npmguard-cli 1.0.1 → 1.1.0

package/dist/api.js

@@ -30,6 +30,13 @@ export async function startAudit(apiUrl, stripeSessionId) {
         body: JSON.stringify({ stripeSessionId }),
     });
 }
+export async function startAuditWithTxHash(apiUrl, packageName, version, txHash) {
+    return request(`${apiUrl}/audit/stream`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ packageName, version, txHash, chain: "base-sepolia" }),
+    });
+}
 export async function startAuditFree(apiUrl, packageName, version) {
     return request(`${apiUrl}/audit/stream`, {
         method: "POST",

package/dist/commands/audit.js

@@ -4,35 +4,16 @@ import qrcode from "qrcode-terminal";
 import EventSource from "eventsource";
 import * as api from "../api.js";
 import { renderVerdict, renderFinding, renderPhase } from "../render.js";
-function parsePackageArg(pkg) {
-    // Handle scoped packages: @scope/name@version
-    if (pkg.startsWith("@")) {
-        const slashIndex = pkg.indexOf("/");
-        if (slashIndex === -1) {
-            throw new Error(`Invalid scoped package name: ${pkg}`);
-        }
-        const rest = pkg.slice(slashIndex + 1);
-        const atIndex = rest.lastIndexOf("@");
-        if (atIndex > 0) {
-            return {
-                name: pkg.slice(0, slashIndex + 1 + atIndex),
-                version: rest.slice(atIndex + 1),
-            };
-        }
-        return { name: pkg };
-    }
-    // Handle unscoped packages: name@version
-    const atIndex = pkg.lastIndexOf("@");
-    if (atIndex > 0) {
-        return {
-            name: pkg.slice(0, atIndex),
-            version: pkg.slice(atIndex + 1),
-        };
-    }
-    return { name: pkg };
-}
+import { parsePackageArg } from "../utils.js";
 export async function auditCommand(pkg, opts) {
     const apiUrl = opts.api;
+    const shouldExit = opts.exit !== false;
+    const done = (code) => {
+        if (shouldExit)
+            process.exit(code);
+        if (code !== 0)
+            throw new Error(`Audit aborted (code ${code})`);
+    };
     // 1. Parse package name and version
     let parsed;
     try {
@@ -40,7 +21,7 @@ export async function auditCommand(pkg, opts) {
     }
     catch {
         console.error(chalk.red(`Invalid package: ${pkg}`));
-        process.exit(1);
+        return done(1);
     }
     console.log(chalk.bold(`Auditing ${parsed.name}`) +
         (parsed.version ? chalk.gray(`@${parsed.version}`) : ""));
@@ -54,7 +35,7 @@ export async function auditCommand(pkg, opts) {
         renderVerdict(verdict, existing.report?.capabilities ?? [], existing.report?.proofs?.length ?? 0);
         console.log();
         console.log(chalk.dim(`View full report: ${apiUrl}/package/${encodeURIComponent(parsed.name)}/report`));
-        process.exit(verdict === "SAFE" ? 0 : 1);
+        return done(verdict === "SAFE" ? 0 : 1);
     }
     // 2. Try checkout — if payments not configured (501), go straight to free audit
     const spinner = ora("Connecting...").start();
@@ -66,7 +47,7 @@ export async function auditCommand(pkg, opts) {
     catch (err) {
         spinner.fail("Failed to create checkout session: " +
             (err instanceof Error ? err.message : String(err)));
-        process.exit(1);
+        return done(1);
     }
     if (checkoutResult.status === 501 || !checkoutResult.data) {
         // Payments not configured — start audit directly (dev/free mode)
@@ -78,7 +59,7 @@ export async function auditCommand(pkg, opts) {
         catch (err) {
             spinner.fail("Failed to start audit: " +
                 (err instanceof Error ? err.message : String(err)));
-            process.exit(1);
+            return done(1);
         }
     }
     else {
@@ -112,7 +93,7 @@ export async function auditCommand(pkg, opts) {
         catch (err) {
             spinner.fail("Payment polling failed: " +
                 (err instanceof Error ? err.message : String(err)));
-            process.exit(1);
+            return done(1);
         }
         spinner.text = "Payment confirmed. Starting audit...";
         if (status.auditId) {
@@ -126,7 +107,7 @@ export async function auditCommand(pkg, opts) {
             catch (err) {
                 spinner.fail("Failed to start audit: " +
                     (err instanceof Error ? err.message : String(err)));
-                process.exit(1);
+                return done(1);
             }
         }
     }
@@ -191,5 +172,5 @@ export async function auditCommand(pkg, opts) {
             }
         };
     });
-    process.exit(exitCode);
+    return done(exitCode);
 }

