xploitscan 1.0.2 → 1.0.4

package/dist/{api-ZNWEMMEL.js → api-HTHCG6QE.js}

@@ -12,7 +12,7 @@ import {
   storeToken,
   syncUser,
   uploadScanResults
-} from "./chunk-IHRV7UHG.js";
+} from "./chunk-RJUUWD2F.js";
 export {
   checkUsage,
   clearProRulesCache,
@@ -27,4 +27,4 @@ export {
   syncUser,
   uploadScanResults
 };
-//# sourceMappingURL=api-ZNWEMMEL.js.map
+//# sourceMappingURL=api-HTHCG6QE.js.map

package/dist/{chunk-IHRV7UHG.js → chunk-RJUUWD2F.js}

@@ -10,6 +10,7 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
 import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
+import { createHash } from "crypto";
 var CONFIG_DIR = join(homedir(), ".xploitscan");
 var TOKEN_FILE = join(CONFIG_DIR, "token.json");
 var PRO_RULES_FILE = join(CONFIG_DIR, "pro-rules.cjs");
@@ -17,7 +18,10 @@ var PRO_RULES_META = join(CONFIG_DIR, "pro-rules-meta.json");
 var API_BASE = process.env.XPLOITSCAN_API_URL ?? "https://api.xploitscan.com";
 var WEB_BASE = process.env.XPLOITSCAN_WEB_URL ?? "https://xploitscan.com";
 if (API_BASE.startsWith("http://") && !API_BASE.includes("localhost") && !API_BASE.includes("127.0.0.1")) {
-  console.warn("WARNING: API URL is not using HTTPS. This is insecure.");
+  throw new Error("API URL must use HTTPS for security. Set XPLOITSCAN_API_URL to an https:// URL.");
+}
+if (WEB_BASE.startsWith("http://") && !WEB_BASE.includes("localhost") && !WEB_BASE.includes("127.0.0.1")) {
+  throw new Error("Web URL must use HTTPS for security. Set XPLOITSCAN_WEB_URL to an https:// URL.");
 }
 function getStoredToken() {
   try {
@@ -67,7 +71,9 @@ async function checkUsage() {
     return { allowed: true, plan: "anonymous", remaining: -1, limit: -1 };
   }
   try {
-    const res = await apiRequest("/api/usage/check");
+    const res = await fetch(`${WEB_BASE}/api/cli/usage`, {
+      headers: { Authorization: `Bearer ${token.token}` }
+    });
     if (!res.ok) {
       return { allowed: true, plan: "unknown", remaining: -1, limit: -1 };
     }
@@ -96,11 +102,15 @@ async function uploadScanResults(result) {
   }
 }
 async function syncUser() {
+  const token = getStoredToken();
+  if (!token) return null;
   try {
-    const res = await apiRequest("/api/users/sync", { method: "POST" });
+    const res = await fetch(`${WEB_BASE}/api/cli/usage`, {
+      headers: { Authorization: `Bearer ${token.token}` }
+    });
     if (!res.ok) return null;
     const data = await res.json();
-    return data.user;
+    return { plan: data.plan, email: token.email };
   } catch {
     return null;
   }
@@ -126,11 +136,16 @@ async function downloadProRulesBundle() {
     if (!res.ok) return false;
     const bundle = await res.text();
     if (!bundle || bundle.length < 100) return false;
+    if (!bundle.includes("proOnlyRules") || !bundle.includes("exports")) {
+      return false;
+    }
+    const hash = createHash("sha256").update(bundle).digest("hex");
     mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
     writeFileSync(PRO_RULES_FILE, bundle, { mode: 384 });
     writeFileSync(PRO_RULES_META, JSON.stringify({
       cachedAt: Date.now(),
-      expiresAt: Date.now() + PRO_RULES_CACHE_HOURS * 60 * 60 * 1e3
+      expiresAt: Date.now() + PRO_RULES_CACHE_HOURS * 60 * 60 * 1e3,
+      sha256: hash
     }), { mode: 384 });
     return true;
   } catch {
@@ -145,6 +160,14 @@ function loadCachedProRules() {
