npmguard-cli 1.1.4 → 1.1.5

package/README.md

@@ -50,7 +50,7 @@ lockfiles and runs the correct add command (`npm install`, `pnpm add`,
 
 1. Resolves the version (`latest` if omitted)
 2. Asks the engine if the package has an existing audit
-3. **Found + SAFE** → runs `<pm> add <pkg>` directly
+3. **Found + SAFE** → installs from the configured source
 4. **Found + DANGEROUS** → shows findings + capabilities, prompts `y/N`
    (bypass with `--force`)
 5. **Not found** → asks how you want to pay for the audit:
@@ -63,9 +63,16 @@ lockfiles and runs the correct add command (`npm install`, `pnpm add`,
    report when the browser-wallet page owns the live view
 7. Runs the install if the verdict is SAFE, or prompts otherwise
 
-The install source is configurable:
+The install source defaults to `auto`: after a SAFE verdict the CLI waits
+briefly for NpmGuard publication, then tries ENS, then the NpmGuard Pinata
+storage API, and only falls back to npm if no publication is available.
+
+The source is configurable:
 
 ```bash
+# default: audited verdict, then ENS/Pinata when available
+npmguard install express --install-source auto
+
 # default: audited verdict, then normal registry install
 npmguard install express --install-source npm
 
@@ -175,7 +182,7 @@ Install source:
 npmguard install lodash --install-source ens
 
 # via env
-export NPMGUARD_INSTALL_SOURCE=pinata
+export NPMGUARD_INSTALL_SOURCE=ens
 export NPMGUARD_ENS_ROOT_DOMAIN=npmguard-demo.eth
 export NPMGUARD_ENS_RPC_URL=https://ethereum-sepolia-rpc.publicnode.com
 npmguard install lodash
@@ -185,6 +192,7 @@ Available values:
 
 | Source | Behavior |
 |---|---|
+| `auto` | Tries ENS, then NpmGuard's Pinata storage API, then npm fallback |
 | `npm` | Installs `<package>@<version>` from the normal npm registry |
 | `pinata` | Reads `/package/<name>/storage?version=<version>` from NpmGuard and installs the pinned tarball URL |
 | `ens` | Resolves Sepolia ENS `npmguard.*` text records and installs the announced Pinata tarball |

package/dist/commands/install.js

@@ -7,7 +7,8 @@ import { parsePackageArg, prompt, resolveLatestVersion, detectPackageManager, op
 import { auditCommand } from "./audit.js";
 import { payViaWalletConnect, readAuditFee } from "../wallet/walletconnect.js";
 import { streamAuditEvents } from "../stream.js";
-import { defaultEnsRootDomain, defaultEnsRpcUrl, normalizeInstallSource, resolveEnsInstallSpec, resolvePinataInstallSpec, } from "../install-source.js";
+import { defaultEnsRootDomain, defaultEnsRpcUrl, normalizeInstallSource, resolveEnsInstallSpec, resolvePinataInstallSpec, resolvePublishedInstallSpec, } from "../install-source.js";
+const POST_AUDIT_STORAGE_WAIT_MS = Number(process.env.NPMGUARD_STORAGE_WAIT_MS ?? 90_000);
 /**
  * Run the correct "add this package" command for the detected package manager.
