npm - pkgxray - Versions diffs - 0.1.0 → 0.2.0 - Mend

pkgxray 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/audit.js CHANGED Viewed

@@ -5,6 +5,7 @@ const fs = require("node:fs");
 const { auditEvidence, renderMarkdown } = require("../src/auditor");
 const { guardExtension } = require("../src/quarantine");
 const { reasonAbout } = require("../src/reasoner");
+const { detectAvailableProvider, reasoningSetupHint } = require("../src/providers");
 function printUsage() {
   process.stderr.write(
@@ -19,11 +20,11 @@ function printUsage() {
       "Evidence JSON fields:",
       "  packageName, npmMetadata, githubMetadata, webPresence, sourceFiles",
       "",
-      "--reason consults an LLM as an authoritative verdict on top of the static",
-      "heuristics. Provider auto-detected from --reason-model, or pass",
-      "--reason-provider <anthropic|openai|gemini>. Defaults: anthropic +",
-      "claude-opus-4-7. Each provider needs its own env key (ANTHROPIC_API_KEY,",
-      "OPENAI_API_KEY, GEMINI_API_KEY) and SDK installed.",
+      "LLM reasoning runs automatically when any of ANTHROPIC_API_KEY,",
+      "OPENAI_API_KEY, or GEMINI_API_KEY is set AND the matching SDK is",
+      "installed (@anthropic-ai/sdk, openai, or @google/generative-ai).",
+      "Use --no-reason to force static-only, --reason-provider <name> to pin a",
+      "provider, --reason-model <id> to pin a model.",
       ""
     ].join("\n")
   );
@@ -59,6 +60,9 @@ function parseArgs(argv) {
       options.vulnerabilityCheck = false;
     } else if (arg === "--reason") {
       options.reason = true;
+    } else if (arg === "--no-reason") {
+      options.reason = false;
+      options.reasonExplicitOff = true;
     } else if (arg === "--reason-model") {
       options.reasonModel = argv[++i];
     } else if (arg === "--reason-provider") {
@@ -82,11 +86,21 @@ function readInput(file) {
   return fs.readFileSync(0, "utf8");
 }
-async function maybeReason(evidence, options) {
-  if (!options.reason) return null;
+function resolveReasonMode(options) {
+  if (options.reasonExplicitOff) return { enabled: false, autoDetected: false };
+  if (options.reason) return { enabled: true, autoDetected: false };
+  const detected = detectAvailableProvider();
+  if (detected) {
+    return { enabled: true, autoDetected: true, detectedProvider: detected.name };
+  }
+  return { enabled: false, autoDetected: false };
+}
+async function maybeReason(evidence, options, mode) {
+  if (!mode || !mode.enabled) return null;
   try {
     return await reasonAbout(evidence, {
-      provider: options.reasonProvider,
+      provider: options.reasonProvider || mode.detectedProvider,
       model: options.reasonModel,
       maxFiles: options.reasonMaxFiles
     });
@@ -114,7 +128,8 @@ async function main() {
       throw new Error("guard requires an extension reference");
     }
     const result = await guardExtension(options.reference, options);
-    if (options.reason) {
+    const reasonMode = resolveReasonMode(options);
+    if (reasonMode.enabled) {
       const evidenceForReason = {
         packageName: result.resolved && result.resolved.packageName,
         npmMetadata: result.resolved && result.resolved.npmMetadata,
@@ -122,7 +137,7 @@ async function main() {
         webPresence: null,
         sourceFiles: result.sourceFiles || {}
       };
-      const reasoning = await maybeReason(evidenceForReason, options);
+      const reasoning = await maybeReason(evidenceForReason, options, reasonMode);
       result.reasoning = reasoning;
       if (reasoning && !reasoning.error && reasoning.verdict) {
         result.decision = reasoning.verdict === "block"
@@ -131,6 +146,8 @@ async function main() {
             ? "allow"
             : "review";
       }
+    } else {
+      result.reasoningHint = reasoningSetupHint();
     }
     if (options.format === "json") {
       process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
@@ -148,14 +165,22 @@ async function main() {
   const evidence = JSON.parse(raw);
   const report = auditEvidence(evidence);
-  const reasoning = await maybeReason(evidence, options);
+  const reasonMode = resolveReasonMode(options);
+  const reasoning = await maybeReason(evidence, options, reasonMode);
+  const hint = reasonMode.enabled ? null : reasoningSetupHint();
-  const payload = reasoning ? { report, reasoning } : report;
+  const payload = reasoning
+    ? { report, reasoning }
+    : hint
+      ? { report, reasoningHint: hint }
+      : report;
   if (options.format === "json") {
     process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
   } else if (reasoning) {
     process.stdout.write(`${renderMarkdown(report)}\n\n---\n\n${renderReasoningMarkdown(reasoning)}\n`);
+  } else if (hint) {
+    process.stdout.write(`${renderMarkdown(report)}\n\n💡 ${hint}\n`);
   } else {
     process.stdout.write(`${renderMarkdown(report)}\n`);
   }
@@ -182,6 +207,8 @@ function renderGuardMarkdown(result) {
   if (result.reasoning) {
     lines.push("", "---", "", renderReasoningMarkdown(result.reasoning));
+  } else if (result.reasoningHint) {
+    lines.push("", `💡 ${result.reasoningHint}`);
   }
   return lines.join("\n");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pkgxray",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Local CLI and MCP server that audits AI-agent extensions and npm packages for supply-chain risk. Zero-dep static heuristics + sandboxed quarantine + optional multi-provider (Claude / GPT / Gemini) reasoning layer.",
   "license": "MIT",
   "author": "Jack Adams-Lovell",

