@socketsecurity/cli 0.14.68 → 0.14.70

package/dist/require/cli.js

@@ -19,6 +19,7 @@ const logger = require('@socketsecurity/registry/lib/logger')
 const assert = require('node:assert')
 const fs = require('node:fs/promises')
 const commonTags = _socketInterop(require('common-tags'))
+const debug = require('@socketsecurity/registry/lib/debug')
 const strings = require('@socketsecurity/registry/lib/strings')
 const shadowNpmInject = require('./shadow-npm-inject.js')
 const constants = require('./constants.js')
@@ -27,22 +28,21 @@ const path$1 = require('node:path')
 const objects = require('@socketsecurity/registry/lib/objects')
 const path = require('@socketsecurity/registry/lib/path')
 const regexps = require('@socketsecurity/registry/lib/regexps')
-const prompts = require('@socketsecurity/registry/lib/prompts')
 const yargsParse = _socketInterop(require('yargs-parser'))
 const words = require('@socketsecurity/registry/lib/words')
 const fs$1 = require('node:fs')
 const shadowBin = require('./shadow-bin.js')
+const prompts = require('@socketsecurity/registry/lib/prompts')
 const chalkTable = _socketInterop(require('chalk-table'))
 const require$$0$1 = require('node:util')
 const registry = require('@socketsecurity/registry')
 const npm = require('@socketsecurity/registry/lib/npm')
 const packages = require('@socketsecurity/registry/lib/packages')
 const lockfile_fs = _socketInterop(require('@pnpm/lockfile.fs'))
+const spawn = require('@socketsecurity/registry/lib/spawn')
 const lockfile_detectDepTypes = _socketInterop(
   require('@pnpm/lockfile.detect-dep-types')
 )
-const debug = require('@socketsecurity/registry/lib/debug')
-const spawn = require('@socketsecurity/registry/lib/spawn')
 const shadowNpmPaths = require('./shadow-npm-paths.js')
 const browserslist = _socketInterop(require('browserslist'))
 const semver = _socketInterop(require('semver'))
@@ -56,8 +56,6 @@ const npa = _socketInterop(require('npm-package-arg'))
 const tinyglobby = _socketInterop(require('tinyglobby'))
 const promises = require('@socketsecurity/registry/lib/promises')
 const yaml = _socketInterop(require('yaml'))
-const betterAjvErrors = _socketInterop(require('@apideck/better-ajv-errors'))
-const config$K = require('@socketsecurity/config')
 
 function failMsgWithBadge(badge, msg) {
   return `${colors.bgRed(colors.bold(colors.white(` ${badge}: `)))} ${colors.bold(msg)}`
@@ -72,7 +70,7 @@ function handleUnsuccessfulApiResponse(_name, sockSdkError) {
     spinner.stop()
     throw new shadowNpmInject.AuthError(message)
   }
-  logger.logger.fail(failMsgWithBadge('API returned an error:', message))
+  logger.logger.fail(failMsgWithBadge('Socket API returned an error', message))
    
   process$1.exit(1)
 }
@@ -80,23 +78,25 @@ async function handleApiCall(value, description) {
   let result
   try {
     result = await value
-  } catch (cause) {
+  } catch (e) {
+    debug.debugLog(`handleApiCall[${description}] error:\n`, e)
     throw new Error(`Failed ${description}`, {
-      cause
+      cause: e
     })
   }
   return result
 }
 async function handleApiError(code) {
   if (code === 400) {
-    return 'One of the options passed might be incorrect.'
-  } else if (code === 403) {
-    return 'Your API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API key you are logged in with.'
-  } else if (code === 404) {
+    return 'One of the options passed might be incorrect'
+  }
+  if (code === 403) {
+    return 'Your API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API key you are logged in with'
+  }
+  if (code === 404) {
     return 'The requested Socket API endpoint was not found (404) or there was no result for the requested parameters. This could be a temporary problem caused by an incident or a bug in the CLI. If the problem persists please let us know.'
-  } else {
-    return `Server responded with status code ${code}`
   }
+  return `Server responded with status code ${code}`
 }
 function getLastFiveOfApiToken(token) {
   // Get the last 5 characters of the API token before the trailing "_api".
@@ -141,14 +141,13 @@ async function fetchOrgAnalyticsData(time, spinner) {
   )
   if (result.success === false) {
     handleUnsuccessfulApiResponse('getOrgAnalytics', result)
-    return undefined
   }
   spinner.stop()
   if (!result.data.length) {
     logger.logger.log(
       'No analytics data is available for this organization yet.'
     )
-    return undefined
+    return
   }
   return result.data
 }
@@ -161,14 +160,13 @@ async function fetchRepoAnalyticsData(repo, time, spinner) {
   )
   if (result.success === false) {
     handleUnsuccessfulApiResponse('getRepoAnalytics', result)
-    return undefined
   }
   spinner.stop()
   if (!result.data.length) {
     logger.logger.log(
       'No analytics data is available for this organization yet.'
     )
-    return undefined
+    return
   }
   return result.data
 }
@@ -730,7 +728,7 @@ function getHelpListOutput(
   return result.trim() || '(none)'
 }
 
-const { DRY_RUN_LABEL: DRY_RUN_LABEL$1, REDACTED } = constants
+const { DRY_RUN_LABEL, REDACTED: REDACTED$1 } = constants
 async function meowWithSubcommands(subcommands, options) {
   const {
     aliases = {},
@@ -803,15 +801,43 @@ async function meowWithSubcommands(subcommands, options) {
   // Hard override the config if instructed to do so.
   // The env var overrides the --flag, which overrides the persisted config
   // Also, when either of these are used, config updates won't persist.
+  let configOverrideResult
   if (process$1.env['SOCKET_CLI_CONFIG']) {
-    shadowNpmInject.overrideCachedConfig(
-      JSON.parse(process$1.env['SOCKET_CLI_CONFIG'])
+    configOverrideResult = shadowNpmInject.overrideCachedConfig(
+      process$1.env['SOCKET_CLI_CONFIG']
     )
   } else if (cli.flags['config']) {
-    shadowNpmInject.overrideCachedConfig(
-      JSON.parse(String(cli.flags['config'] || ''))
+    configOverrideResult = shadowNpmInject.overrideCachedConfig(
+      String(cli.flags['config'] || '')
     )
   }
+  if (process$1.env['SOCKET_CLI_NO_API_TOKEN']) {
+    // This overrides the config override and even the explicit token env var.
+    // The config will be marked as readOnly to prevent persisting it.
+    shadowNpmInject.overrideConfigApiToken(undefined)
+  } else {
+    // Note: these are SOCKET_SECURITY prefixed because they're not specific to
+    //       the CLI. For the sake of consistency we'll also support the env
+    //       keys that do have the SOCKET_CLI prefix, it's an easy mistake.
+    // In case multiple are supplied, the tokens supersede the keys and the
+    // security prefix supersedes the cli prefix. "Adventure mode" ;)
+    const tokenOverride =
+      process$1.env['SOCKET_CLI_API_KEY'] ||
+      process$1.env['SOCKET_SECURITY_API_KEY'] ||
+      process$1.env['SOCKET_CLI_API_TOKEN'] ||
+      process$1.env['SOCKET_SECURITY_API_TOKEN']
+    if (tokenOverride) {
+      // This will set the token (even if there was a config override) and
+      // set it to readOnly, making sure the temp token won't be persisted.
+      shadowNpmInject.overrideConfigApiToken(tokenOverride)
+    }
+  }
+  if (configOverrideResult?.ok === false) {
+    emitBanner(name)
+    logger.logger.fail(configOverrideResult.message)
+    process$1.exitCode = 2
+    return
+  }
 
   // If we got at least some args, then lets find out if we can find a command.
   if (commandOrAliasName) {
@@ -836,7 +862,7 @@ async function meowWithSubcommands(subcommands, options) {
   }
   if (!cli.flags['help'] && cli.flags['dryRun']) {
     process$1.exitCode = 0
-    logger.logger.log(`${DRY_RUN_LABEL$1}: No-op, call a sub-command; ok`)
+    logger.logger.log(`${DRY_RUN_LABEL}: No-op, call a sub-command; ok`)
   } else {
     cli.showHelp()
   }
@@ -885,9 +911,9 @@ function emitBanner(name) {
   logger.logger.error(getAsciiHeader(name))
 }
 function getAsciiHeader(command) {
-  const cliVersion = '0.14.68:23c5456:d5b553f3:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
+  const cliVersion = '0.14.70:1042a5b:48e75331:pub' // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION_HASH']".
   const nodeVersion = process$1.version
-  const apiToken = shadowNpmInject.getConfigValue('apiToken')
+  const apiToken = shadowNpmInject.getDefaultToken()
   const shownToken = apiToken ? getLastFiveOfApiToken(apiToken) : 'no'
   const relCwd = path.normalizePath(
     process$1
@@ -908,7 +934,7 @@ function getAsciiHeader(command) {
   return `   ${body}\n`
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$I } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$G } = constants
 const config$J = {
   commandName: 'analytics',
   description: `Look up analytics data`,
@@ -921,7 +947,7 @@ const config$J = {
       shortFlag: 'f',
       default: '-',
       description:
-        'Path to a local file to save the output. Only valid with --json/--markdown. Defaults to stdout.'
+        'Filepath to save output. Only valid with --json/--markdown. Defaults to stdout.'
     },
     repo: {
       type: 'string',
@@ -947,6 +973,10 @@ const config$J = {
     Usage
       $ ${command} --scope=<scope> --time=<time filter>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: report:write
+
     Default parameters are set to show the organization-level analytics over the
     last 7 days.
 
