opmsec 0.1.3 → 0.1.4

package/.husky/pre-commit

@@ -0,0 +1 @@
+cd packages/web && bun run build

package/bun.lock

@@ -12,10 +12,10 @@
         "react": "^18.3.1",
         "react-devtools-core": "^5.3.2",
         "terminal-image": "^4.2.0",
-        "viem": "^2.47.2",
+        "viem": "^2.47.4",
       },
       "devDependencies": {
-        "bun-types": "latest",
+        "bun-types": "^1.3.10",
       },
     },
     "packages/cli": {
@@ -317,7 +317,7 @@
 
     "opm": ["opm@workspace:packages/cli"],
 
-    "ox": ["ox@0.14.0", "", { "dependencies": { "@adraffy/ens-normalize": "^1.11.0", "@noble/ciphers": "^1.3.0", "@noble/curves": "1.9.1", "@noble/hashes": "^1.8.0", "@scure/bip32": "^1.7.0", "@scure/bip39": "^1.6.0", "abitype": "^1.2.3", "eventemitter3": "5.0.1" }, "peerDependencies": { "typescript": ">=5.4.0" }, "optionalPeers": ["typescript"] }, "sha512-WLOB7IKnmI3Ol6RAqY7CJdZKl8QaI44LN91OGF1061YIeN6bL5IsFcdp7+oQShRyamE/8fW/CBRWhJAOzI35Dw=="],
+    "ox": ["ox@0.14.5", "", { "dependencies": { "@adraffy/ens-normalize": "^1.11.0", "@noble/ciphers": "^1.3.0", "@noble/curves": "1.9.1", "@noble/hashes": "^1.8.0", "@scure/bip32": "^1.7.0", "@scure/bip39": "^1.6.0", "abitype": "^1.2.3", "eventemitter3": "5.0.1" }, "peerDependencies": { "typescript": ">=5.4.0" }, "optionalPeers": ["typescript"] }, "sha512-HgmHmBveYO40H/R3K6TMrwYtHsx/u6TAB+GpZlgJCoW0Sq5Ttpjih0IZZiwGQw7T6vdW4IAyobYrE2mdAvyF8Q=="],
 
     "pako": ["pako@2.1.0", "", {}, "sha512-w+eufiZ1WuJYgPXbV/PO3NCMEc3xqylkKHzp8bxp1uW4qaSNQUkwmLLEc3kKsfz8lpV1F8Ht3U1Cm+9Srog2ug=="],
 
@@ -427,7 +427,7 @@
 
     "utif2": ["utif2@4.1.0", "", { "dependencies": { "pako": "^1.0.11" } }, "sha512-+oknB9FHrJ7oW7A2WZYajOcv4FcDR4CfoGB0dPNfxbi4GO05RRnFmt5oa23+9w32EanrYcSJWspUiJkLMs+37w=="],
 
-    "viem": ["viem@2.47.2", "", { "dependencies": { "@noble/curves": "1.9.1", "@noble/hashes": "1.8.0", "@scure/bip32": "1.7.0", "@scure/bip39": "1.6.0", "abitype": "1.2.3", "isows": "1.0.7", "ox": "0.14.0", "ws": "8.18.3" }, "peerDependencies": { "typescript": ">=5.0.4" }, "optionalPeers": ["typescript"] }, "sha512-etDIwDgmDiGaPg8rUbJtUFuC3/nAJCbhMYyfh5dOcqNNkzBWTNcS2VluPSM5JVo+9U3b2hle2RkBEq3+xyvlvg=="],
+    "viem": ["viem@2.47.4", "", { "dependencies": { "@noble/curves": "1.9.1", "@noble/hashes": "1.8.0", "@scure/bip32": "1.7.0", "@scure/bip39": "1.6.0", "abitype": "1.2.3", "isows": "1.0.7", "ox": "0.14.5", "ws": "8.18.3" }, "peerDependencies": { "typescript": ">=5.0.4" }, "optionalPeers": ["typescript"] }, "sha512-h0Wp/SYmJO/HB4B/em1OZ3W1LaKrmr7jzaN7talSlZpo0LCn0V6rZ5g923j6sf4VUSrqp/gUuWuHFc7UcoIp8A=="],
 
