Metadata-Version: 2.4
Name: kryptorious-depguard
Version: 1.1.0
Summary: Cross-ecosystem dependency auditor for Python + Node: catches undeclared imports, unused deps, unpinned specifiers, and lockfile drift in one offline, CI-ready command.
Author: Kryptorious Quantum Biosciences
License: MIT
Project-URL: Homepage, https://github.com/CodeGero/kryptorious-depguard
Project-URL: Repository, https://github.com/CodeGero/kryptorious-depguard
Project-URL: Premium, https://kryptorious.gumroad.com/l/jbvet
Keywords: dependencies,audit,ci,python,node,sarif,supply-chain
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click>=8.1
Requires-Dist: rich>=13.0
Requires-Dist: tomli>=2.0; python_version < "3.11"
Dynamic: license-file

# kryptorious-depguard

**Cross-ecosystem dependency auditor for Python + Node.** One command, offline, CI-ready — catches the dependency problems your linter can't see:

- **Undeclared imports** — code imports a package you never declared (`import requests` with no `requests` in `requirements.txt`). Breaks in a clean install.
- **Unused dependencies** — declared in `requirements.txt` / `package.json` but never imported. Bloats installs and attack surface.
- **Unpinned specifiers** — `numpy` (any) or `^1.2.3` (floating). Non-reproducible builds.
- **Lockfile drift** — `package.json` disagrees with `package-lock.json` / `yarn.lock`.

## Why this exists

`node-depcheck` is Node-only. `pipreqs` regenerates a requirements file but doesn't *audit* it. `pyflakes` F401 only catches unused *local* names. **No lightweight, offline, single-tool audits both ecosystems and emits SARIF** for GitHub code-scanning in one pass. `depguard` does.

## Install

```bash
pip install kryptorious-depguard
```

## Usage

Audit the current directory (both ecosystems):

```bash
depguard check .
```

Python only, fail CI on any high-severity finding:

```bash
depguard check . --python --no-node --fail-on high
```

Emit SARIF for GitHub code-scanning:

```bash
depguard check . --format sarif --output depguard.sarif
```

JSON for custom pipelines:

```bash
depguard check . --format json
```

### GitHub Action (inline)

```yaml
- name: Dependency audit
  run: |
    pip install kryptorious-depguard
    depguard check . --format sarif --output depguard.sarif --fail-on high
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: depguard.sarif
```

## Exit codes

`--fail-on {high,medium,low,never}` controls the CI gate. Default `high`: exits `1` when any high-severity finding exists (undeclared imports).

## Premium

Free tier includes everything above. Premium ($9 lifetime) adds cloud SARIF upload to code-scanning dashboards, scheduled baseline diffs, and HTML trend reports: **https://kryptorious.gumroad.com/l/jbvet**

## License

MIT — Kryptorious Quantum Biosciences, Inc.
