npm - opmsec - Versions diffs - 0.1.5 → 0.1.52 - Mend

opmsec 0.1.5 → 0.1.52

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/.env.example CHANGED Viewed

@@ -21,5 +21,4 @@ FILEVERSE_API_KEY=                  # from ddocs.new → Settings → Developer
 # ETH_SEPOLIA_RPC_URL=https://ethereum-sepolia-rpc.publicnode.com
 # FILEVERSE_API_URL=http://localhost:8001
 # CHAINPATROL_API_KEY=             # optional, for blocklist checks
-# ARTIFICIAL_ANALYSIS_API_KEY=     # optional, for model-weighted scoring
-PINATA_JWT=your_pinata_jwt_here
+# ARTIFICIAL_ANALYSIS_API_KEY=     # optional, for model-weighted scoring

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opmsec",
-  "version": "0.1.5",
+  "version": "0.1.52",
   "private": false,
   "bin": {
     "opm": "packages/cli/src/index.tsx"
@@ -32,9 +32,9 @@
     "bun-types": "latest"
   },
   "opm": {
-    "signature": "0xe975b8c26bb6dc450a51c01fa1e5cb2f04b35d7535cde3432def8b4ee209c31158a4743c7477d45b1da6445c3ad11608e515fff40850aba8848d22d01aaf64621b",
+    "signature": "0xa1c1b29e1b878ba3cee4cd14d75e79e5a7e683bbd57ef7cc2917c2693f2310400aaae5dccfb655498cb26e2e6ced586fd3d987ca484f82b8721e480836e88fa61b",
     "author": "0x2a3942EbDd8c5ea3E66D3fC4301F56d0F15d4bE2",
     "ensName": "djpaiethg.eth",
-    "checksum": "0x2633d7353118b1451f120ebb71a31c2c18901388f37ac9943090bb57a3c5e454"
+    "checksum": "0x0ce8eaad637d74e4172c3b9de6af85ec600bb0726dd53bc3d1520615542daa64"
   }
 }

