gate-cli 0.1.0__py3-none-any.whl

gate/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

gate/checks/cve.py

@@ -0,0 +1,42 @@
+import json
+import urllib.request
+import urllib.error
+
+OSV_API = "https://api.osv.dev/v1/query"
+
+
+def check_cve(name: str, version: str, ecosystem: str) -> list[dict]:
+    payload = json.dumps({
+        "package": {"name": name, "ecosystem": ecosystem},
+        "version": version,
+    }).encode()
+
+    req = urllib.request.Request(
+        OSV_API,
+        data=payload,
+        headers={"Content-Type": "application/json"},
+        method="POST",
+    )
+
+    try:
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            data = json.loads(resp.read())
+    except Exception:
+        return []
+
+    seen: set[str] = set()
+    vulns = []
+    for vuln in data.get("vulns", []):
+        cve_id = next(
+            (a for a in vuln.get("aliases", []) if a.startswith("CVE-")),
+            vuln.get("id", ""),
+        )
+        if cve_id in seen:
+            continue
+        seen.add(cve_id)
+        vulns.append({
+            "id": cve_id,
+            "summary": vuln.get("summary", "No description"),
+        })
+
+    return vulns

gate/checks/integrity.py

@@ -0,0 +1,59 @@
+def check_integrity(local: str, remote: str) -> dict:
+    """
+    Compare a locally stored integrity hash against the value from the registry.
+
+    Both values are expected in standard format:
+      npm:  "sha512-<base64>"
+      PyPI: "sha256:<hex>"
+    """
+    if not local or not remote:
+        return {"ok": True, "skipped": True, "message": "No hash to compare"}
+
+    match = local.strip() == remote.strip()
+    return {
+        "ok": match,
+        "skipped": False,
+        "local": local,
+        "remote": remote,
+        "message": None if match else "Hash mismatch — package may have been tampered with",
+    }
+
+
+def parse_requirements_hashes(path) -> dict[str, dict[str, str]]:
+    """
+    Parse hashes from a requirements.txt file that was generated with
+    pip-compile --generate-hashes or pip install --require-hashes.
+
+    Returns: {package_name_lower: {version: "sha256:<hex>"}}
+
+    Example line:
+        requests==2.28.0 \\
+            --hash=sha256:ae72a32d...
+    """
+    import re
+    from pathlib import Path
+
+    text = Path(path).read_text(encoding="utf-8")
+    # Join continuation lines
+    text = re.sub(r"\\\n\s*", " ", text)
+
+    result: dict[str, dict[str, str]] = {}
+    for line in text.splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        if "==" not in line:
+            continue
+
+        # Extract name==version
+        spec_part = line.split()[0]
+        name, version = spec_part.split("==", 1)
+        name = name.strip().lower()
+        version = version.strip()
+
+        # Extract first sha256 hash
+        match = re.search(r"--hash=sha256:([a-f0-9]+)", line)
+        if match:
+            result.setdefault(name, {})[version] = f"sha256:{match.group(1)}"
+
+    return result

gate/checks/maintainer.py

@@ -0,0 +1,32 @@
+def check_maintainer_change(
+    current: list[str],
+    previous: list[str],
+) -> dict:
+    """
+    Compare maintainer lists between two versions.
+    Returns a dict describing any changes found.
+    """
+    current_set = set(current)
+    previous_set = set(previous)
+
+    added = current_set - previous_set
+    removed = previous_set - current_set
+
+    if not added and not removed:
+        return {"ok": True, "added": [], "removed": []}
+
+    return {
+        "ok": False,
+        "added": sorted(added),
+        "removed": sorted(removed),
+        "message": _format_message(added, removed),
+    }
+
+
+def _format_message(added: set[str], removed: set[str]) -> str:
+    parts = []
+    if added:
+        parts.append(f"new maintainer(s): {', '.join(sorted(added))}")
+    if removed:
+        parts.append(f"removed maintainer(s): {', '.join(sorted(removed))}")
+    return "; ".join(parts)

gate/checks/quarantine.py

@@ -0,0 +1,18 @@
+from datetime import datetime, timezone
+
+
+def check_quarantine(published: datetime | None, quarantine_days: int = 7) -> dict:
+    if published is None:
+        return {"ok": True, "days_old": None, "message": None}
+
+    now = datetime.now(timezone.utc)
+    days_old = (now - published).days
+
+    if days_old < quarantine_days:
+        return {
+            "ok": False,
+            "days_old": days_old,
+            "message": f"Published {days_old} day(s) ago (quarantine window: {quarantine_days} days)",
+        }
+
+    return {"ok": True, "days_old": days_old, "message": None}

