npx-ray 1.0.0

package/dist/registry.js

@@ -0,0 +1,229 @@
+/**
+ * npm registry API client for npx-ray.
+ *
+ * Fetches package metadata from the npm registry, supporting:
+ * - Unscoped packages: `chalk`
+ * - Scoped packages: `@anthropic-ai/sdk`
+ * - Pinned versions: `chalk@5.4.0`
+ * - Local tarballs: `./my-package-1.0.0.tgz`
+ */
+import { createReadStream } from 'node:fs';
+import { resolve } from 'node:path';
+import { createGunzip } from 'node:zlib';
+import { pipeline } from 'node:stream/promises';
+const NPM_REGISTRY = 'https://registry.npmjs.org';
+/**
+ * Parse a target string into a package name and optional version.
+ *
+ * Handles scoped packages correctly:
+ *   `@scope/name`         -> { name: '@scope/name', version: undefined }
+ *   `@scope/name@1.2.3`   -> { name: '@scope/name', version: '1.2.3' }
+ *   `lodash`              -> { name: 'lodash', version: undefined }
+ *   `lodash@4.17.21`      -> { name: 'lodash', version: '4.17.21' }
+ */
+function parseTarget(target) {
+    // Local tarball detection
+    if (target.startsWith('./') ||
+        target.startsWith('/') ||
+        target.startsWith('../') ||
+        target.endsWith('.tgz') ||
+        target.endsWith('.tar.gz')) {
+        return { name: target, isLocal: true };
+    }
+    // Scoped package: @scope/name or @scope/name@version
+    if (target.startsWith('@')) {
+        const lastAt = target.lastIndexOf('@');
+        // If the only '@' is at position 0, there's no version specifier
+        if (lastAt === 0) {
+            return { name: target, version: undefined, isLocal: false };
+        }
+        // '@scope/name@version' — lastAt points to the version separator
+        const name = target.slice(0, lastAt);
+        const version = target.slice(lastAt + 1);
+        return { name, version, isLocal: false };
+    }
+    // Unscoped package: name or name@version
+    const atIndex = target.indexOf('@');
+    if (atIndex === -1) {
+        return { name: target, version: undefined, isLocal: false };
+    }
+    const name = target.slice(0, atIndex);
+    const version = target.slice(atIndex + 1);
+    return { name, version, isLocal: false };
+}
+/**
+ * Extract a package.json from a local .tgz tarball and build minimal metadata.
+ *
+ * npm tarballs contain files under a `package/` prefix, so the package.json
+ * is at `package/package.json`.
+ */
+async function metadataFromLocalTarball(filePath) {
+    const absPath = resolve(filePath);
+    const chunks = [];
+    let foundPackageJson = false;
+    // We'll manually parse the tar stream to find package/package.json.
+    // tar v7 uses a stream-based API. We read the gzipped tarball and look for
+    // the package.json entry.
+    const { Parser } = await import('tar');
+    const parser = new Parser({
+        filter: (path) => {
+            // npm tarballs have package/package.json
+            return path === 'package/package.json' || path === './package/package.json';
+        },
+        onReadEntry: (entry) => {
+            foundPackageJson = true;
+            entry.on('data', (chunk) => {
+                chunks.push(chunk);
+            });
+        },
+    });
+    const gunzip = createGunzip();
+    const fileStream = createReadStream(absPath);
+    await pipeline(fileStream, gunzip, parser);
+    if (!foundPackageJson || chunks.length === 0) {
+        throw new Error(`No package.json found in tarball: ${filePath}`);
+    }
+    const pkgJson = JSON.parse(Buffer.concat(chunks).toString('utf-8'));
+    // Extract repository URL from package.json repository field
+    let repositoryUrl = '';
+    if (typeof pkgJson.repository === 'string') {
+        repositoryUrl = pkgJson.repository;
+    }
+    else if (pkgJson.repository?.url) {
+        repositoryUrl = pkgJson.repository.url
+            .replace(/^git\+/, '')
+            .replace(/\.git$/, '');
+    }
+    // Extract license
+    let license = '';
+    if (typeof pkgJson.license === 'string') {
+        license = pkgJson.license;
+    }
+    else if (pkgJson.license?.type) {
+        license = pkgJson.license.type;
+    }
+    return {
+        name: pkgJson.name || 'unknown',
+        version: pkgJson.version || '0.0.0',
+        description: pkgJson.description || '',
+        license,
+        publisher: pkgJson.author
+            ? typeof pkgJson.author === 'string'
+                ? pkgJson.author
+                : pkgJson.author.name || ''
+            : '',
+        publishedAt: '',
+        tarballUrl: `file://${absPath}`,
+        repositoryUrl,
+        homepage: pkgJson.homepage || '',
+        fileCount: 0,
+        unpackedSize: 0,
+        dependencies: pkgJson.dependencies || {},
+        optionalDependencies: pkgJson.optionalDependencies || {},
+        scripts: pkgJson.scripts || {},
+        maintainers: pkgJson.maintainers || [],
+    };
+}
+/**
+ * Fetch full package metadata from the npm registry.
