@socketsecurity/cli-with-sentry 1.0.20 → 1.0.22

package/dist/cli.js

@@ -22,8 +22,8 @@ var sorts = require('../external/@socketsecurity/registry/lib/sorts');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var shadowNpmInject = require('./shadow-npm-inject.js');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
+var shadowNpmInject = require('./shadow-npm-inject.js');
 var objects = require('../external/@socketsecurity/registry/lib/objects');
 var shadowNpmBin = require('./shadow-npm-bin.js');
 var require$$7 = require('../external/@socketsecurity/registry/lib/promises');
@@ -591,7 +591,10 @@ ${table}
   } catch (e) {
     process.exitCode = 1;
     logger.logger.fail('There was a problem converting the logs to Markdown, please try the `--json` flag');
-    debug.debugFn('catch: unexpected\n', e);
+    debug.debugFn('error', 'caught: unexpected error');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return 'Failed to generate the markdown report';
   }
 }
@@ -863,7 +866,7 @@ async function run$O(argv, importMeta, {
 async function getDefaultOrgSlug() {
   const defaultOrgResult = utils.getConfigValueOrUndef('defaultOrg');
   if (defaultOrgResult) {
-    debug.debugFn('use: default org', defaultOrgResult);
+    debug.debugFn('notice', 'use: default org', defaultOrgResult);
     return {
       ok: true,
       data: defaultOrgResult
@@ -895,7 +898,7 @@ async function getDefaultOrgSlug() {
       data: `Was unable to determine the default organization for the current API token. Unable to continue.`
     };
   }
-  debug.debugFn('resolve: org', slug);
+  debug.debugFn('notice', 'resolve: org', slug);
   return {
     ok: true,
     message: 'Retrieved default org from server',
@@ -999,7 +1002,10 @@ async function fetchReportData(orgSlug, scanId, includeLicensePolicy) {
         return JSON.parse(line);
       } catch {
         ok = false;
-        debug.debugFn('fail: parse NDJSON\n', line);
+        debug.debugFn('error', 'fail: parse NDJSON');
+        debug.debugDir('inspect', {
+          line
+        });
         return;
       }
     });
@@ -1497,28 +1503,28 @@ sockJson, cwd = process.cwd()) {
     sbt: false
   };
   if (sockJson?.defaults?.manifest?.sbt?.disabled) {
-    debug.debugLog('[DEBUG] - sbt auto-detection is disabled in socket.json');
+    debug.debugLog('notice', '[DEBUG] - sbt auto-detection is disabled in socket.json');
   } else if (fs$1.existsSync(path.join(cwd, 'build.sbt'))) {
-    debug.debugLog('[DEBUG] - Detected a Scala sbt build file');
+    debug.debugLog('notice', '[DEBUG] - Detected a Scala sbt build file');
     output.sbt = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.gradle?.disabled) {
-    debug.debugLog('[DEBUG] - gradle auto-detection is disabled in socket.json');
+    debug.debugLog('notice', '[DEBUG] - gradle auto-detection is disabled in socket.json');
   } else if (fs$1.existsSync(path.join(cwd, 'gradlew'))) {
-    debug.debugLog('[DEBUG] - Detected a gradle build file');
+    debug.debugLog('notice', '[DEBUG] - Detected a gradle build file');
     output.gradle = true;
     output.count += 1;
   }
   if (sockJson?.defaults?.manifest?.conda?.disabled) {
-    debug.debugLog('[DEBUG] - conda auto-detection is disabled in socket.json');
+    debug.debugLog('notice', '[DEBUG] - conda auto-detection is disabled in socket.json');
   } else {
     const envyml = path.join(cwd, 'environment.yml');
     const hasEnvyml = fs$1.existsSync(envyml);
     const envyaml = path.join(cwd, 'environment.yaml');
     const hasEnvyaml = !hasEnvyml && fs$1.existsSync(envyaml);
     if (hasEnvyml || hasEnvyaml) {
-      debug.debugLog('[DEBUG] - Detected an environment.yml Conda file');
+      debug.debugLog('notice', '[DEBUG] - Detected an environment.yml Conda file');
       output.conda = true;
       output.count += 1;
     }
@@ -2992,6 +2998,7 @@ function createSocketBranchParser(options) {
     };
   };
 }
+const genericSocketBranchParser = createSocketBranchParser();
 async function getBaseGitBranch(cwd = process.cwd()) {
   // Lazily access constants.ENV properties.
   const {
@@ -3024,17 +3031,17 @@ async function getBaseGitBranch(cwd = process.cwd()) {
 }
 function getSocketBranchFullNameComponent(pkgName) {
   const purlObj = utils.getPurlObject(typeof pkgName === 'string' && !pkgName.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/${pkgName}`) : pkgName);
-  const fmtMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
-  return `${fmtMaybeNamespace}${formatBranchName(purlObj.name)}`;
+  const branchMaybeNamespace = purlObj.namespace ? `${formatBranchName(purlObj.namespace)}--` : '';
+  return `${branchMaybeNamespace}${formatBranchName(purlObj.name)}`;
 }
 function getSocketBranchName(purl, newVersion, workspace) {
   const purlObj = utils.getPurlObject(purl);
-  const fmtType = getSocketBranchPurlTypeComponent(purlObj);
-  const fmtWorkspace = getSocketBranchWorkspaceComponent(workspace);
-  const fmtFullName = getSocketBranchFullNameComponent(purlObj);
-  const fmtVersion = getSocketBranchPackageVersionComponent(purlObj.version);
-  const fmtNewVersion = formatBranchName(newVersion);
-  return `socket/${fmtType}/${fmtWorkspace}/${fmtFullName}_${fmtVersion}_${fmtNewVersion}`;
+  const branchType = getSocketBranchPurlTypeComponent(purlObj);
+  const branchWorkspace = getSocketBranchWorkspaceComponent(workspace);
+  const branchFullName = getSocketBranchFullNameComponent(purlObj);
+  const branchVersion = getSocketBranchPackageVersionComponent(purlObj.version);
+  const branchNewVersion = formatBranchName(newVersion);
+  return `socket/${branchType}/${branchWorkspace}/${branchFullName}_${branchVersion}_${branchNewVersion}`;
 }
 function getSocketBranchPackageVersionComponent(version) {
   const purlObj = utils.getPurlObject(typeof version === 'string' && !version.startsWith('pkg:') ? vendor.packageurlJsExports.PackageURL.fromString(`pkg:unknown/unknown@${version}`) : version);
@@ -3112,7 +3119,7 @@ async function gitCreateAndPushBranch(branch, commitMsg, filepaths, options) {
     await spawn.spawn('git', ['push', '--force', '--set-upstream', 'origin', branch], stdioIgnoreOptions);
     return true;
   } catch (e) {
-    debug.debugFn(`catch: git push --force --set-upstream origin ${branch} failed\n`, e);
+    debug.debugFn('error', `caught: git push --force --set-upstream origin ${branch} failed\n`, e);
   }
   try {
     // Will throw with exit code 1 if branch does not exist.
@@ -3146,9 +3153,15 @@ async function gitRepoInfo(cwd = process.cwd()) {
         };
       }
     } catch {}
-    debug.debugFn('git: unmatched git remote URL format', remoteUrl);
+    debug.debugFn('error', 'git: unmatched git remote URL format');
+    debug.debugDir('inspect', {
+      remoteUrl
+    });
   } catch (e) {
-    debug.debugFn('catch: git remote get-url origin failed\n', e);
+    debug.debugFn('error', 'caught: `git remote get-url origin` failed');
+    debug.debugDir('inspect', {
+      error: e
+    });
   }
   return null;
 }
@@ -3174,7 +3187,10 @@ async function gitEnsureIdentity(name, email, cwd = process.cwd()) {
       try {
         await spawn.spawn('git', ['config', prop, value], stdioIgnoreOptions);
       } catch (e) {
-        debug.debugFn(`catch: git config ${prop} ${value} failed\n`, e);
+        debug.debugFn('error', `caught: git config ${prop} ${value} failed`);
+        debug.debugDir('inspect', {
+          error: e
+        });
       }
     }
   }));
@@ -3213,7 +3229,10 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
       data: rawRelPaths.map(relPath => path$1.normalizePath(relPath))
     };
   } catch (e) {
-    debug.debugFn('catch: git diff --name-only failed\n', e);
+    debug.debugFn('error', 'caught: git diff --name-only failed');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'Git Error',
@@ -3222,41 +3241,32 @@ async function gitUnstagedModifiedFiles(cwd = process.cwd()) {
   }
 }
 
