@socketsecurity/cli 0.14.60 → 0.14.62

package/dist/require/cli.js

@@ -60,7 +60,7 @@ var tinyglobby = _socketInterop(require('tinyglobby'));
 var promises = require('@socketsecurity/registry/lib/promises');
 var yaml = _socketInterop(require('yaml'));
 var betterAjvErrors = _socketInterop(require('@apideck/better-ajv-errors'));
-var config$A = require('@socketsecurity/config');
+var config$D = require('@socketsecurity/config');
 var assert = require('node:assert');
 var readline = require('node:readline/promises');
 var BoxWidget = _socketInterop(require('blessed/lib/widgets/box'));
@@ -1298,6 +1298,11 @@ function handleUnsuccessfulApiResponse(_name, result) {
   const resultErrorMessage = result.error?.message;
   const message = typeof resultErrorMessage === 'string' ? resultErrorMessage : 'No error message returned';
   if (result.status === 401 || result.status === 403) {
+    // Lazily access constants.spinner.
+    const {
+      spinner
+    } = constants;
+    spinner.stop();
     throw new shadowNpmInject.AuthError(message);
   }
   logger.logger.fail(`${colors.bgRed(colors.white('API returned an error:'))} ${message}`);
@@ -1411,6 +1416,7 @@ async function meowWithSubcommands(subcommands, options) {
   const {
     aliases = {},
     argv,
+    defaultSub,
     importMeta,
     name,
     ...additionalOptions
@@ -1418,7 +1424,11 @@ async function meowWithSubcommands(subcommands, options) {
     __proto__: null,
     ...options
   };
-  const [commandOrAliasName, ...rawCommandArgv] = argv;
+  const [commandOrAliasNamex, ...rawCommandArgv] = argv;
+  let commandOrAliasName = commandOrAliasNamex;
+  if (!commandOrAliasName && defaultSub) {
+    commandOrAliasName = defaultSub;
+  }
   // If we got at least some args, then lets find out if we can find a command.
   if (commandOrAliasName) {
     const alias = aliases[commandOrAliasName];
@@ -1523,7 +1533,7 @@ function emitBanner(name) {
 }
 function getAsciiHeader(command) {
   const cliVersion = // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
-  "0.14.60:48319f6:78cf0eae:pub";
+  "0.14.62:681c774:be9a8ff8:pub";
   const nodeVersion = process.version;
   const apiToken = shadowNpmInject.getSetting('apiToken');
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no';
@@ -1539,9 +1549,9 @@ function getAsciiHeader(command) {
 // https://github.com/SocketDev/socket-python-cli/blob/6d4fc56faee68d3a4764f1f80f84710635bdaf05/socketsecurity/socketcli.py
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$y
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$B
 } = constants;
-const config$z = {
+const config$C = {
   commandName: 'action',
   description: 'Socket action command',
   // GitHub Action ?
@@ -1575,23 +1585,23 @@ const config$z = {
   `
 };
 const cmdAction = {
-  description: config$z.description,
-  hidden: config$z.hidden,
-  run: run$z
+  description: config$C.description,
+  hidden: config$C.hidden,
+  run: run$C
 };
-async function run$z(argv, importMeta, {
+async function run$C(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$z,
+    config: config$C,
     importMeta,
     parentName
   });
   const githubEventBefore = String(cli.flags['githubEventBefore'] || '');
   const githubEventAfter = String(cli.flags['githubEventAfter'] || '');
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$y);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$B);
     return;
   }
   await runAction(githubEventBefore, githubEventAfter);
@@ -1676,6 +1686,31 @@ cols) {
   }
   return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n');
 }
+function mdTableOfPairs(arr,
+// This is saying "an array of strings and the strings are a valid key of elements of T"
+// In turn, T is defined above as the audit log event type from our OpenAPI docs.
+cols) {
+  // Max col width required to fit all data in that column
+  const cws = cols.map(col => col.length);
+  for (const [key, val] of arr) {
+    cws[0] = Math.max(cws[0] ?? 0, String(key).length);
+    cws[1] = Math.max(cws[1] ?? 0, String(val ?? '').length);
+  }
+  let div = '|';
+  for (const cw of cws) div += ' ' + '-'.repeat(cw) + ' |';
+  let header = '|';
+  for (let i = 0; i < cols.length; ++i) {
+    header += ' ' + String(cols[i]).padEnd(cws[i] ?? 0, ' ') + ' |';
+  }
+  let body = '';
+  for (const [key, val] of arr) {
+    body += '|';
+    body += ' ' + String(key).padEnd(cws[0] ?? 0, ' ') + ' |';
+    body += ' ' + String(val ?? '').padEnd(cws[1] ?? 0, ' ') + ' |';
+    body += '\n';
+  }
+  return [div, header, div, body.trim(), div].filter(s => !!s.trim()).join('\n');
+}
 
 // Note: Widgets does not seem to actually work as code :'(
 
@@ -1916,9 +1951,9 @@ function renderLineCharts(grid, screen, title, coords, data) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$x
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$A
 } = constants;
-const config$y = {
+const config$B = {
   commandName: 'analytics',
   description: `Look up analytics data`,
   hidden: false,
@@ -1969,16 +2004,16 @@ const config$y = {
   `
 };
 const cmdAnalytics = {
-  description: config$y.description,
-  hidden: config$y.hidden,
-  run: run$y
+  description: config$B.description,
+  hidden: config$B.hidden,
+  run: run$B
 };
-async function run$y(argv, importMeta, {
+async function run$B(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$y,
+    config: config$B,
     importMeta,
     parentName
   });
@@ -2015,7 +2050,7 @@ async function run$y(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$x);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$A);
     return;
   }
   return await displayAnalytics({
@@ -2166,9 +2201,9 @@ async function getAuditLogWithToken({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$w
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$z
 } = constants;
-const config$x = {
+const config$A = {
   commandName: 'audit-log',
   description: 'Look up the audit log for an organization',
   hidden: false,
@@ -2209,16 +2244,16 @@ const config$x = {
   `
 };
 const cmdAuditLog = {
-  description: config$x.description,
-  hidden: config$x.hidden,
-  run: run$x
+  description: config$A.description,
+  hidden: config$A.hidden,
+  run: run$A
 };
-async function run$x(argv, importMeta, {
+async function run$A(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$x,
+    config: config$A,
     importMeta,
     parentName
   });
@@ -2243,7 +2278,7 @@ async function run$x(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$w);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$z);
     return;
   }
   await getAuditLog({
@@ -2360,7 +2395,7 @@ function isHelpFlag(cmdArg) {
 
 // import { meowOrExit } from '../../utils/meow-with-subcommands'
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$v
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$y
 } = constants;
 
 // TODO: convert yargs to meow. Or convert all the other things to yargs.
@@ -2437,7 +2472,7 @@ const yargsConfig = {
   'yes'],
   string: ['api-key', 'lifecycle', 'output', 'parent-project-id', 'profile', 'project-group', 'project-name', 'project-version', 'project-id', 'server-host', 'server-port', 'server-url', 'spec-version']
 };
-const config$w = {
+const config$z = {
   commandName: 'cdxgen',
   description: 'Create an SBOM with CycloneDX generator (cdxgen)',
   hidden: false,
@@ -2453,18 +2488,18 @@ const config$w = {
   `
 };
 const cmdCdxgen = {
-  description: config$w.description,
-  hidden: config$w.hidden,
-  run: run$w
+  description: config$z.description,
+  hidden: config$z.hidden,
+  run: run$z
 };
-async function run$w(argv, importMeta, {
+async function run$z(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     // Don't let meow take over --help.
     argv: argv.filter(a => !isHelpFlag(a)),
-    config: config$w,
+    config: config$z,
     importMeta,
     parentName
   });
@@ -2496,7 +2531,7 @@ async function run$w(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$v);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$y);
     return;
   }
   if (yargv.output === undefined) {
@@ -2563,9 +2598,9 @@ async function findDependencies({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$u
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$x
 } = constants;
-const config$v = {
+const config$y = {
   commandName: 'dependencies',
   description: 'Search for any dependency that is being used in your organization',
   hidden: false,
@@ -2597,21 +2632,21 @@ const config$v = {
   `
 };
 const cmdScanCreate$1 = {
-  description: config$v.description,
-  hidden: config$v.hidden,
-  run: run$v
+  description: config$y.description,
+  hidden: config$y.hidden,
+  run: run$y
 };
-async function run$v(argv, importMeta, {
+async function run$y(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$v,
+    config: config$y,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$u);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$x);
     return;
   }
 
@@ -2719,9 +2754,9 @@ async function getDiffScanWithToken({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$t
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$w
 } = constants;
-const config$u = {
+const config$x = {
   commandName: 'get',
   description: 'Get a diff scan for an organization',
   hidden: false,
@@ -2773,16 +2808,16 @@ const config$u = {
   `
 };
 const cmdDiffScanGet = {
-  description: config$u.description,
-  hidden: config$u.hidden,
-  run: run$u
+  description: config$x.description,
+  hidden: config$x.hidden,
+  run: run$x
 };
-async function run$u(argv, importMeta, {
+async function run$x(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$u,
+    config: config$x,
     importMeta,
     parentName
   });
@@ -2802,7 +2837,7 @@ async function run$u(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$t);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$w);
     return;
   }
   await getDiffScan({
@@ -2815,9 +2850,9 @@ async function run$u(argv, importMeta, {
   });
 }
 