package/dist/commands/install.js

@@ -0,0 +1,201 @@
+import chalk from "chalk";
+import ora from "ora";
+import { spawnSync } from "node:child_process";
+import { formatEther } from "viem";
+import * as api from "../api.js";
+import { parsePackageArg, prompt, resolveLatestVersion, detectPackageManager, } from "../utils.js";
+import { auditCommand } from "./audit.js";
+import { payViaWalletConnect, readAuditFee } from "../wallet/walletconnect.js";
+import { streamAuditEvents } from "../stream.js";
+/**
+ * Run the correct "add this package" command for the detected package manager.
+ * `npm install <pkg>` adds the package. `pnpm add <pkg>` / `yarn add <pkg>` do
+ * the same. Crucially, `yarn install <pkg>` would ignore <pkg> in yarn classic.
+ */
+function runInstall(packageSpec) {
+    const pm = detectPackageManager();
+    const verb = pm === "npm" ? "install" : "add";
+    console.log(chalk.gray(`\n  Running: ${pm} ${verb} ${packageSpec}\n`));
+    const res = spawnSync(pm, [verb, packageSpec], { stdio: "inherit" });
+    return res.status ?? 1;
+}
+function extractVerdict(report) {
+    const nested = report.report?.verdict;
+    return (nested ?? report.verdict ?? "UNKNOWN").toUpperCase();
+}
+function extractCapabilities(report) {
+    const nested = report.report
+        ?.capabilities;
+    return nested ?? report.capabilities ?? [];
+}
+export async function installCommand(packageSpec, opts) {
+    const apiUrl = opts.api;
+    let parsed;
+    try {
+        parsed = parsePackageArg(packageSpec);
+    }
+    catch {
+        console.error(chalk.red(`Invalid package: ${packageSpec}`));
+        process.exit(1);
+    }
+    let { name, version } = parsed;
+    if (!version) {
+        const spinner = ora(`Resolving latest version of ${name}...`).start();
+        const resolved = await resolveLatestVersion(name);
+        if (!resolved) {
+            spinner.fail("Could not resolve version from npm registry.");
+            process.exit(1);
+        }
+        version = resolved;
+        spinner.succeed(`Resolved ${name}@${version}`);
+    }
+    const fullSpec = `${name}@${version}`;
+    console.log();
+    console.log(chalk.bold(`  ${fullSpec}`));
+    console.log();
+    const spinner = ora("Checking NpmGuard audit...").start();
+    let report;
+    try {
+        report = await api.getPackageReport(apiUrl, name, version);
+    }
+    catch (err) {
+        spinner.fail("Could not reach NpmGuard API: " +
+            (err instanceof Error ? err.message : String(err)));
+        process.exit(1);
+    }
+    spinner.stop();
+    if (report) {
+        handleExistingReport(report, name, fullSpec, apiUrl, opts);
+        return;
+    }
+    // No audit found — ask how to pay
+    console.log(chalk.gray("  NOT AUDITED — no NpmGuard record for this version."));
+    console.log();
+    console.log(chalk.bold("  How do you want to pay for the audit?"));
+    console.log("    1) Stripe (credit card)");
+    console.log("    2) WalletConnect — ETH on Base Sepolia");
+    console.log("    3) Install without audit (at your own risk)");
+    console.log("    4) Cancel");
+    console.log();
+    const choice = await prompt("  Choice [1/2/3/4]: ");
+    if (choice === "1") {
+        await runStripeAuditAndInstall(fullSpec, name, version, apiUrl);
+        return;
+    }
+    if (choice === "2") {
+        await runCryptoAuditAndInstall(fullSpec, name, version, apiUrl);
+        return;
+    }
+    if (choice === "3") {
+        console.log(chalk.yellow("  Installing without audit. Proceed at your own risk."));
+        process.exit(runInstall(fullSpec));
+    }
+    console.log(chalk.gray("  Cancelled."));
+    process.exit(0);
+}
+function handleExistingReport(report, name, fullSpec, apiUrl, opts) {
+    const verdict = extractVerdict(report);
+    const capabilities = extractCapabilities(report);
+    if (verdict === "SAFE") {
+        console.log(chalk.green("  ✓ SAFE — audited by NpmGuard"));
+        if (capabilities.length > 0) {
+            console.log(chalk.gray(`  Capabilities: ${capabilities.join(", ")}`));
+        }
+        process.exit(runInstall(fullSpec));
