAI;SACzC,CAAC,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,cAAc,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,OAAO,EAAE;SACnF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,IAAa,EAAE,OAAqB;IAC1D,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAAE,OAAO;IAE7B,MAAM,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,aAAa,KAAK,KAAK;QAAE,OAAO;IAEpC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;gBAC1B,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;aAAM,IAAI,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;AACH,CAAC;AAED,4DAA4D;AAE5D;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAc,EAAE,QAAiB;IACrE,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,EAAE;QAAE,OAAO,EAAE,CAAC;IAE1B,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE;QAC3B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YACjE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9B,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;oBAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;wBACrB,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;wBAC7B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;4BAChD,MAAM,GAAG,GAAI,KAAiC,CAAC,KAAK,CAAC,CAAC;4BACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gCAC9C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;4BACpB,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,6DAA6D;AAE7D;;GAEG;AACH,SAAS,SAAS,CAAC,KAAc;IAC/B,OAAO,CACL,KAAK,KAAK,IAAI;QACd,OAAO,KAAK,KAAK,QAAQ;QACzB,MAAM,IAAK,KAAiC;QAC5C,OAAQ,KAAiC,CAAC,MAAM,CAAC,KAAK,QAAQ,CAC/D,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAa;IACvC,OAAO,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAa,EAAE,IAAY;IAClD,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;QAAE,OAAO,KAAK,CAAC;IAEjD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,+BAA+B;IAC/B,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qCAAqC;IACrC,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;QACpC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,IAAI,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;YACvF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAwB;IAExB,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAa,EAAE,UAAkB,EAAE,YAAoB;IACpF,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB;QAAE,OAAO,KAAK,CAAC;IAEnD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;IAElC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7D,OAAO,CACL,MAAM,CAAC,IAAI,KAAK,YAAY;QAC5B,MAAM,CAAC,MAAM,CAAC,KAAK,UAAU;QAC7B,QAAQ,CAAC,IAAI,KAAK,YAAY;QAC9B,QAAQ,CAAC,MAAM,CAAC,KAAK,YAAY,CAClC,CAAC;AACJ,CAAC"}

package/dist/utils/fs.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Filesystem utilities for temp directory management and file operations.
+ */
+/**
+ * Check whether a file path has an analyzable JavaScript/TypeScript extension.
+ */
+export declare function isAnalyzableFile(filePath: string): boolean;
+/**
+ * Create a temporary directory for package extraction.
+ * Returns the absolute path to the created directory.
+ */
+export declare function createTempDir(): Promise<string>;
+/**
+ * Remove a temporary directory and all its contents.
+ * Silently ignores errors (directory may already be cleaned up).
+ */
+export declare function cleanupTempDir(dirPath: string): Promise<void>;
+/**
+ * Recursively walk a directory, yielding absolute file paths.
+ * Skips `node_modules` and hidden directories (starting with `.`).
+ */
+export declare function walkDirectory(dirPath: string): AsyncGenerator<string>;
+/**
+ * Read a file's contents as UTF-8 text.
+ * Returns null if the file cannot be read (missing, permission denied, etc.).
+ */
+export declare function readFileSafe(filePath: string): Promise<string | null>;
+//# sourceMappingURL=fs.d.ts.map

package/dist/utils/fs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fs.d.ts","sourceRoot":"","sources":["../../src/utils/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAUH;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAI1D;AAMD;;;GAGG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAErD;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMnE;AAID;;;GAGG;AACH,wBAAuB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAoB5E;AAID;;;GAGG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAM3E"}

