safe-pkg 1.0.0

package/dist/scanner-project/readDependencies.js

@@ -0,0 +1,28 @@
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+/**
+ * Read dependencies from package.json in the project
+ */
+export function readDependencies(cwd) {
+    const packageJsonPath = join(cwd, "package.json");
+    try {
+        const content = readFileSync(packageJsonPath, "utf-8");
+        const packageJson = JSON.parse(content);
+        const deps = packageJson.dependencies || {};
+        const devDeps = packageJson.devDependencies || {};
+        return {
+            dependencies: deps,
+            devDependencies: devDeps,
+            total: Object.keys(deps).length + Object.keys(devDeps).length,
+        };
+    }
+    catch (error) {
+        // If package.json doesn't exist or can't be read, return empty
+        return {
+            dependencies: {},
+            devDependencies: {},
+            total: 0,
+        };
+    }
+}
+//# sourceMappingURL=readDependencies.js.map

package/dist/scanner-project/readDependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"readDependencies.js","sourceRoot":"","sources":["../../src/scanner-project/readDependencies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC3C,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAElD,IAAI,CAAC;QACJ,MAAM,OAAO,GAAG,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QACvD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAGrC,CAAC;QAEF,MAAM,IAAI,GAAG,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;QAElD,OAAO;YACN,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,OAAO;YACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM;SAC7D,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,+DAA+D;QAC/D,OAAO;YACN,YAAY,EAAE,EAAE;YAChB,eAAe,EAAE,EAAE;YACnB,KAAK,EAAE,CAAC;SACR,CAAC;IACH,CAAC;AACF,CAAC"}

package/dist/scanner-project/scanNodeModules.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scanner-project/scanNodeModules.js

@@ -0,0 +1,4 @@
+export {};
+// Scan node_modules directory
+// Will be implemented in Phase 5
+//# sourceMappingURL=scanNodeModules.js.map

package/dist/scanner-project/scanNodeModules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanNodeModules.js","sourceRoot":"","sources":["../../src/scanner-project/scanNodeModules.ts"],"names":[],"mappings":";AAAA,8BAA8B;AAC9B,iCAAiC"}

package/dist/scanner-project/scanProject.d.ts

@@ -0,0 +1,5 @@
+import type { Config, ProjectScanResult } from "../types.js";
+/**
+ * Scan all dependencies in the current project
+ */
+export declare function scanProject(cwd: string, config: Config, includeDevDeps?: boolean): Promise<ProjectScanResult>;

package/dist/scanner-project/scanProject.js

@@ -0,0 +1,69 @@
+import chalk from "chalk";
+import { analyzePackage } from "../scanner/analyzePackage.js";
+import { logError, logStep, logSuccess, logWarning } from "../ui/logger.js";
+import { readDependencies } from "./readDependencies.js";
+/**
+ * Scan all dependencies in the current project
+ */
+export async function scanProject(cwd, config, includeDevDeps = false) {
+    logStep("Reading project dependencies...");
+    const deps = readDependencies(cwd);
+    const allDeps = {
+        ...deps.dependencies,
+        ...(includeDevDeps ? deps.devDependencies : {}),
+    };
+    const packageNames = Object.keys(allDeps);
+    if (packageNames.length === 0) {
+        logWarning("No dependencies found in package.json");
+        return {
+            totalPackages: 0,
+            scannedPackages: 0,
+            highRiskCount: 0,
+            criticalVulnerabilities: 0,
+            reports: [],
+            summary: {
+                safe: 0,
+                caution: 0,
+                dangerous: 0,
+            },
+            scannedAt: new Date(),
+        };
+    }
+    logStep(`Analyzing ${packageNames.length} packages...\n`);
+    const reports = [];
+    let analyzed = 0;
+    // Analyze packages sequentially to avoid rate limits
+    for (const packageName of packageNames) {
+        try {
+            analyzed++;
+            process.stdout.write(chalk.gray(`  [${analyzed}/${packageNames.length}] Analyzing ${packageName}...\r`));
+            const report = await analyzePackage(packageName, config);
+            reports.push(report);
+        }
+        catch (error) {
+            // Log error but continue with other packages
+            logError(`Failed to analyze ${packageName}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    // Clear progress line
+    process.stdout.write(`${" ".repeat(80)}\r`);
+    // Count by risk level
+    const safePackages = reports.filter((r) => r.riskLevel === "safe").length;
+    const cautionPackages = reports.filter((r) => r.riskLevel === "caution").length;
+    const dangerousPackages = reports.filter((r) => r.riskLevel === "dangerous").length;
+    logSuccess(`Analyzed ${reports.length}/${packageNames.length} packages`);
+    return {
+        totalPackages: packageNames.length,
+        scannedPackages: reports.length,
+        highRiskCount: cautionPackages + dangerousPackages,
+        criticalVulnerabilities: dangerousPackages,
+        reports,
+        summary: {
+            safe: safePackages,
+            caution: cautionPackages,
+            dangerous: dangerousPackages,
+        },
+        scannedAt: new Date(),
+    };
+}
+//# sourceMappingURL=scanProject.js.map

