safe-pkg 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Georges Fouejio
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,304 @@
+# 🔒 safe-pkg
+
+**Security-first package installer with multi-layer vulnerability analysis**
+
+`safe-pkg` is a drop-in replacement for `npm install`, `yarn add`, and `pnpm add` that analyzes packages for security risks **before** installing them. It combines industry-standard vulnerability scanning with intelligent heuristics and optional AI enhancement to protect your projects from malicious packages.
+
+---
+
+## ✨ Features
+
+- 🔍 **4-Layer Security Analysis**
+  - NPM Audit integration for known vulnerabilities
+  - Package metadata analysis (downloads, age, maintainers)
+  - Suspicious script detection (postinstall hooks, dangerous commands)
+  - Heuristic pattern matching (typosquatting, malware signatures)
+
+- 🤖 **Optional AI Enhancement**
+  - Natural language security insights powered by Claude
+  - Contextual risk explanations
+  - Smart recommendations
+
+- 🎨 **Beautiful Terminal UI**
+  - Color-coded risk levels (🟢 Safe / 🟡 Caution / 🔴 Dangerous)
+  - Detailed security reports
+  - Interactive confirmation prompts
+
+- 📦 **Universal Package Manager Support**
+  - Auto-detects npm, yarn, or pnpm
+  - Seamlessly forwards commands to your package manager
+  - Works with existing workflows
+
+- 📊 **Project Scanning**
+  - Analyze all existing dependencies at once
+  - Identify risky packages in your codebase
+  - Continuous security monitoring
+
+---
+
+## 🚀 Installation
+
+### Global Installation (Recommended)
+
+```bash
+# Using npm
+npm install -g safe-pkg
+
+# Using pnpm
+pnpm add -g safe-pkg
+
+# Using yarn
+yarn global add safe-pkg
+```
+
+### Local Development
+
+```bash
+git clone https://github.com/joker7blue/safe-install.git
+cd safe-install
+pnpm install
+pnpm build
+pnpm link --global
+```
+
+---
+
+## 📖 Usage
+
+### Install Packages with Security Analysis
+
+```bash
+# Analyze and install a single package
+safe-pkg install express
+
+# Install multiple packages
+safe-pkg install react vue lodash
+
+# Save to devDependencies
+safe-pkg install -D typescript eslint
+
+# Skip analysis (direct install)
+safe-pkg install axios --skip-analysis
+```
+
+### Check a Package Without Installing
+
+```bash
+# Analyze a package before deciding to install
+safe-pkg check suspicious-package-name
+```
+
+### Scan Existing Project Dependencies
+
+```bash
+# Scan production dependencies
+safe-pkg scan
+
+# Include devDependencies
+safe-pkg scan --dev
+```
+
+### Help & Options
+
+```bash
+safe-pkg --help
+safe-pkg install --help
+safe-pkg scan --help
+```
+
+---
+
+## 🔐 Security Layers Explained
+
+### 1. **NPM Audit** (40% weight)
+- Checks for known CVEs and security advisories
+- Identifies critical, high, moderate, and low severity vulnerabilities
+- Uses official npm audit database
+
+### 2. **Metadata Analysis** (25% weight)
+- Weekly download counts (flags packages with <100 downloads)
+- Package age (warns about brand new or abandoned packages)
+- Maintainer count (flags unmaintained packages)
+- License verification
+
+### 3. **Script Detection** (25% weight)
+- Scans package.json scripts for dangerous commands
+- Detects postinstall/preinstall hooks
+- Identifies network calls, file system modifications, eval usage
+- Flags obfuscated code patterns
+
+### 4. **Heuristic Analysis** (10% weight)
+- Typosquatting detection (Levenshtein distance from popular packages)
+- Suspicious keywords ("hack", "crack", "free-premium")
+- Name pattern analysis (excessive hyphens, random characters)
+- Known malware signatures
+
+---
+
+## 🤖 AI Enhancement (Optional)
+
+Enable AI-powered insights by setting your Anthropic API key:
+
+```bash
+# Set environment variable
+export ANTHROPIC_API_KEY="sk-ant-..."
+
+# Or create a config file
+echo '{"anthropicApiKey": "sk-ant-..."}' > ~/.safe-pkgrc