+    }
+    if (verdict === "DANGEROUS" || verdict === "CRITICAL" || verdict === "WARNING") {
+        console.log(chalk.bgRed.white.bold(`  ${verdict}  `));
+        if (capabilities.length > 0) {
+            console.log(chalk.red("  Capabilities: ") +
+                capabilities.map((c) => chalk.yellow(c)).join(", "));
+        }
+        console.log(chalk.dim(`  Full report: ${apiUrl}/package/${encodeURIComponent(name)}/report`));
+        console.log();
+        if (opts.force) {
+            console.log(chalk.yellow("  --force passed, installing anyway..."));
+            process.exit(runInstall(fullSpec));
+        }
+        promptAndInstallIfAccepted(fullSpec, "  Install anyway? This package is flagged. (y/N) ");
+        return;
+    }
+    console.log(chalk.yellow(`  Verdict: ${verdict}`));
+    promptAndInstallIfAccepted(fullSpec, "  Proceed with install? (y/N) ");
+}
+async function promptAndInstallIfAccepted(fullSpec, question) {
+    const answer = await prompt(chalk.red.bold(question));
+    if (answer === "y" || answer === "yes") {
+        process.exit(runInstall(fullSpec));
+    }
+    console.log(chalk.gray("  Aborted."));
+    process.exit(1);
+}
+async function runStripeAuditAndInstall(fullSpec, name, version, apiUrl) {
+    try {
+        await auditCommand(fullSpec, { api: apiUrl, exit: false });
+    }
+    catch (err) {
+        console.error(chalk.red("Audit failed: " + (err instanceof Error ? err.message : String(err))));
+        process.exit(1);
+    }
+    await finalizeAfterAudit(fullSpec, name, version, apiUrl);
+}
+async function runCryptoAuditAndInstall(fullSpec, name, version, apiUrl) {
+    // 1. Read current fee from contract
+    let feeWei;
+    try {
+        feeWei = await readAuditFee();
+    }
+    catch (err) {
+        console.error(chalk.red("Could not read fee from contract: " +
+            (err instanceof Error ? err.message : String(err))));
+        process.exit(1);
+    }
+    const feeDisplay = `${formatEther(feeWei)} ETH`;
+    const confirm = await prompt(chalk.yellow(`  Pay ${feeDisplay} on Base Sepolia? (y/N) `));
+    if (confirm !== "y" && confirm !== "yes") {
+        console.log(chalk.gray("  Cancelled."));
+        process.exit(0);
+    }
+    // 2. WalletConnect → user signs → we get txHash
+    const result = await payViaWalletConnect(name, version, feeWei, feeDisplay);
+    if (!result.paid || !result.txHash) {
+        console.log(chalk.red("  Payment failed, aborting."));
+        process.exit(1);
+    }
+    // 3. Engine verifies txHash + returns auditId
+    const startSpinner = ora("  Starting audit on engine...").start();
+    let auditId;
+    try {
+        const res = await api.startAuditWithTxHash(apiUrl, name, version, result.txHash);
+        auditId = res.auditId;
+        startSpinner.succeed(`Audit started (id: ${auditId})`);
+    }
+    catch (err) {
+        startSpinner.fail("Engine rejected txHash: " +
+            (err instanceof Error ? err.message : String(err)));
+        process.exit(1);
+    }
+    // 4. Stream the audit we just paid for (do NOT call auditCommand — that
+    //    would trigger a second, unpaid audit via /checkout).
+    await streamAuditEvents(apiUrl, auditId);
+    // 5. Fetch the persisted report and decide whether to install
+    await finalizeAfterAudit(fullSpec, name, version, apiUrl);
+}
+async function finalizeAfterAudit(fullSpec, name, version, apiUrl) {
+    const freshReport = await api.getPackageReport(apiUrl, name, version);
+    if (!freshReport) {
+        console.log(chalk.red("  Audit finished but report not found."));
+        process.exit(1);
+    }
+    const verdict = extractVerdict(freshReport);
+    if (verdict === "SAFE") {
+        console.log(chalk.green("\n  ✓ SAFE — proceeding with install"));
+        process.exit(runInstall(fullSpec));
+    }
+    console.log(chalk.red(`\n  Audit verdict: ${verdict}`));
+    const confirm = await prompt(chalk.red.bold("  Install anyway? (y/N) "));
+    if (confirm === "y" || confirm === "yes") {
+        process.exit(runInstall(fullSpec));
+    }
+    process.exit(1);
+}