     "which": ["which@2.0.2", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],
 

package/docs/mint.json

@@ -2,8 +2,8 @@
   "$schema": "https://mintlify.com/schema.json",
   "name": "OPM Documentation",
   "logo": {
-    "dark": "/logo/dark.svg",
-    "light": "/logo/light.svg"
+    "dark": "/favicon.svg",
+    "light": "/favicon.svg"
   },
   "favicon": "/favicon.svg",
   "colors": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opmsec",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "private": false,
   "bin": {
     "opm": "packages/cli/src/index.tsx"
@@ -14,7 +14,8 @@
     "build:contracts": "cd packages/contracts && npx hardhat compile",
     "deploy:contracts": "cd packages/contracts && npx hardhat run scripts/deploy.ts --network baseSepolia",
     "test:contracts": "cd packages/contracts && npx hardhat test",
-    "scan": "bun run packages/scanner/src/index.ts"
+    "scan": "bun run packages/scanner/src/index.ts",
+    "prepare": "husky || true"
   },
   "dependencies": {
     "@ensdomains/ensjs": "^4.2.2",
@@ -25,15 +26,15 @@
     "react": "^18.3.1",
     "react-devtools-core": "^5.3.2",
     "terminal-image": "^4.2.0",
-    "viem": "^2.47.2"
+    "viem": "^2.47.4"
   },
   "devDependencies": {
-    "bun-types": "latest"
+    "bun-types": "^1.3.10"
   },
   "opm": {
-    "signature": "0xacf623c584df3b03a13588107cb0024212b50a20078a74d3a19394ea7378f2b23c679f3e351fd27393c5212f09ead8c826af1f103f535b9a802944e27b5ffa081b",
+    "signature": "0xf469749982344b8aee24fadd624cad2b5262dd48964ceb0de8d79d2d256343a04aef4e99682b3e48c8468191bb1ff2076615b49006e9c83cd0de2bd696aa92e91b",
     "author": "0x2a3942EbDd8c5ea3E66D3fC4301F56d0F15d4bE2",
     "ensName": "djpaiethg.eth",
-    "checksum": "0x5e73c81a9f22b1381766bbea30dee60a945ece4d320f3c4f65597beb0bc19269"
+    "checksum": "0x3c9a3dfc1e62fd2b36611988cf642d34e6bc7de352c903d4dc6968253cfe1b61"
   }
 }

package/packages/cli/src/commands/install.tsx

@@ -10,7 +10,8 @@ import { verifyChecksum } from '../services/signature';
 import { resolveENSName } from '../services/ens';
 import { checkPackageWithChainPatrol } from '../services/chainpatrol';
 import { queryOSV, getOSVSeverity, getFixedVersion, type OSVVulnerability } from '../services/osv';
-import { resolveVersion } from '../services/version';
+import { resolveVersion, findSafeVersion, isENSVersion, type ResolvedVersion } from '../services/version';
+import { resolveAddress } from '../services/ens';
 import { execSync } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -19,6 +20,7 @@ type StepStatus = 'pending' | 'running' | 'done' | 'error' | 'skip';
 
 interface Steps {
   resolve: StepStatus;
+  ens: StepStatus;
   cve: StepStatus;
   onchain: StepStatus;
   signature: StepStatus;
@@ -31,6 +33,7 @@ interface SecurityResult {
   name: string;
   version: string;
   resolvedVersion: string;
+  resolved?: ResolvedVersion;
   cves: OSVVulnerability[];
   info?: OnChainPackageInfo;
   signatureValid?: boolean;
@@ -40,6 +43,9 @@ interface SecurityResult {
   warning: boolean;
   blockReason?: string;
   safestVersion?: string;
+  autoBumped?: boolean;
+  autoBumpedFrom?: string;
+  autoBumpReason?: string;
 }
 
 interface InstallCommandProps {
@@ -76,12 +82,16 @@ export function InstallCommand({ packageName, version }: InstallCommandProps) {
 // ─── Single package install with full security pipeline ───────────────────────
 
 function SingleInstall({ packageName, version }: { packageName: string; version?: string }) {
+  const isEns = version ? isENSVersion(version) : false;
+
   const [steps, setSteps] = useState<Steps>({
-    resolve: 'pending', cve: 'pending', onchain: 'pending',
+    resolve: 'pending', ens: isEns ? 'pending' : 'skip',
+    cve: 'pending', onchain: 'pending',
     signature: 'pending', chainpatrol: 'pending', report: 'pending',
     install: 'pending',
   });
   const [result, setResult] = useState<SecurityResult | null>(null);
+  const [ensDetail, setEnsDetail] = useState<string | undefined>(undefined);
   const [error, setError] = useState<string | null>(null);
   const [done, setDone] = useState(false);
 
