@rainy-updates/cli 0.6.0 → 0.6.2

package/dist/commands/unused/scanner.js

@@ -1,37 +1,63 @@
-import { promises as fs } from "node:fs";
 import path from "node:path";
+import { parseSync } from "oxc-parser";
 /**
- * Extracts all imported package names from a single source file.
+ * Extracts all imported package names from a single source file using AST.
  *
  * Handles:
  *   - ESM static:  import ... from "pkg"
  *   - ESM dynamic: import("pkg")
  *   - CJS:         require("pkg")
+ *   - ESM re-export: export ... from "pkg"
  *
  * Strips subpath imports (e.g. "lodash/merge" → "lodash"),
  * skips relative imports and node: builtins.
  */
 export function extractImportsFromSource(source) {
     const names = new Set();
-    // ESM static import: from "pkg" or from 'pkg'
-    const staticImport = /from\s+['"]([^'"]+)['"]/g;
-    for (const match of source.matchAll(staticImport)) {
-        addPackageName(names, match[1]);
-    }
-    // ESM dynamic import: import("pkg") or import('pkg')
-    const dynamicImport = /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
-    for (const match of source.matchAll(dynamicImport)) {
-        addPackageName(names, match[1]);
-    }
-    // CJS require: require("pkg") or require('pkg')
-    const cjsRequire = /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
-    for (const match of source.matchAll(cjsRequire)) {
-        addPackageName(names, match[1]);
+    try {
+        const parseResult = parseSync("unknown.ts", source, {
+            sourceType: "module",
+        });
+        const walk = (node) => {
+            if (!node)
+                return;
+            if (node.type === "ImportDeclaration" && node.source?.value) {
+                addPackageName(names, node.source.value);
+            }
+            else if (node.type === "ExportNamedDeclaration" && node.source?.value) {
+                addPackageName(names, node.source.value);
+            }
+            else if (node.type === "ExportAllDeclaration" && node.source?.value) {
+                addPackageName(names, node.source.value);
+            }
+            else if (node.type === "ImportExpression" && node.source?.value) {
+                addPackageName(names, node.source.value);
+            }
+            else if (node.type === "CallExpression") {
+                if (node.callee?.type === "Identifier" &&
+                    node.callee.name === "require" &&
+                    node.arguments?.[0]?.type === "StringLiteral") {
+                    addPackageName(names, node.arguments[0].value);
+                }
+            }
+            // Traverse children
+            for (const key in node) {
+                if (node[key] && typeof node[key] === "object") {
+                    if (Array.isArray(node[key])) {
+                        for (const child of node[key]) {
+                            walk(child);
+                        }
+                    }
+                    else {
+                        walk(node[key]);
+                    }
+                }
+            }
+        };
+        walk(parseResult.program);
     }
-    // export ... from "pkg"
-    const reExport = /\bexport\s+(?:\*|\{[^}]*\})\s+from\s+['"]([^'"]+)['"]/g;
-    for (const match of source.matchAll(reExport)) {
-        addPackageName(names, match[1]);
+    catch (err) {
+        // Fallback or ignore parse errors
     }
     return names;
 }
@@ -87,40 +113,30 @@ const IGNORED_DIRS = new Set([
  */
 export async function scanDirectory(dir) {
     const allImports = new Set();
-    await walkDirectory(dir, allImports);
-    return allImports;
-}
-async function walkDirectory(dir, collector) {
-    let entries;
-    try {
-        entries = await fs.readdir(dir, { withFileTypes: true });
-    }
-    catch {
-        return;
-    }
+    const glob = new Bun.Glob("**/*.{ts,tsx,js,jsx,mjs,cjs,mts,cts}");
     const tasks = [];
-    for (const entry of entries) {
-        const entryName = entry.name;
-        if (IGNORED_DIRS.has(entryName))
-            continue;
-        const fullPath = path.join(dir, entryName);
-        if (entry.isDirectory()) {
-            tasks.push(walkDirectory(fullPath, collector));
+    for await (const file of glob.scan(dir)) {
+        // Bun.Glob returns relative paths
+        const fullPath = path.join(dir, file);
+        // Quick check to ignore certain directories in the path
+        if (fullPath.includes("/node_modules/") ||
+            fullPath.includes("/.git/") ||
+            fullPath.includes("/dist/") ||
+            fullPath.includes("/build/") ||
+            fullPath.includes("/out/") ||
+            fullPath.includes("/.next/") ||
+            fullPath.includes("/.nuxt/")) {
             continue;
         }
-        if (!entry.isFile())
-            continue;
-        const ext = path.extname(entryName).toLowerCase();
-        if (!SOURCE_EXTENSIONS.has(ext))
-            continue;
         tasks.push(Bun.file(fullPath)
             .text()
             .then((source) => {
             for (const name of extractImportsFromSource(source)) {
-                collector.add(name);
+                allImports.add(name);
             }
         })
             .catch(() => undefined));
     }
     await Promise.all(tasks);
+    return allImports;
 }