@@ -1022,7 +1052,7 @@ async function run$J(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$I)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$G)
     return
   }
   assert(assertScope(scope))
@@ -1063,31 +1093,43 @@ async function fetchAuditLog({ logType, orgSlug, outputKind, page, perPage }) {
   )
   if (!result.success) {
     handleUnsuccessfulApiResponse('getAuditLogEvents', result)
-    return
   }
   spinner.stop()
   return result.data
 }
 
+const { REDACTED } = constants
 async function outputAuditLog(
   auditLogs,
   { logType, orgSlug, outputKind, page, perPage }
 ) {
   if (outputKind === 'json') {
-    await outputAsJson(auditLogs.results, orgSlug, logType, page, perPage)
-  } else if (outputKind === 'markdown') {
-    await outputAsMarkdown(auditLogs.results, orgSlug, logType, page, perPage)
+    logger.logger.log(
+      await outputAsJson(auditLogs.results, {
+        logType,
+        orgSlug,
+        page,
+        perPage
+      })
+    )
   } else {
-    await outputAsPrint(auditLogs.results, orgSlug, logType)
+    logger.logger.log(
+      await outputAsMarkdown(auditLogs.results, {
+        logType,
+        orgSlug,
+        page,
+        perPage
+      })
+    )
   }
 }
-async function outputAsJson(auditLogs, orgSlug, logType, page, perPage) {
+async function outputAsJson(auditLogs, { logType, orgSlug, page, perPage }) {
   let json
   try {
     json = JSON.stringify(
       {
         desc: 'Audit logs for given query',
-        generated: new Date().toISOString(),
+        generated: false ? REDACTED : new Date().toISOString(),
         org: orgSlug,
         logType,
         page,
@@ -1116,15 +1158,21 @@ async function outputAsJson(auditLogs, orgSlug, logType, page, perPage) {
       2
     )
   } catch (e) {
-    process.exitCode = 1
+    process$1.exitCode = 1
     logger.logger.fail(
       'There was a problem converting the logs to JSON, please try without the `--json` flag'
     )
-    return
+    if (debug.isDebug()) {
+      debug.debugLog('Error:\n', e)
+    }
+    return '{}'
   }
-  logger.logger.log(json)
+  return json
 }
-async function outputAsMarkdown(auditLogs, orgSlug, logType, page, perPage) {
+async function outputAsMarkdown(
+  auditLogs,
+  { logType, orgSlug, page, perPage }
+) {
   try {
     const table = mdTable(auditLogs, [
       'event_id',
@@ -1134,7 +1182,7 @@ async function outputAsMarkdown(auditLogs, orgSlug, logType, page, perPage) {
       'ip_address',
       'user_agent'
     ])
-    logger.logger.log(commonTags.stripIndents`
+    return `
 # Socket Audit Logs
 
 These are the Socket.dev audit logs as per requested query.
@@ -1142,50 +1190,21 @@ These are the Socket.dev audit logs as per requested query.
 - type filter: ${logType || '(none)'}
 - page: ${page}
 - per page: ${perPage}
-- generated: ${new Date().toISOString()}
+- generated: ${false ? REDACTED : new Date().toISOString()}
 
 ${table}
-`)
+`
   } catch (e) {
-    process.exitCode = 1
+    process$1.exitCode = 1
     logger.logger.fail(
-      'There was a problem converting the logs to JSON, please try without the `--json` flag'
+      'There was a problem converting the logs to Markdown, please try the `--json` flag'
     )
-    logger.logger.error(e)
-    return
-  }
-}
-async function outputAsPrint(auditLogs, orgSlug, logType) {
-  const data = []
-  const logDetails = {}
-  for (const d of auditLogs) {
-    const { created_at } = d
-    if (created_at) {
-      const name = `${new Date(created_at).toLocaleDateString('en-us', {
-        year: 'numeric',
-        month: 'numeric',
-        day: 'numeric'
-      })} - ${d.user_email} - ${d.type} - ${d.ip_address} - ${d.user_agent}`
-      data.push(
-        {
-          name
-        },
-        new prompts.Separator()
-      )
-      logDetails[name] = JSON.stringify(d.payload)
+    if (debug.isDebug()) {
+      debug.debugLog('Error:\n', e)
     }
+    // logger.error(e)
+    return ''
   }
-  logger.logger.log(
-    logDetails[
-      await prompts.select({
-        message: logType
-          ? `\n Audit log for: ${orgSlug} with type: ${logType}\n`
-          : `\n Audit log for: ${orgSlug}\n`,
-        choices: data,
-        pageSize: 30
-      })
-    ]
-  )
 }
 
 async function handleAuditLog({ logType, orgSlug, outputKind, page, perPage }) {
@@ -1208,7 +1227,7 @@ async function handleAuditLog({ logType, orgSlug, outputKind, page, perPage }) {
   })
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$H } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$F } = constants
 const config$I = {
   commandName: 'audit-log',
   description: 'Look up the audit log for an organization',
@@ -1239,6 +1258,10 @@ const config$I = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: audit-log:list
+
     This feature requires an Enterprise Plan. To learn more about getting access
     to this feature and many more, please visit https://socket.dev/pricing
 
@@ -1294,7 +1317,7 @@ async function run$I(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$H)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$F)
     return
   }
   await handleAuditLog({
@@ -1422,7 +1445,7 @@ function isHelpFlag(cmdArg) {
 }
 
 // import { meowOrExit } from '../../utils/meow-with-subcommands'
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$G } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$E } = constants
 
 // TODO: convert yargs to meow. Or convert all the other things to yargs.
 const toLower = arg => arg.toLowerCase()
@@ -1585,7 +1608,7 @@ async function run$H(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$G)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$E)
     return
   }
   if (yargv.output === undefined) {
@@ -1621,7 +1644,7 @@ async function discoverConfigValue(key) {
       success: false,
       value: undefined,
       message:
-        'When uncertain, unset this key. Otherwise ask your network administrator.'
+        'When uncertain, unset this key. Otherwise ask your network administrator'
     }
   }
   if (key === 'apiToken') {
@@ -1835,7 +1858,7 @@ async function handleConfigAuto({ key, outputKind }) {
   await outputConfigAuto(key, result, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$F } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$D } = constants
 const config$G = {
   commandName: 'auto',
   description: 'Automatically discover and set the correct value config item',
@@ -1900,7 +1923,7 @@ async function run$G(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$F)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$D)
     return
   }
   await handleConfigAuto({
@@ -1909,7 +1932,13 @@ async function run$G(argv, importMeta, { parentName }) {
   })
 }
 
-async function outputConfigGet(key, value, outputKind) {
+async function outputConfigGet(
+  key,
+  value,
+  readOnly,
+  // Is config in read-only mode? (Overrides applied)
+  outputKind
+) {
   if (outputKind === 'json') {
     logger.logger.log(
       JSON.stringify({
@@ -1917,24 +1946,38 @@ async function outputConfigGet(key, value, outputKind) {
         result: {
           key,
           value
-        }
+        },
+        readOnly
       })
     )
   } else if (outputKind === 'markdown') {
     logger.logger.log(`# Config Value`)
     logger.logger.log('')
     logger.logger.log(`Config key '${key}' has value '${value}`)
+    if (readOnly) {
+      logger.logger.log('')
+      logger.logger.log(
+        'Note: the config is in read-only mode, meaning at least one key was temporarily\n      overridden from an env var or command flag.'
+      )
+    }
   } else {
     logger.logger.log(`${key}: ${value}`)
+    if (readOnly) {
+      logger.logger.log('')
+      logger.logger.log(
+        'Note: the config is in read-only mode, meaning at least one key was temporarily overridden from an env var or command flag.'
+      )
+    }
   }
 }
 
 async function handleConfigGet({ key, outputKind }) {
   const value = shadowNpmInject.getConfigValue(key)
-  await outputConfigGet(key, value, outputKind)
+  const readOnly = shadowNpmInject.isReadOnlyConfig()
+  await outputConfigGet(key, value, readOnly, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$E } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$C } = constants
 const config$F = {
   commandName: 'get',
   description: 'Get the value of a local CLI config item',
@@ -1994,7 +2037,7 @@ async function run$F(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$E)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$C)
     return
   }
   await handleConfigGet({
@@ -2004,6 +2047,7 @@ async function run$F(argv, importMeta, { parentName }) {
 }
 
 async function outputConfigList({ full, outputKind }) {
+  const readOnly = shadowNpmInject.isReadOnlyConfig()
   if (outputKind === 'json') {
     const obj = {}
     for (const key of shadowNpmInject.supportedConfigKeys.keys()) {
@@ -2020,7 +2064,8 @@ async function outputConfigList({ full, outputKind }) {
         {
           success: true,
           full,
-          config: obj
+          config: obj,
+          readOnly
         },
         null,
         2
@@ -2045,10 +2090,16 @@ async function outputConfigList({ full, outputKind }) {
         )
       }
     }
+    if (readOnly) {
+      logger.logger.log('')
+      logger.logger.log(
+        'Note: the config is in read-only mode, meaning at least one key was temporarily\n      overridden from an env var or command flag.'
+      )
+    }
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$D } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$B } = constants
 const config$E = {
   commandName: 'list',
   description: 'Show all local CLI config items and their values',
@@ -2104,7 +2155,7 @@ async function run$E(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$D)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$B)
     return
   }
   await outputConfigList({
@@ -2113,29 +2164,43 @@ async function run$E(argv, importMeta, { parentName }) {
   })
 }
 
