opmsec 0.1.0 → 0.1.4

package/packages/cli/src/commands/push.tsx

@@ -1,10 +1,11 @@
 import React, { useState, useEffect } from 'react';
 import { Box, Text } from 'ink';
-import { getEnvOrThrow, truncateAddress, classifyRisk } from '@opm/core';
+import { getEnvOrThrow, truncateAddress, classifyRisk, txUrl, contractUrl, addressUrl } from '@opm/core';
 import type { AgentEntry } from '@opm/core';
 import { Header } from '../components/Header';
 import { StatusLine, type Status } from '../components/StatusLine';
 import { RiskBadge } from '../components/RiskBadge';
+import { Hyperlink } from '../components/Hyperlink';
 import { computeChecksum, signChecksumAsync } from '../services/signature';
 import { resolveENSName } from '../services/ens';
 import { registerPackageOnChain } from '../services/contract';
@@ -71,7 +72,7 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
     if (!name || !version) throw new Error('package.json missing name or version');
     setPkgLabel(`${name}@${version}`);
 
-    const privateKey = getEnvOrThrow('OPM_PRIVATE_KEY');
+    const privateKey = getEnvOrThrow('OPM_SIGNING_KEY', 'OPM_PRIVATE_KEY');
 
     updateStep('pack', 'running');
     const tarball = execSync('npm pack --json 2>/dev/null', { encoding: 'utf-8' });
@@ -242,26 +243,44 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
         <Box flexDirection="column" marginTop={1}>
           <Text color="gray">────────────────────────────────────────</Text>
           <Text color="white" bold> Agent Results</Text>
-          {result.agents.map((agent) => (
-            <Box key={agent.agent_id} flexDirection="column" marginLeft={2} marginTop={1}>
-              <Box>
-                <Text color="white" bold>{agent.agent_id}</Text>
-                <Text color="gray"> ({agent.model}) </Text>
-                <Text color={riskColor(agent.result.risk_score)} bold>
-                  {agent.result.risk_score}/100
-                </Text>
-                <Text color="gray"> {agent.result.risk_level}</Text>
-              </Box>
-              <Box marginLeft={2}>
-                <Text color="gray" wrap="wrap">{agent.result.reasoning.slice(0, 200)}</Text>
-              </Box>
-              {agent.result.vulnerabilities.length > 0 && (
+          {result.agents.map((agent) => {
+            const intel = agent.model_intelligence || 0;
+            const coding = agent.model_coding || 0;
+            const weight = agent.model_weight || 0;
+            return (
+              <Box key={agent.agent_id} flexDirection="column" marginLeft={2} marginTop={1}>
+                <Box>
+                  <Text color="white" bold>{agent.agent_id}</Text>
+                  <Text color="gray"> ({agent.model}) </Text>
+                  <Text color={riskColor(agent.result.risk_score)} bold>
+                    {agent.result.risk_score}/100
+                  </Text>
+                  <Text color="gray"> {agent.result.risk_level}</Text>
+                </Box>
                 <Box marginLeft={2}>
-                  <Text color="yellow">{agent.result.vulnerabilities.length} vulnerabilities found</Text>
+                  <Text color="magenta">AI Index: {intel}</Text>
+                  <Text color="gray"> | </Text>
+                  <Text color="blue">Coding: {coding}</Text>
+                  <Text color="gray"> | </Text>
+                  <Text color="cyan">Weight: {weight}</Text>
                 </Box>
-              )}
-            </Box>
-          ))}
+                <Box marginLeft={2}>
+                  <Text color="gray" wrap="wrap">{agent.result.reasoning.slice(0, 200)}</Text>
+                </Box>
+                {agent.result.vulnerabilities.length > 0 && (
+                  <Box marginLeft={2}>
+                    <Text color="yellow">{agent.result.vulnerabilities.length} vulnerabilities found</Text>
+                  </Box>
+                )}
+                {agent.score_tx_hash && (
+                  <Box marginLeft={2}>
+                    <Text color="gray">⛓  </Text>
+                    <Hyperlink url={txUrl(agent.score_tx_hash)} label={`score tx ${agent.score_tx_hash.slice(0, 10)}…`} color="cyan" />
+                  </Box>
+                )}
+              </Box>
+            );
+          })}
         </Box>
       )}
 