-function getActiveBranchesForPackage(ciEnv, partialPurl, openPrs) {
-  if (!ciEnv) {
+function getPrsForPurl(fixEnv, partialPurl) {
+  if (!fixEnv) {
     return [];
   }
-  const activeBranches = [];
+  const prs = [];
   const partialPurlObj = utils.getPurlObject(partialPurl);
   const branchFullName = getSocketBranchFullNameComponent(partialPurlObj);
   const branchPurlType = getSocketBranchPurlTypeComponent(partialPurlObj);
-  for (const pr of openPrs) {
-    const parsedBranch = ciEnv.branchParser(pr.headRefName);
+  for (const pr of fixEnv.prs) {
+    const parsedBranch = genericSocketBranchParser(pr.headRefName);
     if (branchPurlType === parsedBranch?.type && branchFullName === parsedBranch?.fullName) {
-      activeBranches.push(parsedBranch);
+      prs.push(pr);
     }
   }
-  if (debug.isDebug()) {
+  if (debug.isDebug('notice,inspect')) {
     const fullName = packages.resolvePackageName(partialPurlObj);
-    if (activeBranches.length) {
-      debug.debugFn(`found: ${activeBranches.length} active branches for ${fullName}\n`, activeBranches);
-    } else if (openPrs.length) {
-      debug.debugFn(`miss: 0 active branches found for ${fullName}`);
+    if (prs.length) {
+      debug.debugFn('notice', `found: ${prs.length} PRs for ${fullName}`);
+      debug.debugDir('inspect', {
+        prs
+      });
+    } else if (fixEnv.prs.length) {
+      debug.debugFn('notice', `miss: 0 PRs found for ${fullName}`);
     }
   }
-  return activeBranches;
-}
-
-async function getActualTree(cwd = process.cwd()) {
-  // @npmcli/arborist DOES have partial support for pnpm structured node_modules
-  // folders. However, support is iffy resulting in unhappy path errors and hangs.
-  // So, to avoid the unhappy path, we restrict our usage to --dry-run loading
-  // of the node_modules folder.
-  const arb = new shadowNpmInject.Arborist({
-    path: cwd,
-    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
-  });
-  return await arb.loadActual();
+  return prs;
 }
 
 let _octokit;
@@ -3267,7 +3277,7 @@ function getOctokit() {
       SOCKET_CLI_GITHUB_TOKEN
     } = constants.ENV;
     if (!SOCKET_CLI_GITHUB_TOKEN) {
-      debug.debugFn('miss: SOCKET_CLI_GITHUB_TOKEN env var');
+      debug.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
     }
     _octokit = new vendor.Octokit({
       auth: SOCKET_CLI_GITHUB_TOKEN
@@ -3283,7 +3293,7 @@ function getOctokitGraphql() {
       SOCKET_CLI_GITHUB_TOKEN
     } = constants.ENV;
     if (!SOCKET_CLI_GITHUB_TOKEN) {
-      debug.debugFn('miss: SOCKET_CLI_GITHUB_TOKEN env var');
+      debug.debugFn('notice', 'miss: SOCKET_CLI_GITHUB_TOKEN env var');
     }
     _octokitGraphql = vendor.graphql2.defaults({
       headers: {
@@ -3333,8 +3343,8 @@ async function writeCache(key, data) {
   }
   await fs$2.writeJson(cacheJsonPath, data);
 }
-async function cleanupOpenPrs(owner, repo, options) {
-  const contextualMatches = await getOpenSocketPrsWithContext(owner, repo, options);
+async function cleanupPrs(owner, repo, options) {
+  const contextualMatches = await getSocketPrsWithContext(owner, repo, options);
   if (!contextualMatches.length) {
     return [];
   }
@@ -3367,14 +3377,14 @@ async function cleanupOpenPrs(owner, repo, options) {
           pull_number: prNum,
           state: 'closed'
         });
-        debug.debugFn(`close: ${prRef} for ${prToVersion}`);
+        debug.debugFn('notice', `close: ${prRef} for ${prToVersion}`);
         // Remove entry from parent object.
         context.parent.splice(context.index, 1);
         // Mark cache to be saved.
         cachesToSave.set(context.cacheKey, context.data);
         return null;
       } catch (e) {
-        debug.debugFn(`fail: close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
+        debug.debugFn('error', `fail: close ${prRef} for ${prToVersion}\n`, e?.message || 'unknown error');
       }
     }
     // Update stale PRs.
@@ -3387,7 +3397,7 @@ async function cleanupOpenPrs(owner, repo, options) {
           base: match.headRefName,
           head: match.baseRefName
         });
-        debug.debugFn('update: stale', prRef);
+        debug.debugFn('notice', 'update: stale', prRef);
         // Update entry entry.
         if (context.apiType === 'graphql') {
           context.entry.mergeStateStatus = 'CLEAN';
@@ -3398,7 +3408,7 @@ async function cleanupOpenPrs(owner, repo, options) {
         cachesToSave.set(context.cacheKey, context.data);
       } catch (e) {
         const message = e?.message || 'Unknown error';
-        debug.debugFn(`fail: update ${prRef} - ${message}`);
+        debug.debugFn('error', `fail: update ${prRef} - ${message}`);
       }
     }
     return match;
@@ -3453,30 +3463,30 @@ async function enablePrAutoMerge({
     enabled: false
   };
 }
-async function getOpenSocketPrs(owner, repo, options) {
-  return (await getOpenSocketPrsWithContext(owner, repo, options)).map(d => d.match);
+async function getSocketPrs(owner, repo, options) {
+  return (await getSocketPrsWithContext(owner, repo, options)).map(d => d.match);
 }
-async function getOpenSocketPrsWithContext(owner, repo, options_) {
-  const options = {
+async function getSocketPrsWithContext(owner, repo, options) {
+  const {
+    author,
+    states: statesValue = 'all'
+  } = {
     __proto__: null,
-    ...options_
+    ...options
   };
-  const {
-    author
-  } = options;
   const checkAuthor = strings.isNonEmptyString(author);
   const octokit = getOctokit();
   const octokitGraphql = getOctokitGraphql();
-  const branchPattern = getSocketBranchPattern(options);
   const contextualMatches = [];
+  const states = (typeof statesValue === 'string' ? statesValue.toLowerCase() === 'all' ? ['OPEN', 'CLOSED', 'MERGED'] : [statesValue] : statesValue).map(s => s.toUpperCase());
   try {
     // Optimistically fetch only the first 50 open PRs using GraphQL to minimize
     // API quota usage. Fallback to REST if no matching PRs are found.
     const gqlCacheKey = `${repo}-pr-graphql-snapshot`;
     const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
-          query($owner: String!, $repo: String!) {
+          query($owner: String!, $repo: String!, $states: [PullRequestState!]) {
             repository(owner: $owner, name: $repo) {
-              pullRequests(first: 50, states: OPEN, orderBy: {field: CREATED_AT, direction: DESC}) {
+              pullRequests(first: 50, states: $states, orderBy: {field: CREATED_AT, direction: DESC}) {
                 nodes {
                   author {
                     login
@@ -3485,6 +3495,7 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
                   headRefName
                   mergeStateStatus
                   number
+                  state
                   title
                 }
               }
@@ -3492,7 +3503,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
           }
           `, {
       owner,
-      repo
+      repo,
+      states
     }));
     const nodes = gqlResp?.repository?.pullRequests?.nodes ?? [];
     for (let i = 0, {
@@ -3501,8 +3513,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
       const node = nodes[i];
       const login = node.author?.login;
       const matchesAuthor = checkAuthor ? login === author : true;
-      const matchesBranch = branchPattern.test(node.headRefName);
-      if (matchesAuthor && matchesBranch) {
+      const parsedBranch = genericSocketBranchParser(node.headRefName);
+      if (matchesAuthor && parsedBranch) {
         contextualMatches.push({
           context: {
             apiType: 'graphql',
@@ -3514,7 +3526,8 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
           },
           match: {
             ...node,
-            author: login ?? '<unknown>'
+            author: login ?? '<unknown>',
+            parsedBranch
           }
         });
       }
@@ -3525,44 +3538,52 @@ async function getOpenSocketPrsWithContext(owner, repo, options_) {
   }
 
