@controlfront/detect 0.0.1

package/src/commands/scan.js

@@ -0,0 +1,1547 @@
+// --- Shared fetch helper for CI helpers ---
+async function getFetch() {
+  if (globalThis.fetch) return globalThis.fetch;
+  const mod = await import("node-fetch");
+  return mod.default || mod;
+}
+import chalk from "chalk";
+import { execSync, spawnSync } from "child_process";
+import fs from "fs";
+import jwt from "jsonwebtoken";
+import micromatch from "micromatch";
+import path from "path";
+import { fileURLToPath } from "url";
+import { resolveProjectForFolder } from "../utils/resolveProjectForFolder/index.js";
+import { SCANNABLE_EXTENSIONS } from "../utils/fileExtensions.js";
+
+// --- Git network ops memoization (avoid repeated fetch/maintenance during long backfills) ---
+let _cfDidUnshallowFetch = false;
+let _cfDidFetchDefaultBranchRef = false;
+
+// --- Git ops metrics (helps diagnose rare hangs / best-effort fallbacks) ---
+const _cfGitStats = {
+  unshallow: { attempted: 0, ok: 0, failed: 0, timed_out: 0, ms_total: 0 },
+  fetch_branch_ref: {
+    attempted: 0,
+    ok: 0,
+    failed: 0,
+    timed_out: 0,
+    ms_total: 0,
+  },
+  log_since: { attempted: 0, ok: 0, failed: 0, timed_out: 0, ms_total: 0 },
+  log_recent: { attempted: 0, ok: 0, failed: 0, timed_out: 0, ms_total: 0 },
+  best_effort_fallbacks: 0,
+};
+
+// --- Snapshot sync metrics (helps diagnose flaky localhost/network during long backfills) ---
+const _cfSnapshotSyncStats = {
+  attempted: 0,
+  ok: 0,
+  failed: 0,
+  retried: 0,
+  // keep a small sample to avoid log spam
+  failure_samples: [],
+};
+
+function recordSnapshotSyncResult({ ok, attempt, totalAttempts, err } = {}) {
+  _cfSnapshotSyncStats.attempted += 1;
+  if (ok) _cfSnapshotSyncStats.ok += 1;
+  else _cfSnapshotSyncStats.failed += 1;
+
+  if (!ok && attempt && totalAttempts && attempt < totalAttempts) {
+    _cfSnapshotSyncStats.retried += 1;
+  }
+
+  if (!ok && err && _cfSnapshotSyncStats.failure_samples.length < 5) {
+    _cfSnapshotSyncStats.failure_samples.push({
+      message: err?.message || String(err),
+      status: err?.status || null,
+      code: err?.code || err?.errno || null,
+      name: err?.name || null,
+    });
+  }
+}
+
+function printSnapshotSyncSummary(prefix = "🪵") {
+  console.log(`${prefix} Snapshot sync summary`, {
+    attempted: _cfSnapshotSyncStats.attempted,
+    ok: _cfSnapshotSyncStats.ok,
+    failed: _cfSnapshotSyncStats.failed,
+    retried: _cfSnapshotSyncStats.retried,
+    failure_samples: _cfSnapshotSyncStats.failure_samples,
+  });
+}
+
+function isRetryableSnapshotError(err) {
+  const msg = (err?.message || "").toLowerCase();
+  const code = (err?.code || err?.errno || "").toString().toLowerCase();
+
+  // network / socket / DNS / fetch-layer issues
+  const retryableCodes = new Set([
+    "etimedout",
+    "econnreset",
+    "econnrefused",
+    "ehostunreach",
+    "enotfound",
+    "eai_again",
+    "socket hang up",
+  ]);
+
+  if (retryableCodes.has(code)) return true;
+
+  if (
+    msg.includes("fetch failed") ||
+    msg.includes("socket") ||
+    msg.includes("timed out") ||
+    msg.includes("timeout") ||
+    msg.includes("econnreset") ||
+    msg.includes("econnrefused") ||
+    msg.includes("enotfound")
+  ) {
+    return true;
+  }
+
+  // If we encoded an HTTP status into the error message, treat 429/5xx as retryable
+  if (
+    msg.includes(" 429 ") ||
+    msg.includes(" 500 ") ||
+    msg.includes(" 502 ") ||
+    msg.includes(" 503 ") ||
+    msg.includes(" 504 ")
+  ) {
+    return true;
+  }
+
+  return false;
+}
+
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function postSnapshotDirectWithRetry(
+  args,
+  { attempts = 3, baseDelayMs = 750, progressInfo = null } = {}
+) {
+  let lastErr = null;
+
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    try {
+      if (attempt > 1) {
+        console.log("🪵 postSnapshotDirect:retry", { attempt, attempts });
+      }
+      await postSnapshotDirect({ ...args, progressInfo });
+      recordSnapshotSyncResult({ ok: true, attempt, totalAttempts: attempts });
+      return;
+    } catch (e) {
+      lastErr = e;
+      recordSnapshotSyncResult({
+        ok: false,
+        attempt,
+        totalAttempts: attempts,
+        err: e,
+      });
+
+      const retryable = isRetryableSnapshotError(e);
+      const isLast = attempt === attempts;
+
+      console.warn("⚠️ postSnapshotDirect failed", {
+        attempt,
+        attempts,
+        retryable,
+        message: e?.message || String(e),
+      });
+
+      if (!retryable || isLast) break;
+
+      // backoff with a small cap
+      const delay = Math.min(baseDelayMs * attempt, 4000);
+      await sleep(delay);
+    }
+  }
+
+  throw lastErr;
+}
+
+function recordGitStat(bucket, { ok, ms = 0, errorCode = null } = {}) {
+  const b = _cfGitStats[bucket];
+  if (!b) return;
+  b.attempted += 1;
+  if (ok) b.ok += 1;
+  else b.failed += 1;
+  if (errorCode === "ETIMEDOUT") b.timed_out += 1;
+  if (typeof ms === "number" && ms > 0) b.ms_total += ms;
+}
+
+function printGitOpsSummary(prefix = "🪝") {
+  const fmt = (bucketName) => {
+    const b = _cfGitStats[bucketName];
+    if (!b) return null;
+    const avg = b.ok > 0 ? Math.round(b.ms_total / b.ok) : null;
+    return {
+      bucket: bucketName,
+      attempted: b.attempted,
+      ok: b.ok,
+      failed: b.failed,
+      timed_out: b.timed_out,
+      avg_ms_ok: avg,
+    };
+  };
+
+  const rows = [
+    fmt("unshallow"),
+    fmt("fetch_branch_ref"),
+    fmt("log_since"),
+    fmt("log_recent"),
+  ].filter(Boolean);
+
+  console.log(`${prefix} Git ops summary`, {
+    best_effort_fallbacks: _cfGitStats.best_effort_fallbacks,
+    rows,
+  });
+}
+
+// --- Helper: run git with a hard timeout to prevent rare hangs during long backfills ---
+function runGit(
+  cmd,