package/dist/contract.js

@@ -0,0 +1,60 @@
+// NpmGuardAuditRequest — deployed on Base Sepolia
+// Deploy script: contracts/deploy.sh
+// Source: contracts/src/NpmGuardAuditRequest.sol
+export const AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA = "0xBF562626e4Afb883423Ec719e0270DB232bcB9eD";
+// Base mainnet — not deployed yet
+export const AUDIT_REQUEST_ADDRESS_BASE = "0x";
+export const BASE_SEPOLIA_CHAIN_ID = 84532;
+export const BASE_CHAIN_ID = 8453;
+export const AUDIT_REQUEST_ABI = [
+    {
+        type: "constructor",
+        inputs: [{ name: "_auditFee", type: "uint256" }],
+        stateMutability: "nonpayable",
+    },
+    {
+        type: "function",
+        name: "requestAudit",
+        inputs: [
+            { name: "packageName", type: "string" },
+            { name: "version", type: "string" },
+        ],
+        outputs: [],
+        stateMutability: "payable",
+    },
+    {
+        type: "function",
+        name: "isRequested",
+        inputs: [
+            { name: "packageName", type: "string" },
+            { name: "version", type: "string" },
+        ],
+        outputs: [{ name: "", type: "bool" }],
+        stateMutability: "view",
+    },
+    {
+        type: "function",
+        name: "auditFee",
+        inputs: [],
+        outputs: [{ name: "", type: "uint256" }],
+        stateMutability: "view",
+    },
+    {
+        type: "function",
+        name: "owner",
+        inputs: [],
+        outputs: [{ name: "", type: "address" }],
+        stateMutability: "view",
+    },
+    {
+        type: "event",
+        name: "AuditRequested",
+        inputs: [
+            { name: "packageName", type: "string", indexed: false },
+            { name: "version", type: "string", indexed: false },
+            { name: "requester", type: "address", indexed: true },
+            { name: "feePaid", type: "uint256", indexed: false },
+        ],
+        anonymous: false,
+    },
+];

package/dist/index.js

@@ -2,6 +2,7 @@
 import { Command } from "commander";
 import { auditCommand } from "./commands/audit.js";
 import { checkCommand } from "./commands/check.js";
+import { installCommand } from "./commands/install.js";
 const program = new Command();
 program
     .name("npmguard")
@@ -16,6 +17,15 @@ program
     const apiUrl = program.opts().api;
     await auditCommand(pkg, { api: apiUrl });
 });
+program
+    .command("install")
+    .description("Install an npm package with NpmGuard security check")
+    .argument("<package>", "Package name, optionally with version (e.g. express@4.18.0)")
+    .option("-f, --force", "Install even if the package is flagged as dangerous")
+    .action(async (pkg, cmdOpts) => {
+    const apiUrl = program.opts().api;
+    await installCommand(pkg, { api: apiUrl, force: cmdOpts.force });
+});
 program
     .command("check")
     .description("Check all dependencies of a project against existing audits")

