opmsec 0.1.0 → 0.1.3

package/packages/cli/src/components/AgentScores.tsx

@@ -17,13 +17,27 @@ export function AgentScores({ agents }: AgentScoresProps) {
         const level = classifyRisk(agent.result.risk_score);
         const color = RISK_COLORS[level];
         const connector = i === agents.length - 1 ? '└──' : '├──';
+        const intel = agent.model_intelligence || 0;
+        const coding = agent.model_coding || 0;
+        const weight = agent.model_weight || 0;
         return (
-          <Box key={agent.agent_id}>
-            <Text color="gray">{connector} </Text>
-            <Text color="cyan">{agent.agent_id}</Text>
-            <Text color="gray"> ({agent.model}): </Text>
-            <Text color={color} bold>{agent.result.risk_score}/100</Text>
-            <Text color="gray"> - {agent.result.recommendation}</Text>
+          <Box key={agent.agent_id} flexDirection="column">
+            <Box>
+              <Text color="gray">{connector} </Text>
+              <Text color="cyan">{agent.agent_id}</Text>
+              <Text color="gray"> ({agent.model}) </Text>
+              <Text color={color} bold>{agent.result.risk_score}/100</Text>
+              <Text color="gray"> {agent.result.recommendation}</Text>
+            </Box>
+            {(intel > 0 || coding > 0) && (
+              <Box marginLeft={4}>
+                <Text color="magenta">AI: {intel}</Text>
+                <Text color="gray"> | </Text>
+                <Text color="blue">Code: {coding}</Text>
+                <Text color="gray"> | </Text>
+                <Text color="cyan">W: {weight}</Text>
+              </Box>
+            )}
           </Box>
         );
       })}

package/packages/cli/src/components/Hyperlink.tsx

@@ -0,0 +1,30 @@
+import React from 'react';
+import { Text } from 'ink';
+
+interface HyperlinkProps {
+  url: string;
+  label?: string;
+  color?: string;
+}
+
+export function Hyperlink({ url, label, color = 'cyan' }: HyperlinkProps) {
+  const display = label || shortenUrl(url);
+  const ansi = `\x1b]8;;${url}\x07${display}\x1b]8;;\x07`;
+  return <Text color={color as any}>{ansi}</Text>;
+}
+
+function shortenUrl(url: string): string {
+  try {
+    const u = new URL(url);
+    const pathParts = u.pathname.split('/').filter(Boolean);
+    const hash = u.hash;
+    if (pathParts.length >= 2) {
+      const id = pathParts[pathParts.length - 1];
+      const shortHash = hash.length > 20 ? hash.slice(0, 20) + '...' : hash;
+      return `${u.host}/.../${id}${shortHash}`;
+    }
+    return url.length > 60 ? url.slice(0, 57) + '...' : url;
+  } catch {
+    return url;
+  }
+}

package/packages/cli/src/components/ScanReport.tsx

@@ -1,6 +1,7 @@
 import React from 'react';
 import { Box, Text } from 'ink';
 import type { ScanReport as ScanReportType } from '@opm/core';
+import { Hyperlink } from './Hyperlink';
 
 interface ScanReportProps {
   report?: ScanReportType | null;
@@ -21,10 +22,10 @@ export function ScanReport({ report, reportURI }: ScanReportProps) {
   return (
     <Box flexDirection="column" marginLeft={2}>
       <Text bold color="white"> Scan Report</Text>
-      {reportURI && (
+      {reportURI && !reportURI.startsWith('local://') && (
         <Box>
           <Text color="gray">  Link: </Text>
-          <Text color="blue" underline>{reportURI}</Text>
+          <Hyperlink url={reportURI} />
         </Box>
       )}
       {report && (

package/packages/cli/src/index.tsx

@@ -6,7 +6,10 @@ import { InstallCommand } from './commands/install';
 import { AuditCommand } from './commands/audit';
 import { InfoCommand } from './commands/info';
 import { AuthorViewCommand } from './commands/author-view';
+import { CheckCommand } from './commands/check';
+import { FixCommand } from './commands/fix';
 import { PassthroughCommand } from './commands/passthrough';
+import { RegisterAgentCommand } from './commands/register-agent';
 import { Header } from './components/Header';
 
