vanguard-cli 3.0.0

package/.release-it.json

@@ -0,0 +1,27 @@
+{
+    "hooks": {
+        "before:init": [
+            "npm test"
+        ]
+    },
+    "git": {
+        "commitMessage": "chore: release v${version}",
+        "tagName": "v${version}",
+        "requireCleanWorkingDir": true
+    },
+    "github": {
+        "release": true,
+        "releaseName": "v${version}",
+        "tokenRef": "GITHUB_TOKEN"
+    },
+    "npm": {
+        "publish": true,
+        "skipChecks": false
+    },
+    "plugins": {
+        "@release-it/conventional-changelog": {
+            "preset": "angular",
+            "infile": "CHANGELOG.md"
+        }
+    }
+}

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,44 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project maintainers at [your-email-here]. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4

package/CONTRIBUTING.md

@@ -0,0 +1,48 @@
+# Contributing to Vanguard 🛡️
+
+First off, thank you for helping make the software supply chain safer! We welcome contributors of all skill levels.
+
+## 🛡️ Security First
+Vanguard is a security tool. When contributing code, please ensure:
+1. **No new dependencies** are added unless absolutely necessary.
+2. **AI Logic** is updated in `lib/services/scanner.js` with professional prompt engineering if you add new detection capabilities.
+3. **Every new feature** MUST include unit tests in `test/`.
+
+## 🧪 Development Workflow
+1. **Fork & Clone**:
+   ```bash
+   git clone https://github.com/bazobehram/vanguard.git
+   cd vanguard
+   npm install
+   ```
+2. **Standardize**:
+   ```bash
+   npm run format  # Prettier
+   npm run lint    # ESLint Flat Config
+   ```
+3. **Verify**:
+   ```bash
+   npm test               # Run Vitest suite
+   node scripts/qa-wizard.js # Run interactive stress tests
+   ```
+
+## 🧠 Improving Intelligence
+The "Brain" of Vanguard lives in `lib/threats.json` and the `VanguardScanner` system instructions.
+- If you find a bypass, please submit a PR with an updated prompt or threat signature.
+- Specify which model you tested with (e.g., Gemini 2.0, Qwen 2.5 7B).
+
+## 🚀 How to Release
+Maintainers can trigger a synchronized release (Version bump, Tags, GitHub Release, Changelog, and NPM) using:
+
+1. **Ensure environment**: You must have a `GITHUB_TOKEN` with `repo` permissions in your shell.
+2. **Execute**:
+   ```bash
+   npm run release
+   ```
+3. **Dry Run**: To verify changes without side effects:
+   ```bash
+   npm run release:dry
+   ```
+
+---
+☕ Support the research: [Buy Me a Coffee](https://buymeacoffee.com/bazobehram)

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Behram Bazo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,99 @@
+<div align="center">
+
+# 🛡️ Vanguard: AI Supply Chain Firewall
+### The Enterprise-Grade Security Layer for Git
+
+[![npm version](https://img.shields.io/npm/v/vanguard-cli.svg?style=flat-square)](https://www.npmjs.com/package/vanguard-cli)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)
+[![AI Power](https://img.shields.io/badge/AI-Gemini%202.0%20%7C%20Ollama-blue?style=flat-square)](https://deepmind.google/technologies/gemini/)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/bazobehram/vanguard/ci.yml?style=flat-square)](https://github.com/bazobehram/vanguard/actions)
+
+<p align="center">
+  <b>Intercepts</b> <code>git clone</code> & <code>git pull</code> to detect malware, backdoors, and vulnerabilities <br>
+  <b>BEFORE</b> they reach your disk. Powered by Hybrid Intelligence.
+</p>
+
+[Installation](#-installation) • [Quick Start](#-quick-start) • [How It Works](#🏗️-architecture) • [Configuration](#⚙️-configuration)
+
+</div>
+
+---
+
+## 🚀 Why Vanguard?
+
+Modern software supply chain attacks are sophisticated. Traditional antiviruses miss them. **Vanguard** acts as a firewall between the internet and your codebase.
+
+*   🧠 **Hybrid Intelligence:** Combines **Google Gemini 2.0**'s reasoning with a curated **Threat Intelligence DB** and **OSV.dev** vulnerability data.
+*   ⚡ **Zero-Latency Caching:** Uses SHA-256 hashing to memorize safe files. Re-scanning a project takes milliseconds.
+*   🔒 **Privacy First:** Supports **Local Ollama**. Your code never leaves your machine if you choose local models.
+*   🛡️ **Proactive Defense:** It doesn't just scan; it intercepts Git commands to prevent bad code from reaching your machine.
+
+---
+
+## 🏗️ Architecture
+
+Vanguard operates as a protective layer between your command line and the remote repository, combining local heuristics with global intelligence.
+
+```mermaid
+graph TD
+    User["User Command (clone/pull)"] --> CLI["Vanguard CLI"]
+    CLI --> Cache{"Cache Check (SHA-256)"}
+    Cache -- "Hit (Safe)" --> Finish["Verdict: PASS"]
+    Cache -- "Miss" --> Sync["Sync Intelligence"]
+    Sync --> DB["GitHub Threat DB"]
+    Sync --> OSV["OSV.dev API"]
+    DB --> Analysis["AI Analysis"]
+    OSV --> Analysis
+    Analysis -- "Gemini 2.0 / Ollama" --> Verdict{"Verdict"}
+    Verdict -- "Malicious" --> Block["Verdict: BLOCK"]
+    Verdict -- "Clean" --> SaveCache["Save to Cache"]
+    SaveCache --> Finish
+```
+
+---
+
+## 📦 Installation
+
+Ensure you have Node.js (v18+) installed.
+
+```bash
+npm install -g vanguard-cli
+```
+
+---
+
+## 🚀 Quick Start
+
+### ⚙️ Configuration
+Setup your Gemini API key or local Ollama endpoint:
+```bash
+vanguard config
+```
+
+### 📥 Secure Clone
+Audit and clone any repository in a single command. Vanguard isolates the repo in a sandbox first.
+```bash
+vanguard clone <repository-url>
+```
+
+### 🔄 Secure Pull
+Safely update your local codebase. Vanguard audits the diff before merging.
+```bash
+vanguard pull
+```
+
+---
+
+## 🤝 Contribution
+
+We welcome contributors! Please see our [CONTRIBUTING.md](CONTRIBUTING.md) for local setup instructions and the [CODE_OF_CONDUCT.md](CODE_of_CONDUCT.md) for community guidelines.
+
+## 🔐 Security
+
+To report a vulnerability or an exploit bypass, please follow the protocol in [SECURITY.md](SECURITY.md).
+
+---
+
+## ⚖️ License
+
+MIT © 2026 [Behram Bazo](https://github.com/bazob)

