trawly 0.0.1

package/dist/cli.js

@@ -0,0 +1,1316 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { Command, InvalidArgumentError } from "commander";
+import kleur4 from "kleur";
+
+// src/commands/add.ts
+import kleur from "kleur";
+
+// src/sources/osv.ts
+var OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";
+var OSV_VULN_URL = "https://api.osv.dev/v1/vulns";
+var QUERY_CHUNK_SIZE = 500;
+var REQUEST_TIMEOUT_MS = 15e3;
+var MAX_RETRIES = 2;
+function dedupeForQuery(packages) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const pkg of packages) {
+    const key = `${pkg.name}@${pkg.version}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push({ name: pkg.name, version: pkg.version });
+  }
+  return out;
+}
+async function queryOsv(packages, deps = {}) {
+  const fetchImpl = deps.fetchImpl ?? fetch;
+  const unique = dedupeForQuery(packages);
+  if (unique.length === 0) return [];
+  const idsByPackage = /* @__PURE__ */ new Map();
+  for (const chunk of chunked(unique, QUERY_CHUNK_SIZE)) {
+    const body = {
+      queries: chunk.map((q) => ({
+        package: { ecosystem: "npm", name: q.name },
+        version: q.version
+      }))
+    };
+    const res = await postJson(
+      fetchImpl,
+      OSV_QUERYBATCH_URL,
+      body
+    );
+    res.results.forEach((result, i) => {
+      const q = chunk[i];
+      if (!q) return;
+      const key = `${q.name}@${q.version}`;
+      if (!result.vulns || result.vulns.length === 0) return;
+      const ids = idsByPackage.get(key) ?? /* @__PURE__ */ new Set();
+      for (const v of result.vulns) ids.add(v.id);
+      idsByPackage.set(key, ids);
+    });
+  }
+  const allIds = /* @__PURE__ */ new Set();
+  for (const ids of idsByPackage.values()) {
+    for (const id of ids) allIds.add(id);
+  }
+  const detailsById = /* @__PURE__ */ new Map();
+  for (const id of allIds) {
+    try {
+      const detail = await getJson(
+        fetchImpl,
+        `${OSV_VULN_URL}/${encodeURIComponent(id)}`
+      );
+      detailsById.set(id, detail);
+    } catch {
+    }
+  }
+  const findings = [];
+  for (const pkg of packages) {
+    const key = `${pkg.name}@${pkg.version}`;
+    const ids = idsByPackage.get(key);
+    if (!ids) continue;
+    for (const id of ids) {
+      const detail = detailsById.get(id);
+      findings.push(buildFinding(pkg, id, detail));
+    }
+  }
+  return findings;
+}
+function buildFinding(pkg, id, detail) {
+  const severity = detail ? parseSeverity(detail) : "unknown";
+  const summary = detail?.summary ?? detail?.details ?? id;
+  return {
+    id,
+    source: "osv",
+    type: "vulnerability",
+    severity,
+    packageName: pkg.name,
+    installedVersion: pkg.version,
+    summary: truncate(summary, 240),
+    url: pickAdvisoryUrl(detail) ?? `https://osv.dev/vulnerability/${id}`,
+    fixedVersions: detail ? collectFixedVersions(detail, pkg.name) : [],
+    affectedPaths: [pkg.path]
+  };
+}
+function parseSeverity(detail) {
+  const dbSpecific = detail.database_specific?.severity?.toLowerCase();
+  if (dbSpecific === "critical" || dbSpecific === "high" || dbSpecific === "moderate" || dbSpecific === "low") {
+    return dbSpecific;
+  }
+  if (dbSpecific === "medium") return "moderate";
+  const cvss = detail.severity?.find((s) => s.type?.startsWith("CVSS_"));
+  if (cvss) {
+    const score = parseCvssScore(cvss.score);
+    if (score === void 0) return "unknown";
+    if (score >= 9) return "critical";
+    if (score >= 7) return "high";
+    if (score >= 4) return "moderate";
+    if (score > 0) return "low";
+  }
+  return "unknown";
+}
+function parseCvssScore(vector) {
+  const direct = Number.parseFloat(vector);
+  if (!Number.isNaN(direct) && vector.trim() !== "") return direct;
+  return void 0;
+}
+function pickAdvisoryUrl(detail) {
+  if (!detail?.references) return void 0;
+  const advisory = detail.references.find((r) => r.type === "ADVISORY");
+  return advisory?.url ?? detail.references[0]?.url;
+}
+function collectFixedVersions(detail, packageName) {
+  const out = /* @__PURE__ */ new Set();
+  for (const aff of detail.affected ?? []) {
+    if (aff.package?.name && aff.package.name !== packageName) continue;
+    for (const range of aff.ranges ?? []) {
+      for (const event of range.events ?? []) {
+        if (event.fixed) out.add(event.fixed);
+      }
+    }
+  }
+  return [...out];
+}
+function* chunked(items, size) {
+  for (let i = 0; i < items.length; i += size) {
+    yield items.slice(i, i + size);
+  }
+}
+async function postJson(fetchImpl, url, body) {
+  return withRetry(async () => {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    try {
+      const res = await fetchImpl(url, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+      if (!res.ok) {
+        throw new HttpError(`OSV ${res.status}: ${res.statusText}`, res.status);
+      }
+      return await res.json();
+    } finally {
+      clearTimeout(timer);
+    }
+  });
+}
+async function getJson(fetchImpl, url) {
+  return withRetry(async () => {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    try {
+      const res = await fetchImpl(url, { signal: controller.signal });
+      if (!res.ok) {
+        throw new HttpError(`OSV ${res.status}: ${res.statusText}`, res.status);
+      }
+      return await res.json();
+    } finally {
+      clearTimeout(timer);
+    }
+  });
+}
+var HttpError = class extends Error {
+  constructor(message, status) {
+    super(message);
+    this.status = status;
+  }
+  status;
+};
+async function withRetry(fn) {
+  let lastErr;
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastErr = err;
+      if (!isRetryable(err) || attempt === MAX_RETRIES) break;