+  { timeoutMs = 30000, stdio = "ignore", encoding = "utf8", env = {} } = {}
+) {
+  const start = Date.now();
+  const res = spawnSync(cmd, {
+    shell: true,
+    timeout: timeoutMs,
+    stdio,
+    encoding,
+    env: {
+      ...process.env,
+      // Never allow interactive prompts during CLI runs
+      GIT_TERMINAL_PROMPT: "0",
+      // Fail fast on SSH prompts / connectivity issues
+      GIT_SSH_COMMAND:
+        process.env.GIT_SSH_COMMAND ||
+        "ssh -o BatchMode=yes -o ConnectTimeout=10",
+      ...env,
+    },
+    maxBuffer: 50 * 1024 * 1024,
+  });
+
+  const ms = Date.now() - start;
+
+  if (res.error) {
+    // spawnSync sets error.code === 'ETIMEDOUT' when the timeout is hit
+    const msg = res.error?.message || String(res.error);
+    const err = new Error(`Command failed: ${cmd}`);
+    err.meta = { ms, message: msg, code: res.error?.code || null };
+    throw err;
+  }
+
+  if (res.status !== 0) {
+    const stderr = typeof res.stderr === "string" ? res.stderr.trim() : "";
+    const err = new Error(`Command failed: ${cmd}`);
+    err.meta = { ms, status: res.status, stderr: stderr || null };
+    throw err;
+  }
+
+  return { stdout: res.stdout, ms };
+}
+
+// detect CSS imports in TS/JS files
+function findCssImports(filePath, content) {
+  const regex = /import\s+["']([^"']+\.(css|scss|less))["'];?/g;
+  const imports = [];
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    const rawImport = match[1];
+    let resolved;
+    if (rawImport.startsWith(".") || rawImport.startsWith("/")) {
+      resolved = path.resolve(path.dirname(filePath), rawImport);
+    } else if (rawImport.startsWith("@workspace/")) {
+      const parts = rawImport.split("/");
+      const pkg = parts[1];
+      const rest = parts.slice(2).join("/");
+      resolved = path.resolve(process.cwd(), "packages", pkg, rest);
+    }
+    if (resolved && fs.existsSync(resolved)) {
+      imports.push(resolved);
+      console.log(`📂 Including imported CSS: ${resolved}`);
+    }
+  }
+  return imports;
+}
+
+// --- CLI version helper ---
+function getCliVersion() {
+  try {
+    const pkgPath = path.resolve(__dirname, "../../package.json");
+    const raw = fs.readFileSync(pkgPath, "utf8");
+    const json = JSON.parse(raw);
+    return json.version || "0.0.0";
+  } catch (e) {
+    return "0.0.0";
+  }
+}
+
+// --- Helper: Get ALL commits since N days ago (oldest -> newest) ---
+function getCommitsSinceDays(days = 90) {
+  try {
+    // Determine the default branch name dynamically
+    let defaultBranch = "main";
+    try {
+      const remoteShow = execSync("git remote show origin", {
+        encoding: "utf8",
+      });
+      const match = remoteShow.match(/HEAD branch: (.+)/);
+      if (match && match[1]) defaultBranch = match[1].trim();
+    } catch {
+      defaultBranch = "main";
+    }
+
+    // Check if HEAD is detached
+    let isDetached = false;
+    try {
+      execSync("git symbolic-ref -q HEAD", { stdio: "ignore" });
+      isDetached = false;
+    } catch {
+      isDetached = true;
+    }
+
+    const since = `${days} days ago`;
+    let output;
+
+    if (isDetached) {
+      const headSha = (() => {
+        try {
+          return execSync("git rev-parse HEAD", { encoding: "utf8" }).trim();
+        } catch {
+          return null;
+        }
+      })();
+
+      const start = Date.now();
+      console.log(
+        `🪝 Detached HEAD detected — retrieving commits from origin/${defaultBranch} (since ${since})`,
+        { headSha, days }
+      );
+
+      // Ensure we have full history where possible (only once per process)
+      if (!_cfDidUnshallowFetch) {
+        try {
+          const t0 = Date.now();
+          console.log("🪝 git(fetch --unshallow):start");
+          const r = runGit(
+            `git -c maintenance.auto=false -c gc.auto=0 fetch --unshallow`,
+            {
+              timeoutMs: 20000,
+              stdio: "ignore",
+            }
+          );
+          recordGitStat("unshallow", { ok: true, ms: r.ms });
+          console.log("🪝 git(fetch --unshallow):ok", { ms: r.ms });
+        } catch (e) {
+          recordGitStat("unshallow", {
+            ok: false,
+            ms: e?.meta?.ms ?? 0,
+            errorCode: e?.meta?.code ?? null,
+          });
+          _cfGitStats.best_effort_fallbacks += 1;
+          console.log("🪝 git(fetch --unshallow):best-effort-continue");
+          console.log("🪝 git(fetch --unshallow):skip/fail", {
+            ms: e?.meta?.ms ?? Date.now() - start,
+            code: e?.meta?.code ?? null,
+            message: e?.message || String(e),
+          });
+        } finally {
+          _cfDidUnshallowFetch = true;
+        }
+      }
+
+      // Ensure the remote branch ref exists locally (only once per process)
+      if (!_cfDidFetchDefaultBranchRef) {
+        try {
+          const t1 = Date.now();
+          const cmd = `git -c maintenance.auto=false -c gc.auto=0 fetch origin ${defaultBranch}:${defaultBranch}`;
+          console.log("🪝 git(fetch origin branch):start", { cmd });
+          const r = runGit(cmd, {
+            timeoutMs: 30000,
+            stdio: "ignore",
+          });
+          recordGitStat("fetch_branch_ref", { ok: true, ms: r.ms });
+          console.log("🪝 git(fetch origin branch):ok", { ms: r.ms });
+        } catch (e) {
+          recordGitStat("fetch_branch_ref", {
+            ok: false,
+            ms: e?.meta?.ms ?? 0,
+            errorCode: e?.meta?.code ?? null,
+          });
+          _cfGitStats.best_effort_fallbacks += 1;
+          console.log("🪝 git(fetch origin branch):best-effort-continue");
+          console.warn(
+            `⚠️ Could not fetch origin/${defaultBranch} as local ref; commit history may be incomplete.`,
+            {
+              message: e?.message || String(e),
+            }
+          );
