npmguard-cli 0.5.6 → 1.0.0

package/README.md

@@ -1,155 +1,9 @@
-# npmguard-cli
+# NpmGuard CLI
 
-CLI that checks npm packages against on-chain audit records before installing. Published on npm as [`npmguard-cli`](https://www.npmjs.com/package/npmguard-cli).
+> **TODO** — CLI will talk to the NpmGuard API server (not ENS/IPFS). Not yet implemented.
 
-## `npmguard-cli check`
+Planned features:
 
-Scans your `package.json`, queries the npm registry for available updates, then resolves each package version against ENS on Sepolia to find audit records.
-
-```bash
-npx npmguard-cli check --path /your/project
-```
-
-```mermaid
-flowchart LR
-    A[package.json] -->|read deps| B[npm registry]
-    B -->|latest version| C{ENS Sepolia}
-    C -->|resolve 1-7-9.axios.npmguard.eth| D[Text Records]
-    D -->|verdict, score, capabilities, CIDs| E[Terminal output]
-```
-
-What happens:
-
-1. Reads `package.json` and extracts all dependencies
-2. For each dependency, fetches `https://registry.npmjs.org/{package}/latest` to get the latest version
-3. Constructs the ENS name: `{version}.{package}.npmguard.eth` (e.g. `1-7-9.axios.npmguard.eth`)
-4. Resolves these ENS text records on Sepolia via a public RPC:
-   - `npmguard.verdict` — SAFE / CRITICAL
-   - `npmguard.score` — 0 to 100
-   - `npmguard.capabilities` — network, filesystem, process_spawn, etc.
-   - `npmguard.report_cid` — IPFS CID of the full audit report
-   - `npmguard.source_cid` — IPFS CID of the audited source code
-5. Displays a table with verdict and capabilities per package
-6. Lists clickable IPFS links to the full audit reports
-
-Example output:
-
-```
-NpmGuard Dependency Audit
-
-┌─────────┬───────────┬────────┬──────────────┬──────────────┐
-│ Package │ Installed │ Latest │ Verdict      │ Capabilities │
-├─────────┼───────────┼────────┼──────────────┼──────────────┤
-│ axios   │ 1.6.0     │ 1.7.9  │ SAFE (96)    │ network      │
-├─────────┼───────────┼────────┼──────────────┼──────────────┤
-│ lodash  │ 4.17.21   │ 4.18.1 │ CRITICAL (12)│ network, ... │
-├─────────┼───────────┼────────┼──────────────┼──────────────┤
-│ chalk   │ 5.6.2     │ 5.6.2  │ NOT AUDITED  │ -            │
-└─────────┴───────────┴────────┴──────────────┴──────────────┘
-
-  1 safe | 1 critical | 1 not audited
-
-  axios@1.7.9 report: https://gateway.pinata.cloud/ipfs/bafkrei...
-  lodash@4.18.1 report: https://gateway.pinata.cloud/ipfs/bafkrei...
-```
-
-## `npmguard-cli install`
-
-Installs a package from IPFS instead of the npm registry when an audit record exists on ENS.
-
-```bash
-npx npmguard-cli install axios
-npx npmguard-cli install axios@1.7.9
-```
-
-```mermaid
-flowchart TD
-    A[npmguard-cli install axios] --> B{ENS Sepolia}
-    B -->|resolve 1-7-9.axios.npmguard.eth| C[Get verdict + sourceCid]
-    C --> D{Verdict?}
-    D -->|SAFE / WARNING| E[npm install from IPFS gateway]
-    D -->|CRITICAL| F[Installation blocked]
-    F -->|--force| E
-    E -->|tarball from gateway.pinata.cloud/ipfs/sourceCid| G[node_modules/]
-```
-
-What happens:
-
-1. If no version specified, fetches the latest version from npm registry
-2. Resolves `{version}.{package}.npmguard.eth` on Sepolia ENS
-3. Reads the `npmguard.source_cid` text record — the IPFS CID of the audited source tarball
-4. Runs `npm install https://gateway.pinata.cloud/ipfs/{sourceCid}`
-5. npm downloads the tarball directly from IPFS and installs it
-
-The result in `package-lock.json`:
-
-```json
-"node_modules/axios": {
-  "version": "1.7.9",
-  "resolved": "https://gateway.pinata.cloud/ipfs/bafkrei...",
-  "integrity": "sha512-..."
-}
-```
-
-The `resolved` field points to IPFS, not npm. Anyone running `npm install` on this project gets the exact same IPFS-verified code.
-
-If the package is flagged **CRITICAL**, installation is blocked:
-
-```
-  lodash@4.18.1
-
-  CRITICAL (score: 12)
-  Capabilities: network, filesystem, process_spawn
-  Report: https://gateway.pinata.cloud/ipfs/bafkrei...
-
-  Installation blocked. This package has critical security issues.
-  Use --force to install anyway.
-```
-
-If no audit record exists on ENS, falls back to standard `npm install`.
-
-## ENS structure
-
-```mermaid
-graph TD
-    A[npmguard.eth] --> B[axios.npmguard.eth]
-    A --> C[lodash.npmguard.eth]
-    B --> D[1-7-9.axios.npmguard.eth]
-    B --> E[1-8-0.axios.npmguard.eth]
-    D --> F["npmguard.verdict = safe<br/>npmguard.score = 96<br/>npmguard.capabilities = network<br/>npmguard.report_cid = bafkrei...<br/>npmguard.source_cid = bafkrei..."]
-    E --> G["npmguard.verdict = critical<br/>npmguard.score = 66"]
-```
-
-## Project structure
-
-```
-cli/
-├── src/
-│   ├── index.ts              # Entry point — commander setup
-│   ├── audit-source.ts       # AuditSource interface
-│   ├── ens-source.ts         # Reads ENS text records on Sepolia via viem
-│   ├── mock-source.ts        # Mock data for testing without ENS
-│   ├── scanner.ts            # Reads package.json + fetches npm for updates
-│   └── commands/
-│       ├── check.ts          # npmguard-cli check
-│       └── install.ts        # npmguard-cli install
-├── reports/                  # Sample audit reports (uploaded to IPFS)
-├── package.json
-└── tsconfig.json
-```
-
-## Development
-
-```bash
-cd cli && npm install
-
-# Run locally
-npx tsx src/index.ts check --path /tmp/test-project
-npx tsx src/index.ts install axios@1.7.9
-
-# Build
-npm run build
-
-# Publish
-npm publish
-```
+- `npmguard check <package>` — run a security audit via the API
+- `npmguard install <package>` — audit-then-install workflow
+- Machine-readable JSON output for CI/CD integration

