osv-security-cli 0.1.0

package/dist/bin/osv-security.js

@@ -0,0 +1,1268 @@
+#!/usr/bin/env node
+
+// bin/osv-security.ts
+import { Command } from "commander";
+import { writeFile } from "fs/promises";
+import { resolve as resolve2 } from "path";
+
+// src/config/loader.ts
+import { readFile } from "fs/promises";
+import { resolve } from "path";
+import { parse } from "yaml";
+
+// src/config/schema.ts
+import { z } from "zod";
+var ProtectedPackageSchema = z.object({
+  package: z.string(),
+  constraint: z.string(),
+  reason: z.string()
+});
+var RuntimeConfigSchema = z.object({
+  php: z.string(),
+  laravel: z.string(),
+  node: z.string(),
+  package_manager_php: z.string(),
+  package_manager_js: z.string(),
+  execution: z.enum(["docker", "local"]),
+  docker_service: z.string(),
+  test_command: z.string(),
+  build_commands: z.object({
+    frontend: z.string(),
+    backend: z.string()
+  })
+});
+var SafeUpdatePolicySchema = z.object({
+  allow_patch_and_minor_within_constraints: z.boolean(),
+  require_authorization_for_constraint_change: z.boolean(),
+  authorization_format: z.string()
+});
+var ProjectConfigSchema = z.object({
+  project: z.object({
+    name: z.string(),
+    client: z.string()
+  }),
+  runtime: RuntimeConfigSchema,
+  protected_packages: z.object({
+    composer: z.array(ProtectedPackageSchema),
+    npm: z.array(ProtectedPackageSchema)
+  }),
+  safe_update_policy: SafeUpdatePolicySchema,
+  conflict_resolution: z.string()
+});
+
+// src/utils/errors.ts
+var ConfigLoadError = class extends Error {
+  constructor(message, path) {
+    super(message);
+    this.path = path;
+    this.name = "ConfigLoadError";
+  }
+};
+var EnvironmentError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EnvironmentError";
+  }
+};
+var PhaseError = class extends Error {
+  constructor(message, phase, cause) {
+    super(message);
+    this.phase = phase;
+    this.cause = cause;
+    this.name = "PhaseError";
+  }
+};
+var GateValidationError = class extends Error {
+  constructor(message, gate, errors) {
+    super(message);
+    this.gate = gate;
+    this.errors = errors;
+    this.name = "GateValidationError";
+  }
+};
+
+// src/config/loader.ts
+var DEFAULT_CONFIG_PATH = ".github/agents/project-config.yml";
+async function loadConfig(configPath, cwd = process.cwd()) {
+  const absolutePath = resolve(cwd, configPath);
+  let raw;
+  try {
+    raw = await readFile(absolutePath, "utf-8");
+  } catch (err) {
+    throw new ConfigLoadError(
+      `Cannot read config file: ${absolutePath}`,
+      absolutePath
+    );
+  }
+  let parsed;
+  try {
+    parsed = parse(raw);
+  } catch (err) {
+    throw new ConfigLoadError(
+      `Invalid YAML in config file: ${absolutePath}`,
+      absolutePath
+    );
+  }
+  const result = ProjectConfigSchema.safeParse(parsed);
+  if (!result.success) {
+    const issues = result.error.issues.map((i) => `  ${i.path.join(".")}: ${i.message}`).join("\n");
+    throw new ConfigLoadError(
+      `Config validation failed in ${absolutePath}:
+${issues}`,
+      absolutePath
+    );
+  }
+  return result.data;
+}
+
+// src/config/generator.ts
+import { stringify } from "yaml";
+function generateConfigYaml(opts = {}) {
+  const config = {
+    project: {
+      name: opts.projectName ?? "My Laravel Project",
+      client: opts.client ?? "Client Name"
+    },
+    runtime: {
+      php: opts.phpVersion ?? "8.2",
+      laravel: opts.laravelVersion ?? "10.x",
+      node: opts.nodeVersion ?? "20.x",
+      package_manager_php: "composer",
+      package_manager_js: "npm",
+      execution: opts.execution ?? "docker",
+      docker_service: opts.dockerService ?? "app",
+      test_command: opts.testCommand ?? "php artisan test --compact",
+      build_commands: {
+        frontend: opts.frontendBuildCommand ?? "npm run development-frontend",
+        backend: opts.backendBuildCommand ?? "npm run development-backend"
+      }
+    },
+    protected_packages: {
+      composer: [
+        {
+          package: "laravel/framework",
+          constraint: "^10.0",
+          reason: "Major upgrade to Laravel 11 requires a dedicated project"
+        },
+        {
+          package: "livewire/livewire",
+          constraint: "^2.12",
+          reason: "Livewire 3 has breaking API changes; do not migrate without a project"
+        }
+      ],
+      npm: [
+        {
+          package: "alpinejs",
+          constraint: "^3.10.2",
+          reason: "Alpine v4 may have breaking syntax changes"
+        },
+        {
+          package: "tailwindcss",
+          constraint: "^3.3.3",
+          reason: "Tailwind v4 has breaking config and migration requirements"
+        }
+      ]
+    },
+    safe_update_policy: {
+      allow_patch_and_minor_within_constraints: true,
+      require_authorization_for_constraint_change: true,
+      authorization_format: "sim, confirmo breaking changes para [vendor/pacote]"
+    },
+    conflict_resolution: "stop_and_ask"
+  };
+  const header = [
+    "# OSV Security CLI \u2014 project configuration",
+    "# Generated by: osv-security init",
+    "# Documentation: https://github.com/google/osv-scanner",
+    "#",
+    "# - protected_packages: packages that must never be auto-upgraded beyond their constraint",
+    "# - safe_update_policy: patch/minor within constraints are auto-safe; constraint changes require authorization",
+    ""
+  ].join("\n");
+  return header + stringify(config, { lineWidth: 0 });
+}
+
+// src/executor/local-executor.ts
+import { execa } from "execa";
+var LocalExecutor = class {
+  dryRun;
+  environment = "local";
+  constructor(options = {}) {
+    this.dryRun = options.dryRun ?? false;
+  }