+        } finally {
+          _cfDidFetchDefaultBranchRef = true;
+        }
+      }
+
+      const t2 = Date.now();
+      const cmd = `git log ${defaultBranch} --since='${since}' --pretty="format:%H|%cI|%an"`;
+      console.log("🪝 git(log defaultBranch since):start", { cmd });
+      try {
+        const r = runGit(cmd, { timeoutMs: 20000, stdio: "pipe" });
+        output = r.stdout;
+        recordGitStat("log_since", { ok: true, ms: r.ms });
+        console.log("🪝 git(log defaultBranch since):ok", {
+          ms: r.ms,
+          bytes: typeof output === "string" ? output.length : null,
+        });
+      } catch (e) {
+        recordGitStat("log_since", {
+          ok: false,
+          ms: e?.meta?.ms ?? 0,
+          errorCode: e?.meta?.code ?? null,
+        });
+        _cfGitStats.best_effort_fallbacks += 1;
+        console.warn(
+          "⚠️ git log failed in detached mode; continuing best-effort with empty commit list.",
+          {
+            message: e?.message || String(e),
+          }
+        );
+        output = "";
+      }
+
+      console.log("🪝 Detached HEAD commits since:done", {
+        ms: Date.now() - start,
+      });
+    } else {
+      const t = Date.now();
+      try {
+        output = execSync(
+          `git log ${defaultBranch} --since='${since}' --pretty="format:%H|%cI|%an"`,
+          { encoding: "utf8" }
+        );
+        recordGitStat("log_since", { ok: true, ms: Date.now() - t });
+      } catch (e) {
+        recordGitStat("log_since", {
+          ok: false,
+          ms: Date.now() - t,
+          errorCode: null,
+        });
+        _cfGitStats.best_effort_fallbacks += 1;
+        console.warn(
+          "⚠️ git log failed; continuing best-effort with empty commit list.",
+          {
+            message: e?.message || String(e),
+          }
+        );
+        output = "";
+      }
+    }
+
+    const commits = output
+      .split("\n")
+      .map((line) => line.trim())
+      .filter(Boolean)
+      .map((line) => {
+        const [sha, date, author] = line.split("|");
+        return { sha: sha?.trim(), date: date?.trim(), author: author?.trim() };
+      })
+      .filter((c) => c.sha && c.date);
+
+    // git log returns newest-first; backfill should run oldest -> newest
+    return commits.reverse();
+  } catch (err) {
+    console.warn("⚠️ Failed to get commits since days:", err?.message || err);
+    return [];
+  }
+}
+
+function getCurrentCommitSHA() {
+  try {
+    return execSync("git rev-parse HEAD", { encoding: "utf8" }).trim();
+  } catch {
+    return null;
+  }
+}
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+function getAllFiles(
+  dir,
+  exts = SCANNABLE_EXTENSIONS,
+  files = [],
+  excludePatterns = []
+) {
+  const baseDir = process.cwd();
+  const entries = fs.readdirSync(dir, { withFileTypes: true });
+
+  for (const entry of entries) {
+    const fullPath = path.join(dir, entry.name);
+    const relativePath = path.relative(baseDir, fullPath).replace(/\\/g, "/");
+
+    if (excludePatterns.length) {
+      const isExcluded = micromatch.isMatch(relativePath, excludePatterns, {
+        nocase: true,
+      });
+      // console.log(`Checking ${relativePath}, excluded: ${isExcluded}`);
+      if (isExcluded) {
+        continue;
+      }
+    }
+
+    if (entry.isDirectory()) {
+      getAllFiles(fullPath, exts, files, excludePatterns);
+    } else if (exts.includes(path.extname(entry.name))) {
+      files.push(fullPath);
+    }
+  }
+
+  return files;
+}
+
+// --- CI direct baseline sync helper ---
+async function postBaselineDirect({
+  baseline,
+  workspaceId,
+  projectId,
+  appUrl,
+  ingestToken,
+  targetCommit,
+  overwrite = false,
+}) {
+  if (!projectId) {
+    throw new Error("CF_PROJECT_ID is required in CI mode");
+  }
+  if (!appUrl) {
+    throw new Error("CF_APP_URL or NEXT_PUBLIC_APP_URL is required in CI mode");
+  }
+  const fetchFn = await getFetch();
+  const payload = {
+    baseline: {
+      ...baseline,
+      workspace_id: workspaceId || null,
+      project_id: projectId,
+      project_root: baseline.projectRoot ?? baseline.project_root ?? null,
+      commit_sha: targetCommit || null,
+      ...(overwrite ? { overwrite: true } : {}),
+    },
+  };
+  console.log("🪵 postBaselineDirect using ingestToken:", ingestToken);
+  console.log(
+    "🪵 posting to:",
+    `${appUrl.replace(/\/$/, "")}/api/baselines${
+      overwrite ? "?overwrite=true" : ""
+    }`
+  );
+  const res = await fetchFn(
+    `${appUrl.replace(/\/$/, "")}/api/baselines${
+      overwrite ? "?overwrite=true" : ""
+    }`,
+    {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...(ingestToken ? { authorization: `Bearer ${ingestToken}` } : {}),
+        ...(overwrite ? { "x-cf-overwrite": "true" } : {}),
+      },
+      body: JSON.stringify(payload),
+    }
+  );
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(
+      `Baseline sync failed: ${res.status} ${res.statusText} ${text}`
+    );
+  }
+}
+
+// --- CI direct snapshot sync helper ---
+async function postSnapshotDirect({
+  snapshot,
+  workspaceId,
+  projectId,
+  appUrl,
+  ingestToken,
+  targetCommit,
+  overwrite = false,
+  progressInfo = null,
+}) {
+  if (!projectId) {
+    throw new Error("CF_PROJECT_ID is required in CI mode");
+  }
+  if (!appUrl) {
+    throw new Error("CF_APP_URL or NEXT_PUBLIC_APP_URL is required in CI mode");
+  }
+  const fetchFn = await getFetch();
+  const payload = {
+    snapshot: {
+      ...snapshot,
+      workspace_id: workspaceId || null,
+      project_id: projectId,
+      project_root: snapshot.projectRoot ?? snapshot.project_root ?? null,
+      commit_sha: targetCommit || null,
+      ...(overwrite ? { overwrite: true } : {}),
+    },
+  };
+  const base = appUrl.replace(/\/$/, "");
+  const url = `${base}/api/snapshots${overwrite ? "?overwrite=true" : ""}`;