-async function outputConfigSet(key, _value, outputKind) {
+async function outputConfigSet(key, _value, readOnly, outputKind) {
   if (outputKind === 'json') {
     logger.logger.log(
       JSON.stringify({
         success: true,
-        message: `Config key '${key}' was updated`
+        message: `Config key '${key}' was updated${readOnly ? ' (Note: since at least one value was overridden from flag/env, the config was not persisted)' : ''}`,
+        readOnly
       })
     )
   } else if (outputKind === 'markdown') {
     logger.logger.log(`# Update config`)
     logger.logger.log('')
     logger.logger.log(`Config key '${key}' was updated`)
+    if (readOnly) {
+      logger.logger.log('')
+      logger.logger.log(
+        'Note: The change was not persisted because the config is in read-only mode,\n      meaning at least one key was temporarily overridden from an env var or\n      command flag.'
+      )
+    }
   } else {
     logger.logger.log(`OK`)
+    if (readOnly) {
+      logger.logger.log('')
+      logger.logger.log(
+        'Note: The change was not persisted because the config is in read-only mode, meaning at least one key was temporarily overridden from an env var or command flag.'
+      )
+    }
   }
 }
 
 async function handleConfigSet({ key, outputKind, value }) {
   shadowNpmInject.updateConfigValue(key, value)
-  await outputConfigSet(key, value, outputKind)
+  const readOnly = shadowNpmInject.isReadOnlyConfig()
+  await outputConfigSet(key, value, readOnly, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$C } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$A } = constants
 const config$D = {
   commandName: 'set',
   description: 'Update the value of a local CLI config item',
@@ -2209,7 +2274,7 @@ async function run$D(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$C)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$A)
     return
   }
   await handleConfigSet({
@@ -2241,7 +2306,7 @@ async function handleConfigUnset({ key, outputKind }) {
   await outputConfigUnset(key, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$B } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$z } = constants
 const config$C = {
   commandName: 'unset',
   description: 'Clear the value of a local CLI config item',
@@ -2301,7 +2366,7 @@ async function run$C(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$B)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$z)
     return
   }
   await handleConfigUnset({
@@ -2350,7 +2415,6 @@ async function fetchDependencies({ limit, offset }) {
   spinner.successAndStop('Received organization dependencies response.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('searchDependencies', result)
-    return
   }
   return result.data
 }
@@ -2429,7 +2493,7 @@ async function handleDependencies({ limit, offset, outputKind }) {
   })
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$A } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$y } = constants
 const config$B = {
   commandName: 'dependencies',
   description:
@@ -2455,6 +2519,10 @@ const config$B = {
     Usage
       ${command}
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: none (does need token with access to target org)
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -2498,7 +2566,7 @@ async function run$B(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$A)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$y)
     return
   }
   await handleDependencies({
@@ -2612,7 +2680,7 @@ async function handleDiffScan({
   })
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$z } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$x } = constants
 const config$A = {
   commandName: 'get',
   description: 'Get a diff scan for an organization',
@@ -2656,6 +2724,10 @@ const config$A = {
     Usage
       $ ${command} <org slug> --before=<before> --after=<after>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:list
+
     This command displays the package changes between two scans. The full output
     can be pretty large depending on the size of your repo and time range. It is
     best stored to disk to be further analyzed by other tools.
@@ -2687,7 +2759,7 @@ async function run$A(argv, importMeta, { parentName }) {
     {
       test: !!(before && after),
       message:
-        'Specify a before and after scan ID\nThe args are expecting a full `aaa0aa0a-aaaa-0000-0a0a-0000000a00a0` scan ID.',
+        'Specify a before and after scan ID.\nThe args are expecting a full `aaa0aa0a-aaaa-0000-0a0a-0000000a00a0` scan ID.',
       pass: 'ok',
       fail:
         !before && !after
@@ -2724,7 +2796,7 @@ async function run$A(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$z)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$x)
     return
   }
   await handleDiffScan({
@@ -2764,8 +2836,13 @@ const { NPM: NPM$f } = constants
 function isTopLevel(tree, node) {
   return tree.children.get(node.name) === node
 }
-async function npmFix(_pkgEnvDetails, cwd, options) {
-  const { spinner } = {
+async function npmFix(_pkgEnvDetails, options) {
+  const {
+    cwd = process.cwd(),
+    spinner,
+    test = false,
+    testScript = 'test'
+  } = {
     __proto__: null,
     ...options
   }
@@ -2781,7 +2858,8 @@ async function npmFix(_pkgEnvDetails, cwd, options) {
       existing: true,
       unfixable: false,
       upgradable: false
-    }
+    },
+    nothrow: true
   })
   const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
   if (!infoByPkg) {
@@ -2826,11 +2904,13 @@ async function npmFix(_pkgEnvDetails, cwd, options) {
           shadowNpmInject.updateNode(node, packument, vulnerableVersionRange)
         ) {
           try {
-            // eslint-disable-next-line no-await-in-loop
-            await npm.runScript('test', [], {
-              spinner,
-              stdio: 'ignore'
-            })
+            if (test) {
+              // eslint-disable-next-line no-await-in-loop
+              await npm.runScript(testScript, [], {
+                spinner,
+                stdio: 'ignore'
+              })
+            }
             spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`)
             if (isTopLevel(tree, node)) {
               for (const depField of [
@@ -2866,16 +2946,24 @@ async function npmFix(_pkgEnvDetails, cwd, options) {
   spinner?.stop()
 }
 
-async function getAlertsMapFromPnpmLockfile(lockfile, options) {
-  const { include: _include, spinner } = {
+async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
+  const options = {
     __proto__: null,
-    ...options
+    consolidate: false,
+    nothrow: false,
+    ...options_
   }
   const include = {
     __proto__: null,
+    blocked: true,
+    critical: true,
+    cve: true,
+    existing: false,
     unfixable: true,
-    ..._include
+    upgradable: false,
+    ...options.include
   }
+  const { spinner } = options
   const depTypes = lockfile_detectDepTypes.detectDepTypes(lockfile)
   const pkgIds = Object.keys(depTypes)
   let { length: remaining } = pkgIds
@@ -2890,9 +2978,11 @@ async function getAlertsMapFromPnpmLockfile(lockfile, options) {
   )
   const toAlertsMapOptions = {
     overrides: lockfile.overrides,
-    ...options
+    consolidate: options.consolidate,
+    include,
+    spinner
   }
-  for await (const batchPackageFetchResult of sockSdk.batchPackageStream(
+  for await (const batchResult of sockSdk.batchPackageStream(
     {
       alerts: 'true',
       compact: 'true',
@@ -2904,12 +2994,18 @@ async function getAlertsMapFromPnpmLockfile(lockfile, options) {
       }))
     }
   )) {
-    if (batchPackageFetchResult.success) {
+    if (batchResult.success) {
       await shadowNpmInject.addArtifactToAlertsMap(
-        batchPackageFetchResult.data,
+        batchResult.data,
         alertsByPkgId,
         toAlertsMapOptions
       )
+    } else if (!options.nothrow) {
+      const statusCode = batchResult.status ?? 'unknown'
+      const statusMessage = batchResult.error ?? 'No status message'
+      throw new Error(
+        `Socket API server error (${statusCode}): ${statusMessage}`
+      )
     }
     remaining -= 1
     if (spinner && remaining > 0) {
@@ -3021,13 +3117,13 @@ function runAgentInstall(pkgEnvDetails, options) {
   }
   return spawn.spawn(agentExecPath, ['install', ...args], {
     spinner,
-    stdio: debug.isDebug() ? 'inherit' : 'ignore',
+    stdio: debug.isDebug() ? 'inherit' : 'inherit',
     ...spawnOptions,
     env: {
       ...process.env,
       NODE_OPTIONS: cmdFlagsToString([
         // Lazily access constants.nodeHardenFlags.
-        ...constants.nodeHardenFlags,
+        // ...constants.nodeHardenFlags,
         // Lazily access constants.nodeNoWarningsFlags.
         ...constants.nodeNoWarningsFlags
       ]),
@@ -3037,12 +3133,99 @@ function runAgentInstall(pkgEnvDetails, options) {
 }
 