+  async run(command, options = {}) {
+    if (this.dryRun) {
+      return {
+        stdout: "",
+        stderr: "",
+        exitCode: 0,
+        command,
+        dryRun: true
+      };
+    }
+    try {
+      const result = await execa(command, {
+        shell: true,
+        cwd: options.cwd,
+        timeout: options.timeout,
+        env: options.env ? { ...process.env, ...options.env } : process.env,
+        reject: false
+      });
+      return {
+        stdout: result.stdout ?? "",
+        stderr: result.stderr ?? "",
+        exitCode: result.exitCode ?? 1,
+        command,
+        dryRun: false
+      };
+    } catch (err) {
+      return {
+        stdout: "",
+        stderr: err instanceof Error ? err.message : String(err),
+        exitCode: 1,
+        command,
+        dryRun: false
+      };
+    }
+  }
+};
+
+// src/executor/docker-executor.ts
+import { execa as execa2 } from "execa";
+var DockerExecutor = class {
+  constructor(service, options = {}) {
+    this.service = service;
+    this.dryRun = options.dryRun ?? false;
+  }
+  dryRun;
+  environment = "docker";
+  async run(command, options = {}) {
+    const dockerCommand = `docker-compose exec -T ${this.service} sh -c "${command.replace(/"/g, '\\"')}"`;
+    if (this.dryRun) {
+      return {
+        stdout: "",
+        stderr: "",
+        exitCode: 0,
+        command: dockerCommand,
+        dryRun: true
+      };
+    }
+    try {
+      const result = await execa2(dockerCommand, {
+        shell: true,
+        cwd: options.cwd,
+        timeout: options.timeout,
+        env: options.env ? { ...process.env, ...options.env } : process.env,
+        reject: false
+      });
+      return {
+        stdout: result.stdout ?? "",
+        stderr: result.stderr ?? "",
+        exitCode: result.exitCode ?? 1,
+        command: dockerCommand,
+        dryRun: false
+      };
+    } catch (err) {
+      return {
+        stdout: "",
+        stderr: err instanceof Error ? err.message : String(err),
+        exitCode: 1,
+        command: dockerCommand,
+        dryRun: false
+      };
+    }
+  }
+};
+
+// src/utils/logger.ts
+var LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+var currentLevel = "info";
+function setLogLevel(level) {
+  currentLevel = level;
+}
+function shouldLog(level) {
+  return LEVELS[level] >= LEVELS[currentLevel];
+}
+function format(level, message) {
+  const prefix = {
+    debug: "[DEBUG]",
+    info: "[INFO] ",
+    warn: "[WARN] ",
+    error: "[ERROR]"
+  };
+  return `${prefix[level]} ${message}`;
+}
+var logger = {
+  debug(message) {
+    if (shouldLog("debug")) process.stderr.write(format("debug", message) + "\n");
+  },
+  info(message) {
+    if (shouldLog("info")) process.stderr.write(format("info", message) + "\n");
+  },
+  warn(message) {
+    if (shouldLog("warn")) process.stderr.write(format("warn", message) + "\n");
+  },
+  error(message) {
+    if (shouldLog("error")) process.stderr.write(format("error", message) + "\n");
+  }
+};
+
+// src/environment/detector.ts
+async function detectEnvironment(preferredEnv, dockerService, cwd, dryRun = false) {
+  if (preferredEnv === "local") {
+    logger.debug("Using local execution (configured preference)");
+    return new LocalExecutor({ dryRun });
+  }
+  const probe = new LocalExecutor();
+  const result = await probe.run(
+    `docker-compose ps ${dockerService} 2>/dev/null | grep -c "Up"`,
+    { cwd }
+  );
+  if (result.exitCode === 0 && parseInt(result.stdout.trim(), 10) > 0) {
+    logger.debug(`Using Docker execution (service: ${dockerService})`);
+    return new DockerExecutor(dockerService, { dryRun });
+  }
+  logger.warn(`Docker service "${dockerService}" not running \u2014 falling back to local execution`);
+  return new LocalExecutor({ dryRun });
+}
+
+// src/gates/validator.ts
+import { z as z2 } from "zod";
+var EcosystemScanResultSchema = z2.object({
+  vulnerabilities_total: z2.number(),
+  auto_safe: z2.number(),
+  breaking: z2.number(),
+  manual: z2.number(),
+  auto_safe_packages: z2.array(z2.string()),
+  breaking_packages: z2.array(z2.string()),
+  manual_packages: z2.array(z2.string())
+});
+var ScanResultSchema = z2.object({
+  $schema: z2.literal("osv-scan-result/v1"),
+  agent: z2.literal("osv-scanner"),
+  status: z2.enum(["success", "error", "skipped"]),
+  environment: z2.enum(["docker", "local"]),
+  php: EcosystemScanResultSchema,
+  npm: EcosystemScanResultSchema,
+  error: z2.string().nullable()
+});
+var UpdateResultSchema = z2.object({
+  $schema: z2.literal("osv-update-result/v1"),
+  agent: z2.enum(["composer-safe-update", "npm-safe-update"]),
+  status: z2.enum(["success", "error", "skipped"]),
+  packages_updated: z2.array(z2.string()),
+  packages_skipped: z2.array(z2.string()),
+  packages_pending_breaking: z2.array(z2.string()),
+  tests: z2.enum(["pass", "fail", "skipped"]),
+  tests_detail: z2.string(),
+  build_status: z2.enum(["pass", "fail", "skipped"]).optional(),
+  build_detail: z2.string().optional(),
+  error: z2.string().nullable()
+});
+function validateGateA(data) {
+  const result = ScanResultSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      valid: false,
+      gate: "A",
+      errors: result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`)
+    };
+  }
+  if (result.data.status === "error") {
+    return {
+      valid: false,
+      gate: "A",
+      errors: [`Scanner returned error: ${result.data.error ?? "unknown"}`]
+    };
+  }
+  return { valid: true, gate: "A", errors: [] };
+}
+function validateGateB(data) {
+  const result = UpdateResultSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      valid: false,
+      gate: "B",
