@socketsecurity/cli-with-sentry 1.1.96 → 1.1.98

package/dist/cli.js

@@ -15,17 +15,18 @@ var words = require('../external/@socketsecurity/registry/lib/words');
 var fs$1 = require('node:fs');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
+var bin = require('../external/@socketsecurity/registry/lib/bin');
+var childProcess = require('node:child_process');
+var os = require('node:os');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var fs$2 = require('../external/@socketsecurity/registry/lib/fs');
 var strings = require('../external/@socketsecurity/registry/lib/strings');
-var os = require('node:os');
 var path$1 = require('../external/@socketsecurity/registry/lib/path');
 var require$$11 = require('../external/@socketsecurity/registry/lib/objects');
 var registry = require('../external/@socketsecurity/registry');
 var packages = require('../external/@socketsecurity/registry/lib/packages');
 var require$$12 = require('../external/@socketsecurity/registry/lib/promises');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
-var childProcess = require('node:child_process');
 var require$$1 = require('node:util');
 var promises = require('node:stream/promises');
 
@@ -331,9 +332,9 @@ const hidden$x = false;
 const cmdAnalytics = {
   description: description$F,
   hidden: hidden$x,
-  run: run$S
+  run: run$T
 };
-async function run$S(argv, importMeta, {
+async function run$T(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -754,9 +755,9 @@ const hidden$w = false;
 const cmdAuditLog = {
   description: description$E,
   hidden: hidden$w,
-  run: run$R
+  run: run$S
 };
-async function run$R(argv, importMeta, {
+async function run$S(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -1850,6 +1851,7 @@ async function detectManifestActions(
 // regardless of local socket.json status. Sometimes we want that.
 sockJson, cwd = process.cwd()) {
   const output = {
+    bazel: false,
     cdxgen: false,
     // TODO
     count: 0,
@@ -1857,6 +1859,13 @@ sockJson, cwd = process.cwd()) {
     gradle: false,
     sbt: false
   };
+  if (sockJson?.defaults?.manifest?.bazel?.disabled) {
+    require$$9.debugLog('notice', `[DEBUG] - bazel auto-detection is disabled in ${constants.SOCKET_JSON}`);
+  } else if (fs$1.existsSync(path.join(cwd, 'MODULE.bazel')) || fs$1.existsSync(path.join(cwd, 'WORKSPACE')) || fs$1.existsSync(path.join(cwd, 'WORKSPACE.bazel'))) {
+    require$$9.debugLog('notice', '[DEBUG] - Detected a Bazel workspace');
+    output.bazel = true;
+    output.count += 1;
+  }
   if (sockJson?.defaults?.manifest?.sbt?.disabled) {
     require$$9.debugLog('notice', `[DEBUG] - sbt auto-detection is disabled in ${constants.SOCKET_JSON}`);
   } else if (fs$1.existsSync(path.join(cwd, 'build.sbt'))) {
@@ -1884,7 +1893,1168 @@ sockJson, cwd = process.cwd()) {
       output.count += 1;
     }
   }
-  return output;
+  return output;
+}
+
+/**
+ * Resolve the bazel binary to invoke for `socket manifest bazel`.
+ *
+ * Resolution order:
+ *   1. If `explicit` is provided, return it iff it exists on disk; else throw.
+ *   2. Look up `bazelisk` on PATH (preferred — respects `.bazelversion`).
+ *   3. Fall back to `bazel` on PATH.
+ *   4. If neither is found, throw InputError with install instructions.
+ */
+async function resolveBazelBinary(explicit) {
+  if (explicit) {
+    if (!fs$1.existsSync(explicit)) {
+      throw new utils.InputError(`--bazel path does not exist: ${explicit}. Install bazelisk or bazel, or pass an existing path via --bazel.`);
+    }
+    return explicit;
+  }
+  // Prefer bazelisk: respects .bazelversion in the workspace.
+  const bazelisk = await bin.whichBin('bazelisk', {
+    nothrow: true
+  });
+  if (bazelisk) {
+    return bazelisk;
+  }
+  const bazel = await bin.whichBin('bazel', {
+    nothrow: true
+  });
+  if (bazel) {
+    return bazel;
+  }
+  throw new utils.InputError('Could not find bazelisk or bazel on PATH. ' + 'Install bazelisk (recommended; https://github.com/bazelbuild/bazelisk) ' + 'or bazel, or pass --bazel <path>.');
+}
+
+/**
+ * Parse `bazel query --output=build` text and `unsorted_deps.json` files
+ * (rules_jvm_external) into a uniform `ExtractedArtifact` shape consumed by
+ * the converter.
+ *
+ * Security gate: every regex uses bounded character classes to prevent
+ * catastrophic backtracking on hostile bazel-query output. Rules without
+ * `maven_coordinates=` are skipped. Caller is responsible for size-capping
+ * the input string.
+ */
+
+// Per-rule block matcher: matches `<kind>(...)` where kind is jvm_import or
+// aar_import, bounded by `^)` (closing paren on its own line) — Bazel
+// `--output=build` output convention. Body length capped at 8 KiB; real
+// rules are ~500 bytes, so the cap is 16x normal. Prevents pathological
+// backtracking on hostile input.
+const RULE_RE = /^(jvm_import|aar_import)\(([\s\S]{0,8192}?)^\)/gm;
+
+// Cache for per-attribute regexes — avoids recompiling the same pattern on
+// every rule block. Keyed by attr name; all attr names are safe alphanumeric
+// identifiers so no escaping is needed beyond the bounded character class.
+const ATTR_RE_CACHE = new Map();
+
+// Cache for per-tag-key regexes used by extractTagValue.
+const TAG_RE_CACHE = new Map();
+function extractAttr(body, attr) {
+  // Match `<attr> = "VALUE"` — quoted-string attrs only.
+  // Quoted value capped at 4 KiB; canonical Maven URLs are ~150 bytes.
+  let re = ATTR_RE_CACHE.get(attr);
+  if (!re) {
+    re = new RegExp(`\\b${attr}\\s*=\\s*"([^"\\n]{0,4096})"`);
+    ATTR_RE_CACHE.set(attr, re);
+  }
+  const m = re.exec(body);
+  return m?.[1];
+}
+
+// Extracts a `key=value` pair from inside a Bazel `tags = [...]` attribute
+// (rules_jvm_external encodes maven_sha256, maven_coordinates etc. this way).
+// Pattern: `"maven_sha256=<hex>"` inside the tags list.
+// Returns undefined when the tag is absent or malformed.
+function extractTagValue(body, tagKey) {
+  // Match the full tags = [...] block (bounded at 8 KiB).
+  const tagsM = /\btags\s*=\s*\[([\s\S]{0,8192}?)\]/m.exec(body);
+  if (!tagsM) {
+    return undefined;
+  }
+  const tagsBlob = tagsM[1];
+  // Within the blob, look for "<tagKey>=<value>" inside a quoted string.
+  // Bounded at 512 bytes per tag entry (sha256 hex is 64 chars; URLs ~150).
+  let tagRe = TAG_RE_CACHE.get(tagKey);
+  if (!tagRe) {
+    tagRe = new RegExp(`"${tagKey}=([^"\\n]{0,512})"`);
+    TAG_RE_CACHE.set(tagKey, tagRe);
+  }
+  const m = tagRe.exec(tagsBlob);
+  return m?.[1];
+}
+function extractDeps(body) {
+  // Match `deps = ["a", "b", ...]`. Body length capped at 16 KiB; real
+  // dep lists are <2 KiB.
+  const m = /\bdeps\s*=\s*\[([\s\S]{0,16384}?)\]/m.exec(body);
+  if (!m) {
+    return [];
+  }
+  const out = [];
+  // Per-label cap at 512 bytes; real Bazel labels are <100 bytes.
+  for (const q of m[1].matchAll(/"([^"\n]{0,512})"/g)) {
+    out.push(q[1]);
+  }
+  return out;
+}
+
+/**
+ * Parse `bazel query --output=build` stdout into `ExtractedArtifact[]`.
+ * Skips rules without a `maven_coordinates` attribute (those aren't
+ * rules_jvm_external lockfile rules).
+ */
+function parseBazelBuildOutput(text) {
+  const results = [];
+  for (const m of text.matchAll(RULE_RE)) {
+    const ruleKind = m[1];
+    const body = m[2];
+    const ruleName = extractAttr(body, 'name');
+    // maven_coordinates can be:
+    //   (a) a top-level rule attribute: `maven_coordinates = "g:a:v"` (newer rje)
+    //   (b) inside tags = [...]: `"maven_coordinates=g:a:v"` (older rje, e.g. ray)
+    const coords = extractAttr(body, 'maven_coordinates') ?? extractTagValue(body, 'maven_coordinates');
+    if (!ruleName || !coords) {
+      continue;
+    }
+    // maven_sha256 is encoded inside tags = [...] as "maven_sha256=<hex>" by
+    // rules_jvm_external; try tags first, fall back to standalone attr for
+    // older rule shapes that may declare it as a top-level attribute.