       clearProRulesCache();
       return null;
     }
+    if (meta.sha256) {
+      const fileContent = readFileSync(PRO_RULES_FILE, "utf-8");
+      const currentHash = createHash("sha256").update(fileContent).digest("hex");
+      if (currentHash !== meta.sha256) {
+        clearProRulesCache();
+        return null;
+      }
+    }
     const mod = __require(PRO_RULES_FILE);
     return mod.proOnlyRules || null;
   } catch {
@@ -173,4 +196,4 @@ export {
   loadCachedProRules,
   clearProRulesCache
 };
-//# sourceMappingURL=chunk-IHRV7UHG.js.map
+//# sourceMappingURL=chunk-RJUUWD2F.js.map

package/dist/chunk-RJUUWD2F.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/utils/api.ts"],"sourcesContent":["import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport { createHash } from \"node:crypto\";\n\nconst CONFIG_DIR = join(homedir(), \".xploitscan\");\nconst TOKEN_FILE = join(CONFIG_DIR, \"token.json\");\nconst PRO_RULES_FILE = join(CONFIG_DIR, \"pro-rules.cjs\");\nconst PRO_RULES_META = join(CONFIG_DIR, \"pro-rules-meta.json\");\n\nconst API_BASE = process.env.XPLOITSCAN_API_URL ?? \"https://api.xploitscan.com\";\nconst WEB_BASE = process.env.XPLOITSCAN_WEB_URL ?? \"https://xploitscan.com\";\n\nif (API_BASE.startsWith(\"http://\") && !API_BASE.includes(\"localhost\") && !API_BASE.includes(\"127.0.0.1\")) {\n  throw new Error(\"API URL must use HTTPS for security. Set XPLOITSCAN_API_URL to an https:// URL.\");\n}\nif (WEB_BASE.startsWith(\"http://\") && !WEB_BASE.includes(\"localhost\") && !WEB_BASE.includes(\"127.0.0.1\")) {\n  throw new Error(\"Web URL must use HTTPS for security. Set XPLOITSCAN_WEB_URL to an https:// URL.\");\n}\n\ninterface TokenData {\n  token: string;\n  userId: string;\n  email: string;\n  expiresAt?: number;\n}\n\nexport function getStoredToken(): TokenData | null {\n  try {\n    if (!existsSync(TOKEN_FILE)) return null;\n    const data = JSON.parse(readFileSync(TOKEN_FILE, \"utf-8\"));\n    if (data.expiresAt && Date.now() > data.expiresAt) {\n      // Token expired\n      unlinkSync(TOKEN_FILE);\n      return null;\n    }\n    return data;\n  } catch {\n    return null;\n  }\n}\n\nexport function storeToken(data: TokenData): void {\n  mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });\n  writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });\n}\n\nexport function clearToken(): void {\n  try {\n    if (existsSync(TOKEN_FILE)) {\n      unlinkSync(TOKEN_FILE);\n    }\n  } catch {\n    // ignore\n  }\n}\n\nexport function isAuthenticated(): boolean {\n  return getStoredToken() !== null;\n}\n\nasync function apiRequest(\n  path: string,\n  options: RequestInit = {},\n): Promise<Response> {\n  const token = getStoredToken();\n  const headers: Record<string, string> = {\n    \"Content-Type\": \"application/json\",\n    ...(options.headers as Record<string, string>),\n  };\n\n  if (token) {\n    headers.Authorization = `Bearer ${token.token}`;\n  }\n\n  return fetch(`${API_BASE}${path}`, {\n    ...options,\n    headers,\n  });\n}\n\nexport async function checkUsage(): Promise<{\n  allowed: boolean;\n  plan: string;\n  remaining: number;\n  limit: number;\n}> {\n  const token = getStoredToken();\n  if (!token) {\n    // Unauthenticated users get limited local scans\n    return { allowed: true, plan: \"anonymous\", remaining: -1, limit: -1 };\n  }\n\n  try {\n    // Use web app API for real subscription lookup\n    const res = await fetch(`${WEB_BASE}/api/cli/usage`, {\n      headers: { Authorization: `Bearer ${token.token}` },\n    });\n    if (!res.ok) {\n      return { allowed: true, plan: \"unknown\", remaining: -1, limit: -1 };\n    }\n    return await res.json();\n  } catch {\n    // Network error — allow local scan\n    return { allowed: true, plan: \"offline\", remaining: -1, limit: -1 };\n  }\n}\n\nexport async function incrementUsage(): Promise<void> {\n  const token = getStoredToken();\n  if (!token) return;\n\n  try {\n    await apiRequest(\"/api/usage/increment\", { method: \"POST\" });\n  } catch {\n    // Silent fail — don't block scan\n  }\n}\n\nexport async function uploadScanResults(result: {\n  directory: string;\n  filesScanned: number;\n  findings: unknown[];\n  duration: number;\n}): Promise<void> {\n  const token = getStoredToken();\n  if (!token) return;\n\n  try {\n    await apiRequest(\"/api/scans\", {\n      method: \"POST\",\n      body: JSON.stringify(result),\n    });\n  } catch {\n    // Silent fail\n  }\n}\n\nexport async function syncUser(): Promise<{ plan: string; email: string } | null> {\n  const token = getStoredToken();\n  if (!token) return null;\n  try {\n    const res = await fetch(`${WEB_BASE}/api/cli/usage`, {\n      headers: { Authorization: `Bearer ${token.token}` },\n    });\n    if (!res.ok) return null;\n    const data = await res.json();\n    return { plan: data.plan, email: token.email };\n  } catch {\n    return null;\n  }\n}\n\nexport async function getCheckoutUrl(): Promise<string | null> {\n  try {\n    const res = await apiRequest(\"/api/billing/checkout\", { method: \"POST\" });\n    if (!res.ok) return null;\n    const data = await res.json();\n    return data.url;\n  } catch {\n    return null;\n  }\n}\n\n// ── Pro Rules Bundle (Server-Side Delivery) ──────────────────────────────\n\nconst PRO_RULES_CACHE_HOURS = 24;\n\nexport async function downloadProRulesBundle(): Promise<boolean> {\n  const token = getStoredToken();\n  if (!token) return false;\n\n  try {\n    const res = await fetch(`${WEB_BASE}/api/cli/rules-bundle`, {\n      headers: { Authorization: `Bearer ${token.token}` },\n    });\n    if (!res.ok) return false;\n\n    const bundle = await res.text();\n    if (!bundle || bundle.length < 100) return false;\n\n    // Basic integrity check: verify bundle contains expected exports\n    if (!bundle.includes(\"proOnlyRules\") || !bundle.includes(\"exports\")) {\n      return false;\n    }\n\n    const hash = createHash(\"sha256\").update(bundle).digest(\"hex\");\n    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });\n    writeFileSync(PRO_RULES_FILE, bundle, { mode: 0o600 });\n    writeFileSync(PRO_RULES_META, JSON.stringify({\n      cachedAt: Date.now(),\n      expiresAt: Date.now() + PRO_RULES_CACHE_HOURS * 60 * 60 * 1000,\n      sha256: hash,\n    }), { mode: 0o600 });\n    return true;\n  } catch {\n    return false;\n  }\n}\n\nexport function loadCachedProRules(): unknown[] | null {\n  try {\n    if (!existsSync(PRO_RULES_FILE) || !existsSync(PRO_RULES_META)) return null;\n\n    const meta = JSON.parse(readFileSync(PRO_RULES_META, \"utf-8\"));\n    if (Date.now() > meta.expiresAt) {\n      clearProRulesCache();\n      return null;\n    }\n\n    // Verify integrity before loading\n    if (meta.sha256) {\n      const fileContent = readFileSync(PRO_RULES_FILE, \"utf-8\");\n      const currentHash = createHash(\"sha256\").update(fileContent).digest(\"hex\");\n      if (currentHash !