+      errors: result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`)
+    };
+  }
+  if (result.data.agent !== "npm-safe-update") {
+    return {
+      valid: false,
+      gate: "B",
+      errors: [`Expected agent "npm-safe-update", got "${result.data.agent}"`]
+    };
+  }
+  if (result.data.status === "error") {
+    return {
+      valid: false,
+      gate: "B",
+      errors: [`npm updater returned error: ${result.data.error ?? "unknown"}`]
+    };
+  }
+  return { valid: true, gate: "B", errors: [] };
+}
+function validateGateC(data) {
+  const result = UpdateResultSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      valid: false,
+      gate: "C",
+      errors: result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`)
+    };
+  }
+  if (result.data.agent !== "composer-safe-update") {
+    return {
+      valid: false,
+      gate: "C",
+      errors: [`Expected agent "composer-safe-update", got "${result.data.agent}"`]
+    };
+  }
+  if (result.data.status === "error") {
+    return {
+      valid: false,
+      gate: "C",
+      errors: [`Composer updater returned error: ${result.data.error ?? "unknown"}`]
+    };
+  }
+  return { valid: true, gate: "C", errors: [] };
+}
+
+// src/utils/osv-commands.ts
+var OSV = {
+  scanAll: "osv-scanner --lockfile composer.lock --lockfile package-lock.json --format json",
+  scanPhp: "osv-scanner --lockfile composer.lock --format json",
+  scanNpm: "osv-scanner --lockfile package-lock.json --format json",
+  fixNpm: "osv-scanner fix --strategy=in-place -L package-lock.json",
+  checkAvailable: "osv-scanner --version"
+};
+
+// src/phases/scanner.ts
+function emptyEcosystem() {
+  return {
+    vulnerabilities_total: 0,
+    auto_safe: 0,
+    breaking: 0,
+    manual: 0,
+    auto_safe_packages: [],
+    breaking_packages: [],
+    manual_packages: []
+  };
+}
+function extractSafeVersion(vulnerabilities) {
+  for (const vuln of vulnerabilities) {
+    for (const affected of vuln.affected ?? []) {
+      for (const range of affected.ranges ?? []) {
+        for (const event of range.events ?? []) {
+          if (event.fixed) return event.fixed;
+        }
+      }
+    }
+  }
+  return null;
+}
+function classifyPackageIntoEcosystem(pkgName, pkgVersion, ecosystem, safeVersion, protectedComposer, protectedNpm, php, npm) {
+  const isPhp = ecosystem === "packagist" || ecosystem === "composer";
+  const isNpm = ecosystem === "npm";
+  const target = isPhp ? php : isNpm ? npm : null;
+  if (!target) return;
+  const isProtected = (isPhp ? protectedComposer : protectedNpm).has(pkgName);
+  const packageRef = `${pkgName}@${pkgVersion}`;
+  target.vulnerabilities_total++;
+  if (!safeVersion || isProtected) {
+    target.breaking++;
+    target.breaking_packages.push(packageRef);
+  } else {
+    target.auto_safe++;
+    target.auto_safe_packages.push(packageRef);
+  }
+}
+function parseOsvJsonOutput(stdout, config) {
+  const data = JSON.parse(stdout);
+  const php = emptyEcosystem();
+  const npm = emptyEcosystem();
+  if (!data.results) return { php, npm };
+  const protectedComposer = new Set(config.protected_packages.composer.map((p) => p.package));
+  const protectedNpm = new Set(config.protected_packages.npm.map((p) => p.package));
+  for (const result of data.results) {
+    for (const pkg of result.packages ?? []) {
+      const pkgName = pkg.package?.name ?? "";
+      const pkgVersion = pkg.package?.version ?? "";
+      const ecosystem = pkg.package?.ecosystem?.toLowerCase() ?? "";
+      const safeVersion = extractSafeVersion(pkg.vulnerabilities ?? []);
+      classifyPackageIntoEcosystem(
+        pkgName,
+        pkgVersion,
+        ecosystem,
+        safeVersion,
+        protectedComposer,
+        protectedNpm,
+        php,
+        npm
+      );
+    }
+  }
+  return { php, npm };
+}
+async function assertOsvScannerAvailable(runner, cwd) {
+  const result = await runner.run(OSV.checkAvailable, { cwd });
+  if (result.exitCode !== 0) {
+    throw new EnvironmentError(
+      "osv-scanner not found. Install it with: brew install osv-scanner (macOS) or see https://github.com/google/osv-scanner"
+    );
+  }
+}
+async function executeScan(runner, cwd) {
+  logger.debug(`Running: ${OSV.scanAll}`);
+  return runner.run(OSV.scanAll, { cwd });
+}
+async function runScanner(runner, config, cwd) {
+  logger.info("Phase 1: Running OSV vulnerability scan...");
+  const base = {
+    $schema: "osv-scan-result/v1",
+    agent: "osv-scanner",
+    status: "success",
+    environment: runner.environment,
+    php: emptyEcosystem(),
+    npm: emptyEcosystem(),
+    error: null
+  };
+  try {
+    await assertOsvScannerAvailable(runner, cwd);
+    if (runner.dryRun) {
+      logger.info(`[DRY-RUN] Would execute: ${OSV.scanAll}`);
+      return base;
+    }
+    const scanResult = await executeScan(runner, cwd);
+    if (scanResult.exitCode !== 0 && !scanResult.stdout) {
+      return {
+        ...base,
+        status: "error",
+        error: `Scan failed (exit ${scanResult.exitCode}): ${scanResult.stderr}`
+      };
+    }
+    const parsed = parseOsvJsonOutput(scanResult.stdout, config);
+    return { ...base, ...parsed };
+  } catch (err) {
+    if (err instanceof EnvironmentError) throw err;
+    throw new PhaseError(
+      `OSV scanner phase failed: ${err instanceof Error ? err.message : String(err)}`,
+      "scanner",
+      err
+    );
+  }
+}
+
+// src/utils/git.ts
+async function revertFiles(runner, files, cwd) {
+  if (files.length === 0) return;
+  const fileList = files.join(" ");
+  await runner.run(`git checkout -- ${fileList}`, { cwd });
+}
+async function isWorkingTreeClean(runner, files, cwd) {