-const description$3 = 'Diff scans related commands';
+const description$5 = 'Diff scans related commands';
 const cmdDiffScan = {
-  description: description$3,
+  description: description$5,
   // Hidden because it was broken all this time (nobody could be using it)
   // and we're not sure if it's useful to anyone in its current state.
   // Until we do, we'll hide this to keep the help tidier.
@@ -2830,7 +2865,7 @@ const cmdDiffScan = {
       get: cmdDiffScanGet
     }, {
       argv,
-      description: description$3,
+      description: description$5,
       importMeta,
       name: parentName + ' diff-scan'
     });
@@ -3206,17 +3241,9 @@ const {
   YARN_CLASSIC: YARN_CLASSIC$6
 } = constants;
 const AGENTS = [BUN$5, NPM$b, PNPM$8, YARN_BERRY$5, YARN_CLASSIC$6, VLT$5];
-const binByAgent = {
-  __proto__: null,
-  [BUN$5]: BUN$5,
-  [NPM$b]: NPM$b,
-  [PNPM$8]: PNPM$8,
-  [YARN_BERRY$5]: YARN,
-  [YARN_CLASSIC$6]: YARN,
-  [VLT$5]: VLT$5
-};
+const binByAgent = new Map([[BUN$5, BUN$5], [NPM$b, NPM$b], [PNPM$8, PNPM$8], [YARN_BERRY$5, YARN], [YARN_CLASSIC$6, YARN], [VLT$5, VLT$5]]);
 async function getAgentExecPath(agent) {
-  const binName = binByAgent[agent];
+  const binName = binByAgent.get(agent);
   return (await which(binName, {
     nothrow: true
   })) ?? binName;
@@ -3224,7 +3251,11 @@ async function getAgentExecPath(agent) {
 async function getAgentVersion(agentExecPath, cwd) {
   let result;
   try {
-    result = semver.coerce(
+    result =
+    // Coerce version output into a valid semver version by passing it through
+    // semver.coerce which strips leading v's, carets (^), comparators (<,<=,>,>=,=),
+    // and tildes (~).
+    semver.coerce(
     // All package managers support the "--version" flag.
     (await spawn.spawn(agentExecPath, ['--version'], {
       cwd
@@ -3265,32 +3296,25 @@ const readLockFileByAgent = (() => {
   }
   const binaryReader = wrapReader(shadowNpmInject.readFileBinary);
   const defaultReader = wrapReader(async lockPath => await shadowNpmInject.readFileUtf8(lockPath));
-  return {
-    [BUN$5]: wrapReader(async (lockPath, agentExecPath) => {
-      const ext = path.extname(lockPath);
-      if (ext === LOCK_EXT$1) {
-        return await defaultReader(lockPath);
-      }
-      if (ext === BINARY_LOCK_EXT) {
-        const lockBuffer = await binaryReader(lockPath);
-        if (lockBuffer) {
-          try {
-            return index_cjs.parse(lockBuffer);
-          } catch {}
-        }
-        // To print a Yarn lockfile to your console without writing it to disk
-        // use `bun bun.lockb`.
-        // https://bun.sh/guides/install/yarnlock
-        return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
+  return new Map([[BUN$5, wrapReader(async (lockPath, agentExecPath) => {
+    const ext = path.extname(lockPath);
+    if (ext === LOCK_EXT$1) {
+      return await defaultReader(lockPath);
+    }
+    if (ext === BINARY_LOCK_EXT) {
+      const lockBuffer = await binaryReader(lockPath);
+      if (lockBuffer) {
+        try {
+          return index_cjs.parse(lockBuffer);
+        } catch {}
       }
-      return undefined;
-    }),
-    [NPM$b]: defaultReader,
-    [PNPM$8]: defaultReader,
-    [VLT$5]: defaultReader,
-    [YARN_BERRY$5]: defaultReader,
-    [YARN_CLASSIC$6]: defaultReader
-  };
+      // To print a Yarn lockfile to your console without writing it to disk
+      // use `bun bun.lockb`.
+      // https://bun.sh/guides/install/yarnlock
+      return (await spawn.spawn(agentExecPath, [lockPath])).stdout.trim();
+    }
+    return undefined;
+  })], [NPM$b, defaultReader], [PNPM$8, defaultReader], [VLT$5, defaultReader], [YARN_BERRY$5, defaultReader], [YARN_CLASSIC$6, defaultReader]]);
 })();
 async function detectPackageEnvironment({
   cwd = process$1.cwd(),
@@ -3315,13 +3339,14 @@ async function detectPackageEnvironment({
   let agent;
   let agentVersion;
   if (pkgManager) {
+    // A valid "packageManager" field value is "<package manager name>@<version>".
+    // https://nodejs.org/api/packages.html#packagemanager
     const atSignIndex = pkgManager.lastIndexOf('@');
     if (atSignIndex !== -1) {
       const name = pkgManager.slice(0, atSignIndex);
       const version = pkgManager.slice(atSignIndex + 1);
       if (version && AGENTS.includes(name)) {
         agent = name;
-        agentVersion = semver.coerce(version) ?? undefined;
       }
     }
   }
@@ -3340,64 +3365,92 @@ async function detectPackageEnvironment({
   if (agent === YARN_CLASSIC$6 && (agentVersion?.major ?? 0) > 1) {
     agent = YARN_BERRY$5;
   }
-  const targets = {
-    browser: false,
-    node: true
-  };
-  let lockSrc;
   // Lazily access constants.maintainedNodeVersions.
-  let minimumNodeVersion = constants.maintainedNodeVersions.last;
+  const {
+    maintainedNodeVersions
+  } = constants;
+  // Lazily access constants.minimumVersionByAgent.
+  const minSupportedAgentVersion = constants.minimumVersionByAgent.get(agent);
+  const minSupportedNodeVersion = maintainedNodeVersions.last;
+  const nodeVersion = semver.coerce(process$1.version);
+  let lockSrc;
+  let pkgAgentRange;
+  let pkgNodeRange;
+  let pkgMinAgentVersion = minSupportedAgentVersion;
+  let pkgMinNodeVersion = minSupportedNodeVersion;
   if (pkgJson) {
-    const browserField = pkgJson.browser;
-    if (strings.isNonEmptyString(browserField) || objects.isObjectObject(browserField)) {
-      targets.browser = true;
-    }
-    const nodeRange = pkgJson.engines?.['node'];
-    if (strings.isNonEmptyString(nodeRange)) {
-      const coerced = semver.coerce(nodeRange);
-      if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-        minimumNodeVersion = coerced.version;
+    const {
+      engines
+    } = pkgJson;
+    const engineAgentRange = engines?.[agent];
+    const engineNodeRange = engines?.['node'];
+    if (strings.isNonEmptyString(engineAgentRange)) {
+      pkgAgentRange = engineAgentRange;
+      // Roughly check agent range as semver.coerce will strip leading
+      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
+      const coerced = semver.coerce(pkgAgentRange);
+      if (coerced && semver.lt(coerced, pkgMinAgentVersion)) {
+        pkgMinAgentVersion = coerced.version;
+      }
+    }
+    if (strings.isNonEmptyString(engineNodeRange)) {
+      pkgNodeRange = engineNodeRange;
+      // Roughly check Node range as semver.coerce will strip leading
+      // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
+      const coerced = semver.coerce(pkgNodeRange);
+      if (coerced && semver.lt(coerced, pkgMinNodeVersion)) {
+        pkgMinNodeVersion = coerced.version;
       }
     }
     const browserslistQuery = pkgJson['browserslist'];
     if (Array.isArray(browserslistQuery)) {
-      const browserslistTargets = browserslist(browserslistQuery).map(s => s.toLowerCase()).sort(sorts.naturalCompare);
-      const browserslistNodeTargets = browserslistTargets.filter(v => v.startsWith('node ')).map(v => v.slice(5 /*'node '.length*/));
-      if (!targets.browser && browserslistTargets.length) {
-        targets.browser = browserslistTargets.length !== browserslistNodeTargets.length;
-      }
+      // List Node targets in ascending version order.
+      const browserslistNodeTargets = browserslist(browserslistQuery).filter(v => /^node /i.test(v)).map(v => v.slice(5 /*'node '.length*/)).sort(sorts.naturalCompare);
       if (browserslistNodeTargets.length) {
+        // browserslistNodeTargets[0] is the lowest Node target version.
         const coerced = semver.coerce(browserslistNodeTargets[0]);
-        if (coerced && semver.lt(coerced, minimumNodeVersion)) {
-          minimumNodeVersion = coerced.version;
+        if (coerced && semver.lt(coerced, pkgMinNodeVersion)) {
+          pkgMinNodeVersion = coerced.version;
         }
       }
     }
-    // Lazily access constants.maintainedNodeVersions.
-    targets.node = constants.maintainedNodeVersions.some(v => semver.satisfies(v, `>=${minimumNodeVersion}`));
-    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent[agent](lockPath, agentExecPath) : undefined;
+    lockSrc = typeof lockPath === 'string' ? await readLockFileByAgent.get(agent)(lockPath, agentExecPath) : undefined;
   } else {
     lockName = undefined;
     lockPath = undefined;
   }
-  const pkgSupported = targets.browser || targets.node;
+  // Does the system agent version meet our minimum supported agent version?
+  const agentSupported = !!agentVersion && semver.satisfies(agentVersion, `>=${minSupportedAgentVersion}`);
+
+  // Does the system Node version meet our minimum supported Node version?
+  const nodeSupported = semver.satisfies(nodeVersion, `>=${minSupportedNodeVersion}`);
   const npmBuggyOverrides = agent === NPM$b && !!agentVersion && semver.lt(agentVersion, NPM_BUGGY_OVERRIDES_PATCHED_VERSION$1);
   return {
     agent,
     agentExecPath,
+    agentSupported,
     agentVersion,
+    features: {
+      npmBuggyOverrides
+    },
     lockName,
     lockPath,
     lockSrc,
-    minimumNodeVersion,
+    nodeSupported,
+    nodeVersion,
     npmExecPath,
     pkgJson: editablePkgJson,
     pkgPath,
-    pkgSupported,
-    features: {
-      npmBuggyOverrides
+    pkgRequirements: {
+      agent: pkgAgentRange ?? `>=${pkgMinAgentVersion}`,
+      node: pkgNodeRange ?? `>=${pkgMinNodeVersion}`
     },
-    targets
+    pkgSupports: {
+      // Does our minimum supported agent version meet the package's requirements?
+      agent: semver.satisfies(minSupportedAgentVersion, `>=${pkgMinAgentVersion}`),
+      // Does our supported Node versions meet the package's requirements?
+      node: maintainedNodeVersions.some(v => semver.satisfies(v, `>=${pkgMinNodeVersion}`))
+    }
   };
 }
 async function detectAndValidatePackageEnvironment(cwd, options) {
@@ -3415,12 +3468,32 @@ async function detectAndValidatePackageEnvironment(cwd, options) {
       logger?.warn(cmdPrefixMessage(cmdName, `Unknown package manager${pkgManager ? ` ${pkgManager}` : ''}, defaulting to npm`));
     }
   });
-  if (!details.pkgSupported) {
-    logger?.fail(cmdPrefixMessage(cmdName, 'No supported Node or browser range detected'));
+  const {
+    agent,
+    nodeVersion,
+    pkgRequirements
+  } = details;
+  const agentVersion = details.agentVersion ?? 'unknown';
+  if (!details.agentSupported) {
+    const minVersion = constants.minimumVersionByAgent.get(agent);
+    logger?.fail(cmdPrefixMessage(cmdName, `Requires ${agent} >=${minVersion}. Current version: ${agentVersion}.`));
+    return;
+  }
+  if (!details.nodeSupported) {
+    const minVersion = constants.maintainedNodeVersions.last;
+    logger?.fail(cmdPrefixMessage(cmdName, `Requires Node >=${minVersion}. Current version: ${nodeVersion}.`));
+    return;
+  }
+  if (!details.pkgSupports.agent) {
+    logger?.fail(cmdPrefixMessage(cmdName, `Package engine "${agent}" requires ${pkgRequirements.agent}. Current version: ${agentVersion}`));
+    return;
+  }
+  if (!details.pkgSupports.node) {
+    logger?.fail(cmdPrefixMessage(cmdName, `Package engine "node" requires ${pkgRequirements.node}. Current version: ${nodeVersion}`));
     return;
   }
-  if (details.agent === VLT$5) {
-    logger?.fail(cmdPrefixMessage(cmdName, `${details.agent} does not support overrides. Soon, though ⚡`));
+  if (agent === VLT$5) {
+    logger?.fail(cmdPrefixMessage(cmdName, `${agent} does not support overrides. Soon, though ⚡`));
     return;
   }
   const lockName = details.lockName ?? 'lock file';
@@ -3436,8 +3509,8 @@ async function detectAndValidatePackageEnvironment(cwd, options) {
     logger?.fail(cmdPrefixMessage(cmdName, `No ${PACKAGE_JSON} found`));
     return;
   }
-  if (prod && (details.agent === BUN$5 || details.agent === YARN_BERRY$5)) {
-    logger?.fail(cmdPrefixMessage(cmdName, `--prod not supported for ${details.agent}${details.agentVersion ? `@${details.agentVersion.version}` : ''}`));
+  if (prod && (agent === BUN$5 || agent === YARN_BERRY$5)) {
+    logger?.fail(cmdPrefixMessage(cmdName, `--prod not supported for ${agent}${agentVersion ? `@${agentVersion}` : ''}`));
     return;
   }
   if (details.lockPath && path.relative(cwd, details.lockPath).startsWith('.')) {
@@ -3482,9 +3555,9 @@ async function runFix() {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$v
 } = constants;
-const config$t = {
+const config$w = {
   commandName: 'fix',
   description: 'Fix "fixable" Socket alerts',
   hidden: true,
@@ -3500,21 +3573,21 @@ const config$t = {
   `
 };
 const cmdFix = {
-  description: config$t.description,
-  hidden: config$t.hidden,
-  run: run$t
+  description: config$w.description,
+  hidden: config$w.hidden,
+  run: run$w
 };
-async function run$t(argv, importMeta, {
+async function run$w(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$t,
+    config: config$w,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$v);
     return;
   }
   await runFix();
@@ -3671,9 +3744,9 @@ async function getPackageInfo({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$r
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$u
 } = constants;
-const config$s = {
+const config$v = {
   commandName: 'info',
   description: 'Look up info regarding a package',
   hidden: false,
@@ -3695,16 +3768,16 @@ const config$s = {
   `
 };
 const cmdInfo = {
-  description: config$s.description,
-  hidden: config$s.hidden,
-  run: run$s
+  description: config$v.description,
+  hidden: config$v.hidden,
+  run: run$v
 };
-async function run$s(argv, importMeta, {
+async function run$v(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$s,
+    config: config$v,
     importMeta,
     parentName
   });
@@ -3729,11 +3802,11 @@ async function run$s(argv, importMeta, {
   const pkgName = versionSeparator < 1 ? rawPkgName : rawPkgName.slice(0, versionSeparator);
   const pkgVersion = versionSeparator < 1 ? 'latest' : rawPkgName.slice(versionSeparator + 1);
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$r);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$u);
     return;
   }
   await getPackageInfo({
-    commandName: `${parentName} ${config$s.commandName}`,
+    commandName: `${parentName} ${config$v.commandName}`,
     includeAllIssues: Boolean(all),
     outputKind: json ? 'json' : markdown ? 'markdown' : 'print',
     pkgName,
@@ -3820,9 +3893,9 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$q
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$t
 } = constants;
-const config$r = {
+const config$u = {
   commandName: 'login',
   description: 'Socket API login',
   hidden: false,
@@ -3852,23 +3925,23 @@ const config$r = {
   `
 };
 const cmdLogin = {
-  description: config$r.description,
-  hidden: config$r.hidden,
-  run: run$r
+  description: config$u.description,
+  hidden: config$u.hidden,
+  run: run$u
 };
-async function run$r(argv, importMeta, {
+async function run$u(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$r,
+    config: config$u,
     importMeta,
     parentName
   });
   const apiBaseUrl = cli.flags['apiBaseUrl'];
   const apiProxy = cli.flags['apiProxy'];
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$q);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$t);
     return;
   }
   if (!isInteractive()) {
@@ -3894,9 +3967,9 @@ function attemptLogout() {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$p
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s
 } = constants;
-const config$q = {
+const config$t = {
   commandName: 'logout',
   description: 'Socket API logout',
   hidden: false,
@@ -3911,21 +3984,21 @@ const config$q = {
   `
 };
 const cmdLogout = {
-  description: config$q.description,
-  hidden: config$q.hidden,
-  run: run$q
+  description: config$t.description,
+  hidden: config$t.hidden,
+  run: run$t
 };
-async function run$q(argv, importMeta, {
+async function run$t(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$q,
+    config: config$t,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$p);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$s);
     return;
   }
   attemptLogout();
@@ -4030,9 +4103,9 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$o
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$r
 } = constants;
-const config$p = {
+const config$s = {
   commandName: 'gradle',
   description: '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Gradle/Java/Kotlin/etc project',
   hidden: false,
@@ -4104,22 +4177,22 @@ const config$p = {
   `
 };
 const cmdManifestGradle = {
-  description: config$p.description,
-  hidden: config$p.hidden,
-  run: run$p
+  description: config$s.description,
+  hidden: config$s.hidden,
+  run: run$s
 };
-async function run$p(argv, importMeta, {
+async function run$s(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$p,
+    config: config$s,
     importMeta,
     parentName
   });
   const verbose = Boolean(cli.flags['verbose']);
   if (verbose) {
-    logger.logger.group('- ', parentName, config$p.commandName, ':');
+    logger.logger.group('- ', parentName, config$s.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -4167,7 +4240,7 @@ async function run$p(argv, importMeta, {
     gradleOpts = cli.flags['gradleOpts'].split(' ').map(s => s.trim()).filter(Boolean);
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$o);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$r);
     return;
   }
   await convertGradleToMaven(target, bin, out, verbose, gradleOpts);
@@ -4272,9 +4345,9 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$n
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$q
 } = constants;
-const config$o = {
+const config$r = {
   commandName: 'scala',
   description: "[beta] Generate a manifest file (`pom.xml`) from Scala's `build.sbt` file",
   hidden: false,
@@ -4347,22 +4420,22 @@ const config$o = {
   `
 };
 const cmdManifestScala = {
-  description: config$o.description,
-  hidden: config$o.hidden,
-  run: run$o
+  description: config$r.description,
+  hidden: config$r.hidden,
+  run: run$r
 };
-async function run$o(argv, importMeta, {
+async function run$r(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$o,
+    config: config$r,
     importMeta,
     parentName
   });
   const verbose = Boolean(cli.flags['verbose']);
   if (verbose) {
-    logger.logger.group('- ', parentName, config$o.commandName, ':');
+    logger.logger.group('- ', parentName, config$r.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -4408,16 +4481,16 @@ async function run$o(argv, importMeta, {
     sbtOpts = cli.flags['sbtOpts'].split(' ').map(s => s.trim()).filter(Boolean);
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$n);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$q);
     return;
   }
   await convertSbtToMaven(target, bin, out, verbose, sbtOpts);
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$m
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$p
 } = constants;
-const config$n = {
+const config$q = {
   commandName: 'auto',
   description: 'Auto-detect build and attempt to generate manifest file',
   hidden: false,
@@ -4447,23 +4520,23 @@ const config$n = {
   `
 };
 const cmdManifestAuto = {
-  description: config$n.description,
-  hidden: config$n.hidden,
-  run: run$n
+  description: config$q.description,
+  hidden: config$q.hidden,
+  run: run$q
 };
-async function run$n(argv, importMeta, {
+async function run$q(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$n,
+    config: config$q,
     importMeta,
     parentName
   });
   const verbose = !!cli.flags['verbose'];
   const cwd = cli.flags['cwd'] ?? process.cwd();
   if (verbose) {
-    logger.logger.group('- ', parentName, config$n.commandName, ':');
+    logger.logger.group('- ', parentName, config$q.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -4482,7 +4555,7 @@ async function run$n(argv, importMeta, {
     }
     subArgs.push(dir);
     if (cli.flags['dryRun']) {
-      logger.logger.log(DRY_RUN_BAIL_TEXT$m);
+      logger.logger.log(DRY_RUN_BAIL_TEXT$p);
       return;
     }
     await cmdManifestScala.run(subArgs, importMeta, {
@@ -4497,7 +4570,7 @@ async function run$n(argv, importMeta, {
       subArgs.push(cwd);
     }
     if (cli.flags['dryRun']) {
-      logger.logger.log(DRY_RUN_BAIL_TEXT$m);
+      logger.logger.log(DRY_RUN_BAIL_TEXT$p);
       return;
     }
     await cmdManifestGradle.run(subArgs, importMeta, {
@@ -4505,10 +4578,14 @@ async function run$n(argv, importMeta, {
     });
     return;
   }
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$p);
+    return;
+  }
 