@@ -269,7 +288,7 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
         <Box flexDirection="column" marginTop={1}>
           <Text color="gray">────────────────────────────────────────</Text>
           <Box>
-            <Text color="white" bold> Aggregate Risk: </Text>
+            <Text color="white" bold> Aggregate Risk (intelligence-weighted): </Text>
             <RiskBadge level={classifyRisk(result.riskScore)} score={result.riskScore} />
           </Box>
         </Box>
@@ -294,6 +313,18 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
             </Box>
           )}
           <StatusLine label="Register on-chain" status={steps.register} detail={result.txHash?.slice(0, 16)} />
+          {result.txHash && (
+            <Box flexDirection="column" marginLeft={4}>
+              <Box>
+                <Text color="gray">⛓  </Text>
+                <Hyperlink url={txUrl(result.txHash)} label={`tx ${result.txHash.slice(0, 10)}…`} color="green" />
+              </Box>
+              <Box>
+                <Text color="gray">📋 </Text>
+                <Hyperlink url={contractUrl()} label="OPM Registry Contract" color="cyan" />
+              </Box>
+            </Box>
+          )}
         </>
       )}
 
@@ -309,7 +340,7 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
           </Box>
           {!result.reportURI.startsWith('local://') && (
             <Box marginLeft={2}>
-              <Text color="blue">{result.reportURI}</Text>
+              <Hyperlink url={result.reportURI} />
             </Box>
           )}
         </Box>