+```
+
+The AI layer provides:
+- Natural language security explanations
+- Context-aware risk assessment
+- Actionable recommendations
+- Human-readable insights
+
+---
+
+## 📊 Example Output
+
+```bash
+$ safe-pkg install tiny-package-that-doesnt-exist-12345
+
+ℹ Using package manager: pnpm
+
+🔒 Security Analysis
+====================
+
+ℹ Analyzing tiny-package-that-doesnt-exist-12345...
+
+================================================================================
+📦 tiny-package-that-doesnt-exist-12345 (unknown)
+================================================================================
+
+Risk Score: 6/10
+Risk Level:  CAUTION 
+
+Recommendation:
+  ⚠️  PROCEED WITH CAUTION - Review security warnings carefully
+
+Warnings: (4)
+  🟡 MEDIUM - Low weekly downloads (0)
+     Source: metadata
+  🟠 HIGH - Package has no maintainers
+     Source: metadata
+  🟡 MEDIUM - Package has no license
+     Source: metadata
+  🟡 MEDIUM - Pattern warnings: Excessive hyphens (5)
+     Source: heuristic
+
+Analysis Details:
+  Audit: 0 vulnerabilities - Score: 0/10
+  Metadata: 0 weekly downloads, 0 days old - Score: 8/10
+     Maintainers: 0, License: No
+  Scripts: Clean - Score: 0/10
+  Heuristics: Clean - Score: 1/10
+     Patterns: Excessive hyphens (5)
+
+⚠️  Package "tiny-package-that-doesnt-exist-12345" has warnings (score: 6/10). Continue? › (y/N)
+```
+
+---
+
+## ⚙️ Configuration
+
+Create a `.safe-pkgrc` file in your project root or home directory:
+
+```json
+{
+  "anthropicApiKey": "sk-ant-...",
+  "riskThreshold": 7,
+  "autoConfirm": false
+}
+```
+
+**Options:**
+- `anthropicApiKey` - Your Anthropic API key for AI insights
+- `riskThreshold` - Minimum risk score to trigger warnings (default: 7)
+- `autoConfirm` - Skip confirmation for safe packages (default: false)
+
+---
+
+## 🛠️ Development
+
+```bash
+# Clone repository
+git clone https://github.com/joker7blue/safe-install.git
+cd safe-install
+
+# Install dependencies
+pnpm install
+
+# Build TypeScript
+pnpm build
+
+# Run linter
+pnpm check
+
+# Run tests
+pnpm test
+
+# Link globally for testing
+pnpm link --global
+```
+
+### Project Structure
+
+```
+src/
+├── cli/            # Command-line interface
+├── config/         # Configuration loader
+├── detector/       # Package manager detection
+├── executor/       # Command execution
+├── scanner/        # Security analyzers
+│   ├── auditAnalyzer.ts
+│   ├── metadataAnalyzer.ts
+│   ├── scriptAnalyzer.ts
+│   ├── heuristicAnalyzer.ts
+│   ├── aiAnalyzer.ts
+│   └── analyzePackage.ts
+├── scanner-project/  # Project dependency scanning
+├── ui/              # Terminal UI components
+└── types.ts         # TypeScript definitions
+```
+
+---
+
+## 🤝 Contributing
+
+Contributions are welcome! Please:
+
+1. Fork the repository
+2. Create a feature branch (`git checkout -b feat/amazing-feature`)
+3. Commit your changes (`git commit -m 'feat: add amazing feature'`)
+4. Push to the branch (`git push origin feat/amazing-feature`)
+5. Open a Pull Request
+
+---
+
+## 📝 License
+
+MIT © Georges Fouejio
+
+---
+
+## 🙏 Acknowledgments
+
+- Built with [TypeScript](https://www.typescriptlang.org/)
+- Styled with [Chalk](https://github.com/chalk/chalk)
+- CLI powered by [Commander.js](https://github.com/tj/commander.js)
+- AI enhancement via [Anthropic Claude](https://www.anthropic.com/)
+
+---
+
+## 🔗 Links
+
+- [GitHub Repository](https://github.com/joker7blue/safe-install)
+- [Issue Tracker](https://github.com/joker7blue/safe-install/issues)
+- [NPM Package](https://www.npmjs.com/package/safe-pkg) *(coming soon)*
+
+---
+
+## ⚠️ Disclaimer
+
+While `safe-pkg` provides multiple layers of security analysis, no automated tool can guarantee 100% protection against all security threats. Always review package source code for critical applications and report suspicious packages to the npm security team.