+ *
+ * @param target - Package specifier: `name`, `name@version`, or a local tarball path.
+ * @returns Resolved package metadata.
+ * @throws If the package is not found or the registry request fails.
+ */
+export async function fetchPackageMetadata(target) {
+    const { name, version, isLocal } = parseTarget(target);
+    // Handle local tarballs
+    if (isLocal) {
+        return metadataFromLocalTarball(name);
+    }
+    // Fetch the full packument from the registry.
+    // Scoped packages need the scope URL-encoded (@ -> %40, / -> %2f),
+    // but npm registry also accepts the raw form for scoped packages.
+    const url = `${NPM_REGISTRY}/${encodeURIComponent(name).replace('%40', '@')}`;
+    const response = await fetch(url, {
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+    if (!response.ok) {
+        if (response.status === 404) {
+            throw new Error(`Package not found: ${name}`);
+        }
+        throw new Error(`npm registry error: ${response.status} ${response.statusText} for ${name}`);
+    }
+    const packument = (await response.json());
+    // Resolve the version
+    const distTags = packument['dist-tags'];
+    const resolvedVersion = version || distTags?.latest;
+    if (!resolvedVersion) {
+        throw new Error(`Cannot determine version for ${name}: no dist-tags.latest found`);
+    }
+    const versions = packument.versions;
+    if (!versions) {
+        throw new Error(`No versions found in packument for ${name}`);
+    }
+    const manifest = versions[resolvedVersion];
+    if (!manifest) {
+        const available = Object.keys(versions).slice(-5).join(', ');
+        throw new Error(`Version ${resolvedVersion} not found for ${name}. Recent versions: ${available}`);
+    }
+    // Extract dist info
+    const dist = manifest.dist;
+    const tarballUrl = dist?.tarball || '';
+    const fileCount = dist?.fileCount || 0;
+    const unpackedSize = dist?.unpackedSize || 0;
+    // Extract repository URL
+    let repositoryUrl = '';
+    const repo = manifest.repository;
+    if (typeof repo === 'string') {
+        repositoryUrl = repo;
+    }
+    else if (repo && typeof repo === 'object') {
+        const repoObj = repo;
+        const rawUrl = repoObj.url || '';
+        repositoryUrl = rawUrl
+            .replace(/^git\+/, '')
+            .replace(/\.git$/, '');
+    }
+    // Extract license
+    let license = '';
+    const lic = manifest.license;
+    if (typeof lic === 'string') {
+        license = lic;
+    }
+    else if (lic && typeof lic === 'object') {
+        license = lic.type || '';
+    }
+    // Extract publisher info
+    let publisher = '';
+    const npmUser = manifest._npmUser;
+    if (npmUser?.name) {
+        publisher = npmUser.name;
+    }
+    // Extract publish date from the time field
+    const timeMap = packument.time;
+    const publishedAt = timeMap?.[resolvedVersion] || '';
+    // Extract maintainers — fall back to packument-level maintainers
+    const maintainers = manifest.maintainers ||
+        packument.maintainers ||
+        [];
+    return {
+        name: manifest.name || name,
+        version: manifest.version || resolvedVersion,
+        description: manifest.description || '',
+        license,
+        publisher,
+        publishedAt,
+        tarballUrl,
+        repositoryUrl,
+        homepage: manifest.homepage || '',
+        fileCount,
+        unpackedSize,
+        dependencies: manifest.dependencies || {},
+        optionalDependencies: manifest.optionalDependencies || {},
+        scripts: manifest.scripts || {},
+        maintainers,
+    };
+}