package/packages/cli/src/commands/audit.tsx CHANGED Viewed

@@ -1,6 +1,7 @@
 import React, { useState, useEffect } from 'react';
 import { Box, Text } from 'ink';
 import { HIGH_RISK_THRESHOLD, MEDIUM_RISK_THRESHOLD, truncateAddress, classifyRisk } from '@opm/core';
+import type { DepGraphResult, FlaggedPath } from '@opm/core';
 import { Header } from '../components/Header';
 import { RiskBadge } from '../components/RiskBadge';
 import { StatusLine } from '../components/StatusLine';
@@ -8,6 +9,7 @@ import { getPackageInfo } from '../services/contract';
 import { checkPackageWithChainPatrol } from '../services/chainpatrol';
 import { queryOSV, getOSVSeverity } from '../services/osv';
 import { resolveVersion } from '../services/version';
+import { resolveAndScanDepGraph } from '../services/dep-graph';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -22,8 +24,12 @@ interface DepResult {
   cveHighCount: number;
 }
+type Phase = 'graph' | 'direct' | 'done';
 export function AuditCommand() {
-  const [status, setStatus] = useState<'running' | 'done'>('running');
+  const [phase, setPhase] = useState<Phase>('graph');
+  const [graphStatus, setGraphStatus] = useState('Resolving...');
+  const [graph, setGraph] = useState<DepGraphResult | null>(null);
   const [results, setResults] = useState<DepResult[]>([]);
   const [error, setError] = useState<string | null>(null);
@@ -32,6 +38,16 @@ export function AuditCommand() {
   }, []);
   async function runAudit() {
+    let graphResult: DepGraphResult | null = null;
+    try {
+      graphResult = await resolveAndScanDepGraph(process.cwd(), (msg) => setGraphStatus(msg));
+      setGraph(graphResult);
+    } catch {
+      setGraphStatus('Lockfile not found — direct deps only');
+    }
+    setPhase('direct');
     const pkgPath = path.resolve('package.json');
     if (!fs.existsSync(pkgPath)) throw new Error('No package.json found');
@@ -40,7 +56,7 @@ export function AuditCommand() {
     const entries = Object.entries(deps) as [string, string][];
     if (entries.length === 0) {
-      setStatus('done');
+      setPhase('done');
       return;
     }
@@ -76,7 +92,7 @@ export function AuditCommand() {
       setResults([...checked]);
     }
-    setStatus('done');
+    setPhase('done');
   }
   const high = results.filter((r) => r.score !== null && r.score >= HIGH_RISK_THRESHOLD);
@@ -88,8 +104,17 @@ export function AuditCommand() {
   return (
     <Box flexDirection="column">
       <Header subtitle="audit" />
-      <StatusLine label={`Checking ${results.length} dependencies`} status={status === 'done' ? 'done' : 'running'} />
+      <StatusLine label="Resolving dependency tree"
+        status={phase === 'graph' ? 'running' : 'done'}
+        detail={phase === 'graph' ? graphStatus : graph
+          ? `${graph.totalDeps} deps (${graph.directDeps} direct, ${graph.transitiveDeps} transitive)`
+          : 'direct deps only'} />
+      <StatusLine label={`Checking ${results.length} direct dependencies`}
+        status={phase === 'done' ? 'done' : 'running'} />
       <Text> </Text>
       {results.map((r) => (
         <Box key={r.name} marginLeft={2}>
           <Box width={30}>
@@ -113,7 +138,38 @@ export function AuditCommand() {
           )}
         </Box>
       ))}
-      {status === 'done' && (
+      {/* Transitive flagged paths from dep graph */}
+      {phase === 'done' && graph && graph.flaggedPaths.length > 0 && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Text color="white" bold> Transitive Risk Paths ({graph.flaggedPaths.length})</Text>
+          {graph.flaggedPaths.slice(0, 10).map((fp, i) => {
+            const sevColor = fp.severity === 'CRITICAL' || fp.severity === 'HIGH' ? 'red' : 'yellow';
+            const chain = fp.path.slice(1).join(' → ');
+            return (
+              <Box key={i} marginLeft={2} flexDirection="column">
+                <Box>
+                  <Text color={sevColor}>{fp.severity === 'CRITICAL' || fp.severity === 'HIGH' ? '✖' : '⚠'} </Text>
+                  <Text color={sevColor} bold>{fp.severity.padEnd(9)}</Text>
+                  <Text color="white">{chain}</Text>
+                </Box>
+                <Box marginLeft={12}>
+                  <Text color="gray">{fp.reason}</Text>
+                  {fp.fix && <Text color="green"> → {fp.fix}</Text>}
+                </Box>
+              </Box>
+            );
+          })}
+          {graph.flaggedPaths.length > 10 && (
+            <Box marginLeft={2}>
+              <Text color="gray">... and {graph.flaggedPaths.length - 10} more</Text>
+            </Box>
+          )}
+        </Box>
+      )}
+      {phase === 'done' && (
         <Box flexDirection="column" marginTop={1}>
           <Text color="gray">────────────────────────────────────────</Text>
           <Box>
@@ -131,6 +187,17 @@ export function AuditCommand() {
               </>
             )}
           </Box>
+          {graph && (
+            <Box marginTop={0}>
+              <Text color="gray">📦 {graph.totalDeps} total ({graph.directDeps} direct, {graph.transitiveDeps} transitive)</Text>
+              {graph.flaggedPaths.length > 0 && (
+                <Text color="yellow"> · {graph.flaggedPaths.length} transitive risk paths</Text>
+              )}
+            </Box>
+          )}
+          {graph && (
+            <Text color="gray">🔗 Merkle root: {graph.merkleRoot.slice(0, 18)}...</Text>
+          )}
           {high.length > 0 && (
             <Text color="red" bold>⚠ {high.length} package(s) above risk threshold!</Text>
           )}