package/dist/cli/index.d.ts

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+/**
+ * Main CLI orchestrator
+ */
+export declare function main(): Promise<void>;

package/dist/cli/index.js

@@ -0,0 +1,135 @@
+#!/usr/bin/env node
+import chalk from "chalk";
+import { loadConfig } from "../config/loadConfig.js";
+import { detectPackageManager } from "../detector/detectPackageManager.js";
+import { runInstallCommand } from "../executor/runCommand.js";
+import { scanProject } from "../scanner-project/scanProject.js";
+import { analyzePackage } from "../scanner/analyzePackage.js";
+import { logError, logHeader, logNewline, logStep, logSuccess, } from "../ui/logger.js";
+import { askUserConfirmation } from "../ui/promptUser.js";
+import { displayRiskReport } from "../ui/riskReporter.js";
+import { parseArguments } from "./parser.js";
+/**
+ * Main CLI orchestrator
+ */
+export async function main() {
+    try {
+        // Parse command line arguments
+        const command = parseArguments(process.argv);
+        // Load configuration
+        const config = loadConfig();
+        // Handle different commands
+        if (command.action === "scan") {
+            await handleScanCommand(config, command.options);
+        }
+        else if (command.action === "check") {
+            await handleCheckCommand(command.packages[0] || "", config);
+        }
+        else if (command.action === "install") {
+            await handleInstallCommand(command.packages, config, command.options);
+        }
+        else {
+            logError("Unknown command");
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        logError(`Fatal error: ${error instanceof Error ? error.message : String(error)}`);
+        process.exit(1);
+    }
+}
+/**
+ * Handle scan command - analyze existing project dependencies
+ */
+async function handleScanCommand(config, options) {
+    logHeader("🔍 Scanning Project Dependencies");
+    logNewline();
+    const result = await scanProject(process.cwd(), config, Boolean(options.dev));
+    // Display summary
+    logNewline();
+    logHeader("Scan Results");
+    console.log(`Total packages: ${chalk.bold(result.totalPackages)}`);
+    console.log(`${chalk.green("✓")} Safe: ${chalk.green.bold(result.summary.safe)}`);
+    console.log(`${chalk.yellow("⚠")} Caution: ${chalk.yellow.bold(result.summary.caution)}`);
+    console.log(`${chalk.red("✖")} Dangerous: ${chalk.red.bold(result.summary.dangerous)}`);
+    // Show detailed reports for risky packages
+    const riskyPackages = result.reports.filter((r) => r.riskLevel !== "safe");
+    if (riskyPackages.length > 0) {
+        logNewline();
+        logHeader("⚠️  Packages Requiring Attention");
+        for (const report of riskyPackages) {
+            displayRiskReport(report);
+        }
+    }
+    else {
+        logNewline();
+        logSuccess("All packages are safe! ✨");
+    }
+}
+/**
+ * Handle check command - analyze a single package
+ */
+async function handleCheckCommand(packageName, config) {
+    if (!packageName) {
+        logError("Package name required for check command");
+        process.exit(1);
+    }
+    logHeader(`🔍 Analyzing ${packageName}`);
+    logNewline();
+    const report = await analyzePackage(packageName, config);
+    displayRiskReport(report);
+}
+/**
+ * Handle install command - analyze and install packages
+ */
+async function handleInstallCommand(packages, config, options) {
+    if (packages.length === 0) {
+        logError("No packages specified");
+        process.exit(1);
+    }
+    // Detect package manager
+    const packageManager = (await detectPackageManager(process.cwd())) || "npm";
+    logStep(`Using package manager: ${chalk.cyan(packageManager)}`);
+    logNewline();
+    // Skip analysis if requested
+    if (options.skipAnalysis) {
+        await runInstallCommand(packageManager, packages, options);
+        return;
+    }
+    // Analyze each package
+    logHeader("🔒 Security Analysis");
+    logNewline();
+    const packagesToInstall = [];
+    for (const packageName of packages) {
+        logStep(`Analyzing ${chalk.cyan(packageName)}...`);
+        const report = await analyzePackage(packageName, config);
+        displayRiskReport(report);
+        logNewline();
+        // Check if user approves
+        const shouldInstall = config.autoConfirm && report.riskLevel === "safe"
+            ? true
+            : await askUserConfirmation(packageName, report.riskLevel, report.riskScore);
