@rainy-updates/cli 0.6.0 → 0.6.2

package/CHANGELOG.md

@@ -2,6 +2,117 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.6.2] - 2026-03-04
+
+Dashboard hardening, cross-platform execution cleanup, and portable release operations for the next `v0.6` patch.
+
+### Added
+
+- **Portable operator entrypoints**:
+  - added a root `Makefile` for common build/check/release flows,
+  - added a `ga` package script so readiness checks can be invoked consistently from Bun scripts and `make`.
+- **Shared shell invocation layer** for Windows, macOS, and Linux command execution in verification and bisect flows.
+- **Dedicated binary release workflow**:
+  - GitHub Releases now have a separate workflow from npm publishing,
+  - tag builds can produce standalone binaries for Linux, macOS, and Windows,
+  - packaged archives are uploaded with SHA-256 checksum files.
+- **Distribution manifest generator**:
+  - generates a Homebrew formula from release asset checksums,
+  - generates a Scoop manifest from the Windows release asset checksum,
+  - release artifacts now include copy-ready Homebrew and Scoop metadata.
+- **New test coverage** for:
+  - shared shell invocation behavior across POSIX and Windows,
+  - dashboard startup state derived from `--view` and `--focus`,
+  - updated doctor dashboard-first recommendations,
+  - GA readiness checks for automation entrypoints.
+
+### Changed
+
+- Dashboard review operations were tightened for larger queues and cross-platform operators:
+  - initial dashboard focus and detail tabs now respect `--view` and `--focus`,
+  - the Ink queue renderer now windows large result sets instead of rendering the full queue every frame,
+  - bulk actions now include actionable/review selection in addition to safe and blocked flows,
+  - keyboard navigation now works cleanly with arrows and `hjkl`,
+  - terminal sizing is handled more defensively for smaller shells,
+  - the dashboard TUI was split into smaller focused components to reduce maintenance overhead.
+- Doctor findings now point operators to the dashboard-first workflow instead of the older `review --interactive` wording.
+- Verification and bisect shell execution are now portable across Windows, macOS, and Linux by routing command execution through a shared shell invocation layer.
+- Release automation scripts were made portable:
+  - `clean` no longer depends on `rm -rf`,
+  - `test:prod` no longer depends on POSIX `test -x`,
+  - build and production validation now work with compiled Bun artifacts on Windows (`dist/rup.exe`) as well as POSIX (`dist/rup`).
+- Release automation is now intentionally split:
+  - one workflow publishes the npm package,
+  - one workflow creates and uploads GitHub binary assets for standalone installation.
+- `ga` readiness checks now also verify:
+  - portable automation entrypoints,
+  - obvious platform-specific script risks,
+  - compiled runtime artifacts in either POSIX or Windows form.
+
+### Tests
+
+- Validation completed for `0.6.2`:
+  - `bun run lint`
+  - `bun run build`
+  - `bun run check`
+  - `bun run test:prod`
+  - `bun run ga`
+  - `bun run perf:check`
+  - `npx -y react-doctor@latest . --verbose --diff` (`99/100`)
+
+## [0.6.1] - 2026-03-03
+
+Compatibility, git-aware workspace scoping, and release-readiness stabilization for the `v0.6` line.
+
+### Added
+
+- **First-class package-manager profile layer**:
+  - detection now prefers `package.json.packageManager` before falling back to lockfiles,
+  - additive package-manager metadata for lockfile source and Yarn flavor detection,
+  - centralized install, add, and test command construction for npm, pnpm, Bun, and Yarn.
+- **Git-aware workspace scoping**:
+  - `--affected`,
+  - `--staged`,
+  - `--base <ref>`,
+  - `--head <ref>`,
+  - `--since <ref>`.
+- **Workspace dependent expansion for affected scans**:
+  - changed packages can now expand to dependent workspace packages instead of stopping at direct file matches.
+- **New `hook` command**:
+  - `rup hook install`,
+  - `rup hook uninstall`,
+  - `rup hook doctor`.
+- **Rainy-managed git hooks**:
+  - `pre-commit` runs `rup unused --workspace --staged` and `rup resolve --workspace --staged`,
+  - `pre-push` runs `rup audit --workspace --affected --report summary`.
+- **New test coverage** for:
+  - package-manager field precedence and Yarn Berry behavior,
+  - git-scoped workspace discovery,
+  - hook install/doctor/uninstall lifecycle,
+  - scoped standalone parser support.