package/dist/api.js

@@ -0,0 +1,66 @@
+async function request(url, options) {
+    const res = await fetch(url, options);
+    if (!res.ok) {
+        const body = await res.text().catch(() => "");
+        throw new Error(`HTTP ${res.status}: ${body || res.statusText}`);
+    }
+    return res.json();
+}
+export async function checkout(apiUrl, packageName, version) {
+    const body = { packageName };
+    if (version)
+        body.version = version;
+    return request(`${apiUrl}/checkout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+    });
+}
+export async function pollCheckoutStatus(apiUrl, sessionId) {
+    return request(`${apiUrl}/checkout/${encodeURIComponent(sessionId)}/status`);
+}
+export async function startAudit(apiUrl, stripeSessionId) {
+    return request(`${apiUrl}/audit/stream`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ stripeSessionId }),
+    });
+}
+export async function startAuditFree(apiUrl, packageName, version) {
+    return request(`${apiUrl}/audit/stream`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ packageName, ...(version && { version }) }),
+    });
+}
+export async function checkoutRaw(apiUrl, packageName, version) {
+    const body = { packageName };
+    if (version)
+        body.version = version;
+    const res = await fetch(`${apiUrl}/checkout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+    });
+    if (res.status === 501) {
+        return { status: 501, data: null };
+    }
+    if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`HTTP ${res.status}: ${text || res.statusText}`);
+    }
+    return { status: res.status, data: (await res.json()) };
+}
+export async function getPackageReport(apiUrl, packageName, version) {
+    const query = version ? `?version=${encodeURIComponent(version)}` : "";
+    const url = `${apiUrl}/package/${encodeURIComponent(packageName)}/report${query}`;
+    try {
+        return await request(url);
+    }
+    catch (err) {
+        if (err instanceof Error && err.message.startsWith("HTTP 404")) {
+            return null;
+        }
+        throw err;
+    }
+}