+      await new Promise((r) => setTimeout(r, 250 * 2 ** attempt));
+    }
+  }
+  throw lastErr;
+}
+function isRetryable(err) {
+  if (err instanceof HttpError) return err.status >= 500;
+  return true;
+}
+function truncate(s, max) {
+  if (s.length <= max) return s;
+  return `${s.slice(0, max - 1)}\u2026`;
+}
+
+// src/scanner.ts
+import { existsSync, statSync } from "fs";
+import { resolve as resolve2, join } from "path";
+
+// src/extractors/npm-package-lock.ts
+import { readFileSync } from "fs";
+import { resolve } from "path";
+function parseNpmPackageLock(filePath) {
+  const absolute = resolve(filePath);
+  const raw = readFileSync(absolute, "utf8");
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  if (parsed.lockfileVersion !== 2 && parsed.lockfileVersion !== 3) {
+    throw new Error(
+      `Unsupported npm lockfileVersion ${String(
+        parsed.lockfileVersion
+      )} in ${absolute}. Only v2 and v3 are supported.`
+    );
+  }
+  const packages = parsed.packages;
+  if (!packages || typeof packages !== "object") {
+    throw new Error(
+      `Lockfile ${absolute} has no "packages" map; cannot extract installed versions.`
+    );
+  }
+  const directDeps = collectDirectDependencyNames(packages[""] ?? {});
+  const instances = [];
+  for (const [path, entry] of Object.entries(packages)) {
+    if (path === "") continue;
+    if (entry.link) continue;
+    const name = packagePathToName(path);
+    if (!name) continue;
+    if (!entry.version) continue;
+    instances.push({
+      name,
+      version: entry.version,
+      ecosystem: "npm",
+      path,
+      direct: directDeps.has(name) && isTopLevelInstance(path),
+      dev: Boolean(entry.dev || entry.devOptional),
+      optional: Boolean(entry.optional || entry.devOptional),
+      resolved: entry.resolved,
+      integrity: entry.integrity
+    });
+  }
+  return instances;
+}
+function collectDirectDependencyNames(rootEntry) {
+  const names = /* @__PURE__ */ new Set();
+  for (const key of [
+    "dependencies",
+    "devDependencies",
+    "optionalDependencies",
+    "peerDependencies"
+  ]) {
+    const block = rootEntry[key];
+    if (!block) continue;
+    for (const name of Object.keys(block)) names.add(name);
+  }
+  return names;
+}
+function packagePathToName(path) {
+  const marker = "node_modules/";
+  const idx = path.lastIndexOf(marker);
+  if (idx === -1) return null;
+  const tail = path.slice(idx + marker.length);
+  if (!tail) return null;
+  if (tail.startsWith("@")) {
+    const firstSlash = tail.indexOf("/");
+    if (firstSlash === -1) return null;
+    const secondSlash = tail.indexOf("/", firstSlash + 1);
+    return secondSlash === -1 ? tail : tail.slice(0, secondSlash);
+  }
+  const next = tail.indexOf("/");
+  return next === -1 ? tail : tail.slice(0, next);
+}
+function isTopLevelInstance(path) {
+  const first = path.indexOf("node_modules/");
+  if (first === -1) return false;
+  return path.indexOf("node_modules/", first + 1) === -1;
+}
+
+// src/types.ts
+var SEVERITY_RANK = {
+  critical: 4,
+  high: 3,
+  moderate: 2,
+  low: 1,
+  unknown: 0
+};
+
+// src/scanner.ts
+async function scanProject(options = {}) {
+  const cwd = resolve2(options.cwd ?? process.cwd());
+  const lockfilePath = options.lockfile ? resolve2(cwd, options.lockfile) : detectLockfile(cwd);
+  if (!lockfilePath) {
+    throw new ScanInputError(
+      `No npm lockfile found in ${cwd}. Pass --lockfile or run in a directory with package-lock.json.`
+    );
+  }
+  return scanLockfile({
+    lockfilePath,
+    includeDev: options.includeDev,
+    prodOnly: options.prodOnly,
+    fetchImpl: options.fetchImpl
+  });
+}
+async function scanLockfile(options) {
+  const { lockfilePath } = options;
+  if (!existsSync(lockfilePath)) {
+    throw new ScanInputError(`Lockfile does not exist: ${lockfilePath}`);
+  }
+  const stat = statSync(lockfilePath);
+  if (!stat.isFile()) {
+    throw new ScanInputError(`Lockfile path is not a file: ${lockfilePath}`);
+  }
+  const allInstances = parseNpmPackageLock(lockfilePath);
+  const instances = filterInstances(allInstances, options);
+  const errors = [];
+  let findings = [];
+  try {
+    findings = await queryOsv(instances, { fetchImpl: options.fetchImpl });
+  } catch (err) {
+    errors.push({
+      message: "Failed to query OSV advisory database",
+      cause: err.message
+    });
+  }
+  findings.sort(compareFindings);
+  return {
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    packagesScanned: instances.length,
+    findings,
+    summary: summarize(findings),
+    errors
+  };
+}
+var ScanInputError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ScanInputError";
+  }
+};
+function detectLockfile(cwd) {
+  const candidate = join(cwd, "package-lock.json");
+  return existsSync(candidate) ? candidate : void 0;
+}
+function filterInstances(instances, options) {
+  const includeDev = options.prodOnly ? false : options.includeDev !== false;
+  if (includeDev) return instances;
+  return instances.filter((p) => !p.dev);
+}
+function compareFindings(a, b) {
+  const sev = SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
+  if (sev !== 0) return sev;
+  if (a.packageName !== b.packageName) {
+    return a.packageName.localeCompare(b.packageName);
+  }
+  if (a.installedVersion !== b.installedVersion) {
+    return a.installedVersion.localeCompare(b.installedVersion);
+  }
+  return a.id.localeCompare(b.id);
+}
+function summarize(findings) {
+  const summary = {
+    critical: 0,
+    high: 0,
+    moderate: 0,
+    low: 0,
+    unknown: 0
+  };
+  for (const f of findings) summary[f.severity]++;
