trust-npm 0.1.1 → 0.1.2

package/README.md

@@ -38,6 +38,7 @@ This will:
 
 - create/update `.trust-npm.json` from `package-lock.json`
 - persist alias `npm -> trust-npm` in your shell profile
+- add/update `AGENTS.md` with trust-npm usage policy
 
 You can force shell target:
 
@@ -51,7 +52,7 @@ trust-npm init --shell zsh
 
 ### `trust-npm init`
 
-Initializes `.trust-npm.json` using lockfile dependencies and sets a persistent shell alias (`npm -> trust-npm`).
+Initializes `.trust-npm.json`, sets shell alias, and writes agent guidance.
 
 ```bash
 trust-npm init

package/dist/cli.js

@@ -1,7 +1,11 @@
 #!/usr/bin/env node
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const commander_1 = require("commander");
+const package_json_1 = __importDefault(require("../package.json"));
 const init_1 = require("./commands/init");
 const install_1 = require("./commands/install");
 const approve_1 = require("./commands/approve");
@@ -10,7 +14,7 @@ const program = new commander_1.Command();
 program
     .name("trust-npm")
     .description("Secure wrapper around npm install with trust baseline checks")
-    .version("0.1.0");
+    .version(package_json_1.default.version);
 program
     .command("init")
     .description("Create .trust-npm.json and auto-alias npm -> trust-npm")

package/dist/commands/init.js

@@ -24,6 +24,8 @@ async function runInit(options = {}) {
     const storePath = (0, trustStore_1.trustStorePath)(projectRoot);
     console.log(`Initialized trust store: ${storePath}`);
     console.log(`Trusted packages imported: ${trustedFromLockfile.size}`);
+    ensureAgentGuidance(projectRoot);
+    console.log("Agent guidance added: AGENTS.md updated with trust-npm policy.");
     if (!options.skipAlias) {
         const shell = detectShell(options.shell);
         const profilePath = ensureAliasInProfile(shell);
@@ -38,6 +40,27 @@ async function runInit(options = {}) {
         console.log("  Set-Alias npm trust-npm");
     }
 }
+function ensureAgentGuidance(projectRoot) {
+    const agentsPath = path_1.default.join(projectRoot, "AGENTS.md");
+    const startMarker = "<!-- trust-npm policy start -->";
+    const endMarker = "<!-- trust-npm policy end -->";
+    const block = `${startMarker}
+## trust-npm Policy
+
+Use \`trust-npm\` for dependency installs and approvals in this repo.
+
+- Always run \`trust-npm install ...\`, never plain \`npm install ...\`.
+- For blocked packages, use \`trust-npm approve <package>\` only after review.
+- Use \`trust-npm status\` to inspect trust state.
+
+${endMarker}
+`;
+    if (!fs_1.default.existsSync(agentsPath)) {
+        fs_1.default.writeFileSync(agentsPath, `${block}\n`, "utf8");
+        return;
+    }
+    appendBlockIfMissing(agentsPath, startMarker, block);
+}
 function detectShell(requested) {
     if (requested) {
         return requested;

package/dist/core/npm.js

@@ -7,7 +7,11 @@ async function runNpm(args) {
     return new Promise((resolve, reject) => {
         const child = (0, child_process_1.spawn)(npmCommand, args, {
             stdio: "inherit",
-            shell: false
+            shell: false,
+            env: {
+                ...process.env,
+                TRUST_NPM_ACTIVE: "1"
+            }
         });
         child.on("error", (error) => reject(error));
         child.on("close", (code) => resolve(code ?? 1));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trust-npm",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "A safe npm wrapper that blocks untrusted dependencies by default.",
   "type": "commonjs",
   "main": "dist/cli.js",