package/packages/cli/src/commands/check.tsx CHANGED Viewed

@@ -1,11 +1,12 @@
 import React, { useState, useEffect } from 'react';
 import { Box, Text } from 'ink';
 import { CHECK_SYSTEM_PROMPT, buildCheckPrompt, classifyRisk, getModelRankingFor } from '@opm/core';
-import type { DepEntry, CheckReport, CheckDepResult, CheckAgentResult } from '@opm/core';
+import type { DepEntry, CheckReport, CheckDepResult, CheckAgentResult, DepGraphResult, FlaggedPath } from '@opm/core';
 import { Header } from '../components/Header';
 import { StatusLine } from '../components/StatusLine';
 import { RiskBadge } from '../components/RiskBadge';
 import { Hyperlink } from '../components/Hyperlink';
+import { resolveAndScanDepGraph } from '../services/dep-graph';
 import { queryOSV, getOSVSeverity, getFixedVersion } from '../services/osv';
 import { getPackageInfo } from '../services/contract';
 import { detectTyposquatBatch } from '../services/typosquat';
@@ -13,10 +14,12 @@ import { callLLMRaw, getAgentConfigs, uploadCheckReportToFileverse } from '@opm/
 import * as fs from 'fs';
 import * as path from 'path';
-type Phase = 'scanning' | 'agents' | 'upload' | 'done';
+type Phase = 'graph' | 'scanning' | 'agents' | 'upload' | 'done';
 export function CheckCommand() {
-  const [phase, setPhase] = useState<Phase>('scanning');
+  const [phase, setPhase] = useState<Phase>('graph');
+  const [graphStatus, setGraphStatus] = useState('Resolving...');
+  const [graph, setGraph] = useState<DepGraphResult | null>(null);
   const [report, setReport] = useState<CheckReport | null>(null);
   const [reportLink, setReportLink] = useState<string | null>(null);
   const [uploadError, setUploadError] = useState<string | null>(null);
@@ -34,6 +37,16 @@ export function CheckCommand() {
     const projectName = pkgJson.name || path.basename(process.cwd());
     const deps = Object.entries(pkgJson.dependencies || {}) as [string, string][];
     const devDeps = Object.entries(pkgJson.devDependencies || {}) as [string, string][];
+    let graphResult: DepGraphResult | null = null;
+    try {
+      graphResult = await resolveAndScanDepGraph(process.cwd(), (msg) => setGraphStatus(msg));
+      setGraph(graphResult);
+    } catch {
+      setGraphStatus('Lockfile not found — scanning direct deps only');
+    }
+    setPhase('scanning');
     const allEntries = [
       ...deps.map(([n, v]) => ({ n, v: clean(v) })),
       ...devDeps.map(([n, v]) => ({ n, v: clean(v) })),
@@ -120,10 +133,8 @@ export function CheckCommand() {
     };
     setReport(checkReport);
-    setPhase('upload');
-    if (!process.env.FILEVERSE_API_KEY) {
-      setUploadError('FILEVERSE_API_KEY not set');
-    } else {
+    if (process.env.FILEVERSE_API_KEY) {
+      setPhase('upload');
       try {
         const uploadResult = await uploadCheckReportToFileverse(checkReport);
         setReportLink(uploadResult.link);
@@ -154,22 +165,46 @@ export function CheckCommand() {
       <Header subtitle="check" />
       <Text> </Text>
-      <StatusLine label={`Scanning ${report?.totalDeps || '...'} dependencies`}
-        status={phase === 'scanning' ? 'running' : 'done'}
-        detail={phase === 'scanning' ? 'typosquats + CVEs + on-chain (parallel)' : `${report?.totalDeps} checked`} />
+      <StatusLine label="Resolving dependency tree"
+        status={phase === 'graph' ? 'running' : 'done'}
+        detail={phase === 'graph' ? graphStatus : graph
+          ? `${graph.totalDeps} deps (${graph.directDeps} direct, ${graph.transitiveDeps} transitive)`
+          : 'direct deps only'} />
+      {phase !== 'graph' && (
+        <StatusLine label={`Scanning ${report?.totalDeps || '...'} direct dependencies`}
+          status={phase === 'scanning' ? 'running' : 'done'}
+          detail={phase === 'scanning' ? 'typosquats + CVEs + on-chain' : `${report?.totalDeps} checked`} />