   // Show new help screen and exit.
   vendor.meow(`
-    $ ${parentName} ${config$n.commandName}
+    $ ${parentName} ${config$q.commandName}
 
     Unfortunately this script did not discover a supported language in the
     current folder.
@@ -4521,13 +4598,13 @@ async function run$n(argv, importMeta, {
     your target language.
   `, {
     argv: [],
-    description: config$n.description,
+    description: config$q.description,
     importMeta
   }).showHelp();
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$l
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$o
 } = constants;
 
 // TODO: we may want to dedupe some pieces for all gradle languages. I think it
@@ -4535,7 +4612,7 @@ const {
 //       sense for the help panels to note the requested language, rather than
 //       `socket manifest kotlin` to print help screens with `gradle` as the
 //       command. Room for improvement.
-const config$m = {
+const config$p = {
   commandName: 'kotlin',
   description: '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Kotlin project',
   hidden: false,
@@ -4607,22 +4684,22 @@ const config$m = {
   `
 };
 const cmdManifestKotlin = {
-  description: config$m.description,
-  hidden: config$m.hidden,
-  run: run$m
+  description: config$p.description,
+  hidden: config$p.hidden,
+  run: run$p
 };
-async function run$m(argv, importMeta, {
+async function run$p(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$m,
+    config: config$p,
     importMeta,
     parentName
   });
   const verbose = Boolean(cli.flags['verbose']);
   if (verbose) {
-    logger.logger.group('- ', parentName, config$m.commandName, ':');
+    logger.logger.group('- ', parentName, config$p.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -4670,13 +4747,13 @@ async function run$m(argv, importMeta, {
     gradleOpts = cli.flags['gradleOpts'].split(' ').map(s => s.trim()).filter(Boolean);
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$l);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$o);
     return;
   }
   await convertGradleToMaven(target, bin, out, verbose, gradleOpts);
 }
 
-const config$l = {
+const config$o = {
   commandName: 'manifest',
   description: 'Generate a dependency manifest for given file or dir',
   hidden: false,
@@ -4684,11 +4761,11 @@ const config$l = {
     ...commonFlags
   }};
 const cmdManifest = {
-  description: config$l.description,
-  hidden: config$l.hidden,
-  run: run$l
+  description: config$o.description,
+  hidden: config$o.hidden,
+  run: run$o
 };
-async function run$l(argv, importMeta, {
+async function run$o(argv, importMeta, {
   parentName
 }) {
   await meowWithSubcommands({
@@ -4700,15 +4777,15 @@ async function run$l(argv, importMeta, {
     argv,
     aliases: {
       yolo: {
-        description: config$l.description,
+        description: config$o.description,
         hidden: true,
         argv: ['auto']
       }
     },
-    description: config$l.description,
+    description: config$o.description,
     importMeta,
-    flags: config$l.flags,
-    name: `${parentName} ${config$l.commandName}`
+    flags: config$o.flags,
+    name: `${parentName} ${config$o.commandName}`
   });
 }
 
