@rainy-updates/cli 0.5.1 → 0.5.2-rc.1

package/CHANGELOG.md

@@ -1,7 +1,74 @@
-# Changelog
+# CHANGELOG
 
 All notable changes to this project are documented in this file.
 
+## [0.5.2] - 2026-02-27
+
+### Added
+
+- **New `unused` command**: Detect unused and missing npm dependencies by statically scanning source files.
+  - Walks `src/` (configurable via `--src`) and extracts all import/require specifiers (ESM static, ESM dynamic, CJS, re-exports).
+  - Cross-references against `package.json` `dependencies`, `devDependencies`, and `optionalDependencies`.
+  - Reports two problem classes: `declared-not-imported` (unused bloat) and `imported-not-declared` (missing declarations).
+  - `--fix` — removes unused entries from `package.json` atomically (with `--dry-run` preview).
+  - `--no-dev` — skip `devDependencies` from the unused scan.
+  - `--json-file <path>` — write structured JSON report for CI pipelines.
+  - Exit code `1` when unused or missing dependencies are found.
+
+- **New `resolve` command**: Pure-TS in-memory peer dependency conflict detector — **no `npm install` subprocess spawned**.
+  - Builds a `PeerGraph` from declared dependencies, enriched with `peerDependencies` fetched in parallel from the registry (cache-first — instant on warm cache, offline-capable).
+  - Performs a single-pass O(n × peers) BFS traversal using the new `satisfies()` semver util.
+  - Classifies conflicts as `error` (ERESOLVE-level, different major) or `warning` (soft peer incompatibility).
+  - Generates human-readable fix suggestions per conflict.
+  - `--after-update` — simulates proposed `rup check` updates in-memory _before_ writing anything, showing you peer conflicts before they happen.
+  - `--safe` — exits non-zero on any error-level conflict.
+  - `--json-file <path>` — write structured JSON conflict report.
+  - Exit code `1` when error-level conflicts are detected.
+
+- **New `licenses` command**: SPDX license compliance scanning with SBOM generation.
+  - Fetches the `license` field from each dependency's npm packument in parallel.
+  - Normalizes raw license strings to SPDX 2.x identifiers.
+  - `--allow <spdx,...>` — allowlist mode: flag any package not in the list.
+  - `--deny <spdx,...>` — denylist mode: flag any package matching these identifiers.
+  - `--sbom <path>` — generate a standards-compliant **SPDX 2.3 JSON SBOM** document (`DESCRIBES` + `DEPENDS_ON` relationship graph, required by CISA/EU CRA mandates).
+  - `--json-file <path>` — write full license report as JSON.
+  - Exit code `1` when license violations are detected.
+
+- **New `snapshot` command**: Save, list, restore, and diff dependency state snapshots.
+  - `rup snapshot save [--label <name>]` — captures `package.json` contents and lockfile hashes for all workspace packages into a lightweight JSON store (`.rup-snapshots.json`).
+  - `rup snapshot list` — shows all saved snapshots with timestamp and label.
+  - `rup snapshot restore <id|label>` — writes back captured `package.json` files atomically; prompts to re-run the package manager install.
+  - `rup snapshot diff <id|label>` — shows dependency version changes since the snapshot.
+  - JSON-file store (no SQLite dependency), human-readable and git-committable.
+  - `--store <path>` — custom store file location.
+
+- **Impact Score engine** (`src/core/impact.ts`): Per-update risk assessment.
+  - Computes a 0–100 composite score: `diffTypeWeight` (patch=10, minor=25, major=55) + CVE presence bonus (+35) + workspace spread (up to +20).
+  - Ranks each update as `critical`, `high`, `medium`, or `low`.
+  - `applyImpactScores()` batch helper for the check/upgrade pipeline.
+  - ANSI `impactBadge()` for terminal table rendering (wired to `--show-impact` flag, coming in a follow-up).
+
+- **`satisfies(version, range)` utility** (`src/utils/semver.ts`): Pure-TS semver range checker.
+  - Handles `^`, `~`, `>=`, `<=`, `>`, `<`, exact, `*`/empty (always true).
+  - Supports compound AND ranges (`>=1.0.0 <2.0.0`) and OR union ranges (`^16 || ^18`).
+  - Falls through gracefully on non-semver inputs (e.g., `workspace:*`, `latest`) — no false-positive conflicts.
+  - Used by `rup resolve` peer graph resolver.
+
+### Architecture
+
+- `unused`, `resolve`, `licenses`, and `snapshot` are fully isolated modules under `src/commands/`. All are lazy-loaded (dynamic `import()`) on first invocation — zero startup cost penalty.
+- `src/core/options.ts` dispatches all 4 new commands to their isolated sub-parsers. `KNOWN_COMMANDS` now contains **13 entries**.
+- `ParsedCliArgs` union extended with 4 new command variants.
+- `src/types/index.ts` extended with: `ImpactScore`, `PeerNode`, `PeerGraph`, `PeerConflict`, `PeerConflictSeverity`, `UnusedKind`, `UnusedDependency`, `UnusedOptions`, `UnusedResult`, `PackageLicense`, `SbomDocument`, `SbomPackage`, `SbomRelationship`, `LicenseOptions`, `LicenseResult`, `SnapshotEntry`, `SnapshotAction`, `SnapshotOptions`, `SnapshotResult`, `ResolveOptions`, `ResolveResult`.
+- `PackageUpdate` extended with optional `impactScore?: ImpactScore` and `homepage?: string` fields.
+
+### Changed
+
+- CLI global help updated to list all **13 commands** including `unused`, `resolve`, `licenses`, and `snapshot`.
+- `src/bin/cli.ts` exit codes: `unused` exits `1` on any unused/missing dep; `resolve` exits `1` on error-level peer conflicts; `licenses` exits `1` on violations; `snapshot` exits `1` on store errors.
+
+---
+
 ## [0.5.1] - 2026-02-27
 
