toolip 1.0.6 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (308) hide show
  1. package/README.md +189 -448
  2. package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
  3. package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
  4. package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
  5. package/dist/src/analyzers/ast/rules.d.ts +48 -0
  6. package/dist/src/analyzers/ast/rules.js +39 -0
  7. package/dist/src/analyzers/ast/rules.js.map +1 -0
  8. package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
  9. package/dist/src/analyzers/ast/source-analysis.js +225 -0
  10. package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
  11. package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
  12. package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
  13. package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
  14. package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
  15. package/dist/src/analyzers/docker/analyzer.js +103 -0
  16. package/dist/src/analyzers/docker/analyzer.js.map +1 -0
  17. package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
  18. package/dist/src/analyzers/git-history/analyzer.js +157 -0
  19. package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
  20. package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
  21. package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
  22. package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
  23. package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
  24. package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
  25. package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
  26. package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
  27. package/dist/src/analyzers/reachability/import-graph.js +110 -0
  28. package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
  29. package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
  30. package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
  31. package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
  32. package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
  33. package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
  34. package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
  35. package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
  36. package/dist/src/analyzers/vulnerability/severity.js +13 -0
  37. package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
  38. package/dist/src/application/analyzer-runner.d.ts +12 -0
  39. package/dist/src/application/analyzer-runner.js +45 -0
  40. package/dist/src/application/analyzer-runner.js.map +1 -0
  41. package/dist/src/commands/alternatives.d.ts +2 -0
  42. package/dist/src/commands/alternatives.js +17 -0
  43. package/dist/src/commands/alternatives.js.map +1 -0
  44. package/dist/src/commands/announce.d.ts +2 -0
  45. package/dist/src/commands/announce.js +27 -0
  46. package/dist/src/commands/announce.js.map +1 -0
  47. package/dist/src/commands/ast-scan.d.ts +2 -0
  48. package/dist/src/commands/ast-scan.js +86 -0
  49. package/dist/src/commands/ast-scan.js.map +1 -0
  50. package/dist/src/commands/audit-repo.d.ts +2 -0
  51. package/dist/src/commands/audit-repo.js +20 -0
  52. package/dist/src/commands/audit-repo.js.map +1 -0
  53. package/dist/src/commands/compare.d.ts +2 -0
  54. package/dist/src/commands/compare.js +19 -0
  55. package/dist/src/commands/compare.js.map +1 -0
  56. package/dist/src/commands/config.d.ts +2 -0
  57. package/dist/src/commands/config.js +69 -0
  58. package/dist/src/commands/config.js.map +1 -0
  59. package/dist/src/commands/dependency-confusion.d.ts +2 -0
  60. package/dist/src/commands/dependency-confusion.js +37 -0
  61. package/dist/src/commands/dependency-confusion.js.map +1 -0
  62. package/dist/src/commands/diff.d.ts +2 -0
  63. package/dist/src/commands/diff.js +24 -0
  64. package/dist/src/commands/diff.js.map +1 -0
  65. package/dist/src/commands/docker-scan.d.ts +2 -0
  66. package/dist/src/commands/docker-scan.js +34 -0
  67. package/dist/src/commands/docker-scan.js.map +1 -0
  68. package/dist/src/commands/doctor.d.ts +2 -0
  69. package/dist/src/commands/doctor.js +42 -0
  70. package/dist/src/commands/doctor.js.map +1 -0
  71. package/dist/src/commands/git-audit.d.ts +2 -0
  72. package/dist/src/commands/git-audit.js +37 -0
  73. package/dist/src/commands/git-audit.js.map +1 -0
  74. package/dist/src/commands/git-history.d.ts +2 -0
  75. package/dist/src/commands/git-history.js +40 -0
  76. package/dist/src/commands/git-history.js.map +1 -0
  77. package/dist/src/commands/history.d.ts +2 -0
  78. package/dist/src/commands/history.js +69 -0
  79. package/dist/src/commands/history.js.map +1 -0
  80. package/dist/src/commands/hook.d.ts +2 -0
  81. package/dist/src/commands/hook.js +16 -0
  82. package/dist/src/commands/hook.js.map +1 -0
  83. package/dist/src/commands/inspect.d.ts +2 -0
  84. package/dist/src/commands/inspect.js +24 -0
  85. package/dist/src/commands/inspect.js.map +1 -0
  86. package/dist/src/commands/install-scripts.d.ts +2 -0
  87. package/dist/src/commands/install-scripts.js +52 -0
  88. package/dist/src/commands/install-scripts.js.map +1 -0
  89. package/dist/src/commands/learn.d.ts +2 -0
  90. package/dist/src/commands/learn.js +42 -0
  91. package/dist/src/commands/learn.js.map +1 -0
  92. package/dist/src/commands/licenses.d.ts +2 -0
  93. package/dist/src/commands/licenses.js +40 -0
  94. package/dist/src/commands/licenses.js.map +1 -0
  95. package/dist/src/commands/mcp.d.ts +2 -0
  96. package/dist/src/commands/mcp.js +10 -0
  97. package/dist/src/commands/mcp.js.map +1 -0
  98. package/dist/src/commands/monorepo.d.ts +2 -0