== meta.sha256) {\n        clearProRulesCache();\n        return null;\n      }\n    }\n\n    // Dynamic require of the cached CJS bundle\n    const mod = require(PRO_RULES_FILE);\n    return mod.proOnlyRules || null;\n  } catch {\n    return null;\n  }\n}\n\nexport function clearProRulesCache(): void {\n  try {\n    if (existsSync(PRO_RULES_FILE)) unlinkSync(PRO_RULES_FILE);\n    if (existsSync(PRO_RULES_META)) unlinkSync(PRO_RULES_META);\n  } catch { /* ignore */ }\n}\n"],"mappings":";;;;;;;;;AAAA,SAAS,cAAc,eAAe,WAAW,YAAY,kBAAkB;AAC/E,SAAS,YAAY;AACrB,SAAS,eAAe;AACxB,SAAS,kBAAkB;AAE3B,IAAM,aAAa,KAAK,QAAQ,GAAG,aAAa;AAChD,IAAM,aAAa,KAAK,YAAY,YAAY;AAChD,IAAM,iBAAiB,KAAK,YAAY,eAAe;AACvD,IAAM,iBAAiB,KAAK,YAAY,qBAAqB;AAE7D,IAAM,WAAW,QAAQ,IAAI,sBAAsB;AACnD,IAAM,WAAW,QAAQ,IAAI,sBAAsB;AAEnD,IAAI,SAAS,WAAW,SAAS,KAAK,CAAC,SAAS,SAAS,WAAW,KAAK,CAAC,SAAS,SAAS,WAAW,GAAG;AACxG,QAAM,IAAI,MAAM,iFAAiF;AACnG;AACA,IAAI,SAAS,WAAW,SAAS,KAAK,CAAC,SAAS,SAAS,WAAW,KAAK,CAAC,SAAS,SAAS,WAAW,GAAG;AACxG,QAAM,IAAI,MAAM,iFAAiF;AACnG;AASO,SAAS,iBAAmC;AACjD,MAAI;AACF,QAAI,CAAC,WAAW,UAAU,EAAG,QAAO;AACpC,UAAM,OAAO,KAAK,MAAM,aAAa,YAAY,OAAO,CAAC;AACzD,QAAI,KAAK,aAAa,KAAK,IAAI,IAAI,KAAK,WAAW;AAEjD,iBAAW,UAAU;AACrB,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,WAAW,MAAuB;AAChD,YAAU,YAAY,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AACtD,gBAAc,YAAY,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AAC1E;AAEO,SAAS,aAAmB;AACjC,MAAI;AACF,QAAI,WAAW,UAAU,GAAG;AAC1B,iBAAW,UAAU;AAAA,IACvB;AAAA,EACF,QAAQ;AAAA,EAER;AACF;AAEO,SAAS,kBAA2B;AACzC,SAAO,eAAe,MAAM;AAC9B;AAEA,eAAe,WACb,MACA,UAAuB,CAAC,GACL;AACnB,QAAM,QAAQ,eAAe;AAC7B,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,GAAI,QAAQ;AAAA,EACd;AAEA,MAAI,OAAO;AACT,YAAQ,gBAAgB,UAAU,MAAM,KAAK;AAAA,EAC/C;AAEA,SAAO,MAAM,GAAG,QAAQ,GAAG,IAAI,IAAI;AAAA,IACjC,GAAG;AAAA,IACH;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,aAKnB;AACD,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,OAAO;AAEV,WAAO,EAAE,SAAS,MAAM,MAAM,aAAa,WAAW,IAAI,OAAO,GAAG;AAAA,EACtE;AAEA,MAAI;AAEF,UAAM,MAAM,MAAM,MAAM,GAAG,QAAQ,kBAAkB;AAAA,MACnD,SAAS,EAAE,eAAe,UAAU,MAAM,KAAK,GAAG;AAAA,IACpD,CAAC;AACD,QAAI,CAAC,IAAI,IAAI;AACX,aAAO,EAAE,SAAS,MAAM,MAAM,WAAW,WAAW,IAAI,OAAO,GAAG;AAAA,IACpE;AACA,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AAEN,WAAO,EAAE,SAAS,MAAM,MAAM,WAAW,WAAW,IAAI,OAAO,GAAG;AAAA,EACpE;AACF;AAEA,eAAsB,iBAAgC;AACpD,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,MAAO;AAEZ,MAAI;AACF,UAAM,WAAW,wBAAwB,EAAE,QAAQ,OAAO,CAAC;AAAA,EAC7D,QAAQ;AAAA,EAER;AACF;AAEA,eAAsB,kBAAkB,QAKtB;AAChB,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,MAAO;AAEZ,MAAI;AACF,UAAM,WAAW,cAAc;AAAA,MAC7B,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU,MAAM;AAAA,IAC7B,CAAC;AAAA,EACH,QAAQ;AAAA,EAER;AACF;AAEA,eAAsB,WAA4D;AAChF,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,QAAQ,kBAAkB;AAAA,MACnD,SAAS,EAAE,eAAe,UAAU,MAAM,KAAK,GAAG;AAAA,IACpD,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,EAAE,MAAM,KAAK,MAAM,OAAO,MAAM,MAAM;AAAA,EAC/C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,iBAAyC;AAC7D,MAAI;AACF,UAAM,MAAM,MAAM,WAAW,yBAAyB,EAAE,QAAQ,OAAO,CAAC;AACxE,