+//# sourceMappingURL=registry.js.map

package/dist/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAIhD,MAAM,YAAY,GAAG,4BAA4B,CAAC;AAElD;;;;;;;;GAQG;AACH,SAAS,WAAW,CAAC,MAAc;IACjC,0BAA0B;IAC1B,IACE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;QACvB,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;QACtB,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC;QACxB,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QACvB,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAC1B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,iEAAiE;QACjE,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;YACjB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC9D,CAAC;QACD,iEAAiE;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC3C,CAAC;IAED,yCAAyC;IACzC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,OAAO,KAAK,CAAC,CAAC,EAAE,CAAC;QACnB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC9D,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IAC1C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,wBAAwB,CAAC,QAAgB;IACtD,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,gBAAgB,GAAG,KAAK,CAAC;IAE7B,oEAAoE;IACpE,2EAA2E;IAC3E,0BAA0B;IAC1B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC;QACxB,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvB,yCAAyC;YACzC,OAAO,IAAI,KAAK,sBAAsB,IAAI,IAAI,KAAK,wBAAwB,CAAC;QAC9E,CAAC;QACD,WAAW,EAAE,CAAC,KAAK,EAAE,EAAE;YACrB,gBAAgB,GAAG,IAAI,CAAC;YACxB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACjC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAE7C,MAAM,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAE3C,IAAI,CAAC,gBAAgB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpE,4DAA4D;IAC5D,IAAI,aAAa,GAAG,EAAE,CAAC;IACvB,IAAI,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC3C,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC;IACrC,CAAC;SAAM,IAAI,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC;QACnC,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG;aACnC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;aACrB,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAC3B,CAAC;IAED,kBAAkB;IAClB,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAC5B,CAAC;SAAM,IAAI,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;QACjC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;IACjC,CAAC;IAED,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,SAAS;QAC/B,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO;QACnC,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE;QACtC,OAAO;QACP,SAAS,EAAE,OAAO,CAAC,MAAM;YACvB,CAAC,CAAC,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ;gBAClC,CAAC,CAAC,OAAO,CAAC,MAAM;gBAChB,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE;YAC7B,CAAC,CAAC,EAAE;QACN,WAAW,EAAE,EAAE;QACf,UAAU,EAAE,UAAU,OAAO,EAAE;QAC/B,aAAa;QACb,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;QAChC,SAAS,EAAE,CAAC;QACZ,YAAY,EAAE,CAAC;QACf,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,EAAE;QACxC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB,IAAI,EAAE;QACxD,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,EAAE;QAC9B,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE;KACvC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,MAAc;IACvD,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAEvD,wBAAwB;IACxB,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED,8CAA8C;IAC9C,mEAAmE;IACnE,kEAAkE;IAClE,MAAM,GAAG,GAAG,GAAG,YAAY,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;SAC3B;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,QAAQ,IAAI,EAAE,CAC5E,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAErE,sBAAsB;IACtB,MAAM,QAAQ,GAAG,SAAS,CAAC,WAAW,CAAuC,CAAC;IAC9E,MAAM,eAAe,GAAG,OAAO,IAAI,QAAQ,EAAE,MAAM,CAAC;IAEpD,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,6BAA6B,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,QAA+D,CAAC;IAC3F,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,sCAAsC,IAAI,EAAE,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,eAAe,CAAC,CAAC;IAC3C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,WAAW,eAAe,kBAAkB,IAAI,sBAAsB,SAAS,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,MAAM,IAAI,GAAG,QAAQ,CAAC,IAA2C,CAAC;IAClE,MAAM,UAAU,GAAI,IAAI,EAAE,OAAkB,IAAI,EAAE,CAAC;IACnD,MAAM,SAAS,GAAI,IAAI,EAAE,SAAoB,IAAI,CAAC,CAAC;IACnD,MAAM,YAAY,GAAI,IAAI,EAAE,YAAuB,IAAI,CAAC,CAAC;IAEzD,yBAAyB;IACzB,IAAI,aAAa,GAAG,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC;IACjC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,aAAa,GAAG,IAAI,CAAC;IACvB,CAAC;SAAM,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,IAA+B,CAAC;QAChD,MAAM,MAAM,GAAI,OAAO,CAAC,GAAc,IAAI,EAAE,CAAC;QAC7C,aAAa,GAAG,MAAM;aACnB,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;aACrB,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAC3B,CAAC;IAED,kBAAkB;IAClB,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,GAAG,CAAC;IAChB,CAAC;SAAM,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC1C,OAAO,GAAI,GAA+B,CAAC,IAAc,IAAI,EAAE,CAAC;IAClE,CAAC;IAED,yBAAyB;IACzB,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,MAAM,OAAO,GAAG,QAAQ,CAAC,QAA8C,CAAC;IACxE,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;QAClB,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED,2CAA2C;IAC3C,MAAM,OAAO,GAAG,SAAS,CAAC,IAA0C,CAAC;IACrE,MAAM,WAAW,GAAG,OAAO,EAAE,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;IAErD,iEAAiE;IACjE,MAAM,WAAW,GACd,QAAQ,CAAC,WAAuD;QAChE,SAAS,CAAC,WAAuD;QAClE,EAAE,CAAC;IAEL,OAAO;QACL,IAAI,EAAG,QAAQ,CAAC,IAAe,IAAI,IAAI;QACvC,OAAO,EAAG,QAAQ,CAAC,OAAkB,IAAI,eAAe;QACxD,WAAW,EAAG,QAAQ,CAAC,WAAsB,IAAI,EAAE;QACnD,OAAO;QACP,SAAS;QACT,WAAW;QACX,UAAU;QACV,aAAa;QACb,QAAQ,EAAG,QAAQ,CAAC,QAAmB,IAAI,EAAE;QAC7C,SAAS;QACT,YAAY;QACZ,YAAY,EAAG,QAAQ,CAAC,YAAuC,IAAI,EAAE;QACrE,oBAAoB,EAAG,QAAQ,CAAC,oBAA+C,IAAI,EAAE;QACrF,OAAO,EAAG,QAAQ,CAAC,OAAkC,IAAI,EAAE;QAC3D,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/dist/reporter.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Output formatting for npx-ray scan results.
+ *
+ * Provides both human-readable (chalk-colored) and machine-readable (JSON)
+ * output formats for scan reports.
+ */
+import type { ScanReport } from './types.js';
+/**
+ * Generate a human-readable, chalk-colored report.
+ *
+ * @param report  - The complete scan report.
+ * @param verbose - Whether to show individual findings.
+ * @returns Formatted string ready for console output.
+ */
+export declare function reportPretty(report: ScanReport, verbose: boolean): string;
+/**
+ * Generate a machine-readable JSON report.
+ *
+ * @param report - The complete scan report.
+ * @returns Pretty-printed JSON string.
+ */
+export declare function reportJson(report: ScanReport): string;
+//# sourceMappingURL=reporter.d.ts.map

package/dist/reporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.d.ts","sourceRoot":"","sources":["../src/reporter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,UAAU,EAA0B,MAAM,YAAY,CAAC;AAqGrE;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,GAAG,MAAM,CAmGzE;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAErD"}

package/dist/reporter.js

@@ -0,0 +1,208 @@
+/**
+ * Output formatting for npx-ray scan results.
+ *
+ * Provides both human-readable (chalk-colored) and machine-readable (JSON)
+ * output formats for scan reports.