gate/checks/scripts.py

@@ -0,0 +1,51 @@
+import re
+
+# Patterns that indicate a script is doing something suspicious
+_SUSPICIOUS: list[tuple[str, str]] = [
+    (r"\bcurl\b",           "network fetch (curl)"),
+    (r"\bwget\b",           "network fetch (wget)"),
+    (r"\bfetch\b",          "network fetch (fetch)"),
+    (r"\bbase64\b",         "base64 encoding"),
+    (r"atob\s*\(",          "base64 decode (atob)"),
+    (r"Buffer\.from\b",     "binary decoding (Buffer.from)"),
+    (r"\beval\s*\(",        "eval execution"),
+    (r"Function\s*\(",      "dynamic code execution (Function)"),
+    (r"\bexec\s*\(",        "shell execution (exec)"),
+    (r"\bspawn\s*\(",       "shell execution (spawn)"),
+    (r"\bchild_process\b",  "child process usage"),
+    (r"https?://",          "hardcoded URL"),
+    (r"\b(?:\d{1,3}\.){3}\d{1,3}\b", "hardcoded IP address"),
+    (r"\bpowershell\b",     "PowerShell execution"),
+    (r"\bchmod\b",          "permission change"),
+    (r"process\.env\b",     "environment variable access"),
+]
+
+
+def analyze_script(script: str) -> list[str]:
+    """Return a list of suspicious pattern descriptions found in the script."""
+    found = []
+    for pattern, description in _SUSPICIOUS:
+        if re.search(pattern, script, re.IGNORECASE):
+            found.append(description)
+    return found
+
+
+def check_install_scripts(install_scripts: dict[str, str]) -> dict:
+    """
+    Analyze install scripts for suspicious patterns.
+    Returns a dict with 'ok', 'findings' (per script), and 'suspicious' flag.
+    """
+    if not install_scripts:
+        return {"ok": True, "findings": {}}
+
+    findings: dict[str, list[str]] = {}
+    for script_name, script_body in install_scripts.items():
+        patterns = analyze_script(script_body)
+        if patterns:
+            findings[script_name] = patterns
+
+    return {
+        "ok": len(findings) == 0,
+        "findings": findings,
+        "raw": install_scripts,
+    }