package/SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy 🛡️
+
+## Supported Versions
+
+We provide security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.0.x   | ✅ Yes             |
+| 2.x.x   | ❌ No              |
+| 1.x.x   | ❌ No              |
+
+## Reporting a Vulnerability
+
+Vanguard is a security tool designed to protect developers. We take security vulnerabilities very seriously.
+
+**If you discover a vulnerability or an exploit bypass, please DO NOT open a public issue.**
+
+Instead, please report it privately via email to:
+**[behrambazo@gmail.com](mailto:behrambazo@gmail.com)**
+
+Please include:
+- A detailed description of the vulnerability.
+- Steps to reproduce (a Proof of Concept).
+- Possible remediation steps if known.
+
+We will acknowledge your report within 48 hours and provide a timeline for a patch.
+
+## Disclosure Policy
+
+- We follow a responsible disclosure policy.
+- We ask you not to share the vulnerability publicly until we have had a chance to fix it and release a security advisory.
+
+Thank you for helping us keep Vanguard secure! 🦾🛡️

package/bin/vanguard.js

@@ -0,0 +1,67 @@
+#!/usr/bin/env node
+
+import { Command } from 'commander';
+import inquirer from 'inquirer';
+import { runConfigWizard } from '../lib/commands/config.js';
+import { handlePull, handleClone } from '../lib/commands/scan.js';
+import { showBanner, showFooter } from '../lib/utils/ui.js';
+import config from '../lib/utils/config.js';
+
+const program = new Command();
+
+async function handleAction(actionName, logicFn) {
+    showBanner();
+    const options = program.opts();
+    config.set('VERBOSE', !!options.verbose);
+
+    const { proceed } = await inquirer.prompt([
+        {
+            type: 'confirm',
+            name: 'proceed',
+            message: `🛡️ Vanguard Enterprise Edition detected a ${actionName}. Activate Hybrid Intelligence?`,
+            default: true,
+        },
+    ]);
+
+    if (!proceed) {
+        console.log('⚠️  Skipping protection. Proceeding at your own risk.');
+        return;
+    }
+
+    if (config.get('AI_PROVIDER') === 'gemini' && !config.get('GEMINI_KEY')) {
+        console.log('❌ Gemini not configured.');
+        await runConfigWizard();
+    }
+
+    await logicFn();
+    showFooter();
+}
+
+program
+    .name('vanguard')
+    .description('Enterprise-Grade AI Supply Chain Firewall')
+    .version('3.0.0-enterprise')
+    .option('-m, --model <name>', 'Override AI model')
+    .option('-v, --verbose', 'Show verbose connection logs')
+    .option('--clear-cache', 'Flush local audit cache');
+
+program.command('config').description('Configure AI providers').action(runConfigWizard);
+
+program
+    .command('pull')
+    .description('Audit and pull upstream changes')
+    .option('-f, --force', 'Force merge even if threats are detected')
+    .action(async (cmdOptions) => {
+        await handleAction('PULL', () => handlePull(cmdOptions, program.opts()));
+    });
+
+program
+    .command('clone')
+    .description('Deep audit a repository during clone')
+    .argument('<url>', 'Git URL')
+    .argument('[directory]', 'Target directory')
+    .action(async (url, directory) => {
+        await handleAction('CLONE', () => handleClone(url, directory, program.opts()));
+    });
+
+program.parse(process.argv);