+  return summary;
+}
+function meetsThreshold(findings, threshold) {
+  if (threshold === "none") return false;
+  const min = SEVERITY_RANK[threshold];
+  return findings.some((f) => SEVERITY_RANK[f.severity] >= min);
+}
+
+// src/installer/pm-detect.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
+var LOCKFILES = [
+  { file: "pnpm-lock.yaml", pm: "pnpm" },
+  { file: "yarn.lock", pm: "yarn" },
+  { file: "bun.lockb", pm: "bun" },
+  { file: "bun.lock", pm: "bun" },
+  { file: "package-lock.json", pm: "npm" },
+  { file: "npm-shrinkwrap.json", pm: "npm" }
+];
+function detectPackageManager(opts = {}) {
+  if (opts.override) return opts.override;
+  const cwd = opts.cwd ?? process.cwd();
+  const fromField = readPackageManagerField(cwd);
+  if (fromField) return fromField;
+  for (const { file, pm } of LOCKFILES) {
+    if (existsSync2(join2(cwd, file))) return pm;
+  }
+  return "npm";
+}
+function readPackageManagerField(cwd) {
+  const pkgPath = join2(cwd, "package.json");
+  if (!existsSync2(pkgPath)) return void 0;
+  try {
+    const pkg = JSON.parse(readFileSync2(pkgPath, "utf8"));
+    if (typeof pkg.packageManager !== "string") return void 0;
+    const name = pkg.packageManager.split("@")[0];
+    if (name === "npm" || name === "pnpm" || name === "yarn" || name === "bun") {
+      return name;
+    }
+  } catch {
+  }
+  return void 0;
+}
+function buildAddCommand(pm, packages, flags) {
+  switch (pm) {
+    case "npm":
+      return { bin: "npm", args: ["install", ...flags, ...packages] };
+    case "pnpm":
+      return { bin: "pnpm", args: ["add", ...flags, ...packages] };
+    case "yarn":
+      return { bin: "yarn", args: ["add", ...flags, ...packages] };
+    case "bun":
+      return { bin: "bun", args: ["add", ...flags, ...packages] };
+  }
+}
+function buildInstallCommand(pm, flags) {
+  return { bin: pm, args: ["install", ...flags] };
+}
+function buildRemoveCommand(pm, packages, flags) {
+  switch (pm) {
+    case "npm":
+      return { bin: "npm", args: ["uninstall", ...flags, ...packages] };
+    case "pnpm":
+      return { bin: "pnpm", args: ["remove", ...flags, ...packages] };
+    case "yarn":
+      return { bin: "yarn", args: ["remove", ...flags, ...packages] };
+    case "bun":
+      return { bin: "bun", args: ["remove", ...flags, ...packages] };
+  }
+}
+
+// src/installer/runner.ts
+import { spawn } from "child_process";
+function runPackageManager(cmd, opts = {}) {
+  return new Promise((resolve3, reject) => {
+    const child = spawn(cmd.bin, cmd.args, {
+      cwd: opts.cwd,
+      stdio: "inherit",
+      shell: process.platform === "win32"
+    });
+    child.on("error", reject);
+    child.on("close", (code) => resolve3(code ?? 0));
+  });
+}
+
+// src/installer/spec-parser.ts
+var URL_PROTOCOLS = ["http:", "https:", "git:", "git+ssh:", "git+https:", "git+http:"];
+function parseSpec(raw) {
+  const trimmed = raw.trim();
+  if (trimmed === "") {
+    return { raw, name: "", unsupported: "invalid" };
+  }
+  if (trimmed.startsWith("file:")) return { raw, name: trimmed, unsupported: "file" };
+  if (trimmed.startsWith("workspace:")) {
+    return { raw, name: trimmed, unsupported: "workspace" };
+  }
+  if (URL_PROTOCOLS.some((p) => trimmed.startsWith(p))) {
+    const reason = trimmed.includes("git") ? "git" : "url";
+    return { raw, name: trimmed, unsupported: reason };
+  }
+  if (/^[^@/].*@npm:/.test(trimmed) || /^@[^/]+\/[^@]+@npm:/.test(trimmed)) {
+    return { raw, name: trimmed, unsupported: "alias" };
+  }
+  if (trimmed.startsWith("@")) {
+    const slash = trimmed.indexOf("/");
+    if (slash === -1) return { raw, name: trimmed, unsupported: "invalid" };
+    const rest = trimmed.slice(slash + 1);
+    const at2 = rest.indexOf("@");
+    if (at2 === -1) {
+      return { raw, name: trimmed };
+    }
+    const subname = rest.slice(0, at2);
+    const requested2 = rest.slice(at2 + 1);
+    if (subname === "" || requested2 === "") {
+      return { raw, name: trimmed, unsupported: "invalid" };
+    }
+    return { raw, name: `${trimmed.slice(0, slash)}/${subname}`, requested: requested2 };
+  }
+  const at = trimmed.indexOf("@");
+  if (at === -1) return { raw, name: trimmed };
+  const name = trimmed.slice(0, at);
+  const requested = trimmed.slice(at + 1);
+  if (name === "" || requested === "") {
+    return { raw, name: trimmed, unsupported: "invalid" };
+  }
+  return { raw, name, requested };
+}
+function partitionArgs(args) {
+  const specs = [];
+  const flags = [];
+  for (const arg of args) {
+    if (arg.startsWith("-")) {
+      flags.push(arg);
+      continue;
+    }
+    specs.push(parseSpec(arg));
+  }
+  return { specs, flags };
+}
+
+// src/installer/version-resolver.ts
+var REGISTRY_URL = "https://registry.npmjs.org";
+var REQUEST_TIMEOUT_MS2 = 15e3;
+var EXACT_VERSION_RE = /^\d+\.\d+\.\d+(?:[-+][\w.+-]+)?$/;
+var RANGE_CHARS_RE = /[\^~><=|\s*x]/i;
+async function resolveVersion(name, requested, deps = {}) {
+  const fetchImpl = deps.fetchImpl ?? fetch;
+  const registry = deps.registryUrl ?? REGISTRY_URL;
+  const packument = await fetchPackument(fetchImpl, registry, name);
+  const distTags = packument["dist-tags"] ?? {};
+  const latest = distTags.latest;
+  if (!requested) {
+    if (!latest) {
+      throw new VersionResolveError(
+        `Package ${name} has no "latest" dist-tag in the registry.`
+      );
+    }
+    return { version: latest, source: "dist-tag", requested: "latest" };
+  }
+  if (EXACT_VERSION_RE.test(requested)) {
+    if (packument.versions && !packument.versions[requested]) {
+      throw new VersionResolveError(
+        `Version ${requested} of ${name} is not published.`