+ */
+import chalk from 'chalk';
+/** Format bytes into a human-readable string. */
+function formatBytes(bytes) {
+    if (bytes === 0)
+        return '0 B';
+    const units = ['B', 'KB', 'MB', 'GB'];
+    const i = Math.floor(Math.log(bytes) / Math.log(1024));
+    const value = bytes / Math.pow(1024, i);
+    return `${value.toFixed(i === 0 ? 0 : 1)} ${units[i]}`;
+}
+/** Format milliseconds into a human-readable duration. */
+function formatDuration(ms) {
+    if (ms < 1000)
+        return `${ms}ms`;
+    const seconds = (ms / 1000).toFixed(1);
+    return `${seconds}s`;
+}
+/** Get the status icon for a scanner result. */
+function statusIcon(result) {
+    const hasCritical = result.findings.some(f => f.severity === 'critical');
+    const hasWarning = result.findings.some(f => f.severity === 'warning');
+    if (hasCritical)
+        return chalk.red('\u274c');
+    if (hasWarning)
+        return chalk.yellow('\u26a0\ufe0f');
+    return chalk.green('\u2705');
+}
+/** Get the colored label for a severity level. */
+function severityLabel(severity) {
+    switch (severity) {
+        case 'critical':
+            return chalk.red.bold('CRITICAL');
+        case 'warning':
+            return chalk.yellow('WARNING');
+        case 'info':
+            return chalk.blue('INFO');
+    }
+}
+/** Color a score based on its grade. */
+function colorScore(score, grade) {
+    const label = `${score}/100 (${grade})`;
+    switch (grade) {
+        case 'A':
+        case 'B':
+            return chalk.green.bold(label);
+        case 'C':
+            return chalk.yellow.bold(label);
+        case 'D':
+        case 'F':
+            return chalk.red.bold(label);
+        default:
+            return label;
+    }
+}
+/** Color a verdict string based on its prefix. */
+function colorVerdict(verdict) {
+    if (verdict.startsWith('CLEAN'))
+        return chalk.green.bold(verdict);
+    if (verdict.startsWith('CAUTION'))
+        return chalk.yellow.bold(verdict);
+    if (verdict.startsWith('DANGER'))
+        return chalk.red.bold(verdict);
+    return chalk.bold(verdict);
+}
+/** Capitalize the first letter of a scanner name for display. */
+function scannerDisplayName(name) {
+    return name.charAt(0).toUpperCase() + name.slice(1);
+}
+/**
+ * Render a finding as a single line for verbose output.
+ */
+function renderFinding(finding) {
+    const location = finding.file
+        ? finding.line
+            ? chalk.dim(` ${finding.file}:${finding.line}`)
+            : chalk.dim(` ${finding.file}`)
+        : '';
+    return `    ${severityLabel(finding.severity)} ${finding.message}${location}`;
+}
+/**
+ * Render a scanner section in the pretty report.
+ */
+function renderScannerSection(result, verbose) {
+    const lines = [];
+    const icon = statusIcon(result);
+    const name = scannerDisplayName(result.name);
+    lines.push(`  ${icon} ${chalk.bold(name)}: ${result.summary}`);
+    if (verbose && result.findings.length > 0) {
+        for (const finding of result.findings) {
+            lines.push(renderFinding(finding));
+        }
+    }
+    return lines.join('\n');
+}
+/**
+ * Generate a human-readable, chalk-colored report.
+ *
+ * @param report  - The complete scan report.
+ * @param verbose - Whether to show individual findings.
+ * @returns Formatted string ready for console output.