package/dist/utils/fs.js

@@ -0,0 +1,78 @@
+/**
+ * Filesystem utilities for temp directory management and file operations.
+ */
+import { mkdtemp, rm, readFile, readdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+// ─── Analyzable File Extensions ───────────────────────────
+const ANALYZABLE_EXTENSIONS = new Set(['.js', '.ts', '.mjs', '.cjs', '.mts', '.cts']);
+/**
+ * Check whether a file path has an analyzable JavaScript/TypeScript extension.
+ */
+export function isAnalyzableFile(filePath) {
+    const dotIdx = filePath.lastIndexOf('.');
+    if (dotIdx === -1)
+        return false;
+    return ANALYZABLE_EXTENSIONS.has(filePath.slice(dotIdx));
+}
+// ─── Temp Directory ───────────────────────────────────────
+const TEMP_PREFIX = 'mitnick-';
+/**
+ * Create a temporary directory for package extraction.
+ * Returns the absolute path to the created directory.
+ */
+export async function createTempDir() {
+    return mkdtemp(join(tmpdir(), TEMP_PREFIX));
+}
+/**
+ * Remove a temporary directory and all its contents.
+ * Silently ignores errors (directory may already be cleaned up).
+ */
+export async function cleanupTempDir(dirPath) {
+    try {
+        await rm(dirPath, { recursive: true, force: true });
+    }
+    catch {
+        // Best-effort cleanup — ignore errors
+    }
+}
+// ─── Directory Walking ────────────────────────────────────
+/**
+ * Recursively walk a directory, yielding absolute file paths.
+ * Skips `node_modules` and hidden directories (starting with `.`).
+ */
+export async function* walkDirectory(dirPath) {
+    let entries;
+    try {
+        entries = await readdir(dirPath, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        const fullPath = join(dirPath, entry.name);
+        if (entry.isDirectory()) {
+            if (entry.name === 'node_modules' || entry.name.startsWith('.')) {
+                continue;
+            }
+            yield* walkDirectory(fullPath);
+        }
+        else if (entry.isFile()) {
+            yield fullPath;
+        }
+    }
+}
+// ─── Safe File Read ───────────────────────────────────────
+/**
+ * Read a file's contents as UTF-8 text.
+ * Returns null if the file cannot be read (missing, permission denied, etc.).
+ */
+export async function readFileSafe(filePath) {
+    try {
+        return await readFile(filePath, 'utf-8');
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=fs.js.map

package/dist/utils/fs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/utils/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEjC,6DAA6D;AAE7D,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEtF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAG,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,MAAM,KAAK,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAChC,OAAO,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,6DAA6D;AAE7D,MAAM,WAAW,GAAG,UAAU,CAAC;AAE/B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,OAAO,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAe;IAClD,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;IACxC,CAAC;AACH,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,CAAC,KAAK,SAAS,CAAC,CAAC,aAAa,CAAC,OAAe;IAClD,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAE3C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChE,SAAS;YACX,CAAC;YACD,KAAK,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,MAAM,QAAQ,CAAC;QACjB,CAAC;IACH,CAAC;AACH,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/utils/http.d.ts

@@ -0,0 +1,40 @@
+/**
+ * HTTP client wrapper using native fetch (Node 18+).
+ *
+ * Provides typed fetch helpers with timeout support and
+ * structured error handling via discriminated unions.
+ */
+interface HttpSuccess<T> {
+    readonly ok: true;
+    readonly data: T;
+    readonly status: number;
+}
+interface HttpError {
+    readonly ok: false;
+    readonly error: HttpErrorKind;
+    readonly message: string;
+    readonly status?: number;
+}
+export type HttpResult<T> = HttpSuccess<T> | HttpError;
+type HttpErrorKind = 'network' | 'timeout' | 'not_found' | 'rate_limited' | 'server_error' | 'parse_error';
+interface FetchOptions {
+    readonly timeout?: number;
+    readonly headers?: Readonly<Record<string, string>>;
+    readonly method?: string;
+    readonly body?: string;
+}
+/**
+ * Fetch JSON from a URL with timeout support and typed response.
+ * Returns a discriminated union so callers handle errors explicitly.
+ *
+ * **Note:** The generic type parameter `T` is applied via an `as T` cast on the
+ * parsed JSON. Callers are responsible for validating the returned `data`
+ * (e.g., with zod) before relying on its shape.
+ */
+export declare function fetchJson<T>(url: string, options?: FetchOptions): Promise<HttpResult<T>>;
+/**
+ * Fetch raw bytes from a URL. Used for tarball downloads.
+ */
+export declare function fetchBuffer(url: string, options?: FetchOptions): Promise<HttpResult<Buffer>>;
+export {};
+//# sourceMappingURL=http.d.ts.map

