npmguard-cli 1.1.2 → 1.1.4

package/README.md

@@ -7,7 +7,7 @@ engine before it touches your `node_modules`.
 npx npmguard-cli install express
 ```
 
-- **SAFE** → installs immediately
+- **SAFE** → installs immediately from the configured source
 - **DANGEROUS** → warns, shows findings, asks before installing
 - **No audit yet** → offers to pay for one (Stripe or crypto), then streams
   the results in real time
@@ -55,12 +55,31 @@ lockfiles and runs the correct add command (`npm install`, `pnpm add`,
    (bypass with `--force`)
 5. **Not found** → asks how you want to pay for the audit:
    - Stripe (credit card) — browser checkout via QR
-   - WalletConnect — mobile wallet signs a tx on Base Sepolia (~$0.30)
+   - Browser wallet — MetaMask/Rabby signs in Brave or Chrome
+   - WalletConnect — mobile wallet signs a tx on Base Sepolia
    - Install without audit (yolo)
    - Cancel
-6. Streams audit events live (phases, findings, verdict)
+6. Streams audit events live for Stripe/WalletConnect, or waits for the
+   report when the browser-wallet page owns the live view
 7. Runs the install if the verdict is SAFE, or prompts otherwise
 
+The install source is configurable:
+
+```bash
+# default: audited verdict, then normal registry install
+npmguard install express --install-source npm
+
+# audited verdict, then install the tarball published by NpmGuard on Pinata
+npmguard install express --install-source pinata
+
+# audited verdict, then resolve ENS text records to find the Pinata tarball
+npmguard install express --install-source ens
+```
+
+The source choice never replaces server-side verification. NpmGuard always
+checks the report store first; `pinata` and `ens` only decide where the SAFE
+package bytes come from.
+
 ### `npmguard audit <package>[@version]`
 
 Run a standalone audit without installing. Returns the verdict and exits.
@@ -70,7 +89,9 @@ npmguard audit is-number
 npmguard audit express@5.2.1
 ```
 
-Same payment flow as `install` if the package hasn't been audited yet.
+If the package hasn't been audited yet, the standalone audit command starts
+the Stripe checkout flow. Use `install` for the interactive browser-wallet
+and WalletConnect choices.
 
 ### `npmguard check [--path <dir>]`
 
@@ -87,7 +108,7 @@ npmguard check --path /path/to/other-project
 ## Payment options
 
 When a package hasn't been audited yet, an audit run costs real compute
-(LLM calls, sandbox execution). Two ways to pay:
+(LLM calls, sandbox execution). Three ways to pay:
 
 ### Stripe (fiat)
 
@@ -95,11 +116,26 @@ Opens a Stripe checkout page in the browser. After payment, the engine
 triggers the audit automatically. Works from any machine, no wallet
 required.
 
+### Browser wallet (crypto)
+
+The CLI prints a `https://npmguard.com/pay?...` URL and can open it in your
+default browser. Open that page in Brave or Chrome with MetaMask/Rabby
+enabled, connect the wallet, and confirm the Base Sepolia transaction. The
+browser starts the server-side audit with the tx hash, while the CLI waits
+for the persisted report before deciding whether to install.
+
+This is the desktop-friendly flow for extension wallets.
+
 ### WalletConnect (crypto)
 
 The CLI generates a WalletConnect v2 QR code in the terminal. Scan it with
 any mobile wallet (MetaMask, Rainbow, Coinbase Wallet, etc.) and confirm
-the transaction.
+the transaction. It also prints the raw WalletConnect URI for desktop
+wallets that support a "connect by URI" flow.
+
+Browser extension wallets do not automatically connect to a terminal
+process. If your wallet only works as a Brave/Chrome extension, use the
+browser wallet option instead.
 
 - **Chain**: Base Sepolia (testnet — free ETH from
   [Alchemy faucet](https://www.alchemy.com/faucets/base-sepolia))
@@ -108,7 +144,7 @@ the transaction.
 