+  const result = await runner.run(`git status --porcelain -- ${files.join(" ")}`, { cwd });
+  return result.exitCode === 0 && result.stdout.trim() === "";
+}
+
+// src/phases/npm-updater.ts
+var NPM_FILES = ["package.json", "package-lock.json"];
+async function checkCurrentState(runner, cwd) {
+  logger.debug("Running npm outdated and npm audit (informational)...");
+  await runner.run("npm outdated", { cwd });
+  await runner.run("npm audit", { cwd });
+}
+async function applyOsvFix(runner, cwd) {
+  logger.info(`Applying OSV in-place fix: ${OSV.fixNpm}`);
+  const result = await runner.run(OSV.fixNpm, { cwd });
+  if (result.exitCode !== 0) {
+    logger.warn(`osv-scanner fix exited with ${result.exitCode}: ${result.stderr}`);
+  }
+}
+async function runNpmUpdate(runner, cwd) {
+  logger.info("Running npm update...");
+  return runner.run("npm update", { cwd });
+}
+async function validateBuilds(runner, config, cwd) {
+  logger.info("Validating frontend build...");
+  const frontend = await runner.run(config.runtime.build_commands.frontend, { cwd });
+  logger.info("Validating backend build...");
+  const backend = await runner.run(config.runtime.build_commands.backend, { cwd });
+  return { frontend, backend };
+}
+async function revertNpmChanges(runner, cwd) {
+  await revertFiles(runner, NPM_FILES, cwd);
+  await runner.run("npm install", { cwd });
+}
+async function verifyResidualVulnerabilities(runner, cwd) {
+  logger.info(`Running post-update OSV verification: ${OSV.scanNpm}`);
+  await runner.run(OSV.scanNpm, { cwd });
+}
+async function runNpmUpdater(runner, config, scanResult, cwd) {
+  logger.info("Phase 2: Running npm safe updates...");
+  const base = {
+    $schema: "osv-update-result/v1",
+    agent: "npm-safe-update",
+    status: "success",
+    packages_updated: [],
+    packages_skipped: [],
+    packages_pending_breaking: scanResult.npm.breaking_packages,
+    tests: "skipped",
+    tests_detail: "Build validated; unit tests not applicable to npm phase",
+    build_status: "skipped",
+    build_detail: "",
+    error: null
+  };
+  if (runner.dryRun) {
+    logger.info(`[DRY-RUN] Would execute: ${OSV.fixNpm}`);
+    logger.info("[DRY-RUN] Would execute: npm update");
+    logger.info(`[DRY-RUN] Would execute: ${config.runtime.build_commands.frontend}`);
+    logger.info(`[DRY-RUN] Would execute: ${config.runtime.build_commands.backend}`);
+    logger.info(`[DRY-RUN] Would execute: ${OSV.scanNpm}`);
+    return { ...base, build_status: "pass", build_detail: "Dry-run \u2014 not executed" };
+  }
+  try {
+    const isClean = await isWorkingTreeClean(runner, NPM_FILES, cwd);
+    if (!isClean) {
+      return {
+        ...base,
+        status: "error",
+        error: "package.json or package-lock.json has uncommitted changes \u2014 aborting to prevent data loss on revert"
+      };
+    }
+    await checkCurrentState(runner, cwd);
+    await applyOsvFix(runner, cwd);
+    const updateResult = await runNpmUpdate(runner, cwd);
+    if (updateResult.exitCode !== 0) {
+      return {
+        ...base,
+        status: "error",
+        build_status: "fail",
+        error: `npm update failed: ${updateResult.stderr}`
+      };
+    }
+    const { frontend, backend } = await validateBuilds(runner, config, cwd);
+    if (frontend.exitCode !== 0) {
+      logger.error("Frontend build failed \u2014 reverting...");
+      await revertNpmChanges(runner, cwd);
+      return {
+        ...base,
+        status: "error",
+        build_status: "fail",
+        build_detail: `Frontend build failed: ${frontend.stderr}`,
+        error: "Frontend build failed after npm update \u2014 changes reverted"
+      };
+    }
+    if (backend.exitCode !== 0) {
+      logger.error("Backend build failed \u2014 reverting...");
+      await revertNpmChanges(runner, cwd);
+      return {
+        ...base,
+        status: "error",
+        build_status: "fail",
+        build_detail: `Backend build failed: ${backend.stderr}`,
+        error: "Backend build failed after npm update \u2014 changes reverted"
+      };
+    }
+    await verifyResidualVulnerabilities(runner, cwd);
+    return {
+      ...base,
+      packages_updated: scanResult.npm.auto_safe_packages,
+      build_status: "pass",
+      build_detail: "Frontend and backend builds passed after update"
+    };
+  } catch (err) {
+    throw new PhaseError(
+      `npm updater phase failed: ${err instanceof Error ? err.message : String(err)}`,
+      "npm-updater",
+      err
+    );
+  }
+}
+
+// src/phases/composer-updater.ts
+var COMPOSER_FILES = ["composer.json", "composer.lock"];
+function extractPackageNames(packageRefs) {
+  return packageRefs.map((ref) => {
+    const atIndex = ref.lastIndexOf("@");
+    return atIndex > 0 ? ref.slice(0, atIndex) : ref;
+  });
+}
+async function checkCurrentState2(runner, cwd) {
+  logger.debug("Running composer outdated --direct (informational)...");
+  await runner.run("composer outdated --direct", { cwd });
+}
+async function applyComposerUpdate(runner, packageNames, cwd) {
+  const pkgList = packageNames.join(" ");
+  logger.info(`Updating packages: ${pkgList}`);
+  return runner.run(`composer update ${pkgList} --no-interaction`, { cwd });
+}
+async function runTestSuite(runner, testCommand, cwd) {
+  logger.info(`Running tests: ${testCommand}`);
+  return runner.run(testCommand, { cwd });
+}
+async function revertComposerChanges(runner, cwd) {
+  await revertFiles(runner, COMPOSER_FILES, cwd);
+  await runner.run("composer install --no-interaction", { cwd });
+}
+async function verifyResidualVulnerabilities2(runner, cwd) {
+  logger.info(`Running post-update OSV verification: ${OSV.scanPhp}`);
+  await runner.run(OSV.scanPhp, { cwd });