package/lib/commands/config.js

@@ -0,0 +1,81 @@
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import config from '../utils/config.js';
+import { createSpinner } from '../utils/spinner.js';
+import { showBanner } from '../utils/ui.js';
+
+export async function runConfigWizard() {
+    showBanner();
+    console.log('🛰️  Vanguard Configuration Wizard\n');
+
+    const { providerSelection } = await inquirer.prompt([
+        {
+            type: 'list',
+            name: 'providerSelection',
+            message: 'Select AI Provider:',
+            choices: [
+                { name: 'Google Gemini 2.0 (Cloud - Fast & Smart)', value: 'gemini' },
+                { name: 'Local Ollama (Private - Offline)', value: 'ollama' },
+            ],
+        },
+    ]);
+
+    config.set('AI_PROVIDER', providerSelection);
+
+    if (providerSelection === 'gemini') {
+        const { apiKey } = await inquirer.prompt([
+            {
+                type: 'password',
+                name: 'apiKey',
+                message: 'Enter your Gemini API Key:',
+                default: config.get('GEMINI_KEY'),
+                validate: (val) => val.length > 0 || 'Key is required',
+            },
+        ]);
+        config.set('GEMINI_KEY', apiKey);
+        console.log('✅ Gemini 2.0 configured and saved.');
+    } else {
+        const spinner = createSpinner('🔍 Detecting local Ollama models...').start();
+        try {
+            const res = await fetch(`${config.get('OLLAMA_URL')}/api/tags`);
+            if (!res.ok) throw new Error();
+            const data = await res.json();
+            spinner.stop();
+
+            const models = data.models.map((m) => m.name);
+            if (models.length === 0) {
+                console.log('❌ No local models found. Run "ollama pull qwen2.5-coder" first.');
+                return;
+            }
+
+            console.log(
+                chalk.blue('\n💡 Tip: For security auditing, we recommend models with strong coding logic.')
+            );
+            console.log(chalk.dim('   Recommended: qwen2.5-coder (7b+), codellama, llama3.1 (8b+)\n'));
+
+            const choices = models.map((name) => {
+                const isRecommended = ['qwen', 'llama3', 'coder', 'deepseek'].some((kw) =>
+                    name.toLowerCase().includes(kw)
+                );
+                return {
+                    name: isRecommended ? `${name} ${chalk.green.bold('(Recommended)')}` : name,
+                    value: name,
+                };
+            });
+
+            const { model } = await inquirer.prompt([
+                {
+                    type: 'list',
+                    name: 'model',
+                    message: 'Select your preferred local model:',
+                    choices: choices,
+                    default: config.get('OLLAMA_MODEL'),
+                },
+            ]);
+            config.set('OLLAMA_MODEL', model);
+            console.log(`✅ Ollama configured with model: ${model}`);
+        } catch {
+            spinner.fail('❌ Ollama not detected. Run "ollama serve" first.');
+        }
+    }
+}