 const { NPM: NPM$c, OVERRIDES: OVERRIDES$2, PNPM: PNPM$9 } = constants
-async function pnpmFix(pkgEnvDetails, cwd, options) {
-  const { spinner } = {
+async function branchExists(branchName, cwd) {
+  try {
+    await spawn.spawn('git', ['rev-parse', '--verify', branchName], {
+      cwd,
+      stdio: 'ignore'
+    })
+    return true
+  } catch {
+    return false
+  }
+}
+async function remoteBranchExists(branchName, cwd) {
+  try {
+    const result = await spawn.spawn(
+      'git',
+      ['ls-remote', '--heads', 'origin', branchName],
+      {
+        cwd,
+        stdio: 'pipe'
+      }
+    )
+    return !!result.stdout.trim()
+  } catch {
+    return false
+  }
+}
+async function commitAndPushFix(branchName, commitMsg, cwd) {
+  const localExists = await branchExists(branchName, cwd)
+  const remoteExists = await remoteBranchExists(branchName, cwd)
+  if (localExists || remoteExists) {
+    logger.logger.warn(
+      `Branch "${branchName}" already exists. Skipping creation.`
+    )
+    return
+  }
+  await spawn.spawn('git', ['checkout', '-b', branchName], {
+    cwd
+  })
+  await spawn.spawn('git', ['add', 'package.json', 'pnpm-lock.yaml'], {
+    cwd
+  })
+  await spawn.spawn('git', ['commit', '-m', commitMsg], {
+    cwd
+  })
+  await spawn.spawn('git', ['push', '--set-upstream', 'origin', branchName], {
+    cwd
+  })
+}
+async function createPullRequest({
+  base = 'main',
+  body,
+  head,
+  owner,
+  repo,
+  title
+}) {
+  const octokit = new vendor.Octokit({
+    auth: process.env['GITHUB_TOKEN']
+  })
+  await octokit.pulls.create({
+    owner,
+    repo,
+    title,
+    head,
+    base,
+    ...(body
+      ? {
+          body
+        }
+      : {})
+  })
+}
+function getRepoInfo() {
+  const repoString = process.env['GITHUB_REPOSITORY']
+  if (!repoString || !repoString.includes('/')) {
+    throw new Error('GITHUB_REPOSITORY is not set or invalid')
+  }
+  const { 0: owner, 1: repo } = repoString.split('/')
+  return {
+    owner,
+    repo
+  }
+}
+async function pnpmFix(pkgEnvDetails, options) {
+  const {
+    cwd = process.cwd(),
+    spinner,
+    test = false,
+    testScript = 'test'
+  } = {
     __proto__: null,
     ...options
   }
-  spinner?.start()
   const lockfile = await lockfile_fs.readWantedLockfile(cwd, {
     ignoreIncompatible: false
   })
@@ -3056,7 +3239,8 @@ async function pnpmFix(pkgEnvDetails, cwd, options) {
       existing: true,
       unfixable: false,
       upgradable: false
-    }
+    },
+    nothrow: true
   })
   const infoByPkg = shadowNpmInject.getCveInfoByAlertsMap(alertsMap)
   if (!infoByPkg) {
@@ -3072,11 +3256,12 @@ async function pnpmFix(pkgEnvDetails, cwd, options) {
     editable: true
   })
   const { content: pkgJson } = editablePkgJson
+  spinner?.stop()
   for (const { 0: name, 1: infos } of infoByPkg) {
     const tree = arb.actualTree
     const hasUpgrade = !!registry.getManifestData(NPM$c, name)
     if (hasUpgrade) {
-      spinner?.info(`Skipping ${name}. Socket Optimize package exists.`)
+      logger.logger.info(`Skipping ${name}. Socket Optimize package exists.`)
       continue
     }
     const nodes = shadowNpmInject.findPackageNodes(tree, name)
@@ -3098,6 +3283,7 @@ async function pnpmFix(pkgEnvDetails, cwd, options) {
         const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
           infos[j]
         const { version: oldVersion } = node
+        const oldSpec = `${name}@${oldVersion}`
         const availableVersions = Object.keys(packument.versions)
         // Find the highest non-vulnerable version within the same major range
         const targetVersion = shadowNpmInject.findBestPatchVersion(
@@ -3108,20 +3294,28 @@ async function pnpmFix(pkgEnvDetails, cwd, options) {
         const targetPackument = targetVersion
           ? packument.versions[targetVersion]
           : undefined
-        if (targetPackument) {
+        spinner?.stop()
+
+        // Check targetVersion to make TypeScript happy.
+        if (targetVersion && targetPackument) {
           const oldPnpm = pkgJson[PNPM$9]
           const oldOverrides = oldPnpm?.[OVERRIDES$2]
-          try {
-            editablePkgJson.update({
-              [PNPM$9]: {
-                ...oldPnpm,
-                [OVERRIDES$2]: {
-                  [`${node.name}@${vulnerableVersionRange}`]: `^${targetVersion}`,
-                  ...oldOverrides
-                }
+          const overrideKey = `${node.name}@${vulnerableVersionRange}`
+          const overrideRange = `^${targetVersion}`
+          const fixSpec = `${name}@${overrideRange}`
+          const data = {
+            [PNPM$9]: {
+              ...oldPnpm,
+              [OVERRIDES$2]: {
+                [overrideKey]: overrideRange,
+                ...oldOverrides
               }
-            })
-            spinner?.info(`Patched ${name} ${oldVersion} -> ${node.version}`)
+            }
+          }
+          try {
+            editablePkgJson.update(data)
+            spinner?.start()
+            spinner?.info(`Installing ${fixSpec}`)
 
             // eslint-disable-next-line no-await-in-loop
             await editablePkgJson.save()
@@ -3129,11 +3323,70 @@ async function pnpmFix(pkgEnvDetails, cwd, options) {
             await runAgentInstall(pkgEnvDetails, {
               spinner
             })
+            if (test) {
+              spinner?.info(`Testing ${fixSpec}`)
+              // eslint-disable-next-line no-await-in-loop
+              await npm.runScript(testScript, [], {
+                spinner,
+                stdio: 'ignore'
+              })
+            }
+            try {
+              const branchName = `fix-${name}-${targetVersion.replace(/\./g, '-')}`
+              const commitMsg = `fix: upgrade ${name} to ${targetVersion}`
+              const { owner, repo } = getRepoInfo()
+              // eslint-disable-next-line no-await-in-loop
+              await commitAndPushFix(branchName, commitMsg, cwd)
+              // eslint-disable-next-line no-await-in-loop
+              await createPullRequest({
+                owner,
+                repo,
+                title: commitMsg,
+                head: branchName,
+                base: process.env['GITHUB_REF_NAME'] ?? 'master',
+                body: `This PR fixes a security issue in \`${name}\` by upgrading to \`${targetVersion}\`.`
+              })
+            } catch (e) {
+              console.log(e)
+            }
+            logger.logger.success(`Fixed ${name}`)
           } catch {
-            spinner?.error(`Reverting ${name} to ${oldVersion}`)
+            spinner?.error(`Reverting ${fixSpec}`)
+            const pnpmKeyCount = Object.keys(data[PNPM$9]).length
+            const pnpmOverridesKeyCount = Object.keys(
+              data[PNPM$9][OVERRIDES$2]
+            ).length
+            if (pnpmKeyCount === 1 && pnpmOverridesKeyCount === 1) {
+              editablePkgJson.update({
+                // Setting to `undefined` will remove the property.
+                [PNPM$9]: undefined
+              })
+            } else {
+              editablePkgJson.update({
+                [PNPM$9]: {
+                  ...oldPnpm,
+                  [OVERRIDES$2]:
+                    pnpmOverridesKeyCount === 1
+                      ? undefined
+                      : {
+                          [overrideKey]: undefined,
+                          ...oldOverrides
+                        }
+                }
+              })
+            }
+            // eslint-disable-next-line no-await-in-loop
+            await editablePkgJson.save()
+            // eslint-disable-next-line no-await-in-loop
+            await runAgentInstall(pkgEnvDetails, {
+              spinner
+            })
+            spinner?.stop()
+            logger.logger.error(`Failed to fix ${oldSpec}`)
           }
         } else {
-          spinner?.error(`Could not patch ${name} ${oldVersion}`)
+          spinner?.stop()
+          logger.logger.error(`Could not patch ${oldSpec}`)
         }
       }
     }
@@ -3539,39 +3792,59 @@ async function detectAndValidatePackageEnvironment(cwd, options) {
 
 const { NPM: NPM$a, PNPM: PNPM$7 } = constants
 const CMD_NAME$2 = 'socket fix'
-async function runFix() {
-  // Lazily access constants.spinner.
-  const { spinner } = constants
-  spinner.start()
-  const cwd = process.cwd()
+async function runFix({
+  cwd = process.cwd(),
+  spinner,
+  test = false,
+  testScript = 'test'
+}) {
   const pkgEnvDetails = await detectAndValidatePackageEnvironment(cwd, {
     cmdName: CMD_NAME$2,
     logger: logger.logger
   })
   if (!pkgEnvDetails) {
-    spinner.stop()
+    spinner?.stop()
     return
   }
+  logger.logger.info(`Fixing packages for ${pkgEnvDetails.agent}`)
   switch (pkgEnvDetails.agent) {
     case NPM$a: {
-      await npmFix(pkgEnvDetails, cwd)
+      await npmFix(pkgEnvDetails, {
+        spinner,
+        test,
+        testScript
+      })
       break
     }
     case PNPM$7: {
-      await pnpmFix(pkgEnvDetails, cwd)
+      await pnpmFix(pkgEnvDetails, {
+        spinner,
+        test,
+        testScript
+      })
       break
     }
   }
-  spinner.successAndStop('Socket.dev fix successful')
+  // spinner.successAndStop('Socket.dev fix successful')
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$y } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$w } = constants
 const config$z = {
   commandName: 'fix',
   description: 'Fix "fixable" Socket alerts',
   hidden: true,
   flags: {
-    ...commonFlags
+    ...commonFlags,
+    test: {
+      type: 'boolean',
+      default: true,
+      description: 'Very the fix by running unit tests'
+    },
+    testScript: {
+      type: 'string',
+      default: 'test',
+      description: 'The test script to run for each fix attempt'
+    }
   },
   help: (command, config) => `
     Usage
@@ -3594,10 +3867,17 @@ async function run$z(argv, importMeta, { parentName }) {
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$y)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$w)
     return
   }
-  await runFix()
+
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+  await runFix({
+    spinner,
+    test: Boolean(cli.flags['test']),
+    testScript: cli.flags['testScript']
+  })
 }
 
 async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
@@ -3622,10 +3902,10 @@ async function fetchPackageInfo(pkgName, pkgVersion, includeAllIssues) {
   )
   spinner.successAndStop('Data fetched')
   if (result.success === false) {
-    return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result)
+    handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result)
   }
   if (scoreResult.success === false) {
-    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult)
+    handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult)
   }
   const severityCount = shadowNpmInject.getSeverityCount(
     result.data,
@@ -3786,7 +4066,7 @@ async function handlePackageInfo({
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$x } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$v } = constants
 const config$y = {
   commandName: 'info',
   description: 'Look up info regarding a package',
@@ -3854,7 +4134,7 @@ async function run$y(argv, importMeta, { parentName }) {
   const pkgVersion =
     versionSeparator < 1 ? 'latest' : rawPkgName.slice(versionSeparator + 1)
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$x)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$v)
     return
   }
   await handlePackageInfo({
@@ -3891,7 +4171,6 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
   if (!result.success) {
     logger.logger.fail('Authentication failed...')
     handleUnsuccessfulApiResponse('getOrganizations', result)
-    return
   }
   logger.logger.success('API key verified')
   const orgs = result.data
@@ -3929,16 +4208,24 @@ async function attemptLogin(apiBaseUrl, apiProxy) {
     }
   }
   spinner.stop()
-  const oldToken = shadowNpmInject.getConfigValue('apiToken')
+  const previousPersistedToken = shadowNpmInject.getConfigValue('apiToken')
   try {
     applyLogin(apiToken, enforcedOrgs, apiBaseUrl, apiProxy)
-    logger.logger.success(`API credentials ${oldToken ? 'updated' : 'set'}`)
+    logger.logger.success(
+      `API credentials ${previousPersistedToken === apiToken ? 'refreshed' : previousPersistedToken ? 'updated' : 'set'}`
+    )
+    if (!shadowNpmInject.isReadOnlyConfig()) {
+      logger.logger.log('')
+      logger.logger.warn(
+        'Note: config is in read-only mode, at least one key was overridden through flag/env, so the login was not persisted!'
+      )
+    }
   } catch {
     logger.logger.fail(`API login failed`)
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$w } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$u } = constants
 const config$x = {
   commandName: 'login',
   description: 'Socket API login',
@@ -3958,6 +4245,9 @@ const config$x = {
     Usage
       $ ${command}
 