gate/cli.py

@@ -0,0 +1,283 @@
+import argparse
+import json
+import sys
+from pathlib import Path
+
+from gate import __version__
+from gate.config import load_config, Config
+from gate.registry import pypi, npm
+from gate.checks.quarantine import check_quarantine
+from gate.checks.cve import check_cve
+from gate.checks.scripts import check_install_scripts
+from gate.checks.maintainer import check_maintainer_change
+from gate.checks.integrity import check_integrity, parse_requirements_hashes
+from gate.hooks.precommit import install_hook, uninstall_hook
+from gate import sbom as sbom_mod
+import gate.output as out
+
+
+# ── Result helpers ────────────────────────────────────────────────────────────
+
+def _check_package(
+    name: str,
+    version: str | None,
+    ecosystem: str,
+    config: Config,
+    local_integrity: str | None = None,
+) -> dict:
+    result: dict = {"errors": [], "warnings": [], "version": None}
+
+    if ecosystem == "PyPI":
+        info = pypi.get_package_info(name, version)
+    else:
+        info = npm.get_package_info(name, version)
+
+    if info is None:
+        result["errors"].append("Package not found in registry")
+        return result
+
+    result["version"] = info["version"]
+
+    # Quarantine
+    q = check_quarantine(info.get("published"), config.quarantine_days)
+    if not q["ok"]:
+        if "recent_release" in config.fail_on:
+            result["errors"].append(q["message"])
+        else:
+            result["warnings"].append(q["message"])
+
+    # CVE
+    for v in check_cve(name, info["version"], ecosystem):
+        result["errors"].append(f"{v['id']}: {v['summary'][:72]}")
+
+    # Maintainer change
+    current_m = info.get("maintainers") or []
+    previous_m = info.get("previous_maintainers")
+    if previous_m is not None:
+        m = check_maintainer_change(current_m, previous_m)
+        if not m["ok"]:
+            if "maintainer_change" in config.fail_on:
+                result["errors"].append(f"maintainer change: {m['message']}")
+            else:
+                result["warnings"].append(f"maintainer change: {m['message']}")
+
+    # Integrity / hash verification
+    remote_integrity = info.get("remote_integrity")
+    if local_integrity and remote_integrity:
+        integ = check_integrity(local_integrity, remote_integrity)
+        if not integ["ok"] and not integ.get("skipped"):
+            result["errors"].append(integ["message"])
+            result["errors"].append(f"  local:  {local_integrity}")
+            result["errors"].append(f"  remote: {remote_integrity}")
+
+    # Install scripts (npm)
+    if ecosystem == "npm":
+        script_result = check_install_scripts(info.get("install_scripts", {}))
+        if not script_result["ok"]:
+            for script_name, patterns in script_result["findings"].items():
+                cmd = script_result["raw"][script_name]
+                msg = f"install script [{script_name}]: {cmd[:60]}"
+                detail = f"  suspicious: {', '.join(patterns)}"
+                if "install_script" in config.fail_on:
+                    result["errors"].append(msg)
+                    result["errors"].append(detail)
+                else:
+                    result["warnings"].append(msg)
+                    result["warnings"].append(detail)
+        elif info.get("install_scripts"):
+            # Has install scripts but no suspicious patterns — still worth noting
+            for script_name, cmd in info["install_scripts"].items():
+                result["warnings"].append(f"install script [{script_name}]: {cmd[:60]}")
+
+    return result
+
+
+def _print_result(name: str, result: dict) -> None:
+    ver = result.get("version") or ""
+    label = out.bold(name) + (f" {out.dim(ver)}" if ver else "")
+
+    if result["errors"]:
+        out.fail(label)
+        for msg in result["errors"]:
+            out.error(msg)
+    elif result["warnings"]:
+        out.warn(label)
+        for msg in result["warnings"]:
+            out.warning(msg)
+    else:
+        out.ok(label)
+
+
+# ── Parsers ───────────────────────────────────────────────────────────────────
+
+def _parse_requirements(path: Path) -> list[tuple[str, str | None]]:
+    packages = []
+    for line in path.read_text(encoding="utf-8").splitlines():
+        line = line.strip()
+        if not line or line.startswith(("#", "-", "git+", "http")):
+            continue
+        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<"):
+            if sep in line:
+                name = line.split(sep)[0].strip()
+                version = line.split("==")[1].strip() if "==" in line else None
+                packages.append((name, version))
+                break
+        else:
+            packages.append((line, None))
+    return packages
+
+
+def _parse_package_lock(path: Path) -> list[tuple[str, str | None, str | None]]:
+    data = json.loads(path.read_text(encoding="utf-8"))
+    packages = []
+    for pkg_path, pkg_data in data.get("packages", {}).items():