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK;AAAA,EACd,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAIA,IAAM,wBAAwB;AAE9B,eAAsB,yBAA2C;AAC/D,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,QAAQ,yBAAyB;AAAA,MAC1D,SAAS,EAAE,eAAe,UAAU,MAAM,KAAK,GAAG;AAAA,IACpD,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,SAAS,MAAM,IAAI,KAAK;AAC9B,QAAI,CAAC,UAAU,OAAO,SAAS,IAAK,QAAO;AAG3C,QAAI,CAAC,OAAO,SAAS,cAAc,KAAK,CAAC,OAAO,SAAS,SAAS,GAAG;AACnE,aAAO;AAAA,IACT;AAEA,UAAM,OAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO,KAAK;AAC7D,cAAU,YAAY,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AACtD,kBAAc,gBAAgB,QAAQ,EAAE,MAAM,IAAM,CAAC;AACrD,kBAAc,gBAAgB,KAAK,UAAU;AAAA,MAC3C,UAAU,KAAK,IAAI;AAAA,MACnB,WAAW,KAAK,IAAI,IAAI,wBAAwB,KAAK,KAAK;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AACnB,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,qBAAuC;AACrD,MAAI;AACF,QAAI,CAAC,WAAW,cAAc,KAAK,CAAC,WAAW,cAAc,EAAG,QAAO;AAEvE,UAAM,OAAO,KAAK,MAAM,aAAa,gBAAgB,OAAO,CAAC;AAC7D,QAAI,KAAK,IAAI,IAAI,KAAK,WAAW;AAC/B,yBAAmB;AACnB,aAAO;AAAA,IACT;AAGA,QAAI,KAAK,QAAQ;AACf,YAAM,cAAc,aAAa,gBAAgB,OAAO;AACxD,YAAM,cAAc,WAAW,QAAQ,EAAE,OAAO,WAAW,EAAE,OAAO,KAAK;AACzE,UAAI,gBAAgB,KAAK,QAAQ;AAC/B,2BAAmB;AACnB,eAAO;AAAA,MACT;AAAA,IACF;AAGA,UAAM,MAAM,UAAQ,cAAc;AAClC,WAAO,IAAI,gBAAgB;AAAA,EAC7B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,qBAA2B;AACzC,MAAI;AACF,QAAI,WAAW,cAAc,EAAG,YAAW,cAAc;AACzD,QAAI,WAAW,cAAc,EAAG,YAAW,cAAc;AAAA,EAC3D,QAAQ;AAAA,EAAe;AACzB;","names":[]}

package/dist/index.js

@@ -11,7 +11,7 @@ import {
   storeToken,
   syncUser,
   uploadScanResults
-} from "./chunk-IHRV7UHG.js";
+} from "./chunk-RJUUWD2F.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -1806,13 +1806,15 @@ function chunkFiles(files, maxChars) {
   let current = [];
   let currentSize = 0;
   for (const file of files) {
-    if (currentSize + file.content.length > maxChars && current.length > 0) {
+    const truncatedContent = file.content.length > maxChars ? file.content.slice(0, maxChars) + "\n// ... truncated for analysis" : file.content;
+    const entry = { path: file.path, content: truncatedContent };
+    if (currentSize + entry.content.length > maxChars && current.length > 0) {
       chunks.push(current);
       current = [];
       currentSize = 0;
     }
-    current.push(file);
-    currentSize += file.content.length;
+    current.push(entry);
+    currentSize += entry.content.length;
   }
   if (current.length > 0) chunks.push(current);
   return chunks;
@@ -3001,13 +3003,13 @@ function renderSarifReport(result) {
           }
         },
         results: result.findings.map((f) => {
-          const entry = {
+          const messageText = f.fix ? `${f.title}: ${f.description}
+Suggested fix: ${f.fix}` : `${f.title}: ${f.description}`;
+          return {
             ruleId: f.rule,
             ruleIndex: ruleIndex.get(f.rule) ?? 0,
             level: SEVERITY_TO_SARIF[f.severity],
-            message: {
-              text: `${f.title}: ${f.description}`
-            },
+            message: { text: messageText },
             locations: [
               {
                 physicalLocation: {
@@ -3020,10 +3022,6 @@ function renderSarifReport(result) {
               }
             ]
           };
-          if (f.fix) {
-            entry.fixes = [{ description: { text: f.fix } }];
-          }
-          return entry;