package/dist/scanner-project/scanProject.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanProject.js","sourceRoot":"","sources":["../../src/scanner-project/scanProject.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAChC,GAAW,EACX,MAAc,EACd,cAAc,GAAG,KAAK;IAEtB,OAAO,CAAC,iCAAiC,CAAC,CAAC;IAE3C,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG;QACf,GAAG,IAAI,CAAC,YAAY;QACpB,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/C,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE1C,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,UAAU,CAAC,uCAAuC,CAAC,CAAC;QACpD,OAAO;YACN,aAAa,EAAE,CAAC;YAChB,eAAe,EAAE,CAAC;YAClB,aAAa,EAAE,CAAC;YAChB,uBAAuB,EAAE,CAAC;YAC1B,OAAO,EAAE,EAAE;YACX,OAAO,EAAE;gBACR,IAAI,EAAE,CAAC;gBACP,OAAO,EAAE,CAAC;gBACV,SAAS,EAAE,CAAC;aACZ;YACD,SAAS,EAAE,IAAI,IAAI,EAAE;SACrB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,aAAa,YAAY,CAAC,MAAM,gBAAgB,CAAC,CAAC;IAE1D,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,qDAAqD;IACrD,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACxC,IAAI,CAAC;YACJ,QAAQ,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB,KAAK,CAAC,IAAI,CACT,MAAM,QAAQ,IAAI,YAAY,CAAC,MAAM,eAAe,WAAW,OAAO,CACtE,CACD,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YACzD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,6CAA6C;YAC7C,QAAQ,CACP,qBAAqB,WAAW,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACH,CAAC;IACF,CAAC;IAED,sBAAsB;IACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;IAE5C,sBAAsB;IACtB,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAChC,CAAC,MAAM,CAAC;IACT,MAAM,iBAAiB,GAAG,OAAO,CAAC,MAAM,CACvC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,WAAW,CAClC,CAAC,MAAM,CAAC;IAET,UAAU,CAAC,YAAY,OAAO,CAAC,MAAM,IAAI,YAAY,CAAC,MAAM,WAAW,CAAC,CAAC;IAEzE,OAAO;QACN,aAAa,EAAE,YAAY,CAAC,MAAM;QAClC,eAAe,EAAE,OAAO,CAAC,MAAM;QAC/B,aAAa,EAAE,eAAe,GAAG,iBAAiB;QAClD,uBAAuB,EAAE,iBAAiB;QAC1C,OAAO;QACP,OAAO,EAAE;YACR,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,eAAe;YACxB,SAAS,EAAE,iBAAiB;SAC5B;QACD,SAAS,EAAE,IAAI,IAAI,EAAE;KACrB,CAAC;AACH,CAAC"}

package/dist/test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Test script for safe-pkg analysis engine
+ * Run with: node --loader ts-node/esm src/test.ts
+ * Or compile first: pnpm run build && node dist/test.js
+ */
+export {};