   // Fallback to REST if GraphQL found no matching PRs.
-  let allOpenPrs;
-  const cacheKey = `${repo}-open-prs`;
+  let allPrs;
+  const cacheKey = `${repo}-pull-requests`;
   try {
-    allOpenPrs = await cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
+    allPrs = await cacheFetch(cacheKey, async () => await octokit.paginate(octokit.pulls.list, {
       owner,
       repo,
-      state: 'open',
+      state: 'all',
       per_page: 100
     }));
   } catch {}
-  if (!allOpenPrs) {
+  if (!allPrs) {
     return contextualMatches;
   }
   for (let i = 0, {
       length
-    } = allOpenPrs; i < length; i += 1) {
-    const pr = allOpenPrs[i];
+    } = allPrs; i < length; i += 1) {
+    const pr = allPrs[i];
     const login = pr.user?.login;
+    const headRefName = pr.head.ref;
     const matchesAuthor = checkAuthor ? login === author : true;
-    const matchesBranch = branchPattern.test(pr.head.ref);
-    if (matchesAuthor && matchesBranch) {
+    const parsedBranch = genericSocketBranchParser(headRefName);
+    if (matchesAuthor && parsedBranch) {
+      // Upper cased mergeable_state is equivalent to mergeStateStatus.
+      // https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#get-a-pull-request
+      const mergeStateStatus = pr.mergeable_state?.toUpperCase?.() ?? 'UNKNOWN';
+      // The REST API does not have a distinct merged state for pull requests.
+      // Instead, a merged pull request is represented as a closed pull request
+      // with a non-null merged_at timestamp.
+      const state = pr.merged_at ? 'MERGED' : pr.state.toUpperCase();
       contextualMatches.push({
         context: {
           apiType: 'rest',
           cacheKey,
-          data: allOpenPrs,
+          data: allPrs,
           entry: pr,
           index: i,
-          parent: allOpenPrs
+          parent: allPrs
         },
         match: {
           author: login ?? '<unknown>',
           baseRefName: pr.base.ref,
-          headRefName: pr.head.ref,
-          // Upper cased mergeable_state is equivalent to mergeStateStatus.
-          // https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#get-a-pull-request
-          mergeStateStatus: pr.mergeable_state?.toUpperCase?.() ?? 'UNKNOWN',
+          headRefName,
+          mergeStateStatus,
           number: pr.number,
+          parsedBranch,
+          state,
           title: pr.title
         }
       });
@@ -3596,26 +3617,10 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
       const details = errors.map(d => `- ${d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`}`).join('\n');
       message += `:\n${details}`;
     }
-    debug.debugFn(message);
+    debug.debugFn('error', message);
   }
   return null;
 }
-async function prExistForBranch(owner, repo, branch) {
-  const octokit = getOctokit();
-  try {
-    const {
-      data: prs
-    } = await octokit.pulls.list({
-      owner,
-      repo,
-      head: `${owner}:${branch}`,
-      state: 'open',
-      per_page: 1
-    });
-    return prs.length > 0;
-  } catch {}
-  return false;
-}
 async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()) {
   const stdioIgnoreOptions = {
     cwd,
@@ -3625,8 +3630,72 @@ async function setGitRemoteGithubRepoUrl(owner, repo, token, cwd = process.cwd()
   try {
     await spawn.spawn('git', ['remote', 'set-url', 'origin', url], stdioIgnoreOptions);
   } catch (e) {
-    debug.debugFn('catch: unexpected\n', e);
+    debug.debugFn('error', 'caught: unexpected error');
+    debug.debugDir('inspect', {
+      error: e
+    });
+  }
+}
+
+function ciRepoInfo() {
+  // Lazily access constants.ENV.GITHUB_REPOSITORY.
+  const {
+    GITHUB_REPOSITORY
+  } = constants.ENV;
+  if (!GITHUB_REPOSITORY) {
+    debug.debugFn('notice', 'miss: GITHUB_REPOSITORY env var');
   }
+  const ownerSlashRepo = GITHUB_REPOSITORY;
+  const slashIndex = ownerSlashRepo.indexOf('/');
+  if (slashIndex === -1) {
+    return null;
+  }
+  return {
+    owner: ownerSlashRepo.slice(0, slashIndex),
+    repo: ownerSlashRepo.slice(slashIndex + 1)
+  };
+}
+async function getFixEnv() {
+  const baseBranch = await getBaseGitBranch();
+  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
+  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
+  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
+  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
+  let repoInfo = null;
+  if (isCi) {
+    repoInfo = ciRepoInfo();
+  }
+  if (!repoInfo) {
+    if (isCi) {
+      debug.debugFn('notice', 'falling back to `git remote get-url origin`');
+    }
+    repoInfo = await gitRepoInfo();
+  }
+  const prs = isCi && repoInfo ? await getSocketPrs(repoInfo.owner, repoInfo.repo, {
+    author: gitUser,
+    states: 'all'
+  }) : [];
+  return {
+    baseBranch,
+    gitEmail,
+    githubToken,
+    gitUser,
+    isCi,
+    prs,
+    repoInfo
+  };
+}
+
+async function getActualTree(cwd = process.cwd()) {
+  // @npmcli/arborist DOES have partial support for pnpm structured node_modules
+  // folders. However, support is iffy resulting in unhappy path errors and hangs.
+  // So, to avoid the unhappy path, we restrict our usage to --dry-run loading
+  // of the node_modules folder.
+  const arb = new shadowNpmInject.Arborist({
+    path: cwd,
+    ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+  });
+  return await arb.loadActual();
 }
 