@@ -99,11 +109,35 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
       blocked: false, warning: false,
     };
 
-    update('resolve', 'running');
-    r.resolvedVersion = await resolveVersion(packageName, r.version);
-    setResult({ ...r });
-    update('resolve', 'done');
+    // ── Resolve version (+ ENS if applicable) ──
+    if (isEns) {
+      update('resolve', 'done');
+      update('ens', 'running');
+      try {
+        const resolved = await resolveVersion(packageName, r.version, (msg) => setEnsDetail(msg));
+        r.resolved = resolved;
+        r.resolvedVersion = resolved.version;
+        r.ensName = resolved.ensName;
+        setResult({ ...r });
+        setEnsDetail(`${resolved.ensName} → v${resolved.version} (${resolved.reason})`);
+        update('ens', 'done');
+      } catch (err: any) {
+        setEnsDetail(err?.message || 'ENS resolution failed');
+        update('ens', 'error');
+        setError(err?.message || 'ENS resolution failed');
+        update('install', 'error');
+        return;
+      }
+    } else {
+      update('resolve', 'running');
+      const resolved = await resolveVersion(packageName, r.version);
+      r.resolved = resolved;
+      r.resolvedVersion = resolved.version;
+      setResult({ ...r });
+      update('resolve', 'done');
+    }
 
+    // ── CVE check ──
     update('cve', 'running');
     r.cves = await queryOSV(packageName, r.resolvedVersion);
     const cveCounts = categorizeCVEs(r.cves);
@@ -116,6 +150,7 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
     setResult({ ...r });
     update('cve', 'done');
 
+    // ── On-chain registry lookup ──
     update('onchain', 'running');
     try {
       const info = await getPackageInfo(packageName, r.resolvedVersion);
@@ -133,12 +168,35 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
     setResult({ ...r });
     update('onchain', 'done');
 
+    // ── Auto-bump: try to find a safe version instead of blocking ──
+    if (r.blocked && !isEns) {
+      const safe = await findSafeVersion(packageName, r.resolvedVersion, r.cves);
+      if (safe) {
+        r.autoBumped = true;
+        r.autoBumpedFrom = r.resolvedVersion;
+        r.autoBumpReason = safe.reason;
+        r.resolvedVersion = safe.version;
+        r.blocked = false;
+        r.blockReason = undefined;
+        r.warning = true;
+
+        r.cves = await queryOSV(packageName, safe.version).catch(() => []);
+        try {
+          const newInfo = await getPackageInfo(packageName, safe.version);
+          if (newInfo.exists) r.info = newInfo;
+        } catch { /* keep existing */ }
+
+        setResult({ ...r });
+      }
+    }
+
+    // ── Signature verification ──
     if (r.info?.exists) {
       update('signature', 'running');
       r.signatureValid = r.info.signature !== '0x'
         ? verifyChecksum(r.info.checksum, r.info.signature, r.info.author)
         : false;
-      if (r.info.author) {
+      if (r.info.author && !r.ensName) {
         r.ensName = await resolveENSName(r.info.author).catch(() => null) || undefined;
       }
       setResult({ ...r });
@@ -147,6 +205,7 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
       update('signature', 'skip');
     }
 
+    // ── ChainPatrol check ──
     if (!r.info?.exists) {
       update('chainpatrol', 'running');
       const cp = await checkPackageWithChainPatrol(packageName).catch(() => null);
@@ -161,12 +220,14 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
       update('chainpatrol', 'skip');
     }
 
+    // ── Fileverse report ──
     if (r.info?.reportURI && !r.info.reportURI.startsWith('local://')) {
       update('report', 'done');
     } else {
       update('report', 'skip');
     }
 