package/dist/test.js

@@ -0,0 +1,153 @@
+/**
+ * Test script for safe-pkg analysis engine
+ * Run with: node --loader ts-node/esm src/test.ts
+ * Or compile first: pnpm run build && node dist/test.js
+ */
+import { analyzePackage } from "./scanner/analyzePackage.js";
+// ============================================
+// HARDCODE YOUR ANTHROPIC API KEY HERE FOR TESTING
+// ============================================
+const ANTHROPIC_API_KEY = ""; // Add your key here: "sk-ant-..."
+// Test configuration
+const config = {
+    anthropicApiKey: ANTHROPIC_API_KEY || undefined,
+    riskThreshold: 7,
+    autoConfirm: false,
+};
+// Packages to test (mix of safe, risky, and unknown)
+const TEST_PACKAGES = [
+    // Popular, well-maintained packages (should be safe)
+    "react",
+    "express",
+    "chalk",
+    // Less popular packages (might have warnings)
+    "tiny-package-that-doesnt-exist-12345",
+    // Package with potential security concerns (if any)
+    // Add any specific packages you want to test here
+];
+/**
+ * Format and display risk report
+ */
+function displayReport(packageName, report) {
+    console.log(`\n${"=".repeat(80)}`);
+    console.log(`📦 Package: ${packageName}`);
+    console.log("=".repeat(80));
+    console.log(`\n🎯 Risk Score: ${report.riskScore}/10`);
+    console.log(`📊 Risk Level: ${report.riskLevel.toUpperCase()}`);
+    console.log(`✅ Version: ${report.version}`);
+    console.log(`🕐 Analyzed: ${report.analyzedAt.toISOString()}`);
+    // Display recommendation
+    console.log(`\n💡 Recommendation:\n   ${report.recommendation}`);
+    // Display warnings
+    if (report.warnings.length > 0) {
+        console.log(`\n⚠️  Warnings (${report.warnings.length}):`);
+        for (const warning of report.warnings) {
+            const icon = warning.severity === "critical"
+                ? "🔴"
+                : warning.severity === "high"
+                    ? "🟠"
+                    : warning.severity === "medium"
+                        ? "🟡"
+                        : "🔵";
+            console.log(`   ${icon} [${warning.severity.toUpperCase()}] ${warning.message}`);
+            console.log(`      Source: ${warning.source}`);
+        }
+    }
+    // Display analyzer details
+    console.log("\n📋 Analyzer Results:");
+    if (report.analyzers.audit) {
+        const audit = report.analyzers.audit;
+        console.log(`   • Audit: ${audit.vulnerabilityCount} vulnerabilities (score: ${audit.riskScore}/10)`);
+        if (audit.criticalCount > 0 || audit.highCount > 0) {
+            console.log(`     - ${audit.criticalCount} critical, ${audit.highCount} high`);
+        }
+    }
+    else {
+        console.log("   • Audit: N/A (failed or skipped)");
+    }
+    if (report.analyzers.metadata) {
+        const meta = report.analyzers.metadata;
+        console.log(`   • Metadata: ${meta.downloads.toLocaleString()} weekly downloads (score: ${meta.riskScore}/10)`);
+        console.log(`     - Age: ${meta.packageAge} days, Maintainers: ${meta.maintainerCount}, License: ${meta.hasLicense ? "Yes" : "No"}`);
+    }
+    else {
+        console.log("   • Metadata: N/A (failed or skipped)");
+    }
+    if (report.analyzers.script) {
+        const script = report.analyzers.script;
+        console.log(`   • Scripts: ${script.hasSuspiciousScripts ? "⚠️  Suspicious" : "✓ Clean"} (score: ${script.riskScore}/10)`);
+        if (script.suspiciousScripts.length > 0) {
+            console.log(`     - Found: ${script.suspiciousScripts.join(", ")}`);
+        }
+    }
+    else {
+        console.log("   • Scripts: N/A (failed or skipped)");
+    }
+    if (report.analyzers.heuristic) {
+        const heuristic = report.analyzers.heuristic;
+        console.log(`   • Heuristics: ${heuristic.isPotentialTyposquat ? "⚠️  Typosquat risk" : "✓ Clean"} (score: ${heuristic.riskScore}/10)`);
+        if (heuristic.suspiciousPatterns.length > 0) {
+            console.log(`     - Patterns: ${heuristic.suspiciousPatterns.join(", ")}`);
+        }
+    }
+    else {
+        console.log("   • Heuristics: N/A");
+    }
+    // Display AI insights if available
+    if (report.analyzers.aiInsights) {
+        console.log("\n🤖 AI Insights:");
+        console.log(`   ${report.analyzers.aiInsights.replace(/\n/g, "\n   ")}`);
+    }
+    else if (ANTHROPIC_API_KEY) {
+        console.log("\n🤖 AI Insights: N/A (enhancement failed)");
+    }
+    else {
+        console.log("\n🤖 AI Insights: Disabled (set ANTHROPIC_API_KEY to enable)");
+    }
+}
+/**
+ * Run tests on all packages
+ */
+async function runTests() {
+    console.log("🚀 Starting safe-pkg Analysis Engine Tests");
+    console.log(`🔑 Anthropic API: ${ANTHROPIC_API_KEY ? "✓ Enabled" : "✗ Disabled"}`);
+    console.log(`📦 Testing ${TEST_PACKAGES.length} packages...\n`);
+    const results = [];
+    for (const packageName of TEST_PACKAGES) {
+        try {
+            console.log(`\n⏳ Analyzing ${packageName}...`);
+            const report = await analyzePackage(packageName, config);
+            displayReport(packageName, report);
+            results.push({ package: packageName, success: true });
+        }
+        catch (error) {
+            console.error(`\n❌ Error analyzing ${packageName}:`, error);
+            results.push({
+                package: packageName,
+                success: false,
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    // Summary
+    console.log(`\n${"=".repeat(80)}`);
+    console.log("📊 TEST SUMMARY");
+    console.log("=".repeat(80));
+    const successful = results.filter((r) => r.success).length;
+    const failed = results.filter((r) => !r.success).length;
+    console.log(`✅ Successful: ${successful}/${TEST_PACKAGES.length}`);
+    console.log(`❌ Failed: ${failed}/${TEST_PACKAGES.length}`);
+    if (failed > 0) {
+        console.log("\nFailed packages:");
+        for (const result of results.filter((r) => !r.success)) {
+            console.log(`   • ${result.package}: ${result.error}`);
+        }
+    }
+    console.log("\n✨ Tests completed!\n");
+}
+// Run tests
+runTests().catch((error) => {
+    console.error("Fatal error running tests:", error);
+    process.exit(1);
+});
+//# sourceMappingURL=test.js.map