package/dist/utils/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/utils/http.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,UAAU,WAAW,CAAC,CAAC;IACrB,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IACjB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,UAAU,SAAS;IACjB,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC;AAEvD,KAAK,aAAa,GACd,SAAS,GACT,SAAS,GACT,WAAW,GACX,cAAc,GACd,cAAc,GACd,aAAa,CAAC;AAIlB,UAAU,YAAY;IACpB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAwBD;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAAC,CAAC,EAC/B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CA+CxB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CA+B7B"}

package/dist/utils/http.js

@@ -0,0 +1,116 @@
+/**
+ * HTTP client wrapper using native fetch (Node 18+).
+ *
+ * Provides typed fetch helpers with timeout support and
+ * structured error handling via discriminated unions.
+ */
+const DEFAULT_TIMEOUT = 30_000;
+// ─── Helpers ──────────────────────────────────────────────
+function classifyStatus(status) {
+    if (status >= 200 && status < 300)
+        return null;
+    if (status === 404)
+        return 'not_found';
+    if (status === 429)
+        return 'rate_limited';
+    if (status >= 500)
+        return 'server_error';
+    return 'network';
+}
+function classifyError(error) {
+    if (error instanceof DOMException && error.name === 'AbortError') {
+        return { ok: false, error: 'timeout', message: 'Request timed out' };
+    }
+    const message = error instanceof Error ? error.message : String(error);
+    return { ok: false, error: 'network', message };
+}
+// ─── Typed Fetch ──────────────────────────────────────────
+/**
+ * Fetch JSON from a URL with timeout support and typed response.
+ * Returns a discriminated union so callers handle errors explicitly.
+ *
+ * **Note:** The generic type parameter `T` is applied via an `as T` cast on the
+ * parsed JSON. Callers are responsible for validating the returned `data`
+ * (e.g., with zod) before relying on its shape.
+ */
+export async function fetchJson(url, options = {}) {
+    const { timeout = DEFAULT_TIMEOUT, headers, method, body } = options;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeout);
+    try {
+        const init = {
+            method: method ?? 'GET',
+            headers: {
+                Accept: 'application/json',
+                ...headers,
+            },
+            signal: controller.signal,
+        };
+        if (body !== undefined) {
+            init.body = body;
+        }
+        const response = await fetch(url, init);
+        const errorKind = classifyStatus(response.status);
+        if (errorKind !== null) {
+            const text = await response.text().catch(() => '');
+            return {
+                ok: false,
+                error: errorKind,
+                message: text !== '' ? text : `HTTP ${response.status}`,
+                status: response.status,
+            };
+        }
+        try {
+            const data = (await response.json());
+            return { ok: true, data, status: response.status };
+        }
+        catch {
+            return {
+                ok: false,
+                error: 'parse_error',
+                message: 'Failed to parse JSON response',
+                status: response.status,
+            };
+        }
+    }
+    catch (error) {
+        return classifyError(error);
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Fetch raw bytes from a URL. Used for tarball downloads.
+ */
+export async function fetchBuffer(url, options = {}) {
+    const { timeout = DEFAULT_TIMEOUT, headers, method } = options;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeout);
+    try {
+        const response = await fetch(url, {
+            method: method ?? 'GET',
+            headers: { ...headers },
+            signal: controller.signal,
+        });
+        const errorKind = classifyStatus(response.status);
+        if (errorKind !== null) {
+            const text = await response.text().catch(() => '');
+            return {
+                ok: false,
+                error: errorKind,
+                message: text !== '' ? text : `HTTP ${response.status}`,
+                status: response.status,
+            };
+        }
+        const arrayBuffer = await response.arrayBuffer();
+        return { ok: true, data: Buffer.from(arrayBuffer), status: response.status };
+    }
+    catch (error) {
+        return classifyError(error);
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+//# sourceMappingURL=http.js.map