@@ -4722,10 +4799,10 @@ async function wrapNpm(argv) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k,
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$n,
   NPM: NPM$7
 } = constants;
-const config$k = {
+const config$n = {
   commandName: 'npm',
   description: `${NPM$7} wrapper functionality`,
   hidden: false,
@@ -4736,22 +4813,22 @@ const config$k = {
   `
 };
 const cmdNpm = {
-  description: config$k.description,
-  hidden: config$k.hidden,
-  run: run$k
+  description: config$n.description,
+  hidden: config$n.hidden,
+  run: run$n
 };
-async function run$k(argv, importMeta, {
+async function run$n(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$k,
+    config: config$n,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$k);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$n);
     return;
   }
   await wrapNpm(argv);
@@ -4767,10 +4844,10 @@ async function wrapNpx(argv) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$j,
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$m,
   NPX: NPX$1
 } = constants;
-const config$j = {
+const config$m = {
   commandName: 'npx',
   description: `${NPX$1} wrapper functionality`,
   hidden: false,
@@ -4781,31 +4858,31 @@ const config$j = {
   `
 };
 const cmdNpx = {
-  description: config$j.description,
-  hidden: config$j.hidden,
-  run: run$j
+  description: config$m.description,
+  hidden: config$m.hidden,
+  run: run$m
 };
-async function run$j(argv, importMeta, {
+async function run$m(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$j,
+    config: config$m,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$j);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$m);
     return;
   }
   await wrapNpx(argv);
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$i
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$l
 } = constants;
-const config$i = {
+const config$l = {
   commandName: 'oops',
   description: 'Trigger an intentional error (for development)',
   hidden: true,
@@ -4820,21 +4897,21 @@ const config$i = {
   `
 };
 const cmdOops = {
-  description: config$i.description,
-  hidden: config$i.hidden,
-  run: run$i
+  description: config$l.description,
+  hidden: config$l.hidden,
+  run: run$l
 };
-async function run$i(argv, importMeta, {
+async function run$l(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$i,
+    config: config$l,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$i);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$l);
     return;
   }
   throw new Error('This error was intentionally left blank');
@@ -5341,10 +5418,12 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
   spinner?.setText(`Adding overrides${workspaceName ? ` to ${workspaceName}` : ''}...`);
   const depAliasMap = new Map();
   const depEntries = getDependencyEntries(pkgJson);
-  const nodeRange = `>=${pkgEnvDetails.minimumNodeVersion}`;
   const manifestEntries = manifestNpmOverrides.filter(({
     1: data
-  }) => semver.satisfies(semver.coerce(data.engines.node), nodeRange));
+  }) => semver.satisfies(
+  // Roughly check Node range as semver.coerce will strip leading
+  // v's, carets (^), comparators (<,<=,>,>=,=), and tildes (~).
+  semver.coerce(data.engines.node), pkgEnvDetails.pkgRequirements.node));
 
   // Chunk package names to process them in parallel 3 at a time.
   await promises.pEach(manifestEntries, 3, async ({
@@ -5368,9 +5447,15 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
       const origSpec = objects.hasOwn(depObj, origPkgName) ? depObj[origPkgName] : undefined;
       if (origSpec) {
         let thisSpec = origSpec;
-        // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
+        // Add package aliases for direct dependencies to avoid npm EOVERRIDE
+        // errors...
         // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
-        if (!(thisSpec.startsWith(sockOverridePrefix) && semver.coerce(npa(thisSpec).rawSpec)?.version)) {
+        if (
+        // ...if the spec doesn't start with a valid Socket override.
+        !(thisSpec.startsWith(sockOverridePrefix) &&
+        // Check the validity of the spec by passing it through npa and
+        // seeing if it will coerce to a version.
+        semver.coerce(npa(thisSpec).rawSpec)?.version)) {
           thisSpec = sockOverrideSpec;
           depObj[origPkgName] = thisSpec;
           state.added.add(sockRegPkgName);
@@ -5414,7 +5499,13 @@ async function addOverrides(pkgPath, pkgEnvDetails, options) {
           } else if (typeof oldSpec === 'string') {
             const thisSpec = oldSpec.startsWith('$') ? depAlias || newSpec : oldSpec || newSpec;
             if (thisSpec.startsWith(sockOverridePrefix)) {
-              if (pin && semver.major(semver.coerce(npa(thisSpec).rawSpec)?.version ?? version) !== major) {
+              if (pin && semver.major(
+              // Check the validity of the spec by passing it through npa
+              // and seeing if it will coerce to a version. semver.coerce
+              // will strip leading v's, carets (^), comparators (<,<=,>,>=,=),
+              // and tildes (~). If not coerced to a valid version then
+              // default to the manifest entry version.
+              semver.coerce(npa(thisSpec).rawSpec)?.version ?? version) !== major) {
                 const otherVersion = (await packages.fetchPackageManifest(thisSpec))?.version;
                 if (otherVersion && otherVersion !== version) {
                   newSpec = `${sockOverridePrefix}${pin ? otherVersion : `^${semver.major(otherVersion)}`}`;
@@ -5551,9 +5642,9 @@ async function applyOptimization(cwd, pin, prod) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k
 } = constants;
-const config$h = {
+const config$k = {
   commandName: 'optimize',
   description: 'Optimize dependencies with @socketregistry overrides',
   hidden: false,
@@ -5583,22 +5674,22 @@ const config$h = {
   `
 };
 const cmdOptimize = {
-  description: config$h.description,
-  hidden: config$h.hidden,
-  run: run$h
+  description: config$k.description,
+  hidden: config$k.hidden,
+  run: run$k
 };
-async function run$h(argv, importMeta, {
+async function run$k(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$h,
+    config: config$k,
     importMeta,
     parentName
   });
   const cwd = process$1.cwd();
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$h);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$k);
     return;
   }
   await applyOptimization(cwd, Boolean(cli.flags['pin']), Boolean(cli.flags['prod']));
@@ -5672,10 +5763,10 @@ async function printOrganizationsFromToken(apiToken, format = 'text') {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$g
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$j
 } = constants;
-const config$g = {
-  commandName: 'organizations',
+const config$j = {
+  commandName: 'list',
   description: 'List organizations associated with the API key used',
   hidden: false,
   flags: {
@@ -5687,20 +5778,20 @@ const config$g = {
       $ ${command}
 
     Options
-      ${getFlagListOutput(config$g.flags, 6)}
+      ${getFlagListOutput(config$j.flags, 6)}
   `
 };
-const cmdOrganization = {
-  description: config$g.description,
-  hidden: config$g.hidden,
-  run: run$g
+const cmdOrganizationList = {
+  description: config$j.description,
+  hidden: config$j.hidden,
+  run: run$j
 };
-async function run$g(argv, importMeta, {
+async function run$j(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$g,
+    config: config$j,
     importMeta,
     parentName
   });
@@ -5719,115 +5810,366 @@ ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$g);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$j);
     return;
   }
   await getOrganization(json ? 'json' : markdown ? 'markdown' : 'text');
 }
 
-async function runRawNpm(argv) {
-  const spawnPromise = spawn.spawn(shadowNpmPaths.getNpmBinPath(), argv, {
-    stdio: 'inherit'
-  });
-  // See https://nodejs.org/api/all.html#all_child_process_event-exit.
-  spawnPromise.process.on('exit', (code, signalName) => {
-    if (signalName) {
-      process$1.kill(process$1.pid, signalName);
-    } else if (code !== null) {
-      process$1.exit(code);
-    }
-  });
-  await spawnPromise;
+async function getSecurityPolicy(orgSlug, format) {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await getSecurityPolicyWithToken(apiToken, orgSlug, format);
+}
+async function getSecurityPolicyWithToken(apiToken, orgSlug, format) {
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start('Fetching organization quota...');
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
+  const result = await handleApiCall(socketSdk.getOrgSecurityPolicy(orgSlug), 'looking up organization quota');
+  if (!result.success) {
+    handleUnsuccessfulApiResponse('getOrgSecurityPolicy', result);
+    return;
+  }
+  spinner.stop();
+  switch (format) {
+    case 'json':
+      {
+        logger.logger.log(JSON.stringify(result.data, null, 2));
+        return;
+      }
+    default:
+      {
+        logger.logger.log('# Security policy\n');
+        logger.logger.log(`The default security policy setting is: "${result.data.securityPolicyDefault}"\n`);
+        logger.logger.log('These are the security policies per setting for your organization:\n');
+        const data = result.data;
+        const rules = data.securityPolicyRules;
+        const entries = Object.entries(rules);
+        const mapped = entries.map(([key, value]) => [key, value.action]);
+        mapped.sort(([a], [b]) => a < b ? -1 : a > b ? 1 : 0);
+        logger.logger.log(mdTableOfPairs(mapped, ['name', 'action']));
+      }
+  }
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$f,
-  NPM
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$i
 } = constants;
-const config$f = {
-  commandName: 'raw-npm',
-  description: `Temporarily disable the Socket ${NPM} wrapper`,
-  hidden: false,
-  flags: {},
-  help: command => `
+
+// TODO: secret toplevel alias `socket security policy`?
+const config$i = {
+  commandName: 'security',
+  description: 'Retrieve the security policy of an organization.',
+  hidden: true,
+  flags: {
+    ...commonFlags,
+    ...outputFlags
+  },
+  help: (command, _config) => `
     Usage
-      $ ${command} <command>
+      $ ${command} <org slug>
+
+    Options
+      ${getFlagListOutput(config$i.flags, 6)}
+
+    Your API token will need the \`security-policy:read\` permission otherwise
+    the request will fail with an authentication error.
 