package/lib/commands/scan.js

@@ -0,0 +1,135 @@
+import fs from 'fs/promises';
+import path from 'path';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { createSpinner } from '../utils/spinner.js';
+import { showAlert } from '../utils/ui.js';
+import { VanguardScanner } from '../services/scanner.js';
+import { IntelligenceEngine } from '../services/intelligence.js';
+import { CacheManager } from '../utils/cache.js';
+import { walkProject } from '../utils/walker.js';
+import {
+    fetchUpstream,
+    getUpstreamDiff,
+    mergeUpstream,
+    createSandboxClone,
+    finalizeClone,
+    cleanupSandbox,
+} from '../services/git.js';
+
+export async function handlePull(cmdOptions, programOptions) {
+    if (programOptions.clearCache) CacheManager.clear();
+
+    const intel = new IntelligenceEngine(programOptions.verbose);
+    const spinner = createSpinner('🚀 Syncing intelligence & probing connections...').start();
+
+    const pkgContent = await fs.readFile(path.join(process.cwd(), 'package.json'), 'utf-8').catch(() => null);
+    const context = await intel.sync(pkgContent);
+
+    spinner.text = '🔍 Auditing diff for supply chain threats...';
+    await fetchUpstream();
+    const diff = await getUpstreamDiff();
+
+    if (!diff || diff.trim() === '') {
+        spinner.succeed('✅ No upstream changes to audit.');
+        await mergeUpstream();
+        return;
+    }
+
+    const scanner = new VanguardScanner(programOptions.model, context);
+    const analysis = await scanner.scan('git_diff', diff);
+    spinner.stop();
+
+    showAlert(analysis);
+
+    if (analysis.verdict === 'SAFE') {
+        console.log('✅ Integrity verified. Merging changes.');
+        await mergeUpstream();
+    } else {
+        const { force } = cmdOptions.force
+            ? { force: true }
+            : await inquirer.prompt([
+                {
+                    type: 'confirm',
+                    name: 'force',
+                    message: '⚠️ BLOCK VERDICT. Force override merge?',
+                    default: false,
+                },
+            ]);
+        if (force) {
+            await mergeUpstream();
+            console.log('🎉 Forced merge completed.');
+        } else {
+            console.log('❌ Operation aborted to protect your codebase.');
+        }
+    }
+}
+
+export async function handleClone(url, directory, programOptions) {
+    const targetPath = directory || path.basename(url, '.git');
+
+    const intel = new IntelligenceEngine(programOptions.verbose);
+    const spinner = createSpinner('⬇️  Isolating repository in sandbox...').start();
+
+    const tempPath = await createSandboxClone(url);
+    spinner.text = '🔄 Building intelligence & dependency map...';
+
+    const pkgContent = await fs.readFile(path.join(tempPath, 'package.json'), 'utf-8').catch(() => null);
+    const context = await intel.sync(pkgContent);
+
+    const files = await walkProject(tempPath);
+    spinner.stop();
+
+    console.log(chalk.cyan(`\n📑 Batch Audit: ${files.length} files identified.`));
+
+    const scanner = new VanguardScanner(programOptions.model, context);
+    let finalVerdict = 'SAFE';
+    let allThreats = [];
+    let cachedCount = 0;
+    let skippedCount = 0;
+
+    const scanSpinner = createSpinner(`🧠 Auditing ${files.length} files...`).start();
+
+    for (const file of files) {
+        const stats = await fs.stat(file);
+
+        // Enterprise Filtering
+        if (scanner.shouldSkip(file, stats)) {
+            skippedCount++;
+            continue;
+        }
+
+        const content = await fs.readFile(file, 'utf-8').catch(() => '');
+        const cached = CacheManager.check(file, content);
+
+        if (cached) {
+            cachedCount++;
+            continue;
+        }
+
+        const result = await scanner.scan(file, content);
+        if (result.verdict === 'BLOCK') {
+            finalVerdict = 'BLOCK';
+            allThreats.push(
+                ...result.threats.map((t) => ({ ...t, file: path.relative(tempPath, file) }))
+            );
+        } else {
+            CacheManager.save(file, content, 'SAFE');
+        }
+    }
+
+    scanSpinner.succeed(`Audit Complete: ${files.length} identified (${cachedCount} cached, ${skippedCount} skipped).`);
+
+    if (finalVerdict === 'BLOCK') {
+        showAlert({
+            verdict: 'BLOCK',
+            risk_score: 99,
+            threats: allThreats,
+            summary: 'Enterprise Deep Audit identified multiple high-risk vectors.',
+        });
+        await cleanupSandbox(tempPath);
+    } else {
+        console.log(chalk.green(`\n✅ Deep Audit Passed. Finalizing clone to ${targetPath}...`));
+        await finalizeClone(tempPath, targetPath);
+    }
+}

package/lib/services/git.js

@@ -0,0 +1,72 @@
+import simpleGit from 'simple-git';
+import path from 'path';
+import fs from 'fs/promises';
+
+
+export const git = simpleGit();
+
+/**
+ * Fetches changes from upstream without merging.
+ */
+export async function fetchUpstream() {
+  await git.fetch();
+}
+
+/**
+ * Gets the diff string for scanning.
+ */
+export async function getUpstreamDiff() {
+  // Compare HEAD vs FETCH_HEAD (which is what was just fetched)
+  return await git.diff(['HEAD..FETCH_HEAD']);
+}
+
+/**
+ * Merges FETCH_HEAD into the current branch.
+ */
+export async function mergeUpstream() {
+  await git.merge(['FETCH_HEAD']);
+}
+
+/**
+ * Clones into a temporary sandbox.
+ */
+export async function createSandboxClone(url) {
+  const tempPath = path.join(process.cwd(), '.vanguard_temp');
+
+  // Cleanup if exists
+  await fs.rm(tempPath, { recursive: true, force: true }).catch(() => { });
+  await fs.mkdir(tempPath, { recursive: true });
+
+  const tempGit = simpleGit(tempPath);
+  await tempGit.clone(url, '.');
+  return tempPath;
+}
+
+/**
+ * Moves files from sandbox to target and cleans up.
+ * Improved for Windows EPERM stability.
+ */
+export async function finalizeClone(tempPath, targetPath) {
+  const absTemp = path.resolve(tempPath);
+  const absTarget = path.resolve(targetPath);
+
+  try {
+    await fs.rename(absTemp, absTarget);
+  } catch (e) {
+    if (e.code === 'EPERM' || e.code === 'EXDEV' || e.code === 'EACCES') {
+      // Fallback: Force purge target if it exists, then copy
+      await fs.rm(absTarget, { recursive: true, force: true }).catch(() => { });
+      await fs.cp(absTemp, absTarget, { recursive: true, force: true });
+      await fs.rm(absTemp, { recursive: true, force: true });
+    } else {
+      throw e;
+    }
+  }
+}
+
+/**
+ * Completely removes the sandbox.
+ */
+export async function cleanupSandbox(tempPath) {
+  await fs.rm(tempPath, { recursive: true, force: true }).catch(() => { });
+}