package/dist/stream.js

@@ -0,0 +1,72 @@
+import chalk from "chalk";
+import ora from "ora";
+import EventSource from "eventsource";
+import { renderVerdict, renderFinding, renderPhase } from "./render.js";
+/**
+ * Connect to the engine SSE stream for an existing audit and render events
+ * until a verdict or error arrives. Does not exit the process.
+ */
+export async function streamAuditEvents(apiUrl, auditId) {
+    const eventsUrl = `${apiUrl}/audit/${encodeURIComponent(auditId)}/events`;
+    const es = new EventSource(eventsUrl);
+    const spinner = ora("Audit in progress...").start();
+    let verdict = "UNKNOWN";
+    let exitCode = 0;
+    await new Promise((resolve) => {
+        es.addEventListener("phase_started", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                spinner.text = renderPhase(data.phase ?? data.name ?? "");
+            }
+            catch {
+                // ignore
+            }
+        });
+        es.addEventListener("finding_discovered", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                const finding = data.finding ?? data;
+                spinner.stop();
+                renderFinding(finding);
+                spinner.start();
+            }
+            catch {
+                // ignore
+            }
+        });
+        es.addEventListener("verdict_reached", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                spinner.stop();
+                verdict = (data.verdict ?? "UNKNOWN").toString().toUpperCase();
+                renderVerdict(verdict, data.capabilities ?? [], data.proofCount ?? data.findings?.length ?? 0);
+                exitCode = verdict === "SAFE" ? 0 : 1;
+            }
+            catch {
+                spinner.stop();
+            }
+            es.close();
+            resolve();
+        });
+        es.addEventListener("audit_error", (event) => {
+            try {
+                const data = JSON.parse(event.data);
+                spinner.fail(chalk.red("Audit error: " + (data.error ?? event.data)));
+            }
+            catch {
+                spinner.fail(chalk.red("Audit error: " + event.data));
+            }
+            exitCode = 1;
+            es.close();
+            resolve();
+        });
+        es.onerror = () => {
+            if (es.readyState === EventSource.CLOSED) {
+                spinner.stop();
+                es.close();
+                resolve();
+            }
+        };
+    });
+    return { verdict, exitCode };
+}

package/dist/utils.js

@@ -0,0 +1,56 @@
+import { createInterface } from "node:readline";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+export function parsePackageArg(pkg) {
+    if (pkg.startsWith("@")) {
+        const slashIndex = pkg.indexOf("/");
+        if (slashIndex === -1) {
+            throw new Error(`Invalid scoped package name: ${pkg}`);
+        }
+        const rest = pkg.slice(slashIndex + 1);
+        const atIndex = rest.lastIndexOf("@");
+        if (atIndex > 0) {
+            return {
+                name: pkg.slice(0, slashIndex + 1 + atIndex),
+                version: rest.slice(atIndex + 1),
+            };
+        }
+        return { name: pkg };
+    }
+    const atIndex = pkg.lastIndexOf("@");
+    if (atIndex > 0) {
+        return {
+            name: pkg.slice(0, atIndex),
+            version: pkg.slice(atIndex + 1),
+        };
+    }
+    return { name: pkg };
+}
+export function prompt(question) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            rl.close();
+            resolve(answer.trim().toLowerCase());
+        });
+    });
+}
+export async function resolveLatestVersion(packageName) {
+    try {
+        const res = await fetch(`https://registry.npmjs.org/${packageName}/latest`);
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return data.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+export function detectPackageManager(cwd = process.cwd()) {
+    if (existsSync(join(cwd, "pnpm-lock.yaml")))
+        return "pnpm";
+    if (existsSync(join(cwd, "yarn.lock")))
+        return "yarn";
+    return "npm";
+}