+        if not pkg_path:
+            continue
+        name = pkg_path.removeprefix("node_modules/")
+        packages.append((name, pkg_data.get("version"), pkg_data.get("integrity")))
+    return packages
+
+
+def _detect_project() -> tuple[list[tuple[str, str | None, str | None]], str] | None:
+    if Path("requirements.txt").exists():
+        req_path = Path("requirements.txt")
+        hashes = parse_requirements_hashes(req_path)
+        packages = []
+        for name, version in _parse_requirements(req_path):
+            local_hash = hashes.get(name.lower(), {}).get(version) if version else None
+            packages.append((name, version, local_hash))
+        return packages, "PyPI"
+    if Path("package-lock.json").exists():
+        return _parse_package_lock(Path("package-lock.json")), "npm"
+    return None
+
+
+# ── Commands ──────────────────────────────────────────────────────────────────
+
+def cmd_init(args: argparse.Namespace) -> None:
+    ok_flag, msg = install_hook()
+    if ok_flag:
+        out.ok(msg)
+    else:
+        print(out.red(f"✗ {msg}"), file=sys.stderr)
+        sys.exit(1)
+
+
+def cmd_uninstall(args: argparse.Namespace) -> None:
+    ok_flag, msg = uninstall_hook()
+    if ok_flag:
+        out.ok(msg)
+    else:
+        out.warn(msg)
+
+
+def cmd_check(args: argparse.Namespace) -> None:
+    config = load_config()
+    ecosystem = "npm" if args.npm else "PyPI"
+
+    if "==" in args.package:
+        name, version = args.package.split("==", 1)
+    else:
+        name, version = args.package, None
+
+    print()
+    result = _check_package(name, version, ecosystem, config)
+    _print_result(name, result)
+    print()
+
+    if result["errors"] and not args.force:
+        sys.exit(1)
+
+
+def cmd_scan(args: argparse.Namespace) -> None:
+    config = load_config()
+    detected = _detect_project()
+
+    if detected is None:
+        out.warn("No requirements.txt or package-lock.json found")
+        sys.exit(0)
+
+    packages, ecosystem = detected
+
+    if not args.hook:
+        print(f"\nScanning {out.bold(str(len(packages)))} {ecosystem} packages...\n")
+
+    errors = 0
+    warnings = 0
+    sbom_entries: list[dict] = []
+
+    for name, version, local_integrity in packages:
+        result = _check_package(name, version, ecosystem, config, local_integrity)
+        _print_result(name, result)
+        errors += len(result["errors"])
+        warnings += len(result["warnings"])
+        if args.sbom is not None:
+            sbom_entries.append({"name": name, **result})
+
+    print()
+    if errors:
+        print(out.red(f"✗ {errors} error(s)") + f", {warnings} warning(s)")
+        print(out.dim("Use --force to override and proceed anyway"))
+        if not args.force:
+            if args.sbom is not None:
+                _write_sbom(sbom_entries, ecosystem, args.sbom)
+            sys.exit(1)
+    elif warnings:
+        print(out.green("✓ 0 errors") + f", {out.yellow(f'{warnings} warning(s)')}")
+    else:
+        print(out.green(f"✓ All {len(packages)} packages passed"))
+
+    if args.sbom is not None:
+        _write_sbom(sbom_entries, ecosystem, args.sbom)
+
+
+def _write_sbom(entries: list[dict], ecosystem: str, path: str) -> None:
+    doc = sbom_mod.generate(entries, ecosystem)
+    output_path = path if path else None
+    sbom_mod.write(doc, output_path)
+    if output_path:
+        print(out.dim(f"SBOM written to {output_path}"))
+
+
+# ── Entry point ───────────────────────────────────────────────────────────────
+
+def main() -> None:
+    parser = argparse.ArgumentParser(
+        prog="gate",
+        description="Supply chain security scanner for npm and pip packages",
+    )
+    parser.add_argument("--version", action="version", version=f"gate {__version__}")
+    sub = parser.add_subparsers(dest="command", required=True)
+
+    sub.add_parser("init", help="Install git pre-commit hook")
+    sub.add_parser("uninstall", help="Remove git pre-commit hook")
+
+    p_check = sub.add_parser("check", help="Check a single package")
+    p_check.add_argument("package", help="Package name or name==version")
+    p_check.add_argument("--npm", action="store_true", help="Treat as npm package")
+    p_check.add_argument("--force", action="store_true", help="Exit 0 even on errors")
+
+    p_scan = sub.add_parser("scan", help="Scan all packages in lock file")
+    p_scan.add_argument("--force", action="store_true", help="Exit 0 even on errors")
+    p_scan.add_argument("--hook", action="store_true", help=argparse.SUPPRESS)
+    p_scan.add_argument(
+        "--sbom",
+        nargs="?",
+        const="",
+        metavar="FILE",
+        help="Export CycloneDX SBOM (optional: path to output file, default: stdout)",
+    )
+
+    args = parser.parse_args()
+
+    commands = {
+        "init": cmd_init,
+        "uninstall": cmd_uninstall,
+        "check": cmd_check,
+        "scan": cmd_scan,
+    }
+    commands[args.command](args)
+
+
+if __name__ == "__main__":
+    main()