+    API Token Requirements
+      - Quota: 1 unit
+
     Logs into the Socket API by prompting for an API key
 
     Options
@@ -3983,7 +4273,7 @@ async function run$x(argv, importMeta, { parentName }) {
   const apiBaseUrl = cli.flags['apiBaseUrl']
   const apiProxy = cli.flags['apiProxy']
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$w)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$u)
     return
   }
   if (!isInteractive()) {
@@ -4005,12 +4295,18 @@ function attemptLogout() {
   try {
     applyLogout()
     logger.logger.success('Successfully logged out')
+    if (!shadowNpmInject.isReadOnlyConfig()) {
+      logger.logger.log('')
+      logger.logger.warn(
+        'Note: config is in read-only mode, at least one key was overridden through flag/env, so the logout was not persisted!'
+      )
+    }
   } catch {
     logger.logger.fail('Failed to complete logout steps')
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$v } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$t } = constants
 const config$w = {
   commandName: 'logout',
   description: 'Socket API logout',
@@ -4038,7 +4334,7 @@ async function run$w(argv, importMeta, { parentName }) {
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$v)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$t)
     return
   }
   attemptLogout()
@@ -4146,7 +4442,7 @@ async function convertGradleToMaven(target, bin, _out, verbose, gradleOpts) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$u } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s } = constants
 const config$v = {
   commandName: 'gradle',
   description:
@@ -4293,7 +4589,7 @@ async function run$v(argv, importMeta, { parentName }) {
       .filter(Boolean)
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$u)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$s)
     return
   }
   await convertGradleToMaven(target, bin, out, verbose, gradleOpts)
@@ -4402,7 +4698,7 @@ async function convertSbtToMaven(target, bin, out, verbose, sbtOpts) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$t } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$r } = constants
 const config$u = {
   commandName: 'scala',
   description:
@@ -4547,13 +4843,13 @@ async function run$u(argv, importMeta, { parentName }) {
       .filter(Boolean)
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$t)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$r)
     return
   }
   await convertSbtToMaven(target, bin, out, verbose, sbtOpts)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$s } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$q } = constants
 const config$t = {
   commandName: 'auto',
   description: 'Auto-detect build and attempt to generate manifest file',
@@ -4619,7 +4915,7 @@ async function run$t(argv, importMeta, { parentName }) {
     }
     subArgs.push(dir)
     if (cli.flags['dryRun']) {
-      logger.logger.log(DRY_RUN_BAIL_TEXT$s)
+      logger.logger.log(DRY_RUN_BAIL_TEXT$q)
       return
     }
     await cmdManifestScala.run(subArgs, importMeta, {
@@ -4636,7 +4932,7 @@ async function run$t(argv, importMeta, { parentName }) {
       subArgs.push(cwd)
     }
     if (cli.flags['dryRun']) {
-      logger.logger.log(DRY_RUN_BAIL_TEXT$s)
+      logger.logger.log(DRY_RUN_BAIL_TEXT$q)
       return
     }
     await cmdManifestGradle.run(subArgs, importMeta, {
@@ -4645,7 +4941,7 @@ async function run$t(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$s)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$q)
     return
   }
 
@@ -4674,7 +4970,7 @@ async function run$t(argv, importMeta, { parentName }) {
     .showHelp()
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$r } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$p } = constants
 
 // TODO: we may want to dedupe some pieces for all gradle languages. I think it
 //       makes sense to have separate commands for them and I think it makes
@@ -4827,7 +5123,7 @@ async function run$s(argv, importMeta, { parentName }) {
       .filter(Boolean)
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$r)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$p)
     return
   }
   await convertGradleToMaven(target, bin, out, verbose, gradleOpts)
@@ -4878,7 +5174,7 @@ async function wrapNpm(argv) {
   await shadowBin(NPM$8, argv)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$q, NPM: NPM$7 } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$o, NPM: NPM$7 } = constants
 const config$q = {
   commandName: 'npm',
   description: `${NPM$7} wrapper functionality`,
@@ -4905,7 +5201,7 @@ async function run$q(argv, importMeta, { parentName }) {
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$q)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$o)
     return
   }
   await wrapNpm(argv)
@@ -4918,7 +5214,7 @@ async function wrapNpx(argv) {
   await shadowBin(NPX$2, argv)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$p, NPX: NPX$1 } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$n, NPX: NPX$1 } = constants
 const config$p = {
   commandName: 'npx',
   description: `${NPX$1} wrapper functionality`,
@@ -4945,13 +5241,13 @@ async function run$p(argv, importMeta, { parentName }) {
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$p)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$n)
     return
   }
   await wrapNpx(argv)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$o } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$m } = constants
 const config$o = {
   commandName: 'oops',
   description: 'Trigger an intentional error (for development)',
@@ -4979,7 +5275,7 @@ async function run$o(argv, importMeta, { parentName }) {
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$o)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$m)
     return
   }
   throw new Error('This error was intentionally left blank')
@@ -5868,7 +6164,7 @@ async function applyOptimization(cwd, pin, prod) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$n } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$l } = constants
 const config$n = {
   commandName: 'optimize',
   description: 'Optimize dependencies with @socketregistry overrides',
@@ -5912,7 +6208,7 @@ async function run$n(argv, importMeta, { parentName }) {
   })
   const cwd = process.cwd()
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$n)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$l)
     return
   }
   await applyOptimization(
@@ -5935,7 +6231,6 @@ async function fetchOrganization() {
   spinner.successAndStop('Received organization list response.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('getOrganizations', result)
-    return
   }
   return result.data
 }
@@ -6014,7 +6309,7 @@ async function handleOrganizationList(outputKind = 'text') {
   await outputOrganizationList(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$m } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k } = constants
 const config$m = {
   commandName: 'list',
   description: 'List organizations associated with the API key used',
@@ -6027,6 +6322,10 @@ const config$m = {
     Usage
       $ ${command}
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: none (does need a token)
+
     Options
       ${getFlagListOutput(config$m.flags, 6)}
   `
@@ -6067,7 +6366,7 @@ async function run$m(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$m)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$k)
     return
   }
   await handleOrganizationList(json ? 'json' : markdown ? 'markdown' : 'text')
@@ -6086,7 +6385,6 @@ async function fetchLicensePolicy(orgSlug) {
   spinner.successAndStop('Received organization license policy response.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('getOrgLicensePolicy', result)
-    return
   }
   return result.data
 }
@@ -6131,7 +6429,7 @@ async function handleLicensePolicy(orgSlug, outputKind) {
   await outputLicensePolicy(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$l } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$j } = constants
 
 // TODO: secret toplevel alias `socket license policy`?
 const config$l = {
@@ -6146,6 +6444,10 @@ const config$l = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: license-policy:read
+
     Options
       ${getFlagListOutput(config$l.flags, 6)}
 
@@ -6202,7 +6504,7 @@ async function run$l(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$l)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$j)
     return
   }
   await handleLicensePolicy(
@@ -6224,7 +6526,6 @@ async function fetchSecurityPolicy(orgSlug) {
   spinner.successAndStop('Received organization security policy response.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('getOrgSecurityPolicy', result)
-    return
   }
   return result.data
 }
@@ -6270,7 +6571,7 @@ async function handleSecurityPolicy(orgSlug, outputKind) {
   await outputSecurityPolicy(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$k } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$i } = constants
 
 // TODO: secret toplevel alias `socket security policy`?
 const config$k = {
@@ -6285,6 +6586,10 @@ const config$k = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: security-policy:read
+
     Options
       ${getFlagListOutput(config$k.flags, 6)}
 
@@ -6341,7 +6646,7 @@ async function run$k(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$k)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$i)
     return
   }
   await handleSecurityPolicy(
@@ -6389,7 +6694,6 @@ async function fetchQuota() {
   spinner.successAndStop('Received organization quota response.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('getQuota', result)
-    return
   }
   return result.data
 }
@@ -6428,7 +6732,7 @@ async function handleQuota(outputKind = 'text') {
   await outputQuota(data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$j } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h } = constants
 const config$j = {
   commandName: 'quota',
   description: 'List organizations associated with the API key used',
@@ -6481,7 +6785,7 @@ async function run$j(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$j)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$h)
     return
   }
   await handleQuota(json ? 'json' : markdown ? 'markdown' : 'text')
@@ -6514,6 +6818,7 @@ const cmdOrganization = {
   }
 }
 
+const { SOCKET_CLI_ISSUES_URL } = constants
 async function fetchPurlDeepScore(purl) {
   const apiToken = shadowNpmInject.getDefaultToken()
   if (!apiToken) {
@@ -6555,7 +6860,7 @@ async function fetchPurlDeepScore(purl) {
     return JSON.parse(data)
   } catch (e) {
     throw new Error(
-      'Was unable to JSON parse the input from the server. It may not have been a proper JSON response. Please report this problem.'
+      `Unable to parse JSON response from the Socket API.\nPlease report to ${SOCKET_CLI_ISSUES_URL}`
     )
   }
 }
@@ -6748,7 +7053,7 @@ async function outputPurlScore(purl, data, outputKind) {
         )
       } else {
         logger.logger.log(
-          'This package had no alerts and neither did any of its direct/transitive dependencies.'
+          'This package had no alerts and neither did any of its direct/transitive dependencies'
         )
       }
       logger.logger.log('')
@@ -6823,7 +7128,7 @@ function parsePackageSpecifiers(ecosystem, pkgs) {
   }
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$i } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$g } = constants
 const config$i = {
   commandName: 'score',
   description:
@@ -6837,13 +7142,13 @@ const config$i = {
     Usage
       $ ${command} <<ecosystem> <name> | <purl>>
 
+    API Token Requirements
+      - Quota: 100 units
+      - Permissions: packages:list
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
-    Requirements
-      - quota: 100
-      - scope: \`packages:list\`
-
     Show deep scoring details for one package. The score will reflect the package
     itself, any of its dependencies, and any of its transitive dependencies.
 