         })
       }
     ]
@@ -3093,8 +3091,8 @@ async function scanCommand(directory, options) {
   if (options.diff) {
     const base = typeof options.diff === "string" ? options.diff : "main";
     try {
-      const { execSync } = await import("child_process");
-      const changedFiles = execSync(`git diff --name-only ${base}`, { cwd: dir, encoding: "utf-8" }).trim().split("\n").filter(Boolean);
+      const { execSync: execSync2 } = await import("child_process");
+      const changedFiles = execSync2(`git diff --name-only ${base}`, { cwd: dir, encoding: "utf-8" }).trim().split("\n").filter(Boolean);
       files = files.filter((f) => changedFiles.some((cf) => f.endsWith(cf) || cf.endsWith(f)));
       if (!isSilent) {
         spinner.info(chalk2.gray(`  Diff mode: scanning ${files.length} changed files vs ${base}`));
@@ -3414,32 +3412,8 @@ async function waitForBrowserLogin() {
         }
       } else if (url.pathname === "/login") {
         const callbackUrl = `http://localhost:${server.address().port}/callback`;
-        if (process.env.NODE_ENV === "development" && process.env.XPLOITSCAN_DEV_AUTH === "true") {
-          res.writeHead(200, { "Content-Type": "text/html" });
-          res.end(`
-            <html>
-              <body style="font-family: system-ui; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #0a0a0f; color: #e0e0e0;">
-                <div style="text-align: center;">
-                  <h1 style="color: #00d4ff;">xploitscan</h1>
-                  <p>Redirecting to login (dev mode)...</p>
-                  <script>
-                    const params = new URLSearchParams({
-                      token: 'dev_token_' + Date.now(),
-                      email: 'dev@xploitscan.com',
-                      user_id: 'user_dev_' + Date.now(),
-                      state: '${expectedState}'
-                    });
-                    setTimeout(() => {
-                      window.location.href = '/callback?' + params.toString();
-                    }, 1000);
-                  </script>
-                </div>
-              </body>
-            </html>
-          `);
-        } else {
-          res.writeHead(200, { "Content-Type": "text/html" });
-          res.end(`
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(`
             <html>
               <body style="font-family: system-ui; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #0a0a0f; color: #e0e0e0;">
                 <div style="text-align: center;">
@@ -3450,7 +3424,6 @@ async function waitForBrowserLogin() {
               </body>
             </html>
           `);
-        }
       } else {
         res.writeHead(302, { Location: "/login" });
         res.end();
@@ -3474,11 +3447,152 @@ Open this URL in your browser to log in:`));
   });
 }
 
+// src/commands/hook.ts
+import { execSync } from "child_process";
+import {
+  existsSync as existsSync4,
+  readFileSync as readFileSync3,
+  writeFileSync,
+  chmodSync,
+  unlinkSync
+} from "fs";
+import { join as join6 } from "path";
+import chalk4 from "chalk";
+var HOOK_START_MARKER = "# xploitscan-hook-start";
+var HOOK_END_MARKER = "# xploitscan-hook-end";
+var HOOK_CONTENT = `${HOOK_START_MARKER}
+# Installed by XploitScan CLI \u2014 do not edit this block manually
+echo ""
+echo "\u{1F6E1}  Running XploitScan security check..."