+      );
+    }
+    return { version: requested, source: "exact" };
+  }
+  if (!RANGE_CHARS_RE.test(requested) && distTags[requested]) {
+    return {
+      version: distTags[requested],
+      source: "dist-tag",
+      requested
+    };
+  }
+  if (!latest) {
+    throw new VersionResolveError(
+      `Cannot resolve ${name}@${requested}: no "latest" dist-tag available to fall back on.`
+    );
+  }
+  return { version: latest, source: "fallback-latest", requested };
+}
+var VersionResolveError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "VersionResolveError";
+  }
+};
+async function fetchPackument(fetchImpl, registry, name) {
+  const url = `${registry.replace(/\/$/, "")}/${encodePackageName(name)}`;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS2);
+  try {
+    const res = await fetchImpl(url, {
+      signal: controller.signal,
+      headers: { accept: "application/json" }
+    });
+    if (res.status === 404) {
+      throw new VersionResolveError(`Package ${name} not found in registry.`);
+    }
+    if (!res.ok) {
+      throw new VersionResolveError(
+        `Registry ${res.status} for ${name}: ${res.statusText}`
+      );
+    }
+    return await res.json();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function encodePackageName(name) {
+  if (name.startsWith("@")) {
+    const slash = name.indexOf("/");
+    if (slash !== -1) {
+      return `${encodeURIComponent(name.slice(0, slash))}%2F${encodeURIComponent(name.slice(slash + 1))}`;
+    }
+  }
+  return encodeURIComponent(name);
+}
+
+// src/commands/add.ts
+async function runAdd(args, options) {
+  const { specs, flags } = partitionArgs(args);
+  const skipped = [];
+  const resolvable = [];
+  for (const spec of specs) {
+    if (spec.unsupported) {
+      skipped.push({ spec, reason: spec.unsupported });
+    } else {
+      resolvable.push(spec);
+    }
+  }
+  const resolved = [];
+  const errored = [];
+  await Promise.all(
+    resolvable.map(async (spec) => {
+      try {
+        const r = await resolveVersion(spec.name, spec.requested, {
+          fetchImpl: options.fetchImpl
+        });
+        resolved.push({ spec, resolved: r, findings: [] });
+      } catch (err) {
+        const message = err instanceof VersionResolveError ? err.message : `Registry error: ${err.message}`;
+        errored.push({ spec, message });
+      }
+    })
+  );
+  let findings = [];
+  if (resolved.length > 0) {
+    const instances = resolved.map((r) => ({
+      name: r.spec.name,
+      version: r.resolved.version,
+      ecosystem: "npm",
+      path: r.spec.raw,
+      direct: true,
+      dev: false,
+      optional: false
+    }));
+    try {
+      findings = await queryOsv(instances, { fetchImpl: options.fetchImpl });
+    } catch (err) {
+      const message = `OSV query failed: ${err.message}`;
+      for (const r of resolved) errored.push({ spec: r.spec, message });
+      resolved.length = 0;
+    }
+  }
+  for (const f of findings) {
+    const owner = resolved.find(
+      (r) => r.spec.name === f.packageName && r.resolved.version === f.installedVersion
+    );
+    if (owner) owner.findings.push(f);
+  }
+  const blocked = [];
+  const installed = [];
+  for (const r of resolved) {
+    if (shouldBlock(r.findings, options)) {
+      blocked.push({ ...r, reason: "vulnerable" });
+    } else {
+      installed.push(r);
+    }
+  }
+  findings.sort(compareFindings);
+  let pmExitCode;
+  if (installed.length > 0) {
+    const pm = detectPackageManager({ override: options.pm, cwd: options.cwd });
+    const cmd = buildAddCommand(
+      pm,
+      installed.map((r) => r.spec.raw),
+      flags
+    );
+    process.stdout.write(
+      kleur.gray(`> ${cmd.bin} ${cmd.args.join(" ")}
+`)
+    );
+    const runner = options.runner ?? runPackageManager;
+    pmExitCode = await runner(cmd, { cwd: options.cwd });
+  }
+  return { installed, blocked, skipped, errored, findings, pmExitCode };
+}
+function reportAdd(result) {
+  const lines = [];
+  if (result.skipped.length > 0) {
+    for (const s of result.skipped) {
+      lines.push(
+        kleur.yellow(
+          `~ Skipped ${s.spec.raw}: ${describeUnsupported(s.reason)} (cannot scan; not forwarded to install)`
+        )
+      );
+    }
+  }
+  if (result.errored.length > 0) {
+    for (const e of result.errored) {
+      lines.push(kleur.red(`! ${e.spec.raw}: ${e.message}`));
+    }
+  }
+  if (result.blocked.length > 0) {
+    for (const b of result.blocked) {
+      const sev = summarize(b.findings);
+      const counts = describeSeverityCounts(sev);
+      lines.push(
+        kleur.red(
+          `\u2717 Blocked ${b.spec.name}@${b.resolved.version}: ${counts}`
+        )
+      );
+      if (b.resolved.source === "fallback-latest") {
+        lines.push(
+          kleur.gray(
+            `  (scanned latest because we don't resolve semver ranges yet; you asked for "${b.resolved.requested}")`
+          )
+        );
+      }
+      for (const f of b.findings) {
+        lines.push(
+          `  - [${colorSeverity(f.severity)}] ${f.id} : ${f.summary}`
+        );
+        if (f.fixedVersions.length > 0) {
+          lines.push(kleur.gray(`    fixed in: ${f.fixedVersions.join(", ")}`));
+        }
+        if (f.url) lines.push(kleur.gray(`    ${f.url}`));
+      }
+    }
+  }
+  if (result.installed.length > 0) {
+    const names = result.installed.map((r) => `${r.spec.name}@${r.resolved.version}`).join(", ");
+    lines.push(kleur.green(`\u2713 Installing: ${names}`));
+  } else if (result.blocked.length > 0) {
+    lines.push(
+      kleur.red("Nothing installed : all requested packages were blocked.")