  99. package/dist/src/commands/monorepo.js +21 -0
  100. package/dist/src/commands/monorepo.js.map +1 -0
  101. package/dist/src/commands/package-health.d.ts +2 -0
  102. package/dist/src/commands/package-health.js +50 -0
  103. package/dist/src/commands/package-health.js.map +1 -0
  104. package/dist/src/commands/pre-commit.d.ts +2 -0
  105. package/dist/src/commands/pre-commit.js +37 -0
  106. package/dist/src/commands/pre-commit.js.map +1 -0
  107. package/dist/src/commands/profile.d.ts +2 -0
  108. package/dist/src/commands/profile.js +18 -0
  109. package/dist/src/commands/profile.js.map +1 -0
  110. package/dist/src/commands/publish.d.ts +2 -0
  111. package/dist/src/commands/publish.js +25 -0
  112. package/dist/src/commands/publish.js.map +1 -0
  113. package/dist/src/commands/reachability.d.ts +2 -0
  114. package/dist/src/commands/reachability.js +47 -0
  115. package/dist/src/commands/reachability.js.map +1 -0
  116. package/dist/src/commands/sbom.d.ts +2 -0
  117. package/dist/src/commands/sbom.js +33 -0
  118. package/dist/src/commands/sbom.js.map +1 -0
  119. package/dist/src/commands/scan.d.ts +2 -0
  120. package/dist/src/commands/scan.js +48 -0
  121. package/dist/src/commands/scan.js.map +1 -0
  122. package/dist/src/commands/score.d.ts +2 -0
  123. package/dist/src/commands/score.js +24 -0
  124. package/dist/src/commands/score.js.map +1 -0
  125. package/dist/src/commands/self-test.d.ts +2 -0
  126. package/dist/src/commands/self-test.js +63 -0
  127. package/dist/src/commands/self-test.js.map +1 -0
  128. package/dist/src/commands/tree.d.ts +2 -0
  129. package/dist/src/commands/tree.js +21 -0
  130. package/dist/src/commands/tree.js.map +1 -0
  131. package/dist/src/commands/upgrade-pr.d.ts +2 -0
  132. package/dist/src/commands/upgrade-pr.js +15 -0
  133. package/dist/src/commands/upgrade-pr.js.map +1 -0
  134. package/dist/src/commands/vault.d.ts +2 -0
  135. package/dist/src/commands/vault.js +86 -0
  136. package/dist/src/commands/vault.js.map +1 -0
  137. package/dist/src/commands/vulnerabilities.d.ts +2 -0
  138. package/dist/src/commands/vulnerabilities.js +42 -0
  139. package/dist/src/commands/vulnerabilities.js.map +1 -0
  140. package/dist/src/commands/watch.d.ts +2 -0
  141. package/dist/src/commands/watch.js +34 -0
  142. package/dist/src/commands/watch.js.map +1 -0
  143. package/dist/src/config/version.d.ts +6 -0
  144. package/dist/src/config/version.js +29 -0
  145. package/dist/src/config/version.js.map +1 -0
  146. package/dist/src/contracts/analyzer.d.ts +23 -0
  147. package/dist/src/contracts/analyzer.js +2 -0
  148. package/dist/src/contracts/analyzer.js.map +1 -0
  149. package/dist/src/contracts/finding.d.ts +35 -0
  150. package/dist/src/contracts/finding.js +13 -0
  151. package/dist/src/contracts/finding.js.map +1 -0
  152. package/dist/src/contracts/report.d.ts +30 -0
  153. package/dist/src/contracts/report.js +2 -0
  154. package/dist/src/contracts/report.js.map +1 -0
  155. package/dist/src/contracts/rule.d.ts +12 -0
  156. package/dist/src/contracts/rule.js +7 -0
  157. package/dist/src/contracts/rule.js.map +1 -0
  158. package/dist/src/core/alternatives.d.ts +8 -0
  159. package/dist/src/core/alternatives.js +35 -0
  160. package/dist/src/core/alternatives.js.map +1 -0
  161. package/dist/src/core/analyze-package.d.ts +2 -0
  162. package/dist/src/core/analyze-package.js +49 -0
  163. package/dist/src/core/analyze-package.js.map +1 -0
  164. package/dist/src/core/announce/generate.d.ts +9 -0
  165. package/dist/src/core/announce/generate.js +19 -0
  166. package/dist/src/core/announce/generate.js.map +1 -0
  167. package/dist/src/core/compare-packages.d.ts +7 -0
  168. package/dist/src/core/compare-packages.js +19 -0
  169. package/dist/src/core/compare-packages.js.map +1 -0
  170. package/dist/src/core/config/load.d.ts +3 -0
  171. package/dist/src/core/config/load.js +21 -0
  172. package/dist/src/core/config/load.js.map +1 -0
  173. package/dist/src/core/config/policy.d.ts +3 -0
  174. package/dist/src/core/config/policy.js +48 -0
  175. package/dist/src/core/config/policy.js.map +1 -0
  176. package/dist/src/core/config/schema.d.ts +172 -0
  177. package/dist/src/core/config/schema.js +84 -0
  178. package/dist/src/core/config/schema.js.map +1 -0
  179. package/dist/src/core/dependencies/inventory.d.ts +9 -0
  180. package/dist/src/core/dependencies/inventory.js +43 -0
  181. package/dist/src/core/dependencies/inventory.js.map +1 -0
  182. package/dist/src/core/dependency-scan.d.ts +17 -0
  183. package/dist/src/core/dependency-scan.js +70 -0
  184. package/dist/src/core/dependency-scan.js.map +1 -0
  185. package/dist/src/core/dependency-tree.d.ts +16 -0
  186. package/dist/src/core/dependency-tree.js +19 -0
  187. package/dist/src/core/dependency-tree.js.map +1 -0
  188. package/dist/src/core/dependency-types.d.ts +17 -0
  189. package/dist/src/core/dependency-types.js +2 -0
  190. package/dist/src/core/dependency-types.js.map +1 -0
  191. package/dist/src/core/diff/security-diff.d.ts +10 -0
  192. package/dist/src/core/diff/security-diff.js +20 -0
  193. package/dist/src/core/diff/security-diff.js.map +1 -0
  194. package/dist/src/core/file-walker.d.ts +6 -0
  195. package/dist/src/core/file-walker.js +27 -0
  196. package/dist/src/core/file-walker.js.map +1 -0
  197. package/dist/src/core/git-audit.d.ts +12 -0
  198. package/dist/src/core/git-audit.js +111 -0
  199. package/dist/src/core/git-audit.js.map +1 -0
  200. package/dist/src/core/github/remote-audit.d.ts +5 -0
  201. package/dist/src/core/github/remote-audit.js +28 -0
  202. package/dist/src/core/github/remote-audit.js.map +1 -0
  203. package/dist/src/core/github/upgrade-pr.d.ts +4 -0
