feat: add PyPI registry support (#19)

* feat: add PyPI registry support

- Add PypiClient for fetching metadata and downloading packages from PyPI
- Support both sdist (.tar.gz) and wheel (.whl) formats
- Add Python-specific capability detection (requests, subprocess, os.environ, etc.)
- Update CVE scanner to support PyPI ecosystem via OSV API
- Add Python dependency file parsing (requirements.txt, pyproject.toml, Pipfile)
- Update worker to dispatch scans based on registry type
- Add PyPI metadata structs (PypiPackageMetadata, PypiReleaseInfo, PypiMaintainer)
- Calculate trust score based on PyPI-specific signals (author, classifiers, etc.)

Co-authored-by: Cursor <cursoragent@cursor.com>

* feat: add PyPI seed support and switch to Claude Sonnet

- Add --registry flag to seed script (npm/pypi)
- Add fetch_top_pypi_packages() for PyPI stats
- Add PYPI_AI_PACKAGES list for Python AI ecosystem
- Update fetch_cve_packages() to accept ecosystem param
- Switch agentic scan model from kimi-k2.5 to claude-sonnet-4-5
- Bump version to v0.1.5

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore: update Rust version to 1.88 in Dockerfiles

Required by time@0.3.46 which needs rustc 1.88.0

Co-authored-by: Cursor <cursoragent@cursor.com>

* feat: add PyPI auto-detection to CLI

- Add project.rs with shared ProjectType/PackageManager detection
- Auto-detect Python projects (requirements.txt, pyproject.toml, etc.)
- Auto-detect package manager (pip, poetry, pipenv, uv)
- Update add.rs to use project detection and pass registry to API
- Handle Python version syntax (==, >=, etc.)
- Refactor scan.rs to use shared project module

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: homanp

Cargo.toml

@@ -11,7 +11,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.1.4"
+version = "0.1.5"
 edition = "2021"
 authors = ["sus contributors"]
 license = "MIT"
@@ -56,6 +56,7 @@ url = { version = "2.5", features = ["serde"] }
 semver = { version = "1.0", features = ["serde"] }
 flate2 = "1.0"
 tar = "0.4"
+zip = "2.2"
 tempfile = "3.14"
 dotenvy = "0.15"
 async-trait = "0.1"

Dockerfile.api

@@ -1,5 +1,5 @@
 # Stage 1: Chef setup
-FROM rust:1.85-alpine AS chef
+FROM rust:1.88-alpine AS chef
 RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static
 RUN cargo install cargo-chef
 WORKDIR /app

Dockerfile.cve

@@ -1,5 +1,5 @@
 # Stage 1: Chef setup
-FROM rust:1.85-alpine AS chef
+FROM rust:1.88-alpine AS chef
 RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static
 RUN cargo install cargo-chef
 WORKDIR /app

Dockerfile.watcher

@@ -1,5 +1,5 @@
 # Stage 1: Chef setup
-FROM rust:1.85-alpine AS chef
+FROM rust:1.88-alpine AS chef
 RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static
 RUN cargo install cargo-chef
 WORKDIR /app

Dockerfile.worker

@@ -1,5 +1,5 @@
 # Stage 1: Chef setup
-FROM rust:1.85-alpine AS chef
+FROM rust:1.88-alpine AS chef
 RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static
 RUN cargo install cargo-chef
 WORKDIR /app

README.md

@@ -232,7 +232,7 @@ if you're building an agent that installs packages, sus is for you.
 ## roadmap
 
 - [x] npm support
-- [ ] pypi support
+- [x] pypi support
 - [ ] crates.io support
 - [ ] go modules support
 - [ ] private registry support

crates/cli/src/api_client.rs

@@ -2,7 +2,8 @@
 
 use anyhow::{Context, Result};
 use common::{
-    BulkLookupRequest, PackageResponse, PackageVersionPair, ScanRequest, ScanRequestResponse,
+    BulkLookupRequest, PackageResponse, PackageVersionPair, Registry, ScanRequest,
+    ScanRequestResponse,
 };
 use reqwest::Client;
 
@@ -70,18 +71,28 @@ impl SusClient {
             .context("Failed to parse API response")
     }
 