+ */
+export function reportPretty(report, verbose) {
+    const lines = [];
+    // Header
+    lines.push('');
+    lines.push(chalk.cyan.bold('npx-ray v1.0.0 \u2014 X-ray vision for npm packages'));
+    lines.push(chalk.dim('\u2500'.repeat(55)));
+    // Package info block
+    const pkg = report.package;
+    lines.push('');
+    lines.push(chalk.bold('Package: ') + `${pkg.name}@${pkg.version}`);
+    lines.push(chalk.bold('Publisher: ') + (pkg.publisher || chalk.dim('unknown')));
+    lines.push(chalk.bold('Published: ') + (pkg.publishedAt || chalk.dim('unknown')));
+    lines.push(chalk.bold('License: ') + (pkg.license || chalk.dim('none')));
+    lines.push(chalk.bold('Files: ') + pkg.fileCount.toString());
+    lines.push(chalk.bold('Size: ') + formatBytes(pkg.unpackedSize));
+    // Risk score
+    lines.push('');
+    lines.push(chalk.dim('\u2500'.repeat(55)));
+    lines.push(`  Risk Score: ${colorScore(report.score, report.grade)}`);
+    lines.push(chalk.dim('\u2500'.repeat(55)));
+    // Scanner sections
+    lines.push('');
+    lines.push(chalk.bold.underline('Scan Results'));
+    lines.push('');
+    for (const result of report.scanners) {
+        lines.push(renderScannerSection(result, verbose));
+    }
+    // GitHub section
+    if (report.github) {
+        lines.push('');
+        lines.push(chalk.bold.underline('GitHub'));
+        lines.push('');
+        const gh = report.github;
+        if (!gh.found) {
+            lines.push(`  ${chalk.yellow('\u26a0\ufe0f')} No GitHub repository found`);
+        }
+        else {
+            const repoIcon = gh.archived ? chalk.yellow('\u26a0\ufe0f') : chalk.green('\u2705');
+            lines.push(`  ${repoIcon} ${chalk.bold('Repository:')} ${gh.fullName}`);
+            lines.push(`    Stars: ${gh.stars} | Forks: ${gh.forks} | Open Issues: ${gh.openIssues}`);
+            lines.push(`    Created: ${gh.createdAt} | Last Push: ${gh.lastPush}`);
+            if (gh.archived) {
+                lines.push(`    ${chalk.yellow('Repository is archived')}`);
+            }
+            if (!gh.publisherMatchesOwner) {
+                lines.push(`    ${chalk.yellow('npm publisher does not match GitHub owner')}`);
+            }
+        }
+    }
+    // Diff section
+    if (report.diff) {
+        lines.push('');
+        lines.push(chalk.bold.underline('Source Diff'));
+        lines.push('');
+        const diff = report.diff;
+        if (!diff.performed) {
+            lines.push(`  ${chalk.dim('\u2014')} Diff not performed${diff.error ? `: ${diff.error}` : ''}`);
+        }
+        else if (diff.unexpectedFiles.length === 0 && diff.modifiedFiles.length === 0) {
+            lines.push(`  ${chalk.green('\u2705')} Source matches published package`);
+        }
+        else {
+            if (diff.unexpectedFiles.length > 0) {
+                lines.push(`  ${chalk.red('\u274c')} ${diff.unexpectedFiles.length} unexpected file(s) in npm package:`);
+                if (verbose) {
+                    for (const file of diff.unexpectedFiles) {
+                        lines.push(`    ${chalk.red('\u2022')} ${file}`);
+                    }
+                }
+            }
+            if (diff.modifiedFiles.length > 0) {
+                lines.push(`  ${chalk.yellow('\u26a0\ufe0f')} ${diff.modifiedFiles.length} modified file(s):`);
+                if (verbose) {
+                    for (const file of diff.modifiedFiles) {
+                        lines.push(`    ${chalk.yellow('\u2022')} ${file}`);
+                    }
+                }
+            }
+        }
+    }
+    // Final verdict
+    lines.push('');
+    lines.push(chalk.dim('\u2500'.repeat(55)));
+    lines.push(`  Verdict: ${colorVerdict(report.verdict)}`);
+    lines.push(chalk.dim('\u2500'.repeat(55)));
+    // Duration
+    lines.push('');
+    lines.push(chalk.dim(`Scan completed in ${formatDuration(report.duration)}`));
+    lines.push('');
+    return lines.join('\n');
+}
+/**
+ * Generate a machine-readable JSON report.
+ *
+ * @param report - The complete scan report.
+ * @returns Pretty-printed JSON string.