+    );
+  }
+  return `${lines.join("\n")}
+`;
+}
+function shouldBlock(findings, options) {
+  if (options.allowVulnerable) return false;
+  if (options.failOn === "none") return false;
+  const threshold = SEVERITY_RANK[options.failOn];
+  return findings.some((f) => SEVERITY_RANK[f.severity] >= threshold);
+}
+function describeUnsupported(reason) {
+  switch (reason) {
+    case "git":
+      return "git specs cannot be scanned against OSV";
+    case "url":
+      return "URL specs cannot be scanned against OSV";
+    case "file":
+      return "local file specs cannot be scanned against OSV";
+    case "alias":
+      return "npm aliases are not supported in v1";
+    case "workspace":
+      return "workspace protocol specs are not scanned";
+    case "invalid":
+      return "could not parse spec";
+  }
+}
+function describeSeverityCounts(summary) {
+  const parts = [];
+  for (const sev of ["critical", "high", "moderate", "low", "unknown"]) {
+    if (summary[sev] > 0) parts.push(`${summary[sev]} ${sev}`);
+  }
+  return parts.length === 0 ? "no advisories" : `${parts.join(", ")} advisor${total(summary) === 1 ? "y" : "ies"}`;
+}
+function total(summary) {
+  return Object.values(summary).reduce((a, b) => a + b, 0);
+}
+function colorSeverity(sev) {
+  switch (sev) {
+    case "critical":
+      return kleur.bold().red(sev);
+    case "high":
+      return kleur.red(sev);
+    case "moderate":
+      return kleur.yellow(sev);
+    case "low":
+      return kleur.cyan(sev);
+    case "unknown":
+      return kleur.gray(sev);
+  }
+}
+
+// src/reporters/json.ts
+function reportJson(result) {
+  return JSON.stringify(result, null, 2);
+}
+
+// src/reporters/table.ts
+import kleur3 from "kleur";
+
+// src/reporters/banner.ts
+import kleur2 from "kleur";
+var BORDER = {
+  tl: "\u250C",
+  tr: "\u2510",
+  bl: "\u2514",
+  br: "\u2518",
+  h: "\u2500",
+  v: "\u2502"
+};
+var TITLE = "trawly";
+var SIDE_PAD = 1;
+var MIN_TITLE_FILLER = 4;
+function renderBanner(props) {
+  const contentRows = [props.metrics, props.timestamp];
+  const titleSegment = ` ${TITLE} `;
+  const minTitleWidth = 1 + titleSegment.length + MIN_TITLE_FILLER;
+  const innerWidth = Math.max(
+    ...contentRows.map((r) => r.length + SIDE_PAD * 2),
+    minTitleWidth
+  );
+  const top = renderTop(innerWidth);
+  const bottom = renderBottom(innerWidth);
+  const metricsLine = renderRow(innerWidth, props.metrics, kleur2.bold);
+  const timestampLine = renderRow(innerWidth, props.timestamp, kleur2.gray);
+  return [top, metricsLine, timestampLine, bottom].join("\n");
+}
+function renderTop(innerWidth) {
+  const titleSegment = ` ${kleur2.bold().cyan(TITLE)} `;
+  const titleVisibleLen = TITLE.length + 2;
+  const fillerCount = innerWidth - 1 - titleVisibleLen;
+  return kleur2.gray(BORDER.tl) + kleur2.gray(BORDER.h) + titleSegment + kleur2.gray(BORDER.h.repeat(Math.max(MIN_TITLE_FILLER, fillerCount))) + kleur2.gray(BORDER.tr);
+}
+function renderBottom(innerWidth) {
+  return kleur2.gray(`${BORDER.bl}${BORDER.h.repeat(innerWidth)}${BORDER.br}`);
+}
+function renderRow(innerWidth, content, colorize) {
+  const fill = Math.max(0, innerWidth - SIDE_PAD * 2 - content.length);
+  return kleur2.gray(BORDER.v) + " ".repeat(SIDE_PAD) + colorize(content) + " ".repeat(fill + SIDE_PAD) + kleur2.gray(BORDER.v);
+}
+
+// src/reporters/table.ts
+var SEVERITY_COLOR = {
+  critical: (s) => kleur3.bold().red(s),
+  high: (s) => kleur3.red(s),
+  moderate: (s) => kleur3.yellow(s),
+  low: (s) => kleur3.cyan(s),
+  unknown: (s) => kleur3.gray(s)
+};
+var SEVERITY_ORDER = [
+  "critical",
+  "high",
+  "moderate",
+  "low",
+  "unknown"
+];
+function reportTable(result, options = {}) {
+  const view = options.view ?? (options.details ? "details" : "grouped");
+  const lines = [];
+  if (options.brand) {
+    const { metricsLine, timestamp } = headerParts(result);
+    lines.push(renderBanner({ metrics: metricsLine, timestamp }));
+  } else {
+    lines.push(kleur3.bold(formatHeader(result)));
+  }
+  if (result.errors.length > 0) {
+    for (const err of result.errors) {
+      lines.push(
+        kleur3.red(`! ${err.message}${err.cause ? ` (${err.cause})` : ""}`)
+      );
+    }
+  }
+  if (result.findings.length === 0) {
+    lines.push(kleur3.green("\u2713 No known advisories found."));
+    lines.push(
+      kleur3.gray(
+        "  Note: this only checks known advisories. It cannot prove a package is safe."