+}
+async function runComposerUpdater(runner, config, scanResult, cwd) {
+  logger.info("Phase 3: Running Composer safe updates...");
+  const base = {
+    $schema: "osv-update-result/v1",
+    agent: "composer-safe-update",
+    status: "success",
+    packages_updated: [],
+    packages_skipped: [],
+    packages_pending_breaking: scanResult.php.breaking_packages,
+    tests: "skipped",
+    tests_detail: "",
+    error: null
+  };
+  const autoSafePackageNames = extractPackageNames(scanResult.php.auto_safe_packages);
+  if (autoSafePackageNames.length === 0) {
+    return { ...base, tests_detail: "No auto-safe packages to update" };
+  }
+  if (runner.dryRun) {
+    logger.info(`[DRY-RUN] Would execute: composer update ${autoSafePackageNames.join(" ")} --no-interaction`);
+    logger.info(`[DRY-RUN] Would execute: ${config.runtime.test_command}`);
+    logger.info(`[DRY-RUN] Would execute: ${OSV.scanPhp}`);
+    return {
+      ...base,
+      packages_updated: scanResult.php.auto_safe_packages,
+      tests_detail: "Dry-run \u2014 not executed"
+    };
+  }
+  try {
+    const isClean = await isWorkingTreeClean(runner, COMPOSER_FILES, cwd);
+    if (!isClean) {
+      return {
+        ...base,
+        status: "error",
+        error: "composer.json or composer.lock has uncommitted changes \u2014 aborting to prevent data loss on revert"
+      };
+    }
+    await checkCurrentState2(runner, cwd);
+    const updateResult = await applyComposerUpdate(runner, autoSafePackageNames, cwd);
+    if (updateResult.exitCode !== 0) {
+      return {
+        ...base,
+        status: "error",
+        tests: "skipped",
+        error: `composer update failed: ${updateResult.stderr}`
+      };
+    }
+    const testResult = await runTestSuite(runner, config.runtime.test_command, cwd);
+    if (testResult.exitCode !== 0) {
+      logger.error("Tests failed \u2014 reverting Composer updates...");
+      await revertComposerChanges(runner, cwd);
+      return {
+        ...base,
+        status: "error",
+        tests: "fail",
+        tests_detail: testResult.stdout || testResult.stderr,
+        error: "Tests failed after composer update \u2014 changes reverted"
+      };
+    }
+    await verifyResidualVulnerabilities2(runner, cwd);
+    const testDetail = testResult.stdout.trim().split("\n").slice(-2).join(" ");
+    return {
+      ...base,
+      packages_updated: scanResult.php.auto_safe_packages,
+      tests: "pass",
+      tests_detail: testDetail || "Tests passed"
+    };
+  } catch (err) {
+    throw new PhaseError(
+      `Composer updater phase failed: ${err instanceof Error ? err.message : String(err)}`,
+      "composer-updater",
+      err
+    );
+  }
+}
+
+// src/phases/orchestrator.ts
+function shouldRunPhase(phase, options) {
+  if (!options.phases) return true;
+  return options.phases.includes(phase);
+}
+async function runOrchestrator(runner, config, options) {
+  const result = {
+    scan: null,
+    npmUpdate: null,
+    composerUpdate: null,
+    overallStatus: "success"
+  };
+  if (!shouldRunPhase("scan", options)) {
+    logger.warn('Skipping scan phase \u2014 phases option does not include "scan"');
+    result.overallStatus = "skipped";
+    return result;
+  }
+  logger.info("=== Phase 1: Vulnerability Scan ===");
+  const scanResult = await runScanner(runner, config, options.cwd);
+  result.scan = scanResult;
+  const gateA = validateGateA(scanResult);
+  if (!gateA.valid) {
+    throw new GateValidationError(
+      `Gate A validation failed: ${gateA.errors.join(", ")}`,
+      "A",
+      gateA.errors
+    );
+  }
+  logger.info(
+    `Scan complete: ${scanResult.php.vulnerabilities_total} PHP vulns (${scanResult.php.auto_safe} auto-safe, ${scanResult.php.breaking} breaking), ${scanResult.npm.vulnerabilities_total} npm vulns (${scanResult.npm.auto_safe} auto-safe, ${scanResult.npm.breaking} breaking)`
+  );
+  const hasNpmUpdates = scanResult.npm.auto_safe > 0;
+  const hasPhpUpdates = scanResult.php.auto_safe > 0;
+  if (!hasNpmUpdates && !hasPhpUpdates) {
+    logger.info("No auto-safe vulnerabilities found \u2014 no updates needed");
+    return result;
+  }
+  if (shouldRunPhase("npm", options) && hasNpmUpdates) {
+    logger.info("=== Phase 2: npm Safe Updates ===");
+    const npmResult = await runNpmUpdater(runner, config, scanResult, options.cwd);
+    result.npmUpdate = npmResult;
+    const gateB = validateGateB(npmResult);
+    if (!gateB.valid) {
+      throw new GateValidationError(
+        `Gate B validation failed: ${gateB.errors.join(", ")}`,
+        "B",
+        gateB.errors
+      );
+    }
+    if (npmResult.build_status === "fail") {
+      logger.error("npm build failed \u2014 stopping before Composer phase");
+      result.overallStatus = "error";
+      return result;
+    }
+    logger.info(
+      `npm update complete: ${npmResult.packages_updated.length} packages updated`
+    );
+  } else if (!hasNpmUpdates) {
+    logger.info("Phase 2: Skipping npm update \u2014 no auto-safe npm vulnerabilities");
+  }
+  if (shouldRunPhase("composer", options) && hasPhpUpdates) {
+    logger.info("=== Phase 3: Composer Safe Updates ===");
+    const composerResult = await runComposerUpdater(runner, config, scanResult, options.cwd);
+    result.composerUpdate = composerResult;
+    const gateC = validateGateC(composerResult);
+    if (!gateC.valid) {
+      throw new GateValidationError(
+        `Gate C validation failed: ${gateC.errors.join(", ")}`,
+        "C",
+        gateC.errors
+      );
+    }
+    if (composerResult.tests === "fail") {
+      logger.error("Composer tests failed \u2014 workflow stopped");
+      result.overallStatus = "error";