 const args = process.argv.slice(2);
@@ -56,11 +59,38 @@ function App() {
       if (!name) return <Help />;
       return <InfoCommand packageName={name} version={version} />;
     }
+    case 'check':
+      return <CheckCommand />;
+    case 'fix':
+      return <FixCommand />;
     case 'whois': {
       if (!rest[0]) return <Help />;
       const ensArg = rest[0].endsWith('.eth') ? rest[0] : `${rest[0]}.eth`;
       return <AuthorViewCommand ensName={ensArg} />;
     }
+    case 'register-agent': {
+      const nameIdx = rest.findIndex((a) => a === '--name');
+      const modelIdx = rest.findIndex((a) => a === '--model');
+      const promptIdx = rest.findIndex((a) => a === '--system-prompt');
+      const agentName = nameIdx >= 0 ? rest[nameIdx + 1] : undefined;
+      const agentModel = modelIdx >= 0 ? rest[modelIdx + 1] : undefined;
+      const systemPrompt = promptIdx >= 0 ? rest[promptIdx + 1] : undefined;
+      if (!agentName || !agentModel) {
+        return (
+          <Box flexDirection="column">
+            <Header />
+            <Text color="red">Usage: opm register-agent --name {'<name>'} --model {'<model>'} [--system-prompt {'<prompt>'}]</Text>
+            <Text color="gray">  --name          Agent identifier (e.g. my-security-agent)</Text>
+            <Text color="gray">  --model         LLM model to use (e.g. anthropic/claude-sonnet-4-20250514)</Text>
+            <Text color="gray">  --system-prompt Custom system prompt (defaults to OPM security auditor prompt)</Text>
+            <Text> </Text>
+            <Text color="gray">The agent will be benchmarked against 10 labeled security test cases.</Text>
+            <Text color="gray">A ZK proof of 100% accuracy is required for registration.</Text>
+          </Box>
+        );
+      }
+      return <RegisterAgentCommand agentName={agentName} model={agentModel} systemPrompt={systemPrompt} />;
+    }
     default:
       if (command && PASSTHROUGH.has(command)) {
         return <PassthroughCommand command={command} args={rest} />;
@@ -77,11 +107,19 @@ function Help() {
         <Text color="cyan" bold>Security commands:</Text>
         <Text>  opm push [--token t] [--otp c]  Sign, scan, publish, register</Text>
         <Text>  opm install [pkg]       Install with on-chain security verification</Text>
+        <Text>  opm check               Scan all deps: typosquats, CVEs, AI analysis</Text>
+        <Text>  opm fix                 Auto-fix typosquats and vulnerable versions</Text>
         <Text>  opm audit               Scan all deps against on-chain security data</Text>
         <Text>  opm info {'<pkg>'}            Show on-chain security info for a package</Text>
         <Text>  opm view {'<name.eth>'}      Show author profile, packages, and risk scores</Text>
         <Text>  opm whois {'<name>'}          Look up an ENS identity on OPM</Text>
         <Text> </Text>
+        <Text color="cyan" bold>Agent commands:</Text>
+        <Text>  opm register-agent          Register a new security agent (ZK-verified)</Text>
+        <Text>    --name {'<name>'}             Agent identifier</Text>
+        <Text>    --model {'<model>'}           LLM model (e.g. anthropic/claude-sonnet-4-20250514)</Text>
+        <Text>    --system-prompt {'<p>'}       Custom system prompt (optional)</Text>
+        <Text> </Text>
         <Text color="cyan" bold>Standard commands (npm passthrough):</Text>
         <Text>  opm init                Initialize a new package</Text>
         <Text>  opm run {'<script>'}         Run a package script</Text>
@@ -98,11 +136,9 @@ function Help() {
         <Text color="gray">Aliases:  i/add → install, rm → uninstall, ls → list</Text>
         <Text color="gray">          view name.eth → author profile, view pkg → info</Text>
         <Text> </Text>
-        <Text color="cyan" bold>Environment:</Text>
-        <Text>  OPM_PRIVATE_KEY        Author signing key</Text>
-        <Text>  CONTRACT_ADDRESS       OPMRegistry contract on Base Sepolia</Text>
-        <Text>  OPENAI_API_KEY         For AI security scanning</Text>
-        <Text>  NPM_TOKEN              npm automation token (alt to --token)</Text>
+        <Text color="cyan" bold>Environment (install/audit/info/view need no config):</Text>
+        <Text>  OPM_SIGNING_KEY        Author signing key (for push only)</Text>
+        <Text>  NPM_TOKEN              npm automation token (for push only)</Text>
       </Box>
     </Box>
   );