 Flow:
 
-1. CLI reads the fee from the contract
+1. CLI asks the engine for public crypto config (contract + fee), with a direct contract-read fallback
 2. You approve the tx in your wallet
 3. Engine verifies the receipt on Base Sepolia via Alchemy
 4. Audit starts, CLI streams events
@@ -120,20 +156,44 @@ against your request before launching the audit.
 ## Configuration
 
 The CLI talks to `https://npmguard.com` by default. You can override the
-API URL for local development:
+API URL and the web app URL for local development:
 
 ```bash
 # via flag
-npmguard --api http://localhost:8000 install lodash
+npmguard --api http://localhost:8000 --web http://localhost:3000 install lodash
 
 # via env
 export NPMGUARD_API_URL=http://localhost:8000
+export NPMGUARD_WEB_URL=http://localhost:3000
 npmguard install lodash
 ```
 
-No blockchain config is required from the user — the CLI reads the
-contract address + chain from its own code. Your wallet's RPC handles the
-broadcast.
+Install source:
+
+```bash
+# via flag
+npmguard install lodash --install-source ens
+
+# via env
+export NPMGUARD_INSTALL_SOURCE=pinata
+export NPMGUARD_ENS_ROOT_DOMAIN=npmguard-demo.eth
+export NPMGUARD_ENS_RPC_URL=https://ethereum-sepolia-rpc.publicnode.com
+npmguard install lodash
+```
+
+Available values:
+
+| Source | Behavior |
+|---|---|
+| `npm` | Installs `<package>@<version>` from the normal npm registry |
+| `pinata` | Reads `/package/<name>/storage?version=<version>` from NpmGuard and installs the pinned tarball URL |
+| `ens` | Resolves Sepolia ENS `npmguard.*` text records and installs the announced Pinata tarball |
+
+No private key or paid RPC config is required from the user. For the
+WalletConnect path, the CLI uses `viem` with a public Base Sepolia RPC to
+read/confirm the transaction for local UX; your wallet broadcasts the tx,
+and the engine re-verifies the receipt with its own RPC before starting the
+audit.
 
 ## Exit codes
 

package/dist/api.js

@@ -10,6 +10,9 @@ async function request(url, options) {
     }
     return res.json();
 }
+export async function getPublicConfig(apiUrl) {
+    return request(`${apiUrl}/config/public`);
+}
 export async function checkout(apiUrl, packageName, version) {
     const body = { packageName };
     if (version)
@@ -75,3 +78,16 @@ export async function getPackageReport(apiUrl, packageName, version) {
         throw err;
     }
 }
+export async function getPackageStorage(apiUrl, packageName, version) {
+    const query = `?version=${encodeURIComponent(version)}`;
+    const url = `${apiUrl}/package/${encodeURIComponent(packageName)}/storage${query}`;
+    try {
+        return await request(url);
+    }
+    catch (err) {
+        if (err instanceof Error && err.message.startsWith("HTTP 404")) {
+            return null;
+        }
+        throw err;
+    }
+}