+
+### Changed
+
+- `init-ci` workflow generation now uses the centralized package-manager profile layer instead of special-casing npm/pnpm/Bun only.
+- Yarn support is now explicit in generated workflows:
+  - Corepack enablement for Yarn/pnpm repos,
+  - Yarn Berry uses immutable installs,
+  - Yarn package adds no longer fall back to npm command construction.
+- `verification`, `audit --fix`, and `bisect` now reuse the same package-manager command model as `upgrade`.
+- `ga` package-manager reporting now includes detection source details and respects the git-scoped workspace discovery flow.
+- `check`, `warm-cache`, `audit`, `unused`, `resolve`, `health`, `licenses`, `snapshot`, and `ga` now share the same git-aware workspace scoping path.
+- Command help and parser support were aligned so git-scoping flags are consistently accepted across the primary and standalone command surfaces.
+
+### Tests
+
+- Full release validation passed:
+  - `pnpm -s exec tsc --noEmit`
+  - `bun test`
+  - `pnpm run build`
+  - `bun run build:exe`
+  - `bun run test:prod`
+  - `bun ./dist/bin/cli.js ga --workspace`
+
 ## [0.6.0] - 2026-03-01
 
 Dashboard-first release candidate for the `v0.6` series, focused on unifying the interactive surface, introducing replayable decision plans, tightening CI/apply verification flows, and undergoing a complete native Bun performance optimization.

package/README.md

@@ -79,6 +79,18 @@ pnpm add -D @rainy-updates/cli
 bun add -d @rainy-updates/cli
 ```
 
+### Standalone binaries from GitHub Releases
+
+If you do not want to depend on global npm or a project-local `node_modules`, use the standalone compiled binaries from GitHub Releases.
+
+Release assets are published for:
+
+- Linux x64
+- Linux arm64
+- macOS x64
+- macOS arm64
+- Windows x64
+
 Once installed, three binary aliases are available in your `node_modules/.bin/`:
 
 | Alias           | Use case                                    |

package/dist/bin/cli.js

@@ -1,134 +1,19 @@
 #!/usr/bin/env node
-import { readFileSync } from "node:fs";
-import { parseCliArgs } from "../core/options.js";
-import { applyFixPr } from "../core/fix-pr.js";
-import { applyFixPrBatches } from "../core/fix-pr-batch.js";
-import { createRunId, writeArtifactManifest } from "../core/artifacts.js";
-import { renderResult } from "../output/format.js";
-import { writeGitHubOutput } from "../output/github.js";
-import { createSarifReport } from "../output/sarif.js";
-import { renderPrReport } from "../output/pr-report.js";
-import { writeFileAtomic } from "../utils/io.js";
-import { resolveFailReason } from "../core/summary.js";
-import { stableStringify } from "../utils/stable-json.js";
-import { getRuntimeArgv, setRuntimeExitCode, writeStderr, writeStdout, } from "../utils/runtime.js";
-import { handleDirectCommand, runPrimaryCommand } from "./dispatch.js";
-import { renderHelp } from "./help.js";
+import { spawnSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+import { runCli } from "./main.js";
 async function main() {
-    try {
-        const argv = getRuntimeArgv();
-        if (argv.includes("--version") || argv.includes("-v")) {
-            writeStdout((await readPackageVersion()) + "\n");
-            return;
-        }
-        if (argv.includes("--help") || argv.includes("-h")) {
-            writeStdout(renderHelp(argv[0]) + "\n");
-            return;
-        }
-        const parsed = await parseCliArgs(argv);
-        if (await handleDirectCommand(parsed))
-            return;
-        if (parsed.command !== "check" &&
-            parsed.command !== "upgrade" &&
-            parsed.command !== "warm-cache" &&
-            parsed.command !== "ci") {
-            throw new Error(`Unhandled command: ${parsed.command}`);
-        }
-        const result = await runPrimaryCommand(parsed);
-        result.summary.runId = createRunId(parsed.command, parsed.options, result);
-        if (parsed.options.fixPr &&
-            (parsed.command === "check" ||
-                parsed.command === "upgrade" ||
-                parsed.command === "ci")) {
-            result.summary.fixPrApplied = false;
-            result.summary.fixBranchName =
-                parsed.options.fixBranch ?? "chore/rainy-updates";
-            result.summary.fixCommitSha = "";
-            result.summary.fixPrBranchesCreated = 0;
-            if (parsed.command === "ci") {
-                const batched = await applyFixPrBatches(parsed.options, result);
-                result.summary.fixPrApplied = batched.applied;
-                result.summary.fixBranchName =
-                    batched.branches[0] ??