package/lib/services/intelligence.js

@@ -0,0 +1,89 @@
+import fetch from 'node-fetch';
+import chalk from 'chalk';
+import Table from 'cli-table3';
+
+const THREAT_DB_URL = 'https://raw.githubusercontent.com/bazobehram/vanguard-db/main/threats.json';
+
+export class IntelligenceEngine {
+  constructor(verbose = false) {
+    this.verbose = verbose;
+    this.curatedRules = [];
+    this.vulnerabilities = [];
+  }
+
+  async sync(pkgJson = null) {
+    await Promise.allSettled([this.fetchCuratedRules(), this.queryOSV(pkgJson)]);
+
+    return this.generateContext();
+  }
+
+  async fetchCuratedRules() {
+    try {
+      if (this.verbose) console.log(chalk.dim(`📡 Fetching threat DB from: ${THREAT_DB_URL}`));
+      const res = await fetch(THREAT_DB_URL, { timeout: 5000 });
+      if (!res.ok) throw new Error(`HTTP ${res.status}`);
+
+      const data = await res.json();
+      this.curatedRules = data.ai_instructions || [];
+
+      console.log(
+        chalk.green(
+          `  ✔ Threat DB Sync: ${this.curatedRules.length} rules loaded (Version: ${data.version || 'v1'})`
+        )
+      );
+    } catch {
+      console.log(chalk.yellow('  ⚠️ Using Local Rules Only (Offline Fallback)'));
+    }
+  }
+
+  async queryOSV(pkgJson) {
+    if (!pkgJson) return;
+    try {
+      const pkg = JSON.parse(pkgJson);
+      const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+      const queries = Object.entries(deps).map(([name, version]) => ({
+        package: { name, ecosystem: 'npm' },
+        version: version.replace(/[\^~]/g, ''),
+      }));
+
+      if (queries.length === 0) return;
+
+      const res = await fetch('https://api.osv.dev/v1/querybatch', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ queries: queries.slice(0, 50) }),
+      });
+
+      const data = await res.json();
+
+      const table = new Table({
+        head: [chalk.cyan('Dependency'), chalk.cyan('Status'), chalk.cyan('Vulnerabilities')],
+        colWidths: [20, 10, 20],
+      });
+
+      data.results.forEach((r, i) => {
+        const depName = queries[i].package.name;
+        table.push([depName, res.status, r.vulns ? chalk.red(r.vulns.length) : chalk.green('0')]);
+        if (r.vulns) this.vulnerabilities.push(...r.vulns);
+      });
+
+      console.log(chalk.bold('\n📦 OSV.dev Dependency Audit:'));
+      console.log(table.toString());
+    } catch (e) {
+      if (this.verbose) console.log(chalk.red(`  ✘ OSV Audit Failed: ${e.message}`));
+    }
+  }
+
+  generateContext() {
+    let ctx = '\n### 🚨 LIVE THREAT INTELLIGENCE:\n';
+    if (this.curatedRules.length > 0) {
+      ctx += 'Curated Rules:\n' + this.curatedRules.map((r) => `- ${r}`).join('\n') + '\n';
+    }
+    if (this.vulnerabilities.length > 0) {
+      ctx +=
+        'Known Vulnerabilities in dependencies:\n' +
+        this.vulnerabilities.map((v) => `- ${v.id}: ${v.summary}`).join('\n');
+    }
+    return ctx;
+  }
+}