+  console.log("🪵 postSnapshotDirect using ingestToken:", ingestToken);
+  
+  let progressStr = "";
+  if (progressInfo) {
+    const { index, total, elapsedMin, elapsedSec } = progressInfo;
+    progressStr = ` (${index}/${total} - ${elapsedMin}m${elapsedSec}s elapsed)`;
+  }
+  console.log(`🪵 posting to: ${url}${progressStr}`);
+  const res = await fetchFn(url, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...(ingestToken ? { authorization: `Bearer ${ingestToken}` } : {}),
+      ...(overwrite ? { "x-cf-overwrite": "true" } : {}),
+    },
+    body: JSON.stringify(payload),
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(
+      `Snapshot sync failed: ${res.status} ${res.statusText} ${text}`
+    );
+  }
+}
+
+function formatElapsed(startMs) {
+  const elapsedMs = Date.now() - startMs;
+  const elapsedMin = Math.floor(elapsedMs / 60000);
+  const elapsedSec = Math.floor((elapsedMs % 60000) / 1000);
+  return { elapsedMs, elapsedMin, elapsedSec };
+}
+
+// Helper: get commits between two SHAs (inclusive, oldest → newest)
+function getCommitsInRange(fromSha, toSha) {
+  try {
+    // Get all commits between fromSha and toSha (inclusive)
+    const output = execSync(
+      `git log ${fromSha}^..${toSha} --pretty="format:%H|%cI|%an" --reverse`,
+      { encoding: "utf8" }
+    );
+    return output
+      .split("\n")
+      .map((line) => line.trim())
+      .filter(Boolean)
+      .map((line) => {
+        const [sha, date, author] = line.split("|");
+        return { sha: sha?.trim(), date: date?.trim(), author: author?.trim() };
+      })
+      .filter((c) => c.sha && c.date);
+  } catch (err) {
+    console.warn("⚠️ Failed to get commits in range:", err?.message || err);
+    return [];
+  }
+}
+
+// Helper: get commits between two dates (inclusive, oldest → newest)
+function getCommitsInDateRange(fromDate, toDate) {
+  try {
+    // Determine the default branch name dynamically
+    let defaultBranch = "main";
+    try {
+      const remoteShow = execSync("git remote show origin", {
+        encoding: "utf8",
+      });
+      const match = remoteShow.match(/HEAD branch: (.+)/);
+      if (match && match[1]) defaultBranch = match[1].trim();
+    } catch {
+      defaultBranch = "main";
+    }
+
+    console.log(`🔍 Fetching latest commits from origin/${defaultBranch}...`);
+    
+    // Fetch latest commits to ensure we have the full history
+    try {
+      execSync(`git fetch origin ${defaultBranch}`, { stdio: 'inherit' });
+    } catch (e) {
+      console.warn("⚠️ Failed to fetch latest commits:", e.message);
+    }
+
+    // Get commits using ISO date format for precise matching
+    // Use YYYY-MM-DD format which git handles reliably
+    console.log(`🔍 Searching for commits between ${fromDate} and ${toDate} on ${defaultBranch}`);
+    
+    const output = execSync(
+      `git log origin/${defaultBranch} --since="${fromDate} 00:00:00" --until="${toDate} 23:59:59" --pretty="format:%H|%cI|%an" --reverse`,
+      { encoding: "utf8" }
+    );
+    
+    const commits = output
+      .split("\n")
+      .map((line) => line.trim())
+      .filter(Boolean)
+      .map((line) => {
+        const [sha, date, author] = line.split("|");
+        return { sha: sha?.trim(), date: date?.trim(), author: author?.trim() };
+      })
+      .filter((c) => c.sha && c.date);
+    
+    console.log(`📊 Found ${commits.length} commits in date range`);
+    
+    return commits;
+  } catch (err) {
+    console.warn("⚠️ Failed to get commits in date range:", err?.message || err);
+    return [];
+  }
+}
+
+// DRY backfill for days or range
+async function runBackfill({
+  days,
+  syncBackfill,
+  slugBackfill,
+  rangeFromSha,
+  rangeToSha,
+  rangeFromDate,
+  rangeToDate,
+}) {
+  let commits = [];
+  let rangeDescription = "";
+  
+  if (days) {
+    commits = getCommitsSinceDays(days);
+    rangeDescription = `in the last ${days} days`;
+  } else if (rangeFromSha && rangeToSha) {
+    commits = getCommitsInRange(rangeFromSha, rangeToSha);
+    rangeDescription = `in range ${rangeFromSha}..${rangeToSha}`;
+  } else if (rangeFromDate && rangeToDate) {
+    commits = getCommitsInDateRange(rangeFromDate, rangeToDate);
+    rangeDescription = `between ${rangeFromDate} and ${rangeToDate}`;
+  }
+  
+  if (!commits.length) {
+    console.log(`ℹ️  No commits found ${rangeDescription}.`);
+    printGitOpsSummary();
+    printSnapshotSyncSummary();
+    process.exit(0);
+  }
+
+  console.log(`🧾 Found ${commits.length} commits ${rangeDescription}.`);
+
+  let backfillIndex = 0;
+  const backfillTotal = commits.length;
+  const backfillStart = Date.now();
+
+  for (const c of commits) {
+    backfillIndex += 1;
+    const { elapsedMin, elapsedSec } = formatElapsed(backfillStart);
+    const day = c.date.slice(0, 10);
+
+    console.log(
+      `🕒 Backfill scan ${backfillIndex}/${backfillTotal} ` +
+        `(${elapsedMin}m ${elapsedSec}s elapsed) ` +
+        `for ${day} @ ${c.sha}`
+    );
+
+    try {
+      execSync(`git checkout ${c.sha}`, { stdio: "inherit" });
+    } catch (err) {
+      console.warn(`⚠️ Failed to checkout commit ${c.sha}:`, err.message);
+      continue;
+    }
+
+    await runScan({
+      sync: syncBackfill,
+      openWeb: false,
+      slug: slugBackfill ?? "historical",
+      snapshot: true,
+      makeBaseline: false,
+      effectiveDate: c.date,
+      forceOverwrite: true,
+      commitOverride: c.sha,
+      isBackfillChild: true,
+      backfillProgress: {
+        index: backfillIndex,
+        total: backfillTotal,
+        elapsedMin,
+        elapsedSec,
+      },
+    });
+  }
+
+  let completionMessage = "";
+  if (days) {
+    completionMessage = `--last-${days}-days-all`;
+  } else if (rangeFromSha && rangeToSha) {
+    completionMessage = `--range-sha ${rangeFromSha},${rangeToSha}`;