+        if (shouldInstall) {
+            packagesToInstall.push(packageName);
+        }
+        else {
+            logError(`Skipping ${packageName}`);
+        }
+        logNewline();
+    }
+    // Install approved packages
+    if (packagesToInstall.length > 0) {
+        logHeader("📦 Installing Packages");
+        logNewline();
+        await runInstallCommand(packageManager, packagesToInstall, options);
+    }
+    else {
+        logError("No packages approved for installation");
+        process.exit(1);
+    }
+}
+// Run CLI if executed directly
+if (import.meta.url === `file://${process.argv[1]}`) {
+    main();
+}
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,OAAO,EACN,QAAQ,EACR,SAAS,EACT,UAAU,EACV,OAAO,EACP,UAAU,GACV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI;IACzB,IAAI,CAAC;QACJ,+BAA+B;QAC/B,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAE7C,qBAAqB;QACrB,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAE5B,4BAA4B;QAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,CAAC;aAAM,IAAI,OAAO,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YACvC,MAAM,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;QAC7D,CAAC;aAAM,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACzC,MAAM,oBAAoB,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACP,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,QAAQ,CACP,gBAAgB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACxE,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;AACF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,iBAAiB,CAC/B,MAAc,EACd,OAAgC;IAEhC,SAAS,CAAC,kCAAkC,CAAC,CAAC;IAC9C,UAAU,EAAE,CAAC;IAEb,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IAE9E,kBAAkB;IAClB,UAAU,EAAE,CAAC;IACb,SAAS,CAAC,cAAc,CAAC,CAAC;IAC1B,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CACV,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CACpE,CAAC;IACF,OAAO,CAAC,GAAG,CACV,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAC5E,CAAC;IACF,OAAO,CAAC,GAAG,CACV,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAC1E,CAAC;IAEF,2CAA2C;IAC3C,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC;IAE3E,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,UAAU,EAAE,CAAC;QACb,SAAS,CAAC,kCAAkC,CAAC,CAAC;QAC9C,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;YACpC,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;IACF,CAAC;SAAM,CAAC;QACP,UAAU,EAAE,CAAC;QACb,UAAU,CAAC,0BAA0B,CAAC,CAAC;IACxC,CAAC;AACF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAChC,WAAmB,EACnB,MAAc;IAEd,IAAI,CAAC,WAAW,EAAE,CAAC;QAClB,QAAQ,CAAC,yCAAyC,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,SAAS,CAAC,gBAAgB,WAAW,EAAE,CAAC,CAAC;IACzC,UAAU,EAAE,CAAC;IAEb,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACzD,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,oBAAoB,CAClC,QAAkB,EAClB,MAAc,EACd,OAAgC;IAEhC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,uBAAuB,CAAC,CAAC;QAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,yBAAyB;IACzB,MAAM,cAAc,GAAG,CAAC,MAAM,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,KAAK,CAAC;IAC5E,OAAO,CAAC,0BAA0B,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;IAChE,UAAU,EAAE,CAAC;IAEb,6BAA6B;IAC7B,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,iBAAiB,CAAC,cAAc,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC3D,OAAO;IACR,CAAC;IAED,uBAAuB;IACvB,SAAS,CAAC,sBAAsB,CAAC,CAAC;IAClC,UAAU,EAAE,CAAC;IAEb,MAAM,iBAAiB,GAAa,EAAE,CAAC;IAEvC,KAAK,MAAM,WAAW,IAAI,QAAQ,EAAE,CAAC;QACpC,OAAO,CAAC,aAAa,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAEzD,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC1B,UAAU,EAAE,CAAC;QAEb,yBAAyB;QACzB,MAAM,aAAa,GAClB,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS,KAAK,MAAM;YAChD,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,MAAM,mBAAmB,CACzB,WAAW,EACX,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,SAAS,CAChB,CAAC;QAEL,IAAI,aAAa,EAAE,CAAC;YACnB,iBAAiB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACP,QAAQ,CAAC,YAAY,WAAW,EAAE,CAAC,CAAC;QACrC,CAAC;QAED,UAAU,EAAE,CAAC;IACd,CAAC;IAED,4BAA4B;IAC5B,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QACpC,UAAU,EAAE,CAAC;QACb,MAAM,iBAAiB,CAAC,cAAc,EAAE,iBAAiB,EAAE,OAAO,CAAC,CAAC;IACrE,CAAC;SAAM,CAAC;QACP,QAAQ,CAAC,uCAAuC,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;AACF,CAAC;AAED,+BAA+B;AAC/B,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACrD,IAAI,EAAE,CAAC;AACR,CAAC"}