package/dist/wallet/walletconnect.js

@@ -0,0 +1,133 @@
+import chalk from "chalk";
+import ora from "ora";
+import qrcode from "qrcode-terminal";
+import { SignClient } from "@walletconnect/sign-client";
+import { createPublicClient, http, encodeFunctionData } from "viem";
+import { baseSepolia } from "viem/chains";
+import { AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA, AUDIT_REQUEST_ABI, BASE_SEPOLIA_CHAIN_ID, } from "../contract.js";
+const WALLETCONNECT_PROJECT_ID = process.env.WALLETCONNECT_PROJECT_ID ?? "d5eb170c427570e15ac00ae53acc93ba";
+function generateQrCode(text) {
+    return new Promise((resolve) => {
+        qrcode.generate(text, { small: true }, (code) => {
+            console.log(code);
+            resolve();
+        });
+    });
+}
+export async function payViaWalletConnect(packageName, version, feeWei, feeDisplay) {
+    const calldata = encodeFunctionData({
+        abi: AUDIT_REQUEST_ABI,
+        functionName: "requestAudit",
+        args: [packageName, version],
+    });
+    const publicClient = createPublicClient({
+        chain: baseSepolia,
+        transport: http(),
+    });
+    let signClient = null;
+    // WalletConnect throws late "No matching key" errors when sessions clean up
+    const wcErrorHandler = (err) => {
+        if (err?.message?.includes("No matching key"))
+            return;
+        console.error(err);
+        process.exit(1);
+    };
+    process.on("uncaughtException", wcErrorHandler);
+    try {
+        const initSpinner = ora("  Connecting to WalletConnect...").start();
+        signClient = await SignClient.init({
+            projectId: WALLETCONNECT_PROJECT_ID,
+            metadata: {
+                name: "NpmGuard",
+                description: "NPM package security audit",
+                url: "https://npmguard.com",
+                icons: [],
+            },
+        });
+        initSpinner.stop();
+        const { uri, approval } = await signClient.connect({
+            requiredNamespaces: {
+                eip155: {
+                    methods: ["eth_sendTransaction"],
+                    chains: [`eip155:${BASE_SEPOLIA_CHAIN_ID}`],
+                    events: ["chainChanged", "accountsChanged"],
+                },
+            },
+        });
+        if (!uri) {
+            console.log(chalk.red("  Failed to generate WalletConnect URI"));
+            return { paid: false };
+        }
+        console.log();
+        console.log(chalk.cyan("  Scan with your wallet to connect:"));
+        console.log();
+        await generateQrCode(uri);
+        console.log();
+        const pairSpinner = ora("  Waiting for wallet connection...").start();
+        const session = await approval();
+        const accounts = session.namespaces.eip155?.accounts ?? [];
+        const baseAccount = accounts.find((a) => a.startsWith(`eip155:${BASE_SEPOLIA_CHAIN_ID}:`));
+        const sender = baseAccount
+            ? baseAccount.split(":")[2]
+            : accounts[0]?.split(":")[2];
+        if (!sender) {
+            pairSpinner.fail("Wallet did not approve any accounts");
+            return { paid: false };
+        }
+        pairSpinner.succeed(`Connected: ${sender.slice(0, 6)}...${sender.slice(-4)}`);
+        console.log(chalk.cyan(`  Confirm the ${feeDisplay} transaction in your wallet (Base Sepolia)...`));
+        const txHash = (await signClient.request({
+            topic: session.topic,
+            chainId: `eip155:${BASE_SEPOLIA_CHAIN_ID}`,
+            request: {
+                method: "eth_sendTransaction",
+                params: [
+                    {
+                        from: sender,
+                        to: AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA,
+                        data: calldata,
+                        value: "0x" + feeWei.toString(16),
+                    },
+                ],
+            },
+        }));
+        const confirmSpinner = ora("  Waiting for on-chain confirmation...").start();
+        const receipt = await publicClient.waitForTransactionReceipt({
+            hash: txHash,
+        });
+        if (receipt.status === "success") {
+            confirmSpinner.succeed("Payment confirmed on-chain");
+            console.log(chalk.gray(`  Tx: https://sepolia.basescan.org/tx/${txHash}`));
+            console.log();
+            return { paid: true, txHash, sender };
+        }
+        confirmSpinner.fail("Transaction reverted");
+        return { paid: false };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes("rejected") || msg.includes("denied")) {
+            console.log(chalk.yellow("  Transaction rejected by user."));
+        }
+        else {
+            console.log(chalk.red(`  WalletConnect error: ${msg}`));
+        }
+        console.log();
+        return { paid: false };
+    }
+    finally {
+        signClient = null;
+        setTimeout(() => process.off("uncaughtException", wcErrorHandler), 5000);
+    }
+}
+export async function readAuditFee() {
+    const publicClient = createPublicClient({
+        chain: baseSepolia,
+        transport: http(),
+    });
+    return (await publicClient.readContract({
+        address: AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA,
+        abi: AUDIT_REQUEST_ABI,
+        functionName: "auditFee",
+    }));
+}

package/package.json

@@ -1,10 +1,12 @@
 {
   "name": "npmguard-cli",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "type": "module",
   "description": "NpmGuard CLI — check npm packages against NpmGuard security audits",
   "main": "dist/index.js",
-  "files": ["dist"],
+  "files": [
+    "dist"
+  ],
   "bin": {
     "npmguard": "./dist/index.js"
   },
@@ -19,11 +21,13 @@
   ],
   "license": "MIT",
   "dependencies": {
+    "@walletconnect/sign-client": "^2.23.9",
     "chalk": "^5.3.0",
     "commander": "^12.1.0",
     "eventsource": "^2.0.2",
     "ora": "^8.1.0",
-    "qrcode-terminal": "^0.12.0"
+    "qrcode-terminal": "^0.12.0",
+    "viem": "^2.47.17"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",