  204. package/dist/src/core/github/upgrade-pr.js +41 -0
  205. package/dist/src/core/github/upgrade-pr.js.map +1 -0
  206. package/dist/src/core/history/git-metadata.d.ts +5 -0
  207. package/dist/src/core/history/git-metadata.js +37 -0
  208. package/dist/src/core/history/git-metadata.js.map +1 -0
  209. package/dist/src/core/history/store.d.ts +5 -0
  210. package/dist/src/core/history/store.js +65 -0
  211. package/dist/src/core/history/store.js.map +1 -0
  212. package/dist/src/core/history/types.d.ts +27 -0
  213. package/dist/src/core/history/types.js +2 -0
  214. package/dist/src/core/history/types.js.map +1 -0
  215. package/dist/src/core/hooks.d.ts +1 -0
  216. package/dist/src/core/hooks.js +14 -0
  217. package/dist/src/core/hooks.js.map +1 -0
  218. package/dist/src/core/learn.d.ts +11 -0
  219. package/dist/src/core/learn.js +163 -0
  220. package/dist/src/core/learn.js.map +1 -0
  221. package/dist/src/core/license-analysis.d.ts +18 -0
  222. package/dist/src/core/license-analysis.js +98 -0
  223. package/dist/src/core/license-analysis.js.map +1 -0
  224. package/dist/src/core/load-toolip-ignore.d.ts +5 -0
  225. package/dist/src/core/load-toolip-ignore.js +35 -0
  226. package/dist/src/core/load-toolip-ignore.js.map +1 -0
  227. package/dist/src/core/monorepo/discover.d.ts +7 -0
  228. package/dist/src/core/monorepo/discover.js +49 -0
  229. package/dist/src/core/monorepo/discover.js.map +1 -0
  230. package/dist/src/core/npm-registry.d.ts +3 -0
  231. package/dist/src/core/npm-registry.js +5 -0
  232. package/dist/src/core/npm-registry.js.map +1 -0
  233. package/dist/src/core/pre-commit.d.ts +11 -0
  234. package/dist/src/core/pre-commit.js +22 -0
  235. package/dist/src/core/pre-commit.js.map +1 -0
  236. package/dist/src/core/profile-project.d.ts +23 -0
  237. package/dist/src/core/profile-project.js +119 -0
  238. package/dist/src/core/profile-project.js.map +1 -0
  239. package/dist/src/core/publish/html.d.ts +6 -0
  240. package/dist/src/core/publish/html.js +44 -0
  241. package/dist/src/core/publish/html.js.map +1 -0
  242. package/dist/src/core/read-dependencies.d.ts +2 -0
  243. package/dist/src/core/read-dependencies.js +24 -0
  244. package/dist/src/core/read-dependencies.js.map +1 -0
  245. package/dist/src/core/report-writer.d.ts +5 -0
  246. package/dist/src/core/report-writer.js +61 -0
  247. package/dist/src/core/report-writer.js.map +1 -0
  248. package/dist/src/core/report.d.ts +34 -0
  249. package/dist/src/core/report.js +26 -0
  250. package/dist/src/core/report.js.map +1 -0
  251. package/dist/src/core/risk-score.d.ts +5 -0
  252. package/dist/src/core/risk-score.js +14 -0
  253. package/dist/src/core/risk-score.js.map +1 -0
  254. package/dist/src/core/sbom/generate.d.ts +2 -0
  255. package/dist/src/core/sbom/generate.js +120 -0
  256. package/dist/src/core/sbom/generate.js.map +1 -0
  257. package/dist/src/core/scanner-context.d.ts +12 -0
  258. package/dist/src/core/scanner-context.js +27 -0
  259. package/dist/src/core/scanner-context.js.map +1 -0
  260. package/dist/src/core/score.d.ts +13 -0
  261. package/dist/src/core/score.js +44 -0
  262. package/dist/src/core/score.js.map +1 -0
  263. package/dist/src/core/security-doctor.d.ts +12 -0
  264. package/dist/src/core/security-doctor.js +158 -0
  265. package/dist/src/core/security-doctor.js.map +1 -0
  266. package/dist/src/core/security-patterns.d.ts +14 -0
  267. package/dist/src/core/security-patterns.js +139 -0
  268. package/dist/src/core/security-patterns.js.map +1 -0
  269. package/dist/src/core/typosquat.d.ts +6 -0
  270. package/dist/src/core/typosquat.js +50 -0
  271. package/dist/src/core/typosquat.js.map +1 -0
  272. package/dist/src/core/vault.d.ts +48 -0
  273. package/dist/src/core/vault.js +127 -0
  274. package/dist/src/core/vault.js.map +1 -0
  275. package/dist/src/core/watch/watch.d.ts +5 -0
  276. package/dist/src/core/watch/watch.js +49 -0
  277. package/dist/src/core/watch/watch.js.map +1 -0
  278. package/dist/src/errors/toolip-error.d.ts +8 -0
  279. package/dist/src/errors/toolip-error.js +11 -0
  280. package/dist/src/errors/toolip-error.js.map +1 -0
  281. package/dist/src/index.d.ts +2 -0
  282. package/dist/src/index.js +89 -0
  283. package/dist/src/index.js.map +1 -0
  284. package/dist/src/mcp/server.d.ts +1 -0
  285. package/dist/src/mcp/server.js +64 -0
  286. package/dist/src/mcp/server.js.map +1 -0
  287. package/dist/src/providers/depsdev/client.d.ts +71 -0
  288. package/dist/src/providers/depsdev/client.js +44 -0
  289. package/dist/src/providers/depsdev/client.js.map +1 -0
  290. package/dist/src/providers/osv/client.d.ts +15 -0
  291. package/dist/src/providers/osv/client.js +51 -0
  292. package/dist/src/providers/osv/client.js.map +1 -0
  293. package/dist/src/providers/osv/types.d.ts +38 -0
  294. package/dist/src/providers/osv/types.js +2 -0
  295. package/dist/src/providers/osv/types.js.map +1 -0
  296. package/dist/src/storage/memory-cache.d.ts +7 -0
  297. package/dist/src/storage/memory-cache.js +25 -0
  298. package/dist/src/storage/memory-cache.js.map +1 -0
  299. package/dist/src/utils/error-handler.d.ts +1 -0
  300. package/dist/src/utils/error-handler.js +24 -0
  301. package/dist/src/utils/error-handler.js.map +1 -0
  302. package/dist/src/utils/output.d.ts +6 -0
  303. package/dist/src/utils/output.js +72 -0
  304. package/dist/src/utils/output.js.map +1 -0
  305. package/dist/src/utils/package-output.d.ts +4 -0
  306. package/dist/src/utils/package-output.js +40 -0
  307. package/dist/src/utils/package-output.js.map +1 -0
  308. package/package.json +13 -8
package/README.md CHANGED
@@ -1,599 +1,340 @@
1
1
  # Toolip
2
2
 