+      )
+    );
+    return lines.join("\n");
+  }
+  if (view === "summary") {
+    lines.push(formatSummary(result.summary));
+    lines.push(reminder());
+    return lines.join("\n");
+  }
+  lines.push("");
+  lines.push(formatSummary(result.summary));
+  lines.push("");
+  if (view === "details") {
+    lines.push(formatDetailRows(sortFindings(result.findings)));
+  } else {
+    const groups = groupByPackage(result.findings);
+    lines.push(formatGroupedRows(groups));
+    lines.push("");
+    lines.push(
+      kleur3.gray("Run `trawly scan --details` to see individual advisories.")
+    );
+  }
+  lines.push("");
+  lines.push(reminder());
+  return lines.join("\n");
+}
+function formatHeader(result) {
+  const { metricsLine, timestamp } = headerParts(result);
+  return `trawly: ${metricsLine} (${timestamp})`;
+}
+function headerParts(result) {
+  const vulnerable = new Set(
+    result.findings.map((f) => `${f.packageName}@${f.installedVersion}`)
+  ).size;
+  const advisories = result.findings.length;
+  const metricsLine = [
+    `${result.packagesScanned} packages`,
+    `${vulnerable} vulnerable`,
+    `${advisories} ${advisories === 1 ? "advisory" : "advisories"}`
+  ].join(" \xB7 ");
+  return { metricsLine, timestamp: result.scannedAt };
+}
+function formatSummary(summary) {
+  const parts = [];
+  for (const sev of SEVERITY_ORDER) {
+    const count = summary[sev];
+    if (count === 0) continue;
+    parts.push(SEVERITY_COLOR[sev](`${sev}: ${count}`));
+  }
+  if (parts.length === 0) return kleur3.green("No findings.");
+  return `Findings : ${parts.join("  ")}`;
+}
+function reminder() {
+  return kleur3.gray(
+    "Reminder: trawly reports known advisories only. Absence of findings is not proof of safety."
+  );
+}
+function sortFindings(findings) {
+  return [...findings].sort((a, b) => {
+    const sev = SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
+    if (sev !== 0) return sev;
+    const name = a.packageName.localeCompare(b.packageName);
+    if (name !== 0) return name;
+    return a.id.localeCompare(b.id);
+  });
+}
+function groupByPackage(findings) {
+  const map = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const key = `${f.packageName}@${f.installedVersion}`;
+    let group = map.get(key);
+    if (!group) {
+      group = {
+        packageName: f.packageName,
+        installedVersion: f.installedVersion,
+        topSeverity: f.severity,
+        counts: { critical: 0, high: 0, moderate: 0, low: 0, unknown: 0 },
+        findings: [],
+        recommendedFix: null
+      };
+      map.set(key, group);
+    }
+    group.findings.push(f);
+    group.counts[f.severity] += 1;
+    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[group.topSeverity]) {
+      group.topSeverity = f.severity;
+    }
+  }
+  for (const group of map.values()) {
+    group.recommendedFix = pickRecommendedFix(group.findings);
+  }
+  return [...map.values()].sort((a, b) => {
+    const sev = SEVERITY_RANK[b.topSeverity] - SEVERITY_RANK[a.topSeverity];
+    if (sev !== 0) return sev;
+    const totalA = a.findings.length;
+    const totalB = b.findings.length;
+    if (totalA !== totalB) return totalB - totalA;
+    return a.packageName.localeCompare(b.packageName);
+  });
+}
+function formatGroupedRows(groups) {
+  const rows = [
+    ["PACKAGE", "VERSION", "SEVERITY", "FIX"]
+  ];
+  for (const g of groups) {
+    rows.push([
+      g.packageName,
+      g.installedVersion,
+      formatSeverityCounts(g.counts),
+      g.recommendedFix ? `>=${g.recommendedFix}` : ":"
+    ]);
+  }
+  return renderTable(rows, (rowIdx, _row, cells) => {
+    if (rowIdx === 0) return kleur3.bold().underline(cells.join("  "));
+    return cells.join("  ");
+  });
+}
+function formatDetailRows(findings) {
+  const rows = [
+    ["SEV", "PACKAGE", "VERSION", "ID", "FIXED IN", "SUMMARY"]
+  ];
+  for (const f of findings) {
+    rows.push([
+      f.severity,
+      f.packageName,
+      f.installedVersion,
+      f.id,
+      f.fixedVersions.length ? f.fixedVersions.join(", ") : ":",
+      truncate2(f.summary, 70)
+    ]);
+  }
+  return renderTable(rows, (rowIdx, row, cells) => {
+    if (rowIdx === 0) return kleur3.bold().underline(cells.join("  "));
+    const sev = row[0];
+    const colorize = SEVERITY_COLOR[sev] ?? ((s) => s);
+    cells[0] = colorize(cells[0]);
+    return cells.join("  ");
+  });
+}
+function formatSeverityCounts(counts) {
+  const parts = [];
+  for (const sev of SEVERITY_ORDER) {
+    const n = counts[sev];
+    if (n === 0) continue;
+    parts.push(SEVERITY_COLOR[sev](`${n} ${sev}`));
+  }
+  return parts.join(", ");
+}
+function renderTable(rows, format) {
+  const widths = rows[0].map(