+      )}
-      {phase !== 'scanning' && (
+      {phase !== 'graph' && phase !== 'scanning' && (
         <StatusLine label="AI agents analyzing dependency tree"
           status={phase === 'agents' ? 'running' : 'done'}
           detail={report?.agents.length ? `${report.agents.length} agents` : undefined} />
       )}
-      {(phase === 'upload' || phase === 'done') && (
+      {process.env.FILEVERSE_API_KEY && (phase === 'upload' || phase === 'done') && (
         <StatusLine label="Upload report to Fileverse"
           status={phase === 'upload' ? 'running' : reportLink ? 'done' : 'skip'}
           detail={uploadError || undefined} />
       )}
+      {/* Dep graph flagged paths */}
+      {phase === 'done' && graph && graph.flaggedPaths.length > 0 && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Text color="white" bold> Flagged Dependency Paths ({graph.flaggedPaths.length})</Text>
+          {graph.flaggedPaths.slice(0, 15).map((fp, i) => (
+            <FlaggedPathRow key={i} fp={fp} />
+          ))}
+          {graph.flaggedPaths.length > 15 && (
+            <Box marginLeft={2} marginTop={1}>
+              <Text color="gray">... and {graph.flaggedPaths.length - 15} more</Text>
+            </Box>
+          )}
+        </Box>
+      )}
       {phase === 'done' && report && (
         <Box flexDirection="column" marginTop={1}>
           {typosquats.length > 0 && (
@@ -289,12 +324,25 @@ export function CheckCommand() {
             <Text color="gray">────────────────────────────────────────</Text>
             <Text color="white" bold> Summary</Text>
             <Box marginLeft={2} flexDirection="column">
+              {graph && (
+                <Text color="white">
+                  📦 {graph.totalDeps} deps ({graph.directDeps} direct, {graph.transitiveDeps} transitive)
+                </Text>
+              )}
               <Text>{typosquats.length > 0 ? '🔴' : '🟢'} Typosquats: {typosquats.length}</Text>
               <Text>{criticalCves.length > 0 ? '🔴' : cveWarnings.length > 0 ? '🟡' : '🟢'} CVEs: {criticalCves.length + cveWarnings.length} packages ({criticalCves.length} critical)</Text>
               <Text>{highRisk.length > 0 ? '🔴' : '🟢'} On-chain risk: {highRisk.length} high-risk</Text>
               {report.agents.length > 0 && (
                 <Text>{uniqueAgentFlags.length > 0 ? '🟡' : '🟢'} AI agents: {uniqueAgentFlags.length} flagged</Text>
               )}
+              {graph && graph.flaggedPaths.length > 0 && (
+                <Text>
+                  {graph.stats.critical > 0 ? '🔴' : '🟡'} Transitive risks: {graph.flaggedPaths.length} flagged paths
+                </Text>
+              )}
+              {graph && (
+                <Text color="gray">🔗 Merkle root: {graph.merkleRoot.slice(0, 18)}...</Text>
+              )}
             </Box>
             {reportLink && (
               <Box marginLeft={2} marginTop={1}>
@@ -318,6 +366,26 @@ export function CheckCommand() {
   );
 }
+function FlaggedPathRow({ fp }: { fp: FlaggedPath }) {
+  const sevColor = fp.severity === 'CRITICAL' ? 'red' : fp.severity === 'HIGH' ? 'red' : 'yellow';
+  const sevIcon = fp.severity === 'CRITICAL' || fp.severity === 'HIGH' ? '✖' : '⚠';
+  const chain = fp.path.slice(1).join(' → ');
+  return (
+    <Box flexDirection="column" marginLeft={2}>
+      <Box>
+        <Text color={sevColor}>{sevIcon} </Text>
+        <Text color={sevColor} bold>{fp.severity.padEnd(9)}</Text>
+        <Text color="white">{chain}</Text>
+      </Box>
+      <Box marginLeft={12}>
+        <Text color="gray">{fp.reason}</Text>
+        {fp.fix && <Text color="green"> → fix: {fp.fix}</Text>}
+      </Box>
+    </Box>
+  );
+}
 function clean(v: string): string { return String(v).replace(/^[\^~]/, ''); }
 function compareSemver(a: string, b: string): number {