package/dist/commands/install.js

@@ -3,22 +3,51 @@ import ora from "ora";
 import { spawnSync } from "node:child_process";
 import { formatEther } from "viem";
 import * as api from "../api.js";
-import { parsePackageArg, prompt, resolveLatestVersion, detectPackageManager, } from "../utils.js";
+import { parsePackageArg, prompt, resolveLatestVersion, detectPackageManager, openExternalUrl, } from "../utils.js";
 import { auditCommand } from "./audit.js";
 import { payViaWalletConnect, readAuditFee } from "../wallet/walletconnect.js";
 import { streamAuditEvents } from "../stream.js";
+import { defaultEnsRootDomain, defaultEnsRpcUrl, normalizeInstallSource, resolveEnsInstallSpec, resolvePinataInstallSpec, } from "../install-source.js";
 /**
  * Run the correct "add this package" command for the detected package manager.
  * `npm install <pkg>` adds the package. `pnpm add <pkg>` / `yarn add <pkg>` do
  * the same. Crucially, `yarn install <pkg>` would ignore <pkg> in yarn classic.
  */
-function runInstall(packageSpec) {
+function runInstall(packageSpec, label) {
     const pm = detectPackageManager();
     const verb = pm === "npm" ? "install" : "add";
-    console.log(chalk.gray(`\n  Running: ${pm} ${verb} ${packageSpec}\n`));
+    console.log(chalk.gray(`\n  Running: ${pm} ${verb} ${packageSpec}${label ? `\n  Source: ${label}` : ""}\n`));
     const res = spawnSync(pm, [verb, packageSpec], { stdio: "inherit" });
     return res.status ?? 1;
 }
+async function resolveInstallTarget(fullSpec, packageName, version, opts) {
+    const source = normalizeInstallSource(opts.installSource);
+    if (source === "npm") {
+        return { spec: fullSpec, detail: "npm registry" };
+    }
+    if (source === "pinata") {
+        return resolvePinataInstallSpec(opts.api, packageName, version);
+    }
+    return resolveEnsInstallSpec({
+        packageName,
+        version,
+        rootDomain: opts.ensRoot ?? defaultEnsRootDomain(),
+        rpcUrl: opts.ensRpc ?? defaultEnsRpcUrl(),
+    });
+}
+async function installSafePackage(fullSpec, packageName, version, opts) {
+    let target;
+    try {
+        target = await resolveInstallTarget(fullSpec, packageName, version, opts);
+    }
+    catch (err) {
+        console.error(chalk.red("Could not resolve install source: " +
+            (err instanceof Error ? err.message : String(err))));
+        console.log(chalk.gray("  Retry with --install-source npm to install from the npm registry."));
+        process.exit(1);
+    }
+    process.exit(runInstall(target.spec, target.detail));
+}
 function extractVerdict(report) {
     const nested = report.report?.verdict;
     return (nested ?? report.verdict ?? "UNKNOWN").toUpperCase();
@@ -30,6 +59,7 @@ function extractCapabilities(report) {
 }
 export async function installCommand(packageSpec, opts) {
     const apiUrl = opts.api;
+    const webUrl = opts.web;
     let parsed;
     try {
         parsed = parsePackageArg(packageSpec);
@@ -65,7 +95,7 @@ export async function installCommand(packageSpec, opts) {
     }
     spinner.stop();
     if (report) {
-        handleExistingReport(report, name, fullSpec, apiUrl, opts);
+        await handleExistingReport(report, name, version, fullSpec, apiUrl, opts);
         return;
     }
     // No audit found — ask how to pay
@@ -73,27 +103,32 @@ export async function installCommand(packageSpec, opts) {
     console.log();
     console.log(chalk.bold("  How do you want to pay for the audit?"));
     console.log("    1) Stripe (credit card)");
-    console.log("    2) WalletConnect — ETH on Base Sepolia");
-    console.log("    3) Install without audit (at your own risk)");
-    console.log("    4) Cancel");
+    console.log("    2) Browser wallet — MetaMask/Rabby in Brave or Chrome");
+    console.log("    3) WalletConnect — QR/mobile wallet");
+    console.log("    4) Install without audit (at your own risk)");
+    console.log("    5) Cancel");
     console.log();
-    const choice = await prompt("  Choice [1/2/3/4]: ");
+    const choice = await prompt("  Choice [1/2/3/4/5]: ");
     if (choice === "1") {
-        await runStripeAuditAndInstall(fullSpec, name, version, apiUrl);
+        await runStripeAuditAndInstall(fullSpec, name, version, apiUrl, opts);
         return;
     }
     if (choice === "2") {
-        await runCryptoAuditAndInstall(fullSpec, name, version, apiUrl);
+        await runBrowserWalletAuditAndInstall(fullSpec, name, version, apiUrl, webUrl, opts);
         return;
     }
     if (choice === "3") {