     Examples
-      $ ${command} install
+      $ ${command} mycorp
+      $ ${command} mycorp --json
   `
 };
-const cmdRawNpm = {
-  description: config$f.description,
-  hidden: config$f.hidden,
-  run: run$f
+const cmdOrganizationPolicyPolicy = {
+  description: config$i.description,
+  hidden: config$i.hidden,
+  run: run$i
 };
-async function run$f(argv, importMeta, {
+async function run$i(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
-    allowUnknownFlags: true,
     argv,
-    config: config$f,
+    config: config$i,
     importMeta,
     parentName
   });
+  const json = Boolean(cli.flags['json']);
+  const markdown = Boolean(cli.flags['markdown']);
+  const [orgSlug = ''] = cli.input;
+  if (!orgSlug || json && markdown) {
+    // Use exit status of 2 to indicate incorrect usage, generally invalid
+    // options or missing arguments.
+    // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
+    process.exitCode = 2;
+    logger.logger.fail(commonTags.stripIndents`
+${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+
+  - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
+  - The json and markdown flags cannot be both set ${json && markdown ? colors.red('(pick one!)') : colors.green('(ok)')}
+    `);
+    return;
+  }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$f);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$i);
     return;
   }
-  await runRawNpm(argv);
+  await getSecurityPolicy(orgSlug, json ? 'json' : markdown ? 'markdown' : 'text');
 }
 
-async function runRawNpx(argv) {
-  const spawnPromise = spawn.spawn(shadowNpmPaths.getNpxBinPath(), argv, {
-    stdio: 'inherit'
-  });
-  // See https://nodejs.org/api/all.html#all_child_process_event-exit.
-  spawnPromise.process.on('exit', (code, signalName) => {
-    if (signalName) {
-      process$1.kill(process$1.pid, signalName);
-    } else if (code !== null) {
-      process$1.exit(code);
-    }
-  });
-  await spawnPromise;
+const description$4 = 'Organization policy details';
+const cmdOrganizationPolicy = {
+  description: description$4,
+  // Hidden because it was broken all this time (nobody could be using it)
+  // and we're not sure if it's useful to anyone in its current state.
+  // Until we do, we'll hide this to keep the help tidier.
+  // And later, we may simply move this under `scan`, anyways.
+  hidden: true,
+  async run(argv, importMeta, {
+    parentName
+  }) {
+    await meowWithSubcommands({
+      security: cmdOrganizationPolicyPolicy
+    }, {
+      argv,
+      description: description$4,
+      defaultSub: 'list',
+      // Backwards compat
+      importMeta,
+      name: parentName + ' policy'
+    });
+  }
+};
+
+async function getQuota(format = 'text') {
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  await getQuotaWithToken(apiToken, format);
+}
+async function getQuotaWithToken(apiToken, format = 'text') {
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start('Fetching organization quota...');
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
+  const result = await handleApiCall(socketSdk.getQuota(), 'looking up organization quota');
+  if (!result.success) {
+    handleUnsuccessfulApiResponse('getQuota', result);
+    return;
+  }
+  spinner.stop();
+  switch (format) {
+    case 'json':
+      {
+        logger.logger.log(JSON.stringify({
+          quota: result.data.quota
+        }, null, 2));
+        return;
+      }
+    case 'markdown':
+      {
+        logger.logger.log('# Quota\n');
+        logger.logger.log(`Quota left on the current API token: ${result.data.quota}\n`);
+        return;
+      }
+    default:
+      {
+        logger.logger.log(`Quota left on the current API token: ${result.data.quota}\n`);
+      }
+  }
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$e,
-  NPX
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h
 } = constants;
-const config$e = {
-  commandName: 'raw-npx',
-  description: `Temporarily disable the Socket ${NPX} wrapper`,
-  hidden: false,
-  flags: {},
-  help: command => `
+const config$h = {
+  commandName: 'quota',
+  description: 'List organizations associated with the API key used',
+  hidden: true,
+  flags: {
+    ...commonFlags,
+    ...outputFlags
+  },
+  help: (command, _config) => `
     Usage
-      $ ${command} <command>
+      $ ${command}
 
-    Examples
-      $ ${command} install
+    Options
+      ${getFlagListOutput(config$h.flags, 6)}
   `
 };
-const cmdRawNpx = {
-  description: config$e.description,
-  hidden: config$e.hidden,
-  run: run$e
+const cmdOrganizationQuota = {
+  description: config$h.description,
+  hidden: config$h.hidden,
+  run: run$h
 };
-async function run$e(argv, importMeta, {
+async function run$h(argv, importMeta, {
+  parentName
+}) {
+  const cli = meowOrExit({
+    argv,
+    config: config$h,
+    importMeta,
+    parentName
+  });
+  const json = Boolean(cli.flags['json']);
+  const markdown = Boolean(cli.flags['markdown']);
+  if (json && markdown) {
+    // Use exit status of 2 to indicate incorrect usage, generally invalid
+    // options or missing arguments.
+    // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
+    process.exitCode = 2;
+    logger.logger.fail(commonTags.stripIndents`
+${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+
+  - The json and markdown flags cannot be both set, pick one
+    `);
+    return;
+  }
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$h);
+    return;
+  }
+  await getQuota(json ? 'json' : markdown ? 'markdown' : 'text');
+}
+
+const description$3 = 'Account details';
+const cmdOrganization = {
+  description: description$3,
+  // Hidden because it was broken all this time (nobody could be using it)
+  // and we're not sure if it's useful to anyone in its current state.
+  // Until we do, we'll hide this to keep the help tidier.
+  // And later, we may simply move this under `scan`, anyways.
+  hidden: true,
+  async run(argv, importMeta, {
+    parentName
+  }) {
+    await meowWithSubcommands({
+      list: cmdOrganizationList,
+      quota: cmdOrganizationQuota,
+      policy: cmdOrganizationPolicy
+    }, {
+      argv,
+      description: description$3,
+      defaultSub: 'list',
+      // Backwards compat
+      importMeta,
+      name: parentName + ' organization'
+    });
+  }
+};
+
+async function runRawNpm(argv) {
+  const spawnPromise = spawn.spawn(shadowNpmPaths.getNpmBinPath(), argv, {
+    stdio: 'inherit'
+  });
+  // See https://nodejs.org/api/all.html#all_child_process_event-exit.
+  spawnPromise.process.on('exit', (code, signalName) => {
+    if (signalName) {
+      process$1.kill(process$1.pid, signalName);
+    } else if (code !== null) {
+      process$1.exit(code);
+    }
+  });
+  await spawnPromise;
+}
+
+const {
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$g,
+  NPM
+} = constants;
+const config$g = {
+  commandName: 'raw-npm',
+  description: `Temporarily disable the Socket ${NPM} wrapper`,
+  hidden: false,
+  flags: {},
+  help: command => `
+    Usage
+      $ ${command} <command>
+
+    Examples
+      $ ${command} install
+  `
+};
+const cmdRawNpm = {
+  description: config$g.description,
+  hidden: config$g.hidden,
+  run: run$g
+};
+async function run$g(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     allowUnknownFlags: true,
     argv,
-    config: config$e,
+    config: config$g,
     importMeta,
     parentName
   });
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$e);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$g);
+    return;
+  }
+  await runRawNpm(argv);
+}
+
+async function runRawNpx(argv) {
+  const spawnPromise = spawn.spawn(shadowNpmPaths.getNpxBinPath(), argv, {
+    stdio: 'inherit'
+  });
+  // See https://nodejs.org/api/all.html#all_child_process_event-exit.
+  spawnPromise.process.on('exit', (code, signalName) => {
+    if (signalName) {
+      process$1.kill(process$1.pid, signalName);
+    } else if (code !== null) {
+      process$1.exit(code);
+    }
+  });
+  await spawnPromise;
+}
+
+const {
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$f,
+  NPX
+} = constants;
+const config$f = {
+  commandName: 'raw-npx',
+  description: `Temporarily disable the Socket ${NPX} wrapper`,
+  hidden: false,
+  flags: {},
+  help: command => `
+    Usage
+      $ ${command} <command>
+
+    Examples
+      $ ${command} install
+  `
+};
+const cmdRawNpx = {
+  description: config$f.description,
+  hidden: config$f.hidden,
+  run: run$f
+};
+async function run$f(argv, importMeta, {
+  parentName
+}) {
+  const cli = meowOrExit({
+    allowUnknownFlags: true,
+    argv,
+    config: config$f,
+    importMeta,
+    parentName
+  });
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$f);
     return;
   }
   await runRawNpx(argv);
@@ -5876,8 +6218,8 @@ async function createReport(socketConfig, inputPaths, {
 }
 
 async function getSocketConfig(absoluteConfigPath) {
-  const socketConfig = await config$A.readSocketConfig(absoluteConfigPath).catch(cause => {
-    if (cause && typeof cause === 'object' && cause instanceof config$A.SocketValidationError) {
+  const socketConfig = await config$D.readSocketConfig(absoluteConfigPath).catch(cause => {
+    if (cause && typeof cause === 'object' && cause instanceof config$D.SocketValidationError) {
       // Inspired by workbox-build:
       // https://github.com/GoogleChrome/workbox/blob/95f97a207fd51efb3f8a653f6e3e58224183a778/packages/workbox-build/src/lib/validate-options.ts#L68-L71
       const betterErrors = betterAjvErrors.betterAjvErrors({
@@ -5898,12 +6240,13 @@ async function getSocketConfig(absoluteConfigPath) {
 
 const MAX_TIMEOUT_RETRY = 5;
 const HTTP_CODE_TIMEOUT = 524;
-async function fetchReportData(reportId, includeAllIssues, strict) {
+async function fetchReportData$1(reportId, includeAllIssues, strict) {
   // Lazily access constants.spinner.
   const {
     spinner
   } = constants;
-  spinner.start(`Fetching report with ID ${reportId} (this could take a while)`);
+  spinner.log('Fetching report with ID ${reportId} (this could take a while)');
+  spinner.start(`Fetch started... (this could take a while)`);
   const socketSdk = await shadowNpmInject.setupSdk();
   let result;
   for (let retry = 1; !result; ++retry) {
@@ -5912,9 +6255,10 @@ async function fetchReportData(reportId, includeAllIssues, strict) {
       result = await handleApiCall(socketSdk.getReport(reportId), 'fetching report');
     } catch (err) {
       if (retry >= MAX_TIMEOUT_RETRY || !(err instanceof Error) || err.cause?.cause?.response?.statusCode !== HTTP_CODE_TIMEOUT) {
-        spinner.stop();
+        spinner.stop(`Failed to fetch report`);
         throw err;
       }
+      spinner?.fail(`Retrying report fetch ${retry} / ${MAX_TIMEOUT_RETRY}`);
     }
   }
   if (!result.success) {
@@ -5939,17 +6283,20 @@ async function fetchReportData(reportId, includeAllIssues, strict) {
   return result.data;
 }
 
-function formatReportDataOutput(reportId, data, commandName, outputJson, outputMarkdown, strict) {
-  if (outputJson) {
+function formatReportDataOutput(reportId, data, commandName, outputKind, strict, artifacts) {
+  if (outputKind === 'json') {
     logger.logger.log(JSON.stringify(data, undefined, 2));
   } else {
-    const format = new shadowNpmInject.ColorOrMarkdown(outputMarkdown);
+    const format = new shadowNpmInject.ColorOrMarkdown(outputKind === 'markdown');
     logger.logger.log(commonTags.stripIndents`
       Detailed info on socket.dev: ${format.hyperlink(reportId, data.url, {
       fallbackToUrl: true
     })}`);
-    if (!outputMarkdown) {
+    if (outputKind === 'print') {
+      logger.logger.log(data);
       logger.logger.log(colors.dim(`Or rerun ${colors.italic(commandName)} using the ${colors.italic('--json')} flag to get full JSON output`));
+      logger.logger.log('The scan:');
+      logger.logger.log(artifacts);
     }
   }
   if (strict && !data.healthy) {
@@ -5957,23 +6304,55 @@ function formatReportDataOutput(reportId, data, commandName, outputJson, outputM
   }
 }
 