package/packages/cli/src/services/avatar.ts

@@ -1,10 +1,47 @@
-import terminalImage from 'terminal-image';
+import { Jimp, intToRGBA } from 'jimp';
 
-export async function renderAvatar(url: string, width = 16): Promise<string | null> {
+const PIXEL = '\u2584';
+
+export async function renderAvatar(url: string, width = 24): Promise<string | null> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 5000);
   try {
-    const res = await fetch(url, { redirect: 'follow' });
+    const res = await fetch(url, { redirect: 'follow', signal: controller.signal });
+    clearTimeout(timeout);
     if (!res.ok) return null;
     const buffer = Buffer.from(await res.arrayBuffer());
-    return await terminalImage.buffer(buffer, { width, preserveAspectRatio: true, preferNativeRender: false });
-  } catch { return null; }
-}
+    return renderImageToAnsi(buffer, width);
+  } catch {
+    clearTimeout(timeout);
+    return null;
+  }
+}
+
+async function renderImageToAnsi(buffer: Buffer, targetWidth: number): Promise<string | null> {
+  const image = await Jimp.fromBuffer(buffer);
+  const { width: origW, height: origH } = image;
+
+  const ratio = origH / origW;
+  const w = targetWidth;
+  const h = Math.max(2, Math.round(w * ratio));
+
+  image.resize({ w, h });
+
+  const lines: string[] = [];
+  for (let y = 0; y < h - 1; y += 2) {
+    let line = '';
+    for (let x = 0; x < w; x++) {
+      const top = intToRGBA(image.getPixelColor(x, y));
+      const bot = intToRGBA(image.getPixelColor(x, y + 1));
+
+      if (top.a === 0) {
+        line += `\x1b[0m\x1b[38;2;${bot.r};${bot.g};${bot.b}m${PIXEL}\x1b[0m`;
+      } else {
+        line += `\x1b[48;2;${top.r};${top.g};${top.b}m\x1b[38;2;${bot.r};${bot.g};${bot.b}m${PIXEL}\x1b[0m`;
+      }
+    }
+    lines.push(line);
+  }
+
+  return lines.join('\n');
+}

package/packages/cli/src/services/chainpatrol.ts

@@ -1,25 +1,28 @@
-import { CHAINPATROL_API_URL, getEnvOrThrow } from '@opm/core';
+import { CHAINPATROL_API_URL } from '@opm/core';
 import type { ChainPatrolResult } from '@opm/core';
 
 export async function checkPackageWithChainPatrol(packageName: string): Promise<ChainPatrolResult> {
-  const apiKey = getEnvOrThrow('CHAINPATROL_API_KEY');
+  const apiKey = process.env.CHAINPATROL_API_KEY;
+  if (!apiKey) return { status: 'UNKNOWN', source: 'skipped' };
 
-  const res = await fetch(`${CHAINPATROL_API_URL}/asset/check`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'X-API-KEY': apiKey,
-    },
-    body: JSON.stringify({ content: `npm:${packageName}` }),
-  });
+  try {
+    const res = await fetch(`${CHAINPATROL_API_URL}/asset/check`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-API-KEY': apiKey,
+      },
+      body: JSON.stringify({ content: `npm:${packageName}` }),
+    });
 