package/dist/commands/audit.js

@@ -0,0 +1,195 @@
+import chalk from "chalk";
+import ora from "ora";
+import qrcode from "qrcode-terminal";
+import EventSource from "eventsource";
+import * as api from "../api.js";
+import { renderVerdict, renderFinding, renderPhase } from "../render.js";
+function parsePackageArg(pkg) {
+    // Handle scoped packages: @scope/name@version
+    if (pkg.startsWith("@")) {
+        const slashIndex = pkg.indexOf("/");
+        if (slashIndex === -1) {
+            throw new Error(`Invalid scoped package name: ${pkg}`);
+        }
+        const rest = pkg.slice(slashIndex + 1);
+        const atIndex = rest.lastIndexOf("@");
+        if (atIndex > 0) {
+            return {
+                name: pkg.slice(0, slashIndex + 1 + atIndex),
+                version: rest.slice(atIndex + 1),
+            };
+        }
+        return { name: pkg };
+    }
+    // Handle unscoped packages: name@version
+    const atIndex = pkg.lastIndexOf("@");
+    if (atIndex > 0) {
+        return {
+            name: pkg.slice(0, atIndex),
+            version: pkg.slice(atIndex + 1),
+        };
+    }
+    return { name: pkg };
+}
+export async function auditCommand(pkg, opts) {
+    const apiUrl = opts.api;
+    // 1. Parse package name and version
+    let parsed;
+    try {
+        parsed = parsePackageArg(pkg);
+    }
+    catch {
+        console.error(chalk.red(`Invalid package: ${pkg}`));
+        process.exit(1);
+    }
+    console.log(chalk.bold(`Auditing ${parsed.name}`) +
+        (parsed.version ? chalk.gray(`@${parsed.version}`) : ""));
+    console.log();
+    // 1b. Check if already audited
+    const existing = await api.getPackageReport(apiUrl, parsed.name, parsed.version);
+    if (existing) {
+        console.log(chalk.yellow("This package has already been audited."));
+        console.log();
+        const verdict = existing.report?.verdict ?? existing.verdict ?? "UNKNOWN";
+        renderVerdict(verdict, existing.report?.capabilities ?? [], existing.report?.proofs?.length ?? 0);
+        console.log();
+        console.log(chalk.dim(`View full report: ${apiUrl}/package/${encodeURIComponent(parsed.name)}/report`));
+        process.exit(verdict === "SAFE" ? 0 : 1);
+    }
+    // 2. Try checkout — if payments not configured (501), go straight to free audit
+    const spinner = ora("Connecting...").start();
+    let auditId;
+    let checkoutResult;
+    try {
+        checkoutResult = await api.checkoutRaw(apiUrl, parsed.name, parsed.version);
+    }
+    catch (err) {
+        spinner.fail("Failed to create checkout session: " +
+            (err instanceof Error ? err.message : String(err)));
+        process.exit(1);
+    }
+    if (checkoutResult.status === 501 || !checkoutResult.data) {
+        // Payments not configured — start audit directly (dev/free mode)
+        spinner.text = "Starting audit (no payment required)...";
+        try {
+            const auditRes = await api.startAuditFree(apiUrl, parsed.name, parsed.version);
+            auditId = auditRes.auditId;
+        }
+        catch (err) {
+            spinner.fail("Failed to start audit: " +
+                (err instanceof Error ? err.message : String(err)));
+            process.exit(1);
+        }
+    }
+    else {
+        // Payment required — show URL + QR + poll
+        spinner.stop();
+        const link = chalk.blue.underline(checkoutResult.data.url);
+        console.log(chalk.bold("Pay to start the audit:"));
+        console.log(link);
+        console.log();
+        qrcode.generate(checkoutResult.data.url, { small: true });
+        console.log();
+        spinner.start("Waiting for payment...");
+        let status;
+        try {
+            status = await new Promise((resolve, reject) => {
+                const interval = setInterval(async () => {
+                    try {
+                        const s = await api.pollCheckoutStatus(apiUrl, checkoutResult.data.sessionId);
+                        if (s.paid) {
+                            clearInterval(interval);
+                            resolve(s);
+                        }
+                    }
+                    catch (err) {
+                        clearInterval(interval);
+                        reject(err);
+                    }
+                }, 3000);
+            });
+        }
+        catch (err) {
+            spinner.fail("Payment polling failed: " +
+                (err instanceof Error ? err.message : String(err)));
+            process.exit(1);
+        }
+        spinner.text = "Payment confirmed. Starting audit...";
+        if (status.auditId) {
+            auditId = status.auditId;
+        }
+        else {
+            try {
+                const auditRes = await api.startAudit(apiUrl, checkoutResult.data.sessionId);
+                auditId = auditRes.auditId;
+            }
+            catch (err) {
+                spinner.fail("Failed to start audit: " +
+                    (err instanceof Error ? err.message : String(err)));
+                process.exit(1);
+            }
+        }
+    }
+    spinner.text = "Audit in progress...";
+    // 9. Connect to SSE
+    const eventsUrl = `${apiUrl}/audit/${encodeURIComponent(auditId)}/events`;
+    const es = new EventSource(eventsUrl);
+    let exitCode = 0;
+    await new Promise((resolve) => {
+        es.addEventListener("phase_started", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                spinner.text = renderPhase(data.phase ?? data.name ?? "");
+            }
+            catch {
+                // ignore parse errors
+            }
+        });
+        es.addEventListener("finding_discovered", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                const finding = data.finding ?? data;
+                spinner.stop();
+                renderFinding(finding);
+                spinner.start();
+            }
+            catch {
+                // ignore parse errors
+            }
+        });
+        es.addEventListener("verdict_reached", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                spinner.stop();
+                renderVerdict(data.verdict ?? "UNKNOWN", data.capabilities ?? [], data.proofCount ?? data.findings?.length ?? 0);
+                exitCode = data.verdict?.toUpperCase() === "SAFE" ? 0 : 1;
+            }
+            catch {
+                spinner.stop();
+            }
+            es.close();
+            resolve();
+        });
+        es.addEventListener("audit_error", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                spinner.fail(chalk.red("Audit error: " + (data.error ?? event.data)));
+            }
+            catch {
+                spinner.fail(chalk.red("Audit error: " + event.data));
+            }
+            exitCode = 1;
+            es.close();
+            resolve();
+        });
+        es.onerror = () => {
+            // EventSource will auto-reconnect; if it closes, we resolve
+            if (es.readyState === EventSource.CLOSED) {
+                spinner.stop();
+                es.close();
+                resolve();
+            }
+        };
+    });
+    process.exit(exitCode);
+}