-    /// Request a scan for a package
+    /// Request a scan for a package (defaults to npm registry)
     pub async fn request_scan(
         &self,
         name: &str,
         version: Option<&str>,
+    ) -> Result<ScanRequestResponse> {
+        self.request_scan_with_registry(name, version, None).await
+    }
+
+    /// Request a scan for a package with a specific registry
+    pub async fn request_scan_with_registry(
+        &self,
+        name: &str,
+        version: Option<&str>,
+        registry: Option<Registry>,
     ) -> Result<ScanRequestResponse> {
         let url = format!("{}/v1/scan", self.base_url);
 
         let request = ScanRequest {
             name: name.to_string(),
             version: version.map(String::from),
-            registry: None, // Default to npm
+            registry,
         };
 
         let response = self

crates/cli/src/commands/add.rs

@@ -3,58 +3,52 @@
 use crate::agents_md;
 use crate::api_client::SusClient;
 use crate::config;
+use crate::project::{self, NpmPackageManager, ProjectType, PypiPackageManager};
 use crate::ui::{self, print_capabilities, print_risk};
 use anyhow::Result;
 use colored::Colorize;
 use common::RiskLevel;
 use dialoguer::Confirm;
 use std::process::Command;
 
-/// Parse a package string into name and optional version
-fn parse_package_spec(spec: &str) -> (&str, Option<&str>) {
-    // Handle scoped packages like @types/node@1.0.0
-    if let Some(rest) = spec.strip_prefix('@') {
-        // Find the second @ for version
-        if let Some(idx) = rest.find('@') {
-            let idx = idx + 1; // Adjust for the @ prefix
-            return (&spec[..idx], Some(&spec[idx + 1..]));
-        }
-        return (spec, None);
-    }
-
-    // Regular package like lodash@4.17.0
-    if let Some(idx) = spec.find('@') {
-        return (&spec[..idx], Some(&spec[idx + 1..]));
-    }
-
-    (spec, None)
-}
-
 /// Run the add command
 pub async fn run(
     client: &SusClient,
     packages: Vec<String>,
     yolo: bool,
     strict: bool,
 ) -> Result<()> {
+    // Detect project type
+    let project_type = match project::detect_project_type() {
+        Some(pt) => pt,
+        None => {
+            anyhow::bail!(
+                "No supported project files found.\n\
+                 Supported files:\n\
+                 - npm: package.json, pnpm-lock.yaml, yarn.lock, bun.lockb\n\
+                 - python: requirements.txt, pyproject.toml, Pipfile, setup.py"
+            );
+        }
+    };
+
     // Check if AGENTS.md docs feature is enabled
     let agents_md_enabled = config::is_agents_md_enabled();
 
     for package_spec in &packages {
-        let (name, version) = parse_package_spec(package_spec);
-        let display_name = if let Some(v) = version {
-            format!("{}@{}", name, v)
+        let (name, version) = project::parse_package_spec(package_spec, &project_type);
+        let display_name = if let Some(ref v) = version {
+            format_display_name(&name, v, &project_type)
         } else {
-            name.to_string()
+            name.clone()
         };
 
         let pb = ui::spinner(&format!("checking {}...", display_name));
 
         // Fetch assessment from API
-        let assessment = match if let Some(v) = version {
-            client.get_package_version(name, v).await
+        let assessment = match if let Some(ref v) = version {
+            client.get_package_version(&name, v).await
         } else {
-            client.get_package(name).await
+            client.get_package(&name).await
         } {
             Ok(a) => {
                 ui::finish_spinner(&pb, a.risk_level.emoji(), &display_name);
@@ -68,7 +62,11 @@ pub async fn run(
                         display_name.yellow()
                     );
 
-                    match client.request_scan(name, version).await {
+                    let registry = project_type.registry();
+                    match client
+                        .request_scan_with_registry(&name, version.as_deref(), Some(registry))
+                        .await
+                    {
                         Ok(resp) => {
                             println!(
                                 "  scan queued (job {}), try again in ~{}s",
@@ -92,7 +90,7 @@ pub async fn run(
                     }
 
                     // If yolo, proceed without assessment
-                    install_package(package_spec).await?;
+                    install_package(package_spec, &project_type)?;
                     continue;
                 } else {
                     ui::finish_spinner(&pb, "❌", &display_name);
@@ -151,52 +149,78 @@ pub async fn run(
         }
 