 ### Added

package/README.md

@@ -1,8 +1,8 @@
 # @rainy-updates/cli
 
-Agentic CLI to detect, control, and apply dependency updates across npm/pnpm projects and monorepos.
+The fastest DevOps-first dependency CLI. Checks, audits, upgrades, bisects, and automates npm/pnpm dependencies in CI.
 
-`@rainy-updates/cli` is built for teams that need fast dependency intelligence, policy-aware upgrades, and automation-ready output for CI/CD and pull request workflows.
+`@rainy-updates/cli` is built for teams that need fast dependency intelligence, security auditing, policy-aware upgrades, and automation-ready output for CI/CD and pull request workflows.
 
 ## Why this package
 
@@ -15,47 +15,104 @@ Agentic CLI to detect, control, and apply dependency updates across npm/pnpm pro
 ## Install
 
 ```bash
-npm i -D @rainy-updates/cli
+# As a project dev dependency (recommended for teams)
+npm install --save-dev @rainy-updates/cli
 # or
 pnpm add -D @rainy-updates/cli
 ```
 
-## Core commands
+Once installed, three binary aliases are available in your `node_modules/.bin/`:
 
-- `check`: analyze dependencies and report available updates.
-- `upgrade`: rewrite dependency ranges in manifests, optionally install lockfile updates.
-- `ci`: run CI-focused dependency automation (warm cache, check/upgrade, policy gates).
-- `warm-cache`: prefetch package metadata for fast and offline checks.
-- `baseline`: save and compare dependency baseline snapshots.
+| Alias           | Use case                                    |
+| --------------- | ------------------------------------------- |
+| `rup`           | Power-user shortcut — `rup ci`, `rup audit` |
+| `rainy-up`      | Human-friendly — `rainy-up check`           |
+| `rainy-updates` | Backwards-compatible (safe in CI scripts)   |
+
+```bash
+# All three are identical — use whichever you prefer:
+rup check
+rainy-up check
+rainy-updates check
+```
+
+### One-off usage with npx (no install required)
+
+```bash
+# Always works without installing:
+npx @rainy-updates/cli check
+npx @rainy-updates/cli audit --severity high
+npx @rainy-updates/cli ci --workspace --mode strict
+```
+
+> **Note:** The short aliases (`rup`, `rainy-up`) only work after installing the package. For one-off `npx` runs, use `npx @rainy-updates/cli <command>`.
+
+## Commands
+
+### Dependency management
+
+- `check` — analyze dependencies and report available updates
+- `upgrade` — rewrite dependency ranges in manifests, optionally install lockfile updates
+- `ci` — run CI-focused dependency automation (warm cache, check/upgrade, policy gates)
+- `warm-cache` — prefetch package metadata for fast and offline checks
+- `baseline` — save and compare dependency baseline snapshots
+
+### Security & health (_new in v0.5.1_)
+
+- `audit` — scan dependencies for CVEs using [OSV.dev](https://osv.dev) (Google's open vulnerability database)
+- `health` — detect stale, deprecated, and unmaintained packages before they become liabilities
+- `bisect` — binary-search across semver versions to find the exact version that broke your tests
 