@@ -6915,7 +7220,7 @@ async function run$i(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$i)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$g)
     return
   }
   await handlePurlDeepScore(
@@ -6939,10 +7244,6 @@ async function fetchPurlsShallowScore(purls) {
     sockSdk.batchPackageFetch(
       {
         alerts: 'true'
-        // compact: false,
-        // fixable: false,
-        // licenseattrib: false,
-        // licensedetails: false
       },
       {
         components: purls.map(purl => ({
@@ -6955,7 +7256,6 @@ async function fetchPurlsShallowScore(purls) {
   spinner.successAndStop('Request completed')
   if (!result.success) {
     handleUnsuccessfulApiResponse('batchPackageFetch', result)
-    return
   }
   return result
 }
@@ -7112,7 +7412,7 @@ async function handlePurlsShallowScore({ outputKind, purls }) {
   outputPurlsShallowScore(purls, packageData.data, outputKind)
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$h } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$f } = constants
 const config$h = {
   commandName: 'shallow',
   description:
@@ -7126,13 +7426,13 @@ const config$h = {
     Usage
       $ ${command} <<ecosystem> <name> [<name> ...] | <purl> [<purl> ...]>
 
+    API Token Requirements
+      - Quota: 100 units
+      - Permissions: packages:list
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
-    Requirements
-      - quota: 100
-      - scope: \`packages:list\`
-
     Show scoring details for one or more packages purely based on their own package.
     This means that any dependency scores are not reflected by the score. You can
     use the \`socket package score <pkg>\` command to get its full transitive score.
@@ -7203,7 +7503,7 @@ async function run$h(argv, importMeta, { parentName }) {
     return
   }
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$h)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$f)
     return
   }
   await handlePurlsShallowScore({
@@ -7256,7 +7556,7 @@ async function runRawNpm(argv) {
   await spawnPromise
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$g, NPM } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$e, NPM } = constants
 const config$g = {
   commandName: 'raw-npm',
   description: `Temporarily disable the Socket ${NPM} wrapper`,
@@ -7284,7 +7584,7 @@ async function run$g(argv, importMeta, { parentName }) {
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$g)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$e)
     return
   }
   await runRawNpm(argv)
@@ -7306,7 +7606,7 @@ async function runRawNpx(argv) {
   await spawnPromise
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$f, NPX } = constants
+const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$d, NPX } = constants
 const config$f = {
   commandName: 'raw-npx',
   description: `Temporarily disable the Socket ${NPX} wrapper`,
@@ -7334,242 +7634,12 @@ async function run$f(argv, importMeta, { parentName }) {
     parentName
   })
   if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$f)
+    logger.logger.log(DRY_RUN_BAIL_TEXT$d)
     return
   }
   await runRawNpx(argv)
 }
 
-const { DRY_RUN_LABEL } = constants
-async function createReport(socketConfig, inputPaths, { cwd, dryRun }) {
-  // Lazily access constants.spinner.
-  const { spinner } = constants
-  const sockSdk = await shadowNpmInject.setupSdk()
-  const supportedFiles = await sockSdk
-    .getReportSupportedFiles()
-    .then(res => {
-      if (!res.success) {
-        handleUnsuccessfulApiResponse('getReportSupportedFiles', res)
-      }
-      return res.data
-    })
-    .catch(cause => {
-      throw new Error('Failed getting supported files for report', {
-        cause
-      })
-    })
-  const packagePaths = await shadowNpmPaths.getPackageFilesForScan(
-    cwd,
-    inputPaths,
-    supportedFiles,
-    socketConfig
-  )
-  const packagePathsCount = packagePaths.length
-  if (packagePathsCount && debug.isDebug()) {
-    for (const pkgPath of packagePaths) {
-      debug.debugLog(`Uploading: ${pkgPath}`)
-    }
-  }
-  if (dryRun) {
-    debug.debugLog(`${DRY_RUN_LABEL}: Skipped actual upload`)
-    return undefined
-  }
-  spinner.start(
-    `Creating report with ${packagePathsCount} package ${words.pluralize('file', packagePathsCount)}`
-  )
-  const apiCall = sockSdk.createReportFromFilePaths(
-    packagePaths,
-    cwd,
-    socketConfig?.issueRules
-  )
-  const result = await handleApiCall(apiCall, 'creating report')
-  if (!result.success) {
-    handleUnsuccessfulApiResponse('createReport', result)
-    return undefined
-  }
-  spinner.successAndStop()
-  return result
-}
-
-async function getSocketConfig(absoluteConfigPath) {
-  const socketConfig = await config$K
-    .readSocketConfig(absoluteConfigPath)
-    .catch(cause => {
-      if (
-        cause &&
-        typeof cause === 'object' &&
-        cause instanceof config$K.SocketValidationError
-      ) {
-        // Inspired by workbox-build:
-        // https://github.com/GoogleChrome/workbox/blob/95f97a207fd51efb3f8a653f6e3e58224183a778/packages/workbox-build/src/lib/validate-options.ts#L68-L71
-        const betterErrors = betterAjvErrors.betterAjvErrors({
-          basePath: 'config',
-          data: cause.data,
-          errors: cause.validationErrors,
-          schema: cause.schema
-        })
-        throw new shadowNpmInject.InputError(
-          'The socket.yml config is not valid',
-          betterErrors
-            .map(
-              err =>
-                `[${err.path}] ${err.message}.${err.suggestion ? err.suggestion : ''}`
-            )
-            .join('\n')
-        )
-      } else {
-        throw new Error('Failed to read socket.yml config', {
-          cause
-        })
-      }
-    })
-  return socketConfig
-}
-
-const MAX_TIMEOUT_RETRY = 5
-const HTTP_CODE_TIMEOUT = 524
-async function fetchReportData$1(reportId, includeAllIssues, strict) {
-  // Lazily access constants.spinner.
-  const { spinner } = constants
-  spinner.log('Fetching report with ID ${reportId} (this could take a while)')
-  spinner.start(`Fetch started... (this could take a while)`)
-  const sockSdk = await shadowNpmInject.setupSdk()
-  let result
-  for (let retry = 1; !result; ++retry) {
-    try {
-      // eslint-disable-next-line no-await-in-loop
-      result = await handleApiCall(
-        sockSdk.getReport(reportId),
-        'fetching report'
-      )
-    } catch (err) {
-      if (
-        retry >= MAX_TIMEOUT_RETRY ||
-        !(err instanceof Error) ||
-        err.cause?.cause?.response?.statusCode !== HTTP_CODE_TIMEOUT
-      ) {
-        spinner.stop(`Failed to fetch report`)
-        throw err
-      }
-      spinner.fail(`Retrying report fetch ${retry} / ${MAX_TIMEOUT_RETRY}`)
-    }
-  }
-  if (!result.success) {
-    return handleUnsuccessfulApiResponse('getReport', result)
-  }
-
-  // Conclude the status of the API call.
-  if (strict) {
-    if (result.data.healthy) {
-      spinner.success('Report result is healthy and great!')
-    } else {
-      spinner.error('Report result deemed unhealthy for project')
-    }
-  } else if (!result.data.healthy) {
-    const severityCount = shadowNpmInject.getSeverityCount(
-      result.data.issues,
-      includeAllIssues ? undefined : 'high'
-    )
-    const issueSummary = shadowNpmInject.formatSeverityCount(severityCount)
-    spinner.success(`Report has these issues: ${issueSummary}`)
-  } else {
-    spinner.success('Report has no issues')
-  }
-  spinner.stop()
-  return result.data
-}
-
-function formatReportDataOutput(
-  reportId,
-  data,
-  commandName,
-  outputKind,
-  strict,
-  artifacts
-) {
-  if (outputKind === 'json') {
-    logger.logger.log(JSON.stringify(data, undefined, 2))
-  } else {
-    const format = new shadowNpmInject.ColorOrMarkdown(
-      outputKind === 'markdown'
-    )
-    logger.logger.log(commonTags.stripIndents`
-      Detailed info on socket.dev: ${format.hyperlink(reportId, data.url, {
-        fallbackToUrl: true
-      })}`)
-    if (outputKind === 'print') {
-      logger.logger.log(data)
-      logger.logger.log(
-        colors.dim(
-          `Or rerun ${colors.italic(commandName)} using the ${colors.italic('--json')} flag to get full JSON output`
-        )
-      )
-      logger.logger.log('The scan:')
-      logger.logger.log(artifacts)
-    }
-  }
-  if (strict && !data.healthy) {
-     
-    process$1.exit(1)
-  }
-}
-
-async function fetchScan(orgSlug, scanId) {
-  const apiToken = shadowNpmInject.getDefaultToken()
-  if (!apiToken) {
-    throw new shadowNpmInject.AuthError(
-      'User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.'
-    )
-  }
-
-  // Lazily access constants.spinner.
-  const { spinner } = constants
-  spinner.start('Fetching scan data...')
-  const response = await queryApi(
-    `orgs/${orgSlug}/full-scans/${encodeURIComponent(scanId)}`,
-    apiToken
-  )
-  spinner.successAndStop('Received response while fetching scan data.')
-  if (!response.ok) {
-    const err = await handleApiError(response.status)
-    logger.logger.fail(
-      failMsgWithBadge(response.statusText, `Fetch error: ${err}`)
-    )
-    return
-  }
-
-  // This is nd-json; each line is a json object
-  const jsons = await response.text()
-  const lines = jsons.split('\n').filter(Boolean)
-  const data = lines.map(line => {
-    try {
-      return JSON.parse(line)
-    } catch {
-      console.error(
-        'At least one line item was returned that could not be parsed as JSON...'
-      )
-      return {}
-    }
-  })
-  return data
-}
-
-async function viewReport(reportId, { all, commandName, outputKind, strict }) {
-  const result = await fetchReportData$1(reportId, all, strict)
-  const artifacts = await fetchScan('socketdev', reportId)
-  if (result) {
-    formatReportDataOutput(
-      reportId,
-      result,
-      commandName,
-      outputKind,
-      strict,
-      artifacts
-    )
-  }
-}
-
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$e } = constants
 const config$e = {
   commandName: 'create',
   description: '[Deprecated] Create a project report',
@@ -7601,57 +7671,17 @@ const cmdReportCreate = {
   run: run$e
 }
 async function run$e(argv, importMeta, { parentName }) {
-  const cli = meowOrExit({
+  meowOrExit({
     argv,
     config: config$e,
     importMeta,
     parentName
   })
-
-  // TODO: Allow setting a custom cwd and/or configFile path?
-  const cwd = process.cwd()
-  const absoluteConfigPath = path$1.join(cwd, 'socket.yml')
-  const dryRun = Boolean(cli.flags['dryRun'])
-  const json = Boolean(cli.flags['json'])
-  const markdown = Boolean(cli.flags['markdown'])
-  const strict = Boolean(cli.flags['strict'])
-  const includeAllIssues = Boolean(cli.flags['all'])
-  const view = Boolean(cli.flags['view'])
-
-  // Note exiting earlier to skirt a hidden auth requirement
-  if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$e)
-    return
-  }
-  const socketConfig = await getSocketConfig(absoluteConfigPath)
-  const result = await createReport(socketConfig, cli.input, {
-    cwd,
-    dryRun
-  })
-  const commandName = `${parentName} ${config$e.commandName}`
-  if (result?.success) {
-    if (view) {
-      const reportId = result.data.id
-      await viewReport(reportId, {
-        all: includeAllIssues,
-        commandName,
-        outputKind: json ? 'json' : markdown ? 'markdown' : 'print',
-        strict
-      })
-    } else if (json) {
-      logger.logger.log(JSON.stringify(result.data, undefined, 2))
-    } else {
-      const format = new shadowNpmInject.ColorOrMarkdown(markdown)
-      logger.logger.log(
-        `New report: ${format.hyperlink(result.data.id, result.data.url, {
-          fallbackToUrl: true
-        })}`
-      )
-    }
-  }
+  logger.logger.fail(
+    'This command has been sunset. Instead, please look at `socket scan create` to create scans and `socket scan report` to view a report of your scans.'
+  )
 }
 