package/dist/core/check.js

@@ -18,7 +18,11 @@ export async function check(options) {
     let registryMs = 0;
     const discoveryStartedAt = Date.now();
     const packageManager = await detectPackageManager(options.cwd);
-    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace, {
+        git: options,
+        includeKinds: options.includeKinds,
+        includeDependents: options.affected === true,
+    });
     discoveryMs += Date.now() - discoveryStartedAt;
     const cache = await VersionCache.create();
     const registryClient = new NpmRegistryClient(options.cwd, {

package/dist/core/doctor/findings.js

@@ -11,7 +11,7 @@ export function buildDoctorFindings(review) {
             summary: error,
             details: "Execution errors make the scan incomplete or require operator review.",
             help: "Resolve execution and registry issues before treating the run as clean.",
-            recommendedAction: "Run `rup review --interactive` after fixing execution failures.",
+            recommendedAction: "Run `rup dashboard --mode review` after fixing execution failures.",
             evidence: [error],
         });
     }
@@ -43,7 +43,7 @@ export function buildDoctorFindings(review) {
                 summary: `${item.update.name} has ${item.update.peerConflictSeverity} peer conflicts after the proposed upgrade.`,
                 details: item.peerConflicts[0]?.suggestion,
                 help: "Inspect peer dependency requirements before applying the update.",
-                recommendedAction: item.update.recommendedAction ?? "Review peer requirements in `rup review --interactive`.",
+                recommendedAction: item.update.recommendedAction ?? "Review peer requirements in `rup dashboard --mode review`.",
                 evidence: item.peerConflicts.map((conflict) => `${conflict.requester} -> ${conflict.peer}@${conflict.requiredRange}`),
             });
         }
@@ -59,7 +59,7 @@ export function buildDoctorFindings(review) {
                 summary: `${item.update.name} violates the current license policy.`,
                 details: item.license?.license,
                 help: "Keep denied licenses out of the approved update set.",
-                recommendedAction: item.update.recommendedAction ?? "Block this package in `rup review --interactive`.",
+                recommendedAction: item.update.recommendedAction ?? "Block this package in `rup dashboard --mode review --focus blocked`.",
             });
         }
         if ((item.update.advisoryCount ?? 0) > 0) {
@@ -106,7 +106,7 @@ export function buildDoctorFindings(review) {
                 workspace,
                 summary: `${item.update.name} is a major version upgrade.`,
                 help: "Major upgrades should be reviewed explicitly before being applied.",
-                recommendedAction: item.update.recommendedAction ?? "Review major changes in `rup review --interactive`.",
+                recommendedAction: item.update.recommendedAction ?? "Review major changes in `rup dashboard --mode review --focus major`.",
             });
         }
         if (item.update.healthStatus === "stale" || item.update.healthStatus === "archived") {

package/dist/core/init-ci.js

@@ -1,6 +1,6 @@
 import { mkdir } from "node:fs/promises";
 import path from "node:path";
-import { detectPackageManager } from "../pm/detect.js";
+import { buildInstallInvocation, buildTestCommand, createPackageManagerProfile, detectPackageManagerDetails, } from "../pm/detect.js";
 export async function initCiWorkflow(cwd, force, options) {
     const workflowPath = path.join(cwd, ".github", "workflows", "rainy-updates.yml");
     try {
@@ -13,8 +13,8 @@ export async function initCiWorkflow(cwd, force, options) {
     catch {
         // missing file, continue create
     }
-    const detected = await detectPackageManager(cwd);
-    const packageManager = detected === "unknown" || detected === "yarn" ? "npm" : detected;
+    const detected = await detectPackageManagerDetails(cwd);
+    const packageManager = createPackageManagerProfile("auto", detected);
     const scheduleBlock = renderScheduleBlock(options.schedule);
     const workflow = options.mode === "minimal"
         ? minimalWorkflowTemplate(scheduleBlock, packageManager)
@@ -32,32 +32,34 @@ function renderScheduleBlock(schedule) {
     const cron = schedule === "daily" ? "0 8 * * *" : "0 8 * * 1";
     return `  schedule:\n    - cron: '${cron}'\n  workflow_dispatch:`;
 }
-function installStep(packageManager) {
-    if (packageManager === "bun") {
-        return `      - name: Install dependencies\n        run: bun install`;
+function installStep(profile) {
+    const install = buildInstallInvocation(profile, { frozen: true, ci: true });
+    return `      - name: Install dependencies\n        run: ${install.display}`;
+}
+function runtimeSetupSteps(profile) {
+    const lines = [
+        `      - name: Checkout\n        uses: actions/checkout@v4`,
+    ];
+    if (profile.manager !== "bun") {
+        lines.push(`      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: 22`);
+    }
+    lines.push(`      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1`);
+    if (profile.manager === "pnpm" || profile.manager === "yarn") {
+        lines.push(`      - name: Enable Corepack\n        run: corepack enable`);
     }
-    if (packageManager === "pnpm") {
-        return `      - name: Setup pnpm\n        uses: pnpm/action-setup@v4\n        with:\n          version: 9\n\n      - name: Install dependencies\n        run: pnpm install --frozen-lockfile`;
+    if (profile.manager === "pnpm") {
+        lines.push(`      - name: Prepare pnpm\n        run: corepack prepare pnpm@9 --activate`);
     }
-    return `      - name: Install dependencies\n        run: npm ci`;
+    return lines.join("\n\n");
 }
-function minimalWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${installStep(packageManager)}\n\n      - name: Run dependency check\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --gate check \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
+function minimalWorkflowTemplate(scheduleBlock, profile) {
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n${runtimeSetupSteps(profile)}\n\n${installStep(profile)}\n\n      - name: Run dependency check\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --gate check \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
 }
-function strictWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${installStep(packageManager)}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
+function strictWorkflowTemplate(scheduleBlock, profile) {
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n${runtimeSetupSteps(profile)}\n\n${installStep(profile)}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
 }
-function enterpriseWorkflowTemplate(scheduleBlock, packageManager) {
-    let detectedPmInstall = "npm ci";
-    let testCmd = "npm test";
-    if (packageManager === "pnpm") {
-        detectedPmInstall =
-            "corepack enable && corepack prepare pnpm@9 --activate && pnpm install --frozen-lockfile";
-        testCmd = "pnpm test";
-    }
-    else if (packageManager === "bun") {
-        detectedPmInstall = "bun install";
-        testCmd = "bun test";
-    }
-    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n      - name: Install dependencies\n        run: ${detectedPmInstall}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Replay approved plan with verification\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate upgrade \\\n            --from-plan .artifacts/decision-plan.json \\\n            --verify test \\\n            --test-command "${testCmd}" \\\n            --verification-report-file .artifacts/verification-node-\${{ matrix.node }}.json\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
+function enterpriseWorkflowTemplate(scheduleBlock, profile) {
+    const install = buildInstallInvocation(profile, { frozen: true, ci: true });
+    const testCmd = buildTestCommand(profile);
+    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${profile.manager === "pnpm" || profile.manager === "yarn" ? '      - name: Enable Corepack\n        run: corepack enable\n\n' : ""}${profile.manager === "pnpm" ? '      - name: Prepare pnpm\n        run: corepack prepare pnpm@9 --activate\n\n' : ""}      - name: Install dependencies\n        run: ${install.display}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Replay approved plan with verification\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate upgrade \\\n            --from-plan .artifacts/decision-plan.json \\\n            --verify test \\\n            --test-command "${testCmd}" \\\n            --verification-report-file .artifacts/verification-node-\${{ matrix.node }}.json\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
 }

package/dist/core/options.d.ts

@@ -1,4 +1,4 @@
-import type { BaselineOptions, CheckOptions, UpgradeOptions, AuditOptions, BisectOptions, HealthOptions, UnusedOptions, ResolveOptions, LicenseOptions, SnapshotOptions, ReviewOptions, DoctorOptions, RiskLevel, DashboardOptions, GaOptions } from "../types/index.js";
+import type { BaselineOptions, CheckOptions, UpgradeOptions, AuditOptions, BisectOptions, HealthOptions, UnusedOptions, ResolveOptions, LicenseOptions, SnapshotOptions, ReviewOptions, DoctorOptions, RiskLevel, DashboardOptions, GaOptions, HookOptions } from "../types/index.js";
 import type { InitCiMode, InitCiSchedule } from "./init-ci.js";
 export type ParsedCliArgs = {
     command: "check";
@@ -58,6 +58,9 @@ export type ParsedCliArgs = {
 } | {
     command: "ga";
     options: GaOptions;
+} | {
+    command: "hook";
+    options: HookOptions;
 };
 export declare function parseCliArgs(argv: string[]): Promise<ParsedCliArgs>;
 export declare function ensureRiskLevel(value: string): RiskLevel;