3
- <p align="center">
4
- <strong>Developer-First Supply Chain Security, Security Hygiene, and Secrets Management CLI</strong>
5
- </p>
3
+ Developer-first supply-chain security, dependency intelligence, security auditing, Git safety, and encrypted local secrets management from the terminal.
6
4
 
7
- <p align="center">
8
- Dependency Intelligence • Security Auditing • Secret Detection • Git Security • Learning Mode • Encrypted Vault
9
- </p>
5
+ Toolip helps developers inspect what enters their applications, identify risky code and configuration, protect credentials, understand dependency health, and improve project security without requiring a hosted account or dashboard.
10
6
 
11
- ---
7
+ ## Status
12
8
 
13
- ## Overview
9
+ The latest stable release is Toolip v2.0.0.
14
10
 
15
- Toolip is a TypeScript-powered developer security companion designed to help developers build safer software.
11
+ Toolip v2.0.0 is the current stable release. It combines local vulnerability intelligence, AST-based security analysis, supply-chain auditing, Git security, container checks, SBOM generation, configurable policy, shareable reports, GitHub workflows, and a read-only MCP server.
16
12
 
17
- Modern development relies heavily on third-party packages, environment variables, cloud credentials, CI/CD pipelines, and Git workflows. While security tooling often targets enterprise security teams, developers are frequently left with tools that identify problems without explaining them.
13
+ ## Why Toolip Exists
18
14
 
19
- Toolip takes a different approach.
15
+ Modern applications rely on large dependency graphs, external services, environment secrets, package lifecycle scripts, Git history, containers, and automated delivery pipelines. Security issues often enter through ordinary development decisions rather than obviously malicious code.
20
16
 
21
- Instead of simply reporting findings, Toolip focuses on education, remediation guidance, and practical developer workflows.
17
+ Toolip brings security checks closer to the developer. It is designed to explain findings, distinguish confidence levels, provide practical remediation, and operate locally by default.
22
18
 
23
- Toolip combines:
19
+ Toolip does not aim to replace enterprise security platforms. It focuses on useful, understandable checks developers can run during normal development.
24
20
 
25
- * Supply Chain Security
26
- * Dependency Intelligence
27
- * Developer Security Auditing
28
- * Secret Detection
29
- * Git Security
30
- * Security Scorecards
31
- * Encrypted Local Secret Storage
32
- * Security Learning Resources
21
+ ## Design Principles
33
22
 
34
- Everything runs locally.
35
-
36
- No accounts.
37
-
38
- No dashboards.
39
-
40
- No SaaS.
41
-
42
- No subscriptions.
43
-
44
- ---
45
-
46
- ## Why Toolip?
47
-
48
- Most tools stop at:
49
-
50
- ```text
51
- Security issue found.
52
- ```
53
-
54
- Toolip goes further:
55
-
56
- * What is wrong?
57
- * Why does it matter?
58
- * How risky is it?
59
- * How do you fix it?
60
- * What alternatives exist?
61
- * How can you prevent it in future?
62
-
63
- The goal is to help developers understand security while improving security posture.
64
-
65
- ---
23
+ - Local-first and privacy-conscious
24
+ - Free and useful without an account
25
+ - Deterministic analysis where possible
26
+ - Explicit confidence for heuristic findings
27
+ - Stable, machine-readable output
28
+ - Actionable remediation
29
+ - Bounded resource usage
30
+ - Opt-in remote integrations
31
+ - Verified npm release artifacts
32
+ - One shared analysis engine across every interface
66
33
 