gate/config.py

@@ -0,0 +1,27 @@
+from dataclasses import dataclass, field
+from pathlib import Path
+import tomllib
+
+
+@dataclass
+class Config:
+    quarantine_days: int = 7
+    fail_on: list[str] = field(default_factory=lambda: ["critical_cve", "install_script"])
+    warn_on: list[str] = field(default_factory=lambda: ["recent_release", "maintainer_change"])
+
+
+def load_config(path: Path | None = None) -> Config:
+    if path is None:
+        path = Path(".gate.toml")
+
+    if not path.exists():
+        return Config()
+
+    with path.open("rb") as f:
+        data = tomllib.load(f)
+
+    return Config(
+        quarantine_days=data.get("quarantine_days", 7),
+        fail_on=data.get("fail_on", ["critical_cve", "install_script"]),
+        warn_on=data.get("warn_on", ["recent_release"]),
+    )

gate/hooks/precommit.py

@@ -0,0 +1,56 @@
+import stat
+from pathlib import Path
+
+GATE_MARKER = "# gate pre-commit hook"
+HOOK_SCRIPT = f"""{GATE_MARKER}
+if git diff --cached --name-only | grep -qE '(package-lock\\.json|requirements\\.txt|Pipfile\\.lock|poetry\\.lock|pyproject\\.toml)'; then
+    gate scan --hook || exit 1
+fi
+"""
+
+
+def install_hook() -> tuple[bool, str]:
+    git_dir = Path(".git")
+    if not git_dir.exists():
+        return False, "Not a git repository"
+
+    hook_path = git_dir / "hooks" / "pre-commit"
+
+    if hook_path.exists():
+        content = hook_path.read_text()
+        if GATE_MARKER in content:
+            return True, "Hook already installed"
+        with hook_path.open("a") as f:
+            f.write("\n" + HOOK_SCRIPT)
+    else:
+        hook_path.write_text("#!/bin/sh\n" + HOOK_SCRIPT)
+
+    current = hook_path.stat().st_mode
+    hook_path.chmod(current | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+
+    return True, "Hook installed"
+
+
+def uninstall_hook() -> tuple[bool, str]:
+    hook_path = Path(".git") / "hooks" / "pre-commit"
+    if not hook_path.exists():
+        return False, "No pre-commit hook found"
+
+    content = hook_path.read_text()
+    if GATE_MARKER not in content:
+        return False, "Gate hook not found in pre-commit"
+
+    lines = content.splitlines(keepends=True)
+    filtered = []
+    skip = False
+    for line in lines:
+        if GATE_MARKER in line:
+            skip = True
+        if skip and line.strip() == "fi":
+            skip = False
+            continue
+        if not skip:
+            filtered.append(line)
+
+    hook_path.write_text("".join(filtered))
+    return True, "Hook removed"

gate/output.py

@@ -0,0 +1,59 @@
+import sys
+
+# ANSI escape codes — stdlib only, zero dependencies
+_RED = "\033[31m"
+_GREEN = "\033[32m"
+_YELLOW = "\033[33m"
+_BOLD = "\033[1m"
+_DIM = "\033[2m"
+_RESET = "\033[0m"
+
+_COLOR = sys.stdout.isatty()
+
+
+def _c(code: str, text: str) -> str:
+    return f"{code}{text}{_RESET}" if _COLOR else text
+
+
+def red(text: str) -> str:
+    return _c(_RED, text)
+
+
+def green(text: str) -> str:
+    return _c(_GREEN, text)
+
+
+def yellow(text: str) -> str:
+    return _c(_YELLOW, text)
+
+
+def bold(text: str) -> str:
+    return _c(_BOLD, text)
+
+
+def dim(text: str) -> str:
+    return _c(_DIM, text)
+
+
+def ok(msg: str) -> None:
+    print(f"  {green('✓')} {msg}")
+
+
+def warn(msg: str) -> None:
+    print(f"  {yellow('⚠')} {msg}")
+
+
+def fail(msg: str) -> None:
+    print(f"  {red('✗')} {msg}")
+
+
+def info(msg: str) -> None:
+    print(f"    {dim(msg)}")
+
+
+def error(msg: str) -> None:
+    print(f"    {red(msg)}")
+
+
+def warning(msg: str) -> None:
+    print(f"    {yellow(msg)}")

gate/registry/npm.py

@@ -0,0 +1,85 @@
+import json
+import urllib.request
+import urllib.error
+from datetime import datetime, timezone
+
+
+def get_package_info(name: str, version: str | None = None) -> dict | None:
+    encoded = name.replace("/", "%2F")
+    url = f"https://registry.npmjs.org/{encoded}"
+    try:
+        with urllib.request.urlopen(url, timeout=10) as resp:
+            data = json.loads(resp.read())
+    except urllib.error.HTTPError:
+        return None
+    except Exception:
+        return None
+
+    if version is None:
+        version = data.get("dist-tags", {}).get("latest")
+
+    if not version or version not in data.get("versions", {}):
+        return None
+
+    version_data = data["versions"][version]
+    time_str = data.get("time", {}).get(version)
+    published = None
+    if time_str:
+        published = datetime.fromisoformat(time_str.replace("Z", "+00:00"))
+
+    all_scripts = version_data.get("scripts", {})
+    install_scripts = {
+        k: v for k, v in all_scripts.items()
+        if k in ("install", "preinstall", "postinstall", "preuninstall", "postuninstall")
+    }
+
+    current_maintainers = _extract_maintainers(version_data.get("maintainers", []))
+    previous_maintainers = _get_previous_maintainers(data, version)
+
+    # dist.integrity is the canonical hash from the registry
+    remote_integrity = version_data.get("dist", {}).get("integrity")
+
+    return {
+        "name": data["name"],
+        "version": version,
+        "published": published,
+        "install_scripts": install_scripts,
+        "maintainers": current_maintainers,
+        "previous_maintainers": previous_maintainers,
+        "remote_integrity": remote_integrity,
+    }
+
+
+def _extract_maintainers(maintainers: list) -> list[str]:
+    return [
+        m["name"] if isinstance(m, dict) else str(m)
+        for m in maintainers
+    ]
+
+
+def _get_previous_maintainers(data: dict, current_version: str) -> list[str] | None:
+    """Return maintainer list from the version published just before current_version."""
+    times: dict[str, str] = data.get("time", {})
+    versions_with_time = {
+        v: t for v, t in times.items()
+        if v not in ("created", "modified") and v in data.get("versions", {})
+    }
+
+    if not versions_with_time:
+        return None
+
+    current_time = versions_with_time.get(current_version)
+    if not current_time:
+        return None
+
+    earlier = [
+        v for v, t in versions_with_time.items()
+        if t < current_time and v != current_version
+    ]
+
+    if not earlier:
+        return None
+
+    prev_version = max(earlier, key=lambda v: versions_with_time[v])
+    prev_data = data["versions"].get(prev_version, {})
+    return _extract_maintainers(prev_data.get("maintainers", []))