 ## Quick usage
 
+> Commands work with `npx` (no install) **or** with the `rup` / `rainy-up` shortcut if the package is installed.
+
 ```bash
 # 1) Detect updates
 npx @rainy-updates/cli check --format table
+rup check --format table                      # if installed
 
 # 2) Strict CI mode (non-zero when updates exist)
 npx @rainy-updates/cli check --workspace --ci --format json --json-file .artifacts/updates.json
+rup check --workspace --ci --format json --json-file .artifacts/updates.json
 
-# 2b) CI orchestration mode
-npx @rainy-updates/cli ci --workspace --mode strict --format github --json-file .artifacts/updates.json
+# 3) CI orchestration with policy gates
+npx @rainy-updates/cli ci --workspace --mode strict --format github
+rup ci --workspace --mode strict --format github
 
-# 2c) Batch fix branches by scope
+# 4) Batch fix branches by scope (enterprise)
 npx @rainy-updates/cli ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
+rup ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
 
-# 3) Apply upgrades with workspace sync
+# 5) Apply upgrades with workspace sync
 npx @rainy-updates/cli upgrade --target latest --workspace --sync --install
+rup upgrade --target latest --workspace --sync --install
 
-# 3b) Generate a fix branch + commit for CI automation
-npx @rainy-updates/cli check --workspace --fix-pr --fix-branch chore/rainy-updates
-
-# 4) Warm cache for deterministic offline checks
+# 6) Warm cache → deterministic offline CI check
 npx @rainy-updates/cli warm-cache --workspace --concurrency 32
 npx @rainy-updates/cli check --workspace --offline --ci
 
-# 5) Save and compare baseline drift in CI
+# 7) Save and compare baseline drift
 npx @rainy-updates/cli baseline --save --file .artifacts/deps-baseline.json --workspace
 npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --workspace --ci
+
+# 8) Scan for known CVEs  ── NEW in v0.5.1
+npx @rainy-updates/cli audit
+npx @rainy-updates/cli audit --severity high
+npx @rainy-updates/cli audit --fix          # prints the patching npm install command
+rup audit --severity high                   # if installed
+
+# 9) Check dependency maintenance health  ── NEW in v0.5.1
+npx @rainy-updates/cli health
+npx @rainy-updates/cli health --stale 6m   # flag packages with no release in 6 months
+npx @rainy-updates/cli health --stale 180d # same but in days
+rup health --stale 6m                       # if installed
+
+# 10) Find which version introduced a breaking change  ── NEW in v0.5.1
+npx @rainy-updates/cli bisect axios --cmd "bun test"
+npx @rainy-updates/cli bisect react --range "18.0.0..19.0.0" --cmd "npm test"
+npx @rainy-updates/cli bisect lodash --cmd "npm run test:unit" --dry-run
+rup bisect axios --cmd "bun test"           # if installed
 ```
 
 ## What it does in production
@@ -119,17 +176,16 @@ npx @rainy-updates/cli check --policy-file .rainyupdates-policy.json
 
 These outputs are designed for CI pipelines, security tooling, and PR review automation.
 
-
 ## Automatic CI bootstrap
 
 Generate a workflow in the target project automatically:
 
 ```bash
-# strict mode (recommended)
-npx @rainy-updates/cli init-ci --mode enterprise --schedule weekly
+# enterprise mode (recommended)
+rup init-ci --mode enterprise --schedule weekly
 
 # lightweight mode
-npx @rainy-updates/cli init-ci --mode minimal --schedule daily
+rup init-ci --mode minimal --schedule daily
 ```
 
 Generated file:
@@ -208,9 +264,13 @@ Configuration can be loaded from:
 ## CLI help
 
 ```bash
+rup --help
+rup <command> --help
+rup --version
+
+# or with the full name:
 rainy-updates --help
-rainy-updates <command> --help
-rainy-updates --version
+npx @rainy-updates/cli --help
 ```
 
 ## Reliability characteristics
@@ -230,7 +290,6 @@ This package ships with production CI/CD pipelines in the repository:
 - Tag-driven release pipeline for npm publishing with provenance.
 - Release preflight validation for npm auth/scope checks before publishing.
 