 const {
@@ -3717,10 +3786,11 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
   // eslint-disable-next-line sort-destructure-keys/sort-destructure-keys
   afterInstall = noopHandler,
   revertInstall = noopHandler
-}, ciEnv, openPrs, fixConfig) {
+}, fixConfig) {
   const {
     pkgPath: rootPath
   } = pkgEnvDetails;
+  const fixEnv = await getFixEnv();
   const {
     autoMerge,
     cwd,
@@ -3733,17 +3803,19 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
   } = fixConfig;
   let count = 0;
   const infoByPartialPurl = utils.getCveInfoFromAlertsMap(alertsMap, {
-    limit: Math.max(limit, openPrs.length)
+    exclude: {
+      upgradable: true
+    }
   });
   if (!infoByPartialPurl) {
     spinner?.stop();
     logger.logger.info('No fixable vulns found.');
     if (alertsMap.size) {
-      debug.debugFn('inspect:', {
+      debug.debugDir('inspect', {
         alertsMap
       });
     } else {
-      debug.debugFn('inspect: { alertsMap: Map(0) {} }');
+      debug.debugFn('inspect', '{ alertsMap: Map(0) {} }');
     }
     return {
       ok: true,
@@ -3752,8 +3824,17 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       }
     };
   }
-  if (debug.isDebug()) {
-    debug.debugFn('found: cves for', Array.from(infoByPartialPurl.keys()));
+  if (debug.isDebug('notice,inspect')) {
+    spinner?.stop();
+    const partialPurls = Array.from(infoByPartialPurl.keys());
+    const {
+      length: purlsCount
+    } = partialPurls;
+    debug.debugFn('notice', `found: ${purlsCount} ${words.pluralize('PURL', purlsCount)} with CVEs`);
+    debug.debugDir('inspect', {
+      partialPurls
+    });
+    spinner?.start();
   }
 
   // Lazily access constants.packumentCache.
@@ -3788,13 +3869,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
     const name = packages.resolvePackageName(partialPurlObj);
     const infos = Array.from(infoEntry[1].values());
     if (!infos.length) {
+      debug.debugFn('notice', `miss: CVEs expected, but not found, for ${name}`);
       continue infoEntriesLoop;
     }
-    logger.logger.log(`Processing vulns for ${name}:`);
+    logger.logger.log(`Processing vulns for ${name}`);
     logger.logger.indent();
     spinner?.indent();
     if (registry.getManifestData(partialPurlObj.type, name)) {
-      debug.debugFn(`found: Socket Optimize variant for ${name}`);
+      debug.debugFn('notice', `found: Socket Optimize variant for ${name}`);
     }
     // eslint-disable-next-line no-await-in-loop
     const packument = await packages.fetchPackagePackument(name);
@@ -3803,8 +3885,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       cleanupInfoEntriesLoop();
       continue infoEntriesLoop;
     }
-    const activeBranches = getActiveBranchesForPackage(ciEnv, infoEntry[0], openPrs);
     const availableVersions = Object.keys(packument.versions);
+    const prs = getPrsForPurl(fixEnv, infoEntry[0]);
     const warningsForAfter = new Set();
 
     // eslint-disable-next-line no-unused-labels
@@ -3816,15 +3898,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       const pkgPath = path.dirname(pkgJsonPath);
       const isWorkspaceRoot = pkgJsonPath === pkgEnvDetails.editablePkgJson.filename;
       const workspace = isWorkspaceRoot ? 'root' : path.relative(rootPath, pkgPath);
-      const branchWorkspace = ciEnv ? getSocketBranchWorkspaceComponent(workspace) : '';
-
+      const branchWorkspace = fixEnv.isCi ? getSocketBranchWorkspaceComponent(workspace) : '';
       // actualTree may not be defined on the first iteration of pkgJsonPathsLoop.
       if (!actualTree) {
-        if (!ciEnv) {
+        if (!fixEnv.isCi) {
           // eslint-disable-next-line no-await-in-loop
           await utils.removeNodeModules(cwd);
         }
-        const maybeActualTree = ciEnv && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
+        const maybeActualTree = fixEnv.isCi && fs$1.existsSync(path.join(rootPath, 'node_modules')) ?
         // eslint-disable-next-line no-await-in-loop
         await getActualTree(cwd) :
         // eslint-disable-next-line no-await-in-loop
@@ -3845,7 +3926,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       }
       const oldVersions = arrays.arrayUnique(shadowNpmInject.findPackageNodes(actualTree, name).map(n => n.version).filter(Boolean));
       if (!oldVersions.length) {
-        debug.debugFn(`skip: ${name} not found\n`);
+        debug.debugFn('notice', `skip: ${name} not found\n`);
         // Skip to next package.
         cleanupInfoEntriesLoop();
         continue infoEntriesLoop;
@@ -3860,8 +3941,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
       const seenVersions = new Set();
       let hasAnnouncedWorkspace = false;
       let workspaceLogCallCount = logger.logger.logCallCount;
-      if (debug.isDebug()) {
-        debug.debugFn(`check: workspace ${workspace}`);
+      if (debug.isDebug('notice')) {
+        debug.debugFn('notice', `check: workspace ${workspace}`);
         hasAnnouncedWorkspace = true;
         workspaceLogCallCount = logger.logger.logCallCount;
       }
@@ -3870,7 +3951,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
         const oldPurl = utils.idToPurl(oldId, partialPurlObj.type);
         const node = shadowNpmInject.findPackageNode(actualTree, name, oldVersion);
         if (!node) {
-          debug.debugFn(`skip: ${oldId} not found`);
+          debug.debugFn('notice', `skip: ${oldId} not found`);
           continue oldVersionsLoop;
         }
         infosLoop: for (const {
@@ -3890,11 +3971,25 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             continue infosLoop;
           }
           if (vendor.semverExports.gte(oldVersion, newVersion)) {
-            debug.debugFn(`skip: ${oldId} is >= ${newVersion}`);
+            debug.debugFn('silly', `skip: ${oldId} is >= ${newVersion}`);
             continue infosLoop;
           }
-          if (activeBranches.find(b => b.workspace === branchWorkspace && b.newVersion === newVersion)) {
-            debug.debugFn(`skip: open PR found for ${name}@${newVersion}`);
+          const branch = getSocketBranchName(oldPurl, newVersion, workspace);
+          const pr = prs.find(({
+            parsedBranch: b
+          }) => b.workspace === branchWorkspace && b.newVersion === newVersion);
+          if (pr) {
+            debug.debugFn('notice', `skip: PR #${pr.number} for ${name} exists`);
+            if (++count >= limit) {
+              cleanupInfoEntriesLoop();
+              break infoEntriesLoop;
+            }
+            continue infosLoop;
+          }
+          if (fixEnv.isCi && (
+          // eslint-disable-next-line no-await-in-loop
+          await gitRemoteBranchExists(branch, cwd))) {
+            debug.debugFn('notice', `skip: remote branch "${branch}" exists`);
             if (++count >= limit) {
               cleanupInfoEntriesLoop();
               break infoEntriesLoop;
@@ -3913,17 +4008,26 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
           }
 
           // eslint-disable-next-line no-await-in-loop
-          await beforeInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
+          await beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
           shadowNpmInject.updatePackageJsonFromNode(editablePkgJson, actualTree, node, newVersion, rangeStyle);
+
           // eslint-disable-next-line no-await-in-loop
-          if (!(await editablePkgJson.save({
+          await editablePkgJson.save({
             ignoreWhitespace: true
-          }))) {
-            debug.debugFn(`skip: ${workspace}/package.json unchanged`);
+          });
+
+          // eslint-disable-next-line no-await-in-loop
+          const unstagedCResult = await gitUnstagedModifiedFiles(cwd);
+          const moddedFilepaths = unstagedCResult.ok ? unstagedCResult.data.filter(filepath => {
+            const basename = path.basename(filepath);
+            return basename === 'package.json' || basename === pkgEnvDetails.lockName;
+          }) : [];
+          if (!moddedFilepaths.length) {
+            logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
             // Reset things just in case.
-            if (ciEnv) {
+            if (fixEnv.isCi) {
               // eslint-disable-next-line no-await-in-loop
-              await gitResetAndClean(ciEnv.baseBranch, cwd);
+              await gitResetAndClean(fixEnv.baseBranch, cwd);
             }
             continue infosLoop;
           }
@@ -3948,7 +4052,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             if (maybeActualTree && maybeLockSrc) {
               actualTree = maybeActualTree;
               // eslint-disable-next-line no-await-in-loop
-              await afterInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
+              await afterInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
               if (test) {
                 spinner?.info(`Testing ${newId} in ${workspace}.`);
                 // eslint-disable-next-line no-await-in-loop
@@ -3969,47 +4073,18 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
           spinner?.stop();
 