67
34
  ## Installation
68
35
 
69
- ### npm
36
+ Install the latest stable release globally:
70
37
 
71
38
  ```bash
72
39
  npm install -g toolip
73
40
  ```
74
41
 
75
- Verify installation:
42
+ Verify the installation:
76
43
 
77
44
  ```bash
78
45
  toolip --version
46
+ toolip self-test
47
+ toolip --help
79
48
  ```
80
49
 
81
- ---
82
-
83
50
  ## Quick Start
84
51
 
85
- Analyze a project:
52
+ Profile the current project:
86
53
 
87
54
  ```bash
88
55
  toolip profile
56
+ ```
89
57
 
90
- toolip scan
58
+ Scan dependencies and project security:
91
59
 
60
+ ```bash
61
+ toolip scan
92
62
  toolip doctor
93
-
94
63
  toolip score
95
64
  ```
96
65
 
97
- Review Git hygiene:
66
+ Audit Git safety:
98
67
 
99
68
  ```bash
100
69
  toolip git-audit
101
-
102
70
  toolip pre-commit
103
71
  ```
104
72
 
105
- Inspect packages:
73
+ Inspect dependency choices:
106
74
 
107
75
  ```bash
108
76
  toolip inspect express
109
-
110
77
  toolip compare axios got
111
-
78
+ toolip licenses
79
+ toolip tree
112
80
  toolip alternatives request
113
81
  ```
114
82
 
115
- Manage secrets:
83
+ Use the local encrypted vault:
116
84
 
117
85
  ```bash
118
86
  toolip vault init
119
-
120
87
  toolip vault set DATABASE_URL
121
-
88
+ toolip vault list
122
89
  toolip vault get DATABASE_URL
123
90
  ```
124
91
 
125
- ---
126
-
127
- # Features
128
-
129
- ---
130
-
131
- ## Project Fingerprinting
132
-
133
- ```bash
134
- toolip profile
135
- ```
136
-
137
- Detects technologies used within a project.
138
-
139
- Examples:
140
-
141
- * Node.js
142
- * TypeScript
143
- * Fastify
144
- * Express
145
- * React
146
- * PostgreSQL
147
- * MongoDB
148
- * Redis
149
-
150
- Provides technology-aware recommendations.
151
-
152
- ---
153
-
154
- ## Dependency Scanning
92
+ Learn security concepts from the terminal:
155
93
 
156
94
  ```bash
157
- toolip scan
95
+ toolip learn cors
96
+ toolip learn jwt
97
+ toolip learn dependencies
158
98
  ```
159
99
 
160
- Analyzes project dependencies.
161
-
162
- Detects:
163
-
164
- * Deprecated packages
165
- * Outdated packages
166
- * High-risk packages
167
- * Dependency bloat
168
- * Supply chain concerns
169
-
170
- Provides actionable recommendations.
171
-
172
- ---
173
-
174
- ## Package Inspection
100
+ ## Current Commands
101
+
102
+ | Command | Purpose |
103
+ | --- | --- |
104
+ | `toolip self-test` | Run internal diagnostics |
105
+ | `toolip profile` | Detect project technologies and structure |
106
+ | `toolip scan` | Analyze dependency and project risk |
107
+ | `toolip vulnerabilities` | Match resolved npm dependencies against OSV.dev |
108
+ | `toolip ast-scan` | Analyze JavaScript and TypeScript through the TypeScript Compiler API |
109
+ | `toolip reachability` | Show package usage observed in source imports |
110
+ | `toolip install-scripts` | Inspect npm lifecycle scripts for suspicious behavior indicators |
111
+ | `toolip sbom` | Generate CycloneDX 1.5 or SPDX 2.3 JSON |
112
+ | `toolip history` | Inspect local security history and score trends |
113
+ | `toolip config` | Initialize and validate Toolip policy configuration |
114
+ | `toolip package-health <package> <version>` | Inspect package metadata and provenance through deps.dev |
115
+ | `toolip dependency-confusion` | Check internal-looking package names against public npm |
116
+ | `toolip git-history` | Scan local Git history for deleted or historical secrets |
117
+ | `toolip doctor` | Run security hygiene checks |
118
+ | `toolip score` | Calculate a project security score |
119
+ | `toolip inspect <package>` | Inspect npm package metadata and risk signals |
120
+ | `toolip compare <packages...>` | Compare package health and maintenance signals |
121
+ | `toolip licenses` | Analyze dependency licenses |
122
+ | `toolip alternatives <package>` | Suggest maintained package alternatives |
123
+ | `toolip tree` | Display dependency relationships |
124
+ | `toolip vault` | Manage encrypted local secrets |
125
+ | `toolip git-audit` | Audit repository and ignore-file safety |
126
+ | `toolip pre-commit` | Run blocking security checks before commit |
127
+ | `toolip hook install` | Install the Toolip pre-commit hook |
128
+ | `toolip learn [topic]` | Read secure-development lessons |
129
+ | `toolip docker-scan` | Scan Dockerfiles for risky container patterns |
130
+ | `toolip monorepo` | Discover npm and pnpm workspace packages |
131
+ | `toolip audit-repo <url>` | Audit a public GitHub repository through `gh` |
132
+ | `toolip upgrade-pr <package> <version>` | Create a tested dependency-upgrade PR |
133
+ | `toolip diff <base> [head]` | Summarize security-relevant Git changes |
134
+ | `toolip publish` | Generate a static HTML security report |
135
+ | `toolip watch` | Continuously rerun security checks as files change |
136
+ | `toolip announce` | Generate a deterministic security update summary |
137
+ | `toolip mcp` | Start the read-only Toolip MCP server over stdio |
138
+
139
+ Use command-specific help for current options:
175
140
 