+    // ── Block or install ──
     if (r.blocked) {
       setError(`Blocked: ${r.blockReason || 'security risk detected'}`);
       update('install', 'error');
@@ -175,7 +236,7 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
 
     update('install', 'running');
     try {
-      const target = `${packageName}${version ? `@${version}` : ''}`;
+      const target = `${packageName}@${r.resolvedVersion}`;
       execSync(`npm install ${target}`, { encoding: 'utf-8', stdio: 'pipe', cwd: process.cwd() });
     } catch { /* non-fatal */ }
     update('install', 'done');
@@ -191,12 +252,43 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
   return (
     <Box flexDirection="column">
       <Header subtitle="install" />
-      {result && <Text color="white" bold> {result.name}@{result.resolvedVersion}</Text>}
+      {result && (
+        <Box>
+          <Text color="white" bold> {result.name}@{result.resolvedVersion}</Text>
+          {result.ensName && result.resolved?.source === 'ens' && (
+            <Text color="cyan"> via {result.ensName}</Text>
+          )}
+          {result.autoBumped && (
+            <Text color="yellow"> (bumped from {result.autoBumpedFrom})</Text>
+          )}
+        </Box>
+      )}
       <Text> </Text>
 
       <StatusLine label="Resolve version" status={steps.resolve}
         detail={steps.resolve === 'done' ? result?.resolvedVersion : undefined} />
 
+      {isEns && (
+        <StatusLine label="Resolve ENS author" status={steps.ens} detail={ensDetail} />
+      )}
+      {steps.ens === 'done' && result?.resolved?.source === 'ens' && (
+        <Box flexDirection="column" marginLeft={4}>
+          <Box>
+            <Text color="gray">Author:  </Text>
+            <Text color="green">{result.ensName}</Text>
+            {result.resolved.authorAddress && (
+              <Text color="gray"> ({truncateAddress(result.resolved.authorAddress)})</Text>
+            )}
+            <Text color="green"> ✓ on-chain</Text>
+          </Box>
+          <Box>
+            <Text color="gray">Version: </Text>
+            <Text color="cyan">{result.resolvedVersion}</Text>
+            <Text color="gray"> (safest on-chain version)</Text>
+          </Box>
+        </Box>
+      )}
+
       <StatusLine label="Query CVE database (OSV)" status={steps.cve}
         detail={steps.cve === 'done'
           ? (result?.cves.length
@@ -231,6 +323,22 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
         </Box>
       )}
 
+      {result?.autoBumped && (
+        <Box flexDirection="column" marginLeft={4} marginTop={0}>
+          <Box>
+            <Text color="yellow">↑ Auto-bumped: </Text>
+            <Text color="red">{result.autoBumpedFrom}</Text>
+            <Text color="yellow"> → </Text>
+            <Text color="green" bold>{result.resolvedVersion}</Text>
+          </Box>
+          {result.autoBumpReason && (
+            <Box marginLeft={2}>
+              <Text color="gray">{result.autoBumpReason}</Text>
+            </Box>
+          )}
+        </Box>
+      )}
+
       <StatusLine label="On-chain registry lookup" status={steps.onchain}
         detail={steps.onchain === 'done' && result?.info?.exists
           ? `${result.info.aggregateScore}/100 (${classifyRisk(result.info.aggregateScore)})`
@@ -269,14 +377,30 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
         <Box flexDirection="column" marginTop={1}>
           <Text color="gray">────────────────────────────────────────</Text>
           <Text color="white" bold> Security Summary</Text>
+          {result.resolved?.source === 'ens' && (
+            <Box marginLeft={2}>
+              <Text color="gray">Resolved: </Text>
+              <Text color="green">{result.ensName}</Text>
+              <Text color="gray"> → </Text>
+              <Text color="cyan">{result.resolvedVersion}</Text>
+            </Box>
+          )}
+          {result.autoBumped && (
+            <Box marginLeft={2}>
+              <Text color="gray">Bumped:   </Text>
+              <Text color="red">{result.autoBumpedFrom}</Text>
+              <Text color="gray"> → </Text>
+              <Text color="green">{result.resolvedVersion}</Text>
+            </Box>
+          )}
           {result.info?.exists && (
             <Box marginLeft={2}>
-              <Text color="gray">Risk: </Text>
+              <Text color="gray">Risk:     </Text>
               <RiskBadge level={classifyRisk(result.info.aggregateScore)} score={result.info.aggregateScore} />
             </Box>
           )}
           <Box marginLeft={2}>
-            <Text color="gray">CVEs: </Text>
+            <Text color="gray">CVEs:     </Text>
             {result.cves.length > 0 ? (
               <Text color={severeCount > 0 ? 'red' : 'yellow'}>
                 {result.cves.length} known ({cveCounts.critical > 0 ? `${cveCounts.critical} critical, ` : ''}{cveCounts.high} high, {cveCounts.medium} medium, {cveCounts.low} low)
@@ -287,19 +411,19 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
           </Box>
           {result.info?.exists && (
             <Box marginLeft={2}>
-              <Text color="gray">Signature: </Text>
+              <Text color="gray">Signature:</Text>
               <Text color={result.signatureValid ? 'green' : 'red'}>
-                {result.signatureValid ? 'verified' : 'unverified'}
+                {' '}{result.signatureValid ? 'verified' : 'unverified'}
               </Text>
             </Box>
           )}
           {result.ensName && (
             <Box marginLeft={2}>
-              <Text color="gray">Author: </Text>
+              <Text color="gray">Author:   </Text>
               <Text color="green">{result.ensName}</Text>
             </Box>
           )}
-          {result.warning && !result.blocked && (
+          {result.warning && !result.blocked && !result.autoBumped && (
             <Box marginLeft={2}>
               <Text color="yellow">⚠ Vulnerabilities detected — review before using in production</Text>
             </Box>
@@ -311,7 +435,7 @@ function SingleInstall({ packageName, version }: { packageName: string; version?
               <Text color="yellow"> to fix known CVEs</Text>
             </Box>
           )}
-          {result.warning && result.safestVersion && (
+          {result.warning && result.safestVersion && !result.autoBumped && (
             <Box marginLeft={2}>
               <Text color="yellow">⚠ Consider using safest on-chain version: {result.safestVersion}</Text>
             </Box>
@@ -338,6 +462,11 @@ interface BulkDepResult {
   blocked: boolean;
   blockReason?: string;
   suggestedUpgrade?: string;
+  ensResolved?: boolean;
+  ensName?: string;
+  autoBumped?: boolean;
+  originalVersion?: string;
+  autoBumpReason?: string;
 }
 