-
 ## Product roadmap
 
 The long-term roadmap is maintained in [`ROADMAP.md`](./ROADMAP.md).

package/dist/bin/cli.js

@@ -85,6 +85,32 @@ async function main() {
             process.exitCode = result.totalFlagged > 0 ? 1 : 0;
             return;
         }
+        // ─── v0.5.2 commands ─────────────────────────────────────────────────────
+        if (parsed.command === "unused") {
+            const { runUnused } = await import("../commands/unused/runner.js");
+            const result = await runUnused(parsed.options);
+            process.exitCode =
+                result.totalUnused > 0 || result.totalMissing > 0 ? 1 : 0;
+            return;
+        }
+        if (parsed.command === "resolve") {
+            const { runResolve } = await import("../commands/resolve/runner.js");
+            const result = await runResolve(parsed.options);
+            process.exitCode = result.errorConflicts > 0 ? 1 : 0;
+            return;
+        }
+        if (parsed.command === "licenses") {
+            const { runLicenses } = await import("../commands/licenses/runner.js");
+            const result = await runLicenses(parsed.options);
+            process.exitCode = result.totalViolations > 0 ? 1 : 0;
+            return;
+        }
+        if (parsed.command === "snapshot") {
+            const { runSnapshot } = await import("../commands/snapshot/runner.js");
+            const result = await runSnapshot(parsed.options);
+            process.exitCode = result.errors.length > 0 ? 1 : 0;
+            return;
+        }
         const result = await runCommand(parsed);
         if (parsed.options.fixPr &&
             (parsed.command === "check" ||
@@ -317,6 +343,10 @@ Commands:
   audit       Scan dependencies for CVEs (OSV.dev)
   health      Detect stale/deprecated/unmaintained packages
   bisect      Find which version of a dep introduced a failure
+  unused      Detect unused or missing npm dependencies
+  resolve     Check peer dependency conflicts (pure-TS, no subprocess)
+  licenses    Scan dependency licenses and generate SPDX SBOM
+  snapshot    Save, list, restore, and diff dependency state snapshots
 
 Global options:
   --cwd <path>

package/dist/commands/audit/mapper.js

@@ -46,7 +46,7 @@ export function renderAuditTable(advisories) {
     };
     const sorted = [...advisories].sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
     const lines = [
-        `Found ${advisories.length} vulnerability${advisories.length === 1 ? "" : "ies"}:\n`,
+        `Found ${advisories.length} ${advisories.length === 1 ? "vulnerability" : "vulnerabilities"}:\n`,
         "Package".padEnd(30) + "Severity".padEnd(20) + "CVE".padEnd(22) + "Patch",
         "─".repeat(90),
     ];

package/dist/commands/licenses/parser.d.ts

@@ -0,0 +1,2 @@
+import type { LicenseOptions } from "../../types/index.js";
+export declare function parseLicensesArgs(args: string[]): LicenseOptions;

package/dist/commands/licenses/parser.js

@@ -0,0 +1,116 @@
+export function parseLicensesArgs(args) {
+    const options = {
+        cwd: process.cwd(),
+        workspace: false,
+        allow: undefined,
+        deny: undefined,
+        sbomFile: undefined,
+        jsonFile: undefined,
+        diffMode: false,
+        concurrency: 12,
+        registryTimeoutMs: 10_000,
+        cacheTtlSeconds: 3600,
+    };
+    for (let i = 0; i < args.length; i++) {
+        const current = args[i];
+        const next = args[i + 1];
+        if (current === "--cwd" && next) {
+            options.cwd = next;
+            i++;
+            continue;
+        }
+        if (current === "--cwd")
+            throw new Error("Missing value for --cwd");
+        if (current === "--workspace") {
+            options.workspace = true;
+            continue;
+        }
+        if (current === "--diff") {
+            options.diffMode = true;
+            continue;
+        }
+        if (current === "--allow" && next) {
+            options.allow = next
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean);
+            i++;
+            continue;
+        }
+        if (current === "--allow")
+            throw new Error("Missing value for --allow");
+        if (current === "--deny" && next) {
+            options.deny = next
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean);
+            i++;
+            continue;
+        }
+        if (current === "--deny")
+            throw new Error("Missing value for --deny");
+        if (current === "--sbom" && next) {
+            options.sbomFile = next;
+            i++;
+            continue;
+        }
+        if (current === "--sbom")
+            throw new Error("Missing value for --sbom");
+        if (current === "--json-file" && next) {
+            options.jsonFile = next;
+            i++;
+            continue;
+        }
+        if (current === "--json-file")
+            throw new Error("Missing value for --json-file");
+        if (current === "--concurrency" && next) {
+            const n = Number(next);
+            if (!Number.isInteger(n) || n <= 0)
+                throw new Error("--concurrency must be a positive integer");
+            options.concurrency = n;
+            i++;
+            continue;
+        }
+        if (current === "--concurrency")
+            throw new Error("Missing value for --concurrency");
+        if (current === "--timeout" && next) {
+            const ms = Number(next);
+            if (!Number.isFinite(ms) || ms <= 0)
+                throw new Error("--timeout must be a positive number");
+            options.registryTimeoutMs = ms;
+            i++;
+            continue;
+        }
+        if (current === "--timeout")
+            throw new Error("Missing value for --timeout");
+        if (current === "--help" || current === "-h") {
+            process.stdout.write(LICENSES_HELP);
+            process.exit(0);
+        }
+        if (current.startsWith("-"))
+            throw new Error(`Unknown option: ${current}`);
+    }
+    return options;
+}
+const LICENSES_HELP = `
+rup licenses — Scan dependency licenses and generate SPDX SBOM
+
+Usage:
+  rup licenses [options]
+
+Options:
+  --allow <spdx,...>     Allow only these SPDX identifiers (e.g. MIT,Apache-2.0)
+  --deny <spdx,...>      Deny these SPDX identifiers (e.g. GPL-3.0)
+  --sbom <path>          Write SPDX 2.3 SBOM JSON to file
+  --json-file <path>     Write JSON report to file
+  --diff                 Show only packages with a different license than last scan
+  --workspace            Scan all workspace packages
+  --timeout <ms>         Registry request timeout (default: 10000)
+  --concurrency <n>      Parallel registry requests (default: 12)
+  --cwd <path>           Working directory (default: cwd)
+  --help                 Show this help
+
+Exit codes:
+  0  No violations
+  1  License violations detected
+`.trimStart();