package/dist/commands/check.js

@@ -1,130 +1,81 @@
+import { readFile } from "node:fs/promises";
+import { resolve } from "node:path";
 import chalk from "chalk";
-import Table from "cli-table3";
-import ora from "ora";
-import { scanProject } from "../scanner.js";
-const IPFS_GATEWAY = "https://gateway.pinata.cloud/ipfs";
-function verdictLabel(verdict, score) {
-    switch (verdict) {
-        case "SAFE":
-            return chalk.green(`SAFE (${score})`);
-        case "WARNING":
-            return chalk.yellow(`WARNING (${score})`);
-        case "CRITICAL":
-            return chalk.red(`CRITICAL (${score})`);
-        case "DANGEROUS":
-            return chalk.red.bold(`DANGEROUS (${score})`);
-        default:
-            return chalk.gray("UNKNOWN");
+import * as api from "../api.js";
+export async function checkCommand(opts) {
+    const apiUrl = opts.api;
+    const pkgPath = resolve(opts.path, "package.json");
+    // 1. Read package.json
+    let pkgJson;
+    try {
+        const raw = await readFile(pkgPath, "utf-8");
+        pkgJson = JSON.parse(raw);
     }
-}
-function capsLabel(caps) {
-    if (caps.length === 0)
-        return chalk.gray("none");
-    return caps
-        .map((c) => {
-        if (["process_spawn", "binary_download", "eval_usage", "obfuscated_code"].includes(c)) {
-            return chalk.red(c);
-        }
-        if (["filesystem"].includes(c)) {
-            return chalk.yellow(c);
+    catch (err) {
+        console.error(chalk.red(`Failed to read ${pkgPath}: `) +
+            (err instanceof Error ? err.message : String(err)));
+        process.exit(1);
+    }
+    // 2. Collect dependency names
+    const deps = new Set([
+        ...Object.keys(pkgJson.dependencies ?? {}),
+        ...Object.keys(pkgJson.devDependencies ?? {}),
+    ]);
+    if (deps.size === 0) {
+        console.log(chalk.yellow("No dependencies found in package.json."));
+        return;
+    }
+    console.log(chalk.bold(`Checking ${deps.size} dependencies...\n`));
+    // 3. Check each dependency
+    const results = [];
+    for (const name of deps) {
+        const versionSpec = pkgJson.dependencies?.[name] ?? pkgJson.devDependencies?.[name] ?? "";
+        try {
+            const report = await api.getPackageReport(apiUrl, name);
+            results.push({
+                name,
+                version: report?.version ?? versionSpec,
+                verdict: report?.verdict ?? null,
+            });
         }
-        return chalk.gray(c);
-    })
-        .join(", ");
-}
-function shortCid(cid) {
-    return cid.slice(0, 8) + "..." + cid.slice(-4);
-}
-export async function checkCommand(projectPath, auditSource) {
-    const spinner = ora("Scanning project dependencies...").start();
-    const deps = await scanProject(projectPath);
-    spinner.text = `Found ${deps.length} dependencies. Checking audits...`;
-    const table = new Table({
-        head: [
-            chalk.bold("Package"),
-            chalk.bold("Installed"),
-            chalk.bold("Latest"),
-            chalk.bold("Verdict"),
-            chalk.bold("Capabilities"),
-        ],
-        style: { head: [], border: [] },
-    });
-    let safeCount = 0;
-    let warningCount = 0;
-    let criticalCount = 0;
-    let notAuditedCount = 0;
-    const links = [];
-    for (const dep of deps) {
-        const versionToCheck = dep.latest ?? dep.installed;
-        let audit;
-        if (dep.installed.startsWith("http")) {
-            // IPFS/URL installs: audit against the latest registry version
-            audit = await auditSource.getAudit(dep.name, versionToCheck);
+        catch {
+            results.push({ name, version: versionSpec, verdict: null });
         }
-        else if (!dep.hasUpdate) {