package/lib/services/scanner.js

@@ -0,0 +1,155 @@
+import { GoogleGenerativeAI } from '@google/generative-ai';
+import config from '../utils/config.js';
+import fetch from 'node-fetch';
+import fs from 'fs/promises';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import chalk from 'chalk';
+import pLimit from 'p-limit';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const THREATS_PATH = path.join(__dirname, '../threats.json');
+
+const limit = pLimit(3); // Enterprise concurrency limit: 3 files at a time
+
+export class VanguardScanner {
+  constructor(modelOverride, intelligenceContext = '') {
+    this.provider = config.get('AI_PROVIDER');
+    this.modelOverride = modelOverride;
+    this.intelligenceContext = intelligenceContext;
+  }
+
+  /**
+   * Enterprise Filtering Logic: Skip binaries, images, and massive files.
+   */
+  shouldSkip(filePath, stats) {
+    const ext = path.extname(filePath).toLowerCase();
+    const binaryExtensions = [
+      '.exe',
+      '.dll',
+      '.so',
+      '.bin',
+      '.png',
+      '.jpg',
+      '.jpeg',
+      '.gif',
+      '.pdf',
+      '.zip',
+      '.gz',
+    ];
+
+    if (binaryExtensions.includes(ext)) return true;
+    if (stats.size > 100 * 1024) return true; // 100KB limit
+    if (filePath.includes('node_modules')) return true;
+
+    return false;
+  }
+
+  async getSystemInstruction() {
+    const threatsData = await fs.readFile(THREATS_PATH, 'utf-8');
+    const threats = JSON.parse(threatsData);
+
+    const categoriesListing = threats
+      .map((t, i) => `${i + 1}. **${t.name}:** ${t.description}`)
+      .join('\n');
+
+    return `
+You are a Senior Security Architect & Auditor. YOUR MISSION: Prevent Supply Chain Attacks.
+Analyze the provided code/diff with extreme scrutiny.
+
+YOU MUST BLOCK IF YOU DETECT ANY OF THESE CATEGORIES:
+${categoriesListing}
+
+${this.intelligenceContext}
+
+TASK: Combine the code analysis with the latest intelligence and vulnerability data above.
+If OSV reports a critical vulnerability or the remote rules flag a new pattern, YOU MUST VERDICT: BLOCK.
+
+JSON OUTPUT RULES:
+- risk_score: 0-100 (Be aggressive).
+- verdict: "BLOCK" (if risk found) or "SAFE".
+- threats: Array of objects: { "file": "filename", "line": number, "threat": "category", "reason": "why" }
+- summary: Clear high-level explanation for a developer.
+
+RESPONSE FORMAT (JSON ONLY):
+{ "risk_score": 95, "verdict": "BLOCK", "threats": [{ "file": "lib/utils.js", "line": 42, "threat": "Secret Exfiltration", "reason": "Accesses .env and sends to remote server." }], "summary": "Critical vulnerability found." }
+`;
+  }
+
+  async scan(filePath, content) {
+    return limit(() => this.scanWithRetry(filePath, content));
+  }
+
+  async scanWithRetry(filePath, content, retries = 3) {
+    for (let i = 0; i < retries; i++) {
+      try {
+        if (this.provider === 'gemini') {
+          return await this.scanWithGemini(content);
+        } else {
+          return await this.scanWithOllama(content);
+        }
+      } catch (error) {
+        const isRateLimit =
+          error.message.includes('429') || error.message.includes('Too Many Requests');
+        if (isRateLimit && i < retries - 1) {
+          const delay = Math.pow(2, i) * 1000;
+          if (config.get('VERBOSE'))
+            console.log(chalk.yellow(`  ⚠ Rate limited. Retrying in ${delay}ms...`));
+          await new Promise((res) => setTimeout(res, delay));
+          continue;
+        }
+        throw error;
+      }
+    }
+  }
+
+  async scanWithGemini(content) {
+    const apiKey = config.get('GEMINI_KEY');
+    if (!apiKey) throw new Error('Gemini API Key missing. Run "vanguard config"');
+
+    const genAI = new GoogleGenerativeAI(apiKey);
+    const model = genAI.getGenerativeModel({ model: 'gemini-2.0-flash-exp' });
+    const instruction = await this.getSystemInstruction();
+
+    const result = await model.generateContent({
+      contents: [
+        { role: 'user', parts: [{ text: `${instruction}\n\nFILE CONTENT:\n${content}` }] },
+      ],
+    });
+
+    const response = await result.response;
+    return this.parseResponse(response.text());
+  }
+
+  async scanWithOllama(content) {
+    const model = this.modelOverride || config.get('OLLAMA_MODEL');
+    const url = `${config.get('OLLAMA_URL')}/api/generate`;
+    const instruction = await this.getSystemInstruction();
+
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        model: model,
+        prompt: `${instruction}\n\nFILE CONTENT:\n${content}`,
+        stream: false,
+        format: 'json',
+      }),
+    });
+
+    if (!response.ok) throw new Error(`Ollama error: ${response.statusText}`);
+    const data = await response.json();
+    return this.parseResponse(data.response);
+  }
+
+  parseResponse(text) {
+    try {
+      const start = text.indexOf('{');
+      const end = text.lastIndexOf('}');
+      if (start === -1 || end === -1) throw new Error('No JSON object found');
+      return JSON.parse(text.substring(start, end + 1));
+    } catch (e) {
+      throw new Error(`Invalid AI JSON format: ${e.message}`);
+    }
+  }
+}