           // Check repoInfo to make TypeScript happy.
-          if (!errored && ciEnv?.repoInfo) {
+          if (!errored && fixEnv.isCi && fixEnv.repoInfo) {
             try {
-              // eslint-disable-next-line no-await-in-loop
-              const unstagedCResult = await gitUnstagedModifiedFiles(cwd);
-              if (!unstagedCResult.ok) {
-                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
-                continue;
-              }
-              const moddedFilepaths = unstagedCResult.data.filter(filepath => {
-                const basename = path.basename(filepath);
-                return basename === 'package.json' || basename === pkgEnvDetails.lockName;
-              });
-              if (!moddedFilepaths.length) {
-                logger.logger.warn('Unexpected condition: Nothing to commit, skipping PR creation.');
-                continue infosLoop;
-              }
-              const branch = getSocketBranchName(oldPurl, newVersion, workspace);
-              let skipPr = false;
               if (
               // eslint-disable-next-line no-await-in-loop
-              await prExistForBranch(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch)) {
-                skipPr = true;
-                debug.debugFn(`skip: branch "${branch}" exists`);
-              }
-              // eslint-disable-next-line no-await-in-loop
-              else if (await gitRemoteBranchExists(branch, cwd)) {
-                skipPr = true;
-                debug.debugFn(`skip: remote branch "${branch}" exists`);
-              } else if (
-              // eslint-disable-next-line no-await-in-loop
               !(await gitCreateAndPushBranch(branch, getSocketCommitMessage(oldPurl, newVersion, workspace), moddedFilepaths, {
                 cwd,
-                email: ciEnv.gitEmail,
-                user: ciEnv.gitUser
+                email: fixEnv.gitEmail,
+                user: fixEnv.gitUser
               }))) {
-                skipPr = true;
                 logger.logger.warn('Unexpected condition: Push failed, skipping PR creation.');
-              }
-              if (skipPr) {
                 // eslint-disable-next-line no-await-in-loop
-                await gitResetAndClean(ciEnv.baseBranch, cwd);
+                await gitResetAndClean(fixEnv.baseBranch, cwd);
                 // eslint-disable-next-line no-await-in-loop
                 const maybeActualTree = await installer(pkgEnvDetails, {
                   cwd,
@@ -4027,14 +4102,14 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               }
 
               // eslint-disable-next-line no-await-in-loop
-              await Promise.allSettled([setGitRemoteGithubRepoUrl(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, ciEnv.githubToken, cwd), cleanupOpenPrs(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, {
+              await Promise.allSettled([setGitRemoteGithubRepoUrl(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, fixEnv.githubToken, cwd), cleanupPrs(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, {
                 newVersion,
                 purl: oldPurl,
                 workspace
               })]);
               // eslint-disable-next-line no-await-in-loop
-              const prResponse = await openPr(ciEnv.repoInfo.owner, ciEnv.repoInfo.repo, branch, oldPurl, newVersion, {
-                baseBranch: ciEnv.baseBranch,
+              const prResponse = await openPr(fixEnv.repoInfo.owner, fixEnv.repoInfo.repo, branch, oldPurl, newVersion, {
+                baseBranch: fixEnv.baseBranch,
                 cwd,
                 workspace
               });
@@ -4067,10 +4142,10 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               errored = true;
             }
           }
-          if (ciEnv) {
+          if (fixEnv.isCi) {
             spinner?.start();
             // eslint-disable-next-line no-await-in-loop
-            await gitResetAndClean(ciEnv.baseBranch, cwd);
+            await gitResetAndClean(fixEnv.baseBranch, cwd);
             // eslint-disable-next-line no-await-in-loop
             const maybeActualTree = await installer(pkgEnvDetails, {
               cwd,
@@ -4084,10 +4159,10 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
             }
           }
           if (errored) {
-            if (!ciEnv) {
+            if (!fixEnv.isCi) {
               spinner?.start();
               // eslint-disable-next-line no-await-in-loop
-              await revertInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
+              await revertInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, fixConfig);
               // eslint-disable-next-line no-await-in-loop
               await Promise.all([utils.removeNodeModules(cwd), editablePkgJson.save({
                 ignoreWhitespace: true
@@ -4111,8 +4186,7 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
               cause: `Update failed for ${oldId} in ${workspace}${error ? '; ' + error : ''}`
             };
           }
-          debug.debugFn('name:', name);
-          debug.debugFn('increment: count', count + 1);
+          debug.debugFn('notice', 'increment: count', count + 1);
           if (++count >= limit) {
             cleanupInfoEntriesLoop();
             break infoEntriesLoop;
@@ -4142,57 +4216,8 @@ async function agentFix(pkgEnvDetails, actualTree, alertsMap, installer, {
   };
 }
 