+npx --yes xploitscan scan . --no-ai --diff HEAD
+HOOK_EXIT=$?
+if [ $HOOK_EXIT -ne 0 ]; then
+  echo ""
+  echo "\u274C XploitScan found security issues. Commit blocked."
+  echo "   Fix the issues above, or use 'git commit --no-verify' to skip."
+  exit 1
+fi
+${HOOK_END_MARKER}`;
+function getGitRoot() {
+  try {
+    const root = execSync("git rev-parse --show-toplevel", {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "ignore"]
+    }).trim();
+    return root || null;
+  } catch {
+    return null;
+  }
+}
+function removeExistingBlock(content) {
+  const startIdx = content.indexOf(HOOK_START_MARKER);
+  const endIdx = content.indexOf(HOOK_END_MARKER);
+  if (startIdx === -1 || endIdx === -1 || endIdx < startIdx) {
+    return content;
+  }
+  const before = content.slice(0, startIdx).replace(/\n+$/, "");
+  const after = content.slice(endIdx + HOOK_END_MARKER.length).replace(/^\n+/, "");
+  if (before && after) return `${before}
+
+${after}
+`;
+  if (before) return `${before}
+`;
+  if (after) return `${after}
+`;
+  return "";
+}
+async function installHookCommand(options) {
+  const gitRoot = getGitRoot();
+  if (!gitRoot) {
+    console.log(chalk4.red("\u2717 Not a git repository."));
+    console.log(chalk4.gray("  Run this command from inside a git repo."));
+    process.exit(1);
+  }
+  const hooksDir = join6(gitRoot, ".git", "hooks");
+  const hookPath = join6(hooksDir, "pre-commit");
+  let existingContent = "";
+  let hadExisting = false;
+  if (existsSync4(hookPath)) {
+    existingContent = readFileSync3(hookPath, "utf-8");
+    hadExisting = true;
+    const alreadyInstalled = existingContent.includes(HOOK_START_MARKER) && existingContent.includes(HOOK_END_MARKER);
+    if (alreadyInstalled && !options.force) {
+      console.log(chalk4.yellow("\u26A0  XploitScan hook is already installed."));
+      console.log(chalk4.gray("  Use --force to reinstall, or `xploitscan hook uninstall` to remove it."));
+      return;
+    }
+    if (alreadyInstalled && options.force) {
+      existingContent = removeExistingBlock(existingContent);
+    }
+  }
+  let newContent;
+  if (hadExisting && existingContent.trim()) {
+    const trimmed = existingContent.replace(/\n+$/, "");
+    newContent = `${trimmed}
+
+${HOOK_CONTENT}
+`;
+  } else {
+    newContent = `#!/bin/sh
+
+${HOOK_CONTENT}
+`;
+  }
+  try {
+    writeFileSync(hookPath, newContent, "utf-8");
+    chmodSync(hookPath, 493);
+  } catch (err) {
+    console.log(chalk4.red(`\u2717 Failed to write pre-commit hook: ${err.message}`));
+    process.exit(1);
+  }
+  console.log(chalk4.green("\u2713 XploitScan pre-commit hook installed."));
+  console.log("");
+  console.log(chalk4.gray("  XploitScan will now scan your code before every commit."));
+  console.log(chalk4.gray("  To skip a scan, use: ") + chalk4.cyan("git commit --no-verify"));
+  console.log(chalk4.gray("  To remove: ") + chalk4.cyan("xploitscan hook uninstall"));
+}
+async function uninstallHookCommand() {
+  const gitRoot = getGitRoot();
+  if (!gitRoot) {
+    console.log(chalk4.red("\u2717 Not a git repository."));
+    console.log(chalk4.gray("  Run this command from inside a git repo."));
+    process.exit(1);
+  }
+  const hookPath = join6(gitRoot, ".git", "hooks", "pre-commit");
+  if (!existsSync4(hookPath)) {
+    console.log(chalk4.yellow("\u26A0  No pre-commit hook found. Nothing to uninstall."));