package/lib/threats.json

@@ -0,0 +1,57 @@
+[
+  {
+    "id": "CREDENTIAL_HYGIENE",
+    "name": "Secret Exfiltration",
+    "description": "Detection of hardcoded secrets (.env, API keys, SSH keys) being accessed and transmitted to external endpoints (Credential Hygiene Abuse)."
+  },
+  {
+    "id": "FINANCIAL_FRAUD",
+    "name": "Web3/Wallet Draining",
+    "description": "Unauthorized access to cryptocurrency wallets (window.ethereum, private keys) or triggering of fraudulent transactions."
+  },
+  {
+    "id": "DATA_HARVESTING",
+    "name": "Spyware/Harvesting",
+    "description": "Unnecessary collection of system metadata, user information, browser history, or network topology (Information Gathering)."
+  },
+  {
+    "id": "PIPELINE_POISONING",
+    "name": "Malicious Installers",
+    "description": "Abuse of package lifecycle scripts (postinstall, preinstall) to download and execute arbitrary remote binaries (PPE)."
+  },
+  {
+    "id": "DETECTION_EVASION",
+    "name": "Obfuscation & Evasion",
+    "description": "Heavy use of eval(), nested encoding (Base64/Hex), or polymorphic code designed to bypass static analysis and firewalls."
+  },
+  {
+    "id": "REVERSE_SHELL",
+    "name": "Reverse Shells/Backdoors",
+    "description": "Opening outbound persistent connections (sockets, SSH) or spawning interactive shells to remote Command & Control (C2) servers."
+  },
+  {
+    "id": "DEPENDENCY_ABUSE",
+    "name": "Dependency Hijacking/Confusion",
+    "description": "Exploiting package manager resolution to inject malicious versions of private or public dependencies (Dependency Chain Abuse)."
+  },
+  {
+    "id": "SYSTEM_PERSISTENCE",
+    "name": "Persistence Mechanisms",
+    "description": "Attempts to establish long-term access by modifying startup scripts, Cron jobs, systemd units, or OS registries."
+  },
+  {
+    "id": "GATED_EXECUTION",
+    "name": "Logic/Time Bombs",
+    "description": "Gating malicious activity behind specific dates, system conditions, or external triggers to evade initial analysis."
+  },
+  {
+    "id": "IMPACT_DESTRUCTION",
+    "name": "Ransomware/Wiping",
+    "description": "Unauthorized mass modification, encryption (Ransomware), or deletion (Wiping) of localized data and configurations."
+  },
+  {
+    "id": "QA_MOCK_THREAT",
+    "name": "QA Mock Threat (PROJECT_OMEGA)",
+    "description": "A specialized signature for manual QA stress testing. Verifies that the audit engine can target and block specific strings used in behavioral simulations."
+  }
+]

package/lib/utils/cache.js

@@ -0,0 +1,42 @@
+import crypto from 'crypto';
+import Conf from 'conf';
+
+const cacheStore = new Conf({ projectName: 'vanguard-enterprise-cache' });
+
+export class CacheManager {
+  /**
+   * Calculate SHA-256 hash of file content.
+   */
+  static getHash(content) {
+    return crypto.createHash('sha256').update(content).digest('hex');
+  }
+
+  /**
+   * Check if file is already verified as SAFE.
+   */
+  static check(filePath, content) {
+    const hash = this.getHash(content);
+    const cached = cacheStore.get(hash);
+
+    if (cached && cached.verdict === 'SAFE') {
+      return cached;
+    }
+    return null;
+  }
+
+  /**
+   * Save verification verdict for a file hash.
+   */
+  static save(filePath, content, verdict) {
+    const hash = this.getHash(content);
+    cacheStore.set(hash, {
+      path: filePath,
+      verdict,
+      timestamp: Date.now(),
+    });
+  }
+
+  static clear() {
+    cacheStore.clear();
+  }
+}

package/lib/utils/config.js

@@ -0,0 +1,25 @@
+import Conf from 'conf';
+
+const schema = {
+  AI_PROVIDER: {
+    type: 'string',
+    default: 'gemini',
+    enum: ['gemini', 'ollama'],
+  },
+  GEMINI_KEY: {
+    type: 'string',
+    default: '',
+  },
+  OLLAMA_MODEL: {
+    type: 'string',
+    default: 'qwen2.5:7b',
+  },
+  OLLAMA_URL: {
+    type: 'string',
+    default: 'http://localhost:11434',
+  },
+};
+
+const config = new Conf({ projectName: 'vanguard', schema });
+
+export default config;

package/lib/utils/logger.js

@@ -0,0 +1,13 @@
+import chalk from 'chalk';
+
+const VERBOSE = process.env.VANGUARD_VERBOSE === 'true';
+
+export const logger = {
+  info: (msg) => console.log(chalk.blue(`ℹ ${msg}`)),
+  success: (msg) => console.log(chalk.green(`✔ ${msg}`)),
+  warn: (msg) => console.log(chalk.yellow(`⚠ ${msg}`)),
+  error: (msg) => console.log(chalk.red(`✘ ${msg}`)),
+  debug: (msg) => {
+    if (VERBOSE) console.log(chalk.dim(`DEBUG: ${msg}`));
+  },
+};

package/lib/utils/spinner.js

@@ -0,0 +1,9 @@
+import ora from 'ora';
+
+export function createSpinner(text) {
+    return ora({
+        text: text,
+        color: 'yellow',
+        spinner: 'dots',
+    });
+}