package/packages/cli/src/commands/register-agent.tsx

@@ -0,0 +1,227 @@
+import React, { useState, useEffect } from 'react';
+import { Box, Text } from 'ink';
+import { txUrl, contractUrl, addressUrl } from '@opm/core';
+import { Header } from '../components/Header';
+import { StatusLine, type Status } from '../components/StatusLine';
+import { Hyperlink } from '../components/Hyperlink';
+import { registerAgentOnChain } from '../services/contract';
+import { runBenchmarkSuite, type BenchmarkRunResult } from '@opm/scanner';
+
+type StepStatus = Status;
+
+interface Steps {
+  validate: StepStatus;
+  benchmark: StepStatus;
+  zkproof: StepStatus;
+  register: StepStatus;
+}
+
+interface RegisterResult {
+  agentName?: string;
+  model?: string;
+  benchmarkResult?: BenchmarkRunResult;
+  txHash?: string;
+  agentAddress?: string;
+  rejected?: boolean;
+  rejectReason?: string;
+}
+
+interface RegisterAgentCommandProps {
+  agentName: string;
+  model: string;
+  systemPrompt?: string;
+}
+
+export function RegisterAgentCommand({ agentName, model, systemPrompt }: RegisterAgentCommandProps) {
+  const [steps, setSteps] = useState<Steps>({
+    validate: 'pending',
+    benchmark: 'pending',
+    zkproof: 'pending',
+    register: 'pending',
+  });
+  const [result, setResult] = useState<RegisterResult>({});
+  const [error, setError] = useState<string | null>(null);
+  const [logs, setLogs] = useState<string[]>([]);
+
+  const updateStep = (key: keyof Steps, status: StepStatus) =>
+    setSteps((prev) => ({ ...prev, [key]: status }));
+
+  useEffect(() => {
+    runRegistration().catch((err) => setError(String(err)));
+  }, []);
+
+  async function runRegistration() {
+    setResult({ agentName, model });
+
+    updateStep('validate', 'running');
+
+    if (!agentName || agentName.length < 2) {
+      throw new Error('Agent name must be at least 2 characters');
+    }
+    if (!model) {
+      throw new Error('Model identifier is required (e.g. anthropic/claude-sonnet-4-20250514)');
+    }
+
+    if (!process.env.AGENT_PRIVATE_KEY) {
+      throw new Error('AGENT_PRIVATE_KEY required — this wallet becomes the agent identity');
+    }
+    if (!process.env.OPENROUTER_API_KEY && !process.env.OPENAI_API_KEY) {
+      throw new Error('OPENROUTER_API_KEY or OPENAI_API_KEY required to run benchmarks');
+    }
+
+    updateStep('validate', 'done');
+
+    updateStep('benchmark', 'running');
+    const benchResult = await runBenchmarkSuite(
+      { name: agentName, model, systemPrompt },
+      (msg) => setLogs((prev) => [...prev.slice(-12), msg]),
+    );
+    setResult((r) => ({ ...r, benchmarkResult: benchResult }));
+
+    if (!benchResult.zkProof.passed || benchResult.accuracyPct < 100) {
+      updateStep('benchmark', 'error');
+      updateStep('zkproof', 'error');
+      updateStep('register', 'blocked');
+      setResult((r) => ({
+        ...r,
+        rejected: true,
+        rejectReason: `Agent achieved ${benchResult.accuracyPct}% accuracy (100% required). ` +
+          `Failed ${benchResult.failed}/${benchResult.total} benchmark cases.`,
+      }));
+      return;
+    }
+    updateStep('benchmark', 'done');
+
+    updateStep('zkproof', 'running');
+    if (!benchResult.verified) {
+      updateStep('zkproof', 'error');
+      updateStep('register', 'blocked');
+      setResult((r) => ({
+        ...r,
+        rejected: true,
+        rejectReason: 'ZK proof verification failed — integrity check did not pass',
+      }));
+      return;
+    }
+    setLogs((prev) => [...prev, `ZK proof hash: ${benchResult.zkProof.accuracyProof.slice(0, 24)}…`]);
+    updateStep('zkproof', 'done');
+
+    updateStep('register', 'running');
+    try {
+      const proofStr = benchResult.zkProof.accuracyProof;
+      const promptStr = systemPrompt || 'default-opm-security-prompt';
+      const txHash = await registerAgentOnChain(agentName, model, promptStr, proofStr);
+      setResult((r) => ({ ...r, txHash }));
+      setLogs((prev) => [...prev, `Agent registered on-chain ✓`]);
+    } catch (err: any) {
+      const msg = err?.shortMessage || err?.message || 'failed';
+      setLogs((prev) => [...prev, `Registration: ${msg}`]);
+      if (msg.includes('already')) {
+        setResult((r) => ({ ...r, rejected: true, rejectReason: 'Agent wallet is already registered' }));
+        updateStep('register', 'error');
+        return;
+      }
+    }
+    updateStep('register', 'done');
+  }
+
+  const riskColor = (pct: number) => (pct >= 100 ? 'green' : pct >= 70 ? 'yellow' : 'red');
+
+  return (
+    <Box flexDirection="column">
+      <Header subtitle="register-agent" />
+      <Text color="white" bold> Registering agent: {agentName}</Text>
+      <Text color="gray"> Model: {model}</Text>
+      <Text> </Text>
+
+      <StatusLine label="Validate configuration" status={steps.validate} />
+      <StatusLine label="Run benchmark suite (10 cases)" status={steps.benchmark} />
+
+      {logs.length > 0 && (
+        <Box flexDirection="column" marginLeft={4}>
+          {logs.map((log, i) => (
+            <Text key={i} color="gray">{log}</Text>
+          ))}
+        </Box>
+      )}
+
+      {result.benchmarkResult && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Text color="white" bold> Benchmark Results</Text>
+          <Box flexDirection="column" marginLeft={2} marginTop={1}>
+            {result.benchmarkResult.results.map((r) => (
+              <Box key={r.caseId}>
+                <Text color={r.verdict === 'PASS' ? 'green' : 'red'}>
+                  {r.verdict === 'PASS' ? '✓' : '✗'}{' '}
+                </Text>
+                <Text color="white">{r.category}</Text>
+                <Text color="gray"> — expected {r.expectedLevel}, got {r.actualLevel}</Text>
+                <Text color="gray"> (score: {r.actualScore})</Text>
+              </Box>
+            ))}
+          </Box>
+          <Box marginLeft={2} marginTop={1}>
+            <Text color={riskColor(result.benchmarkResult.accuracyPct)} bold>
+              Accuracy: {result.benchmarkResult.passed}/{result.benchmarkResult.total}{' '}
+              ({result.benchmarkResult.accuracyPct}%)
+            </Text>
+          </Box>
+        </Box>
+      )}
+
+      <Text> </Text>
+      <StatusLine label="ZK proof verification" status={steps.zkproof} />
+      {result.benchmarkResult?.zkProof && steps.zkproof === 'done' && (
+        <Box flexDirection="column" marginLeft={4}>
+          <Text color="gray">Commitment: {result.benchmarkResult.zkProof.commitment.expectedHash.slice(0, 24)}…</Text>
+          <Text color="gray">Proof:      {result.benchmarkResult.zkProof.accuracyProof.slice(0, 24)}…</Text>
+          <Text color="green">✓ Zero-knowledge proof verified — accuracy proven without revealing test data</Text>
+        </Box>
+      )}
+
+      <StatusLine label="Register agent on-chain" status={steps.register} />
+      {result.txHash && (
+        <Box flexDirection="column" marginLeft={4}>
+          <Box>
+            <Text color="gray">⛓  </Text>
+            <Hyperlink url={txUrl(result.txHash)} label={`tx ${result.txHash.slice(0, 10)}…`} color="green" />
+          </Box>
+          <Box>
+            <Text color="gray">📋 </Text>
+            <Hyperlink url={contractUrl()} label="OPM Registry Contract" color="cyan" />
+          </Box>
+        </Box>
+      )}
+
+      {result.rejected && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Text color="red" bold>✗ REGISTRATION REJECTED</Text>
+          <Box marginLeft={2}>
+            <Text color="red" wrap="wrap">{result.rejectReason}</Text>
+          </Box>
+          {result.benchmarkResult && result.benchmarkResult.failureReasons.length > 0 && (
+            <Box flexDirection="column" marginLeft={2} marginTop={1}>
+              <Text color="yellow" bold>Failure details:</Text>
+              {result.benchmarkResult.failureReasons.map((reason, i) => (
+                <Text key={i} color="yellow" wrap="wrap">  • {reason}</Text>
+              ))}
+            </Box>
+          )}
+        </Box>
+      )}
+
+      {!result.rejected && steps.register === 'done' && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Text color="green" bold>✓ Agent "{agentName}" registered successfully</Text>
+          <Text color="gray">  Your agent is now authorized to submit security scores on-chain.</Text>
+          <Text color="gray">  It will participate in the next package scan alongside existing agents.</Text>
+        </Box>
+      )}
+
+      {error && <Text color="red">Error: {error}</Text>}
+    </Box>
+  );
+}