+async function getFullScan(orgSlug, fullScanId) {
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  const apiToken = shadowNpmInject.getDefaultToken();
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
+  }
+  spinner.start('Fetching full-scan...');
+  const response = await queryAPI(`orgs/${orgSlug}/full-scans/${encodeURIComponent(fullScanId)}`, apiToken);
+  spinner.stop('Fetch complete.');
+  if (!response.ok) {
+    const err = await handleAPIError(response.status);
+    logger.logger.fail(`${colors.bgRed(colors.white(response.statusText))}: Fetch error: ${err}`);
+    return;
+  }
+
+  // This is nd-json; each line is a json object
+  const jsons = await response.text();
+  const lines = jsons.split('\n').filter(Boolean);
+  const data = lines.map(line => {
+    try {
+      return JSON.parse(line);
+    } catch {
+      console.error('At least one line item was returned that could not be parsed as JSON...');
+      return {};
+    }
+  });
+  return data;
+}
+
 async function viewReport(reportId, {
   all,
   commandName,
-  json,
-  markdown,
+  outputKind,
   strict
 }) {
-  const result = await fetchReportData(reportId, all, strict);
+  const result = await fetchReportData$1(reportId, all, strict);
+  const artifacts = await getFullScan('socketdev', reportId);
   if (result) {
-    formatReportDataOutput(reportId, result, commandName, json, markdown, strict);
+    formatReportDataOutput(reportId, result, commandName, outputKind, strict, artifacts);
   }
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$d
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$e
 } = constants;
-const config$d = {
+const config$e = {
   commandName: 'create',
   description: '[Deprecated] Create a project report',
   hidden: false,
@@ -5994,21 +6373,21 @@ const config$d = {
     }
   },
   help: () => `
-    This command is deprecated in favor of \`socket scan create\`.
+    This command is deprecated in favor of \`socket scan view\`.
     It will be removed in the next major release of the CLI.
   `
 };
 const cmdReportCreate = {
-  description: config$d.description,
-  hidden: config$d.hidden,
-  run: run$d
+  description: config$e.description,
+  hidden: config$e.hidden,
+  run: run$e
 };
-async function run$d(argv, importMeta, {
+async function run$e(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$d,
+    config: config$e,
     importMeta,
     parentName
   });
@@ -6025,7 +6404,7 @@ async function run$d(argv, importMeta, {
 
   // Note exiting earlier to skirt a hidden auth requirement
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$d);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$e);
     return;
   }
   const socketConfig = await getSocketConfig(absoluteConfigPath);
@@ -6033,15 +6412,14 @@ async function run$d(argv, importMeta, {
     cwd,
     dryRun
   });
-  const commandName = `${parentName} ${config$d.commandName}`;
+  const commandName = `${parentName} ${config$e.commandName}`;
   if (result?.success) {
     if (view) {
       const reportId = result.data.id;
       await viewReport(reportId, {
         all: includeAllIssues,
         commandName,
-        json,
-        markdown,
+        outputKind: json ? 'json' : markdown ? 'markdown' : 'print',
         strict
       });
     } else if (json) {
@@ -6056,9 +6434,9 @@ async function run$d(argv, importMeta, {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$c
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$d
 } = constants;
-const config$c = {
+const config$d = {
   commandName: 'view',
   description: '[Deprecated] View a project report',
   hidden: false,
@@ -6073,16 +6451,16 @@ const config$c = {
   `
 };
 const cmdReportView = {
-  description: config$c.description,
-  hidden: config$c.hidden,
-  run: run$c
+  description: config$d.description,
+  hidden: config$d.hidden,
+  run: run$d
 };
-async function run$c(argv, importMeta, {
+async function run$d(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$c,
+    config: config$d,
     importMeta,
     parentName
   });
@@ -6102,14 +6480,13 @@ async function run$c(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$c);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$d);
     return;
   }
   await viewReport(reportId, {
     all: Boolean(cli.flags['all']),
-    commandName: `${parentName} ${config$c.commandName}`,
-    json: Boolean(cli.flags['json']),
-    markdown: Boolean(cli.flags['markdown']),
+    commandName: `${parentName} ${config$d.commandName}`,
+    outputKind: cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print',
     strict: Boolean(cli.flags['strict'])
   });
 }
@@ -6186,9 +6563,9 @@ async function createRepoWithToken({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$b
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$c
 } = constants;
-const config$b = {
+const config$c = {
   commandName: 'create',
   description: 'Create a repository in an organization',
   hidden: false,
@@ -6237,16 +6614,16 @@ const config$b = {
   `
 };
 const cmdReposCreate = {
-  description: config$b.description,
-  hidden: config$b.hidden,
-  run: run$b
+  description: config$c.description,
+  hidden: config$c.hidden,
+  run: run$c
 };
-async function run$b(argv, importMeta, {
+async function run$c(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$b,
+    config: config$c,
     importMeta,
     parentName
   });
@@ -6265,7 +6642,7 @@ async function run$b(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$b);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$c);
     return;
   }
   await createRepo({
@@ -6301,9 +6678,9 @@ async function deleteRepoWithToken(orgSlug, repoName, apiToken) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$a
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$b
 } = constants;
-const config$a = {
+const config$b = {
   commandName: 'del',
   description: 'Delete a repository in an organization',
   hidden: false,
@@ -6322,16 +6699,16 @@ const config$a = {
   `
 };
 const cmdReposDel = {
-  description: config$a.description,
-  hidden: config$a.hidden,
-  run: run$a
+  description: config$b.description,
+  hidden: config$b.hidden,
+  run: run$b
 };
-async function run$a(argv, importMeta, {
+async function run$b(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$a,
+    config: config$b,
     importMeta,
     parentName
   });
@@ -6351,7 +6728,7 @@ async function run$a(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$a);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$b);
     return;
   }
   await deleteRepo(orgSlug, repoName);
@@ -6439,9 +6816,9 @@ async function listReposWithToken({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$9
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$a
 } = constants;
-const config$9 = {
+const config$a = {
   commandName: 'list',
   description: 'List repositories in an organization',
   hidden: false,
@@ -6484,16 +6861,16 @@ const config$9 = {
   `
 };
 const cmdReposList = {
-  description: config$9.description,
-  hidden: config$9.hidden,
-  run: run$9
+  description: config$a.description,
+  hidden: config$a.hidden,
+  run: run$a
 };
-async function run$9(argv, importMeta, {
+async function run$a(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$9,
+    config: config$a,
     importMeta,
     parentName
   });
@@ -6511,7 +6888,7 @@ async function run$9(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$9);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$a);
     return;
   }
   await listRepos({
@@ -6577,9 +6954,9 @@ async function updateRepoWithToken({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$8
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$9
 } = constants;
-const config$8 = {
+const config$9 = {
   commandName: 'update',
   description: 'Update a repository in an organization',
   hidden: false,
@@ -6628,16 +7005,16 @@ const config$8 = {
   `
 };
 const cmdReposUpdate = {
-  description: config$8.description,
-  hidden: config$8.hidden,
-  run: run$8
+  description: config$9.description,
+  hidden: config$9.hidden,
+  run: run$9
 };
-async function run$8(argv, importMeta, {
+async function run$9(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$8,
+    config: config$9,
     importMeta,
     parentName
   });
@@ -6658,7 +7035,7 @@ async function run$8(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$8);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$9);
     return;
   }
   await updateRepo({
@@ -6741,9 +7118,9 @@ async function viewRepoWithToken(orgSlug, repoName, apiToken, outputKind) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$7
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$8
 } = constants;
-const config$7 = {
+const config$8 = {
   commandName: 'view',
   description: 'View repositories in an organization',
   hidden: false,
@@ -6768,16 +7145,16 @@ const config$7 = {
   `
 };
 const cmdReposView = {
-  description: config$7.description,
-  hidden: config$7.hidden,
-  run: run$7
+  description: config$8.description,
+  hidden: config$8.hidden,
+  run: run$8
 };
-async function run$7(argv, importMeta, {
+async function run$8(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$7,
+    config: config$8,
     importMeta,
     parentName
   });
@@ -6798,7 +7175,7 @@ async function run$7(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$7);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$8);
     return;
   }
   await viewRepo(orgSlug, repoName, cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print');
@@ -7109,9 +7486,9 @@ async function createFullScan({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$6
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$7
 } = constants;
-const config$6 = {
+const config$7 = {
   commandName: 'create',
   description: 'Create a scan',
   hidden: false,
@@ -7216,16 +7593,16 @@ const config$6 = {
   `
 };
 const cmdScanCreate = {
-  description: config$6.description,
-  hidden: config$6.hidden,
-  run: run$6
+  description: config$7.description,
+  hidden: config$7.hidden,
+  run: run$7
 };
-async function run$6(argv, importMeta, {
+async function run$7(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$6,
+    config: config$7,
     importMeta,
     parentName
   });
@@ -7263,7 +7640,7 @@ async function run$6(argv, importMeta, {
 
   // Note exiting earlier to skirt a hidden auth requirement
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$6);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$7);
     return;
   }
   await createFullScan({
@@ -7306,9 +7683,9 @@ async function deleteOrgFullScanWithToken(orgSlug, fullScanId, apiToken) {
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$5
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$6
 } = constants;
-const config$5 = {
+const config$6 = {
   commandName: 'del',
   description: 'Delete a scan',
   hidden: false,
@@ -7328,16 +7705,16 @@ const config$5 = {
   `
 };
 const cmdScanDel = {
-  description: config$5.description,
-  hidden: config$5.hidden,
-  run: run$5
+  description: config$6.description,
+  hidden: config$6.hidden,
+  run: run$6
 };
-async function run$5(argv, importMeta, {
+async function run$6(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$5,
+    config: config$6,
     importMeta,
     parentName
   });
@@ -7355,7 +7732,7 @@ async function run$5(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$5);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$6);
     return;
   }
   await deleteOrgFullScan(orgSlug, fullScanId);
@@ -7449,11 +7826,11 @@ async function listFullScansWithToken({
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$4
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$5
 } = constants;
-const config$4 = {
+const config$5 = {
   commandName: 'list',
-  description: 'List the full scans for an organization',
+  description: 'List the scans for an organization',
   hidden: false,
   flags: {
     ...commonFlags,
@@ -7507,16 +7884,16 @@ const config$4 = {
   `
 };
 const cmdScanList = {
-  description: config$4.description,
-  hidden: config$4.hidden,
-  run: run$4
+  description: config$5.description,
+  hidden: config$5.hidden,
+  run: run$5
 };
-async function run$4(argv, importMeta, {
+async function run$5(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$4,
+    config: config$5,
     importMeta,
     parentName
   });
@@ -7532,7 +7909,7 @@ async function run$4(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$4);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$5);
     return;
   }
   await listFullScans({
@@ -7587,11 +7964,11 @@ async function getOrgScanMetadataWithToken(orgSlug, scanId, apiToken, outputKind
 }
 
 const {
-  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$3
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$4
 } = constants;
-const config$3 = {
+const config$4 = {
   commandName: 'metadata',
-  description: "Get a full scan's metadata",
+  description: "Get a scan's metadata",
   hidden: false,
   flags: {
     ...commonFlags,
@@ -7609,16 +7986,16 @@ const config$3 = {
   `
 };
 const cmdScanMetadata = {
-  description: config$3.description,
-  hidden: config$3.hidden,
-  run: run$3
+  description: config$4.description,
+  hidden: config$4.hidden,
+  run: run$4
 };
-async function run$3(argv, importMeta, {
+async function run$4(argv, importMeta, {
   parentName
 }) {
   const cli = meowOrExit({
     argv,
-    config: config$3,
+    config: config$4,
     importMeta,
     parentName
   });
@@ -7636,33 +8013,588 @@ async function run$3(argv, importMeta, {
     return;
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$3);
+    logger.logger.log(DRY_RUN_BAIL_TEXT$4);
     return;
   }
   await getOrgScanMetadata(orgSlug, fullScanId, cli.flags['json'] ? 'json' : cli.flags['markdown'] ? 'markdown' : 'print');
 }
 