-async function getEnvRepoInfo(cwd) {
-  // Lazily access constants.ENV.GITHUB_REPOSITORY.
-  const {
-    GITHUB_REPOSITORY
-  } = constants.ENV;
-  if (!GITHUB_REPOSITORY) {
-    debug.debugFn('miss: GITHUB_REPOSITORY env var');
-  }
-  const ownerSlashRepo = GITHUB_REPOSITORY;
-  const slashIndex = ownerSlashRepo.indexOf('/');
-  if (slashIndex !== -1) {
-    return {
-      owner: ownerSlashRepo.slice(0, slashIndex),
-      repo: ownerSlashRepo.slice(slashIndex + 1)
-    };
-  }
-  return await gitRepoInfo(cwd);
-}
-async function getCiEnv() {
-  const gitEmail = constants.ENV.SOCKET_CLI_GIT_USER_EMAIL;
-  const gitUser = constants.ENV.SOCKET_CLI_GIT_USER_NAME;
-  const githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN;
-  const isCi = !!(constants.ENV.CI && gitEmail && gitUser && githubToken);
-  if (!isCi) {
-    return null;
-  }
-  const baseBranch = await getBaseGitBranch();
-  if (!baseBranch) {
-    return null;
-  }
-  const repoInfo = await getEnvRepoInfo();
-  if (!repoInfo) {
-    return null;
-  }
-  return {
-    gitEmail,
-    gitUser,
-    githubToken,
-    repoInfo,
-    baseBranch,
-    branchParser: createSocketBranchParser()
-  };
-}
-async function getOpenPrsForEnvironment(env) {
-  return env ? await getOpenSocketPrs(env.repoInfo.owner, env.repoInfo.repo, {
-    author: env.gitUser
-  }) : [];
-}
-
 const CMD_NAME$1 = 'socket fix';
-function getAlertsMapOptions(options = {}) {
+function getFixAlertsMapOptions(options = {}) {
   return {
     __proto__: null,
     consolidate: true,
@@ -4221,7 +4246,7 @@ async function install$1(pkgEnvDetails, options) {
     await utils.runAgentInstall(pkgEnvDetails, {
       args,
       spinner,
-      stdio: debug.isDebug() ? 'inherit' : 'ignore'
+      stdio: debug.isDebug('stdio') ? 'inherit' : 'ignore'
     });
     return await getActualTree(cwd);
   } catch {}
@@ -4229,59 +4254,35 @@ async function install$1(pkgEnvDetails, options) {
 }
 async function npmFix(pkgEnvDetails, fixConfig) {
   const {
-    limit,
     purls,
     spinner
   } = fixConfig;
   spinner?.start();
-  const ciEnv = await getCiEnv();
-  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
+  let arb;
   let actualTree;
   let alertsMap;
   try {
     if (purls.length) {
-      alertsMap = await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
-        limit: Math.max(limit, openPrs.length)
-      }));
+      alertsMap = await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions());
     } else {
-      const npmPath = path.resolve(fs$1.realpathSync(pkgEnvDetails.agentExecPath), '../..');
-      const config = new vendor.libExports$2({
-        argv: [],
-        cwd: process.cwd(),
-        definitions: vendor.definitionsExports.definitions,
-        // Lazily access constants.execPath.
-        execPath: constants.execPath,
-        env: {
-          ...process.env
-        },
-        flatten: vendor.definitionsExports.flatten,
-        npmPath,
-        platform: process.platform,
-        shorthands: vendor.definitionsExports.shorthands
+      const flatConfig = await utils.getNpmConfig({
+        npmVersion: pkgEnvDetails.agentVersion
       });
-      await config.load();
-      const flatConfig = {
-        __proto__: null,
-        ...config.flat
-      };
-      flatConfig.nodeVersion = constants.NODE_VERSION;
-      flatConfig.npmVersion = pkgEnvDetails.agentVersion.toString();
-      flatConfig.npmCommand = 'install';
-      const arb = new shadowNpmInject.Arborist({
+      arb = new shadowNpmInject.Arborist({
         path: pkgEnvDetails.pkgPath,
-        ...flatConfig,
-        ...shadowNpmInject.SAFE_ARBORIST_REIFY_OPTIONS_OVERRIDES
+        ...flatConfig
       });
       actualTree = await arb.reify();
       // Calling arb.reify() creates the arb.diff object, nulls-out arb.idealTree,
       // and populates arb.actualTree.
-      alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, getAlertsMapOptions({
-        limit: Math.max(limit, openPrs.length)
-      }));
+      alertsMap = await shadowNpmInject.getAlertsMapFromArborist(arb, getFixAlertsMapOptions());
     }
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('catch: PURL API\n', e);
+    debug.debugFn('error', 'caught: PURL API');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'API Error',
@@ -4290,7 +4291,7 @@ async function npmFix(pkgEnvDetails, fixConfig) {
   }
   let revertData;
   return await agentFix(pkgEnvDetails, actualTree, alertsMap, install$1, {
-    async beforeInstall(editablePkgJson) {
+    async beforeInstall(editablePkgJson, packument, oldVersion, newVersion) {
       revertData = {
         ...(editablePkgJson.content.dependencies && {
           dependencies: {
@@ -4308,13 +4309,19 @@ async function npmFix(pkgEnvDetails, fixConfig) {
           }
         })
       };
+      const idealTree = await arb.buildIdealTree();
+      const node = shadowNpmInject.findPackageNode(idealTree, packument.name, oldVersion);
+      if (node) {
+        shadowNpmInject.updateNode(node, newVersion, packument.versions[newVersion]);
+        await arb.reify();
+      }
     },
     async revertInstall(editablePkgJson) {
       if (revertData) {
         editablePkgJson.update(revertData);
       }
     }
-  }, ciEnv, openPrs, fixConfig);
+  }, fixConfig);
 }
 
 async function outputFixResult(result, outputKind) {
@@ -4356,7 +4363,7 @@ async function install(pkgEnvDetails, options) {
       // https://github.com/pnpm/pnpm/issues/6778
       '--config.confirmModulesPurge=false'],
       spinner,
-      stdio: debug.isDebug() ? 'inherit' : 'ignore'
+      stdio: debug.isDebug('stdio') ? 'inherit' : 'ignore'
     });
     return await getActualTree(cwd);
   } catch {}
@@ -4365,7 +4372,6 @@ async function install(pkgEnvDetails, options) {
 async function pnpmFix(pkgEnvDetails, fixConfig) {
   const {
     cwd,
-    limit,
     purls,
     spinner
   } = fixConfig;
@@ -4403,18 +4409,15 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
       cause: 'Required pnpm-lock.yaml not found or usable'
     };
   }
-  const ciEnv = await getCiEnv();
-  const openPrs = ciEnv ? await getOpenPrsForEnvironment(ciEnv) : [];
   let alertsMap;
   try {
-    alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getAlertsMapOptions({
-      limit: Math.max(limit, openPrs.length)
-    })) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getAlertsMapOptions({
-      limit: Math.max(limit, openPrs.length)
-    }));
+    alertsMap = purls.length ? await utils.getAlertsMapFromPurls(purls, getFixAlertsMapOptions()) : await utils.getAlertsMapFromPnpmLockfile(lockfile, getFixAlertsMapOptions());
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('catch: PURL API\n', e);
+    debug.debugFn('error', 'caught: PURL API');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'API Error',
@@ -4425,14 +4428,14 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
   let revertOverrides;
   let revertOverridesSrc;
   return await agentFix(pkgEnvDetails, actualTree, alertsMap, install, {
-    async beforeInstall(editablePkgJson, name, oldVersion, newVersion, vulnerableVersionRange, options) {
+    async beforeInstall(editablePkgJson, packument, oldVersion, newVersion, vulnerableVersionRange, options) {
       const isWorkspaceRoot = editablePkgJson.path === pkgEnvDetails.editablePkgJson.filename;
       // Get current overrides for revert logic.
       const {
         overrides: oldOverrides
       } = getOverridesDataPnpm(pkgEnvDetails, editablePkgJson.content);
       const oldPnpmSection = editablePkgJson.content[PNPM$7];
-      const overrideKey = `${name}@${vulnerableVersionRange}`;
+      const overrideKey = `${packument.name}@${vulnerableVersionRange}`;
       revertOverrides = undefined;
       revertOverridesSrc = utils.extractOverridesFromPnpmLockSrc(lockSrc);
       if (isWorkspaceRoot) {
@@ -4496,7 +4499,7 @@ async function pnpmFix(pkgEnvDetails, fixConfig) {
         editablePkgJson.update(revertData);
       }
     }
-  }, ciEnv, openPrs, fixConfig);
+  }, fixConfig);
 }
 
 const {
@@ -4532,7 +4535,8 @@ async function handleFix({
         ghsas = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found: )[^\n]+/.exec(autoCResult.data)?.[0]);
         ghsasCount = ghsas.length;
       } else {
-        debug.debugFn('coana fail:', {
+        debug.debugFn('error', 'fail: Coana CLI');
+        debug.debugDir('inspect', {
           message: autoCResult.message,
           cause: autoCResult.cause
         });
@@ -4549,7 +4553,8 @@ async function handleFix({
       });
       spinner?.stop();
       if (!applyFixesCResult.ok) {
-        debug.debugFn('coana fail:', {
+        debug.debugFn('error', 'fail: Coana CLI');
+        debug.debugDir('inspect', {
           message: applyFixesCResult.message,
           cause: applyFixesCResult.cause
         });
@@ -4819,9 +4824,9 @@ async function setupTabCompletion(targetName) {
 