package/dist/core/options.js

@@ -25,6 +25,7 @@ const KNOWN_COMMANDS = [
     "doctor",
     "dashboard",
     "ga",
+    "hook",
 ];
 export async function parseCliArgs(argv) {
     const firstArg = argv[0];
@@ -82,6 +83,10 @@ export async function parseCliArgs(argv) {
         const { parseGaArgs } = await import("../commands/ga/parser.js");
         return { command, options: parseGaArgs(args) };
     }
+    if (command === "hook") {
+        const { parseHookArgs } = await import("../commands/hook/parser.js");
+        return { command, options: parseHookArgs(args) };
+    }
     const base = {
         cwd: getRuntimeCwd(),
         target: "latest",
@@ -117,6 +122,11 @@ export async function parseCliArgs(argv) {
         cooldownDays: undefined,
         prLimit: undefined,
         onlyChanged: false,
+        affected: false,
+        staged: false,
+        baseRef: undefined,
+        headRef: undefined,
+        sinceRef: undefined,
         ciProfile: "minimal",
         lockfileMode: "preserve",
         interactive: false,
@@ -457,6 +467,38 @@ export async function parseCliArgs(argv) {
             base.onlyChanged = true;
             continue;
         }
+        if (current === "--affected") {
+            base.affected = true;
+            continue;
+        }
+        if (current === "--staged") {
+            base.staged = true;
+            continue;
+        }
+        if (current === "--base" && next) {
+            base.baseRef = next;
+            index += 1;
+            continue;
+        }
+        if (current === "--base") {
+            throw new Error("Missing value for --base");
+        }
+        if (current === "--head" && next) {
+            base.headRef = next;
+            index += 1;
+            continue;
+        }
+        if (current === "--head") {
+            throw new Error("Missing value for --head");
+        }
+        if (current === "--since" && next) {
+            base.sinceRef = next;
+            index += 1;
+            continue;
+        }
+        if (current === "--since") {
+            throw new Error("Missing value for --since");
+        }
         if (current === "--interactive") {
             base.interactive = true;
             continue;
@@ -726,6 +768,21 @@ function applyConfig(base, config) {
     if (typeof config.onlyChanged === "boolean") {
         base.onlyChanged = config.onlyChanged;
     }
+    if (typeof config.affected === "boolean") {
+        base.affected = config.affected;
+    }
+    if (typeof config.staged === "boolean") {
+        base.staged = config.staged;
+    }
+    if (typeof config.baseRef === "string" && config.baseRef.length > 0) {
+        base.baseRef = config.baseRef;
+    }
+    if (typeof config.headRef === "string" && config.headRef.length > 0) {
+        base.headRef = config.headRef;
+    }
+    if (typeof config.sinceRef === "string" && config.sinceRef.length > 0) {
+        base.sinceRef = config.sinceRef;
+    }
     if (typeof config.ciProfile === "string") {
         base.ciProfile = ensureCiProfile(config.ciProfile);
     }