-            audit = await auditSource.getAudit(dep.name, dep.installed);
+    }
+    // 4. Print summary table
+    const nameWidth = Math.max(12, ...results.map((r) => r.name.length)) + 2;
+    const versionWidth = Math.max(10, ...results.map((r) => r.version.length)) + 2;
+    const header = chalk.bold("Package".padEnd(nameWidth)) +
+        chalk.bold("Version".padEnd(versionWidth)) +
+        chalk.bold("Verdict");
+    console.log(header);
+    console.log("─".repeat(nameWidth + versionWidth + 12));
+    for (const r of results) {
+        const nameCol = r.name.padEnd(nameWidth);
+        const versionCol = r.version.padEnd(versionWidth);
+        let verdictCol;
+        if (r.verdict === null) {
+            verdictCol = chalk.gray("not audited");
         }
-        else {
-            audit = await auditSource.getAudit(dep.name, versionToCheck);
+        else if (r.verdict.toUpperCase() === "SAFE") {
+            verdictCol = chalk.green("SAFE");
         }
-        let verdictCol;
-        let capsCol;
-        if (audit) {
-            verdictCol = verdictLabel(audit.verdict, audit.score);
-            capsCol = capsLabel(audit.capabilities);
-            if (audit.verdict === "SAFE")
-                safeCount++;
-            else if (audit.verdict === "WARNING")
-                warningCount++;
-            else if (audit.verdict === "CRITICAL")
-                criticalCount++;
-            if (audit.reportCid) {
-                links.push(`  ${dep.name}@${versionToCheck} report: ${IPFS_GATEWAY}/${audit.reportCid}`);
-            }
+        else if (r.verdict.toUpperCase() === "DANGEROUS") {
+            verdictCol = chalk.red("DANGEROUS");
         }
         else {
-            verdictCol = chalk.gray("NOT AUDITED");
-            capsCol = chalk.gray("-");
-            notAuditedCount++;
-        }
-        // Truncate long IPFS URLs so the table stays readable
-        const installedCol = dep.installed.startsWith("http")
-            ? chalk.yellow("IPFS " + shortCid(dep.installed.split("/").pop()))
-            : dep.installed;
-        table.push([
-            dep.name,
-            installedCol,
-            dep.latest ?? dep.installed,
-            verdictCol,
-            capsCol,
-        ]);
-    }
-    spinner.stop();
-    console.log();
-    console.log(chalk.bold("NpmGuard Dependency Audit"));
-    console.log();
-    console.log(table.toString());
-    console.log();
-    // Summary
-    const parts = [];
-    if (safeCount > 0)
-        parts.push(chalk.green(`${safeCount} safe`));
-    if (warningCount > 0)
-        parts.push(chalk.yellow(`${warningCount} warnings`));
-    if (criticalCount > 0)
-        parts.push(chalk.red(`${criticalCount} critical`));
-    if (notAuditedCount > 0)
-        parts.push(chalk.gray(`${notAuditedCount} not audited`));
-    console.log(`  ${parts.join(" | ")}`);
-    if (links.length > 0) {
-        console.log();
-        for (const link of links) {
-            console.log(chalk.gray(link));
+            verdictCol = chalk.yellow(r.verdict);
         }
-    }
-    if (criticalCount > 0) {
-        console.log();
-        console.log(chalk.red.bold(`  ${criticalCount} package(s) flagged as CRITICAL — do not update without reviewing the report.`));
+        console.log(nameCol + versionCol + verdictCol);
     }
     console.log();
+    // Count stats
+    const safe = results.filter((r) => r.verdict?.toUpperCase() === "SAFE").length;
+    const dangerous = results.filter((r) => r.verdict?.toUpperCase() === "DANGEROUS").length;
+    const notAudited = results.filter((r) => r.verdict === null).length;
+    console.log(chalk.green(`${safe} safe`) +
+        " | " +
+        chalk.red(`${dangerous} dangerous`) +
+        " | " +
+        chalk.gray(`${notAudited} not audited`));
 }