+        await runCryptoAuditAndInstall(fullSpec, name, version, apiUrl, opts);
+        return;
+    }
+    if (choice === "4") {
         console.log(chalk.yellow("  Installing without audit. Proceed at your own risk."));
-        process.exit(runInstall(fullSpec));
+        process.exit(runInstall(fullSpec, "npm registry (audit skipped)"));
     }
     console.log(chalk.gray("  Cancelled."));
     process.exit(0);
 }
-function handleExistingReport(report, name, fullSpec, apiUrl, opts) {
+async function handleExistingReport(report, name, version, fullSpec, apiUrl, opts) {
     const verdict = extractVerdict(report);
     const capabilities = extractCapabilities(report);
     if (verdict === "SAFE") {
@@ -101,7 +136,8 @@ function handleExistingReport(report, name, fullSpec, apiUrl, opts) {
         if (capabilities.length > 0) {
             console.log(chalk.gray(`  Capabilities: ${capabilities.join(", ")}`));
         }
-        process.exit(runInstall(fullSpec));
+        await installSafePackage(fullSpec, name, version, opts);
+        return;
     }
     if (verdict === "DANGEROUS" || verdict === "CRITICAL" || verdict === "WARNING") {
         console.log(chalk.bgRed.white.bold(`  ${verdict}  `));
@@ -113,23 +149,24 @@ function handleExistingReport(report, name, fullSpec, apiUrl, opts) {
         console.log();
         if (opts.force) {
             console.log(chalk.yellow("  --force passed, installing anyway..."));
-            process.exit(runInstall(fullSpec));
+            await installSafePackage(fullSpec, name, version, opts);
+            return;
         }
-        promptAndInstallIfAccepted(fullSpec, "  Install anyway? This package is flagged. (y/N) ");
+        await promptAndInstallIfAccepted(fullSpec, name, version, opts, "  Install anyway? This package is flagged. (y/N) ");
         return;
     }
     console.log(chalk.yellow(`  Verdict: ${verdict}`));
-    promptAndInstallIfAccepted(fullSpec, "  Proceed with install? (y/N) ");
+    await promptAndInstallIfAccepted(fullSpec, name, version, opts, "  Proceed with install? (y/N) ");
 }
-async function promptAndInstallIfAccepted(fullSpec, question) {
+async function promptAndInstallIfAccepted(fullSpec, name, version, opts, question) {
     const answer = await prompt(chalk.red.bold(question));
     if (answer === "y" || answer === "yes") {
-        process.exit(runInstall(fullSpec));
+        await installSafePackage(fullSpec, name, version, opts);
     }
     console.log(chalk.gray("  Aborted."));
     process.exit(1);
 }
-async function runStripeAuditAndInstall(fullSpec, name, version, apiUrl) {
+async function runStripeAuditAndInstall(fullSpec, name, version, apiUrl, opts) {
     try {
         await auditCommand(fullSpec, { api: apiUrl, exit: false });
     }
@@ -137,19 +174,89 @@ async function runStripeAuditAndInstall(fullSpec, name, version, apiUrl) {
         console.error(chalk.red("Audit failed: " + (err instanceof Error ? err.message : String(err))));
         process.exit(1);
     }
-    await finalizeAfterAudit(fullSpec, name, version, apiUrl);
+    await finalizeAfterAudit(fullSpec, name, version, apiUrl, opts);
 }
-async function runCryptoAuditAndInstall(fullSpec, name, version, apiUrl) {
-    // 1. Read current fee from contract
-    let feeWei;
+function buildBrowserWalletUrl(webUrl, packageName, version) {
+    const url = new URL("/pay", webUrl.replace(/\/+$/, ""));
+    url.searchParams.set("packageName", packageName);
+    url.searchParams.set("version", version);
+    url.searchParams.set("source", "cli");
+    return url.toString();
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function waitForPackageReport(apiUrl, packageName, version, timeoutMs) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        const report = await api.getPackageReport(apiUrl, packageName, version);
+        if (report)
+            return report;
+        await sleep(3000);
+    }
+    return null;
+}
+async function runBrowserWalletAuditAndInstall(fullSpec, name, version, apiUrl, webUrl, opts) {
+    const paymentUrl = buildBrowserWalletUrl(webUrl, name, version);
+    console.log();
+    console.log(chalk.bold("  Open this URL in Brave or Chrome with MetaMask/Rabby:"));
+    console.log(chalk.blue.underline(`  ${paymentUrl}`));
+    console.log();
+    console.log(chalk.gray("  The browser page will connect your wallet, sign the Base Sepolia tx, and start the audit."));
+    console.log(chalk.gray("  Keep this terminal open; it will continue when the report is ready."));
+    console.log();