-async function streamFullScan(orgSlug, fullScanId, file) {
+/**
+ * This fetches all the relevant pieces of data to generate a report, given a
+ * full scan ID.
+ * It can optionally only fetch the security or license side of things.
+ */
+async function fetchReportData(orgSlug, fullScanId,
+// includeLicensePolicy: boolean,
+includeSecurityPolicy) {
+  let haveScan = false;
+  // let haveLicensePolicy = false
+  let haveSecurityPolicy = false;
+
   // Lazily access constants.spinner.
   const {
     spinner
   } = constants;
+  function updateProgress() {
+    const needs = [!haveScan ? 'scan' : undefined,
+    // includeLicensePolicy && !haveLicensePolicy ? 'license policy' : undefined,
+    includeSecurityPolicy && !haveSecurityPolicy ? 'security policy' : undefined].filter(Boolean);
+    if (needs.length > 2) {
+      // .toOxford()
+      needs[needs.length - 1] = `and ${needs[needs.length - 1]}`;
+    }
+    const haves = [haveScan ? 'scan' : undefined,
+    // includeLicensePolicy && haveLicensePolicy ? 'license policy' : undefined,
+    includeSecurityPolicy && haveSecurityPolicy ? 'security policy' : undefined].filter(Boolean);
+    if (haves.length > 2) {
+      // .toOxford()
+      haves[haves.length - 1] = `and ${haves[haves.length - 1]}`;
+    }
+    if (needs.length) {
+      spinner.start(`Fetching ${needs.join(needs.length > 2 ? ', ' : ' and ')}...${haves.length ? ` Completed fetching ${haves.join(haves.length > 2 ? ', ' : ' and ')}.` : ''}`);
+    } else {
+      spinner?.successAndStop(`Completed fetching ${haves.join(haves.length > 2 ? ', ' : ' and ')}.`);
+    }
+  }
   const apiToken = shadowNpmInject.getDefaultToken();
   if (!apiToken) {
     throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
-  spinner.start('Fetching scan...');
+  updateProgress();
   const socketSdk = await shadowNpmInject.setupSdk(apiToken);
-  const data = await handleApiCall(socketSdk.getOrgFullScan(orgSlug, fullScanId, file === '-' ? undefined : file), 'Fetching a scan');
-  if (!data?.success) {
-    handleUnsuccessfulApiResponse('getOrgFullScan', data);
+
+  // @ts-ignore
+  const [scan,
+  // licensePolicyMaybe,
+  securityPolicyMaybe] = await Promise.all([(async () => {
+    try {
+      const response = await queryAPI(`orgs/${orgSlug}/full-scans/${encodeURIComponent(fullScanId)}`, apiToken);
+      haveScan = true;
+      updateProgress();
+      if (!response.ok) {
+        const err = await handleAPIError(response.status);
+        logger.logger.fail(`${colors.bgRed(colors.white(response.statusText))}: Fetch error: ${err}`);
+        return undefined;
+      }
+      const jsons = await response.text();
+      const lines = jsons.split('\n').filter(Boolean);
+      const data = lines.map(line => {
+        try {
+          return JSON.parse(line);
+        } catch {
+          console.error('At least one line item was returned that could not be parsed as JSON...');
+          return;
+        }
+      });
+      return data;
+    } catch (e) {
+      spinner.errorAndStop('There was an issue while fetching full scan data.');
+      throw e;
+    }
+  })(),
+  // includeLicensePolicy &&
+  //   (async () => {
+  //     const r = await socketSdk.getOrgSecurityPolicy(orgSlug)
+  //     haveLicensePolicy = true
+  //     updateProgress()
+  //     return await handleApiCall(
+  //       r,
+  //       "looking up organization's license policy"
+  //     )
+  //   })(),
+  includeSecurityPolicy && (async () => {
+    const r = await socketSdk.getOrgSecurityPolicy(orgSlug);
+    haveSecurityPolicy = true;
+    updateProgress();
+    return await handleApiCall(r, "looking up organization's security policy");
+  })()]).finally(() => spinner.stop());
+  if (!Array.isArray(scan)) {
+    logger.logger.error('Was unable to fetch scan, bailing');
+    process.exitCode = 1;
+    return {
+      ok: false,
+      scan: undefined,
+      // licensePolicy: undefined,
+      securityPolicy: undefined
+    };
+  }
+
+  // // Note: security->license once the api ships in the sdk
+  // let licensePolicy: undefined | SocketSdkReturnType<'getOrgSecurityPolicy'> =
+  //   undefined
+  // if (includeLicensePolicy) {
+  //   if (licensePolicyMaybe && licensePolicyMaybe.success) {
+  //     licensePolicy = licensePolicyMaybe
+  //   } else {
+  //     logger.error('Was unable to fetch license policy, bailing')
+  //     process.exitCode = 1
+  //     return {
+  //       ok: false,
+  //       scan: undefined,
+  //       licensePolicy: undefined,
+  //       securityPolicy: undefined
+  //     }
+  //   }
+  // }
+
+  let securityPolicy = undefined;
+  if (includeSecurityPolicy) {
+    if (securityPolicyMaybe && securityPolicyMaybe.success) {
+      securityPolicy = securityPolicyMaybe;
+    } else {
+      logger.logger.error('Was unable to fetch security policy, bailing');
+      process.exitCode = 1;
+      return {
+        ok: false,
+        scan: undefined,
+        // licensePolicy: undefined,
+        securityPolicy: undefined
+      };
+    }
+  }
+  return {
+    ok: true,
+    scan,
+    // licensePolicy,
+    securityPolicy
+  };
+}
+
+function generateReport(scan, _licensePolicy, securityPolicy, {
+  fold,
+  orgSlug,
+  reportLevel,
+  scanId,
+  short
+}) {
+  const now = Date.now();
+
+  // Lazily access constants.spinner.
+  const {
+    spinner
+  } = constants;
+  spinner.start('Generating report...');
+
+  // Create an object that includes:
+  //   healthy: boolean
+  //   worst violation level;
+  //   per eco
+  //     per package
+  //       per version
+  //         per offending file
+  //           reported issue -> policy action
+
+  // In the context of a report;
+  // - the alert.severity is irrelevant
+  // - the securityPolicyDefault is irrelevant
+  // - the report defaults to healthy:true with no alerts
+  // - the appearance of an alert will trigger the policy action;
+  //   - error: healthy will end up as false, add alerts to report
+  //   - warn: healthy unchanged, add alerts to report
+  //   - monitor/ignore: no action
+  //   - defer: unknown (no action)
+
+  const violations = new Map();
+  let healthy = true;
+  const securityRules = securityPolicy?.data.securityPolicyRules;
+  if (securityPolicy && securityRules) {
+    // Note: reportLevel: error > warn > monitor > ignore > defer
+    scan.forEach(artifact => {
+      const {
+        alerts,
+        name: pkgName = '<unknown>',
+        type: ecosystem,
+        version = '<unknown>'
+      } = artifact;
+      alerts?.forEach(alert => {
+        const alertName = alert.type; // => policy[type]
+        const action = securityRules[alertName]?.action || '';
+        switch (action) {
+          case 'error':
+            {
+              healthy = false;
+              if (!short) {
+                addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
+              }
+              break;
+            }
+          case 'warn':
+            {
+              if (!short && reportLevel !== 'error') {
+                addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
+              }
+              break;
+            }
+          case 'monitor':
+            {
+              if (!short && reportLevel !== 'warn' && reportLevel !== 'error') {
+                addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
+              }
+              break;
+            }
+          case 'ignore':
+            {
+              if (!short && reportLevel !== 'warn' && reportLevel !== 'error' && reportLevel !== 'monitor') {
+                addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
+              }
+              break;
+            }
+          case 'defer':
+            {
+              // Not sure but ignore for now. Defer to later ;)
+              if (!short && reportLevel === 'defer') {
+                addAlert(artifact, violations, fold, ecosystem, pkgName, version, alert, action);
+              }
+              break;
+            }
+        }
+      });
+    });
+  }
+  spinner.successAndStop(`Generated reported in ${Date.now() - now} ms`);
+  const report = short ? {
+    healthy
+  } : {
+    healthy,
+    orgSlug,
+    scanId,
+    options: {
+      fold,
+      reportLevel
+    },
+    alerts: violations
+  };
+  return report;
+}
+function createLeaf(art, alert, policyAction) {
+  const leaf = {
+    type: alert.type,
+    policy: policyAction,
+    url: `https://socket.dev/${art.type}/package/${art.name}/${art.version}`,
+    manifest: art.manifestFiles?.map(obj => obj.file) ?? []
+  };
+  return leaf;
+}
+function addAlert(art, violations, foldSetting, ecosystem, pkgName, version, alert, policyAction) {
+  if (!violations.has(ecosystem)) violations.set(ecosystem, new Map());
+  const ecomap = violations.get(ecosystem);
+  if (foldSetting === 'pkg') {
+    const existing = ecomap.get(pkgName);
+    if (!existing || isStricterPolicy(existing.policy, policyAction)) {
+      ecomap.set(pkgName, createLeaf(art, alert, policyAction));
+    }
+  } else {
+    if (!ecomap.has(pkgName)) ecomap.set(pkgName, new Map());
+    const pkgmap = ecomap.get(pkgName);
+    if (foldSetting === 'version') {
+      const existing = pkgmap.get(version);
+      if (!existing || isStricterPolicy(existing.policy, policyAction)) {
+        pkgmap.set(version, createLeaf(art, alert, policyAction));
+      }
+    } else {
+      if (!pkgmap.has(version)) pkgmap.set(version, new Map());
+      const file = alert.file || '<unknown>';
+      const vermap = pkgmap.get(version);
+      if (foldSetting === 'file') {
+        const existing = vermap.get(file);
+        if (!existing || isStricterPolicy(existing.policy, policyAction)) {
+          vermap.set(file, createLeaf(art, alert, policyAction));
+        }
+      } else {
+        if (!vermap.has(file)) vermap.set(file, new Map());
+        const key = `${alert.type} at ${alert.start}:${alert.end}`;
+        const filemap = vermap.get(file);
+        const existing = filemap.get(key);
+        if (!existing || isStricterPolicy(existing.policy, policyAction)) {
+          filemap.set(key, createLeaf(art, alert, policyAction));
+        }
+      }
+    }
+  }
+}
+function isStricterPolicy(was, is) {
+  // error > warn > monitor > ignore > defer > {unknown}
+  if (was === 'error') return false;
+  if (is === 'error') return true;
+  if (was === 'warn') return false;
+  if (is === 'warn') return false;
+  if (was === 'monitor') return false;
+  if (is === 'monitor') return false;
+  if (was === 'ignore') return false;
+  if (is === 'ignore') return false;
+  if (was === 'defer') return false;
+  if (is === 'defer') return false;
+  // unreachable?
+  return false;
+}
+
+/**
+ * Convert a Map<string, Map|string> to a nested object of similar shape.
+ * The goal is to serialize it with JSON.stringify, which Map can't do.
+ */
+function mapToObject(map) {
+  return Object.fromEntries(Array.from(map.entries()).map(([k, v]) => [k, v instanceof Map ? mapToObject(v) : v]));
+}
+
+function* walkNestedMap(map, keys = []) {
+  for (const [key, value] of map.entries()) {
+    if (value instanceof Map) {
+      yield* walkNestedMap(value, keys.concat(key));
+    } else {
+      yield {
+        keys: keys.concat(key),
+        value: value
+      };
+    }
+  }
+}
+
+async function reportFullScan({
+  filePath,
+  fold,
+  fullScanId,
+  includeLicensePolicy,
+  includeSecurityPolicy,
+  orgSlug,
+  outputKind,
+  reportLevel,
+  short
+}) {
+  logger.logger.error('output:', outputKind, ', file:', filePath, ', fold:', fold, ', reportLevel:', reportLevel);
+  if (!includeSecurityPolicy) {
+    return; // caller should assert
+  }
+  const {
+    // licensePolicy,
+    ok,
+    scan,
+    securityPolicy
+  } = await fetchReportData(orgSlug, fullScanId,
+  // includeLicensePolicy
+  includeSecurityPolicy);
+  if (!ok) {
     return;
   }
-  spinner?.successAndStop(file ? `Full scan details written to ${file}` : 'stdout');
-  return data;
+  const scanReport = generateReport(scan, undefined,
+  // licensePolicy,
+  securityPolicy, {
+    orgSlug,
+    scanId: fullScanId,
+    fold,
+    short,
+    reportLevel
+  });
+  if (!scanReport.healthy) {
+    process.exitCode = 1;
+  }
+  if (outputKind === 'json' || outputKind === 'text' && filePath && filePath.endsWith('.json')) {
+    const json = short ? JSON.stringify(scanReport) : toJsonReport(scanReport);
+    if (filePath && filePath !== '-') {
+      logger.logger.log('Writing json report to', filePath);
+      return await fs$1.writeFile(filePath, json);
+    }
+    logger.logger.log(json);
+    return;
+  }
+  if (outputKind === 'markdown' || filePath && filePath.endsWith('.md')) {
+    const md = short ? `healthy = ${scanReport.healthy}` : toMarkdownReport(scanReport);
+    if (filePath && filePath !== '-') {
+      logger.logger.log('Writing markdown report to', filePath);
+      return await fs$1.writeFile(filePath, md);
+    }
+    logger.logger.log(md);
+    return;
+  }
+  if (short) {
+    logger.logger.log(scanReport.healthy ? 'OK' : 'ERR');
+  } else {
+    logger.logger.dir(scanReport, {
+      depth: null
+    });
+  }
 }
+function toJsonReport(report) {
+  const obj = mapToObject(report.alerts);
+  const json = JSON.stringify({
+    ...report,
+    alerts: obj
+  }, null, 2);
+  return json;
+}
+function toMarkdownReport(report) {
+  const flatData = Array.from(walkNestedMap(report.alerts)).map(({
+    keys,
+    value
+  }) => {
+    const {
+      manifest,
+      policy,
+      type,
+      url
+    } = value;
+    return {
+      'Alert Type': type,
+      Package: keys[1] || '<unknown>',
+      'Introduced by': keys[2] || '<unknown>',
+      url,
+      'Manifest file': manifest.join(', '),
+      Policy: policy
+    };
+  });
+  const md = `
+# Scan Policy Report
 