+    const mavenSha256 = extractTagValue(body, 'maven_sha256') ?? extractAttr(body, 'maven_sha256');
+    results.push({
+      ruleKind,
+      ruleName,
+      mavenCoordinates: coords,
+      mavenUrl: extractAttr(body, 'maven_url'),
+      mavenSha256,
+      deps: extractDeps(body)
+    });
+  }
+  return results;
+}
+function ruleNameFromCoordinate(c) {
+  return c.replace(/[^A-Za-z0-9]/g, '_');
+}
+
+/**
+ * Parse supported `external/<repo>/unsorted_deps.json` shapes emitted by
+ * rules_jvm_external. Older files use an artifact array with full coordinates;
+ * newer v2 lock-file-shaped files use artifact/dependency maps keyed by
+ * `group:artifact`. Caller MUST size-cap the input because JSON.parse is
+ * unbounded by default.
+ */
+function parseUnsortedDepsJson(json) {
+  let parsed;
+  try {
+    parsed = JSON.parse(json);
+  } catch {
+    return [];
+  }
+  const maybe = parsed;
+  if (Array.isArray(maybe.artifacts)) {
+    const out = [];
+    for (const a of maybe.artifacts) {
+      if (typeof a?.coordinates !== 'string') {
+        continue;
+      }
+      const deps = [];
+      if (Array.isArray(a.deps)) {
+        for (const d of a.deps) {
+          if (typeof d === 'string') {
+            deps.push(d);
+          }
+        }
+      }
+      out.push({
+        ruleKind: 'jvm_import',
+        ruleName: ruleNameFromCoordinate(a.coordinates),
+        mavenCoordinates: a.coordinates,
+        mavenUrl: typeof a.url === 'string' ? a.url : undefined,
+        mavenSha256: typeof a.sha256 === 'string' ? a.sha256 : undefined,
+        deps
+      });
+    }
+    return out;
+  }
+  if (!maybe.artifacts || typeof maybe.artifacts !== 'object') {
+    return [];
+  }
+  const dependencies = maybe.dependencies ?? {};
+  const out = [];
+  for (const [groupArtifact, artifact] of Object.entries(maybe.artifacts)) {
+    if (!artifact || typeof artifact.version !== 'string') {
+      continue;
+    }
+    const shasums = artifact.shasums ?? {};
+    const jarSha = shasums['jar'];
+    if (typeof jarSha === 'string' || Object.keys(shasums).length === 0) {
+      out.push(v2Artifact(groupArtifact, artifact.version, jarSha, dependencies));
+    }
+    for (const [classifier, sha256] of Object.entries(shasums)) {
+      if (classifier === 'jar' || typeof sha256 !== 'string') {
+        continue;
+      }
+      const classifierKey = `${groupArtifact}:jar:${classifier}`;
+      out.push(v2Artifact(classifierKey, artifact.version, sha256, dependencies));
+    }
+  }
+  return out;
+}
+function v2Artifact(artifactKey, version, sha256, dependencies) {
+  return {
+    ruleKind: 'jvm_import',
+    ruleName: ruleNameFromCoordinate(artifactKey),
+    mavenCoordinates: `${artifactKey}:${version}`,
+    mavenSha256: sha256,
+    deps: Array.isArray(dependencies[artifactKey]) ? dependencies[artifactKey].filter(d => typeof d === 'string') : []
+  };
+}
+
+let probed = false;
+
+// Verifies `java` is functional in the current execution environment. Bazel
+// JVM manifest extraction (rules_jvm_external → Coursier) requires a real
+// JDK; the CLI does not attempt to discover Homebrew installs or mutate the
+// caller's PATH/JAVA_HOME. If `java -version` fails we throw with an
+// actionable message so the surfaced error names the prerequisite directly
+// instead of relying on Bazel's downstream diagnostic.
+function ensureJavaOnPath() {
+  if (probed) {
+    return;
+  }
+  try {
+    childProcess.execSync('java -version', {
+      stdio: 'ignore'
+    });
+    probed = true;
+  } catch {
+    throw new Error('Java is required for Bazel JVM manifest extraction ' + '(rules_jvm_external invokes Coursier, which needs a JDK). ' + 'Install a JDK (e.g. Temurin or OpenJDK) and ensure `java` is on PATH.');
+  }
+}
+
+// Validates that --bazel-output-base is a path we can use as Bazel's output_base.
+// Throws InputError if:
+//   - the input contains `..` segments (path traversal guard)
+//   - the existing path is not writable
+//   - the path cannot be created (parent not writable)
+function validateOutputBase(outputBase, cwd) {
+  // Path traversal guard: reject any literal `..` segment in user input.
+  // After path.resolve these are normalised away, so we check the raw input.
+  // Split on both separators. On Windows `path.sep === '\\'`, so
+  // input like `foo/../etc` would not contain a `..` segment under the
+  // platform-specific split, bypassing the guard — yet path.resolve below
+  // would still normalise the `..` and a traversal target could materialise.
+  const segments = outputBase.split(/[\\/]/);
+  if (segments.includes('..')) {
+    throw new utils.InputError(`--bazel-output-base must not contain '..' segments: ${outputBase}`);
+  }
+  const resolved = path.resolve(cwd, outputBase);
+  if (fs$1.existsSync(resolved)) {
+    try {
+      fs$1.accessSync(resolved, fs$1.constants.W_OK);
+    } catch {
+      throw new utils.InputError(`--bazel-output-base is not writable: ${resolved}`);
+    }
+    return;
+  }
+  // Path does not exist yet — try to create it so bazel can populate it.
+  try {
+    fs$1.mkdirSync(resolved, {
+      recursive: true
+    });
+  } catch (e) {
+    throw new utils.InputError(`--bazel-output-base could not be created at ${resolved}: ${utils.getErrorCause(e)}`);
+  }
+}
+
+// Stable shim dir name — same process will get the same dir; concurrent
+// socket-cli invocations on the same machine share it. The symlink target
+// is whatever python3 resolves to NOW; if PATH changes between invocations
+// we replace the symlink.
+const SHIM_SUBDIR = 'socket-cli-bazel-python-shim';
+
+// Cache the result for the lifetime of this process.
+let cached = null;
+
+// Safe wrapper around whichBin that returns null instead of throwing when
+// nothrow semantics are broken in older registry versions (realpath 'null' bug).
+async function safeWhichBin(name) {
+  try {
+    return (await bin.whichBin(name, {
+      nothrow: true
+    })) ?? null;
+  } catch {
+    return null;
+  }
+}
+async function provisionPythonShim() {
+  if (cached) {
+    return cached;
+  }
+  const pythonOnPath = await safeWhichBin('python');
+  if (pythonOnPath) {
+    cached = {
+      augmentedEnv: undefined,
+      shimDir: undefined
+    };
+    return cached;
+  }
+  const python3OnPath = await safeWhichBin('python3');
+  if (!python3OnPath) {
+    throw new utils.InputError('Neither `python` nor `python3` found on PATH. Older versions of ' + 'rules_jvm_external require a `python` interpreter for repository ' + 'rules. Install Python 3 and ensure it is on PATH, then retry.');
+  }
+  const shimDir = path.join(os.tmpdir(), SHIM_SUBDIR);
+  fs$1.mkdirSync(shimDir, {
+    recursive: true
+  });
+  const linkPath = path.join(shimDir, 'python');
+  // Replace the symlink defensively in case python3's resolved path moved.
+  if (fs$1.existsSync(linkPath)) {
+    try {
+      fs$1.unlinkSync(linkPath);
+    } catch {
+      // Tolerate races; the next symlinkSync may still succeed.
+    }
+  }
+  // The shim dir is process-shared (os.tmpdir()/socket-cli-bazel-python-shim),
+  // so a concurrent socket-cli invocation may re-create the link between our
+  // unlinkSync and symlinkSync. Tolerate EEXIST when the link is back: the
+  // other process won the race and left a usable shim in place.
+  try {
+    fs$1.symlinkSync(python3OnPath, linkPath);
+  } catch (e) {
+    if (e.code === 'EEXIST' && fs$1.existsSync(linkPath)) ; else {
+      throw e;
+    }
+  }
+  const augmentedEnv = {
+    ...process.env,
+    PATH: `${shimDir}${path.delimiter}${process.env['PATH'] ?? ''}`
+  };
+  cached = {
+    augmentedEnv,
+    shimDir
+  };
+  return cached;
+}
+
+// Default per-invocation timeout for bazel queries. Bazel cold-cache starts
+// can take several minutes; 10 minutes is generous while still bounding CI hangs.
+const BAZEL_QUERY_TIMEOUT_MS = 600_000;
+
+// Splits the user-supplied --bazel-flags string on whitespace.