 function BulkInstall() {
@@ -346,6 +475,9 @@ function BulkInstall() {
   const [error, setError] = useState<string | null>(null);
   const [installStatus, setInstallStatus] = useState<StepStatus>('pending');
   const [total, setTotal] = useState(0);
+  const [ensCount, setEnsCount] = useState(0);
+  const [ensResolvingStatus, setEnsResolvingStatus] = useState<StepStatus>('skip');
+  const [ensResolvedCount, setEnsResolvedCount] = useState(0);
 
   useEffect(() => {
     runBulk().catch((err) => setError(String(err)));
@@ -368,15 +500,79 @@ function BulkInstall() {
       return;
     }
 
+    // ── Phase 1: Batch-resolve all ENS names in parallel ──
+    const ensEntries = entries.filter(([, ver]) => isENSVersion(String(ver)));
+    setEnsCount(ensEntries.length);
+
+    const ensCache = new Map<string, { address: string; version: string }>();
+
+    if (ensEntries.length > 0) {
+      setEnsResolvingStatus('running');
+
+      const uniqueEnsNames = [...new Set(ensEntries.map(([, v]) => String(v)))];
+      const ensResults = await Promise.allSettled(
+        uniqueEnsNames.map(async (ensName) => {
+          const addr = await resolveAddress(ensName);
+          return { ensName, address: addr };
+        }),
+      );
+
+      const ensAddresses = new Map<string, string>();
+      for (const result of ensResults) {
+        if (result.status === 'fulfilled' && result.value.address) {
+          ensAddresses.set(result.value.ensName, result.value.address);
+        }
+      }
+
+      const ensVersionResults = await Promise.allSettled(
+        ensEntries.map(async ([name, ensName]) => {
+          const addr = ensAddresses.get(String(ensName));
+          if (!addr) return null;
+          const resolved = await resolveVersion(name, String(ensName));
+          return { name, ensName: String(ensName), resolved };
+        }),
+      );
+
+      for (const result of ensVersionResults) {
+        if (result.status === 'fulfilled' && result.value) {
+          const { name, ensName, resolved } = result.value;
+          ensCache.set(name, {
+            address: resolved.authorAddress || '',
+            version: resolved.version,
+          });
+          setEnsResolvedCount((c) => c + 1);
+        }
+      }
+
+      setEnsResolvingStatus('done');
+    }
+
+    // ── Phase 2: Scan each dependency ──
     const checked: BulkDepResult[] = [];
 