+ */
+export function reportJson(report) {
+    return JSON.stringify(report, null, 2);
+}
+//# sourceMappingURL=reporter.js.map

package/dist/reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.js","sourceRoot":"","sources":["../src/reporter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,iDAAiD;AACjD,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9B,MAAM,KAAK,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACxC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,0DAA0D;AAC1D,SAAS,cAAc,CAAC,EAAU;IAChC,IAAI,EAAE,GAAG,IAAI;QAAE,OAAO,GAAG,EAAE,IAAI,CAAC;IAChC,MAAM,OAAO,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACvC,OAAO,GAAG,OAAO,GAAG,CAAC;AACvB,CAAC;AAED,gDAAgD;AAChD,SAAS,UAAU,CAAC,MAAqB;IACvC,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IACzE,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEvE,IAAI,WAAW;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,UAAU;QAAE,OAAO,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACpD,OAAO,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,kDAAkD;AAClD,SAAS,aAAa,CAAC,QAA6B;IAClD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpC,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjC,KAAK,MAAM;YACT,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,wCAAwC;AACxC,SAAS,UAAU,CAAC,KAAa,EAAE,KAAa;IAC9C,MAAM,KAAK,GAAG,GAAG,KAAK,SAAS,KAAK,GAAG,CAAC;IACxC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,GAAG,CAAC;QACT,KAAK,GAAG;YACN,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,KAAK,GAAG;YACN,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClC,KAAK,GAAG,CAAC;QACT,KAAK,GAAG;YACN,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC/B;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,kDAAkD;AAClD,SAAS,YAAY,CAAC,OAAe;IACnC,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACrE,IAAI,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACjE,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED,iEAAiE;AACjE,SAAS,kBAAkB,CAAC,IAAY;IACtC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,OAAgB;IACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI;QAC3B,CAAC,CAAC,OAAO,CAAC,IAAI;YACZ,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YAC/C,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC,CAAC,EAAE,CAAC;IACP,OAAO,OAAO,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,OAAO,GAAG,QAAQ,EAAE,CAAC;AAChF,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,MAAqB,EAAE,OAAgB;IACnE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAE7C,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAE/D,IAAI,OAAO,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,MAAkB,EAAE,OAAgB;IAC/D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,SAAS;IACT,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC,CAAC;IACnF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3C,qBAAqB;IACrB,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,IAAI,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAChF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,IAAI,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACzE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC7D,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;IAEjE,aAAa;IACb,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,iBAAiB,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACtE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3C,mBAAmB;IACnB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrC,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,iBAAiB;IACjB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC;QACzB,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,6BAA6B,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACpF,KAAK,CAAC,IAAI,CAAC,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxE,KAAK,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC,KAAK,aAAa,EAAE,CAAC,KAAK,mBAAmB,EAAE,CAAC,UAAU,EAAE,CAAC,CAAC;YAC1F,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC,SAAS,iBAAiB,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;YACvE,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,qBAAqB,EAAE,CAAC;gBAC9B,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC,2CAA2C,CAAC,EAAE,CAAC,CAAC;YACjF,CAAC;QACH,CAAC;IACH,CAAC;IAED,eAAe;IACf,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,sBAAsB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClG,CAAC;aAAM,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChF,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,mCAAmC,CAAC,CAAC;QAC5E,CAAC;aAAM,CAAC;YACN,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpC,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,qCAAqC,CAAC,CAAC;gBACzG,IAAI,OAAO,EAAE,CAAC;oBACZ,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;wBACxC,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;oBACnD,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,oBAAoB,CAAC,CAAC;gBAC/F,IAAI,OAAO,EAAE,CAAC;oBACZ,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;wBACtC,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,cAAc,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3C,WAAW;IACX,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/scanners/binaries.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Binary file scanner.
+ *
+ * Detects binary and native addon files that cannot be source-reviewed:
+ * .node, .so, .dll, .dylib, .exe, .bin, .wasm
+ */
+import type { ScannerResult } from '../types.js';
+/**
+ * Scan for binary and native addon files.
+ */
+export declare function scanBinaries(pkgDir: string): Promise<ScannerResult>;
+//# sourceMappingURL=binaries.d.ts.map

package/dist/scanners/binaries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"binaries.d.ts","sourceRoot":"","sources":["../../src/scanners/binaries.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAW,MAAM,aAAa,CAAC;AAe1D;;GAEG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CA4DzE"}

package/dist/scanners/binaries.js

@@ -0,0 +1,80 @@
+/**
+ * Binary file scanner.
+ *
+ * Detects binary and native addon files that cannot be source-reviewed:
+ * .node, .so, .dll, .dylib, .exe, .bin, .wasm
+ */
+import { promises as fs } from 'node:fs';
+import { join, relative, extname } from 'node:path';
+const SCANNER_NAME = 'binaries';
+/** Binary/native addon extensions to flag. */
+const BINARY_EXTENSIONS = new Set([
+    '.node',
+    '.so',
+    '.dll',
+    '.dylib',
+    '.exe',
+    '.bin',
+    '.wasm',
+]);
+/**
+ * Scan for binary and native addon files.