+// Empty / undefined returns []. No shell parsing — quoted args with embedded
+// whitespace are not supported (documented limitation; same trust model as
+// gradleOpts).
+function splitBazelFlags(flags) {
+  if (!flags) {
+    return [];
+  }
+  return flags.split(/\s+/).filter(Boolean);
+}
+function buildBazelModShowVisibleReposArgv(opts) {
+  const startup = [];
+  if (opts.bazelRc) {
+    startup.push(`--bazelrc=${opts.bazelRc}`);
+  }
+  if (opts.bazelOutputBase) {
+    startup.push(`--output_base=${opts.bazelOutputBase}`);
+  }
+  const userFlags = splitBazelFlags(opts.bazelFlags);
+  return [...startup, 'mod', 'show_repo', '--all_visible_repos', '--output=streamed_jsonproto', ...userFlags];
+}
+function buildBazelArgv(queryStr, opts) {
+  // Startup flags MUST precede the `query` subcommand.
+  // Bazel argv shape: <startup> query <queryFlags> <invocationFlags> <queryStr> --output=build <userFlags>
+  const startup = [];
+  if (opts.bazelRc) {
+    startup.push(`--bazelrc=${opts.bazelRc}`);
+  }
+  if (opts.bazelOutputBase) {
+    startup.push(`--output_base=${opts.bazelOutputBase}`);
+  }
+  // Keep query output stable and avoid updating Bazel lockfiles while extracting.
+  const queryFlags = ['--lockfile_mode=off', '--noshow_progress'];
+  const userFlags = splitBazelFlags(opts.bazelFlags);
+  return [...startup, 'query', ...queryFlags, ...opts.invocationFlags, queryStr, '--output=build', ...userFlags];
+}
+function stringField(value) {
+  return typeof value === 'string' ? value : '';
+}
+function numericExitCode(value) {
+  return typeof value === 'number' && Number.isFinite(value) ? value : undefined;
+}
+function normalizeSpawnError(error) {
+  const e = error;
+  return {
+    code: numericExitCode(e?.code) ?? numericExitCode(e?.status) ?? -1,
+    stderr: stringField(e?.stderr),
+    stdout: stringField(e?.stdout)
+  };
+}
+
+/**
+ * Run `bazel query` with the standardized argv shape and capture
+ * stdout/stderr/code. Wraps the call in a spinner that resolves on success
+ * and fails on non-zero exit. Rejected spawn calls are normalized into a
+ * BazelQueryResult so retry/skip handling can inspect stderr.
+ */
+async function runBazelQuery(queryStr, opts) {
+  const argv = buildBazelArgv(queryStr, opts);
+  if (opts.verbose) {
+    logger.logger.log('[VERBOSE] Executing:', opts.bin, ', args:', argv);
+  }
+  const {
+    spinner
+  } = constants.default;
+  let result;
+  try {
+    spinner.start(`Running bazel query (${queryStr.slice(0, 80)})...`);
+    const output = await spawn.spawn(opts.bin, argv, {
+      cwd: opts.cwd,
+      timeout: BAZEL_QUERY_TIMEOUT_MS,
+      ...(opts.env ? {
+        env: opts.env
+      } : {})
+    });
+    const {
+      code,
+      stderr,
+      stdout
+    } = output;
+    result = {
+      code,
+      stdout,
+      stderr
+    };
+    return result;
+  } catch (e) {
+    result = normalizeSpawnError(e);
+    return result;
+  } finally {
+    const truncated = queryStr.slice(0, 80);
+    if (result?.code === 0) {
+      spinner.successAndStop(`bazel query completed (${truncated}).`);
+    } else {
+      spinner.failAndStop(`bazel query failed (${truncated}).`);
+    }
+  }
+}
+
+/**
+ * Bzlmod-native visible repository enumeration. This is only a candidate
+ * source; callers must still validate each returned apparent repo name with a
+ * semantic query for generated JVM Maven rules.
+ */
+async function runBazelModShowVisibleRepos(opts) {
+  const argv = buildBazelModShowVisibleReposArgv(opts);
+  if (opts.verbose) {
+    logger.logger.log('[VERBOSE] Executing:', opts.bin, ', args:', argv);
+  }
+  try {
+    const output = await spawn.spawn(opts.bin, argv, {
+      cwd: opts.cwd,
+      timeout: BAZEL_QUERY_TIMEOUT_MS,
+      ...(opts.env ? {
+        env: opts.env
+      } : {})
+    });
+    const {
+      code,
+      stderr,
+      stdout
+    } = output;
+    return {
+      code,
+      stdout,
+      stderr
+    };
+  } catch (e) {
+    return normalizeSpawnError(e);
+  }
+}
+
+/**
+ * Build a `RepoProbe` (compatible with bazel-repo-discovery) bound to opts.
+ * Used by `discoverMavenRepos` to validate candidate Maven repo
+ * names against the running workspace.
+ */
+function buildProbeFor(opts) {
+  return async repoName => {
+    const queryStr = `kind("jvm_import rule|aar_import rule", @${repoName}//:*)`;
+    const result = await runBazelQuery(queryStr, opts);
+    return {
+      stdout: result.stdout,
+      code: result.code
+    };
+  };
+}
+
+// Maximum size (bytes) we will read for any single Bazel workspace file.
+// Prevents DoS via maliciously large MODULE.bazel / WORKSPACE / .bzl files.
+const MAX_WORKSPACE_FILE_BYTES = 5 * 1024 * 1024;
+
+// Maximum candidate count we will return (deduped) before truncating.
+// Real repos have <20; this is a hard ceiling against pathological inputs.
+const MAX_CANDIDATES = 256;
+
+// Regex strategy: anchored, bounded character classes, no nested quantifiers.
+// Match `use_repo(maven, "X", "Y", ...)` with a bounded arg-list window to
+// avoid catastrophic backtracking on hostile input.
+
+// Bzlmod use_repo(maven, "name1", "name2"...).
+// Bounded: matches up to ~4KB of arg list to avoid catastrophic backtracking.
+const USE_REPO_RE = /use_repo\s*\(\s*maven\s*,([^)]{0,4096})\)/g;
+const BAZEL_REPO_NAME_PATTERN = '[A-Za-z0-9._+-]{1,129}';
+const BAZEL_REPO_NAME_RE = new RegExp(`^${BAZEL_REPO_NAME_PATTERN}$`);
+// Quoted-name extractor inside the captured argument blob.
+const QUOTED_NAME_RE = new RegExp(`"(${BAZEL_REPO_NAME_PATTERN})"`, 'g');
+
+// Legacy maven_install(name = "X", ...) on a single statement.
+// Match the name= keyword arg specifically; bounded.
+const MAVEN_INSTALL_NAME_RE = new RegExp(`maven_install\\s*\\([^)]{0,8192}?\\bname\\s*=\\s*"(${BAZEL_REPO_NAME_PATTERN})"`, 'g');
+const MAVEN_COORDINATES_MARKER_RE = /\bmaven_coordinates\s*=/;
+
+// Reads file contents, refusing files that exceed MAX_WORKSPACE_FILE_BYTES.
+// Returns null when the file is missing, oversized, or unreadable.
+function safeReadFile(file) {
+  if (!fs$1.existsSync(file)) {
+    return null;
+  }
+  try {
+    const stat = fs$1.statSync(file);
+    if (stat.size > MAX_WORKSPACE_FILE_BYTES) {
+      return null;
+    }
+    return fs$1.readFileSync(file, 'utf8');
+  } catch {
+    return null;
+  }
+}
+
+// Walks workspace root for legacy Starlark sources we can scan: WORKSPACE
+// (and WORKSPACE.bazel) plus top-level .bzl files. Non-recursive by design;
+// Phase 1 explicitly avoids static Starlark parsing at depth.
+function listLegacyStarlarkFiles(cwd) {
+  const files = [];
+  const candidates = ['WORKSPACE', 'WORKSPACE.bazel'];
+  for (const c of candidates) {
+    const p = path.join(cwd, c);
+    if (fs$1.existsSync(p)) {
+      files.push(p);
+    }
+  }
+  // Top-level .bzl files only.
+  try {
+    for (const entry of fs$1.readdirSync(cwd)) {
+      if (entry.endsWith('.bzl')) {
+        files.push(path.join(cwd, entry));
+      }
+    }
+  } catch {
+    // Ignore unreadable cwd.
+  }
+  return files;
+}
+
+// Returns deduplicated, sorted list of items, capped at MAX_CANDIDATES.