+      return result;
+    }
+    logger.info(
+      `Composer update complete: ${composerResult.packages_updated.length} packages updated`
+    );
+  } else if (!hasPhpUpdates) {
+    logger.info("Phase 3: Skipping Composer update \u2014 no auto-safe PHP vulnerabilities");
+  }
+  const hasPendingItems = scanResult.php.breaking > 0 || scanResult.npm.breaking > 0 || scanResult.php.manual > 0 || scanResult.npm.manual > 0;
+  if (hasPendingItems) {
+    result.overallStatus = "error";
+  }
+  return result;
+}
+
+// src/report/consolidated.ts
+function generateConsolidatedReport(data) {
+  const lines = [];
+  lines.push(`# Security Report \u2014 ${data.projectName}`);
+  lines.push(`**Date:** ${data.date}`);
+  lines.push(`**Environment:** ${data.environment}`);
+  lines.push("");
+  lines.push("## Vulnerabilities Found");
+  const scan = data.scan;
+  const totalVulns = scan.php.vulnerabilities_total + scan.npm.vulnerabilities_total;
+  lines.push(`- **Total:** ${totalVulns}`);
+  lines.push(
+    `- **PHP (auto-safe/breaking/manual):** ${scan.php.auto_safe}/${scan.php.breaking}/${scan.php.manual}`
+  );
+  lines.push(
+    `- **npm (auto-safe/breaking/manual):** ${scan.npm.auto_safe}/${scan.npm.breaking}/${scan.npm.manual}`
+  );
+  lines.push("");
+  lines.push("## Fixes Applied");
+  if (data.npmUpdate && data.npmUpdate.packages_updated.length > 0) {
+    lines.push("### npm");
+    for (const pkg of data.npmUpdate.packages_updated) {
+      lines.push(`- ${pkg}`);
+    }
+  } else {
+    lines.push("### npm");
+    lines.push("- No packages updated");
+  }
+  lines.push("");
+  if (data.composerUpdate && data.composerUpdate.packages_updated.length > 0) {
+    lines.push("### Composer (PHP)");
+    for (const pkg of data.composerUpdate.packages_updated) {
+      lines.push(`- ${pkg}`);
+    }
+  } else {
+    lines.push("### Composer (PHP)");
+    lines.push("- No packages updated");
+  }
+  lines.push("");
+  lines.push("## Validation After Updates");
+  if (data.composerUpdate) {
+    const testStatus = data.composerUpdate.tests === "pass" ? "\u2705 PASS" : data.composerUpdate.tests === "fail" ? "\u274C FAIL" : "\u2014 skipped";
+    lines.push(`- PHP test suite: ${testStatus}`);
+    if (data.composerUpdate.tests_detail) {
+      lines.push(`  ${data.composerUpdate.tests_detail}`);
+    }
+  }
+  if (data.npmUpdate) {
+    const buildStatus = data.npmUpdate.build_status === "pass" ? "\u2705 PASS" : data.npmUpdate.build_status === "fail" ? "\u274C FAIL" : "\u2014 skipped";
+    lines.push(`- npm build: ${buildStatus}`);
+    if (data.npmUpdate.build_detail) {
+      lines.push(`  ${data.npmUpdate.build_detail}`);
+    }
+  }
+  lines.push("");
+  const pendingBreaking = [
+    ...scan.php.breaking_packages.map((p) => `[PHP] ${p}`),
+    ...scan.npm.breaking_packages.map((p) => `[npm] ${p}`)
+  ];
+  const pendingManual = [
+    ...scan.php.manual_packages.map((p) => `[PHP] ${p}`),
+    ...scan.npm.manual_packages.map((p) => `[npm] ${p}`)
+  ];
+  if (pendingBreaking.length > 0 || pendingManual.length > 0) {
+    lines.push("## Pending \u2014 Require Manual Action");
+    if (pendingBreaking.length > 0) {
+      lines.push("### Require BREAKING CHANGE (awaiting per-package authorization)");
+      for (const pkg of pendingBreaking) {
+        lines.push(`- ${pkg}`);
+        lines.push(
+          `  To authorize: "sim, confirmo breaking changes para [package]"`
+        );
+      }
+      lines.push("");
+    }
+    if (pendingManual.length > 0) {
+      lines.push("### No safe version within current constraint");
+      for (const pkg of pendingManual) {
+        lines.push(`- ${pkg}`);
+      }
+      lines.push("");
+    }
+  }
+  return lines.join("\n");
+}
+
+// src/report/executive.ts
+function monthName(date) {
+  return date.toLocaleString("en-US", { month: "long" });
+}
+function monthNamePt(date) {
+  const months = [
+    "Janeiro",
+    "Fevereiro",
+    "Mar\xE7o",
+    "Abril",
+    "Maio",
+    "Junho",
+    "Julho",
+    "Agosto",
+    "Setembro",
+    "Outubro",
+    "Novembro",
+    "Dezembro"
+  ];
+  return months[date.getMonth()];
+}
+function zeroPad(n) {
+  return String(n).padStart(2, "0");
+}
+function generateExecutiveReport(opts) {
+  const now = /* @__PURE__ */ new Date();
+  const year = now.getFullYear();
+  const month = zeroPad(now.getMonth() + 1);
+  const monthFull = monthNamePt(now);
+  const npmFixed = opts.npmUpdate?.packages_updated ?? [];
+  const composerFixed = opts.composerUpdate?.packages_updated ?? [];
+  const allFixed = [...composerFixed.map((p) => ({ type: "Composer", pkg: p })), ...npmFixed.map((p) => ({ type: "npm", pkg: p }))];
+  const npmBreaking = opts.scanBefore.npm.breaking_packages;
+  const phpBreaking = opts.scanBefore.php.breaking_packages;
+  const allPending = [
+    ...phpBreaking.map((p) => ({ type: "Composer", pkg: p })),
+    ...npmBreaking.map((p) => ({ type: "npm", pkg: p }))
+  ];
+  const hasFixed = allFixed.length > 0;
+  const hasPending = allPending.length > 0;
+  const noneFound = opts.scanBefore.php.vulnerabilities_total === 0 && opts.scanBefore.npm.vulnerabilities_total === 0;
+  const lines = [];
+  lines.push(`Cliente: ${opts.client}`);
+  lines.push(`Projeto: ${opts.project}`);
+  lines.push(`Per\xEDodo: ${monthFull} ${year}`);
+  lines.push("");
+  lines.push("---");
+  lines.push("");
+  lines.push("Tarefa");
+  lines.push("");
+  lines.push("Manuten\xE7\xE3o de Seguran\xE7a \u2014 OSV Scanner (rotina mensal)");
+  lines.push("");
+  lines.push(
+    "Verifica\xE7\xE3o mensal das depend\xEAncias instaladas (PHP/Composer e npm) para identificar pacotes com vulnerabilidades conhecidas e aplicar corre\xE7\xF5es dispon\xEDveis."