package/lib/utils/ui.js

@@ -0,0 +1,68 @@
+import figlet from 'figlet';
+import chalk from 'chalk';
+import boxen from 'boxen';
+import ora from 'ora';
+
+export function showBanner() {
+  console.log(chalk.cyan(figlet.textSync('VANGUARD', { horizontalLayout: 'full' })));
+  console.log(chalk.dim('🛡️  Software Supply Chain Firewall | AI-Powered Security 🛡️\n'));
+}
+
+export function showAlert(analysis) {
+  const color = analysis.verdict === 'BLOCK' ? 'red' : 'green';
+  const title = analysis.verdict === 'BLOCK' ? '⚠️ HIGH RISK DETECTED' : '✅ SAFE';
+
+  const threats = analysis.threats || [];
+  const riskScore = analysis.risk_score ?? analysis.riskScore ?? 0;
+  const verdict = analysis.verdict || 'UNKNOWN';
+  const summary = analysis.summary || 'No summary provided.';
+
+  const content = [
+    chalk.bold(`Verdict: ${verdict}`),
+    chalk.bold(`Risk Score: ${riskScore}/100`),
+    '',
+    chalk.bold('🚨 Detailed Threat Audit:'),
+    ...(threats.length > 0
+      ? threats.map((t) => {
+        const loc = t.file ? chalk.yellow(`[${t.file}${t.line ? `:${t.line}` : ''}] `) : '';
+        const tag = t.threat ? chalk.red(`(${t.threat})`) : '';
+        return `• ${loc}${tag}\n  ${chalk.dim(t.reason || t)}`;
+      })
+      : [chalk.dim('• No targeted threats identified.')]),
+    '',
+    chalk.bold('📝 Auditor Summary:'),
+    summary,
+  ].join('\n');
+
+  console.log(
+    boxen(content, {
+      padding: 1,
+      margin: 1,
+      borderStyle: 'double',
+      borderColor: color,
+      title: title,
+      titleAlignment: 'center',
+    })
+  );
+}
+
+
+
+export function showFooter() {
+  console.log(
+    chalk.dim('\n----------------------------------------------------------------------')
+  );
+  console.log(
+    chalk.yellow('⭐ Star on GitHub: ') + chalk.underline('https://github.com/bazob/vanguard')
+  );
+  console.log(
+    chalk.green('🤝 Contribute: ') + chalk.underline('https://github.com/bazob/vanguard/pulls')
+  );
+  console.log(
+    chalk.cyan('☕ Support the project: ') +
+    chalk.underline('https://www.buymeacoffee.com/bazobehram')
+  );
+  console.log(
+    chalk.dim('----------------------------------------------------------------------\n')
+  );
+}

package/lib/utils/walker.js

@@ -0,0 +1,39 @@
+import fs from 'fs/promises';
+import path from 'path';
+
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', 'venv', '.env'];
+const IGNORE_EXTENSIONS = [
+  '.png',
+  '.jpg',
+  '.jpeg',
+  '.gif',
+  '.svg',
+  '.mp4',
+  '.zip',
+  '.exe',
+  '.dll',
+  '.lock',
+];
+const MAX_FILE_SIZE = 100 * 1024; // 100KB
+
+export async function walkProject(dir) {
+  let results = [];
+  const list = await fs.readdir(dir);
+
+  for (const file of list) {
+    const fullPath = path.join(dir, file);
+    const stat = await fs.stat(fullPath);
+
+    if (stat.isDirectory()) {
+      if (IGNORE_DIRS.includes(file)) continue;
+      results = results.concat(await walkProject(fullPath));
+    } else {
+      const ext = path.extname(file).toLowerCase();
+      if (IGNORE_EXTENSIONS.includes(ext)) continue;
+      if (stat.size > MAX_FILE_SIZE) continue;
+      results.push(fullPath);
+    }
+  }
+
+  return results;
+}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "vanguard-cli",
+  "version": "3.0.0",
+  "description": "AI-Powered Supply Chain Firewall for Git",
+  "type": "module",
+  "bin": {
+    "vanguard": "./bin/vanguard.js"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "format": "prettier --write .",
+    "lint": "eslint .",
+    "release": "release-it",
+    "release:dry": "release-it --dry-run"
+  },
+  "keywords": [],
+  "author": "Behram Bazo",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/bazob/vanguard.git"
+  },
+  "dependencies": {
+    "@google/generative-ai": "^0.21.0",
+    "boxen": "^8.0.1",
+    "chalk": "^4.1.2",
+    "cli-table3": "^0.6.5",
+    "commander": "^13.1.0",
+    "conf": "^12.0.0",
+    "crypto-js": "^4.2.0",
+    "figlet": "^1.8.0",
+    "inquirer": "^8.2.4",
+    "node-fetch": "^2.7.0",
+    "ora": "^8.1.1",
+    "p-limit": "^7.2.0",
+    "simple-git": "^3.27.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.39.2",
+    "@release-it/conventional-changelog": "^10.0.4",
+    "eslint": "^9.39.2",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-node": "^11.1.0",
+    "globals": "^17.1.0",
+    "nock": "^14.0.10",
+    "prettier": "^3.8.1",
+    "release-it": "^19.2.4",
+    "vitest": "^4.0.18"
+  }
+}