+function uniqueSorted(items) {
+  const seen = new Set();
+  const out = [];
+  for (const item of items) {
+    if (!seen.has(item)) {
+      seen.add(item);
+      out.push(item);
+      if (out.length >= MAX_CANDIDATES) {
+        break;
+      }
+    }
+  }
+  return out.sort();
+}
+function apparentNameFromJsonValue(value) {
+  if (!value || typeof value !== 'object') {
+    return undefined;
+  }
+  const obj = value;
+  const direct = obj['apparentName'] ?? obj['apparent_name'];
+  if (typeof direct === 'string') {
+    return direct;
+  }
+  for (const nested of Object.values(obj)) {
+    const found = apparentNameFromJsonValue(nested);
+    if (found) {
+      return found;
+    }
+  }
+  return undefined;
+}
+function normalizeRepoName(name) {
+  const repo = name.startsWith('@') ? name.slice(1) : name;
+  return BAZEL_REPO_NAME_RE.test(repo) ? repo : undefined;
+}
+
+// Parse `bazel mod show_repo --all_visible_repos --output=streamed_jsonproto`
+// output. Bazel's JSON proto field casing may vary by formatter; accept both
+// lowerCamel and snake_case, and tolerate wrapper objects around Repository.
+function parseVisibleRepoCandidates(output) {
+  const candidates = [];
+  for (const line of output.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+    try {
+      const parsed = JSON.parse(trimmed);
+      const apparentName = apparentNameFromJsonValue(parsed);
+      if (apparentName) {
+        const repo = normalizeRepoName(apparentName);
+        if (repo) {
+          candidates.push(repo);
+        }
+      }
+    } catch {
+      // Ignore malformed lines; caller will fall back to static discovery when
+      // no usable visible repo names are found.
+    }
+  }
+  return uniqueSorted(candidates);
+}
+
+// Step 1: parse candidate Maven repo names from Bzlmod and legacy entry points.
+function parseMavenRepoCandidates(cwd, verbose) {
+  const candidates = [];
+
+  // Bzlmod path: parse MODULE.bazel for use_repo(maven, ...).
+  const moduleBazel = path.join(cwd, 'MODULE.bazel');
+  const moduleContent = safeReadFile(moduleBazel);
+  if (moduleContent) {
+    const bzlmodHits = [];
+    for (const m of moduleContent.matchAll(USE_REPO_RE)) {
+      const argBlob = m[1] ?? '';
+      for (const n of argBlob.matchAll(QUOTED_NAME_RE)) {
+        bzlmodHits.push(n[1]);
+      }
+    }
+    candidates.push(...bzlmodHits);
+    if (verbose) {
+      logger.logger.log('[VERBOSE] discovery: scanned', moduleBazel, `(${bzlmodHits.length} use_repo match(es))`);
+    }
+  } else if (verbose) {
+    logger.logger.log('[VERBOSE] discovery:', moduleBazel, 'not present (skipping bzlmod scan)');
+  }
+
+  // Legacy path: scan WORKSPACE + top-level .bzl files for maven_install(name=...).
+  const legacyFiles = listLegacyStarlarkFiles(cwd);
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: legacy files considered:', legacyFiles.length ? legacyFiles : '(none)');
+  }
+  for (const file of legacyFiles) {
+    const content = safeReadFile(file);
+    if (!content) {
+      continue;
+    }
+    const fileHits = [];
+    for (const m of content.matchAll(MAVEN_INSTALL_NAME_RE)) {
+      fileHits.push(m[1]);
+    }
+    candidates.push(...fileHits);
+    if (verbose) {
+      logger.logger.log('[VERBOSE] discovery: scanned', file, `(${fileHits.length} maven_install name match(es))`);
+    }
+  }
+  const deduped = uniqueSorted(candidates);
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: candidate set (pre-seed):', deduped);
+  }
+  return deduped;
+}
+// Step 2: validate a candidate by running the probe and confirming
+// `maven_coordinates=` appears in stdout (the marker emitted by jvm_import /
+// aar_import rules generated by rules_jvm_external). Returns the probe
+// stdout alongside the verdict so the caller can cache it and reuse it
+// instead of running an identical extraction query.
+async function validateMavenRepo(repoName, probe, verbose) {
+  try {
+    const result = await probe(repoName);
+    if (result.code !== 0) {
+      if (verbose) {
+        logger.logger.log(`[VERBOSE] discovery: probe @${repoName}: REJECT (code=${result.code})`);
+      }
+      return {
+        valid: false,
+        stdout: result.stdout
+      };
+    }
+    const valid = MAVEN_COORDINATES_MARKER_RE.test(result.stdout);
+    if (verbose) {
+      logger.logger.log(`[VERBOSE] discovery: probe @${repoName}:`, valid ? 'ACCEPT (maven_coordinates marker found)' : 'REJECT (no maven_coordinates marker in probe stdout)');
+    }
+    return {
+      valid,
+      stdout: result.stdout
+    };
+  } catch (e) {
+    if (verbose) {
+      logger.logger.log(`[VERBOSE] discovery: probe @${repoName}: REJECT (probe threw):`, utils.getErrorCause(e));
+    }
+    return {
+      valid: false,
+      stdout: ''
+    };
+  }
+}
+
+// The default maven_install repo name when no explicit `name=` is given.
+// Included as a seed so repos that define maven_install in a subdirectory
+// .bzl file (not scanned by parseMavenRepoCandidates) are still discovered.
+const DEFAULT_MAVEN_REPO_SEED = 'maven';
+
+// Composition: parse, then validate each candidate; return validated subset
+// as a Map keyed by repo name with the validated probe stdout as value.
+// Map iteration order matches insertion order, so callers that just want
+// the list of repo names can call `Array.from(repos.keys())`. Callers that
+// want to skip re-running the same `bazel query` during extraction can read
+// the cached stdout off the Map and parse it directly.
+//
+// Always seeds with the default `@maven` repo name so repos whose
+// maven_install is defined in a sub-directory .bzl file (not reachable by
+// the top-level static scan) can still be discovered via probe validation.
+async function discoverMavenRepos(cwd, probe, nativeCandidates, verbose) {
+  const parsed = nativeCandidates && nativeCandidates.length ? nativeCandidates : parseMavenRepoCandidates(cwd, verbose);
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: candidate source:', nativeCandidates && nativeCandidates.length ? `bzlmod visible-repos (${nativeCandidates.length})` : `static parse (${parsed.length})`);
+  }
+  // Seed with the default repo name first (so it appears first in output if
+  // validated). Dedup via Set before validation.
+  const seen = new Set([DEFAULT_MAVEN_REPO_SEED]);
+  const candidates = [DEFAULT_MAVEN_REPO_SEED];
+  for (const c of parsed) {
+    if (!seen.has(c)) {
+      seen.add(c);
+      candidates.push(c);
+    }
+  }
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: candidate set to probe (seed-first, deduped):', candidates);
+  }
+  const validated = new Map();
+  for (const c of candidates) {
+    // eslint-disable-next-line no-await-in-loop
+    const result = await validateMavenRepo(c, probe, verbose);
+    if (result.valid) {
+      validated.set(c, result.stdout);
+    }
+  }
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: validated repos:', Array.from(validated.keys()));
+  }
+  return validated;
+}
+
+// Detects whether the given Bazel workspace uses Bzlmod (MODULE.bazel),
+// legacy WORKSPACE (WORKSPACE or WORKSPACE.bazel), or both (migration).
+// Throws InputError when neither marker file is present.
+function detectWorkspaceMode(cwd) {
+  const moduleBazel = fs$1.existsSync(path.join(cwd, 'MODULE.bazel'));
+  const workspaceFile = fs$1.existsSync(path.join(cwd, 'WORKSPACE')) || fs$1.existsSync(path.join(cwd, 'WORKSPACE.bazel'));
+  if (!moduleBazel && !workspaceFile) {
+    throw new utils.InputError(`No Bazel workspace found at ${cwd} (looked for MODULE.bazel, WORKSPACE, WORKSPACE.bazel).`);
+  }
+  return {
+    bzlmod: moduleBazel,
+    workspace: workspaceFile
+  };
+}
+
+// Returns the bazel CLI flags needed to invoke the correct workspace mode.
+// Bzlmod-only or migration-window: rely on Bazel 7+ default (Bzlmod on).
+// Legacy-only: explicitly disable Bzlmod and enable WORKSPACE.
+function getBazelInvocationFlags(mode) {
+  if (mode.bzlmod) {
+    // Bzlmod-only or migration: Bzlmod wins; no flags needed (Bazel 7+ default).
+    return [];
+  }
+  // Legacy-only: explicitly switch to WORKSPACE mode.
+  return ['--noenable_bzlmod', '--enable_workspace'];
+}
+
+// Splits "g:a:v" -> { groupArtifact: "g:a", version: "v" }.
+// Returns null on malformed input.
+function splitCoord(c) {
+  const lastColon = c.lastIndexOf(':');
+  if (lastColon < 1) {
+    return null;
+  }
+  return {
+    groupArtifact: c.slice(0, lastColon),
+    version: c.slice(lastColon + 1)
+  };
+}
+// Builds a lookup from rule label suffix (e.g. ":com_google_guava_guava") to canonical coord.