     for (const [name, verRange] of entries) {
-      const rawVersion = String(verRange).replace(/^[\^~]/, '');
+      const rawVerStr = String(verRange);
+      const isEns = isENSVersion(rawVerStr);
+
+      let rawVersion: string;
+      let ensName: string | undefined;
+      let ensResolved = false;
+
+      if (isEns && ensCache.has(name)) {
+        const cached = ensCache.get(name)!;
+        rawVersion = cached.version;
+        ensName = rawVerStr;
+        ensResolved = true;
+      } else {
+        rawVersion = rawVerStr.replace(/^[\^~]/, '');
+      }
+
       const entry: BulkDepResult = {
         name, version: rawVersion,
         cves: [], cvesCritical: 0, cvesHigh: 0,
         onChain: false, score: null,
         blocked: false,
+        ensResolved, ensName,
       };
 
       const [osvResult, infoResult] = await Promise.allSettled([
@@ -406,6 +602,25 @@ function BulkInstall() {
         }
       }
 
+      // ── Auto-bump blocked deps ──
+      if (entry.blocked && !ensResolved) {
+        const safe = await findSafeVersion(name, rawVersion, entry.cves);
+        if (safe) {
+          entry.autoBumped = true;
+          entry.originalVersion = rawVersion;
+          entry.autoBumpReason = safe.reason;
+          entry.version = safe.version;
+          entry.blocked = false;
+          entry.blockReason = undefined;
+
+          const newCves = await queryOSV(name, safe.version).catch(() => []);
+          entry.cves = newCves;
+          const newCounts = categorizeCVEs(newCves);
+          entry.cvesCritical = newCounts.critical;
+          entry.cvesHigh = newCounts.high;
+        }
+      }
+
       checked.push(entry);
       setDeps([...checked]);
     }
@@ -419,16 +634,24 @@ function BulkInstall() {
       return;
     }
 
+    // Build npm install command with correct versions
+    const bumpedDeps = checked.filter((d) => d.autoBumped || d.ensResolved);
     setInstallStatus('running');
     try {
-      execSync('npm install', { encoding: 'utf-8', stdio: 'pipe', cwd: process.cwd() });
+      if (bumpedDeps.length > 0) {
+        const args = checked.map((d) => `${d.name}@${d.version}`).join(' ');
+        execSync(`npm install ${args}`, { encoding: 'utf-8', stdio: 'pipe', cwd: process.cwd() });
+      } else {
+        execSync('npm install', { encoding: 'utf-8', stdio: 'pipe', cwd: process.cwd() });
+      }
     } catch { /* non-fatal */ }
     setInstallStatus('done');
   }
 
   const blockedDeps = deps.filter((d) => d.blocked);
-  const warnDeps = deps.filter((d) => !d.blocked && (d.cvesHigh > 0 || (d.score !== null && d.score >= MEDIUM_RISK_THRESHOLD)));
-  const safeDeps = deps.filter((d) => !d.blocked && d.cvesHigh === 0 && (d.score === null || d.score < MEDIUM_RISK_THRESHOLD));
+  const bumpedDeps = deps.filter((d) => d.autoBumped || d.ensResolved);
+  const warnDeps = deps.filter((d) => !d.blocked && !d.autoBumped && !d.ensResolved && (d.cvesHigh > 0 || (d.score !== null && d.score >= MEDIUM_RISK_THRESHOLD)));
+  const safeDeps = deps.filter((d) => !d.blocked && !d.autoBumped && !d.ensResolved && d.cvesHigh === 0 && (d.score === null || d.score < MEDIUM_RISK_THRESHOLD));
   const totalCves = deps.reduce((s, d) => s + d.cves.length, 0);
 
   return (
@@ -436,13 +659,48 @@ function BulkInstall() {
       <Header subtitle="install" />
       <Text> </Text>
 
+      {ensCount > 0 && (
+        <StatusLine label={`Resolve ${ensCount} ENS author(s)`} status={ensResolvingStatus}
+          detail={ensResolvingStatus === 'done' ? `${ensResolvedCount} resolved` : ensResolvingStatus === 'running' ? 'resolving...' : undefined} />
+      )}
+
       <StatusLine label={`Scanning ${total} dependencies`} status={scanning ? 'running' : 'done'}
         detail={!scanning ? `${deps.length} checked` : `${deps.length}/${total}`} />
 