package/packages/cli/src/components/AgentScores.tsx

@@ -17,13 +17,27 @@ export function AgentScores({ agents }: AgentScoresProps) {
         const level = classifyRisk(agent.result.risk_score);
         const color = RISK_COLORS[level];
         const connector = i === agents.length - 1 ? '└──' : '├──';
+        const intel = agent.model_intelligence || 0;
+        const coding = agent.model_coding || 0;
+        const weight = agent.model_weight || 0;
         return (
-          <Box key={agent.agent_id}>
-            <Text color="gray">{connector} </Text>
-            <Text color="cyan">{agent.agent_id}</Text>
-            <Text color="gray"> ({agent.model}): </Text>
-            <Text color={color} bold>{agent.result.risk_score}/100</Text>
-            <Text color="gray"> - {agent.result.recommendation}</Text>
+          <Box key={agent.agent_id} flexDirection="column">
+            <Box>
+              <Text color="gray">{connector} </Text>
+              <Text color="cyan">{agent.agent_id}</Text>
+              <Text color="gray"> ({agent.model}) </Text>
+              <Text color={color} bold>{agent.result.risk_score}/100</Text>
+              <Text color="gray"> {agent.result.recommendation}</Text>
+            </Box>
+            {(intel > 0 || coding > 0) && (
+              <Box marginLeft={4}>
+                <Text color="magenta">AI: {intel}</Text>
+                <Text color="gray"> | </Text>
+                <Text color="blue">Code: {coding}</Text>
+                <Text color="gray"> | </Text>
+                <Text color="cyan">W: {weight}</Text>
+              </Box>
+            )}
           </Box>
         );
       })}