+  );
+  lines.push("");
+  lines.push("---");
+  lines.push("");
+  lines.push("Resolu\xE7\xE3o");
+  lines.push("");
+  if (noneFound) {
+    lines.push(
+      "Nenhuma vulnerabilidade foi identificada nas depend\xEAncias PHP ou npm. O projeto est\xE1 atualizado e seguro."
+    );
+  } else if (hasFixed) {
+    lines.push(
+      "Ap\xF3s a execu\xE7\xE3o da varredura, os seguintes problemas foram encontrados e corrigidos:"
+    );
+    lines.push("");
+    lines.push(
+      "| Tipo | Pacote | Vers\xE3o Corrigida | Risco |"
+    );
+    lines.push("|------|--------|-----------------|-------|");
+    for (const { type, pkg } of allFixed) {
+      lines.push(`| ${type} | ${pkg} | \u2014 | \u2014 |`);
+    }
+  }
+  if (hasPending) {
+    lines.push("");
+    lines.push(
+      "As seguintes vulnerabilidades n\xE3o puderam ser corrigidas automaticamente e permanecem pendentes:"
+    );
+    lines.push("");
+    lines.push("| Tipo | Pacote | Vers\xE3o Atual | Motivo |");
+    lines.push("|------|--------|-------------|--------|");
+    for (const { type, pkg } of allPending) {
+      lines.push(`| ${type} | ${pkg} | \u2014 | Requer mudan\xE7a disruptiva |`);
+    }
+  }
+  lines.push("");
+  lines.push("---");
+  lines.push("");
+  lines.push("Resumo");
+  lines.push("");
+  if (noneFound) {
+    lines.push(
+      "Nenhuma vulnerabilidade foi identificada nas depend\xEAncias PHP ou npm. O projeto est\xE1 atualizado e seguro."
+    );
+  } else if (hasFixed && !hasPending) {
+    lines.push(
+      "Todas as vulnerabilidades identificadas foram corrigidas. O projeto est\xE1 atualizado e seguro em rela\xE7\xE3o \xE0s suas depend\xEAncias."
+    );
+  } else if (hasFixed && hasPending) {
+    lines.push(
+      "Todas as vulnerabilidades que puderam ser corrigidas sem mudan\xE7as disruptivas foram aplicadas. Os itens listados acima requerem avalia\xE7\xE3o ou autoriza\xE7\xE3o de vers\xE3o principal."
+    );
+  } else {
+    lines.push(
+      "Vulnerabilidades identificadas requerem a\xE7\xE3o manual \u2014 nenhuma corre\xE7\xE3o autom\xE1tica foi aplicada."
+    );
+  }
+  return lines.join("\n");
+}
+function executiveReportFilename(client, project) {
+  const now = /* @__PURE__ */ new Date();
+  const year = now.getFullYear();
+  const month = String(now.getMonth() + 1).padStart(2, "0");
+  const monthEn = monthName(now);
+  return `[${client} ${project}] Report OSV Scanner - ${year}-${month} - ${monthEn}.md`;
+}
+
+// bin/osv-security.ts
+var program = new Command();
+program.name("osv-security").description("OSV vulnerability scanning and safe dependency update CLI").version("0.1.0");
+var commonOptions = (cmd) => cmd.option("-c, --config <path>", "Path to project-config.yml", DEFAULT_CONFIG_PATH).option("--cwd <path>", "Working directory", process.cwd()).option("--dry-run", "Show commands without executing", false).option("-v, --verbose", "Verbose output", false).option("-q, --quiet", "Suppress all output except errors and final report", false).option("--json", "Output results as JSON", false).option("-o, --output <path>", "Write report to file");
+program.command("init").description("Generate a project-config.yml template in the current project").option("--project-name <name>", "Project name").option("--client <name>", "Client name").option("--execution <mode>", "Execution mode: docker or local", "docker").option("--docker-service <service>", "Docker Compose service name", "app").option("--php-version <version>", "PHP version", "8.2").option("--laravel-version <version>", "Laravel version", "10.x").option("--node-version <version>", "Node.js version", "20.x").option("--test-command <cmd>", "Test command", "php artisan test --compact").option("--cwd <path>", "Working directory", process.cwd()).option("--output <path>", "Output path (default: .github/agents/project-config.yml)").option("--force", "Overwrite existing file", false).action(async (opts) => {
+  const { access, mkdir } = await import("fs/promises");
+  const { dirname } = await import("path");
+  const outputPath = opts.output ? resolve2(opts.cwd, opts.output) : resolve2(opts.cwd, DEFAULT_CONFIG_PATH);
+  if (!opts.force) {
+    try {
+      await access(outputPath);
+      process.stderr.write(
+        `File already exists: ${outputPath}
+Use --force to overwrite.