  * `npm install <pkg>` adds the package. `pnpm add <pkg>` / `yarn add <pkg>` do
@@ -20,25 +21,44 @@ function runInstall(packageSpec, label) {
     const res = spawnSync(pm, [verb, packageSpec], { stdio: "inherit" });
     return res.status ?? 1;
 }
-async function resolveInstallTarget(fullSpec, packageName, version, opts) {
+async function resolveInstallTarget(fullSpec, packageName, version, opts, waitForPublishedMs = 0) {
     const source = normalizeInstallSource(opts.installSource);
+    const rootDomain = opts.ensRoot ?? defaultEnsRootDomain();
+    const rpcUrl = opts.ensRpc ?? defaultEnsRpcUrl();
+    if (source === "auto") {
+        const deadline = Date.now() + waitForPublishedMs;
+        do {
+            const published = await resolvePublishedInstallSpec({
+                apiUrl: opts.api,
+                packageName,
+                version,
+                rootDomain,
+                rpcUrl,
+            });
+            if (published)
+                return published;
+            if (Date.now() < deadline)
+                await delay(3000);
+        } while (Date.now() < deadline);
+        return { spec: fullSpec, detail: "npm registry (ENS/Pinata publication not available yet)" };
+    }
     if (source === "npm") {
         return { spec: fullSpec, detail: "npm registry" };
     }
     if (source === "pinata") {
-        return resolvePinataInstallSpec(opts.api, packageName, version);
+        return retryInstallSource(() => resolvePinataInstallSpec(opts.api, packageName, version), waitForPublishedMs);
     }
-    return resolveEnsInstallSpec({
+    return retryInstallSource(() => resolveEnsInstallSpec({
         packageName,
         version,
-        rootDomain: opts.ensRoot ?? defaultEnsRootDomain(),
-        rpcUrl: opts.ensRpc ?? defaultEnsRpcUrl(),
-    });
+        rootDomain,
+        rpcUrl,
+    }), waitForPublishedMs);
 }
-async function installSafePackage(fullSpec, packageName, version, opts) {
+async function installSafePackage(fullSpec, packageName, version, opts, waitForPublishedMs = 0) {
     let target;
     try {
-        target = await resolveInstallTarget(fullSpec, packageName, version, opts);
+        target = await resolveInstallTarget(fullSpec, packageName, version, opts, waitForPublishedMs);
     }
     catch (err) {
         console.error(chalk.red("Could not resolve install source: " +
@@ -48,6 +68,24 @@ async function installSafePackage(fullSpec, packageName, version, opts) {
     }
     process.exit(runInstall(target.spec, target.detail));
 }
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function retryInstallSource(resolve, waitMs) {
+    const deadline = Date.now() + waitMs;
+    let lastError;
+    do {
+        try {
+            return await resolve();
+        }
+        catch (err) {
+            lastError = err;
+            if (Date.now() < deadline)
+                await delay(3000);
+        }
+    } while (Date.now() < deadline);
+    throw lastError instanceof Error ? lastError : new Error(String(lastError));
+}
 function extractVerdict(report) {
     const nested = report.report?.verdict;
     return (nested ?? report.verdict ?? "UNKNOWN").toUpperCase();
@@ -184,7 +222,7 @@ function buildBrowserWalletUrl(webUrl, packageName, version) {
     return url.toString();
 }
 function sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+    return delay(ms);
 }
 async function waitForPackageReport(apiUrl, packageName, version, timeoutMs) {
     const deadline = Date.now() + timeoutMs;
@@ -228,7 +266,7 @@ async function runBrowserWalletAuditAndInstall(fullSpec, name, version, apiUrl,
         process.exit(1);
     }
     spinner.succeed("Audit report received");
-    await finalizeWithReport(fullSpec, name, version, report, opts);
+    await finalizeWithReport(fullSpec, name, version, report, opts, POST_AUDIT_STORAGE_WAIT_MS);
 }
 async function runCryptoAuditAndInstall(fullSpec, name, version, apiUrl, opts) {
     // 1. Read current fee from the engine's public config, then fall back to
@@ -296,13 +334,13 @@ async function finalizeAfterAudit(fullSpec, name, version, apiUrl, opts) {
         console.log(chalk.red("  Audit finished but report not found."));
         process.exit(1);
     }
-    await finalizeWithReport(fullSpec, name, version, freshReport, opts);