+    (_, col) => Math.max(...rows.map((r) => visibleLength(r[col])))
+  );
+  return rows.map((row, i) => {
+    const cells = row.map((cell, col) => padEndVisible(cell, widths[col]));
+    return format(i, row, cells);
+  }).join("\n");
+}
+function pickRecommendedFix(findings) {
+  const candidates = [];
+  for (const f of findings) {
+    for (const v of f.fixedVersions) candidates.push(v);
+  }
+  if (candidates.length === 0) return null;
+  const unique = [...new Set(candidates)];
+  unique.sort(compareSemver);
+  return unique[unique.length - 1] ?? null;
+}
+function compareSemver(a, b) {
+  const pa = parseSemverParts(a);
+  const pb = parseSemverParts(b);
+  for (let i = 0; i < 3; i++) {
+    const diff = (pa[i] ?? 0) - (pb[i] ?? 0);
+    if (diff !== 0) return diff;
+  }
+  return a.localeCompare(b);
+}
+function parseSemverParts(v) {
+  const m = v.match(/(\d+)\.(\d+)\.(\d+)/);
+  if (!m) return [0, 0, 0];
+  return [Number(m[1]), Number(m[2]), Number(m[3])];
+}
+function truncate2(s, max) {
+  if (s.length <= max) return s;
+  return `${s.slice(0, max - 1)}\u2026`;
+}
+var ANSI_RE = /\u001B\[[0-9;]*m/g;
+function visibleLength(s) {
+  return s.replace(ANSI_RE, "").length;
+}
+function padEndVisible(s, width) {
+  const pad = Math.max(0, width - visibleLength(s));
+  return s + " ".repeat(pad);
+}
+
+// src/cli.ts
+var FAIL_ON_VALUES = [
+  "critical",
+  "high",
+  "moderate",
+  "low",
+  "none"
+];
+var FORMAT_VALUES = ["table", "json"];
+var PM_VALUES = ["npm", "pnpm", "yarn", "bun"];
+var EXIT = {
+  ok: 0,
+  findings: 1,
+  operational: 2,
+  invalidInput: 3
+};
+function parseFailOn(value) {
+  if (!FAIL_ON_VALUES.includes(value)) {
+    throw new InvalidArgumentError(
+      `must be one of: ${FAIL_ON_VALUES.join(", ")}`
+    );
+  }
+  return value;
+}
+function parseFormat(value) {
+  if (!FORMAT_VALUES.includes(value)) {
+    throw new InvalidArgumentError(
+      `must be one of: ${FORMAT_VALUES.join(", ")}`
+    );
+  }
+  return value;
+}
+function parsePm(value) {
+  if (!PM_VALUES.includes(value)) {
+    throw new InvalidArgumentError(`must be one of: ${PM_VALUES.join(", ")}`);
+  }
+  return value;
+}
+var TRAWLY_VERSION = "0.1.0";
+var program = new Command();
+program.name("trawly").description(
+  "Dependency sanity scanner. Checks installed npm packages against the OSV advisory database."
+).version(TRAWLY_VERSION).enablePositionalOptions().exitOverride((err) => {
+  if (err.code === "commander.helpDisplayed" || err.code === "commander.help") {
+    process.exit(EXIT.ok);
+  }
+  if (err.code === "commander.version") process.exit(EXIT.ok);
+  process.exit(EXIT.invalidInput);
+});
+program.command("scan", { isDefault: true }).description(
+  "Scan a project and gate on findings. Exits non-zero when --fail-on is met. Use `inspect` for a log-only run."
+).argument("[path]", "Project directory to scan", ".").option("--lockfile <path>", "Explicit path to package-lock.json").option(
+  "--format <format>",
+  "Output format: table | json",
+  parseFormat,
+  "table"
+).option(
+  "--fail-on <level>",
+  `Exit non-zero when a finding meets this severity (${FAIL_ON_VALUES.join("|")})`,
+  parseFailOn,
+  "high"
+).option("--prod", "Only scan production dependencies (excludes dev)").option("--include-dev", "Include dev dependencies (default)").option("--no-cache", "Bypass any local cache").option(
+  "-v, --details",
+  "Show one row per advisory (full table). Default groups by package."
+).option(
+  "-q, --summary",
+  "Show only the one-line severity summary. Mutually exclusive with --details."
+).action(async (path, opts) => {
+  await runScanCommand(path, opts, { gate: true });
+});
+program.command("inspect").description(
+  "Scan a project and print findings without gating. Always exits 0 unless an operational error occurs. Use `scan` for CI gating."
+).argument("[path]", "Project directory to scan", ".").option("--lockfile <path>", "Explicit path to package-lock.json").option(
+  "--format <format>",
+  "Output format: table | json",
+  parseFormat,
+  "table"
+).option("--prod", "Only scan production dependencies (excludes dev)").option("--include-dev", "Include dev dependencies (default)").option("--no-cache", "Bypass any local cache").option(
+  "-v, --details",
+  "Show one row per advisory (full table). Default groups by package."
+).option(
+  "-q, --summary",
+  "Show only the one-line severity summary. Mutually exclusive with --details."
+).action(async (path, opts) => {
+  await runScanCommand(
+    path,
+    { ...opts, failOn: "none" },
+    { gate: false }
+  );
+});
+program.command("add").description(
+  "Resolve, scan, and install packages. Vulnerable packages are blocked; clean ones are forwarded to your package manager."