-                        parsed.options.fixBranch ??
-                        "chore/rainy-updates";
-                result.summary.fixCommitSha = batched.commits[0] ?? "";
-                result.summary.fixPrBranchesCreated = batched.branches.length;
-                if (batched.branches.length > 1) {
-                    result.warnings.push(`Created ${batched.branches.length} fix-pr batch branches.`);
-                }
-            }
-            else {
-                const fixResult = await applyFixPr(parsed.options, result, []);
-                result.summary.fixPrApplied = fixResult.applied;
-                result.summary.fixBranchName = fixResult.branchName ?? "";
-                result.summary.fixCommitSha = fixResult.commitSha ?? "";
-                result.summary.fixPrBranchesCreated = fixResult.applied ? 1 : 0;
-            }
-        }
-        if (parsed.options.prReportFile) {
-            const markdown = renderPrReport(result);
-            await writeFileAtomic(parsed.options.prReportFile, markdown + "\n");
-        }
-        const artifactManifest = await writeArtifactManifest(parsed.command, parsed.options, result);
-        if (artifactManifest) {
-            result.summary.artifactManifest = artifactManifest.artifactManifestPath;
-        }
-        result.summary.failReason = resolveFailReason(result.updates, result.errors, parsed.options.failOn, parsed.options.maxUpdates, parsed.options.ci);
-        const renderStartedAt = Date.now();
-        let rendered = renderResult(result, parsed.options.format, {
-            showImpact: parsed.options.showImpact,
-            showHomepage: parsed.options.showHomepage,
+    if (typeof Bun === "undefined") {
+        const currentFile = fileURLToPath(import.meta.url);
+        const result = spawnSync("bun", [currentFile, ...process.argv.slice(2)], {
+            stdio: "inherit",
         });
-        result.summary.durationMs.render = Math.max(0, Date.now() - renderStartedAt);
-        if (parsed.options.format === "json" ||
-            parsed.options.format === "metrics") {
-            rendered = renderResult(result, parsed.options.format, {
-                showImpact: parsed.options.showImpact,
-                showHomepage: parsed.options.showHomepage,
-            });
-        }
-        if (parsed.options.onlyChanged &&
-            result.updates.length === 0 &&
-            result.errors.length === 0 &&
-            result.warnings.length === 0 &&
-            (parsed.options.format === "table" ||
-                parsed.options.format === "minimal" ||
-                parsed.options.format === "github")) {
-            rendered = "";
-        }
-        if (parsed.options.jsonFile) {
-            await writeFileAtomic(parsed.options.jsonFile, stableStringify(result, 2) + "\n");
+        if (result.error) {
+            process.stderr.write("rainy-updates (rup): Bun is required to run the published JavaScript entrypoint. Install Bun or use the compiled binary release.\n");
+            process.exit(1);
         }
-        if (parsed.options.githubOutputFile) {
-            await writeGitHubOutput(parsed.options.githubOutputFile, result);
-        }
-        if (parsed.options.sarifFile) {
-            const sarif = createSarifReport(result);
-            await writeFileAtomic(parsed.options.sarifFile, stableStringify(sarif, 2) + "\n");
-        }
-        writeStdout(rendered + "\n");
-        setRuntimeExitCode(resolveExitCode(result, result.summary.failReason));
-    }
-    catch (error) {
-        writeStderr(`rainy-updates (rup): ${String(error)}\n`);
-        setRuntimeExitCode(2);
+        process.exit(result.status ?? 1);
     }
+    await runCli();
 }
 void main();
-async function readPackageVersion() {
-    try {
-        const packageJson = JSON.parse(readFileSync(new URL("../../package.json", import.meta.url), "utf8"));
-        return packageJson.version ?? "0.0.0";
-    }
-    catch {
-        return "0.0.0";
-    }
-}
-function resolveExitCode(result, failReason) {
-    if (result.errors.length > 0)
-        return 2;
-    if (failReason !== "none")
-        return 1;
-    return 0;
-}

package/dist/bin/dispatch.js

@@ -108,6 +108,12 @@ export async function handleDirectCommand(parsed) {
         setRuntimeExitCode(result.ready ? 0 : 1);
         return true;
     }
+    if (parsed.command === "hook") {
+        const { runHook } = await import("../commands/hook/runner.js");
+        const result = await runHook(parsed.options);
+        setRuntimeExitCode(result.errors.length > 0 ? 1 : 0);
+        return true;
+    }
     if (parsed.options.interactive &&
         (parsed.command === "check" ||
             parsed.command === "upgrade" ||

package/dist/bin/help.js

@@ -40,6 +40,11 @@ Options:
   --cooldown-days <n>
   --pr-limit <n>
   --only-changed
+  --affected
+  --staged
+  --base <ref>
+  --head <ref>
+  --since <ref>
   --interactive
   --plan-file <path>
   --verify none|install|test|install,test
@@ -123,6 +128,11 @@ Options:
   --cooldown-days <n>
   --pr-limit <n>
   --only-changed
+  --affected
+  --staged
+  --base <ref>
+  --head <ref>
+  --since <ref>
   --offline
   --concurrency <n>
   --registry-timeout-ms <n>
@@ -180,6 +190,11 @@ Scan dependencies for CVEs using OSV.dev and GitHub Advisory Database.