176
141
  ```bash
177
- toolip inspect express
142
+ toolip doctor --help
143
+ toolip scan --help
144
+ toolip vault --help
178
145
  ```
179
146
 
180
- Displays:
147
+ ## Core Capabilities
181
148
 
182
- * Latest version
183
- * Maintainer information
184
- * Deprecation status
185
- * Package metadata
186
- * Risk score
149
+ ### Dependency Intelligence
187
150
 
188
- Useful when evaluating new dependencies.
151
+ Toolip reads project manifests and lockfiles, identifies outdated or deprecated dependencies, inspects package metadata, compares alternatives, reports license distribution, and visualizes dependency relationships.
189
152
 
190
- ---
153
+ ### AST Security Analysis
191
154
 
192
- ## Package Comparison
155
+ Toolip uses the TypeScript Compiler API for semantic dangerous-code checks. It resolves supported imports and call targets instead of treating every matching method name as the same operation.
193
156
 
194
- ```bash
195
- toolip compare axios got
196
- ```
157
+ This prevents regular-expression calls such as `RegExp.exec()` from being reported as shell execution while retaining detection of resolved `child_process.exec()`, `execSync()`, `eval()`, and dynamic `Function` construction.
197
158
 
198
- Compare multiple packages based on:
159
+ See [docs/AST-SECURITY.md](docs/AST-SECURITY.md).
199
160
 
200
- * Dependency count
201
- * Risk indicators
202
- * Maintenance activity
203
- * General package health
161
+ ### Reachability Analysis
204
162
 
205
- Useful when choosing between alternatives.
163
+ Toolip maps resolved npm packages to JavaScript and TypeScript imports. It reports observed, possibly reachable, and not-observed states without claiming that static absence proves safety.
206
164
 
207
- ---
165
+ See [docs/REACHABILITY.md](docs/REACHABILITY.md).
208
166
 
209
- ## Package Alternatives
167
+ ### Install-Script Analysis
210
168
 
211
- ```bash
212
- toolip alternatives request
213
- ```
169
+ Toolip inspects npm lifecycle scripts without executing them. It reports network access, shell execution, filesystem changes, obfuscation, and environment-access indicators with explicit confidence.
214
170
 
215
- Suggests safer or more modern replacements for packages that are:
171
+ See [docs/INSTALL-SCRIPT-ANALYSIS.md](docs/INSTALL-SCRIPT-ANALYSIS.md).
216
172
 
217
- * Deprecated
218
- * Legacy
219
- * Poorly maintained
173
+ ### Software Bill of Materials
220
174
 
221
- ---
175
+ Toolip generates CycloneDX 1.5 and SPDX 2.3 JSON documents from resolved npm dependencies.
222
176
 
223
- ## Dependency Tree Analysis
177
+ See [docs/SBOM.md](docs/SBOM.md).
224
178
 
225
- ```bash
226
- toolip tree
227
- ```
179
+ ### Security Auditing
228
180
 
229
- Provides visibility into dependency structure.
181
+ Toolip checks source and configuration files for secret exposure, unsafe execution, weak security configuration, open CORS policies, JWT risks, missing security-header verification, and other security hygiene concerns.
230
182
 
231
- Displays:
183
+ ### Git Safety
232
184
 
233
- * Dependency hierarchy
234
- * Dependency depth
235
- * Transitive relationships
185
+ Toolip audits sensitive file patterns, ignore rules, committed artifacts, and pre-commit risks. Git hooks can run Toolip checks before changes enter repository history.
236
186
 
237
- Useful when investigating package risk.
187
+ ### Local Secrets Management
238
188
 
239
- ---
189
+ Toolip Vault provides password-protected local encryption for development secrets. Vault data remains on the user's machine and does not require accounts, synchronization, or hosted storage.
240
190
 
241
- ## License Analysis
191
+ ### Security Education
242
192
 
243
- ```bash
244
- toolip licenses
245
- ```
246
-
247
- Analyzes project licensing.
248
-
249
- Provides:
250
-
251
- * License inventory
252
- * License distribution
253
- * Restrictive license warnings
193
+ Learning mode explains security concepts, common mistakes, practical risks, secure alternatives, and recommended development practices.
254
194
 
255
- ---
195
+ ### Reports
256
196
 
257
- # Security Doctor
197
+ Commands can produce terminal output and machine-readable reports for automation. Toolip v2 introduces a versioned report schema shared across scanning, history, diffs, publishing, watch mode, and MCP tools.
258
198
 
259
- ```bash
260
- toolip doctor
261
- ```
199
+ ## Architecture
262
200
 
263
- Runs a comprehensive project security audit.
201
+ Toolip v2 separates interfaces, application services, analyzers, providers, contracts, reporting, and storage.
264
202
 
265
- Checks for:
203
+ Commands handle input and presentation. Application services orchestrate work. Analyzers return normalized findings. Providers isolate Git, filesystem, package registry, vulnerability database, and GitHub access. Storage implementations manage cache, policy, history, and baselines.
266
204
 
267
- ### Secret Exposure
205
+ This structure allows CLI commands, future watch mode, HTML reports, GitHub automation, and the MCP server to reuse one security engine.
268
206
 
269
- Detects:
207
+ See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the architectural model and [docs/ENGINEERING.md](docs/ENGINEERING.md) for development standards.
270
208
 
271
- * GitHub tokens
272
- * API keys
273
- * JWT secrets
274
- * AWS credentials
275
- * Private keys
276
- * Hardcoded passwords
209
+ ## Toolip v2 Capabilities
277
210
 