package/dist/test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"test.js","sourceRoot":"","sources":["../src/test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAG7D,+CAA+C;AAC/C,mDAAmD;AACnD,+CAA+C;AAC/C,MAAM,iBAAiB,GAAG,EAAE,CAAC,CAAC,kCAAkC;AAEhE,qBAAqB;AACrB,MAAM,MAAM,GAAW;IACtB,eAAe,EAAE,iBAAiB,IAAI,SAAS;IAC/C,aAAa,EAAE,CAAC;IAChB,WAAW,EAAE,KAAK;CAClB,CAAC;AAEF,qDAAqD;AACrD,MAAM,aAAa,GAAG;IACrB,qDAAqD;IACrD,OAAO;IACP,SAAS;IACT,OAAO;IAEP,8CAA8C;IAC9C,sCAAsC;IAEtC,oDAAoD;IACpD,kDAAkD;CAClD,CAAC;AAEF;;GAEG;AACH,SAAS,aAAa,CAAC,WAAmB,EAAE,MAAkB;IAC7D,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACnC,OAAO,CAAC,GAAG,CAAC,eAAe,WAAW,EAAE,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAE5B,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,SAAS,KAAK,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAE/D,yBAAyB;IACzB,OAAO,CAAC,GAAG,CAAC,4BAA4B,MAAM,CAAC,cAAc,EAAE,CAAC,CAAC;IAEjE,mBAAmB;IACnB,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,CAAC;QAC3D,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACvC,MAAM,IAAI,GACT,OAAO,CAAC,QAAQ,KAAK,UAAU;gBAC9B,CAAC,CAAC,IAAI;gBACN,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,MAAM;oBAC5B,CAAC,CAAC,IAAI;oBACN,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,QAAQ;wBAC9B,CAAC,CAAC,IAAI;wBACN,CAAC,CAAC,IAAI,CAAC;YACX,OAAO,CAAC,GAAG,CACV,MAAM,IAAI,KAAK,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,OAAO,EAAE,CACnE,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,iBAAiB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAChD,CAAC;IACF,CAAC;IAED,2BAA2B;IAC3B,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IAEtC,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC;QACrC,OAAO,CAAC,GAAG,CACV,eAAe,KAAK,CAAC,kBAAkB,4BAA4B,KAAK,CAAC,SAAS,MAAM,CACxF,CAAC;QACF,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,IAAI,KAAK,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;YACpD,OAAO,CAAC,GAAG,CACV,UAAU,KAAK,CAAC,aAAa,cAAc,KAAK,CAAC,SAAS,OAAO,CACjE,CAAC;QACH,CAAC;IACF,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC;QACvC,OAAO,CAAC,GAAG,CACV,kBAAkB,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,6BAA6B,IAAI,CAAC,SAAS,MAAM,CAClG,CAAC;QACF,OAAO,CAAC,GAAG,CACV,eAAe,IAAI,CAAC,UAAU,uBAAuB,IAAI,CAAC,eAAe,cAAc,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CACvH,CAAC;IACH,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;IACvD,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC;QACvC,OAAO,CAAC,GAAG,CACV,iBAAiB,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,YAAY,MAAM,CAAC,SAAS,MAAM,CAC7G,CAAC;QACF,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrE,CAAC;IACF,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC;QAC7C,OAAO,CAAC,GAAG,CACV,oBAAoB,SAAS,CAAC,oBAAoB,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,SAAS,YAAY,SAAS,CAAC,SAAS,MAAM,CAC1H,CAAC;QACF,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7C,OAAO,CAAC,GAAG,CACV,oBAAoB,SAAS,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC7D,CAAC;QACH,CAAC;IACF,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACrC,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1E,CAAC;SAAM,IAAI,iBAAiB,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;IAC3D,CAAC;SAAM,CAAC;QACP,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;IAC7E,CAAC;AACF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,QAAQ;IACtB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;IAC1D,OAAO,CAAC,GAAG,CACV,qBAAqB,iBAAiB,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,EAAE,CACrE,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,cAAc,aAAa,CAAC,MAAM,gBAAgB,CAAC,CAAC;IAEhE,MAAM,OAAO,GAIR,EAAE,CAAC;IAER,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,iBAAiB,WAAW,KAAK,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YACzD,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,uBAAuB,WAAW,GAAG,EAAE,KAAK,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC;gBACZ,OAAO,EAAE,WAAW;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC7D,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;IAED,UAAU;IACV,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACnC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC/B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,iBAAiB,UAAU,IAAI,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,IAAI,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3D,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAClC,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,OAAO,CAAC,GAAG,CAAC,QAAQ,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;IACF,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;AACvC,CAAC;AAED,YAAY;AACZ,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IAC1B,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC,CAAC,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,133 @@
+/**
+ * Supported package managers
+ */
+export type PackageManager = "npm" | "yarn" | "pnpm";
+/**
+ * Risk levels for package analysis
+ */
+export type RiskLevel = "safe" | "caution" | "dangerous";
+/**
+ * Analyzer type that performed the analysis
+ */
+export type AnalyzerType = "audit" | "metadata" | "script" | "heuristic" | "ai";
+/**
+ * Individual warning from an analyzer
+ */
+export interface Warning {
+    message: string;
+    severity: "low" | "medium" | "high" | "critical";
+    source: AnalyzerType;
+}
+/**
+ * Result from npm audit analysis
+ */
+export interface AuditResult {
+    vulnerabilityCount: number;
+    criticalCount: number;
+    highCount: number;
+    moderateCount: number;
+    lowCount: number;
+    vulnerabilities: Array<{
+        name: string;
+        severity: "low" | "moderate" | "high" | "critical";
+        via: string;
+    }>;
+    riskScore: number;
+}
+/**
+ * Result from package metadata analysis
+ */
+export interface MetadataScore {
+    version: string;
+    downloads: number;
+    lastPublishDate: Date;
+    maintainerCount: number;
+    hasLicense: boolean;
+    packageAge: number;
+    riskScore: number;
+}
+/**
+ * Result from script detection analysis
+ */
+export interface ScriptRisk {
+    hasSuspiciousScripts: boolean;
+    suspiciousScripts: string[];
+    dangerousCommands: string[];
+    riskScore: number;
+}
+/**
+ * Result from heuristic analysis
+ */
+export interface HeuristicScore {
+    suspiciousPatterns: string[];
+    isPotentialTyposquat: boolean;
+    riskScore: number;
+}
+/**
+ * Complete risk report for a package
+ */
+export interface RiskReport {
+    packageName: string;
+    version: string;
+    riskScore: number;
+    riskLevel: RiskLevel;
+    warnings: Warning[];
+    recommendation: string;
+    analyzers: {
+        audit?: AuditResult;
+        metadata?: MetadataScore;
+        script?: ScriptRisk;
+        heuristic?: HeuristicScore;
+        aiInsights?: string;
+    };
+    analyzedAt: Date;
+}
+/**
+ * Analysis result (can include errors)
+ */
+export interface AnalysisResult {
+    success: boolean;
+    report?: RiskReport;
+    error?: string;
+}
+/**
+ * Parsed command configuration
+ */
+export interface CommandConfig {
+    action: "install" | "scan" | "check" | "help";
+    packages: string[];
+    options: Record<string, unknown>;
+    packageManager?: PackageManager;
+}
+/**
+ * List of dependencies from package.json
+ */
+export interface DependencyList {
+    dependencies: Record<string, string>;
+    devDependencies: Record<string, string>;
+    total: number;
+}
+/**
+ * Result from project scan
+ */
+export interface ProjectScanResult {
+    totalPackages: number;
+    scannedPackages: number;
+    highRiskCount: number;
+    criticalVulnerabilities: number;
+    reports: RiskReport[];
+    summary: {
+        safe: number;
+        caution: number;
+        dangerous: number;
+    };
+    scannedAt: Date;
+}
+/**
+ * Configuration loaded from env or file
+ */
+export interface Config {
+    anthropicApiKey?: string;
+    riskThreshold: number;
+    autoConfirm: boolean;
+}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/ui/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./logger.js";
+export * from "./riskReporter.js";
+export * from "./promptUser.js";
+export * from "./scanReporter.js";