package/dist/core/verification.js

@@ -1,8 +1,8 @@
-import { detectPackageManager, resolvePackageManager } from "../pm/detect.js";
+import { buildInstallInvocation, buildTestCommand, createPackageManagerProfile, detectPackageManagerDetails, } from "../pm/detect.js";
 import { installDependencies } from "../pm/install.js";
 import { stableStringify } from "../utils/stable-json.js";
 import { writeFileAtomic } from "../utils/io.js";
-import { readEnv } from "../utils/runtime.js";
+import { buildShellInvocation } from "../utils/shell.js";
 export async function runVerification(options) {
     const mode = options.verify;
     if (mode === "none") {
@@ -15,15 +15,17 @@ export async function runVerification(options) {
         return result;
     }
     const checks = [];
-    const detected = await detectPackageManager(options.cwd);
+    const detected = await detectPackageManagerDetails(options.cwd);
+    const profile = createPackageManagerProfile(options.packageManager, detected, "bun");
     if (includesInstall(mode)) {
-        checks.push(await runCheck("install", `${resolvePackageManager(options.packageManager, detected)} install`, async () => {
+        const installInvocation = buildInstallInvocation(profile);
+        checks.push(await runCheck("install", installInvocation.display, async () => {
             await installDependencies(options.cwd, options.packageManager, detected);
         }));
     }
     if (includesTest(mode)) {
         const command = options.testCommand ??
-            defaultTestCommand(options.packageManager, detected);
+            defaultTestCommand(profile);
         checks.push(await runShellCheck(options.cwd, command));
     }
     const result = {
@@ -40,14 +42,14 @@ function includesInstall(mode) {
 function includesTest(mode) {
     return mode === "test" || mode === "install,test";
 }
-function defaultTestCommand(packageManager, detected) {
-    return `${resolvePackageManager(packageManager, detected, "bun")} test`;
+function defaultTestCommand(profile) {
+    return buildTestCommand(profile);
 }
 async function runShellCheck(cwd, command) {
     const startedAt = Date.now();
     try {
-        const shell = readEnv("SHELL") || "sh";
-        const proc = Bun.spawn([shell, "-lc", command], {
+        const invocation = buildShellInvocation(command);
+        const proc = Bun.spawn([invocation.shell, ...invocation.args], {
             cwd,
             stdin: "inherit",
             stdout: "inherit",

package/dist/core/warm-cache.js

@@ -14,7 +14,11 @@ export async function warmCache(options) {
     let registryMs = 0;
     const discoveryStartedAt = Date.now();
     const packageManager = await detectPackageManager(options.cwd);
-    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace, {
+        git: options,
+        includeKinds: options.includeKinds,
+        includeDependents: options.affected === true,
+    });
     discoveryMs += Date.now() - discoveryStartedAt;
     const cache = await VersionCache.create();
     const registryClient = new NpmRegistryClient(options.cwd, {

package/dist/generated/version.d.ts

@@ -0,0 +1 @@
+export declare const CLI_VERSION = "0.6.2";

package/dist/generated/version.js

@@ -0,0 +1,2 @@
+// This file is generated by scripts/sync-version.mjs.
+export const CLI_VERSION = "0.6.2";

package/dist/git/scope.d.ts

@@ -0,0 +1,19 @@
+import type { DependencyKind } from "../types/index.js";
+export interface GitScopeOptions {
+    onlyChanged?: boolean;
+    affected?: boolean;
+    staged?: boolean;
+    baseRef?: string;
+    headRef?: string;
+    sinceRef?: string;
+}
+export interface ScopedPackageDirsResult {
+    packageDirs: string[];
+    warnings: string[];
+    changedFiles: string[];
+}
+export declare function hasGitScope(options: GitScopeOptions): boolean;
+export declare function scopePackageDirsByGit(cwd: string, packageDirs: string[], options: GitScopeOptions, config?: {
+    includeKinds?: DependencyKind[];
+    includeDependents?: boolean;
+}): Promise<ScopedPackageDirsResult>;