package/packages/cli/src/components/Hyperlink.tsx

@@ -0,0 +1,30 @@
+import React from 'react';
+import { Text } from 'ink';
+
+interface HyperlinkProps {
+  url: string;
+  label?: string;
+  color?: string;
+}
+
+export function Hyperlink({ url, label, color = 'cyan' }: HyperlinkProps) {
+  const display = label || shortenUrl(url);
+  const ansi = `\x1b]8;;${url}\x07${display}\x1b]8;;\x07`;
+  return <Text color={color as any}>{ansi}</Text>;
+}
+
+function shortenUrl(url: string): string {
+  try {
+    const u = new URL(url);
+    const pathParts = u.pathname.split('/').filter(Boolean);
+    const hash = u.hash;
+    if (pathParts.length >= 2) {
+      const id = pathParts[pathParts.length - 1];
+      const shortHash = hash.length > 20 ? hash.slice(0, 20) + '...' : hash;
+      return `${u.host}/.../${id}${shortHash}`;
+    }
+    return url.length > 60 ? url.slice(0, 57) + '...' : url;
+  } catch {
+    return url;
+  }
+}

package/packages/cli/src/components/ScanReport.tsx

@@ -1,6 +1,7 @@
 import React from 'react';
 import { Box, Text } from 'ink';
 import type { ScanReport as ScanReportType } from '@opm/core';
+import { Hyperlink } from './Hyperlink';
 
 interface ScanReportProps {
   report?: ScanReportType | null;
@@ -21,10 +22,10 @@ export function ScanReport({ report, reportURI }: ScanReportProps) {
   return (
     <Box flexDirection="column" marginLeft={2}>
       <Text bold color="white"> Scan Report</Text>
-      {reportURI && (
+      {reportURI && !reportURI.startsWith('local://') && (
         <Box>
           <Text color="gray">  Link: </Text>
-          <Text color="blue" underline>{reportURI}</Text>
+          <Hyperlink url={reportURI} />
         </Box>
       )}
       {report && (

package/packages/cli/src/index.tsx

@@ -6,7 +6,10 @@ import { InstallCommand } from './commands/install';
 import { AuditCommand } from './commands/audit';
 import { InfoCommand } from './commands/info';
 import { AuthorViewCommand } from './commands/author-view';
+import { CheckCommand } from './commands/check';
+import { FixCommand } from './commands/fix';
 import { PassthroughCommand } from './commands/passthrough';
+import { RegisterAgentCommand } from './commands/register-agent';
 import { Header } from './components/Header';
 