278
- ### Dangerous Code Patterns
211
+ Toolip v2.0.0 includes:
279
212
 
280
- Detects:
213
+ - OSV-backed CVE and vulnerability matching
214
+ - AST-based JavaScript and TypeScript security analysis
215
+ - package reachability evidence
216
+ - npm lifecycle-script inspection
217
+ - CycloneDX and SPDX SBOM generation
218
+ - historical security trends
219
+ - project policy and severity configuration
220
+ - deps.dev package intelligence
221
+ - dependency-confusion detection
222
+ - full Git-history secret scanning
223
+ - Dockerfile and container configuration analysis
224
+ - monorepo-aware discovery
225
+ - remote public repository audits
226
+ - tested dependency-upgrade pull requests
227
+ - security diffs between commits and branches
228
+ - static HTML report generation
229
+ - real-time terminal watch mode
230
+ - deterministic release-summary generation
231
+ - a read-only MCP server
281
232
 
282
- * eval()
283
- * Function constructor usage
284
- * Unsafe shell execution
285
- * Dangerous runtime patterns
233
+ Remote repository audits and pull-request creation remain opt-in and use the user's own GitHub authorization.
286
234
 
287
- ### Configuration Risks
235
+ ## Configuration
288
236
 
289
- Checks for:
237
+ Toolip currently supports `.toolipignore` for scan exclusions.
290
238
 
291
- * Open CORS policies
292
- * Insecure configuration patterns
293
- * Weak environment practices
239
+ Toolip v2 will introduce a versioned `toolip.config.json` schema supporting path policies, rule severity overrides, test-fixture treatment, suppressions with reasons and expiry dates, provider settings, cache controls, and monorepo behavior.
294
240
 
295
- ### Security Headers
241
+ ## Output and Automation
296
242
 
297
- Identifies missing:
243
+ Toolip commands use non-zero exit codes for blocking failures where appropriate. Machine-readable reports are intended for CI, review workflows, historical comparison, and integration with other tools.
298
244
 
299
- * Content-Security-Policy
300
- * X-Frame-Options
301
- * X-Content-Type-Options
302
- * Strict-Transport-Security
245
+ Toolip v2 reports include:
303
246
 
304
- ---
247
+ - report schema version
248
+ - Toolip version
249
+ - project identity
250
+ - summary counts
251
+ - normalized findings
252
+ - analyzer metadata
253
+ - provider status
254
+ - generation timestamp
305
255
 
306
- # Git Security
256
+ ## Development
307
257
 
308
- ---
309
-
310
- ## Git Audit
258
+ Install dependencies:
311
259
 
312
260
  ```bash
313
- toolip git-audit
261
+ npm ci
314
262
  ```
315
263
 
316
- Analyzes Git hygiene.
317
-
318
- Checks for:
319
-
320
- * Sensitive files
321
- * Weak ignore rules
322
- * Dangerous artifacts
323
- * Common security mistakes
324
-
325
- ---
326
-
327
- ## Pre-Commit Checks
264
+ Run the complete verification suite:
328
265
 
329
266
  ```bash
330
- toolip pre-commit
267
+ npm run verify
331
268
  ```
332
269
 
333
- Runs blocking security checks before commits.
334
-
335
- Detects:
336
-
337
- * Secrets
338
- * Credentials
339
- * Security violations
340
- * Dangerous files
341
-
342
- Designed to stop mistakes before they reach Git history.
343
-
344
- ---
345
-
346
- ## Git Hook Installation
270
+ Run the CLI from source:
347
271
 
348
272
  ```bash
349
- toolip hook install
273
+ npm run dev -- --help
350
274
  ```
351
275
 
352
- Installs Toolip-powered Git hooks.
353
-
354
- Allows security checks to run automatically before commits.
355
-
356
- ---
357
-
358
- # Security Scorecards
276
+ Build and execute the compiled CLI:
359
277
 
360
278
  ```bash
361
- toolip score
362
- ```
363
-
364
- Calculates a security score based on:
365
-
366
- * Dependency Health
367
- * Secret Hygiene
368
- * Configuration Security
369
- * Git Safety
370
-
371
- Example:
372
-
373
- ```text
374
- Dependency Health .... 91
375
- Secret Hygiene ....... 84
376
- Configuration ........ 88
377
- Git Safety ........... 95
378
-
379
- Overall Score ........ 89
380
- Grade ................ A
279
+ npm run build
280
+ node dist/src/index.js --help
381
281
  ```
382
282
 
383
- ---
384
-
385
- # Learning Mode
386
-
387
- One of Toolip's signature features.
283
+ Verify the exact npm release candidate:
388
284
 
389
285
  ```bash
390
- toolip learn cors
286
+ npm run release:check
391
287
  ```
392
288
 
393
- Toolip teaches while it scans.
394
-
395
- Available topics include:
396
-
397
- * CORS
398
- * JWT
399
- * XSS
400
- * CSRF
401
- * Authentication
402
- * Authorization
403
- * Secrets Management
404
- * Dependency Security
405
-
406
- Each lesson includes:
407
-
408
- * Explanation
409
- * Risks
410
- * Common mistakes
411
- * Secure examples
412
- * Best practices
413
-
414
- Designed for developers learning secure software engineering.
289
+ The release check performs type checking, tests, a clean production build, package verification, npm packing, isolated tarball installation, and packaged CLI execution.
415
290
 
416
- ---
291
+ ## Release Safety
417
292
 
418
- # Toolip Vault
293
+ Toolip v1.0.6 exposed an important release-engineering failure: the published npm package did not contain the compiled CLI. Toolip now verifies releases from the packed artifact rather than assuming a successful local build means the package is valid.
419
294
 