 
 Options:
   --workspace
+  --affected
+  --staged
+  --base <ref>
+  --head <ref>
+  --since <ref>
   --severity critical|high|medium|low
   --summary
   --report table|summary|json
@@ -200,6 +215,12 @@ Use it to inspect risk, security, peer, license, and policy context before apply
 
 Options:
   --workspace
+  --only-changed
+  --affected
+  --staged
+  --base <ref>
+  --head <ref>
+  --since <ref>
   --interactive
   --security-only
   --risk critical|high|medium|low
@@ -220,6 +241,12 @@ Produce a fast summary verdict and point the operator to review when action is n
 
 Options:
   --workspace
+  --only-changed
+  --affected
+  --staged
+  --base <ref>
+  --head <ref>
+  --since <ref>
   --verdict-only
   --include-changelog
   --json-file <path>`;
@@ -231,6 +258,13 @@ Open the primary interactive dependency operations console.
 
 Options:
   --workspace
+  --only-changed
+  --affected
+  --staged
+  --base <ref>
+  --head <ref>
+  --since <ref>
+  --view dependencies|security|health
   --mode check|review|upgrade
   --focus all|security|risk|major|blocked|workspace
   --apply-selected
@@ -248,6 +282,14 @@ Audit release and CI readiness for Rainy Updates.
 Options:
   --workspace
   --json-file <path>
+  --cwd <path>`;
+    }
+    if (isCommand && command === "hook") {
+        return `rainy-updates hook <install|uninstall|doctor> [options]
+
+Install, remove, or inspect Rainy-managed git hooks.
+
+Options:
   --cwd <path>`;
     }
     return `rainy-updates (rup / rainy-up) <command> [options]
@@ -270,6 +312,7 @@ Commands:
   licenses    Scan dependency licenses and generate SPDX SBOM
   snapshot    Save, list, restore, and diff dependency state snapshots
   ga          Audit GA and CI readiness for this checkout
+  hook        Install or inspect Rainy-managed git hooks
 
 Global options:
   --cwd <path>
@@ -288,6 +331,11 @@ Global options:
   --cooldown-days <n>
   --pr-limit <n>
   --only-changed
+  --affected
+  --staged
+  --base <ref>
+  --head <ref>
+  --since <ref>
   --interactive
   --show-impact
   --show-links

package/dist/bin/main.d.ts

@@ -0,0 +1 @@
+export declare function runCli(): Promise<void>;

package/dist/bin/main.js

@@ -0,0 +1,126 @@
+import { parseCliArgs } from "../core/options.js";
+import { createRunId, writeArtifactManifest } from "../core/artifacts.js";
+import { renderResult } from "../output/format.js";
+import { writeGitHubOutput } from "../output/github.js";
+import { createSarifReport } from "../output/sarif.js";
+import { renderPrReport } from "../output/pr-report.js";
+import { writeFileAtomic } from "../utils/io.js";
+import { resolveFailReason } from "../core/summary.js";
+import { stableStringify } from "../utils/stable-json.js";
+import { getRuntimeArgv, setRuntimeExitCode, writeStderr, writeStdout, } from "../utils/runtime.js";
+import { CLI_VERSION } from "../generated/version.js";
+import { handleDirectCommand, runPrimaryCommand } from "./dispatch.js";
+import { renderHelp } from "./help.js";
+export async function runCli() {
+    try {
+        const argv = getRuntimeArgv();
+        if (argv.includes("--version") || argv.includes("-v")) {
+            writeStdout((await readPackageVersion()) + "\n");
+            return;
+        }
+        if (argv.includes("--help") || argv.includes("-h")) {
+            writeStdout(renderHelp(argv[0]) + "\n");
+            return;
+        }
+        const parsed = await parseCliArgs(argv);
+        if (await handleDirectCommand(parsed))
+            return;
+        if (parsed.command !== "check" &&
+            parsed.command !== "upgrade" &&
+            parsed.command !== "warm-cache" &&
+            parsed.command !== "ci") {
+            throw new Error(`Unhandled command: ${parsed.command}`);
+        }
+        const result = await runPrimaryCommand(parsed);
+        result.summary.runId = createRunId(parsed.command, parsed.options, result);
+        if (parsed.options.fixPr &&
+            (parsed.command === "check" ||
+                parsed.command === "upgrade" ||
+                parsed.command === "ci")) {
+            result.summary.fixPrApplied = false;
+            result.summary.fixBranchName =
+                parsed.options.fixBranch ?? "chore/rainy-updates";