       {deps.length > 0 && (
         <Box flexDirection="column" marginTop={1}>
-          {blockedDeps.length > 0 && (
+          {bumpedDeps.length > 0 && (
             <Box flexDirection="column">
+              <Text color="cyan" bold> ENS / AUTO-BUMPED ({bumpedDeps.length})</Text>
+              {bumpedDeps.map((d) => (
+                <Box key={d.name} flexDirection="column" marginLeft={2}>
+                  <Box>
+                    {d.ensResolved ? (
+                      <Text color="cyan">◈ </Text>
+                    ) : (
+                      <Text color="yellow">↑ </Text>
+                    )}
+                    <Text color="white" bold>{d.name}</Text>
+                    <Text color="green">@{d.version}</Text>
+                    {d.ensResolved && d.ensName && (
+                      <Text color="cyan">  via {d.ensName}</Text>
+                    )}
+                    {d.autoBumped && d.originalVersion && (
+                      <Text color="yellow">  bumped from {d.originalVersion}</Text>
+                    )}
+                  </Box>
+                  {d.autoBumpReason && (
+                    <Box marginLeft={4}>
+                      <Text color="gray">{d.autoBumpReason}</Text>
+                    </Box>
+                  )}
+                </Box>
+              ))}
+            </Box>
+          )}
+
+          {blockedDeps.length > 0 && (
+            <Box flexDirection="column" marginTop={bumpedDeps.length > 0 ? 1 : 0}>
               <Text color="red" bold> BLOCKED ({blockedDeps.length})</Text>
               {blockedDeps.map((d) => (
                 <Box key={d.name} flexDirection="column" marginLeft={2}>
@@ -476,7 +734,7 @@ function BulkInstall() {
           )}
 
           {warnDeps.length > 0 && (
-            <Box flexDirection="column" marginTop={blockedDeps.length > 0 ? 1 : 0}>
+            <Box flexDirection="column" marginTop={(blockedDeps.length + bumpedDeps.length) > 0 ? 1 : 0}>
               <Text color="yellow" bold> WARNING ({warnDeps.length})</Text>
               {warnDeps.map((d) => (
                 <Box key={d.name} marginLeft={2}>
@@ -491,7 +749,7 @@ function BulkInstall() {
           )}
 
           {safeDeps.length > 0 && (
-            <Box flexDirection="column" marginTop={(blockedDeps.length + warnDeps.length) > 0 ? 1 : 0}>
+            <Box flexDirection="column" marginTop={(blockedDeps.length + warnDeps.length + bumpedDeps.length) > 0 ? 1 : 0}>
               <Text color="green" bold> SAFE ({safeDeps.length})</Text>
               {safeDeps.map((d) => (
                 <Box key={d.name} marginLeft={2}>
@@ -518,7 +776,7 @@ function BulkInstall() {
 
           <Box marginTop={1}>
             <Text color={blockedDeps.length > 0 ? 'red' : totalCves > 0 ? 'yellow' : 'green'} bold>
-              {deps.length} packages scanned: {blockedDeps.length} blocked, {warnDeps.length} warnings, {totalCves} CVEs
+              {deps.length} packages scanned: {blockedDeps.length} blocked, {bumpedDeps.length} resolved, {warnDeps.length} warnings, {totalCves} CVEs
             </Text>
           </Box>
 

package/packages/cli/src/index.tsx

@@ -106,7 +106,8 @@ function Help() {
       <Box flexDirection="column" marginLeft={2}>
         <Text color="cyan" bold>Security commands:</Text>
         <Text>  opm push [--token t] [--otp c]  Sign, scan, publish, register</Text>
-        <Text>  opm install [pkg]       Install with on-chain security verification</Text>
+        <Text>  opm install [pkg[@ver]] Install with on-chain security verification</Text>
+        <Text>  opm install pkg@ens.eth Install safest version by ENS author</Text>
         <Text>  opm check               Scan all deps: typosquats, CVEs, AI analysis</Text>
         <Text>  opm fix                 Auto-fix typosquats and vulnerable versions</Text>
         <Text>  opm audit               Scan all deps against on-chain security data</Text>
@@ -135,6 +136,7 @@ function Help() {
         <Text> </Text>
         <Text color="gray">Aliases:  i/add → install, rm → uninstall, ls → list</Text>
         <Text color="gray">          view name.eth → author profile, view pkg → info</Text>
+        <Text color="gray">          pkg@name.eth → ENS-resolved safest version by author</Text>
         <Text> </Text>
         <Text color="cyan" bold>Environment (install/audit/info/view need no config):</Text>
         <Text>  OPM_SIGNING_KEY        Author signing key (for push only)</Text>