+ */
+export async function scanBinaries(pkgDir) {
+    const findings = [];
+    let entries;
+    try {
+        entries = await fs.readdir(pkgDir, { withFileTypes: true, recursive: true });
+    }
+    catch {
+        return {
+            name: SCANNER_NAME,
+            passed: true,
+            findings: [],
+            summary: 'Unable to read package directory',
+        };
+    }
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        const ext = extname(entry.name).toLowerCase();
+        if (!BINARY_EXTENSIONS.has(ext))
+            continue;
+        const parentPath = entry.parentPath ?? entry.path ?? pkgDir;
+        const fullPath = join(parentPath, entry.name);
+        const relPath = relative(pkgDir, fullPath);
+        // Skip node_modules
+        if (relPath.includes('node_modules'))
+            continue;
+        findings.push({
+            scanner: SCANNER_NAME,
+            severity: 'warning',
+            message: `Binary file found: ${ext} (cannot be source-reviewed)`,
+            file: relPath,
+            evidence: entry.name,
+        });
+    }
+    const passed = findings.length === 0;
+    let summary;
+    if (findings.length === 0) {
+        summary = 'No binary files found';
+    }
+    else {
+        const extCounts = new Map();
+        for (const f of findings) {
+            const ext = extname(f.file || '').toLowerCase();
+            extCounts.set(ext, (extCounts.get(ext) || 0) + 1);
+        }
+        const extSummary = [...extCounts.entries()]
+            .map(([ext, count]) => `${count} ${ext}`)
+            .join(', ');
+        summary = `${findings.length} binary file(s): ${extSummary}`;
+    }
+    return {
+        name: SCANNER_NAME,
+        passed,
+        findings,
+        summary,
+    };
+}
+//# sourceMappingURL=binaries.js.map

package/dist/scanners/binaries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"binaries.js","sourceRoot":"","sources":["../../src/scanners/binaries.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpD,MAAM,YAAY,GAAG,UAAU,CAAC;AAEhC,8CAA8C;AAC9C,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,OAAO;IACP,KAAK;IACL,MAAM;IACN,QAAQ;IACR,MAAM;IACN,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAc;IAC/C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,IAAI,OAAmC,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAA0C,CAAC;IACxH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,EAAE;YACZ,OAAO,EAAE,kCAAkC;SAC5C,CAAC;IACJ,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAE9B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9C,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAE1C,MAAM,UAAU,GAAI,KAAa,CAAC,UAAU,IAAK,KAAa,CAAC,IAAI,IAAI,MAAM,CAAC;QAC9E,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAE3C,oBAAoB;QACpB,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAAE,SAAS;QAE/C,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,YAAY;YACrB,QAAQ,EAAE,SAAS;YACnB,OAAO,EAAE,sBAAsB,GAAG,8BAA8B;YAChE,IAAI,EAAE,OAAO;YACb,QAAQ,EAAE,KAAK,CAAC,IAAI;SACrB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC;IAErC,IAAI,OAAe,CAAC;IACpB,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,GAAG,uBAAuB,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC5C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAChD,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;aACxC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC;aACxC,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,OAAO,GAAG,GAAG,QAAQ,CAAC,MAAM,oBAAoB,UAAU,EAAE,CAAC;IAC/D,CAAC;IAED,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,MAAM;QACN,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/scanners/dependencies.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Dependency analysis scanner.
+ *
+ * Analyzes package.json dependencies for:
+ * - Dependency count (bloat detection)
+ * - Git URL dependencies (not pinned to registry)
+ * - Wildcard/unpinned version ranges
+ */
+import type { ScannerResult } from '../types.js';
+/**
+ * Scan package.json dependencies.
+ */
+export declare function scanDependencies(pkgDir: string): Promise<ScannerResult>;
+//# sourceMappingURL=dependencies.d.ts.map

package/dist/scanners/dependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../src/scanners/dependencies.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAW,MAAM,aAAa,CAAC;AAkB1D;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CA4F7E"}