gate/registry/pypi.py

@@ -0,0 +1,81 @@
+import json
+import urllib.request
+import urllib.error
+from datetime import datetime, timezone
+
+
+def get_package_info(name: str, version: str | None = None) -> dict | None:
+    url = f"https://pypi.org/pypi/{name}/json"
+    try:
+        with urllib.request.urlopen(url, timeout=10) as resp:
+            data = json.loads(resp.read())
+    except urllib.error.HTTPError:
+        return None
+    except Exception:
+        return None
+
+    if version is None:
+        version = data["info"]["version"]
+
+    releases = data.get("releases", {})
+    if version not in releases or not releases[version]:
+        return None
+
+    files = releases[version]
+    upload_time = min(
+        datetime.fromisoformat(f["upload_time"]).replace(tzinfo=timezone.utc)
+        for f in files
+        if f.get("upload_time")
+    )
+
+    # PyPI exposes the uploader username per file
+    uploaders = list({f["uploader"] for f in files if f.get("uploader")})
+
+    # Prefer the source distribution hash, fall back to first wheel
+    remote_integrity = None
+    sdist = next((f for f in files if f.get("packagetype") == "sdist"), None)
+    ref = sdist or files[0]
+    sha256 = ref.get("digests", {}).get("sha256")
+    if sha256:
+        remote_integrity = f"sha256:{sha256}"
+
+    previous_uploaders = _get_previous_uploaders(releases, version)
+
+    return {
+        "name": data["info"]["name"],
+        "version": version,
+        "published": upload_time,
+        "home_page": data["info"].get("home_page"),
+        "maintainers": uploaders,
+        "previous_maintainers": previous_uploaders,
+        "remote_integrity": remote_integrity,
+    }
+
+
+def _get_previous_uploaders(releases: dict, current_version: str) -> list[str] | None:
+    """Return uploaders from the release published just before current_version."""
+    def earliest_upload(files: list) -> datetime | None:
+        times = [
+            datetime.fromisoformat(f["upload_time"]).replace(tzinfo=timezone.utc)
+            for f in files
+            if f.get("upload_time")
+        ]
+        return min(times) if times else None
+
+    current_time = earliest_upload(releases.get(current_version, []))
+    if not current_time:
+        return None
+
+    candidates = []
+    for ver, files in releases.items():
+        if ver == current_version or not files:
+            continue
+        t = earliest_upload(files)
+        if t and t < current_time:
+            candidates.append((t, files))
+
+    if not candidates:
+        return None
+
+    _, prev_files = max(candidates, key=lambda x: x[0])
+    return list({f["uploader"] for f in prev_files if f.get("uploader")}) or None