+function buildLabelToCoordMap(artifacts) {
+  const fullLabels = new Map();
+  const suffixToCoords = new Map();
+  for (const a of artifacts) {
+    // The rule name (e.g. "com_google_guava_guava") becomes the path under @<repo>//:<name>.
+    // We record by ":<name>" suffix so we can look up regardless of repo name.
+    const suffix = `:${a.ruleName}`;
+    const coords = suffixToCoords.get(suffix) ?? new Set();
+    coords.add(a.mavenCoordinates);
+    suffixToCoords.set(suffix, coords);
+    if (a.sourceRepo) {
+      fullLabels.set(`@${a.sourceRepo}//${suffix}`, a.mavenCoordinates);
+    }
+  }
+  return {
+    fullLabels,
+    suffixToCoords
+  };
+}
+
+// Converts a Bazel dep label to a Maven coordinate, using the label-to-coord map.
+// Returns null when the label is not recognised.
+function depLabelToCoord(label, labelToCoord) {
+  // label may be "@maven//:com_google_guava_failureaccess".
+  const colon = label.lastIndexOf(':');
+  if (colon < 0) {
+    return null;
+  }
+  const fullMatch = labelToCoord.fullLabels.get(label);
+  if (fullMatch) {
+    return fullMatch;
+  }
+  const key = label.slice(colon);
+  const suffixMatches = labelToCoord.suffixToCoords.get(key);
+  if (!suffixMatches) {
+    return null;
+  }
+  if (suffixMatches.size > 1) {
+    throw new Error(`Ambiguous Bazel dependency label ${label} maps rule suffix ${key} to multiple Maven coordinates: ${Array.from(suffixMatches).sort().join(', ')}. The generated maven_install.json cannot resolve this dependency label losslessly.`);
+  }
+  return Array.from(suffixMatches)[0] ?? null;
+}
+function normalizeToMavenInstallJson(artifacts) {
+  const labelToCoord = buildLabelToCoordMap(artifacts);
+  const out = {
+    artifacts: {},
+    dependencies: {}
+  };
+  const versionsByGroupArtifact = new Map();
+  const dependencySets = new Map();
+  for (const a of artifacts) {
+    const split = splitCoord(a.mavenCoordinates);
+    if (!split) {
+      continue;
+    }
+    const existingVersion = versionsByGroupArtifact.get(split.groupArtifact);
+    if (existingVersion && existingVersion !== split.version) {
+      throw new Error(`Conflicting versions for ${split.groupArtifact}: ${existingVersion}, ${split.version}. The generated maven_install.json cannot represent multiple versions for the same group:artifact losslessly.`);
+    }
+    if (!existingVersion) {
+      versionsByGroupArtifact.set(split.groupArtifact, split.version);
+      out.artifacts[split.groupArtifact] = {
+        shasums: a.mavenSha256 ? {
+          jar: a.mavenSha256
+        } : {},
+        version: split.version
+      };
+    } else if (a.mavenSha256 && !out.artifacts[split.groupArtifact]?.shasums.jar) {
+      out.artifacts[split.groupArtifact] = {
+        shasums: {
+          jar: a.mavenSha256
+        },
+        version: split.version
+      };
+    }
+    // Dependency keys in maven_install.json use "g:a" (no version),
+    // matching the canonical rules_jvm_external lockfile shape.
+    // Only emit an entry when there are actual dependencies (lockfile omits
+    // artifacts with an empty dep list).
+    const depKey = split.groupArtifact;
+    const depCoords = dependencySets.get(depKey) ?? new Set();
+    for (const depLabel of a.deps) {
+      // First try our rule-label lookup (the common case for --output=build text).
+      const c = depLabelToCoord(depLabel, labelToCoord);
+      if (c) {
+        // c is "g:a:v"; strip the version to produce "g:a" per lockfile shape.
+        const cs = splitCoord(c);
+        depCoords.add(cs ? cs.groupArtifact : c);
+      } else if (depLabel.includes(':') && !depLabel.startsWith('@') && !depLabel.startsWith(':')) {
+        // unsorted_deps.json deps may be "g:a:v" in older files or
+        // "g:a" in v2 lock-file-shaped maps. Strip only when a version is
+        // present.
+        const parts = depLabel.split(':');
+        depCoords.add(parts.length >= 3 ? parts.slice(0, -1).join(':') : depLabel);
+      }
+    }
+    if (depCoords.size) {
+      dependencySets.set(depKey, depCoords);
+    }
+  }
+  for (const [depKey, depCoords] of dependencySets) {
+    out.dependencies[depKey] = Array.from(depCoords);
+  }
+  return out;
+}
+
+// Resolves the bazel `external/` dir for the given workspace.
+//
+// Bazel's `bazel-out/` convenience symlink points at
+// `<output_base>/execroot/<workspace>/bazel-out/`; the `external/` dir we
+// want is at `<output_base>/external/`. `path.join` is purely lexical and
+// would collapse `bazel-out/..` to the cwd itself, which is the wrong place
+// Resolve the symlink at the filesystem level and walk up to
+// `<output_base>` instead.
+function bazelExternalDir(cwd, outputBase) {
+  if (outputBase) {
+    return path.join(outputBase, 'external');
+  }
+  const bazelOutLink = path.join(cwd, 'bazel-out');
+  if (!fs$1.existsSync(bazelOutLink)) {
+    return null;
+  }
+  try {
+    // realpath follows symlinks: .../<output_base>/execroot/<workspace>/bazel-out
+    const real = fs$1.realpathSync(bazelOutLink);
+    // Walk up bazel-out -> <workspace> -> execroot -> <output_base>, then into external/.
+    return path.join(real, '..', '..', '..', 'external');
+  } catch {
+    return null;
+  }
+}
+
+// Internal diagnostic: when truthy, skip the unsorted_deps.json fast path
+// and force the bazel-query regex fallback. Used by bazel-bench to
+// deterministically exercise parseBazelBuildOutput on every CI run. Truthy
+// values are '1', 'true', 'yes' (case-insensitive); anything else (unset,
+// '', '0', 'false') is treated as off. Not exposed as a user-facing CLI
+// flag, so it is read here rather than added to constants.mts.
+function isForceQueryFallbackEnabled() {
+  const raw = process.env['SOCKET_BAZEL_FORCE_QUERY_FALLBACK'];
+  if (!raw) {
+    return false;
+  }
+  const normalized = raw.toLowerCase();
+  return normalized === '1' || normalized === 'true' || normalized === 'yes';
+}
+
+// Tries `external/<repo>/unsorted_deps.json` first; falls back to parsing the
+// probe stdout the caller already captured during discovery. Discovery runs
+// the same `kind("jvm_import rule|aar_import rule", @<repo>//:*)` query that
+// extraction needs, so reusing its stdout skips one bazel-query invocation
+// per repo on the unpinned path (where unsorted_deps.json isn't on disk).
+async function extractFromOneRepo(repoName, queryOpts, cachedProbeStdout) {
+  const verbose = queryOpts.verbose;
+  // unsorted_deps.json lives under the bazel external dir.
+  // When --output_base is set, it's under that; otherwise under the workspace's
+  // bazel-out symlink (resolved via realpath, NOT lexical path.join — the
+  // lexical form would collapse `bazel-out/..` to cwd and miss the file).
+  const externalDir = bazelExternalDir(queryOpts.cwd, queryOpts.bazelOutputBase);
+  if (verbose) {
+    logger.logger.log(`[VERBOSE] @${repoName}: external dir:`, externalDir ?? '(unresolved — bazel-out symlink absent)');
+  }
+  const forceFallback = isForceQueryFallbackEnabled();
+  if (forceFallback && verbose) {
+    logger.logger.log(`[VERBOSE] @${repoName}: SOCKET_BAZEL_FORCE_QUERY_FALLBACK set; skipping unsorted_deps.json fast path.`);
+  }
+  const candidates = forceFallback ? [] : externalDir ? [path.join(externalDir, repoName, 'unsorted_deps.json')] : [];
+  for (const c of candidates) {
+    if (fs$1.existsSync(c)) {
+      // Bound the read to 1GB to prevent OOM on hostile content while allowing large real-world lockfiles.
+      // eslint-disable-next-line no-await-in-loop
+      const stat = await fs$1.promises.stat(c);
+      if (stat.size > 1024 * 1024 * 1024) {
+        logger.logger.warn(`Skipping oversized ${c} (${stat.size} bytes); falling back to cached probe stdout.`);
+        break;
+      }
+      const json = fs$1.readFileSync(c, 'utf8');
+      const parsed = parseUnsortedDepsJson(json);
+      if (parsed.length) {
+        if (verbose) {
+          logger.logger.log(`[VERBOSE] @${repoName}: source=unsorted_deps.json (${c}, ${parsed.length} artifact(s))`);
+        }
+        return parsed.map(a => ({
+          ...a,
+          sourceRepo: repoName
+        }));
+      }
+    } else if (verbose) {
+      logger.logger.log(`[VERBOSE] @${repoName}: unsorted_deps.json miss at`, c);
+    }
+  }
+  // Reuse the probe stdout that discovery already captured for this repo.