+  } else if (rangeFromDate && rangeToDate) {
+    completionMessage = `--range-date ${rangeFromDate},${rangeToDate}`;
+  }
+  
+  console.log(`✅ Completed ${completionMessage} backfill.`);
+  printGitOpsSummary();
+  printSnapshotSyncSummary();
+  process.exit(0);
+}
+
+export async function runScan({
+  sync = false,
+  openWeb = true,
+  slug,
+  snapshot,
+  makeBaseline = false,
+  baseline,
+  effectiveDate, // ISO string – used for historical backfill
+  forceOverwrite = false,
+  commitOverride,
+  isBackfillChild = false,
+  rangeFromSha,
+  rangeToSha,
+  rangeFromDate,
+  rangeToDate,
+  backfillProgress = null,
+  // CI shorthand: snapshot HEAD (GITHUB_SHA) + sync, backfills blocked
+  lastCommit = false,
+} = {}) {
+  const ciMode =
+    process.env.CF_CI_MODE === "true" || process.env.GITHUB_ACTIONS === "true";
+  const sessionToken = process.env.CF_SESSION_TOKEN || "";
+  const ingestToken = process.env.CF_INGEST_TOKEN || "";
+  let ciProjectId = process.env.CF_PROJECT_ID || "";
+  let ciWorkspaceId = process.env.CF_WORKSPACE_ID || "";
+  
+  // Import baseUrl helpers
+  const { resolveBaseUrl, getStoredEnvironment } = await import("../config/baseUrl.js");
+  const appUrlEnv = resolveBaseUrl();
+
+  // --- DRY backfill dispatch (blocked in --last-commit CI mode) ---
+  if (!isBackfillChild && !lastCommit && process.argv.includes("--last-90-days-all")) {
+    const syncBackfill = process.argv.includes("--sync");
+    let slugBackfill;
+    for (const arg of process.argv) {
+      if (arg.startsWith("--slug=")) slugBackfill = arg.split("=")[1];
+    }
+    await runBackfill({ days: 90, syncBackfill, slugBackfill });
+  }
+
+  if (!isBackfillChild && !lastCommit && process.argv.includes("--last-180-days-all")) {
+    const syncBackfill = process.argv.includes("--sync");
+    let slugBackfill;
+    for (const arg of process.argv) {
+      if (arg.startsWith("--slug=")) slugBackfill = arg.split("=")[1];
+    }
+    await runBackfill({ days: 180, syncBackfill, slugBackfill });
+  }
+
+  // --- Backfill over a commit SHA range ---
+  if (
+    !isBackfillChild &&
+    !lastCommit &&
+    typeof rangeFromSha === "string" &&
+    typeof rangeToSha === "string"
+  ) {
+    const syncBackfill = process.argv.includes("--sync");
+    let slugBackfill;
+    for (const arg of process.argv) {
+      if (arg.startsWith("--slug=")) slugBackfill = arg.split("=")[1];
+    }
+    await runBackfill({
+      syncBackfill,
+      slugBackfill,
+      rangeFromSha,
+      rangeToSha,
+    });
+  }
+
+  // --- Backfill over a date range ---
+  if (
+    !isBackfillChild &&
+    !lastCommit &&
+    typeof rangeFromDate === "string" &&
+    typeof rangeToDate === "string"
+  ) {
+    const syncBackfill = process.argv.includes("--sync");
+    let slugBackfill;
+    for (const arg of process.argv) {
+      if (arg.startsWith("--slug=")) slugBackfill = arg.split("=")[1];
+    }
+    await runBackfill({
+      syncBackfill,
+      slugBackfill,
+      rangeFromDate,
+      rangeToDate,
+    });
+  }
+
+  // ---------------------------
+  // Determine target commit properly
+  // ---------------------------
+  // ----------------------------------------
+  // Commit argument parser: supports BOTH:
+  // --commit=SHA   and   --commit SHA
+  // ----------------------------------------
+  let argCommit = null;
+
+  for (let i = 0; i < process.argv.length; i++) {
+    const arg = process.argv[i];
+
+    // Format 1: --commit=SHA
+    if (arg.startsWith("--commit=")) {
+      argCommit = arg.split("=")[1];
+      break;
+    }
+
+    // Format 2: --commit SHA
+    if (arg === "--commit" && process.argv[i + 1]) {
+      argCommit = process.argv[i + 1];
+      break;
+    }
+  }
+
+  const envCommit =
+    process.env.CF_COMMIT_SHA ||
+    process.env.INPUT_COMMIT_SHA ||
+    process.env.GITHUB_SHA;
+
+  let targetCommit = null;
+  const hasCommitArg = !!argCommit;
+
+  // --- commitOverride logic for backfill ---
+  if (commitOverride) {
+    targetCommit = commitOverride;
+    console.log("🎯 Target commit (override):", targetCommit);
+  } else {
+    if (hasCommitArg) {
+      // Respect user-supplied commit always
+      targetCommit = argCommit;
+      try {
+        execSync(`git cat-file -e ${targetCommit}`, { stdio: "ignore" });
+        console.log(`✔ Commit ${targetCommit} exists locally`);
+      } catch {
+        console.log(
+          `🔄 Commit ${targetCommit} not found locally — attempting targeted fetch...`
+        );
+        try {
+          execSync(`git fetch origin ${targetCommit}`, { stdio: "inherit" });
+          console.log(`✔ Commit ${targetCommit} fetched successfully`);
+        } catch (err) {
+          console.error(
+            `❌ Failed to fetch commit ${targetCommit}:`,
+            err.message
+          );
+          process.exit(1);
+        }
+      }
+    } else {
+      // No CLI arg → fall back to env or HEAD
+      targetCommit = envCommit || getCurrentCommitSHA();
+      if (!targetCommit) {
+        console.error("❌ No commit could be determined.");
+        process.exit(1);
+      }
+
+      try {
+        execSync(`git cat-file -e ${targetCommit}`, { stdio: "ignore" });
+        console.log(`✔ Commit ${targetCommit} exists locally`);
+      } catch {
+        console.log(
+          `🔄 Commit ${targetCommit} not found locally — attempting targeted fetch...`
+        );
+        try {
+          execSync(`git fetch origin ${targetCommit}`, { stdio: "inherit" });
+          console.log(`✔ Commit ${targetCommit} fetched successfully`);
+        } catch (err) {
+          console.error(
+            `❌ Failed to fetch commit ${targetCommit}:`,
+            err.message
+          );
+          process.exit(1);
+        }
+      }
+    }
+  }
+  // Do NOT override targetCommit later based on recent commits.