   // Target dir is something like ~/.local/share/socket/settings/completion (linux)
   const targetDir = path.dirname(targetPath);
-  debug.debugFn('target: path + dir', targetPath, targetDir);
+  debug.debugFn('notice', 'target: path + dir', targetPath, targetDir);
   if (!fs$1.existsSync(targetDir)) {
-    debug.debugFn('create: target dir');
+    debug.debugFn('notice', 'create: target dir');
     fs$1.mkdirSync(targetDir, {
       recursive: true
     });
@@ -5419,6 +5424,8 @@ const arrayToLower = arg => arg.map(toLower);
 //   [choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic", "machine-learning",
 //                                                        "ml", "deep-learning", "ml-deep", "ml-tiny"] [default: "generic"]
 //       --exclude                Additional glob pattern(s) to ignore                                              [array]
+//       --export-proto           Serialize and export BOM as protobuf binary.  [boolean] [default: false]
+//       --proto-bin-file         Path for the serialized protobuf binary.  [default: "bom.cdx"]
 //       --include-formulation    Generate formulation section with git metadata and build tools. Defaults to false.
 //                                                                                               [boolean] [default: false]
 //       --include-crypto         Include crypto libraries as components.                        [boolean] [default: false]
@@ -5474,7 +5481,7 @@ const yargsConfig = {
     //'deps-slices-file': 'deps.slices.json', // hidden
     //evidence: false,
     //'exclude-type': [],
-    //'export-proto': true, // hidden
+    //'export-proto': false,
     //'fail-on-error': isSecureMode,
     //'feature-flags': [], // hidden
     //'include-crypto': false,
@@ -5485,7 +5492,7 @@ const yargsConfig = {
     //output: 'bom.json',
     //profile: 'generic',
     //'project-version': '',
-    //'proto-bin-file': 'bom.cdx', // hidden
+    //'proto-bin-file': 'bom.cdx',
     //recurse: true,
     //'skip-dt-tls-check': false,
     //'semantics-slices-file': 'semantics.slices.json',
@@ -5537,9 +5544,7 @@ const yargsConfig = {
   }],
   boolean: ['auto-compositions', 'babel', 'banner',
   // hidden
-  'deep', 'evidence', 'export-proto',
-  // hidden
-  'fail-on-error', 'generate-key-and-sign', 'help', 'include-crypto', 'include-formulation', 'install-deps', 'json-pretty', 'print', 'recurse', 'required-only', 'resolve-class', 'skip-dt-tls-check', 'server', 'validate', 'version',
+  'deep', 'evidence', 'export-proto', 'fail-on-error', 'generate-key-and-sign', 'help', 'include-crypto', 'include-formulation', 'install-deps', 'json-pretty', 'print', 'recurse', 'required-only', 'resolve-class', 'skip-dt-tls-check', 'server', 'validate', 'version',
   // The --yes flag and -y alias map to the corresponding flag and alias of npx.
   // https://docs.npmjs.com/cli/v7/commands/npx#compatibility-with-older-npx-versions
   'yes'],
@@ -5553,9 +5558,7 @@ const yargsConfig = {
   // number
   'openapi-spec-file',
   // hidden
-  'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'proto-bin-file',
-  // hidden
-  'reachables-slices-file',
+  'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'proto-bin-file', 'reachables-slices-file',
   // hidden
   'semantics-slices-file',
   // hidden
@@ -5697,7 +5700,9 @@ async function run$B(argv, importMeta, {
   }
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
   const detected = await detectManifestActions(sockJson, cwd);
-  debug.debugLog('[DEBUG]', detected);
+  debug.debugDir('inspect', {
+    detected
+  });
   if (cli.flags['dryRun']) {
     logger.logger.log(DRY_RUN_BAILING_NOW$A);
     return;
@@ -5962,7 +5967,7 @@ async function run$z(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  debug.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6119,7 +6124,7 @@ async function run$y(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
+  debug.debugFn('inspect', 'override: socket.json gradle', sockJson?.defaults?.manifest?.gradle);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6285,7 +6290,7 @@ async function run$x(argv, importMeta, {
   // If given path is absolute then cwd should not affect it.
   cwd = path.resolve(process.cwd(), cwd);
   const sockJson = await utils.readOrDefaultSocketJson(cwd);
-  debug.debugFn('override: socket.json sbt', sockJson?.defaults?.manifest?.sbt);
+  debug.debugFn('inspect', 'override: socket.json sbt', sockJson?.defaults?.manifest?.sbt);
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -6379,7 +6384,9 @@ async function outputManifestSetup(result) {
 
 async function setupManifestConfig(cwd, defaultOnReadError = false) {
   const detected = await detectManifestActions(null, cwd);
-  debug.debugLog('[DEBUG]', detected);
+  debug.debugDir('inspect', {
+    detected
+  });
 
   // - repeat
   //   - give the user an option to configure one of the supported targets
@@ -7602,7 +7609,10 @@ async function updateLockfile(pkgEnvDetails, options) {
     }
   } catch (e) {
     spinner?.stop();
-    debug.debugFn('fail: update\n', e);
+    debug.debugFn('error', 'fail: update');
+    debug.debugDir('inspect', {
+      error: e
+    });
     return {
       ok: false,
       message: 'Update failed',
@@ -8922,7 +8932,7 @@ function formatReportCard(artifact, color) {
   };
   const alertString = getAlertString(artifact.alerts, !color);
   if (!artifact.ecosystem) {
-    debug.debugFn('miss: artifact ecosystem', artifact);
+    debug.debugFn('notice', 'miss: artifact ecosystem', artifact);
   }
   const purl = `pkg:${artifact.ecosystem}/${artifact.name}${artifact.version ? '@' + artifact.version : ''}`;
   return ['Package: ' + (color ? vendor.yoctocolorsCjsExports.bold(purl) : purl), '', ...Object.entries(scoreResult).map(score => `- ${score[0]}:`.padEnd(20, ' ') + `  ${formatScore(score[1], !color, true)}`), alertString].join('\n');
@@ -9700,19 +9710,22 @@ async function fetchListAllRepos({
       };
     }
     // eslint-disable-next-line no-await-in-loop
-    const result = await utils.handleApiCall(sockSdk.getOrgRepoList(orgSlug, {
+    const orgRepoListCResult = await utils.handleApiCall(sockSdk.getOrgRepoList(orgSlug, {
       sort,
       direction,
       per_page: String(100),
       // max
       page: String(nextPage)
     }), 'list of repositories');
-    if (!result.ok) {
-      debug.debugFn('fail: fetch repo\n', result);
-      return result;
+    if (!orgRepoListCResult.ok) {
+      debug.debugFn('error', 'fail: fetch repo');
+      debug.debugDir('inspect', {
+        orgRepoListCResult
+      });
+      return orgRepoListCResult;
     }
-    result.data.results.forEach(row => rows.push(row));
-    nextPage = result.data.nextPage ?? -1;
+    orgRepoListCResult.data.results.forEach(row => rows.push(row));
+    nextPage = orgRepoListCResult.data.nextPage ?? -1;
   }
   return {
     ok: true,
@@ -11253,7 +11266,7 @@ async function scanOneRepo(repoSlug, {
     };
   }
   const tmpDir = fs$1.mkdtempSync(path.join(os.tmpdir(), repoSlug));
-  debug.debugFn('init: temp dir for scan root', tmpDir);
+  debug.debugFn('notice', 'init: temp dir for scan root', tmpDir);
   const downloadResult = await testAndDownloadManifestFiles({
     files,
     tmpDir,
@@ -11366,9 +11379,9 @@ async function testAndDownloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('testing: file', file);
+  debug.debugFn('notice', 'testing: file', file);
   if (!SUPPORTED_FILE_PATTERNS.some(regex => regex.test(file))) {
-    debug.debugFn('  - skip: not a known pattern');
+    debug.debugFn('notice', '  - skip: not a known pattern');
     // Not an error.
     return {
       ok: true,
@@ -11377,7 +11390,7 @@ async function testAndDownloadManifestFile({
       }
     };
   }
-  debug.debugFn('found: manifest file, going to attempt to download it;', file);
+  debug.debugFn('notice', 'found: manifest file, going to attempt to download it;', file);
   const result = await downloadManifestFile({
     file,
     tmpDir,
@@ -11399,18 +11412,18 @@ async function downloadManifestFile({
   repoApiUrl,
   tmpDir
 }) {
-  debug.debugFn('request: download url from GitHub');
+  debug.debugFn('notice', 'request: download url from GitHub');
   const fileUrl = `${repoApiUrl}/contents/${file}?ref=${defaultBranch}`;
-  debug.debugFn('url: file', fileUrl);
+  debug.debugFn('inspect', 'url: file', fileUrl);
   const downloadUrlResponse = await fetch(fileUrl, {
     method: 'GET',
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
-  debug.debugFn('complete: request');
+  debug.debugFn('notice', 'complete: request');
   const downloadUrlText = await downloadUrlResponse.text();
-  debug.debugFn('response: raw download url', downloadUrlText);
+  debug.debugFn('inspect', 'response: raw download url', downloadUrlText);
   let downloadUrl;
   try {
     downloadUrl = JSON.parse(downloadUrlText).download_url;
@@ -11423,7 +11436,7 @@ async function downloadManifestFile({
     };
   }
   const localPath = path.join(tmpDir, file);
-  debug.debugFn('download: manifest file started', downloadUrl, '->', localPath);
+  debug.debugFn('notice', 'download: manifest file started', downloadUrl, '->', localPath);
 