+  // The probe ran exactly this query during validation and only validated
+  // repos with code === 0 make it into the cache, so retry is unnecessary
+  // — if the probe was flaky, the repo wouldn't be in the map.
+  if (!cachedProbeStdout) {
+    logger.logger.warn(`No cached probe stdout for @${repoName}; skipping. (This shouldn't happen — discovery should have populated it.)`);
+    return [];
+  }
+  if (verbose) {
+    logger.logger.log(`[VERBOSE] @${repoName}: source=cached probe stdout (${cachedProbeStdout.length} bytes)`);
+  }
+  return parseBazelBuildOutput(cachedProbeStdout).map(a => ({
+    ...a,
+    sourceRepo: repoName
+  }));
+}
+async function extractBazelToMaven(opts) {
+  const {
+    cwd,
+    out,
+    verbose
+  } = opts;
+  logger.logger.group('bazel2maven:');
+  logger.logger.info(`- src dir: \`${cwd}\``);
+  logger.logger.info(`- out dir: \`${out}\``);
+  if (!fs$1.existsSync(cwd)) {
+    logger.logger.warn(`Warning: cwd does not exist: ${cwd}`);
+  }
+  logger.logger.groupEnd();
+  try {
+    // Validate caller-provided Bazel filesystem settings before invoking Bazel.
+    if (opts.bazelOutputBase) {
+      validateOutputBase(opts.bazelOutputBase, opts.cwd);
+    }
+    // Java must be available before rules_jvm_external/Coursier runs;
+    // python shim follows so its augmented PATH inherits the JDK prefix.
+    ensureJavaOnPath();
+    const shim = await provisionPythonShim();
+    const baseEnv = shim.augmentedEnv ?? opts.env;
+
+    // Step 1: workspace detection.
+    const mode = detectWorkspaceMode(cwd);
+    logger.logger.info(`Workspace mode: bzlmod=${mode.bzlmod} workspace=${mode.workspace}`);
+    const invocationFlags = getBazelInvocationFlags(mode);
+
+    // Step 2: bazel binary resolution.
+    const bin = await resolveBazelBinary(opts.bin);
+    logger.logger.info(`Using bazel: ${bin}`);
+    if (verbose) {
+      logger.logger.log('[VERBOSE] resolved options:', {
+        bin,
+        bazelRc: opts.bazelRc ?? '(unset)',
+        bazelOutputBase: opts.bazelOutputBase ?? '(unset)',
+        bazelFlags: opts.bazelFlags ?? '(unset)',
+        invocationFlags
+      });
+    }
+
+    // Step 3: build the shared query options object.
+    const queryOpts = {
+      bin,
+      cwd,
+      invocationFlags,
+      ...(opts.bazelRc ? {
+        bazelRc: opts.bazelRc
+      } : {}),
+      ...(opts.bazelFlags ? {
+        bazelFlags: opts.bazelFlags
+      } : {}),
+      ...(opts.bazelOutputBase ? {
+        bazelOutputBase: opts.bazelOutputBase
+      } : {}),
+      ...(baseEnv ? {
+        env: baseEnv
+      } : {}),
+      verbose
+    };
+
+    // Step 4: discover validated Maven repos via the two-step recipe.
+    // Bzlmod has a native visible-repository surface; prefer that over static
+    // MODULE.bazel parsing and keep bounded parsing as the legacy/fallback path.
+    let nativeCandidates;
+    if (mode.bzlmod) {
+      const visibleRepos = await runBazelModShowVisibleRepos(queryOpts);
+      if (visibleRepos.code === 0) {
+        nativeCandidates = parseVisibleRepoCandidates(visibleRepos.stdout);
+        if (verbose) {
+          logger.logger.log('[VERBOSE] Bzlmod visible repo candidates:', nativeCandidates);
+        }
+      } else if (verbose) {
+        logger.logger.log('[VERBOSE] bazel mod show_repo failed; falling back to static candidate parsing:', visibleRepos.stderr);
+      }
+    }
+    // Returns Map<repoName, probeStdout> so extraction can reuse the probe
+    // output and skip running an identical bazel-query a second time.
+    const probe = buildProbeFor(queryOpts);
+    const repos = await discoverMavenRepos(cwd, probe, nativeCandidates, verbose);
+    const repoNames = Array.from(repos.keys());
+    logger.logger.info(`Discovered ${repos.size} Maven repo(s): ${repoNames.join(', ') || '(none)'}`);
+
+    // Step 5: extract artifacts from each repo (preferring unsorted_deps.json).
+    const allArtifacts = [];
+    for (const [repo, probeStdout] of repos) {
+      // eslint-disable-next-line no-await-in-loop
+      const artifacts = await extractFromOneRepo(repo, queryOpts, probeStdout);
+      allArtifacts.push(...artifacts);
+      logger.logger.info(`@${repo}: ${artifacts.length} artifact(s)`);
+    }
+
+    // Step 6: normalize to maven_install.json shape.
+    const normalized = normalizeToMavenInstallJson(allArtifacts);
+
+    // Step 7: write outputs.
+    // Standalone output writes directly to `out`; auto-manifest uses a sibling directory
+    // to avoid colliding with a repo's checked-in rules_jvm_external lockfile and
+    // to avoid repo-root gitignore patterns such as `/maven_install.json`.
+    const layout = opts.outLayout ?? 'standalone';
+    const manifestDir = layout === 'flat' ? path.join(out, '.socket-auto-manifest') : out;
+    fs$1.mkdirSync(manifestDir, {
+      recursive: true
+    });
+    const manifestPath = path.join(manifestDir, 'maven_install.json');
+    await fs$1.promises.writeFile(manifestPath, JSON.stringify(normalized, null, 2), 'utf8');
+    if (verbose) {
+      logger.logger.log('[VERBOSE] outputs:', {
+        artifactCount: allArtifacts.length,
+        generatedManifest: path.relative(out, manifestPath),
+        layout,
+        manifest: manifestPath,
+        mavenRepos: repoNames,
+        tool: 'socket manifest bazel',
+        workspace: {
+          bzlmod: mode.bzlmod,
+          legacyWorkspace: mode.workspace
+        }
+      });
+    }
+    if (!allArtifacts.length) {
+      process.exitCode = 1;
+      logger.logger.fail('No Maven artifacts extracted. See warnings above.');
+      return {
+        artifactCount: 0,
+        manifestPath,
+        ok: false
+      };
+    }
+    logger.logger.success(`Wrote ${allArtifacts.length} artifact(s) to ${path.relative(cwd, manifestPath)}.`);
+    return {
+      artifactCount: allArtifacts.length,
+      manifestPath,
+      ok: true
+    };
+  } catch (e) {
+    process.exitCode = 1;
+    // Always surface the error message; users should not have to
+    // re-run a multi-minute bazel build with --verbose just to see whether
+    // the failure was a missing dependency, permission error, or network blip.
+    logger.logger.fail(`Unexpected error in bazel2maven: ${utils.getErrorCause(e)}`);
+    if (verbose) {
+      logger.logger.group('[VERBOSE] error:');
+      logger.logger.log(e);
+      logger.logger.groupEnd();
+    } else {
+      logger.logger.info('Re-run with --verbose for the full stack.');
+    }
+    return {
+      artifactCount: 0,
+      ok: false
+    };
+  }
 }
 
 async function convertGradleToMaven({
@@ -2326,6 +3496,7 @@ async function generateAutoManifest({
   verbose
 }) {
   const sockJson = utils.readOrDefaultSocketJson(cwd);
+  const generatedFiles = [];
   if (verbose) {
     logger.logger.info(`Using this ${constants.SOCKET_JSON} for defaults:`, sockJson);
   }
@@ -2362,6 +3533,32 @@ async function generateAutoManifest({
       verbose: Boolean(sockJson.defaults?.manifest?.conda?.verbose)
     });
   }
+  if (!sockJson?.defaults?.manifest?.bazel?.disabled && detected.bazel) {
+    const bazelConfig = sockJson?.defaults?.manifest?.bazel;
+    logger.logger.log('Detected a Bazel workspace, extracting Maven dependencies via bazel query...');
+    const bazelResult = await extractBazelToMaven({
+      bazelFlags: bazelConfig?.bazelFlags,
+      bazelOutputBase: bazelConfig?.bazelOutputBase,
+      bazelRc: bazelConfig?.bazelRc,
+      bin: bazelConfig?.bazel ?? bazelConfig?.bin,
+      cwd,
+      // Auto-manifest writes into a sibling directory instead of the repo root
+      // so scan discovery can pick it up without colliding with a checked-in
+      // rules_jvm_external lockfile or repo-root gitignore patterns.