+    await finalizeWithReport(fullSpec, name, version, freshReport, opts, POST_AUDIT_STORAGE_WAIT_MS);
 }
-async function finalizeWithReport(fullSpec, name, version, report, opts) {
+async function finalizeWithReport(fullSpec, name, version, report, opts, waitForPublishedMs = 0) {
     const verdict = extractVerdict(report);
     if (verdict === "SAFE") {
         console.log(chalk.green("\n  ✓ SAFE — proceeding with install"));
-        await installSafePackage(fullSpec, name, version, opts);
+        await installSafePackage(fullSpec, name, version, opts, waitForPublishedMs);
     }
     console.log(chalk.red(`\n  Audit verdict: ${verdict}`));
     const confirm = await prompt(chalk.red.bold("  Install anyway? (y/N) "));

package/dist/index.js

@@ -34,9 +34,9 @@ program
     .description("Install an npm package with NpmGuard security check")
     .argument("<package>", "Package name, optionally with version (e.g. express@4.18.0)")
     .option("-f, --force", "Install even if the package is flagged as dangerous")
-    .option("--install-source <source>", "Install SAFE packages from npm, pinata, or ens", process.env.NPMGUARD_INSTALL_SOURCE ?? "npm")
-    .option("--ens-root <name>", "ENS root domain for --install-source ens", defaultEnsRootDomain())
-    .option("--ens-rpc <url>", "Sepolia RPC URL for --install-source ens", defaultEnsRpcUrl())
+    .option("--install-source <source>", "Install SAFE packages from auto, npm, pinata, or ens", process.env.NPMGUARD_INSTALL_SOURCE ?? "auto")
+    .option("--ens-root <name>", "ENS root domain for auto/ens install resolution", defaultEnsRootDomain())
+    .option("--ens-rpc <url>", "Sepolia RPC URL for auto/ens install resolution", defaultEnsRpcUrl())
     .action(async (pkg, cmdOpts) => {
     const opts = program.opts();
     await installCommand(pkg, {

package/dist/install-source.js

@@ -12,10 +12,10 @@ const resolverAbi = parseAbi([
     "function text(bytes32 node, string key) view returns (string)",
 ]);
 export function normalizeInstallSource(value) {
-    const source = (value ?? "npm").toLowerCase();
-    if (source === "npm" || source === "pinata" || source === "ens")
+    const source = (value ?? "auto").toLowerCase();
+    if (source === "auto" || source === "npm" || source === "pinata" || source === "ens")
         return source;
-    throw new Error(`Invalid install source "${value}". Expected npm, pinata, or ens.`);
+    throw new Error(`Invalid install source "${value}". Expected auto, npm, pinata, or ens.`);
 }
 export function defaultEnsRootDomain() {
     return process.env.NPMGUARD_ENS_ROOT_DOMAIN ?? DEFAULT_ENS_ROOT_DOMAIN;
@@ -119,13 +119,32 @@ export async function resolveEnsInstallSpec(options) {
             continue;
         const directTarball = records["npmguard.tarball_uri"] ?? records["npmguard.latest_tarball_uri"];
         if (directTarball)
-            return { spec: directTarball, detail: `ENS ${name} → Pinata tarball` };
+            return { spec: directTarball, detail: `ENS ${name} -> Pinata tarball` };
         const manifestUrl = records["npmguard.manifest_uri"] ?? records["npmguard.latest_manifest_uri"];
         if (manifestUrl) {
             const tarballUrl = await tarballFromManifest(manifestUrl);
             if (tarballUrl)
-                return { spec: tarballUrl, detail: `ENS ${name} → manifest → Pinata tarball` };
+                return { spec: tarballUrl, detail: `ENS ${name} -> manifest -> Pinata tarball` };
         }
     }
     throw new Error(`No installable ENS tarball record found for ${options.packageName}@${options.version}`);
 }
+export async function resolvePublishedInstallSpec(options) {
+    try {
+        return await resolveEnsInstallSpec({
+            packageName: options.packageName,
+            version: options.version,
+            rootDomain: options.rootDomain,
+            rpcUrl: options.rpcUrl,
+        });
+    }
+    catch {
+        // Fall through to the API-backed Pinata publication.
+    }
+    try {
+        return await resolvePinataInstallSpec(options.apiUrl, options.packageName, options.version);
+    }
+    catch {
+        return null;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "npmguard-cli",
-  "version": "1.1.4",
+  "version": "1.1.5",
   "type": "module",
   "description": "NpmGuard CLI — check npm packages against NpmGuard security audits",
   "main": "dist/index.js",