+    return;
+  }
+  const content = readFileSync3(hookPath, "utf-8");
+  if (!content.includes(HOOK_START_MARKER)) {
+    console.log(chalk4.yellow("\u26A0  XploitScan hook not found in pre-commit file."));
+    console.log(chalk4.gray("  Nothing to remove."));
+    return;
+  }
+  const stripped = removeExistingBlock(content).trim();
+  const shebangOnly = stripped === "#!/bin/sh" || stripped === "#!/usr/bin/env sh" || stripped === "";
+  try {
+    if (shebangOnly) {
+      unlinkSync(hookPath);
+      console.log(chalk4.green("\u2713 XploitScan hook removed. Pre-commit file deleted (was empty after removal)."));
+    } else {
+      writeFileSync(hookPath, stripped + "\n", "utf-8");
+      chmodSync(hookPath, 493);
+      console.log(chalk4.green("\u2713 XploitScan hook removed."));
+      console.log(chalk4.gray("  Other hook content was preserved."));
+    }
+  } catch (err) {
+    console.log(chalk4.red(`\u2717 Failed to uninstall hook: ${err.message}`));
+    process.exit(1);
+  }
+}
+
 // src/index.ts
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("0.8.0");
+).version("1.0.4");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,
@@ -3493,26 +3607,31 @@ var auth = program.command("auth").description("Manage authentication");
 auth.command("login").description("Log in to your XploitScan account").action(loginCommand);
 auth.command("logout").description("Log out of your XploitScan account").action(logoutCommand);
 auth.command("whoami").description("Show current logged-in user").action(whoamiCommand);
+var hook = program.command("hook").description("Manage git pre-commit hooks for automatic scanning");
+hook.command("install").description("Install a git pre-commit hook that runs XploitScan on every commit").option("-f, --force", "Overwrite existing XploitScan hook without prompting", false).action(async (opts) => {
+  await installHookCommand({ force: opts.force });
+});
+hook.command("uninstall").description("Remove the XploitScan pre-commit hook").action(uninstallHookCommand);
 program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited scans").action(async () => {
-  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-ZNWEMMEL.js");
-  const chalk4 = (await import("chalk")).default;
+  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-HTHCG6QE.js");
+  const chalk5 = (await import("chalk")).default;
   const token = getStoredToken2();
   if (!token) {
-    console.log(chalk4.yellow("Please log in first: xploitscan auth login"));
+    console.log(chalk5.yellow("Please log in first: xploitscan auth login"));
     return;
   }
-  console.log(chalk4.cyan("Creating checkout session..."));
+  console.log(chalk5.cyan("Creating checkout session..."));
   const url = await getCheckoutUrl();
   if (url) {
-    console.log(chalk4.green(`
+    console.log(chalk5.green(`
 Open this URL to upgrade:`));
-    console.log(chalk4.bold.underline(url));
+    console.log(chalk5.bold.underline(url));
     const { execFile: execFile4 } = await import("child_process");
     const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
     execFile4(openCmd, [url], () => {
     });
   } else {
-    console.log(chalk4.red("Failed to create checkout session. Please try again."));
+    console.log(chalk5.red("Failed to create checkout session. Please try again."));
   }
 });
 program.parse();