-  if (!res.ok) {
+    if (!res.ok) return { status: 'UNKNOWN', source: 'error' };
+
+    const data = await res.json() as { status: string; source: string };
+    return {
+      status: (data.status as ChainPatrolResult['status']) || 'UNKNOWN',
+      source: data.source || 'chainpatrol',
+    };
+  } catch {
     return { status: 'UNKNOWN', source: 'error' };
   }
-
-  const data = await res.json() as { status: string; source: string };
-  return {
-    status: (data.status as ChainPatrolResult['status']) || 'UNKNOWN',
-    source: data.source || 'chainpatrol',
-  };
 }

package/packages/cli/src/services/contract.ts

@@ -1,20 +1,22 @@
 import { ethers } from 'ethers';
-import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC } from '@opm/core';
+import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC, DEFAULT_CONTRACT_ADDRESS } from '@opm/core';
 import type { OnChainPackageInfo, AuthorProfile } from '@opm/core';
 
+function getContractAddress(): string {
+  return getEnvOrDefault('CONTRACT_ADDRESS', DEFAULT_CONTRACT_ADDRESS);
+}
+
 function getReadContract() {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
-  const address = getEnvOrThrow('CONTRACT_ADDRESS');
-  return new ethers.Contract(address, OPM_REGISTRY_ABI, provider);
+  return new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, provider);
 }
 
 function getWriteContract() {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
-  const wallet = new ethers.Wallet(getEnvOrThrow('OPM_PRIVATE_KEY'), provider);
-  const address = getEnvOrThrow('CONTRACT_ADDRESS');
-  return new ethers.Contract(address, OPM_REGISTRY_ABI, wallet);
+  const wallet = new ethers.Wallet(getEnvOrThrow('OPM_SIGNING_KEY', 'OPM_PRIVATE_KEY'), provider);
+  return new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, wallet);
 }
 
 export async function getPackageInfo(name: string, version: string): Promise<OnChainPackageInfo> {
@@ -105,8 +107,7 @@ export interface AuthorPackageSummary {
 export async function getPackagesByAuthor(authorAddress: string): Promise<AuthorPackageSummary[]> {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
-  const contractAddr = getEnvOrThrow('CONTRACT_ADDRESS');
-  const contract = new ethers.Contract(contractAddr, OPM_REGISTRY_ABI, provider);
+  const contract = new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, provider);
 
   const packageMap = new Map<string, { name: string; version: string }>();
 
@@ -154,6 +155,38 @@ export async function getPackagesByAuthor(authorAddress: string): Promise<Author
   return results;
 }
 
+export async function registerAgentOnChain(
+  name: string,
+  model: string,
+  systemPromptHash: string,
+  proofHash: string,
+): Promise<string> {
+  const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
+  const provider = new ethers.JsonRpcProvider(rpc);
+  const wallet = new ethers.Wallet(getEnvOrThrow('AGENT_PRIVATE_KEY'), provider);
+  const contract = new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, wallet);
+
+  const tx = await contract.registerAgent(
+    name,
+    model,
+    ethers.keccak256(ethers.toUtf8Bytes(systemPromptHash)),
+    ethers.keccak256(ethers.toUtf8Bytes(proofHash)),
+  );
+  const receipt = await tx.wait();
+  return receipt.hash;
+}
+
+export async function getRegisteredAgent(agentAddress: string): Promise<any> {
+  const contract = getReadContract();
+  return contract.getRegisteredAgent(agentAddress);
+}
+
+export async function getAgentCount(): Promise<number> {
+  const contract = getReadContract();
+  const count = await contract.getAgentCount();
+  return Number(count);
+}
+
 export async function getPackagesByAuthorDirect(
   authorAddress: string,
   knownPackageNames: string[],

package/packages/cli/src/services/ens.ts

@@ -4,21 +4,19 @@ import { addEnsContracts } from '@ensdomains/ensjs';
 import { getName } from '@ensdomains/ensjs/public';
 import { getRecords } from '@ensdomains/ensjs/public';
 import { getAddressRecord } from '@ensdomains/ensjs/public';
-import { getEnvOrDefault } from '@opm/core';
+import { getEnvOrDefault, ETH_SEPOLIA_RPC, ETH_MAINNET_RPC } from '@opm/core';
 