-async function getFullScan(orgSlug, fullScanId) {
+This report tells you whether the results of a Socket scan results violate the
+security or license policy set by your organization.
+
+## Health status
+
+${report.healthy ? 'The scan *PASSES* all requirements set by your security and license policy.' : 'The scan *VIOLATES* one or more policies set to the "error" level.'}
+
+## Settings
+
+Configuration used to generate this report:
+
+- Organization: ${report.orgSlug}
+- Scan ID: ${report.scanId}
+- Alert folding: ${report.options.fold === 'none' ? 'none' : `up to ${report.options.fold}`}
+- Minimal policy level for alert to be included in report: ${report.options.reportLevel === 'defer' ? 'everything' : report.options.reportLevel}
+
+## Alerts
+
+${report.alerts.size ? `All the alerts from the scan with a policy set to at least "${report.options.reportLevel}"}.` : `The scan contained no alerts for with a policy set to at least "${report.options.reportLevel}".`}
+
+${!report.alerts.size ? '' : mdTable(flatData, ['Policy', 'Alert Type', 'Package', 'Introduced by', 'url', 'Manifest file'])}
+  `.trim() + '\n';
+  return md;
+}
+
+const {
+  DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$3
+} = constants;
+const config$3 = {
+  commandName: 'report',
+  description: 'Check whether a scan result passes the organizational policies (security, license)',
+  hidden: true,
+  // [beta]
+  flags: {
+    ...commonFlags,
+    ...outputFlags,
+    fold: {
+      type: 'string',
+      default: 'none',
+      description: 'Fold reported alerts to some degree'
+    },
+    reportLevel: {
+      type: 'string',
+      default: 'warn',
+      description: 'Which policy level alerts should be reported'
+    },
+    short: {
+      type: 'boolean',
+      default: false,
+      description: 'Report only the healthy status'
+    },
+    // license: {
+    //   type: 'boolean',
+    //   default: true,
+    //   description: 'Report the license policy status. Default: true'
+    // },
+    security: {
+      type: 'boolean',
+      default: true,
+      description: 'Report the security policy status. Default: true'
+    }
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command} <org slug> <scan ID> [path to output file]
+
+    Options
+      ${getFlagListOutput(config.flags, 6)}
+
+    This consumes 1 quota unit plus 1 for each of the requested policy types.
+
+    Note: By default it reports both so by default it consumes 3 quota units.
+
+    Your API token will need the \`full-scans:list\` scope regardless. Additionally
+    it needs \`security-policy:read\` to report on the security policy.
+
+    By default the result is a nested object that looks like this:
+      \`{[ecosystem]: {[pkgName]: {[version]: {[file]: {[type:loc]: policy}}}}\`
+    You can fold this up to given level: 'pkg', 'version', 'file', and 'none'.
+
+    By default only the warn and error policy level alerts are reported. You can
+    override this and request more ('defer' < 'ignore' < 'monitor' < 'warn' < 'error')
+
+    Short responses: JSON: \`{healthy:bool}\`, markdown: \`healthy = bool\`, text: \`OK/ERR\`
+
+    Examples
+      $ ${command} FakeOrg 000aaaa1-0000-0a0a-00a0-00a0000000a0 --json --fold=version
+  `
+};
+const cmdScanReport = {
+  description: config$3.description,
+  hidden: config$3.hidden,
+  run: run$3
+};
+async function run$3(argv, importMeta, {
+  parentName
+}) {
+  const cli = meowOrExit({
+    argv,
+    config: config$3,
+    importMeta,
+    parentName
+  });
+  const {
+    fold = 'none',
+    json,
+    // license,
+    markdown,
+    reportLevel = 'warn',
+    security
+  } = cli.flags;
+  const [orgSlug = '', fullScanId = '', file = '-'] = cli.input;
+  if (!orgSlug || !fullScanId ||
+  // (!license && !security) ||
+  json && markdown) {
+    // Use exit status of 2 to indicate incorrect usage, generally invalid
+    // options or missing arguments.
+    // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
+    process.exitCode = 2;
+    logger.logger.fail(commonTags.stripIndents`
+      ${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:
+
+      - Org name as the first argument ${!orgSlug ? colors.red('(missing!)') : colors.green('(ok)')}
+
+      - Full Scan ID to fetch as second argument ${!fullScanId ? colors.red('(missing!)') : colors.green('(ok)')}
+
+      - Not both the --json and --markdown flags ${json && markdown ? colors.red('(pick one!)') : colors.green('(ok)')}
+    `
+    // - At least one policy to report ${!license && !security ? colors.red('(do not omit both!)') : colors.green('(ok)')}
+    );
+    return;
+  }
+  if (cli.flags['dryRun']) {
+    logger.logger.log(DRY_RUN_BAIL_TEXT$3);
+    return;
+  }
+  await reportFullScan({
+    orgSlug,
+    fullScanId,
+    includeLicensePolicy: false,
+    // !!license,
+    includeSecurityPolicy: typeof security === 'boolean' ? security : true,
+    outputKind: json ? 'json' : markdown ? 'markdown' : 'text',
+    filePath: file,
+    fold: fold,
+    short: !!cli.flags['short'],
+    reportLevel: reportLevel
+  });
+}
+
+async function streamFullScan(orgSlug, fullScanId, file) {
   // Lazily access constants.spinner.
   const {
     spinner
@@ -7671,26 +8603,14 @@ async function getFullScan(orgSlug, fullScanId) {
   if (!apiToken) {
     throw new shadowNpmInject.AuthError('User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.');
   }
-  spinner.start('Fetching full-scan...');
-  const response = await queryAPI(`orgs/${orgSlug}/full-scans/${encodeURIComponent(fullScanId)}`, apiToken);
-  spinner.stop('Fetch complete.');
-  if (!response.ok) {
-    const err = await handleAPIError(response.status);
-    logger.logger.fail(`${colors.bgRed(colors.white(response.statusText))}: Fetch error: ${err}`);
+  spinner.start('Fetching scan...');
+  const socketSdk = await shadowNpmInject.setupSdk(apiToken);
+  const data = await handleApiCall(socketSdk.getOrgFullScan(orgSlug, fullScanId, file === '-' ? undefined : file), 'Fetching a scan');
+  if (!data?.success) {
+    handleUnsuccessfulApiResponse('getOrgFullScan', data);
     return;
   }
-
-  // This is nd-json; each line is a json object
-  const jsons = await response.text();
-  const lines = jsons.split('\n').filter(Boolean);
-  const data = lines.map(line => {
-    try {
-      return JSON.parse(line);
-    } catch {
-      console.error('At least one line item was returned that could not be parsed as JSON...');
-      return {};
-    }
-  });
+  spinner?.successAndStop(file ? `Full scan details written to ${file}` : 'stdout');
   return data;
 }
 
@@ -7808,6 +8728,7 @@ const cmdScan = {
       list: cmdScanList,
       del: cmdScanDel,
       metadata: cmdScanMetadata,
+      report: cmdScanReport,
       view: cmdScanView
     }, {
       aliases: {
@@ -8288,7 +9209,7 @@ void (async () => {
   await vendor.updater({
     name: SOCKET_CLI_BIN_NAME,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-    version: "0.14.60",
+    version: "0.14.62",
     ttl: 86_400_000 /* 24 hours in milliseconds */
   });
   try {
@@ -8355,5 +9276,5 @@ void (async () => {
     await shadowNpmInject.captureException(e);
   }
 })();
-//# debugId=a4fe81ae-a54c-4a9c-bd36-803984c36419
+//# debugId=a794b9bc-963d-4504-a1af-e5c87018417b
 //# sourceMappingURL=cli.js.map