+  console.log("🎯 Target commit for scan:", targetCommit);
+  // --- Commit checkout logic (safe: stash before checkout) ---
+  let originalRef = null;
+  let hadLocalChanges = false;
+  let switchedToCommit = false;
+
+  if (hasCommitArg) {
+    try {
+      // Detect uncommitted changes
+      const status = execSync("git status --porcelain", { encoding: "utf8" });
+      if (status.trim().length > 0) {
+        hadLocalChanges = true;
+        console.log("💾 Stashing local changes before checkout...");
+        execSync(`git stash push -u -m "cf-scan-temp-stash"`, {
+          stdio: "inherit",
+        });
+      }
+    } catch (e) {
+      console.warn("⚠️ Could not determine git status:", e.message);
+    }
+
+    try {
+      originalRef = execSync("git rev-parse --abbrev-ref HEAD", {
+        encoding: "utf8",
+      }).trim();
+
+      console.log(`🕒 Checking out commit ${targetCommit} for scan...`);
+      execSync(`git checkout ${targetCommit}`, { stdio: "inherit" });
+      switchedToCommit = true;
+    } catch (err) {
+      console.warn("⚠️ Failed to checkout target commit:", err.message);
+    }
+  }
+
+  // Derive project/workspace IDs from session token if needed in CI mode
+  if (ciMode && !ciProjectId && sessionToken) {
+    try {
+      const decoded = jwt.decode(sessionToken);
+      if (decoded && typeof decoded === "object") {
+        if (decoded.project_id) ciProjectId = decoded.project_id;
+        if (decoded.workspace_id) ciWorkspaceId = decoded.workspace_id;
+        console.log(
+          "🪵 Derived project/workspace IDs from session token:",
+          "project_id =",
+          ciProjectId,
+          "workspace_id =",
+          ciWorkspaceId
+        );
+      }
+    } catch (e) {
+      console.warn(
+        "⚠️ Failed to decode session token for project/workspace IDs:",
+        e?.message || e
+      );
+    }
+  }
+
+  const cwd = process.cwd();
+  const cliVersion = getCliVersion();
+
+  // Read environment directly from config file
+  const configPath = path.join(process.env.HOME || process.env.USERPROFILE, ".cf", "config.json");
+  let currentEnv = "dev";
+  if (fs.existsSync(configPath)) {
+    try {
+      const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+      currentEnv = config.environment || "dev";
+    } catch (e) {
+      // Silently fall back to dev
+    }
+  }
+  
+  const envDisplay = currentEnv === 'prod' ? '🌐 Production' : '🏠 Development';
+  
+  console.log(`ControlFront CLI v${cliVersion}`);
+  console.log(`Environment: ${envDisplay} - ${appUrlEnv}`);
+
+  // Print engine info
+  if (ciMode) {
+    // In CI mode, print bundle engine version (if available)
+    let bundleEngineVersion = null;
+    if (process.env.CF_BUNDLE_ENGINE_VERSION) {
+      bundleEngineVersion = process.env.CF_BUNDLE_ENGINE_VERSION;
+    }
+    console.log(
+      `Engine: server bundle v${bundleEngineVersion || "unspecified"}`
+    );
+  } else {
+    // Local mode
+    console.log(`Engine: local (core rules)`);
+  }
+
+  // Default exclude patterns (since no YAML)
+  const excludePatterns = [
+    // build + vendor dirs
+    "**/node_modules/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/.next/**",
+    "**/.turbo/**",
+    "**/coverage/**",
+    "**/.git/**",
+    "**/public/**",
+    "**/.cache/**",
+    "**/out/**",
+
+    // tests + stories
+    "**/*.test.*",
+    "**/*.spec.*",
+    "**/*.stories.*",
+    "**/*.d.ts",
+    "**/__mocks__/**",
+    "**/__tests__/**",
+
+    // CF artifacts
+    "scan-report.json",
+    "insights.json",
+    "cf-violations.json",
+    ".cf/**",
+
+    // logs + env
+    "*.log",
+    ".env",
+    ".env.*",
+
+    // lockfiles
+    "package-lock.json",
+    "yarn.lock",
+    "pnpm-lock.yaml",
+
+    // big config JSONs (skip, not relevant to UI/CD)
+    "turbo.json",
+    "tsconfig*.json",
+    "package.json",
+
+    // misc config not relevant
+    "vite.config.*",
+    "next.config.*",
+    "tailwind.config.*",
+    "babel.config.*",
+    "postcss.config.*",
+    ".eslintrc.*",
+    ".prettierrc.*",
+    ".stylelintrc.*",
+    ".npmrc",
+    ".nvmrc",
+    ".DS_Store",
+  ];
+  console.log("📂 Excluding patterns:", excludePatterns);
+  const files = getAllFiles(
+    cwd,
+    SCANNABLE_EXTENSIONS,
+    [],
+    excludePatterns
+  );
+  console.log(`📄 Scanned ${files.length} files`);
+  // Detect CSS imports inside JS/TS files and include them
+  const cssImports = [];
+  for (const f of files) {
+    if (/\.(t|j)sx?$/.test(f)) {
+      const content = fs.readFileSync(f, "utf8");
+      cssImports.push(...findCssImports(f, content));
+    }
+  }
+
+  // Deduplicate
+  const allFiles = Array.from(new Set([...files, ...cssImports]));
+  console.log(
+    `📄 Final file list includes ${allFiles.length} files (with CSS imports)`
+  );
+
+  if (baseline) {
+    console.error(
+      "❌ Legacy baseline scans are no longer supported. Use `cf scan --snapshot --make-baseline` instead."