 function getSepoliaClient() {
-  const rpc = getEnvOrDefault('ETH_SEPOLIA_RPC_URL', 'https://ethereum-sepolia-rpc.publicnode.com');
   return createPublicClient({
     chain: addEnsContracts(sepolia),
-    transport: http(rpc),
+    transport: http(getEnvOrDefault('ETH_SEPOLIA_RPC_URL', ETH_SEPOLIA_RPC)),
   });
 }
 
 function getMainnetClient() {
-  const rpc = getEnvOrDefault('ETH_MAINNET_RPC_URL', 'https://eth.llamarpc.com');
   return createPublicClient({
     chain: addEnsContracts(mainnet),
-    transport: http(rpc),
+    transport: http(getEnvOrDefault('ETH_MAINNET_RPC_URL', ETH_MAINNET_RPC)),
   });
 }
 

package/packages/cli/src/services/fileverse.ts

@@ -1,24 +1,23 @@
 import type { ScanReport } from '@opm/core';
-import { getEnvOrDefault, safeJsonParse } from '@opm/core';
-
-const DEFAULT_API_URL = 'http://localhost:8001';
+import { getEnvOrDefault, safeJsonParse, FILEVERSE_DEFAULT_URL } from '@opm/core';
 
 export async function fetchReportFromFileverse(reportURI: string): Promise<ScanReport | null> {
   if (!reportURI || reportURI.startsWith('local://')) return null;
 
   const apiKey = process.env.FILEVERSE_API_KEY;
-  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', DEFAULT_API_URL);
+  if (!apiKey) return null;
 
+  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', FILEVERSE_DEFAULT_URL);
   const ddocId = extractDdocId(reportURI);
-  if (ddocId && apiKey) {
-    try {
-      const res = await fetch(`${apiUrl}/api/ddocs/${ddocId}?apiKey=${encodeURIComponent(apiKey)}`);
-      if (res.ok) {
-        const doc = await res.json() as { content: string };
-        return safeJsonParse<ScanReport>(doc.content);
-      }
-    } catch { /* local API not running */ }
-  }
+  if (!ddocId) return null;
+
+  try {
+    const res = await fetch(`${apiUrl}/api/ddocs/${ddocId}?apiKey=${encodeURIComponent(apiKey)}`);
+    if (res.ok) {
+      const doc = await res.json() as { content: string };
+      return safeJsonParse<ScanReport>(doc.content);
+    }
+  } catch { /* local API not running */ }
 