+    const openAnswer = await prompt("  Open it now in your default browser? (Y/n) ");
+    if (openAnswer !== "n" && openAnswer !== "no") {
+        const opened = openExternalUrl(paymentUrl);
+        if (!opened) {
+            console.log(chalk.yellow("  Could not open automatically. Copy the URL above."));
+        }
+    }
+    const spinner = ora("  Waiting for browser payment and audit report...").start();
+    let report = null;
     try {
-        feeWei = await readAuditFee();
+        report = await waitForPackageReport(apiUrl, name, version, 30 * 60 * 1000);
     }
     catch (err) {
-        console.error(chalk.red("Could not read fee from contract: " +
-            (err instanceof Error ? err.message : String(err))));
+        spinner.fail("Could not read report: " +
+            (err instanceof Error ? err.message : String(err)));
         process.exit(1);
     }
+    if (!report) {
+        spinner.fail("Timed out waiting for the browser audit report.");
+        console.log(chalk.gray(`  Check ${webUrl.replace(/\/+$/, "")}/package/${encodeURIComponent(name)}`));
+        process.exit(1);
+    }
+    spinner.succeed("Audit report received");
+    await finalizeWithReport(fullSpec, name, version, report, opts);
+}
+async function runCryptoAuditAndInstall(fullSpec, name, version, apiUrl, opts) {
+    // 1. Read current fee from the engine's public config, then fall back to
+    // direct contract read if the engine is older or config is unavailable.
+    let feeWei;
+    let contractAddress;
+    try {
+        const publicConfig = await api.getPublicConfig(apiUrl);
+        const contract = publicConfig.crypto?.contract;
+        const auditFeeWei = publicConfig.crypto?.auditFeeWei;
+        if (contract && /^0x[0-9a-fA-F]{40}$/.test(contract) && auditFeeWei) {
+            contractAddress = contract;
+            feeWei = BigInt(auditFeeWei);
+        }
+        else {
+            feeWei = await readAuditFee();
+        }
+    }
+    catch (err) {
+        try {
+            feeWei = await readAuditFee();
+        }
+        catch {
+            console.error(chalk.red("Could not read fee from engine or contract: " +
+                (err instanceof Error ? err.message : String(err))));
+            process.exit(1);
+        }
+    }
     const feeDisplay = `${formatEther(feeWei)} ETH`;
     const confirm = await prompt(chalk.yellow(`  Pay ${feeDisplay} on Base Sepolia? (y/N) `));
     if (confirm !== "y" && confirm !== "yes") {
@@ -157,7 +264,7 @@ async function runCryptoAuditAndInstall(fullSpec, name, version, apiUrl) {
         process.exit(0);
     }
     // 2. WalletConnect → user signs → we get txHash
-    const result = await payViaWalletConnect(name, version, feeWei, feeDisplay);
+    const result = await payViaWalletConnect(name, version, feeWei, feeDisplay, contractAddress);
     if (!result.paid || !result.txHash) {
         console.log(chalk.red("  Payment failed, aborting."));
         process.exit(1);
@@ -181,23 +288,26 @@ async function runCryptoAuditAndInstall(fullSpec, name, version, apiUrl) {
     //    would trigger a second, unpaid audit via /checkout).
     await streamAuditEvents(apiUrl, auditId);
     // 5. Fetch the persisted report and decide whether to install
-    await finalizeAfterAudit(fullSpec, name, version, apiUrl);
+    await finalizeAfterAudit(fullSpec, name, version, apiUrl, opts);
 }
-async function finalizeAfterAudit(fullSpec, name, version, apiUrl) {
+async function finalizeAfterAudit(fullSpec, name, version, apiUrl, opts) {
     const freshReport = await api.getPackageReport(apiUrl, name, version);
     if (!freshReport) {
         console.log(chalk.red("  Audit finished but report not found."));
         process.exit(1);
     }
-    const verdict = extractVerdict(freshReport);
+    await finalizeWithReport(fullSpec, name, version, freshReport, opts);
+}
+async function finalizeWithReport(fullSpec, name, version, report, opts) {
+    const verdict = extractVerdict(report);
     if (verdict === "SAFE") {
         console.log(chalk.green("\n  ✓ SAFE — proceeding with install"));
-        process.exit(runInstall(fullSpec));
+        await installSafePackage(fullSpec, name, version, opts);
     }
     console.log(chalk.red(`\n  Audit verdict: ${verdict}`));
     const confirm = await prompt(chalk.red.bold("  Install anyway? (y/N) "));
     if (confirm === "y" || confirm === "yes") {
-        process.exit(runInstall(fullSpec));
+        await installSafePackage(fullSpec, name, version, opts);
     }
     process.exit(1);
 }