package/dist/cli/parser.d.ts

@@ -0,0 +1,5 @@
+import type { CommandConfig } from "../types.js";
+/**
+ * Parse CLI arguments and return structured command config
+ */
+export declare function parseArguments(argv: string[]): CommandConfig;

package/dist/cli/parser.js

@@ -0,0 +1,61 @@
+import { Command } from "commander";
+/**
+ * Parse CLI arguments and return structured command config
+ */
+export function parseArguments(argv) {
+    const program = new Command();
+    let commandConfig = {
+        action: "help",
+        packages: [],
+        options: {},
+    };
+    program
+        .name("safe-pkg")
+        .description("Secure package installer with built-in security analysis")
+        .version("0.0.1");
+    // Install command (default action)
+    program
+        .command("install [packages...]", { isDefault: true })
+        .alias("i")
+        .alias("add")
+        .description("Install packages after security analysis")
+        .option("-D, --save-dev", "Save to devDependencies")
+        .option("-g, --global", "Install globally")
+        .option("--skip-analysis", "Skip security analysis")
+        .option("--auto-yes", "Automatically proceed with safe packages")
+        .action((packages, options) => {
+        commandConfig = {
+            action: "install",
+            packages,
+            options,
+        };
+    });
+    // Scan command
+    program
+        .command("scan")
+        .description("Scan existing project dependencies")
+        .option("--dev", "Include devDependencies")
+        .option("--json", "Output as JSON")
+        .action((options) => {
+        commandConfig = {
+            action: "scan",
+            packages: [],
+            options,
+        };
+    });
+    // Check command
+    program
+        .command("check <package>")
+        .description("Check a single package without installing")
+        .action((packageName) => {
+        commandConfig = {
+            action: "check",
+            packages: [packageName],
+            options: {},
+        };
+    });
+    // Parse argv
+    program.parse(argv);
+    return commandConfig;
+}
+//# sourceMappingURL=parser.js.map

package/dist/cli/parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.js","sourceRoot":"","sources":["../../src/cli/parser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAc;IAC5C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAE9B,IAAI,aAAa,GAAkB;QAClC,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,EAAE;QACZ,OAAO,EAAE,EAAE;KACX,CAAC;IAEF,OAAO;SACL,IAAI,CAAC,UAAU,CAAC;SAChB,WAAW,CAAC,0DAA0D,CAAC;SACvE,OAAO,CAAC,OAAO,CAAC,CAAC;IAEnB,mCAAmC;IACnC,OAAO;SACL,OAAO,CAAC,uBAAuB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;SACrD,KAAK,CAAC,GAAG,CAAC;SACV,KAAK,CAAC,KAAK,CAAC;SACZ,WAAW,CAAC,0CAA0C,CAAC;SACvD,MAAM,CAAC,gBAAgB,EAAE,yBAAyB,CAAC;SACnD,MAAM,CAAC,cAAc,EAAE,kBAAkB,CAAC;SAC1C,MAAM,CAAC,iBAAiB,EAAE,wBAAwB,CAAC;SACnD,MAAM,CAAC,YAAY,EAAE,0CAA0C,CAAC;SAChE,MAAM,CAAC,CAAC,QAAkB,EAAE,OAAgC,EAAE,EAAE;QAChE,aAAa,GAAG;YACf,MAAM,EAAE,SAAS;YACjB,QAAQ;YACR,OAAO;SACP,CAAC;IACH,CAAC,CAAC,CAAC;IAEJ,eAAe;IACf,OAAO;SACL,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,oCAAoC,CAAC;SACjD,MAAM,CAAC,OAAO,EAAE,yBAAyB,CAAC;SAC1C,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,CAAC,OAAgC,EAAE,EAAE;QAC5C,aAAa,GAAG;YACf,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,EAAE;YACZ,OAAO;SACP,CAAC;IACH,CAAC,CAAC,CAAC;IAEJ,gBAAgB;IAChB,OAAO;SACL,OAAO,CAAC,iBAAiB,CAAC;SAC1B,WAAW,CAAC,2CAA2C,CAAC;SACxD,MAAM,CAAC,CAAC,WAAmB,EAAE,EAAE;QAC/B,aAAa,GAAG;YACf,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,CAAC,WAAW,CAAC;YACvB,OAAO,EAAE,EAAE;SACX,CAAC;IACH,CAAC,CAAC,CAAC;IAEJ,aAAa;IACb,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEpB,OAAO,aAAa,CAAC;AACtB,CAAC"}