package/dist/ui/index.js

@@ -0,0 +1,6 @@
+// UI barrel exports
+export * from "./logger.js";
+export * from "./riskReporter.js";
+export * from "./promptUser.js";
+export * from "./scanReporter.js";
+//# sourceMappingURL=index.js.map

package/dist/ui/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/ui/index.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,cAAc,aAAa,CAAC;AAC5B,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,mBAAmB,CAAC"}

package/dist/ui/logger.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Log a step/info message
+ */
+export declare function logStep(message: string): void;
+/**
+ * Log a success message
+ */
+export declare function logSuccess(message: string): void;
+/**
+ * Log a warning message
+ */
+export declare function logWarning(message: string): void;
+/**
+ * Log an error message
+ */
+export declare function logError(message: string): void;
+/**
+ * Log a section header
+ */
+export declare function logHeader(message: string): void;
+/**
+ * Log blank line for spacing
+ */
+export declare function logNewline(): void;

package/dist/ui/logger.js

@@ -0,0 +1,39 @@
+import chalk from "chalk";
+/**
+ * Log a step/info message
+ */
+export function logStep(message) {
+    console.log(chalk.blue("ℹ"), message);
+}
+/**
+ * Log a success message
+ */
+export function logSuccess(message) {
+    console.log(chalk.green("✔"), message);
+}
+/**
+ * Log a warning message
+ */
+export function logWarning(message) {
+    console.log(chalk.yellow("⚠"), message);
+}
+/**
+ * Log an error message
+ */
+export function logError(message) {
+    console.log(chalk.red("✖"), message);
+}
+/**
+ * Log a section header
+ */
+export function logHeader(message) {
+    console.log(`\n${chalk.bold.cyan(message)}`);
+    console.log(chalk.gray("=".repeat(Math.min(message.length, 80))));
+}
+/**
+ * Log blank line for spacing
+ */
+export function logNewline() {
+    console.log();
+}
+//# sourceMappingURL=logger.js.map

package/dist/ui/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/ui/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,OAAe;IACtC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe;IACzC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe;IACzC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAe;IACvC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,OAAe;IACxC,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU;IACzB,OAAO,CAAC,GAAG,EAAE,CAAC;AACf,CAAC"}