+    );
+    process.exit(1);
+  }
+
+  // --- Standalone snapshot mode (Option A) ---
+  if (snapshot) {
+    const { runSnapshot } = await import("./snapshot.js");
+
+    // Run snapshot analysis on the same file list used for scans
+    const snapshotResult = await runSnapshot({ files: allFiles });
+
+    // Optional sync
+    if (sync) {
+      if (ciMode) {
+        if (effectiveDate) {
+          snapshotResult.commit_timestamp = effectiveDate;
+        }
+        try {
+          await postSnapshotDirectWithRetry(
+            {
+              snapshot: snapshotResult,
+              workspaceId: ciWorkspaceId || null,
+              projectId: ciProjectId,
+              appUrl: appUrlEnv,
+              ingestToken: sessionToken || ingestToken,
+              targetCommit,
+              overwrite: forceOverwrite === true,
+            },
+            { attempts: 3, progressInfo: backfillProgress }
+          );
+        } catch (e) {
+          const msg = e?.message || String(e);
+          console.error("❌ Snapshot sync failed:", msg);
+
+          // Never fail the entire 90-day backfill because of a transient network/API failure.
+          if (isBackfillChild) {
+            console.warn(
+              "⚠️ Continuing backfill despite snapshot sync failure (best-effort)."
+            );
+            return snapshotResult;
+          }
+
+          process.exit(1);
+        }
+      } else {
+        const configPath = path.join(
+          process.env.HOME || process.env.USERPROFILE,
+          ".cf",
+          "config.json"
+        );
+        if (!fs.existsSync(configPath)) {
+          console.log("🔐 You are not logged in. Run `cf login`.");
+          process.exit(1);
+        }
+        const localToken = JSON.parse(
+          fs.readFileSync(configPath, "utf8")
+        ).token;
+        let projectInfo = await resolveProjectForFolder();
+        if (!projectInfo?.workspace?.id || !projectInfo?.project?.id) {
+          console.error(
+            "❌ This folder is not linked to a ControlFront project. Please run `cf init`."
+          );
+          process.exit(1);
+        }
+        try {
+          if (effectiveDate) {
+            snapshotResult.commit_timestamp = effectiveDate;
+          }
+          await postSnapshotDirectWithRetry(
+            {
+              snapshot: snapshotResult,
+              workspaceId: projectInfo.workspace.id,
+              projectId: projectInfo.project.id,
+              appUrl: appUrlEnv,
+              ingestToken: localToken,
+              targetCommit,
+              overwrite: forceOverwrite === true,
+            },
+            { attempts: 3, progressInfo: backfillProgress }
+          );
+
+          // Success path for initial snapshot sync
+          console.log(
+            `✅ Snapshot synced successfully for commit ${targetCommit}.`
+          );
+          if (makeBaseline) {
+            console.log("📌 Promoting this snapshot to active baseline…");
+
+            const promoteUrl = `${appUrlEnv.replace(/\/$/, "")}/api/baselines`;
+
+            const promotePayload = {
+              project_id: ciProjectId || projectInfo?.project?.id,
+              snapshot_commit: targetCommit,
+            };
+
+            let fetchFn = globalThis.fetch;
+            if (!fetchFn) {
+              const mod = await import("node-fetch");
+              fetchFn = mod.default || mod;
+            }
+
+            const promoteRes = await fetchFn(promoteUrl, {
+              method: "POST",
+              headers: {
+                "content-type": "application/json",
+                authorization: `Bearer ${
+                  sessionToken || ingestToken || localToken
+                }`,
+              },
+              body: JSON.stringify(promotePayload),
+            });
+
+            if (!promoteRes.ok) {
+              const text = await promoteRes.text().catch(() => "");
+              console.error("❌ Failed to promote baseline:", text);
+              process.exit(1);
+            }
+
+            console.log("✅ Snapshot promoted to active baseline.");
+          }
+        } catch (e) {
+          const msg = e?.message || "";
+
+          const isDuplicate =
+            msg.includes("409") ||
+            msg.toLowerCase().includes("duplicate") ||
+            msg.toLowerCase().includes("already exists");
+
+          if (isDuplicate && !forceOverwrite) {
+            // If forceOverwrite, skip prompt and immediately overwrite
+            if (forceOverwrite === true) {
+              console.log(
+                chalk.blue("🔁 Overwriting existing snapshot (forced)…")
+              );
+              try {
+                if (effectiveDate) {
+                  snapshotResult.commit_timestamp = effectiveDate;
+                }
+                await postSnapshotDirectWithRetry(
+                  {
+                    snapshot: snapshotResult,
+                    workspaceId: projectInfo.workspace.id,
+                    projectId: projectInfo.project.id,
+                    appUrl: appUrlEnv,
+                    ingestToken: localToken,
+                    targetCommit,
+                    overwrite: true,
+                  },
+                  { attempts: 3, progressInfo: backfillProgress }
+                );
+                console.log("✅ Snapshot overwritten successfully.");
+                if (makeBaseline) {
+                  console.log("📌 Promoting this snapshot to active baseline…");
+
+                  const promoteUrl = `${appUrlEnv.replace(
+                    /\/$/,
+                    ""
+                  )}/api/baselines`;
+
+                  const promotePayload = {
+                    project_id: projectInfo.project.id,
+                    snapshot_commit: targetCommit,
+                  };
+
+                  let fetchFn = globalThis.fetch;
+                  if (!fetchFn) {
+                    const mod = await import("node-fetch");
+                    fetchFn = mod.default || mod;
+                  }
+
+                  const promoteRes = await fetchFn(promoteUrl, {
+                    method: "POST",
+                    headers: {
+                      "content-type": "application/json",
+                      authorization: `Bearer ${localToken}`,
+                    },
+                    body: JSON.stringify(promotePayload),
+                  });
+
+                  if (!promoteRes.ok) {
+                    const text = await promoteRes.text().catch(() => "");
+                    console.error("❌ Failed to promote baseline:", text);
+                    process.exit(1);
+                  }
+
+                  console.log("✅ Snapshot promoted to active baseline.");
+                }
+              } catch (e2) {
+                console.error("❌ Overwrite failed:", e2?.message || e2);
+                if (isBackfillChild) {
+                  console.warn(
+                    "⚠️ Continuing backfill despite snapshot overwrite failure (best-effort)."