-const { DRY_RUN_BAIL_TEXT: DRY_RUN_BAIL_TEXT$d } = constants
 const config$d = {
   commandName: 'view',
   description: '[Deprecated] View a project report',
@@ -7672,49 +7702,15 @@ const cmdReportView = {
   run: run$d
 }
 async function run$d(argv, importMeta, { parentName }) {
-  const cli = meowOrExit({
+  meowOrExit({
     argv,
     config: config$d,
     importMeta,
     parentName
   })
-  const { json, markdown } = cli.flags
-  const [reportId = '', ...extraInput] = cli.input
-  const wasBadInput = handleBadInput(
-    {
-      test: reportId,
-      message: 'Need at least one report ID',
-      pass: 'ok',
-      fail: 'missing'
-    },
-    {
-      nook: true,
-      test: extraInput.length === 0,
-      message: 'Can only handle a single report ID',
-      pass: 'ok',
-      fail: 'received ' + (extraInput.length + 1)
-    },
-    {
-      nook: true,
-      test: !json || !markdown,
-      message: 'The json and markdown flags cannot be both set, pick one',
-      pass: 'ok',
-      fail: 'omit one'
-    }
+  logger.logger.fail(
+    'This command has been sunset. Instead, please look at `socket scan create` to create scans and `socket scan report` to view a report of your scans.'
   )
-  if (wasBadInput) {
-    return
-  }
-  if (cli.flags['dryRun']) {
-    logger.logger.log(DRY_RUN_BAIL_TEXT$d)
-    return
-  }
-  await viewReport(reportId, {
-    all: Boolean(cli.flags['all']),
-    commandName: `${parentName} ${config$d.commandName}`,
-    outputKind: json ? 'json' : markdown ? 'markdown' : 'print',
-    strict: Boolean(cli.flags['strict'])
-  })
 }
 
 const description$2 = '[Deprecated] Project report related commands'
@@ -7764,7 +7760,6 @@ async function fetchCreateRepo({
   spinner.successAndStop('Received response requesting to create a repository.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('createOrgRepo', result)
-    return
   }
   return result.data
 }
@@ -7837,6 +7832,10 @@ const config$c = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: repo:create
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -7912,7 +7911,6 @@ async function handleDeleteRepo(orgSlug, repoName) {
   )
   if (!result.success) {
     handleUnsuccessfulApiResponse('deleteOrgRepo', result)
-    return
   }
   spinner.successAndStop('Repository deleted successfully')
 }
@@ -7929,6 +7927,10 @@ const config$b = {
     Usage
       $ ${command} <org slug> <repo slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: repo:delete
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -8003,7 +8005,6 @@ async function fetchListRepos({ direction, orgSlug, page, per_page, sort }) {
   spinner.successAndStop('Received response for repository list.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('getOrgRepoList', result)
-    return
   }
   return result.data
 }
@@ -8105,6 +8106,10 @@ const config$a = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: repo:list
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -8197,7 +8202,6 @@ async function fetchUpdateRepo({
   spinner.successAndStop('Received response trying to update a repository')
   if (!result.success) {
     handleUnsuccessfulApiResponse('updateOrgRepo', result)
-    return
   }
   return result.data
 }
@@ -8270,6 +8274,10 @@ const config$9 = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: repo:update
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -8346,7 +8354,6 @@ async function fetchViewRepo(orgSlug, repoName) {
   spinner.successAndStop('Received response while fetched repository data.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('getOrgRepo', result)
-    return
   }
   return result.data
 }
@@ -8441,6 +8448,10 @@ const config$8 = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: repo:list
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -8546,7 +8557,9 @@ async function fetchCreateOrgFullScan(
 
   // Lazily access constants.spinner.
   const { spinner } = constants
-  spinner.start(`Creating a scan with ${packagePaths.length} packages...`)
+  spinner.start(
+    `Sending request to create a scan with ${packagePaths.length} packages...`
+  )
   const result = await handleApiCall(
     sockSdk.createOrgFullScan(
       orgSlug,
@@ -8563,10 +8576,9 @@ async function fetchCreateOrgFullScan(
     ),
     'Creating scan'
   )
-  spinner.successAndStop('Scan created successfully')
+  spinner.successAndStop('Completed request to create a new scan.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('CreateOrgFullScan', result)
-    return
   }
   return result.data
 }
@@ -8581,12 +8593,12 @@ async function fetchSupportedScanFileNames() {
     sockSdk.getReportSupportedFiles(),
     'fetching supported scan file types'
   )
-  spinner.successAndStop(
+  spinner.stop()
+  logger.logger.success(
     'Received response while fetched supported scan file types.'
   )
   if (!result.success) {
     handleUnsuccessfulApiResponse('getReportSupportedFiles', result)
-    return
   }
   return result.data
 }
@@ -8624,7 +8636,6 @@ async function handleCreateNewScan({
     cwd,
     targets,
     supportedFileNames
-    // socketConfig
   )
   handleBadInput({
     nook: true,
@@ -8688,7 +8699,7 @@ async function suggestOrgSlug() {
     }
   } else {
     logger.logger.fail(
-      'Failed to lookup organization list from API, unable to suggest.'
+      'Failed to lookup organization list from API, unable to suggest'
     )
   }
 }
@@ -8943,6 +8954,10 @@ const config$7 = {
     Usage
       $ ${command} [...options] <org> <TARGET> [TARGET...]
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:create
+
     Uploads the specified "package.json" and lock files for JavaScript, Python,
     Go, Scala, Gradle, and Kotlin dependency manifests.
     If any folder is specified, the ones found in there recursively are uploaded.
@@ -8984,7 +8999,7 @@ async function run$7(argv, importMeta, { parentName }) {
     cwdOverride && cwdOverride !== 'process.cwd()'
       ? String(cwdOverride)
       : process.cwd()
-  let { branch: branchName, repo: repoName } = cli.flags
+  let { branch: branchName = '', repo: repoName = '' } = cli.flags
 
   // We're going to need an api token to suggest data because those suggestions
   // must come from data we already know. Don't error on missing api token yet.
@@ -9112,7 +9127,6 @@ async function fetchDeleteOrgFullScan(orgSlug, scanId) {
   spinner.successAndStop('Received response for deleting a scan.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('deleteOrgFullScan', result)
-    return
   }
   return result.data
 }
@@ -9142,6 +9156,10 @@ const config$6 = {
     Usage
       $ ${command} <org slug> <scan ID>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:delete
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -9224,7 +9242,6 @@ async function fetchListScans({
   spinner.successAndStop(`Received response for list of scans.`)
   if (!result.success) {
     handleUnsuccessfulApiResponse('getOrgFullScanList', result)
-    return
   }
   return result.data
 }
@@ -9345,6 +9362,10 @@ const config$5 = {
     Usage
       $ ${command} <org slug>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:list
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -9423,7 +9444,6 @@ async function fetchScanMetadata(orgSlug, scanId) {
   spinner.successAndStop('Received response for scan meta data.')
   if (!result.success) {
     handleUnsuccessfulApiResponse('getOrgFullScanMetadata', result)
-    return
   }
   return result.data
 }
@@ -9485,6 +9505,10 @@ const config$4 = {
     Usage
       $ ${command} <org slug> <scan id>
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:list
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
@@ -9556,14 +9580,8 @@ async function run$4(argv, importMeta, { parentName }) {
 /**
  * This fetches all the relevant pieces of data to generate a report, given a
  * full scan ID.
- * It can optionally only fetch the security or license side of things.
  */
-async function fetchReportData(
-  orgSlug,
-  scanId,
-  // includeLicensePolicy: boolean,
-  includeSecurityPolicy
-) {
+async function fetchReportData(orgSlug, scanId, includeLicensePolicy) {
   const apiToken = shadowNpmInject.getDefaultToken()
   if (!apiToken) {
     throw new shadowNpmInject.AuthError(
@@ -9572,7 +9590,6 @@ async function fetchReportData(
   }
   const sockSdk = await shadowNpmInject.setupSdk(apiToken)
   let haveScan = false
-  // let haveLicensePolicy = false
   let haveSecurityPolicy = false
 