package/dist/config/index.d.ts

@@ -0,0 +1 @@
+export * from "./loadConfig.js";

package/dist/config/index.js

@@ -0,0 +1,3 @@
+// Config barrel exports
+export * from "./loadConfig.js";
+//# sourceMappingURL=index.js.map

package/dist/config/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA,wBAAwB;AACxB,cAAc,iBAAiB,CAAC"}

package/dist/config/loadConfig.d.ts

@@ -0,0 +1,5 @@
+import type { Config } from "../types.js";
+/**
+ * Load configuration from environment variables or config file
+ */
+export declare function loadConfig(): Config;

package/dist/config/loadConfig.js

@@ -0,0 +1,49 @@
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+/**
+ * Load configuration from environment variables or config file
+ */
+export function loadConfig() {
+    // Default config
+    const config = {
+        riskThreshold: 7,
+        autoConfirm: false,
+    };
+    // Check for API key in environment variable
+    const envApiKey = process.env.ANTHROPIC_API_KEY;
+    if (envApiKey) {
+        config.anthropicApiKey = envApiKey;
+    }
+    // Try to load from config file if no env var
+    if (!config.anthropicApiKey) {
+        const configFromFile = loadConfigFile();
+        if (configFromFile.anthropicApiKey) {
+            config.anthropicApiKey = configFromFile.anthropicApiKey;
+        }
+    }
+    return config;
+}
+/**
+ * Load configuration from file (.safe-pkgrc or ~/.safe-pkgrc)
+ */
+function loadConfigFile() {
+    const configPaths = [
+        join(process.cwd(), ".safe-pkgrc"),
+        join(homedir(), ".safe-pkgrc"),
+    ];
+    for (const configPath of configPaths) {
+        if (existsSync(configPath)) {
+            try {
+                const content = readFileSync(configPath, "utf-8");
+                const config = JSON.parse(content);
+                return config;
+            }
+            catch (error) {
+                // Invalid JSON or read error, skip to next file
+            }
+        }
+    }
+    return {};
+}
+//# sourceMappingURL=loadConfig.js.map

package/dist/config/loadConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loadConfig.js","sourceRoot":"","sources":["../../src/config/loadConfig.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC;;GAEG;AACH,MAAM,UAAU,UAAU;IACzB,iBAAiB;IACjB,MAAM,MAAM,GAAW;QACtB,aAAa,EAAE,CAAC;QAChB,WAAW,EAAE,KAAK;KAClB,CAAC;IAEF,4CAA4C;IAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAChD,IAAI,SAAS,EAAE,CAAC;QACf,MAAM,CAAC,eAAe,GAAG,SAAS,CAAC;IACpC,CAAC;IAED,6CAA6C;IAC7C,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;QAC7B,MAAM,cAAc,GAAG,cAAc,EAAE,CAAC;QACxC,IAAI,cAAc,CAAC,eAAe,EAAE,CAAC;YACpC,MAAM,CAAC,eAAe,GAAG,cAAc,CAAC,eAAe,CAAC;QACzD,CAAC;IACF,CAAC;IAED,OAAO,MAAM,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,cAAc;IACtB,MAAM,WAAW,GAAG;QACnB,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC;QAClC,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC;KAC9B,CAAC;IAEF,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACtC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACJ,MAAM,OAAO,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACnC,OAAO,MAAyB,CAAC;YAClC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,gDAAgD;YACjD,CAAC;QACF,CAAC;IACF,CAAC;IAED,OAAO,EAAE,CAAC;AACX,CAAC"}

package/dist/detector/detectPackageManager.d.ts

@@ -0,0 +1,14 @@
+import type { PackageManager } from "../types.js";
+/**
+ * Detect package manager from lock files in the given directory
+ * Priority: pnpm > yarn > npm
+ */
+export declare function detectPackageManager(cwd?: string): Promise<PackageManager>;
+/**
+ * Check if a specific package manager is available
+ */
+export declare function isPackageManagerAvailable(manager: PackageManager): Promise<boolean>;
+/**
+ * Get the version of a package manager
+ */
+export declare function getPackageManagerVersion(manager: PackageManager): Promise<string | null>;