package/dist/index.js

@@ -1,37 +1,27 @@
 #!/usr/bin/env node
-import "dotenv/config";
 import { Command } from "commander";
-import { resolve } from "node:path";
-import { ENSAuditSource } from "./ens-source.js";
-import { MockAuditSource } from "./mock-source.js";
+import { auditCommand } from "./commands/audit.js";
 import { checkCommand } from "./commands/check.js";
-import { installCommand } from "./commands/install.js";
 const program = new Command();
 program
     .name("npmguard")
-    .description("Check npm packages against NpmGuard security audits")
-    .version("0.1.0");
+    .description("NpmGuard CLI — audit npm packages for security issues")
+    .version("1.0.0")
+    .option("--api <url>", "NpmGuard engine API URL", process.env.NPMGUARD_API_URL ?? "https://npmguard.com");
 program
-    .command("check")
-    .description("Scan project dependencies and check audit status for available updates")
-    .option("-p, --path <path>", "Path to project directory", ".")
-    .option("--mock", "Use mock data instead of ENS")
-    .action(async (opts) => {
-    const auditSource = opts.mock
-        ? new MockAuditSource()
-        : new ENSAuditSource();
-    const projectPath = resolve(opts.path);
-    await checkCommand(projectPath, auditSource);
+    .command("audit")
+    .description("Pay for and run a security audit on an npm package")
+    .argument("<package>", "Package name, optionally with version (e.g. express@4.18.0)")
+    .action(async (pkg) => {
+    const apiUrl = program.opts().api;
+    await auditCommand(pkg, { api: apiUrl });
 });
 program
-    .command("install <package>")
-    .description("Install a package after checking its NpmGuard audit status")
-    .option("--force", "Install even if flagged as CRITICAL")
-    .option("--mock", "Use mock data instead of ENS")
-    .action(async (pkg, opts) => {
-    const auditSource = opts.mock
-        ? new MockAuditSource()
-        : new ENSAuditSource();
-    await installCommand(pkg, auditSource, opts.force ?? false);
+    .command("check")
+    .description("Check all dependencies of a project against existing audits")
+    .option("--path <dir>", "Path to project directory", ".")
+    .action(async (cmdOpts) => {
+    const apiUrl = program.opts().api;
+    await checkCommand({ path: cmdOpts.path, api: apiUrl });
 });
 program.parse();