gate/sbom.py

@@ -0,0 +1,86 @@
+import json
+import uuid
+from datetime import datetime, timezone
+
+from gate import __version__
+
+
+def _purl(name: str, version: str, ecosystem: str) -> str:
+    """Generate a Package URL (purl) per the purl spec."""
+    if ecosystem == "npm":
+        # Scoped packages: @scope/name → pkg:npm/%40scope%2Fname@version
+        encoded = name.replace("@", "%40").replace("/", "%2F")
+        return f"pkg:npm/{encoded}@{version}"
+    return f"pkg:pypi/{name.lower()}@{version}"
+
+
+def generate(
+    packages: list[dict],
+    ecosystem: str,
+) -> dict:
+    """
+    Generate a CycloneDX 1.6 SBOM document.
+
+    Each entry in packages is a result dict from _check_package(), extended with
+    'name' and 'version' keys added by cmd_scan before calling this function.
+    """
+    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+    serial = f"urn:uuid:{uuid.uuid4()}"
+
+    components = []
+    vulnerabilities = []
+
+    for pkg in packages:
+        name = pkg["name"]
+        version = pkg.get("version") or "unknown"
+        ref = f"urn:cdx:{uuid.uuid4()}"
+
+        component: dict = {
+            "type": "library",
+            "bom-ref": ref,
+            "name": name,
+            "version": version,
+            "purl": _purl(name, version, ecosystem),
+        }
+        components.append(component)
+
+        # Attach CVEs as top-level vulnerabilities linked to this component
+        for msg in pkg.get("errors", []) + pkg.get("warnings", []):
+            # Extract CVE/GHSA IDs from error messages like "CVE-2023-xxx: ..."
+            for prefix in ("CVE-", "GHSA-"):
+                if msg.startswith(prefix):
+                    vuln_id = msg.split(":")[0].strip()
+                    description = msg.split(":", 1)[1].strip() if ":" in msg else ""
+                    vulnerabilities.append({
+                        "id": vuln_id,
+                        "description": description,
+                        "affects": [{"ref": ref}],
+                    })
+                    break
+
+    doc = {
+        "bomFormat": "CycloneDX",
+        "specVersion": "1.6",
+        "serialNumber": serial,
+        "version": 1,
+        "metadata": {
+            "timestamp": now,
+            "tools": [{"name": "gate", "version": __version__}],
+        },
+        "components": components,
+    }
+
+    if vulnerabilities:
+        doc["vulnerabilities"] = vulnerabilities
+
+    return doc
+
+
+def write(doc: dict, path: str | None) -> None:
+    """Write SBOM to file or stdout."""
+    output = json.dumps(doc, indent=2)
+    if path:
+        with open(path, "w", encoding="utf-8") as f:
+            f.write(output)
+    else:
+        print(output)

gate_cli-0.1.0.dist-info/METADATA

@@ -0,0 +1,149 @@
+Metadata-Version: 2.4
+Name: gate-cli
+Version: 0.1.0
+Summary: Supply chain security scanner for npm and pip packages
+Project-URL: Homepage, https://github.com/Mhacker1020/gate
+Project-URL: Repository, https://github.com/Mhacker1020/gate
+Project-URL: Issues, https://github.com/Mhacker1020/gate/issues
+License: MIT
+License-File: LICENSE
+Keywords: cve,npm,pip,sbom,security,supply-chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.12
+Provides-Extra: dev
+Requires-Dist: pytest; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# gate
+
+Supply chain security scanner for npm and pip packages.
+
+Checks packages for known CVEs, quarantines newly published versions, and warns about suspicious install scripts — before they hit your project.
+
+```
+  ✓ flask 3.1.1
+  ✗ requests 2.28.0
+    CVE-2023-32681: Unintended leak of Proxy-Authorization header
+  ⚠ urllib3 2.3.0
+    Published 2 day(s) ago (quarantine window: 7 days)
+```
+
+## Why
+
+Supply chain attacks increasingly target the window between a package being published and being detected as malicious. Existing tools (Trivy, Snyk, Dependabot) catch *known* CVEs but miss:
+
+- Newly published malicious versions not yet in any database
+- Install scripts that run arbitrary code on `pip install`
+
+Gate adds a quarantine window — new versions are flagged until the community has had time to catch problems.
+
+**Zero runtime dependencies.** A supply chain security tool that trusts its own supply chain is not a security tool.
+
+## Checks
+
+| Check | What it catches |
+|-------|----------------|
+| CVE scan | Known vulnerabilities via OSV.dev |
+| Quarantine window | Versions published within N days |
+| Install scripts | npm packages running suspicious install hooks |
+| Hash verification | Detects tampered packages via lock file integrity checks |
+| Maintainer change | Flags when a package owner has changed between versions |
+| SBOM export | Generates a CycloneDX 1.6 Software Bill of Materials |
+
+## Installation
+
+```bash
+pip install gate-cli
+```
+
+Requires Python 3.12+.
+
+## Usage
+
+### Check a single package
+
+```bash
+gate check requests
+gate check requests==2.28.0
+gate check lodash --npm
+gate check lodash==4.17.15 --npm
+```
+
+### Scan all packages in a project
+
+Automatically detects `requirements.txt` or `package-lock.json`:
+
+```bash
+gate scan
+```
+
+Exit code is non-zero if errors are found — suitable for CI pipelines.
+
+### Export a CycloneDX SBOM
+
+```bash
+gate scan --sbom                  # print to stdout
+gate scan --sbom report.cdx.json  # write to file
+```
+
+### Install as a git pre-commit hook
+
+```bash
+gate init
+```
+
+Gate will run automatically on every `git commit` when lock files change. To remove:
+
+```bash
+gate uninstall
+```
+
+## Configuration
+
+Create `.gate.toml` in your project root to override defaults:
+
+```toml
+quarantine_days = 14
+
+fail_on = ["critical_cve", "install_script"]
+warn_on = ["recent_release"]
+```
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `quarantine_days` | `7` | Days a new release must age before passing |
+| `fail_on` | `["critical_cve", "install_script"]` | Conditions that block the commit / exit 1 |
+| `warn_on` | `["recent_release"]` | Conditions that warn but allow through |
+
+Move `recent_release` from `warn_on` to `fail_on` to enforce the quarantine window strictly.
+
+## Supported ecosystems
+
+| Ecosystem | Lock file | Registry |
+|-----------|-----------|----------|
+| PyPI | `requirements.txt` | pypi.org |
+| npm | `package-lock.json` | registry.npmjs.org |
+
+CVE data is sourced from [OSV.dev](https://osv.dev) — Google's open vulnerability database.
+
+## Contributing
+
+Gate is open source and built for the community. Contributions welcome.
+
+```bash
+git clone https://github.com/Mhacker1020/gate
+cd gate
+pip install -e ".[dev]"
+python -m pytest
+```
+
+## License
+
+MIT