package/packages/cli/src/commands/push.tsx CHANGED Viewed

@@ -10,7 +10,8 @@ import { computeChecksum, signChecksumAsync } from '../services/signature';
 import { resolveENSName } from '../services/ens';
 import { registerPackageOnChain } from '../services/contract';
 import { writeENSRecords, buildOPMRecords, readOPMRecords, createPackageSubname, setENSContenthash, parseFileverseLink, readFileverseContentHash } from '../services/ens-records';
-import { enqueueScan } from '@opm/scanner';
+import { enqueueScan, submitScoreOnChain, setReportURIOnChain } from '@opm/scanner';
+import { resolveAndScanDepGraph } from '../services/dep-graph';
 import * as fs from 'fs';
 import * as path from 'path';
 import { execSync } from 'child_process';
@@ -46,6 +47,7 @@ interface PushResult {
   ensRecordsCount?: number;
   ensSubname?: string;
   ipfsContenthash?: string;
+  merkleRoot?: string;
 }
 interface PushCommandProps {
@@ -105,10 +107,11 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
     let finalReportURI: string | undefined;
     let finalRiskScore: number | undefined;
     let finalIpfsHash: string | undefined;
+    let scanAgents: AgentEntry[] = [];
     try {
       const scanResult = await enqueueScan(name, version, (msg) =>
         setScanLogs((prev) => [...prev.slice(-8), msg]),
-        { tarballPath: tarballFile, pkgJsonPath },
+        { local: { tarballPath: tarballFile, pkgJsonPath }, skipOnChainScore: true },
       );
       const riskScore = scanResult.report.aggregate_risk_score;
@@ -116,6 +119,7 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
       finalReportURI = scanResult.reportURI;
       finalRiskScore = riskScore;
       finalIpfsHash = scanResult.ipfsHash;
+      scanAgents = scanResult.report.agents || [];
       setResult((r) => ({
         ...r,
@@ -216,11 +220,43 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
       const sigBytes = new Uint8Array(Buffer.from(signature.slice(2), 'hex'));
       const txHash = await registerPackageOnChain(name, version, checksum, sigBytes, ensName);
       setResult((r) => ({ ...r, txHash }));
+      // Submit individual agent scores now that the version exists on-chain
+      for (const agent of scanAgents) {
+        try {
+          setScanLogs((prev) => [...prev.slice(-8), `[${agent.agent_id}] Submitting score (${agent.result.risk_score}) to contract...`]);
+          await submitScoreOnChain(name, version, agent.result.risk_score, agent.result.reasoning);
+          setScanLogs((prev) => [...prev.slice(-8), `[${agent.agent_id}] Score submitted on-chain ✓`]);
+        } catch (err: any) {
+          setScanLogs((prev) => [...prev.slice(-8), `[${agent.agent_id}] Score submission: ${err?.shortMessage || err?.message || 'failed'}`]);
+        }
+      }
+      // Set report URI on-chain
+      if (finalReportURI) {
+        try {
+          await setReportURIOnChain(name, version, finalReportURI);
+          setScanLogs((prev) => [...prev.slice(-8), 'Report URI stored on-chain ✓']);
+        } catch (err: any) {
+          setScanLogs((prev) => [...prev.slice(-8), `Report URI: ${err?.shortMessage || err?.message || 'failed'}`]);
+        }
+      }
     } catch (err: any) {
       setScanLogs((prev) => [...prev, `Registration: ${err?.shortMessage || err?.message || 'failed'}`]);
     }
     updateStep('register', 'done');
+    // ── Compute dependency graph Merkle root ──
+    let merkleRoot: string | undefined;
+    try {
+      const graphResult = await resolveAndScanDepGraph(process.cwd());
+      merkleRoot = graphResult.merkleRoot;
+      setResult((r) => ({ ...r, merkleRoot }));
+      setScanLogs((prev) => [...prev.slice(-8), `Dep tree Merkle root: ${merkleRoot!.slice(0, 18)}...`]);
+    } catch {
+      setScanLogs((prev) => [...prev.slice(-8), 'Dep tree: no lockfile — skipped Merkle root']);
+    }
     // ── Write package metadata to ENS text records ──
     if (ensName) {
       updateStep('ensRecords', 'running');
@@ -236,6 +272,7 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
           reportURI: finalReportURI,
           riskScore: finalRiskScore,
           existingPackages: existingRecords.packages,
+          merkleRoot,
         });
         const writeResult = await writeENSRecords(
@@ -420,7 +457,7 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
               </Box>
               <Box>
                 <Text color="gray">Records: </Text>
-                <Text color="white">url, opm.version, opm.checksum, opm.fileverse, opm.risk_score{result.ipfsContenthash ? ', contenthash' : ''}</Text>
+                <Text color="white">url, opm.version, opm.checksum, opm.fileverse, opm.risk_score{result.merkleRoot ? ', opm.deptree' : ''}{result.ipfsContenthash ? ', contenthash' : ''}</Text>
               </Box>
               {result.ensSubname && (
                 <Box>

package/packages/cli/src/index.tsx CHANGED Viewed

@@ -16,6 +16,19 @@ const args = process.argv.slice(2);
 const command = args[0];
 const rest = args.slice(1);
+if (command === '--version' || command === '-v' || command === '-V' || command === 'version') {
+  try {
+    const fs = await import('fs');
+    const path = await import('path');
+    const pkgPath = path.resolve(__dirname, '../../../package.json');
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+    console.log(`opm v${pkg.version}`);
+  } catch {
+    console.log('opm (version unknown)');
+  }
+  process.exit(0);
+}
 function parsePackageArg(pkg?: string) {
   if (!pkg) return {};
   const atIdx = pkg.lastIndexOf('@');
@@ -138,6 +151,9 @@ function Help() {
         <Text color="gray">          view name.eth → author profile + OPM ENS records</Text>
         <Text color="gray">          pkg@name.eth → ENS-resolved safest version by author</Text>
         <Text> </Text>
+        <Text color="cyan" bold>Other:</Text>
+        <Text>  opm --version / -v       Show OPM version</Text>
+        <Text> </Text>
         <Text color="cyan" bold>Environment (install/audit/info/view need no config):</Text>
         <Text>  OPM_SIGNING_KEY        Author signing key (for push only)</Text>
         <Text>  NPM_TOKEN              npm automation token (for push only)</Text>