   // Now stream the file to that file...
   const result = await streamDownloadWithFetch(localPath, downloadUrl);
@@ -11432,7 +11445,7 @@ async function downloadManifestFile({
     logger.logger.fail(`Failed to download manifest file, skipping to next file. File: ${file}`);
     return result;
   }
-  debug.debugFn('download: manifest file completed');
+  debug.debugFn('notice', 'download: manifest file completed');
   return {
     ok: true,
     data: undefined
@@ -11484,8 +11497,9 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
     };
   } catch (error) {
     logger.logger.fail('An error was thrown while trying to download a manifest file... url:', downloadUrl);
-    debug.debugFn('Raw error:');
-    debug.debugFn(error);
+    debug.debugFn('inspect', {
+      error
+    });
 
     // If an error occurs and fileStream was created, attempt to clean up.
     if (fs$1.existsSync(localPath)) {
@@ -11507,7 +11521,7 @@ async function streamDownloadWithFetch(localPath, downloadUrl) {
       // If error was due to bad HTTP status
       detailedError += ` (HTTP Status: ${response.status} ${response.statusText})`;
     }
-    debug.debugFn(detailedError);
+    debug.debugFn('error', detailedError);
     return {
       ok: false,
       message: 'Download Failed',
@@ -11524,14 +11538,14 @@ async function getLastCommitDetails({
 }) {
   logger.logger.info(`Requesting last commit for default branch ${defaultBranch} for ${orgGithub}/${repoSlug}...`);
   const commitApiUrl = `${repoApiUrl}/commits?sha=${defaultBranch}&per_page=1`;
-  debug.debugFn('url: commit', commitApiUrl);
+  debug.debugFn('inspect', 'url: commit', commitApiUrl);
   const commitResponse = await fetch(commitApiUrl, {
     headers: {
       Authorization: `Bearer ${githubToken}`
     }
   });
   const commitText = await commitResponse.text();
-  debug.debugFn('response: commit', commitText);
+  debug.debugFn('inspect', 'response: commit', commitText);
   let lastCommit;
   try {
     lastCommit = JSON.parse(commitText)?.[0];
@@ -11618,7 +11632,7 @@ async function getRepoDetails({
   repoSlug
 }) {
   const repoApiUrl = `${githubApiUrl}/repos/${orgGithub}/${repoSlug}`;
-  debug.debugFn('url: repo', repoApiUrl);
+  debug.debugFn('inspect', 'url: repo', repoApiUrl);
   const repoDetailsResponse = await fetch(repoApiUrl, {
     method: 'GET',
     headers: {
@@ -11627,7 +11641,7 @@ async function getRepoDetails({
   });
   logger.logger.success(`Request completed.`);
   const repoDetailsText = await repoDetailsResponse.text();
-  debug.debugFn('response: repo', repoDetailsText);
+  debug.debugFn('inspect', 'response: repo', repoDetailsText);
   let repoDetails;
   try {
     repoDetails = JSON.parse(repoDetailsText);
@@ -11666,7 +11680,7 @@ async function getRepoBranchTree({
 }) {
   logger.logger.info(`Requesting default branch file tree; branch \`${defaultBranch}\`, repo \`${orgGithub}/${repoSlug}\`...`);
   const treeApiUrl = `${repoApiUrl}/git/trees/${defaultBranch}?recursive=1`;
-  debug.debugFn('url: tree', treeApiUrl);
+  debug.debugFn('inspect', 'url: tree', treeApiUrl);
   const treeResponse = await fetch(treeApiUrl, {
     method: 'GET',
     headers: {
@@ -11674,7 +11688,7 @@ async function getRepoBranchTree({
     }
   });
   const treeText = await treeResponse.text();
-  debug.debugFn('response: tree', treeText);
+  debug.debugFn('inspect', 'response: tree', treeText);
   let treeDetails;
   try {
     treeDetails = JSON.parse(treeText);
@@ -11703,7 +11717,7 @@ async function getRepoBranchTree({
     };
   }
   if (!treeDetails.tree || !Array.isArray(treeDetails.tree)) {
-    debug.debugFn('treeDetails.tree:', treeDetails.tree);
+    debug.debugFn('inspect', 'treeDetails.tree:', treeDetails.tree);
     return {
       ok: false,
       message: `Tree response for default branch ${defaultBranch} for ${orgGithub}/${repoSlug} was not a list`
@@ -12983,7 +12997,10 @@ async function fetchScan(orgSlug, scanId) {
       return JSON.parse(line);
     } catch {
       ok = false;
-      debug.debugFn('fail: parse NDJSON\n', line);
+      debug.debugFn('error', 'fail: parse NDJSON');
+      debug.debugDir('inspect', {
+        line
+      });
       return null;
     }
   });
@@ -13863,7 +13880,10 @@ Do you want to install "safe npm" (this will create an alias to the socket-npm c
       }
     }
   } catch (e) {
-    debug.debugFn('fail: setup tab completion\n', e);
+    debug.debugFn('error', 'fail: setup tab completion');
+    debug.debugDir('inspect', {
+      error: e
+    });
     // Ignore. Skip tab completion setup.
   }
   if (!updatedTabCompletion) {
@@ -14177,8 +14197,10 @@ void (async () => {
     });
   } catch (e) {
     process.exitCode = 1;
-    debug.debugFn('Uncaught error (BAD!):');
-    debug.debugFn(e);
+    debug.debugFn('error', 'Uncaught error (BAD!):');
+    debug.debugDir('inspect', {
+      error: e
+    });
 
     // Try to parse the flags, find out if --json or --markdown is set.
     let isJson = false;
@@ -14220,12 +14242,13 @@ void (async () => {
       logger.logger.error('\n'); // Any-spinner-newline
       logger.logger.fail(utils.failMsgWithBadge(errorTitle, errorMessage));
       if (errorBody) {
-        // Explicitly use debugLog here.
-        debug.debugLog(errorBody);
+        debug.debugDir('inspect', {
+          errorBody
+        });
       }
     }
     await utils.captureException(e);
   }
 })();
-//# debugId=22ea4fe2-a3e7-46a5-b720-03c98211a8ec
+//# debugId=4ba13438-a655-4a29-bba0-7fa82f66b9c1
 //# sourceMappingURL=cli.js.map