gate_cli-0.1.0.dist-info/RECORD

@@ -0,0 +1,21 @@
+gate/__init__.py,sha256=kUR5RAFc7HCeiqdlX36dZOHkUI5wI6V_43RpEcD8b-0,22
+gate/cli.py,sha256=CL4zhP1fu9UEr6k9byHgAGHEhrmh_vmpvjGRDB2c5P0,10296
+gate/config.py,sha256=aLkf4kGs4X1XAwelfAeFepFedC8YPRjOR2ayOouCiaY,760
+gate/output.py,sha256=rntZW0A07W-OrzFFKwYrI_AHSLDpQK7uUJrkpehGM4w,973
+gate/sbom.py,sha256=hQNlb_LWiOtjaZPnMRs1oSHF6ZRQBdZazk9sFxk88SU,2643
+gate/checks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+gate/checks/cve.py,sha256=B9_goX6OpxKWStRA3MuQMPjFi7tlFlXhKEW8O-e04WM,1044
+gate/checks/integrity.py,sha256=JK7wZOdScMm1buFH3QentWwRtKWRhXFAL7GDBDL_cNI,1782
+gate/checks/maintainer.py,sha256=bfbHXkDnH0NuKKCvvfjSRNh-M8lG8L-QQ5u6o9euHoU,889
+gate/checks/quarantine.py,sha256=nHb6Im9rxIRvmqK6P9jsgDwcuO3v9c_nSqmw1UVmnck,580
+gate/checks/scripts.py,sha256=sR4CbOGWpW4TqFWMMzF6pU9s6OhanOGEtOA1oRD_xYY,1903
+gate/hooks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+gate/hooks/precommit.py,sha256=15t26EBWHYUAsfni370uHYNIuxTJHAov_X2MBkBAg_o,1617
+gate/registry/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+gate/registry/npm.py,sha256=bl-7TVAkDkSpuzSDskqQd81mUXyTIuZDM5ki47Qw8hU,2696
+gate/registry/pypi.py,sha256=HUx5BXRzZddSz80C-NJ2MGJzNm7yW6jK9_apbzHefeI,2608
+gate_cli-0.1.0.dist-info/METADATA,sha256=v9-ylvkqWVZfo4xSxdS515ipGX3pwovalT-ff6WkkXA,4162
+gate_cli-0.1.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+gate_cli-0.1.0.dist-info/entry_points.txt,sha256=VD6pWoNQ1iGwnUY9KaUsXgXe4jjzHW9w9O4EHocZW8E,39
+gate_cli-0.1.0.dist-info/licenses/LICENSE,sha256=pbTeGA7N7sxgwJJyrMjNItTfD41_Cze5md-vI0zeAHI,1061
+gate_cli-0.1.0.dist-info/RECORD,,

gate_cli-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.29.0
+Root-Is-Purelib: true
+Tag: py3-none-any

gate_cli-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+gate = gate.cli:main

gate_cli-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mika
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.