 const args = process.argv.slice(2);
@@ -56,11 +59,38 @@ function App() {
       if (!name) return <Help />;
       return <InfoCommand packageName={name} version={version} />;
     }
+    case 'check':
+      return <CheckCommand />;
+    case 'fix':
+      return <FixCommand />;
     case 'whois': {
       if (!rest[0]) return <Help />;
       const ensArg = rest[0].endsWith('.eth') ? rest[0] : `${rest[0]}.eth`;
       return <AuthorViewCommand ensName={ensArg} />;
     }
+    case 'register-agent': {
+      const nameIdx = rest.findIndex((a) => a === '--name');
+      const modelIdx = rest.findIndex((a) => a === '--model');
+      const promptIdx = rest.findIndex((a) => a === '--system-prompt');
+      const agentName = nameIdx >= 0 ? rest[nameIdx + 1] : undefined;
+      const agentModel = modelIdx >= 0 ? rest[modelIdx + 1] : undefined;
+      const systemPrompt = promptIdx >= 0 ? rest[promptIdx + 1] : undefined;
+      if (!agentName || !agentModel) {
+        return (
+          <Box flexDirection="column">
+            <Header />
+            <Text color="red">Usage: opm register-agent --name {'<name>'} --model {'<model>'} [--system-prompt {'<prompt>'}]</Text>
+            <Text color="gray">  --name          Agent identifier (e.g. my-security-agent)</Text>
+            <Text color="gray">  --model         LLM model to use (e.g. anthropic/claude-sonnet-4-20250514)</Text>
+            <Text color="gray">  --system-prompt Custom system prompt (defaults to OPM security auditor prompt)</Text>
+            <Text> </Text>
+            <Text color="gray">The agent will be benchmarked against 10 labeled security test cases.</Text>
+            <Text color="gray">A ZK proof of 100% accuracy is required for registration.</Text>
+          </Box>
+        );
+      }
+      return <RegisterAgentCommand agentName={agentName} model={agentModel} systemPrompt={systemPrompt} />;
+    }
     default:
       if (command && PASSTHROUGH.has(command)) {
         return <PassthroughCommand command={command} args={rest} />;
@@ -76,12 +106,21 @@ function Help() {
       <Box flexDirection="column" marginLeft={2}>
         <Text color="cyan" bold>Security commands:</Text>
         <Text>  opm push [--token t] [--otp c]  Sign, scan, publish, register</Text>
-        <Text>  opm install [pkg]       Install with on-chain security verification</Text>
+        <Text>  opm install [pkg[@ver]] Install with on-chain security verification</Text>
+        <Text>  opm install pkg@ens.eth Install safest version by ENS author</Text>
+        <Text>  opm check               Scan all deps: typosquats, CVEs, AI analysis</Text>
+        <Text>  opm fix                 Auto-fix typosquats and vulnerable versions</Text>
         <Text>  opm audit               Scan all deps against on-chain security data</Text>
         <Text>  opm info {'<pkg>'}            Show on-chain security info for a package</Text>
         <Text>  opm view {'<name.eth>'}      Show author profile, packages, and risk scores</Text>
         <Text>  opm whois {'<name>'}          Look up an ENS identity on OPM</Text>
         <Text> </Text>
+        <Text color="cyan" bold>Agent commands:</Text>
+        <Text>  opm register-agent          Register a new security agent (ZK-verified)</Text>
+        <Text>    --name {'<name>'}             Agent identifier</Text>
+        <Text>    --model {'<model>'}           LLM model (e.g. anthropic/claude-sonnet-4-20250514)</Text>
+        <Text>    --system-prompt {'<p>'}       Custom system prompt (optional)</Text>
+        <Text> </Text>
         <Text color="cyan" bold>Standard commands (npm passthrough):</Text>
         <Text>  opm init                Initialize a new package</Text>
         <Text>  opm run {'<script>'}         Run a package script</Text>
@@ -97,12 +136,11 @@ function Help() {
         <Text> </Text>
         <Text color="gray">Aliases:  i/add → install, rm → uninstall, ls → list</Text>
         <Text color="gray">          view name.eth → author profile, view pkg → info</Text>
+        <Text color="gray">          pkg@name.eth → ENS-resolved safest version by author</Text>
         <Text> </Text>
-        <Text color="cyan" bold>Environment:</Text>
-        <Text>  OPM_PRIVATE_KEY        Author signing key</Text>
-        <Text>  CONTRACT_ADDRESS       OPMRegistry contract on Base Sepolia</Text>
-        <Text>  OPENAI_API_KEY         For AI security scanning</Text>
-        <Text>  NPM_TOKEN              npm automation token (alt to --token)</Text>
+        <Text color="cyan" bold>Environment (install/audit/info/view need no config):</Text>
+        <Text>  OPM_SIGNING_KEY        Author signing key (for push only)</Text>
+        <Text>  NPM_TOKEN              npm automation token (for push only)</Text>
       </Box>
     </Box>
   );

package/packages/cli/src/services/avatar.ts

@@ -1,10 +1,47 @@
-import terminalImage from 'terminal-image';
+import { Jimp, intToRGBA } from 'jimp';
 