package/dist/git/scope.js

@@ -0,0 +1,167 @@
+import path from "node:path";
+import { readManifest } from "../parsers/package-json.js";
+import { buildWorkspaceGraph } from "../workspace/graph.js";
+export function hasGitScope(options) {
+    return (options.onlyChanged === true ||
+        options.affected === true ||
+        options.staged === true ||
+        typeof options.baseRef === "string" ||
+        typeof options.headRef === "string" ||
+        typeof options.sinceRef === "string");
+}
+export async function scopePackageDirsByGit(cwd, packageDirs, options, config = {}) {
+    if (!hasGitScope(options)) {
+        return {
+            packageDirs,
+            warnings: [],
+            changedFiles: [],
+        };
+    }
+    const changedFiles = await listChangedFiles(cwd, options);
+    if ("warnings" in changedFiles) {
+        return {
+            packageDirs,
+            warnings: changedFiles.warnings,
+            changedFiles: [],
+        };
+    }
+    const changedPackageDirs = mapFilesToPackageDirs(cwd, packageDirs, changedFiles.files);
+    if (changedPackageDirs.length === 0) {
+        return {
+            packageDirs: [],
+            warnings: [],
+            changedFiles: changedFiles.files,
+        };
+    }
+    if (!config.includeDependents) {
+        return {
+            packageDirs: changedPackageDirs,
+            warnings: [],
+            changedFiles: changedFiles.files,
+        };
+    }
+    const affectedPackageDirs = await expandToDependents(changedPackageDirs, packageDirs, config.includeKinds ?? ["dependencies", "devDependencies"]);
+    return {
+        packageDirs: affectedPackageDirs,
+        warnings: [],
+        changedFiles: changedFiles.files,
+    };
+}
+async function listChangedFiles(cwd, options) {
+    const primaryArgs = buildGitDiffArgs(options);
+    const diff = await runGit(cwd, primaryArgs);
+    if (!diff.ok) {
+        return {
+            warnings: [
+                `Git scope could not be resolved (${diff.error}). Falling back to full workspace scan.`,
+            ],
+        };
+    }
+    const untracked = await runGit(cwd, ["ls-files", "--others", "--exclude-standard"]);
+    const files = new Set();
+    for (const value of [...diff.lines, ...(untracked.ok ? untracked.lines : [])]) {
+        const trimmed = value.trim();
+        if (trimmed.length === 0)
+            continue;
+        files.add(trimmed);
+    }
+    return {
+        files: Array.from(files).sort((left, right) => left.localeCompare(right)),
+    };
+}
+function buildGitDiffArgs(options) {
+    if (options.staged) {
+        return ["diff", "--name-only", "--cached"];
+    }
+    if (options.baseRef && options.headRef) {
+        return ["diff", "--name-only", `${options.baseRef}...${options.headRef}`];
+    }
+    if (options.baseRef) {
+        return ["diff", "--name-only", `${options.baseRef}...HEAD`];
+    }
+    if (options.sinceRef) {
+        return ["diff", "--name-only", `${options.sinceRef}..HEAD`];
+    }
+    return ["diff", "--name-only", "HEAD"];
+}
+async function runGit(cwd, args) {
+    try {
+        const proc = Bun.spawn(["git", ...args], {
+            cwd,
+            stdout: "pipe",
+            stderr: "pipe",
+        });
+        const [stdout, stderr, exitCode] = await Promise.all([
+            new Response(proc.stdout).text(),
+            new Response(proc.stderr).text(),
+            proc.exited,
+        ]);
+        if (exitCode !== 0) {
+            const message = stderr.trim() || `git ${args.join(" ")} exited with code ${exitCode}`;
+            return { ok: false, error: message };
+        }
+        return {
+            ok: true,
+            lines: stdout.split(/\r?\n/).filter(Boolean),
+        };
+    }
+    catch (error) {
+        return { ok: false, error: String(error) };
+    }
+}
+function mapFilesToPackageDirs(cwd, packageDirs, files) {
+    const sortedDirs = [...packageDirs].sort((left, right) => right.length - left.length);
+    const matched = new Set();
+    for (const file of files) {
+        const absoluteFile = path.resolve(cwd, file);
+        let bestMatch;
+        for (const packageDir of sortedDirs) {
+            const relative = path.relative(packageDir, absoluteFile);
+            if (relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative))) {
+                bestMatch = packageDir;
+                break;
+            }
+        }
+        if (bestMatch) {
+            matched.add(bestMatch);
+        }
+    }
+    return Array.from(matched).sort((left, right) => left.localeCompare(right));
+}
+async function expandToDependents(changedPackageDirs, packageDirs, includeKinds) {
+    const manifestsByPath = new Map();
+    for (const packageDir of packageDirs) {
+        try {
+            manifestsByPath.set(packageDir, await readManifest(packageDir));
+        }
+        catch {
+            // Skip unreadable manifests; callers already handle manifest read failures.
+        }
+    }
+    const graph = buildWorkspaceGraph(manifestsByPath, includeKinds);
+    const pathByName = new Map(graph.nodes.map((node) => [node.packageName, node.packagePath]));
+    const nameByPath = new Map(graph.nodes.map((node) => [node.packagePath, node.packageName]));
+    const dependents = new Map();
+    for (const node of graph.nodes) {
+        for (const dependency of node.dependsOn) {
+            const list = dependents.get(dependency) ?? [];
+            list.push(node.packageName);
+            dependents.set(dependency, list);
+        }
+    }
+    const selected = new Set(changedPackageDirs);
+    const queue = changedPackageDirs
+        .map((packageDir) => nameByPath.get(packageDir))
+        .filter((value) => typeof value === "string");
+    while (queue.length > 0) {
+        const current = queue.shift();
+        for (const dependent of dependents.get(current) ?? []) {
+            const dependentPath = pathByName.get(dependent);
+            if (!dependentPath || selected.has(dependentPath))
+                continue;
+            selected.add(dependentPath);
+            queue.push(dependent);
+        }
+    }
+    return Array.from(selected).sort((left, right) => left.localeCompare(right));
+}