+      out: bazelConfig?.out ?? cwd,
+      outLayout: 'flat',
+      verbose: Boolean(bazelConfig?.verbose) || verbose
+    });
+    if (!bazelResult.ok) {
+      throw new Error('Bazel auto-manifest generation failed');
+    }
+    if (bazelResult.manifestPath) {
+      generatedFiles.push(bazelResult.manifestPath);
+    }
+  }
+  return {
+    generatedFiles
+  };
 }
 
 // Keys for CDX and SPDX in the supported files response.
@@ -2414,6 +3611,7 @@ async function handleCreateNewScan({
   tmp,
   workspace
 }) {
+  let scanTargets = targets;
   require$$9.debugFn('notice', `Creating new scan for ${orgSlug}/${workspace ? `${workspace}/` : ''}${repoName}`);
   require$$9.debugDir('inspect', {
     autoManifest,
@@ -2438,12 +3636,15 @@ async function handleCreateNewScan({
     require$$9.debugDir('inspect', {
       detected
     });
-    await generateAutoManifest({
+    const autoManifestResult = await generateAutoManifest({
       detected,
       cwd,
       outputKind,
       verbose: false
     });
+    if (autoManifestResult.generatedFiles.length) {
+      scanTargets = Array.from(new Set([...targets, ...autoManifestResult.generatedFiles]));
+    }
     logger.logger.info('Auto-generation finished. Proceeding with Scan creation.');
   }
   const {
@@ -2478,7 +3679,7 @@ async function handleCreateNewScan({
     reachabilityOptions: reach,
     target: targets[0]
   });
-  const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
+  const packagePaths = await utils.getPackageFilesForScan(scanTargets, supportedFiles, {
     additionalIgnores: additionalScaIgnores,
     config: socketConfig,
     cwd
@@ -2545,21 +3746,34 @@ async function handleCreateNewScan({
     scanPaths = [...pathsForScan, ...(reachabilityReport ? [reachabilityReport] : [])];
     tier1ReachabilityScanId = reachResult.data?.tier1ReachabilityScanId;
   }
-  const fullScanCResult = await fetchCreateOrgFullScan(scanPaths, orgSlug, {
-    commitHash,
-    commitMessage,
-    committers,
-    pullRequest,
-    repoName,
-    branchName,
-    scanType: reach.runReachabilityAnalysis ? constants.default.SCAN_TYPE_SOCKET_TIER1 : constants.default.SCAN_TYPE_SOCKET,
-    workspace
-  }, {
-    cwd,
-    defaultBranch,
-    pendingHead,
-    tmp
-  });
+
+  // Brotli-compress any .socket.facts.json paths in scanPaths just before
+  // upload. depscan's api-v0 multipart boundary streams brotli decode based
+  // on the .br filename suffix. Coana keeps writing plain .socket.facts.json
+  // on disk, so the local read paths (extractTier1ReachabilityScanId,
+  // extractReachabilityErrors) stay correct. The cleanup() in the finally
+  // block removes the temp dirs whether the upload succeeded or threw.
+  const compressed = await utils.compressSocketFactsForUpload(scanPaths);
+  let fullScanCResult;
+  try {
+    fullScanCResult = await fetchCreateOrgFullScan(compressed.paths, orgSlug, {
+      commitHash,
+      commitMessage,
+      committers,
+      pullRequest,
+      repoName,
+      branchName,
+      scanType: reach.runReachabilityAnalysis ? constants.default.SCAN_TYPE_SOCKET_TIER1 : constants.default.SCAN_TYPE_SOCKET,
+      workspace
+    }, {
+      cwd,
+      defaultBranch,
+      pendingHead,
+      tmp
+    });
+  } finally {
+    await compressed.cleanup();
+  }
   const scanId = fullScanCResult.ok ? fullScanCResult.data?.id : undefined;
   if (reach && scanId && tier1ReachabilityScanId) {
     await finalizeTier1Scan(tier1ReachabilityScanId, scanId);
@@ -2669,7 +3883,7 @@ async function handleCi(autoManifest) {
   });
 }
 
-const config$k = {
+const config$l = {
   commandName: 'ci',
   description: 'Alias for `socket scan create --report` (creates report and exits with error if unhealthy)',
   hidden: false,
@@ -2687,7 +3901,7 @@ const config$k = {
       $ ${command} [options]
 
     Options
-      ${utils.getFlagListOutput(config$k.flags)}
+      ${utils.getFlagListOutput(config$l.flags)}
 
     This command is intended to use in CI runs to allow automated systems to
     accept or reject a current build. It will use the default org of the
@@ -2705,16 +3919,16 @@ const config$k = {
   `
 };
 const cmdCI = {
-  description: config$k.description,
-  hidden: config$k.hidden,
-  run: run$Q
+  description: config$l.description,
+  hidden: config$l.hidden,
+  run: run$R
 };
-async function run$Q(argv, importMeta, {
+async function run$R(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$k,
+    config: config$l,
     parentName,
     importMeta
   });
@@ -2957,9 +4171,9 @@ const hidden$v = false;
 const cmdConfigAuto = {
   description: description$D,
   hidden: hidden$v,
-  run: run$P
+  run: run$Q
 };
-async function run$P(argv, importMeta, {
+async function run$Q(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -3063,7 +4277,7 @@ async function handleConfigGet({
   await outputConfigGet(key, result, outputKind);
 }
 
-const config$j = {
+const config$k = {
   commandName: 'get',
   description: 'Get the value of a local CLI config item',
   hidden: false,
@@ -3093,16 +4307,16 @@ ${utils.getSupportedConfigEntries().map(({
   `
 };
 const cmdConfigGet = {
-  description: config$j.description,
-  hidden: config$j.hidden,
-  run: run$O
+  description: config$k.description,
+  hidden: config$k.hidden,
+  run: run$P
 };
-async function run$O(argv, importMeta, {
+async function run$P(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$j,
+    config: config$k,
     importMeta,
     parentName
   });
@@ -3204,7 +4418,7 @@ async function outputConfigList({
   }
 }
 
-const config$i = {
+const config$j = {
   commandName: 'list',
   description: 'Show all local CLI config items and their values',
   hidden: false,
@@ -3229,16 +4443,16 @@ const config$i = {
   `
 };
 const cmdConfigList = {
-  description: config$i.description,
-  hidden: config$i.hidden,
-  run: run$N
+  description: config$j.description,
+  hidden: config$j.hidden,
+  run: run$O
 };
-async function run$N(argv, importMeta, {
+async function run$O(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$i,
+    config: config$j,
     importMeta,
     parentName
   });
@@ -3323,9 +4537,9 @@ const hidden$u = false;
 const cmdConfigSet = {
   description: description$C,
   hidden: hidden$u,
-  run: run$M
+  run: run$N
 };
-async function run$M(argv, importMeta, {
+async function run$N(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -3450,9 +4664,9 @@ const hidden$t = false;
 const cmdConfigUnset = {
   description: description$B,
   hidden: hidden$t,
-  run: run$L
+  run: run$M
 };
-async function run$L(argv, importMeta, {
+async function run$M(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -4650,7 +5864,7 @@ const hidden$s = false;
 const cmdFix = {
   description: description$z,
   hidden: hidden$s,
-  run: run$K
+  run: run$L
 };
 const generalFlags$2 = {
   autopilot: {
@@ -4814,7 +6028,7 @@ const hiddenFlags = {
     hidden: true
   }
 };
-async function run$K(argv, importMeta, {
+async function run$L(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -5131,7 +6345,7 @@ async function handleInstallCompletion(targetName) {
   await outputInstallCompletion(result);
 }
 
-const config$h = {
+const config$i = {
   commandName: 'completion',
   description: 'Install bash completion for Socket CLI',
   hidden: false,
@@ -5168,16 +6382,16 @@ const config$h = {
   `
 };
 const cmdInstallCompletion = {
-  description: config$h.description,
-  hidden: config$h.hidden,
-  run: run$J
+  description: config$i.description,
+  hidden: config$i.hidden,
+  run: run$K
 };
-async function run$J(argv, importMeta, {
+async function run$K(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$h,
+    config: config$i,
     parentName,
     importMeta
   });
@@ -5234,7 +6448,7 @@ async function handleCmdJson(cwd) {
   await outputCmdJson(cwd);
 }
 
-const config$g = {
+const config$h = {
   commandName: 'json',
   description: `Display the \`${constants.SOCKET_JSON}\` that would be applied for target folder`,
   hidden: true,
@@ -5253,16 +6467,16 @@ const config$g = {
   `
 };
 const cmdJson = {
-  description: config$g.description,
-  hidden: config$g.hidden,
-  run: run$I
+  description: config$h.description,
+  hidden: config$h.hidden,
+  run: run$J
 };
-async function run$I(argv, importMeta, {
+async function run$J(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$g,
+    config: config$h,
     parentName,
     importMeta
   });
@@ -5417,9 +6631,9 @@ const hidden$r = false;
 const cmdLogin = {
   description: description$x,
   hidden: hidden$r,
-  run: run$H
+  run: run$I
 };
-async function run$H(argv, importMeta, {
+async function run$I(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -5497,7 +6711,7 @@ function attemptLogout() {
   }
 }
 
-const config$f = {
+const config$g = {
   commandName: 'logout',
   description: 'Socket API logout',
   hidden: false,
@@ -5515,16 +6729,16 @@ const config$f = {
   `
 };
 const cmdLogout = {
-  description: config$f.description,
-  hidden: config$f.hidden,
-  run: run$G
+  description: config$g.description,
+  hidden: config$g.hidden,
+  run: run$H
 };
-async function run$G(argv, importMeta, {
+async function run$H(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$f,
+    config: config$g,
     importMeta,
     parentName
   });
@@ -5837,7 +7051,7 @@ const yargsConfig = {
   'usages-slices-file' // hidden
   ]
 };
-const config$e = {
+const config$f = {
   commandName: 'cdxgen',
   description: 'Run cdxgen for SBOM generation',
   hidden: false,
@@ -5847,11 +7061,11 @@ const config$e = {
   help: () => ''
 };
 const cmdManifestCdxgen = {
-  description: config$e.description,
-  hidden: config$e.hidden,
-  run: run$F
+  description: config$f.description,
+  hidden: config$f.hidden,
+  run: run$G
 };
-async function run$F(argv, importMeta, context) {
+async function run$G(argv, importMeta, context) {
   const {
     parentName
   } = {
@@ -5861,7 +7075,7 @@ async function run$F(argv, importMeta, context) {
   const cli = utils.meowOrExit({
     // Don't let meow take over --help.