+                  );
+                  return snapshotResult;
+                }
+                process.exit(1);
+              }
+            } else {
+              // Interactive prompt (legacy behavior)
+              if (!forceOverwrite) {
+                console.log(
+                  chalk.yellow(
+                    `⚠️ Snapshot for commit ${targetCommit} already exists on server.`
+                  )
+                );
+
+                const readline = await import("readline");
+                const rl = readline.createInterface({
+                  input: process.stdin,
+                  output: process.stdout,
+                });
+
+                const ask = (q) =>
+                  new Promise((resolve) =>
+                    rl.question(q, (ans) => resolve(ans.trim()))
+                  );
+
+                const ans = await ask(
+                  chalk.yellow("Overwrite existing snapshot? (y/N): ")
+                );
+                rl.close();
+
+                if (ans.toLowerCase() === "y") {
+                  console.log(chalk.blue("🔁 Overwriting existing snapshot…"));
+
+                  try {
+                    if (effectiveDate) {
+                      snapshotResult.commit_timestamp = effectiveDate;
+                    }
+                    await postSnapshotDirectWithRetry(
+                      {
+                        snapshot: snapshotResult,
+                        workspaceId: projectInfo.workspace.id,
+                        projectId: projectInfo.project.id,
+                        appUrl: appUrlEnv,
+                        ingestToken: localToken,
+                        targetCommit,
+                        overwrite: true,
+                      },
+                      { attempts: 3, progressInfo: backfillProgress }
+                    );
+                    console.log("✅ Snapshot overwritten successfully.");
+                    if (makeBaseline) {
+                      console.log(
+                        "📌 Promoting this snapshot to active baseline…"
+                      );
+
+                      const promoteUrl = `${appUrlEnv.replace(
+                        /\/$/,
+                        ""
+                      )}/api/baselines`;
+
+                      const promotePayload = {
+                        project_id: projectInfo.project.id,
+                        snapshot_commit: targetCommit,
+                      };
+
+                      let fetchFn = globalThis.fetch;
+                      if (!fetchFn) {
+                        const mod = await import("node-fetch");
+                        fetchFn = mod.default || mod;
+                      }
+
+                      const promoteRes = await fetchFn(promoteUrl, {
+                        method: "POST",
+                        headers: {
+                          "content-type": "application/json",
+                          authorization: `Bearer ${localToken}`,
+                        },
+                        body: JSON.stringify(promotePayload),
+                      });
+
+                      if (!promoteRes.ok) {
+                        const text = await promoteRes.text().catch(() => "");
+                        console.error("❌ Failed to promote baseline:", text);
+                        process.exit(1);
+                      }
+
+                      console.log("✅ Snapshot promoted to active baseline.");
+                    }
+                  } catch (e2) {
+                    console.error("❌ Overwrite failed:", e2?.message || e2);
+                    if (isBackfillChild) {
+                      console.warn(
+                        "⚠️ Continuing backfill despite snapshot overwrite failure (best-effort)."
+                      );
+                      return snapshotResult;
+                    }
+                    process.exit(1);
+                  }
+                } else {
+                  console.log("❌ Snapshot not overwritten. Exiting.");
+                  process.exit(1);
+                }
+              } else {
+                // Should never reach here, but guarantees no prompt
+                throw e;
+              }
+            }
+          } else {
+            console.error("❌ Snapshot sync failed:", msg);
+            if (isBackfillChild) {
+              console.warn(
+                "⚠️ Continuing backfill despite snapshot sync failure (best-effort)."
+              );
+              return snapshotResult;
+            }
+            process.exit(1);
+          }
+        }
+      }
+
+      // Restore git state just like baseline mode
+      if (hasCommitArg && switchedToCommit) {
+        try {
+          console.log(
+            "↩️ Restoring your previous branch with `git checkout -`…"
+          );
+          execSync("git checkout -", { stdio: "inherit" });
+
+          if (hadLocalChanges) {
+            console.log("💾 Restoring stashed changes…");
+            try {
+              execSync("git stash pop", { stdio: "inherit" });
+            } catch (e) {
+              console.warn("⚠️ Failed to pop stash:", e.message);
+            }
+          }
+        } catch (err) {
+          console.warn("⚠️ Failed to restore previous branch:", err.message);
+        }
+      }
+
+      return snapshotResult;
+    }
+
+    // --- CI direct sync path ---
+    if (ciMode) {
+      if (!ciProjectId) {
+        console.error("❌ CF_PROJECT_ID is required in CI mode");
+        process.exit(1);
+      }
+      if (!appUrlEnv) {
+        console.error(
+          "❌ CF_APP_URL or NEXT_PUBLIC_APP_URL is required in CI mode"
+        );
+        process.exit(1);
+      }
+
+      if (!sessionToken && !ingestToken) {
+        console.warn(
+          "⚠️ No session or ingest token provided. Scan will not be posted to ControlFront."
+        );
+      } else {
+        try {
+          console.log(
+            "\n📡 CI mode detected. Posting scan directly to ControlFront..."
+          );
+          if (effectiveDate) {
+            console.log("📅 Setting commit timestamp for snapshot:", effectiveDate);
+          }
+          const payload = {
+            scan: {
+              ...report,
+              // Normalize names expected by the API/DB
+              workspace_id: ciWorkspaceId || null,
+              project_id: ciProjectId,
+              project_root: report.projectRoot ?? report.project_root ?? null,
+              slug: report.slug || "ci",
+              github: {
+                run_id: process.env.GITHUB_RUN_ID || null,
+                run_number: process.env.GITHUB_RUN_NUMBER || null,
+                repository: process.env.GITHUB_REPOSITORY || null,
+                ref: report.commit_branch || process.env.GITHUB_REF || null,
+                sha: report.commit_sha || process.env.GITHUB_SHA || null,
+                actor: report.commit_author || process.env.GITHUB_ACTOR || null,
+                workflow: process.env.GITHUB_WORKFLOW || null,
+              },
+            },
+          };
+
+          const url = `${appUrlEnv.replace(/\/$/, "")}/api/scans`;
+          const fetchFn = await getFetch();
+          const res = await fetchFn(url, {
+            method: "POST",
+            headers: {
+              "content-type": "application/json",
+              ...(ingestToken ? { authorization: `Bearer ${ingestToken}` } : {}),
+            },
+            body: JSON.stringify(payload),
+          });
+
+          if (!res.ok) {
+            const text = await res.text().catch(() => "");
+            throw new Error(
+              `Scan sync failed: ${res.status} ${res.statusText} ${text}`
+            );
+          }
+
+          console.log("✅ Scan posted successfully.");
+        } catch (e) {
+          console.error("❌ CI scan sync failed:", e.message);
+          process.exit(1);
+        }
+      }
+
+      return;
+    }
+  }
+}