package/dist/commands/licenses/runner.d.ts

@@ -0,0 +1,9 @@
+import type { LicenseOptions, LicenseResult } from "../../types/index.js";
+/**
+ * Entry point for `rup licenses`. Lazy-loaded by cli.ts.
+ *
+ * Fetches the SPDX license field from each dependency's packument,
+ * checks it against --allow/--deny lists, and optionally generates
+ * an SPDX 2.3 SBOM JSON document.
+ */
+export declare function runLicenses(options: LicenseOptions): Promise<LicenseResult>;

package/dist/commands/licenses/runner.js

@@ -0,0 +1,163 @@
+import process from "node:process";
+import { discoverPackageDirs } from "../../workspace/discover.js";
+import { readManifest, collectDependencies, } from "../../parsers/package-json.js";
+import { asyncPool } from "../../utils/async-pool.js";
+import { stableStringify } from "../../utils/stable-json.js";
+import { writeFileAtomic } from "../../utils/io.js";
+import { generateSbom } from "./sbom.js";
+/**
+ * Entry point for `rup licenses`. Lazy-loaded by cli.ts.
+ *
+ * Fetches the SPDX license field from each dependency's packument,
+ * checks it against --allow/--deny lists, and optionally generates
+ * an SPDX 2.3 SBOM JSON document.
+ */
+export async function runLicenses(options) {
+    const result = {
+        packages: [],
+        violations: [],
+        totalViolations: 0,
+        errors: [],
+        warnings: [],
+    };
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    const allDeps = new Map(); // name → resolved version
+    for (const packageDir of packageDirs) {
+        let manifest;
+        try {
+            manifest = await readManifest(packageDir);
+        }
+        catch (err) {
+            result.errors.push(`${packageDir}: ${String(err)}`);
+            continue;
+        }
+        const deps = collectDependencies(manifest, [
+            "dependencies",
+            "devDependencies",
+            "optionalDependencies",
+        ]);
+        for (const dep of deps) {
+            if (!allDeps.has(dep.name)) {
+                const bare = dep.range.replace(/^[~^>=<]/, "").split(" ")[0] ?? dep.range;
+                allDeps.set(dep.name, bare);
+            }
+        }
+    }
+    // Fetch license info from npm registry in parallel
+    const names = Array.from(allDeps.keys());
+    const fetchTasks = names.map((name) => async () => {
+        const version = allDeps.get(name) ?? "latest";
+        return fetchLicenseInfo(name, version, options.registryTimeoutMs);
+    });
+    const licenseInfos = await asyncPool(options.concurrency, fetchTasks);
+    for (const info of licenseInfos) {
+        if (!info || info instanceof Error)
+            continue;
+        result.packages.push(info);
+    }
+    // Evaluate allow/deny lists
+    for (const pkg of result.packages) {
+        if (isViolation(pkg, options)) {
+            result.violations.push(pkg);
+        }
+    }
+    result.totalViolations = result.violations.length;
+    // Render
+    process.stdout.write(renderLicenseTable(result) + "\n");
+    // SBOM output
+    if (options.sbomFile) {
+        const sbom = generateSbom(result.packages, options.cwd);
+        await writeFileAtomic(options.sbomFile, stableStringify(sbom, 2) + "\n");
+        process.stderr.write(`[licenses] SBOM written to ${options.sbomFile}\n`);
+    }
+    // JSON output
+    if (options.jsonFile) {
+        await writeFileAtomic(options.jsonFile, stableStringify(result, 2) + "\n");