package/dist/index.js

@@ -4,6 +4,7 @@ import { readFileSync } from "node:fs";
 import { auditCommand } from "./commands/audit.js";
 import { checkCommand } from "./commands/check.js";
 import { installCommand } from "./commands/install.js";
+import { defaultEnsRootDomain, defaultEnsRpcUrl, normalizeInstallSource } from "./install-source.js";
 function readPackageVersion() {
     try {
         const pkg = JSON.parse(readFileSync(new URL("../package.json", import.meta.url), "utf-8"));
@@ -18,7 +19,8 @@ program
     .name("npmguard")
     .description("NpmGuard CLI — audit npm packages for security issues")
     .version(readPackageVersion())
-    .option("--api <url>", "NpmGuard engine API URL", process.env.NPMGUARD_API_URL ?? "https://npmguard.com");
+    .option("--api <url>", "NpmGuard engine API URL", process.env.NPMGUARD_API_URL ?? "https://npmguard.com")
+    .option("--web <url>", "NpmGuard web app URL for browser wallet payments", process.env.NPMGUARD_WEB_URL ?? "https://npmguard.com");
 program
     .command("audit")
     .description("Pay for and run a security audit on an npm package")
@@ -32,9 +34,19 @@ program
     .description("Install an npm package with NpmGuard security check")
     .argument("<package>", "Package name, optionally with version (e.g. express@4.18.0)")
     .option("-f, --force", "Install even if the package is flagged as dangerous")
+    .option("--install-source <source>", "Install SAFE packages from npm, pinata, or ens", process.env.NPMGUARD_INSTALL_SOURCE ?? "npm")
+    .option("--ens-root <name>", "ENS root domain for --install-source ens", defaultEnsRootDomain())
+    .option("--ens-rpc <url>", "Sepolia RPC URL for --install-source ens", defaultEnsRpcUrl())
     .action(async (pkg, cmdOpts) => {
-    const apiUrl = program.opts().api;
-    await installCommand(pkg, { api: apiUrl, force: cmdOpts.force });
+    const opts = program.opts();
+    await installCommand(pkg, {
+        api: opts.api,
+        web: opts.web,
+        force: cmdOpts.force,
+        installSource: normalizeInstallSource(cmdOpts.installSource),
+        ensRoot: cmdOpts.ensRoot,
+        ensRpc: cmdOpts.ensRpc,
+    });
 });
 program
     .command("check")