     argv: argv.filter(a => !utils.isHelpFlag(a)),
-    config: config$e,
+    config: config$f,
     importMeta,
     parentName
   });
@@ -5934,6 +7148,181 @@ async function run$F(argv, importMeta, context) {
   await spawnPromise;
 }
 
+const config$e = {
+  commandName: 'bazel',
+  description: '[beta] Bazel JVM SBOM support — generate manifest files (`maven_install.json`) for a Bazel/Maven project',
+  hidden: false,
+  flags: {
+    ...flags.commonFlags,
+    bazel: {
+      type: 'string',
+      description: 'Path to bazel/bazelisk binary; default: $(which bazelisk) || $(which bazel)'
+    },
+    bazelFlags: {
+      type: 'string',
+      description: 'Flags forwarded to every bazel invocation (single quoted string)'
+    },
+    bazelOutputBase: {
+      type: 'string',
+      description: 'Bazel --output_base for read-only-cache CI environments'
+    },
+    bazelRc: {
+      type: 'string',
+      description: 'Path to additional .bazelrc fragments forwarded to bazel'
+    },
+    out: {
+      type: 'string',
+      description: 'Output directory for generated manifests; default: ./.socket/bazel-manifests/'
+    },
+    verbose: {
+      type: 'boolean',
+      description: 'Stream bazel stdout/stderr'
+    }
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command} [options] [CWD=.]
+
+    Options
+      ${utils.getFlagListOutput(config.flags)}
+
+    [beta] Generates Bazel JVM SBOM manifests (\`maven_install.json\`-shaped)
+    by running \`bazel query\` against discovered Maven repos. Output is
+    consumed by \`socket scan create\`'s server-side parser.
+
+    Note: this command generates Maven dependency manifests for Bazel JVM
+    workspaces. It does not run reachability analysis.
+
+    To generate AND upload in one step, use \`socket scan create --auto-manifest\`
+    instead — it detects Bazel workspaces, runs the same extraction, and uploads
+    the result. This subcommand is for generation only.
+
+    Examples
+      $ ${command} .
+      $ ${command} --bazel=/usr/local/bin/bazelisk .
+  `
+};
+const cmdManifestBazel = {
+  description: config$e.description,
+  hidden: config$e.hidden,
+  run: run$F
+};
+async function run$F(argv, importMeta, {
+  parentName
+}) {
+  const cli = utils.meowOrExit({
+    argv,
+    config: config$e,
+    importMeta,
+    parentName
+  });
+  const {
+    json = false,
+    markdown = false
+  } = cli.flags;
+  const dryRun = !!cli.flags['dryRun'];
+
+  // TODO: Implement json/md further.
+  const outputKind = utils.getOutputKind(json, markdown);
+  let [cwd = '.'] = cli.input;
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd);
+  const sockJson = utils.readOrDefaultSocketJson(cwd);
+  require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} bazel`, sockJson?.defaults?.manifest?.bazel);
+  let {
+    bazel,
+    bazelFlags,
+    bazelOutputBase,
+    bazelRc,
+    out,
+    verbose
+  } = cli.flags;
+
+  // Set defaults for any flag/arg that is not given. Check socket.json first.
+  if (!bazel) {
+    const defaultBazel = sockJson.defaults?.manifest?.bazel?.bazel ?? sockJson.defaults?.manifest?.bazel?.bin;
+    if (defaultBazel) {
+      bazel = defaultBazel;
+      logger.logger.info(`Using default --bazel from ${constants.SOCKET_JSON}:`, bazel);
+    }
+    // Otherwise leave undefined; resolveBazelBinary performs the PATH
+    // lookup for bazelisk/bazel.
+  }
+  if (!bazelFlags) {
+    if (sockJson.defaults?.manifest?.bazel?.bazelFlags) {
+      bazelFlags = sockJson.defaults?.manifest?.bazel?.bazelFlags;
+      logger.logger.info(`Using default --bazel-flags from ${constants.SOCKET_JSON}:`, bazelFlags);
+    } else {
+      bazelFlags = '';
+    }
+  }
+  if (!bazelOutputBase) {
+    if (sockJson.defaults?.manifest?.bazel?.bazelOutputBase) {
+      bazelOutputBase = sockJson.defaults?.manifest?.bazel?.bazelOutputBase;
+      logger.logger.info(`Using default --bazel-output-base from ${constants.SOCKET_JSON}:`, bazelOutputBase);
+    }
+  }
+  if (!bazelRc) {
+    if (sockJson.defaults?.manifest?.bazel?.bazelRc) {
+      bazelRc = sockJson.defaults?.manifest?.bazel?.bazelRc;
+      logger.logger.info(`Using default --bazel-rc from ${constants.SOCKET_JSON}:`, bazelRc);
+    }
+  }
+  if (!out) {
+    if (sockJson.defaults?.manifest?.bazel?.out) {
+      out = sockJson.defaults?.manifest?.bazel?.out;
+      logger.logger.info(`Using default --out from ${constants.SOCKET_JSON}:`, out);
+    } else {
+      out = path.join(cwd, '.socket', 'bazel-manifests');
+    }
+  }
+  if (verbose === undefined) {
+    if (sockJson.defaults?.manifest?.bazel?.verbose !== undefined) {
+      verbose = sockJson.defaults?.manifest?.bazel?.verbose;
+      logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
+    } else {
+      verbose = false;
+    }
+  }
+  if (verbose) {
+    logger.logger.group('- ', parentName, config$e.commandName, ':');
+    logger.logger.group('- flags:', cli.flags);
+    logger.logger.groupEnd();
+    logger.logger.log('- input:', cli.input);
+    logger.logger.groupEnd();
+  }
+  const wasValidInput = utils.checkCommandInput(outputKind, {
+    nook: true,
+    test: cli.input.length <= 1,
+    message: 'Can only accept one DIR (make sure to escape spaces!)',
+    fail: 'received ' + cli.input.length
+  });
+  if (!wasValidInput) {
+    return;
+  }
+  if (verbose) {
+    logger.logger.group();
+    logger.logger.info('- cwd:', cwd);
+    logger.logger.info('- bazel bin:', bazel);
+    logger.logger.info('- out:', out);
+    logger.logger.groupEnd();
+  }
+  if (dryRun) {
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
+    return;
+  }
+  await extractBazelToMaven({
+    bazelFlags: bazelFlags,
+    bazelOutputBase: bazelOutputBase,
+    bazelRc: bazelRc,
+    bin: bazel,
+    cwd,
+    out: out,
+    verbose: Boolean(verbose)
+  });
+}
+
 const config$d = {
   commandName: 'auto',
   description: 'Auto-detect build and attempt to generate manifest file',
@@ -7167,6 +8556,7 @@ async function run$y(argv, importMeta, {
     importMeta,
     subcommands: {
       auto: cmdManifestAuto,
+      bazel: cmdManifestBazel,
       cdxgen: cmdManifestCdxgen,
       conda: cmdManifestConda,
       gradle: cmdManifestGradle,
@@ -15865,5 +17255,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=1acf2006-28da-49e4-9572-412f961998c4
+//# debugId=70895ae2-8c82-49e4-a1fb-3cbc0ccb2c57
 //# sourceMappingURL=cli.js.map