+`
+      );
+      process.exit(3);
+    } catch {
+    }
+  }
+  const yaml = generateConfigYaml({
+    projectName: opts.projectName,
+    client: opts.client,
+    execution: opts.execution,
+    dockerService: opts.dockerService,
+    phpVersion: opts.phpVersion,
+    laravelVersion: opts.laravelVersion,
+    nodeVersion: opts.nodeVersion,
+    testCommand: opts.testCommand
+  });
+  await mkdir(dirname(outputPath), { recursive: true });
+  await writeFile(outputPath, yaml, "utf-8");
+  process.stdout.write(`Created: ${outputPath}
+`);
+  process.stdout.write(`
+Next steps:
+`);
+  process.stdout.write(`  1. Edit ${outputPath} to match your project
+`);
+  process.stdout.write(`  2. Review protected_packages \u2014 add any packages that must not be auto-upgraded
+`);
+  process.stdout.write(`  3. Run: osv-security scan --cwd <your-project-dir>
+`);
+});
+commonOptions(
+  program.command("scan").description("Run vulnerability scan only (Phase 1)")
+).action(async (opts) => {
+  await runCommand("scan", opts);
+});
+commonOptions(
+  program.command("fix").description("Run full workflow: scan + npm fix + composer fix").option("--phases <phases>", "Comma-separated phases: scan,npm,composer,report", "scan,npm,composer")
+).action(async (opts) => {
+  await runCommand("fix", opts);
+});
+commonOptions(
+  program.command("executive-report").description("Generate executive report (Phase 5)").requiredOption("--client <name>", "Client name").requiredOption("--project <name>", "Project name")
+).action(async (opts) => {
+  await runCommand("executive-report", opts);
+});
+async function runCommand(command, opts) {
+  if (opts.verbose) setLogLevel("debug");
+  if (opts.quiet) setLogLevel("error");
+  let exitCode = 0;
+  try {
+    const config = await loadConfig(opts.config, opts.cwd);
+    const runner = await detectEnvironment(
+      config.runtime.execution,
+      config.runtime.docker_service,
+      opts.cwd,
+      opts.dryRun
+    );
+    if (command === "scan") {
+      const scanResult = await runScanner(runner, config, opts.cwd);
+      const output = opts.json ? JSON.stringify(scanResult, null, 2) : formatScanSummary(scanResult);
+      await writeOutput(output, opts.output);
+      if (scanResult.status === "error") exitCode = 2;
+      else if (scanResult.php.breaking > 0 || scanResult.npm.breaking > 0) exitCode = 1;
+    } else if (command === "fix") {
+      const phases = opts.phases ? opts.phases.split(",") : void 0;
+      const result = await runOrchestrator(runner, config, {
+        configPath: opts.config,
+        cwd: opts.cwd,
+        dryRun: opts.dryRun,
+        verbose: opts.verbose,
+        phases
+      });
+      if (result.scan) {
+        const report = {
+          projectName: config.project.name,
+          date: (/* @__PURE__ */ new Date()).toISOString().split("T")[0],
+          environment: runner.environment,
+          scan: result.scan,
+          npmUpdate: result.npmUpdate,
+          composerUpdate: result.composerUpdate,
+          overallStatus: result.overallStatus
+        };
+        const output = opts.json ? JSON.stringify(result, null, 2) : generateConsolidatedReport(report);
+        await writeOutput(output, opts.output);
+      }
+      if (result.overallStatus === "error") exitCode = 1;
+    } else if (command === "executive-report") {
+      const scanBefore = await runScanner(runner, config, opts.cwd);
+      const orchestratorResult = await runOrchestrator(runner, config, {
+        configPath: opts.config,
+        cwd: opts.cwd,
+        dryRun: opts.dryRun,
+        verbose: opts.verbose
+      });
+      const scanAfter = await runScanner(runner, config, opts.cwd);
+      const report = generateExecutiveReport({
+        client: opts.client,
+        project: opts.project,
+        scanBefore,
+        scanAfter,
+        npmUpdate: orchestratorResult.npmUpdate,
+        composerUpdate: orchestratorResult.composerUpdate
+      });
+      const filename = executiveReportFilename(opts.client, opts.project);
+      const reportDir = resolve2(opts.cwd, ".osv-scanner/reports");
+      const reportPath = opts.output ?? resolve2(reportDir, filename);
+      await writeOutput(report, reportPath);
+      process.stdout.write(`Report saved to: ${reportPath}
+`);
+    }
+  } catch (err) {
+    if (err instanceof ConfigLoadError) {
+      process.stderr.write(`Configuration error: ${err.message}
+`);
+      exitCode = 3;
+    } else if (err instanceof GateValidationError) {
+      process.stderr.write(`Gate ${err.gate} validation failed:
+`);
+      for (const e of err.errors) process.stderr.write(`  - ${e}
+`);
+      exitCode = 2;
+    } else if (err instanceof PhaseError) {
+      process.stderr.write(`Phase "${err.phase}" failed: ${err.message}
+`);
+      exitCode = 2;
+    } else {
+      process.stderr.write(`Unexpected error: ${err instanceof Error ? err.message : String(err)}
+`);
+      exitCode = 2;
+    }
+  }
+  process.exit(exitCode);
+}
+function formatScanSummary(scan) {
+  const lines = [
+    `## OSV Scan Report \u2014 ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}`,
+    `**Environment:** ${scan.environment}`,
+    "",
+    "### PHP (composer.lock)",
+    `- Total: ${scan.php.vulnerabilities_total}`,
+    `- Auto-safe: ${scan.php.auto_safe}`,
+    `- Breaking: ${scan.php.breaking}`,
+    `- Manual: ${scan.php.manual}`,
+    "",
+    "### npm (package-lock.json)",
+    `- Total: ${scan.npm.vulnerabilities_total}`,
+    `- Auto-safe: ${scan.npm.auto_safe}`,
+    `- Breaking: ${scan.npm.breaking}`,
+    `- Manual: ${scan.npm.manual}`
+  ];
+  if (scan.error) {
+    lines.push("", `**Warning:** ${scan.error}`);
+  }
+  return lines.join("\n");
+}
+async function writeOutput(content, outputPath) {
+  if (outputPath) {
+    const { mkdir } = await import("fs/promises");
+    const { dirname } = await import("path");
+    await mkdir(dirname(outputPath), { recursive: true });
+    await writeFile(outputPath, content, "utf-8");
+  } else {
+    process.stdout.write(content + "\n");
+  }
+}
+program.parse();
+//# sourceMappingURL=osv-security.js.map