+).argument("<args...>", "Packages to add (e.g. next vitest@1) : PM flags after the first package are passed through").option(
+  "--fail-on <level>",
+  `Block install when a finding meets this severity (${FAIL_ON_VALUES.join("|")})`,
+  parseFailOn,
+  "high"
+).option(
+  "--pm <name>",
+  `Force a package manager (${PM_VALUES.join("|")}). Auto-detected by default.`,
+  parsePm
+).option(
+  "--allow-vulnerable",
+  "Install even if vulnerabilities are found (still prints findings)."
+).passThroughOptions().action(async (args, opts) => {
+  await executeAdd(args, opts);
+});
+program.command("install").alias("i").description(
+  "Run the project's package manager install. With package args, behaves like `add` (gates on vulnerabilities). With none, forwards directly."
+).argument("[args...]", "Optional packages to add").option(
+  "--fail-on <level>",
+  `Block install when a finding meets this severity (${FAIL_ON_VALUES.join("|")})`,
+  parseFailOn,
+  "high"
+).option(
+  "--pm <name>",
+  `Force a package manager (${PM_VALUES.join("|")})`,
+  parsePm
+).option("--allow-vulnerable", "Install even if vulnerabilities are found.").passThroughOptions().action(async (args, opts) => {
+  if (args.length === 0) {
+    const pm = detectPackageManager({ override: opts.pm });
+    const command = buildInstallCommand(pm, []);
+    process.stdout.write(
+      kleur4.gray(`> ${command.bin} ${command.args.join(" ")}
+`)
+    );
+    try {
+      const code = await runPackageManager(command);
+      process.exit(code);
+    } catch (err) {
+      printErr(`trawly: ${err.message}`);
+      process.exit(EXIT.operational);
+    }
+  }
+  await executeAdd(args, opts);
+});
+program.command("remove").alias("uninstall").description(
+  "Remove packages by delegating to the project's package manager (no scan)."
+).argument("<args...>", "Packages to remove").option(
+  "--pm <name>",
+  `Force a package manager (${PM_VALUES.join("|")})`,
+  parsePm
+).passThroughOptions().action(async (args, opts) => {
+  const pm = detectPackageManager({ override: opts.pm });
+  const { specs, flags } = splitArgs(args);
+  const command = buildRemoveCommand(pm, specs, flags);
+  process.stdout.write(
+    kleur4.gray(`> ${command.bin} ${command.args.join(" ")}
+`)
+  );
+  try {
+    const code = await runPackageManager(command);
+    process.exit(code);
+  } catch (err) {
+    printErr(`trawly: ${err.message}`);
+    process.exit(EXIT.operational);
+  }
+});
+async function runScanCommand(path, opts, { gate }) {
+  if (opts.prod && opts.includeDev) {
+    printErr("Cannot combine --prod and --include-dev. Choose one.");
+    process.exit(EXIT.invalidInput);
+  }
+  if (opts.details && opts.summary) {
+    printErr("Cannot combine --details and --summary. Choose one.");
+    process.exit(EXIT.invalidInput);
+  }
+  try {
+    const result = await scanProject({
+      cwd: path,
+      lockfile: opts.lockfile,
+      includeDev: opts.includeDev,
+      prodOnly: opts.prod,
+      cache: opts.cache
+    });
+    if (opts.format === "json") {
+      process.stdout.write(`${reportJson(result)}
+`);
+    } else {
+      const view = opts.summary ? "summary" : opts.details ? "details" : "grouped";
+      const brand = process.stdout.isTTY === true;
+      process.stdout.write(`${reportTable(result, { view, brand })}
+`);
+    }
+    if (result.errors.length > 0) {
+      process.exit(EXIT.operational);
+    }
+    if (!gate) {
+      if (opts.format !== "json" && result.findings.length > 0) {
+        process.stdout.write(
+          `${kleur4.gray(
+            "\u2139 inspect mode: exiting 0 regardless of findings. Run `trawly scan` to gate CI."
+          )}
+`
+        );
+      }
+      process.exit(EXIT.ok);
+    }
+    if (meetsThreshold(result.findings, opts.failOn)) {
+      if (opts.format !== "json") {
+        process.stderr.write(
+          `${kleur4.red(
+            `\xD7 Failing because at least one finding meets --fail-on=${opts.failOn}.`
+          )}
+${kleur4.gray(
+            "  Run `trawly inspect` to log without exiting non-zero, or `trawly scan --fail-on=none` to disable the gate."
+          )}
+`
+        );
+      }
+      process.exit(EXIT.findings);
+    }
+    process.exit(EXIT.ok);
+  } catch (err) {
+    if (err instanceof ScanInputError) {
+      printErr(err.message);
+      process.exit(EXIT.invalidInput);
+    }
+    printErr(`trawly: ${err.message}`);
+    process.exit(EXIT.operational);
+  }
+}
+async function executeAdd(args, opts) {
+  try {
+    const result = await runAdd(args, {
+      failOn: opts.failOn,
+      pm: opts.pm,
+      allowVulnerable: opts.allowVulnerable
+    });
+    process.stdout.write(reportAdd(result));
+    if (result.errored.length > 0) process.exit(EXIT.operational);
+    if (result.pmExitCode !== void 0 && result.pmExitCode !== 0) {
+      process.exit(result.pmExitCode);
+    }
+    if (result.blocked.length > 0) process.exit(EXIT.findings);
+    process.exit(EXIT.ok);
+  } catch (err) {
+    printErr(`trawly: ${err.message}`);
+    process.exit(EXIT.operational);
+  }
+}
+function splitArgs(args) {
+  const specs = [];
+  const flags = [];
+  for (const a of args) {
+    if (a.startsWith("-")) flags.push(a);
+    else specs.push(a);
+  }
+  return { specs, flags };
+}
+function printErr(msg) {
+  process.stderr.write(`${kleur4.red(msg)}
+`);
+}
+await program.parseAsync(process.argv);
+//# sourceMappingURL=cli.js.map