-export async function renderAvatar(url: string, width = 16): Promise<string | null> {
+const PIXEL = '\u2584';
+
+export async function renderAvatar(url: string, width = 24): Promise<string | null> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 5000);
   try {
-    const res = await fetch(url, { redirect: 'follow' });
+    const res = await fetch(url, { redirect: 'follow', signal: controller.signal });
+    clearTimeout(timeout);
     if (!res.ok) return null;
     const buffer = Buffer.from(await res.arrayBuffer());
-    return await terminalImage.buffer(buffer, { width, preserveAspectRatio: true, preferNativeRender: false });
-  } catch { return null; }
-}
+    return renderImageToAnsi(buffer, width);
+  } catch {
+    clearTimeout(timeout);
+    return null;
+  }
+}
+
+async function renderImageToAnsi(buffer: Buffer, targetWidth: number): Promise<string | null> {
+  const image = await Jimp.fromBuffer(buffer);
+  const { width: origW, height: origH } = image;
+
+  const ratio = origH / origW;
+  const w = targetWidth;
+  const h = Math.max(2, Math.round(w * ratio));
+
+  image.resize({ w, h });
+
+  const lines: string[] = [];
+  for (let y = 0; y < h - 1; y += 2) {
+    let line = '';
+    for (let x = 0; x < w; x++) {
+      const top = intToRGBA(image.getPixelColor(x, y));
+      const bot = intToRGBA(image.getPixelColor(x, y + 1));
+
+      if (top.a === 0) {
+        line += `\x1b[0m\x1b[38;2;${bot.r};${bot.g};${bot.b}m${PIXEL}\x1b[0m`;
+      } else {
+        line += `\x1b[48;2;${top.r};${top.g};${top.b}m\x1b[38;2;${bot.r};${bot.g};${bot.b}m${PIXEL}\x1b[0m`;
+      }
+    }
+    lines.push(line);
+  }
+
+  return lines.join('\n');
+}

package/packages/cli/src/services/chainpatrol.ts

@@ -1,25 +1,28 @@
-import { CHAINPATROL_API_URL, getEnvOrThrow } from '@opm/core';
+import { CHAINPATROL_API_URL } from '@opm/core';
 import type { ChainPatrolResult } from '@opm/core';
 
 export async function checkPackageWithChainPatrol(packageName: string): Promise<ChainPatrolResult> {
-  const apiKey = getEnvOrThrow('CHAINPATROL_API_KEY');
+  const apiKey = process.env.CHAINPATROL_API_KEY;
+  if (!apiKey) return { status: 'UNKNOWN', source: 'skipped' };
 
-  const res = await fetch(`${CHAINPATROL_API_URL}/asset/check`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'X-API-KEY': apiKey,
-    },
-    body: JSON.stringify({ content: `npm:${packageName}` }),
-  });
+  try {
+    const res = await fetch(`${CHAINPATROL_API_URL}/asset/check`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-API-KEY': apiKey,
+      },
+      body: JSON.stringify({ content: `npm:${packageName}` }),
+    });
 
-  if (!res.ok) {
+    if (!res.ok) return { status: 'UNKNOWN', source: 'error' };
+
+    const data = await res.json() as { status: string; source: string };
+    return {
+      status: (data.status as ChainPatrolResult['status']) || 'UNKNOWN',
+      source: data.source || 'chainpatrol',
+    };
+  } catch {
     return { status: 'UNKNOWN', source: 'error' };
   }
-
-  const data = await res.json() as { status: string; source: string };
-  return {
-    status: (data.status as ChainPatrolResult['status']) || 'UNKNOWN',
-    source: data.source || 'chainpatrol',
-  };
 }