   return null;
 }

package/packages/cli/src/services/typosquat.ts

@@ -0,0 +1,166 @@
+const NPM_BULK_DL = 'https://api.npmjs.org/downloads/point/last-week';
+const NPM_SEARCH = 'https://registry.npmjs.org/-/v1/search';
+
+export interface TyposquatResult {
+  suspect: string;
+  likelyTarget: string | null;
+  confidence: 'high' | 'medium' | 'low' | 'none';
+  reason: string;
+  targetDownloads: number;
+  suspectDownloads: number;
+}
+
+export async function detectTyposquatBatch(names: string[]): Promise<TyposquatResult[]> {
+  if (names.length === 0) return [];
+
+  const dlMap = await fetchBulkDownloads(names);
+
+  const searchResults = await Promise.all(
+    names.map((n) => searchSimilar(stripScope(n)).catch(() => [] as SearchHit[])),
+  );
+
+  const candidateNames = new Set<string>();
+  for (const hits of searchResults) {
+    for (const h of hits) candidateNames.add(h.name);
+  }
+  const extraNames = [...candidateNames].filter((n) => !dlMap.has(n));
+  if (extraNames.length > 0) {
+    const extra = await fetchBulkDownloads(extraNames);
+    for (const [k, v] of extra) dlMap.set(k, v);
+  }
+
+  return names.map((name, idx) => {
+    const bare = stripScope(name);
+    const suspectDl = dlMap.get(name) || 0;
+    const hits = searchResults[idx] || [];
+    let best: TyposquatResult = {
+      suspect: name, likelyTarget: null, confidence: 'none',
+      reason: '', targetDownloads: 0, suspectDownloads: suspectDl,
+    };
+
+    for (const h of hits) {
+      if (h.name === name || h.name === bare) continue;
+      const cBare = stripScope(h.name);
+      const d = levenshtein(bare, cBare);
+      if (d === 0 || d > 2) continue;
+      if (d === 2 && bare.length < 5) continue;
+
+      const cDl = dlMap.get(h.name) || 0;
+      const ratio = cDl / Math.max(suspectDl, 1);
+
+      if (d === 1 && ratio >= 100) {
+        return {
+          suspect: name, likelyTarget: h.name, confidence: 'high' as const,
+          reason: `${h.name} has ${fmt(cDl)} weekly downloads vs ${fmt(suspectDl)}`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+      if (d <= 2 && ratio >= 500 && rankHigher(best, 'medium')) {
+        best = {
+          suspect: name, likelyTarget: h.name, confidence: 'medium',
+          reason: `similar to ${h.name} (${fmt(cDl)} weekly downloads)`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+      if (d === 1 && ratio >= 10 && rankHigher(best, 'low')) {
+        best = {
+          suspect: name, likelyTarget: h.name, confidence: 'low',
+          reason: `name close to ${h.name}`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+      if (detectSeparatorTrick(bare, cBare) && ratio >= 50 && rankHigher(best, 'medium')) {
+        best = {
+          suspect: name, likelyTarget: h.name, confidence: 'medium',
+          reason: `separator variation of ${h.name} (${fmt(cDl)} downloads)`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+    }
+    return best;
+  });
+}
+
+interface SearchHit { name: string }
+
+async function searchSimilar(name: string): Promise<SearchHit[]> {
+  const res = await fetch(`${NPM_SEARCH}?text=${encodeURIComponent(name)}&size=10`);
+  if (!res.ok) return [];
+  const data = await res.json() as {
+    objects: Array<{ package: { name: string } }>;
+  };
+  return data.objects.map((o) => ({ name: o.package.name }));
+}
+
+async function fetchBulkDownloads(names: string[]): Promise<Map<string, number>> {
+  const map = new Map<string, number>();
+  const scoped: string[] = [];
+  const unscoped: string[] = [];
+  for (const n of names) (n.startsWith('@') ? scoped : unscoped).push(n);
+
+  if (unscoped.length > 0) {
+    const chunks = chunkArray(unscoped, 128);
+    const fetches = await Promise.allSettled(
+      chunks.map(async (chunk) => {
+        const res = await fetch(`${NPM_BULK_DL}/${chunk.join(',')}`);
+        if (!res.ok) return;
+        const data = await res.json() as Record<string, { downloads: number } | null>;
+        for (const [pkg, info] of Object.entries(data)) {
+          if (info?.downloads) map.set(pkg, info.downloads);
+        }
+      }),
+    );
+  }
+
+  const scopedFetches = await Promise.allSettled(
+    scoped.map(async (n) => {
+      const res = await fetch(`${NPM_BULK_DL}/${encodeURIComponent(n)}`);
+      if (!res.ok) return;
+      const data = await res.json() as { downloads: number };
+      if (data.downloads) map.set(n, data.downloads);
+    }),
+  );
+
+  return map;
+}
+
+function chunkArray<T>(arr: T[], size: number): T[][] {
+  const result: T[][] = [];
+  for (let i = 0; i < arr.length; i += size) result.push(arr.slice(i, i + size));
+  return result;
+}
+
+function stripScope(name: string): string {
+  return name.startsWith('@') ? name.split('/').pop() || name : name;
+}
+
+function levenshtein(a: string, b: string): number {
+  const m = a.length, n = b.length;
+  const dp: number[][] = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1]
+        ? dp[i - 1][j - 1]
+        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+  return dp[m][n];
+}
+
+function detectSeparatorTrick(a: string, b: string): boolean {
+  const norm = (s: string) => s.replace(/[-_.]/g, '');
+  return norm(a) === norm(b) && a !== b;
+}
+
+const RANK = { none: 0, low: 1, medium: 2, high: 3 } as const;
+function rankHigher(current: TyposquatResult, level: TyposquatResult['confidence']): boolean {
+  return RANK[level] > RANK[current.confidence];
+}
+
+function fmt(n: number): string {
+  if (n >= 1_000_000) return `${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1_000) return `${(n / 1_000).toFixed(1)}K`;
+  return String(n);
+}