+        process.stderr.write(`[licenses] JSON report written to ${options.jsonFile}\n`);
+    }
+    return result;
+}
+async function fetchLicenseInfo(name, version, timeoutMs) {
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        const url = `https://registry.npmjs.org/${encodeURIComponent(name)}/${encodeURIComponent(version)}`;
+        const res = await fetch(url, {
+            signal: controller.signal,
+            headers: { accept: "application/json" },
+        });
+        clearTimeout(timer);
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        const rawLicense = data.license ?? "UNKNOWN";
+        const repo = typeof data.repository === "object"
+            ? data.repository?.url
+            : data.repository;
+        return {
+            name,
+            version,
+            license: rawLicense,
+            spdxExpression: normalizeSpdx(rawLicense),
+            homepage: data.homepage,
+            repository: repo,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/** Normalizes common license strings to SPDX identifiers. */
+function normalizeSpdx(raw) {
+    const known = {
+        MIT: "MIT",
+        ISC: "ISC",
+        "Apache-2.0": "Apache-2.0",
+        "BSD-2-Clause": "BSD-2-Clause",
+        "BSD-3-Clause": "BSD-3-Clause",
+        "GPL-3.0": "GPL-3.0",
+        "GPL-2.0": "GPL-2.0",
+        "LGPL-2.1": "LGPL-2.1",
+        "LGPL-3.0": "LGPL-3.0",
+        "MPL-2.0": "MPL-2.0",
+        "CC0-1.0": "CC0-1.0",
+        Unlicense: "Unlicense",
+        "AGPL-3.0": "AGPL-3.0",
+    };
+    return known[raw.trim()] ?? (raw.includes("-") ? raw : null);
+}
+function isViolation(pkg, options) {
+    const spdx = pkg.spdxExpression ?? pkg.license;
+    if (options.deny && options.deny.includes(spdx))
+        return true;
+    if (options.allow &&
+        options.allow.length > 0 &&
+        !options.allow.includes(spdx))
+        return true;
+    return false;
+}
+function renderLicenseTable(result) {
+    const lines = [];
+    if (result.violations.length > 0) {
+        lines.push(`\n✖ License violations (${result.violations.length}):\n`);
+        for (const pkg of result.violations) {
+            lines.push(`  \x1b[31m✖\x1b[0m ${pkg.name.padEnd(35)} ${pkg.spdxExpression ?? pkg.license}`);
+        }
+        lines.push("");
+    }
+    lines.push(`📄 ${result.packages.length} packages scanned:\n`);
+    lines.push("  " + "Package".padEnd(35) + "Version".padEnd(12) + "License");
+    lines.push("  " + "─".repeat(60));
+    for (const pkg of result.packages) {
+        const isViolating = result.violations.some((v) => v.name === pkg.name);
+        const prefix = isViolating ? "\x1b[31m" : "";
+        const suffix = isViolating ? "\x1b[0m" : "";
+        lines.push("  " +
+            prefix +
+            pkg.name.padEnd(35) +
+            pkg.version.padEnd(12) +
+            (pkg.spdxExpression ?? pkg.license) +
+            suffix);
+    }
+    return lines.join("\n");
+}

package/dist/commands/licenses/sbom.d.ts

@@ -0,0 +1,10 @@
+import type { PackageLicense, SbomDocument } from "../../types/index.js";
+/**
+ * Generates an SPDX 2.3 compliant SBOM JSON document from a list of
+ * scanned package licenses.
+ *
+ * SPDX 2.3 spec: https://spdx.github.io/spdx-spec/v2.3/
+ * Required by: CISA SBOM mandate, EU Cyber Resilience Act, many enterprise
+ * security standards.
+ */
+export declare function generateSbom(packages: PackageLicense[], projectName: string): SbomDocument;