         // Install the package
-        install_package(package_spec).await?;
+        install_package(package_spec, &project_type)?;
         println!("{}", "📦 installed".green());
 
         // Save docs and update AGENTS.md index if enabled
         if agents_md_enabled {
             if let Some(skill_md) = &assessment.skill_md {
-                save_package_docs(name, skill_md);
+                save_package_docs(&name, skill_md);
             }
         }
     }
 
     Ok(())
 }
 
-/// Install a package using npm/pnpm/yarn
-async fn install_package(package: &str) -> Result<()> {
-    // Detect package manager
-    let pm = detect_package_manager();
+/// Format display name based on project type
+fn format_display_name(name: &str, version: &str, project_type: &ProjectType) -> String {
+    match project_type {
+        ProjectType::Npm(_) => format!("{}@{}", name, version),
+        ProjectType::Pypi(_) => format!("{}=={}", name, version),
+    }
+}
 
-    let status = Command::new(&pm)
-        .args(["add", package])
+/// Install a package using the appropriate package manager
+fn install_package(package: &str, project_type: &ProjectType) -> Result<()> {
+    match project_type {
+        ProjectType::Npm(pm) => install_npm_package(package, *pm),
+        ProjectType::Pypi(pm) => install_pypi_package(package, *pm),
+    }
+}
+
+/// Install an npm package
+fn install_npm_package(package: &str, pm: NpmPackageManager) -> Result<()> {
+    let cmd = pm.command();
+    let install_cmd = pm.install_cmd();
+
+    let status = Command::new(cmd)
+        .args([install_cmd, package])
         .status()
-        .map_err(|e| anyhow::anyhow!("Failed to run {}: {}", pm, e))?;
+        .map_err(|e| anyhow::anyhow!("Failed to run {}: {}", cmd, e))?;
 
     if !status.success() {
-        anyhow::bail!("{} add failed with exit code {:?}", pm, status.code());
+        anyhow::bail!(
+            "{} {} failed with exit code {:?}",
+            cmd,
+            install_cmd,
+            status.code()
+        );
     }
 
     Ok(())
 }
 
-/// Detect which package manager to use
-fn detect_package_manager() -> String {
-    // Check for lockfiles in order of preference
-    if std::path::Path::new("pnpm-lock.yaml").exists() {
-        return "pnpm".to_string();
-    }
-    if std::path::Path::new("yarn.lock").exists() {
-        return "yarn".to_string();
-    }
-    if std::path::Path::new("bun.lockb").exists() {
-        return "bun".to_string();
+/// Install a PyPI package
+fn install_pypi_package(package: &str, pm: PypiPackageManager) -> Result<()> {
+    let cmd = pm.command();
+    let install_cmd = pm.install_cmd();
+
+    let status = Command::new(cmd)
+        .args([install_cmd, package])
+        .status()
+        .map_err(|e| anyhow::anyhow!("Failed to run {}: {}", cmd, e))?;
+
+    if !status.success() {
+        anyhow::bail!(
+            "{} {} failed with exit code {:?}",
+            cmd,
+            install_cmd,
+            status.code()
+        );
     }
 
-    // Default to npm
-    "npm".to_string()
+    Ok(())
 }
 
 /// Save package documentation to .sus-docs/ and update AGENTS.md index
@@ -226,16 +250,17 @@ mod tests {
     use super::*;
 
     #[test]
-    fn test_parse_package_spec() {
-        assert_eq!(parse_package_spec("lodash"), ("lodash", None));
+    fn test_format_display_name() {
+        let npm = ProjectType::Npm(NpmPackageManager::Npm);
+        let pypi = ProjectType::Pypi(PypiPackageManager::Pip);
+
         assert_eq!(
-            parse_package_spec("lodash@4.17.0"),
-            ("lodash", Some("4.17.0"))
+            format_display_name("lodash", "4.17.0", &npm),
+            "lodash@4.17.0"
         );
-        assert_eq!(parse_package_spec("@types/node"), ("@types/node", None));
         assert_eq!(
-            parse_package_spec("@types/node@18.0.0"),
-            ("@types/node", Some("18.0.0"))
+            format_display_name("requests", "2.31.0", &pypi),
+            "requests==2.31.0"
         );
     }
 }