package/dist/install-source.js

@@ -0,0 +1,131 @@
+import { createPublicClient, http, parseAbi, toHex, zeroAddress } from "viem";
+import { sepolia } from "viem/chains";
+import { namehash, packetToBytes } from "viem/ens";
+import * as api from "./api.js";
+const DEFAULT_ENS_RPC_URL = "https://ethereum-sepolia-rpc.publicnode.com";
+const DEFAULT_ENS_ROOT_DOMAIN = "npmguard-demo.eth";
+const UNIVERSAL_RESOLVER = "0xeEeEEEeE14D718C2B47D9923Deab1335E144EeEe";
+const universalResolverAbi = parseAbi([
+    "function findResolver(bytes name) view returns (address resolver, bytes32 node, uint256 offset)",
+]);
+const resolverAbi = parseAbi([
+    "function text(bytes32 node, string key) view returns (string)",
+]);
+export function normalizeInstallSource(value) {
+    const source = (value ?? "npm").toLowerCase();
+    if (source === "npm" || source === "pinata" || source === "ens")
+        return source;
+    throw new Error(`Invalid install source "${value}". Expected npm, pinata, or ens.`);
+}
+export function defaultEnsRootDomain() {
+    return process.env.NPMGUARD_ENS_ROOT_DOMAIN ?? DEFAULT_ENS_ROOT_DOMAIN;
+}
+export function defaultEnsRpcUrl() {
+    return process.env.NPMGUARD_ENS_RPC_URL ?? process.env.SEPOLIA_RPC_URL ?? DEFAULT_ENS_RPC_URL;
+}
+function ensSafeLabel(value) {
+    const label = value
+        .replace(/^@/, "")
+        .replace(/[^a-z0-9-]+/gi, "-")
+        .replace(/^-+|-+$/g, "")
+        .toLowerCase();
+    if (!label)
+        throw new Error(`Cannot derive an ENS label from "${value}"`);
+    return label.slice(0, 63);
+}
+function tarballFromStorage(storage) {
+    return (storage.storage.tarball?.gatewayUrl ??
+        storage.storage.manifest?.value?.tarball?.gatewayUrl ??
+        null);
+}
+export async function resolvePinataInstallSpec(apiUrl, packageName, version) {
+    const publication = await api.getPackageStorage(apiUrl, packageName, version);
+    if (!publication) {
+        throw new Error(`No Pinata publication found for ${packageName}@${version}`);
+    }
+    const tarballUrl = tarballFromStorage(publication);
+    if (!tarballUrl) {
+        throw new Error(`Pinata publication for ${packageName}@${version} has no installable tarball URL`);
+    }
+    return {
+        spec: tarballUrl,
+        detail: publication.storage.ens?.recordName
+            ? `Pinata tarball announced by ${publication.storage.ens.recordName}`
+            : "Pinata tarball from NpmGuard storage API",
+    };
+}
+async function readTextRecords(name, keys, rpcUrl) {
+    const client = createPublicClient({ chain: sepolia, transport: http(rpcUrl) });
+    const found = await client.readContract({
+        address: UNIVERSAL_RESOLVER,
+        abi: universalResolverAbi,
+        functionName: "findResolver",
+        args: [toHex(packetToBytes(name))],
+    });
+    const resolver = found.resolver ?? found[0] ?? zeroAddress;
+    if (!resolver || resolver === zeroAddress)
+        return {};
+    const node = namehash(name);
+    const records = {};
+    for (const key of keys) {
+        try {
+            const value = await client.readContract({
+                address: resolver,
+                abi: resolverAbi,
+                functionName: "text",
+                args: [node, key],
+            });
+            if (value)
+                records[key] = value;
+        }
+        catch {
+            // Some resolvers throw for missing keys; treat that as an empty record.
+        }
+    }
+    return records;
+}
+async function tarballFromManifest(manifestUrl) {
+    const res = await fetch(manifestUrl);
+    if (!res.ok)
+        return null;
+    const manifest = await res.json();
+    return manifest.tarball?.gatewayUrl ?? null;
+}
+export async function resolveEnsInstallSpec(options) {
+    const packageLabel = ensSafeLabel(options.packageName);
+    const versionLabel = ensSafeLabel(options.version || "latest");
+    const root = options.rootDomain.replace(/\.+$/, "");
+    const candidates = [
+        `${versionLabel}.${packageLabel}.${root}`,
+        `${packageLabel}.${root}`,
+        root,
+    ];
+    const keys = [
+        "npmguard.tarball_uri",
+        "npmguard.latest_tarball_uri",
+        "npmguard.manifest_uri",
+        "npmguard.latest_manifest_uri",
+        "npmguard.package",
+        "npmguard.version",
+        "npmguard.latest_version",
+    ];
+    for (const name of candidates) {
+        const records = await readTextRecords(name, keys, options.rpcUrl);
+        const recordPackage = records["npmguard.package"];
+        const recordVersion = records["npmguard.version"] ?? records["npmguard.latest_version"];
+        const packageMatches = !recordPackage || recordPackage === options.packageName;
+        const versionMatches = !recordVersion || recordVersion === options.version;
+        if (!packageMatches || !versionMatches)
+            continue;
+        const directTarball = records["npmguard.tarball_uri"] ?? records["npmguard.latest_tarball_uri"];
+        if (directTarball)
+            return { spec: directTarball, detail: `ENS ${name} → Pinata tarball` };
+        const manifestUrl = records["npmguard.manifest_uri"] ?? records["npmguard.latest_manifest_uri"];
+        if (manifestUrl) {
+            const tarballUrl = await tarballFromManifest(manifestUrl);
+            if (tarballUrl)
+                return { spec: tarballUrl, detail: `ENS ${name} → manifest → Pinata tarball` };
+        }
+    }
+    throw new Error(`No installable ENS tarball record found for ${options.packageName}@${options.version}`);
+}