+            result.summary.fixCommitSha = "";
+            result.summary.fixPrBranchesCreated = 0;
+            if (parsed.command === "ci") {
+                const { applyFixPrBatches } = await import("../core/fix-pr-batch.js");
+                const batched = await applyFixPrBatches(parsed.options, result);
+                result.summary.fixPrApplied = batched.applied;
+                result.summary.fixBranchName =
+                    batched.branches[0] ??
+                        parsed.options.fixBranch ??
+                        "chore/rainy-updates";
+                result.summary.fixCommitSha = batched.commits[0] ?? "";
+                result.summary.fixPrBranchesCreated = batched.branches.length;
+                if (batched.branches.length > 1) {
+                    result.warnings.push(`Created ${batched.branches.length} fix-pr batch branches.`);
+                }
+            }
+            else {
+                const { applyFixPr } = await import("../core/fix-pr.js");
+                const fixResult = await applyFixPr(parsed.options, result, []);
+                result.summary.fixPrApplied = fixResult.applied;
+                result.summary.fixBranchName = fixResult.branchName ?? "";
+                result.summary.fixCommitSha = fixResult.commitSha ?? "";
+                result.summary.fixPrBranchesCreated = fixResult.applied ? 1 : 0;
+            }
+        }
+        if (parsed.options.prReportFile) {
+            const markdown = renderPrReport(result);
+            await writeFileAtomic(parsed.options.prReportFile, markdown + "\n");
+        }
+        const artifactManifest = await writeArtifactManifest(parsed.command, parsed.options, result);
+        if (artifactManifest) {
+            result.summary.artifactManifest = artifactManifest.artifactManifestPath;
+        }
+        result.summary.failReason = resolveFailReason(result.updates, result.errors, parsed.options.failOn, parsed.options.maxUpdates, parsed.options.ci);
+        const renderStartedAt = Date.now();
+        let rendered = renderResult(result, parsed.options.format, {
+            showImpact: parsed.options.showImpact,
+            showHomepage: parsed.options.showHomepage,
+        });
+        result.summary.durationMs.render = Math.max(0, Date.now() - renderStartedAt);
+        if (parsed.options.format === "json" ||
+            parsed.options.format === "metrics") {
+            rendered = renderResult(result, parsed.options.format, {
+                showImpact: parsed.options.showImpact,
+                showHomepage: parsed.options.showHomepage,
+            });
+        }
+        if (parsed.options.onlyChanged &&
+            result.updates.length === 0 &&
+            result.errors.length === 0 &&
+            result.warnings.length === 0 &&
+            (parsed.options.format === "table" ||
+                parsed.options.format === "minimal" ||
+                parsed.options.format === "github")) {
+            rendered = "";
+        }
+        if (parsed.options.jsonFile) {
+            await writeFileAtomic(parsed.options.jsonFile, stableStringify(result, 2) + "\n");
+        }
+        if (parsed.options.githubOutputFile) {
+            await writeGitHubOutput(parsed.options.githubOutputFile, result);
+        }
+        if (parsed.options.sarifFile) {
+            const sarif = createSarifReport(result);
+            await writeFileAtomic(parsed.options.sarifFile, stableStringify(sarif, 2) + "\n");
+        }
+        writeStdout(rendered + "\n");
+        setRuntimeExitCode(resolveExitCode(result, result.summary.failReason));
+    }
+    catch (error) {
+        writeStderr(`rainy-updates (rup): ${String(error)}\n`);
+        setRuntimeExitCode(2);
+    }
+}
+async function readPackageVersion() {
+    return CLI_VERSION;
+}
+function resolveExitCode(result, failReason) {
+    if (result.errors.length > 0)
+        return 2;
+    if (failReason !== "none")
+        return 1;
+    return 0;
+}

package/dist/commands/audit/parser.js

@@ -12,6 +12,11 @@ export function parseAuditArgs(args) {
     const options = {
         cwd: getRuntimeCwd(),
         workspace: false,
+        affected: false,
+        staged: false,