package/dist/ui/promptUser.d.ts

@@ -0,0 +1,12 @@
+import type { RiskLevel } from "../types.js";
+/**
+ * Ask user for confirmation before installing a package
+ */
+export declare function askUserConfirmation(packageName: string, riskLevel: RiskLevel, riskScore: number): Promise<boolean>;
+/**
+ * Ask user which packages to install from a list
+ */
+export declare function selectPackagesToInstall(packages: Array<{
+    name: string;
+    safe: boolean;
+}>): Promise<string[]>;

package/dist/ui/promptUser.js

@@ -0,0 +1,50 @@
+import chalk from "chalk";
+import prompts from "prompts";
+/**
+ * Ask user for confirmation before installing a package
+ */
+export async function askUserConfirmation(packageName, riskLevel, riskScore) {
+    // Auto-deny for dangerous packages
+    if (riskLevel === "dangerous") {
+        const response = await prompts({
+            type: "confirm",
+            name: "proceed",
+            message: chalk.red.bold(`Package "${packageName}" is DANGEROUS (score: ${riskScore}/10). Install anyway?`),
+            initial: false,
+        });
+        return response.proceed ?? false;
+    }
+    // Warn for caution packages
+    if (riskLevel === "caution") {
+        const response = await prompts({
+            type: "confirm",
+            name: "proceed",
+            message: chalk.yellow(`Package "${packageName}" has warnings (score: ${riskScore}/10). Continue?`),
+            initial: false,
+        });
+        return response.proceed ?? false;
+    }
+    // Auto-proceed for safe packages (but can be overridden by config)
+    return true;
+}
+/**
+ * Ask user which packages to install from a list
+ */
+export async function selectPackagesToInstall(packages) {
+    const choices = packages.map((pkg) => ({
+        title: pkg.safe
+            ? `${chalk.green("✓")} ${pkg.name}`
+            : `${chalk.red("✖")} ${pkg.name}`,
+        value: pkg.name,
+        selected: pkg.safe,
+    }));
+    const response = await prompts({
+        type: "multiselect",
+        name: "packages",
+        message: "Select packages to install:",
+        choices,
+        hint: "Space to select, Enter to confirm",
+    });
+    return response.packages ?? [];
+}
+//# sourceMappingURL=promptUser.js.map

package/dist/ui/promptUser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"promptUser.js","sourceRoot":"","sources":["../../src/ui/promptUser.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,OAAO,MAAM,SAAS,CAAC;AAG9B;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACxC,WAAmB,EACnB,SAAoB,EACpB,SAAiB;IAEjB,mCAAmC;IACnC,IAAI,SAAS,KAAK,WAAW,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC;YAC9B,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,CACtB,YAAY,WAAW,0BAA0B,SAAS,uBAAuB,CACjF;YACD,OAAO,EAAE,KAAK;SACd,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,OAAO,IAAI,KAAK,CAAC;IAClC,CAAC;IAED,4BAA4B;IAC5B,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC;YAC9B,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,KAAK,CAAC,MAAM,CACpB,YAAY,WAAW,0BAA0B,SAAS,iBAAiB,CAC3E;YACD,OAAO,EAAE,KAAK;SACd,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,OAAO,IAAI,KAAK,CAAC;IAClC,CAAC;IAED,mEAAmE;IACnE,OAAO,IAAI,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC5C,QAAgD;IAEhD,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACtC,KAAK,EAAE,GAAG,CAAC,IAAI;YACd,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE;YACnC,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE;QAClC,KAAK,EAAE,GAAG,CAAC,IAAI;QACf,QAAQ,EAAE,GAAG,CAAC,IAAI;KAClB,CAAC,CAAC,CAAC;IAEJ,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC;QAC9B,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,6BAA6B;QACtC,OAAO;QACP,IAAI,EAAE,mCAAmC;KACzC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC;AAChC,CAAC"}

package/dist/ui/riskReporter.d.ts

@@ -0,0 +1,5 @@
+import type { RiskReport } from "../types.js";
+/**
+ * Display a comprehensive risk report for a single package
+ */
+export declare function displayRiskReport(report: RiskReport): void;