package/dist/utils.js

@@ -1,6 +1,7 @@
 import { createInterface } from "node:readline";
 import { existsSync } from "node:fs";
 import { join } from "node:path";
+import { spawn } from "node:child_process";
 export function parsePackageArg(pkg) {
     if (pkg.startsWith("@")) {
         const slashIndex = pkg.indexOf("/");
@@ -54,3 +55,27 @@ export function detectPackageManager(cwd = process.cwd()) {
         return "yarn";
     return "npm";
 }
+export function openExternalUrl(url) {
+    try {
+        const platform = process.platform;
+        const command = platform === "darwin"
+            ? "open"
+            : platform === "win32"
+                ? "cmd"
+                : "xdg-open";
+        const args = platform === "win32"
+            ? ["/c", "start", "", url]
+            : [url];
+        const child = spawn(command, args, {
+            detached: true,
+            stdio: "ignore",
+            windowsHide: true,
+        });
+        child.on("error", () => { });
+        child.unref();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/wallet/walletconnect.js

@@ -14,7 +14,7 @@ function generateQrCode(text) {
         });
     });
 }
-export async function payViaWalletConnect(packageName, version, feeWei, feeDisplay) {
+export async function payViaWalletConnect(packageName, version, feeWei, feeDisplay, contractAddress = AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA) {
     const calldata = encodeFunctionData({
         abi: AUDIT_REQUEST_ABI,
         functionName: "requestAudit",
@@ -63,6 +63,10 @@ export async function payViaWalletConnect(packageName, version, feeWei, feeDispl
         console.log();
         await generateQrCode(uri);
         console.log();
+        console.log(chalk.cyan("  Desktop wallet? Paste this WalletConnect URI into your wallet:"));
+        console.log(chalk.gray(`  ${uri}`));
+        console.log(chalk.gray("  Keep it private; it is only for this pairing session."));
+        console.log();
         const pairSpinner = ora("  Waiting for wallet connection...").start();
         const session = await approval();
         const accounts = session.namespaces.eip155?.accounts ?? [];
@@ -84,7 +88,7 @@ export async function payViaWalletConnect(packageName, version, feeWei, feeDispl
                 params: [
                     {
                         from: sender,
-                        to: AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA,
+                        to: contractAddress,
                         data: calldata,
                         value: "0x" + feeWei.toString(16),
                     },
@@ -120,13 +124,13 @@ export async function payViaWalletConnect(packageName, version, feeWei, feeDispl
         setTimeout(() => process.off("uncaughtException", wcErrorHandler), 5000);
     }
 }
-export async function readAuditFee() {
+export async function readAuditFee(contractAddress = AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA) {
     const publicClient = createPublicClient({
         chain: baseSepolia,
         transport: http(),
     });
     return (await publicClient.readContract({
-        address: AUDIT_REQUEST_ADDRESS_BASE_SEPOLIA,
+        address: contractAddress,
         abi: AUDIT_REQUEST_ABI,
         functionName: "auditFee",
     }));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "npmguard-cli",
-  "version": "1.1.2",
+  "version": "1.1.4",
   "type": "module",
   "description": "NpmGuard CLI — check npm packages against NpmGuard security audits",
   "main": "dist/index.js",