+        baseRef: undefined,
+        headRef: undefined,
+        sinceRef: undefined,
         severity: undefined,
         fix: false,
         dryRun: false,
@@ -39,6 +44,37 @@ export function parseAuditArgs(args) {
             index += 1;
             continue;
         }
+        if (current === "--affected") {
+            options.affected = true;
+            index += 1;
+            continue;
+        }
+        if (current === "--staged") {
+            options.staged = true;
+            index += 1;
+            continue;
+        }
+        if (current === "--base" && next) {
+            options.baseRef = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--base")
+            throw new Error("Missing value for --base");
+        if (current === "--head" && next) {
+            options.headRef = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--head")
+            throw new Error("Missing value for --head");
+        if (current === "--since" && next) {
+            options.sinceRef = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--since")
+            throw new Error("Missing value for --since");
         if (current === "--severity" && next) {
             options.severity = parseSeverity(next);
             index += 2;

package/dist/commands/audit/runner.js

@@ -1,5 +1,5 @@
 import { collectDependencies, readManifest, } from "../../parsers/package-json.js";
-import { detectPackageManager as detectProjectPackageManager, resolvePackageManager, } from "../../pm/detect.js";
+import { buildAddInvocation, createPackageManagerProfile, detectPackageManagerDetails, } from "../../pm/detect.js";
 import { discoverPackageDirs } from "../../workspace/discover.js";
 import { writeFileAtomic } from "../../utils/io.js";
 import { stableStringify } from "../../utils/stable-json.js";
@@ -28,7 +28,15 @@ export async function runAudit(options) {
             unresolved: 0,
         },
     };
-    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace, {
+        git: options,
+        includeKinds: [
+            "dependencies",
+            "devDependencies",
+            "optionalDependencies",
+        ],
+        includeDependents: options.affected === true,
+    });
     const depsByDir = new Map();
     for (const dir of packageDirs) {
         let manifest;
@@ -121,10 +129,10 @@ async function applyFix(advisories, options) {
     const patchMap = buildPatchMap(advisories);
     if (patchMap.size === 0)
         return;
-    const detected = await detectProjectPackageManager(options.cwd);
-    const pm = resolvePackageManager(options.packageManager, detected);
-    const installArgs = buildInstallArgs(pm, patchMap);
-    const installCmd = `${pm} ${installArgs.join(" ")}`;
+    const detected = await detectPackageManagerDetails(options.cwd);
+    const profile = createPackageManagerProfile(options.packageManager, detected);
+    const install = buildInstallArgs(profile, patchMap);
+    const installCmd = install.display;
     if (options.dryRun) {
         if (!options.silent) {
             writeStderr(`[audit] --dry-run: would execute:\n  ${installCmd}\n`);
@@ -140,7 +148,7 @@ async function applyFix(advisories, options) {
         writeStderr(`  → ${installCmd}\n`);
     }
     try {
-        await runCommand(pm, installArgs, options.cwd);
+        await runCommand(install.command, install.args, options.cwd);
     }
     catch (err) {
         if (!options.silent) {
@@ -158,18 +166,9 @@ async function applyFix(advisories, options) {
         writeStderr(`[audit] Tip: run with --commit to automatically commit the changes.\n`);
     }
 }
-function buildInstallArgs(pm, patchMap) {
+function buildInstallArgs(profile, patchMap) {
     const packages = [...patchMap.entries()].map(([n, v]) => `${n}@${v}`);
-    switch (pm) {
-        case "pnpm":
-            return ["add", ...packages];
-        case "bun":
-            return ["add", ...packages];
-        case "yarn":
-            return ["add", ...packages];
-        default:
-            return ["install", ...packages]; // npm
-    }
+    return buildAddInvocation(profile, packages);
 }
 async function commitFix(patchMap, cwd, silent) {
     const msg = buildCommitMessage(patchMap);