package/src/providers/index.js CHANGED Viewed

@@ -37,4 +37,61 @@ function resolveProvider({ provider, model } = {}) {
   return anthropic;
 }
-module.exports = { PROVIDERS, listProviders, getProvider, detectProvider, resolveProvider };
+function tryLoadSdk(provider) {
+  try {
+    if (typeof provider._loadSdk === "function") {
+      provider._loadSdk();
+      return true;
+    }
+    // Each provider lazy-loads inside call(); fall back to a probe require here.
+    if (provider.name === "anthropic") require("@anthropic-ai/sdk");
+    else if (provider.name === "openai") require("openai");
+    else if (provider.name === "gemini") require("@google/generative-ai");
+    return true;
+  } catch (error) {
+    return false;
+  }
+}
+function detectAvailableProvider() {
+  // Priority order: anthropic, openai, gemini. First one with both env key set
+  // AND SDK loadable wins.
+  for (const name of ["anthropic", "openai", "gemini"]) {
+    const provider = PROVIDERS[name];
+    const keyPresent = Boolean(process.env[provider.envKey]);
+    if (!keyPresent) continue;
+    if (!tryLoadSdk(provider)) continue;
+    return provider;
+  }
+  return null;
+}
+function reasoningSetupHint() {
+  const missing = [];
+  for (const name of ["anthropic", "openai", "gemini"]) {
+    const provider = PROVIDERS[name];
+    if (process.env[provider.envKey]) {
+      if (!tryLoadSdk(provider)) {
+        const pkg = provider.name === "anthropic"
+          ? "@anthropic-ai/sdk"
+          : provider.name === "openai"
+            ? "openai"
+            : "@google/generative-ai";
+        return `${provider.envKey} is set but ${pkg} is not installed. Run: npm install -g ${pkg}`;
+      }
+    } else {
+      missing.push(provider.envKey);
+    }
+  }
+  return `For LLM-grade verdicts, set one of ${missing.join(" / ")} and install the matching SDK (@anthropic-ai/sdk, openai, or @google/generative-ai).`;
+}
+module.exports = {
+  PROVIDERS,
+  listProviders,
+  getProvider,
+  detectProvider,
+  resolveProvider,
+  detectAvailableProvider,
+  reasoningSetupHint
+};