420
- Toolip includes a lightweight encrypted local secrets manager.
295
+ A release is blocked unless the tarball contains:
421
296
 
422
- ---
423
-
424
- ## Initialize Vault
425
-
426
- ```bash
427
- toolip vault init
428
- ```
429
-
430
- Creates an encrypted local vault.
431
-
432
- ---
433
-
434
- ## Store Secrets
435
-
436
- ```bash
437
- toolip vault set DATABASE_URL
438
- ```
439
-
440
- Stores secrets securely.
441
-
442
- ---
443
-
444
- ## Retrieve Secrets
445
-
446
- ```bash
447
- toolip vault get DATABASE_URL
448
- ```
449
-
450
- Returns decrypted values after authentication.
451
-
452
- ---
453
-
454
- ## List Secrets
455
-
456
- ```bash
457
- toolip vault list
458
- ```
459
-
460
- Displays secret names without revealing values.
461
-
462
- ---
463
-
464
- ## Delete Secrets
465
-
466
- ```bash
467
- toolip vault delete DATABASE_URL
297
+ ```text
298
+ package/package.json
299
+ package/README.md
300
+ package/LICENSE
301
+ package/dist/src/index.js
468
302
  ```
469
303
 
470
- Removes stored secrets.
471
-
472
- ---
473
-
474
- ## Export Environment Variables
304
+ The packed CLI must also successfully run:
475
305
 
476
306
  ```bash
477
- toolip vault export --env development
307
+ toolip --version
308
+ toolip self-test
309
+ toolip --help
478
310
  ```
479
311
 
480
- Supports:
481
-
482
- * development
483
- * staging
484
- * production
485
-
486
- ---
487
-
488
- ## Vault Security Features
312
+ See [RELEASING.md](RELEASING.md) for the complete release policy.
489
313
 
490
- * AES-256 Encryption
491
- * Password Protection
492
- * Local Storage Only
493
- * Offline Operation
314
+ ## Security
494
315
 
495
- No cloud storage.
316
+ Toolip handles sensitive source files and credentials. Findings redact evidence by default, and remote operations must be explicitly authorized.
496
317
 
497
- No synchronization.
318
+ Please report suspected Toolip vulnerabilities privately according to [SECURITY.md](SECURITY.md).
498
319
 
499
- No accounts.
320
+ ## Contributing
500
321
 
501
- No remote services.
322
+ Contributions should include tests, clear tradeoffs, and accurate security claims. Analyzer changes require regression coverage and must use the shared finding contracts.
502
323
 
503
- ---
324
+ See [CONTRIBUTING.md](CONTRIBUTING.md).
504
325
 
505
- # Command Reference
326
+ ## Changelog
506
327
 
507
- | Command | Description |
508
- | ------------------- | ---------------------------------- |
509
- | toolip profile | Fingerprint project technologies |
510
- | toolip scan | Analyze dependencies |
511
- | toolip doctor | Perform security audit |
512
- | toolip score | Generate security scorecard |
513
- | toolip inspect | Inspect package metadata |
514
- | toolip compare | Compare packages |
515
- | toolip alternatives | Suggest replacements |
516
- | toolip licenses | Analyze licenses |
517
- | toolip tree | Analyze dependency hierarchy |
518
- | toolip git-audit | Audit Git hygiene |
519
- | toolip pre-commit | Run pre-commit security checks |
520
- | toolip hook install | Install Git hooks |
521
- | toolip learn | Security education mode |
522
- | toolip vault | Encrypted local secrets management |
328
+ Release history and unreleased changes are maintained in [CHANGELOG.md](CHANGELOG.md).
523
329
 
524
- ---
525
-
526
- # Design Principles
527
-
528
- Toolip follows several guiding principles:
529
-
530
- * Developer First
531
- * CLI First
532
- * Security Education
533
- * Local Development Friendly
534
- * CI/CD Friendly
535
- * Framework Agnostic
536
- * Actionable Guidance
537
- * Secure by Default
538
-
539
- ---
540
-
541
- # Technology Stack
542
-
543
- Built with:
544
-
545
- * TypeScript
546
- * Node.js
547
- * Commander.js
548
- * Vitest
549
- * Chalk
550
- * Ora
551
- * Zod
552
- * npm Registry APIs
553
- * Git Integration
554
- * Node Crypto APIs
555
-
556
- ---
557
-
558
- # Use Cases
559
-
560
- Toolip is useful for:
561
-
562
- * Backend Engineers
563
- * Platform Engineers
564
- * DevOps Engineers
565
- * Open Source Maintainers
566
- * Startup Teams
567
- * Full Stack Developers
568
- * Students Learning Security
569
-
570
- ---
571
-
572
- # Portfolio Positioning
573
-
574
- Toolip demonstrates experience with:
575
-
576
- * TypeScript Engineering
577
- * CLI Development
578
- * Security Engineering Concepts
579
- * Supply Chain Security
580
- * Secret Management
581
- * Static Analysis
582
- * Git Integration
583
- * Risk Scoring Systems
584
- * Developer Experience Design
585
- * Secure Development Workflows
586
-
587
- ---
588
-
589
- # Author
590
-
591
- **Ashibuogwu Williams (wbizmo)**
330
+ ## Author
592
331
 
593
332
  GitHub: https://github.com/wbizmo
594
333
 
595
- ---
334
+ ## License
335
+
336
+ Toolip is available under the MIT License.
596
337
 
597
- # License
338
+ ## Vulnerability Intelligence
598
339
 
599
- MIT License
340
+ Toolip matches resolved npm dependencies against OSV.dev. See [docs/VULNERABILITY-INTELLIGENCE.md](docs/VULNERABILITY-INTELLIGENCE.md).