   // Lazily access constants.spinner.
@@ -9580,48 +9597,26 @@ async function fetchReportData(
   function updateProgress() {
     const needs = [
       !haveScan ? 'scan' : undefined,
-      // includeLicensePolicy && !haveLicensePolicy ? 'license policy' : undefined,
-      includeSecurityPolicy && !haveSecurityPolicy
-        ? 'security policy'
-        : undefined
+      !haveSecurityPolicy ? 'security policy' : undefined
     ].filter(Boolean)
-    if (needs.length > 2) {
-      // .toOxford()
-      needs[needs.length - 1] = `and ${needs[needs.length - 1]}`
-    }
     const haves = [
       haveScan ? 'scan' : undefined,
-      // includeLicensePolicy && haveLicensePolicy ? 'license policy' : undefined,
-      includeSecurityPolicy && haveSecurityPolicy
-        ? 'security policy'
-        : undefined
+      haveSecurityPolicy ? 'security policy' : undefined
     ].filter(Boolean)
-    if (haves.length > 2) {
-      // .toOxford()
-      haves[haves.length - 1] = `and ${haves[haves.length - 1]}`
-    }
     if (needs.length) {
       spinner.start(
-        `Fetching ${needs.join(needs.length > 2 ? ', ' : ' and ')}...${haves.length ? ` Completed fetching ${haves.join(haves.length > 2 ? ', ' : ' and ')}.` : ''}`
+        `Fetching ${needs.join(' and ')}...${haves.length ? ` Completed fetching ${haves.join(' and ')}.` : ''}`
       )
     } else {
-      spinner.successAndStop(
-        `Completed fetching ${haves.join(haves.length > 2 ? ', ' : ' and ')}.`
-      )
+      spinner.successAndStop(`Completed fetching ${haves.join(' and ')}.`)
     }
   }
   updateProgress()
-
-  // @ts-ignore
-  const [
-    scan,
-    // licensePolicyMaybe,
-    securityPolicyMaybe
-  ] = await Promise.all([
+  const [scan, securityPolicyMaybe] = await Promise.all([
     (async () => {
       try {
         const response = await queryApi(
-          `orgs/${orgSlug}/full-scans/${encodeURIComponent(scanId)}`,
+          `orgs/${orgSlug}/full-scans/${encodeURIComponent(scanId)}${includeLicensePolicy ? '?include_license_details=true' : ''}`,
           apiToken
         )
         haveScan = true
@@ -9647,32 +9642,16 @@ async function fetchReportData(
         })
         return data
       } catch (e) {
-        spinner.errorAndStop(
-          'There was an issue while fetching full scan data.'
-        )
+        spinner.errorAndStop('There was an issue while fetching full scan data')
         throw e
       }
     })(),
-    // includeLicensePolicy &&
-    //   (async () => {
-    //     const r = await sockSdk.getOrgSecurityPolicy(orgSlug)
-    //     haveLicensePolicy = true
-    //     updateProgress()
-    //     return await handleApiCall(
-    //       r,
-    //       "looking up organization's license policy"
-    //     )
-    //   })(),
-    includeSecurityPolicy &&
-      (async () => {
-        const r = await sockSdk.getOrgSecurityPolicy(orgSlug)
-        haveSecurityPolicy = true
-        updateProgress()
-        return await handleApiCall(
-          r,
-          "looking up organization's security policy"
-        )
-      })()
+    (async () => {
+      const r = await sockSdk.getOrgSecurityPolicy(orgSlug)
+      haveSecurityPolicy = true
+      updateProgress()
+      return await handleApiCall(r, "looking up organization's security policy")
+    })()
   ]).finally(() => spinner.stop())
   if (!Array.isArray(scan)) {
     logger.logger.error('Was unable to fetch scan, bailing')
@@ -9680,55 +9659,30 @@ async function fetchReportData(
     return {
       ok: false,
       scan: undefined,
-      // licensePolicy: undefined,
       securityPolicy: undefined
     }
   }
-
-  // // Note: security->license once the api ships in the sdk
-  // let licensePolicy: undefined | SocketSdkReturnType<'getOrgSecurityPolicy'> =
-  //   undefined
-  // if (includeLicensePolicy) {
-  //   if (licensePolicyMaybe && licensePolicyMaybe.success) {
-  //     licensePolicy = licensePolicyMaybe
-  //   } else {
-  //     logger.error('Was unable to fetch license policy, bailing')
-  //     process.exitCode = 1
-  //     return {
-  //       ok: false,
-  //       scan: undefined,
-  //       licensePolicy: undefined,
-  //       securityPolicy: undefined
-  //     }
-  //   }
-  // }
-
   let securityPolicy = undefined
-  if (includeSecurityPolicy) {
-    if (securityPolicyMaybe && securityPolicyMaybe.success) {
-      securityPolicy = securityPolicyMaybe
-    } else {
-      logger.logger.error('Was unable to fetch security policy, bailing')
-      process.exitCode = 1
-      return {
-        ok: false,
-        scan: undefined,
-        // licensePolicy: undefined,
-        securityPolicy: undefined
-      }
+  if (securityPolicyMaybe && securityPolicyMaybe.success) {
+    securityPolicy = securityPolicyMaybe
+  } else {
+    logger.logger.error('Was unable to fetch security policy, bailing')
+    process.exitCode = 1
+    return {
+      ok: false,
+      scan: undefined,
+      securityPolicy: undefined
     }
   }
   return {
     ok: true,
     scan,
-    // licensePolicy,
     securityPolicy
   }
 }
 
 function generateReport(
   scan,
-  _licensePolicy,
   securityPolicy,
   { fold, orgSlug, reportLevel, scanId, short, spinner }
 ) {
@@ -9754,6 +9708,14 @@ function generateReport(
   //   - monitor/ignore: no action
   //   - defer: unknown (no action)
 
+  // Note: the server will emit alerts for license policy violations but
+  //       those are only included if you set the flag when requesting the scan
+  //       data. The alerts map to a single security policy key that determines
+  //       what to do with any violation, regardless of the concrete license.
+  //       That rule is called "License Policy Violation".
+  // The license policy part is implicitly handled here. Either they are
+  // included and may show up, or they are not and won't show up.
+
   const violations = new Map()
   let healthy = true
   const securityRules = securityPolicy?.data.securityPolicyRules
@@ -10000,13 +9962,11 @@ function* walkNestedMap(map, keys = []) {
 
 async function outputScanReport(
   scan,
-  // licensePolicy: undefined | SocketSdkReturnType<'getOrgSecurityPolicy'>,
   securityPolicy,
   {
     filePath,
     fold,
     includeLicensePolicy,
-    includeSecurityPolicy,
     orgSlug,
     outputKind,
     reportLevel,
@@ -10014,25 +9974,15 @@ async function outputScanReport(
     short
   }
 ) {
-  if (!includeSecurityPolicy) {
-    process.exitCode = 1
-    return // caller should assert
-  }
-  const scanReport = generateReport(
-    scan,
-    undefined,
-    // licensePolicy,
-    securityPolicy,
-    {
-      orgSlug,
-      scanId,
-      fold,
-      reportLevel,
-      short,
-      // Lazily access constants.spinner.
-      spinner: constants.spinner
-    }
-  )
+  const scanReport = generateReport(scan, securityPolicy, {
+    orgSlug,
+    scanId,
+    fold,
+    reportLevel,
+    short,
+    // Lazily access constants.spinner.
+    spinner: constants.spinner
+  })
   if (!scanReport.healthy) {
     process.exitCode = 1
   }
@@ -10040,7 +9990,9 @@ async function outputScanReport(
     outputKind === 'json' ||
     (outputKind === 'text' && filePath && filePath.endsWith('.json'))
   ) {
-    const json = short ? JSON.stringify(scanReport) : toJsonReport(scanReport)
+    const json = short
+      ? JSON.stringify(scanReport)
+      : toJsonReport(scanReport, includeLicensePolicy)
     if (filePath !== '-') {
       logger.logger.log('Writing json report to', filePath)
       return await fs.writeFile(filePath, json)
@@ -10051,7 +10003,7 @@ async function outputScanReport(
   if (outputKind === 'markdown' || filePath.endsWith('.md')) {
     const md = short
       ? `healthy = ${scanReport.healthy}`
-      : toMarkdownReport(scanReport)
+      : toMarkdownReport(scanReport, includeLicensePolicy)
     if (filePath !== '-') {
       logger.logger.log('Writing markdown report to', filePath)
       return await fs.writeFile(filePath, md)
@@ -10067,10 +10019,11 @@ async function outputScanReport(
     })
   }
 }
-function toJsonReport(report) {
+function toJsonReport(report, includeLicensePolicy) {
   const obj = mapToObject(report.alerts)
   const json = JSON.stringify(
     {
+      includeLicensePolicy,
       ...report,
       alerts: obj
     },
@@ -10079,7 +10032,7 @@ function toJsonReport(report) {
   )
   return json
 }
-function toMarkdownReport(report) {
+function toMarkdownReport(report, includeLicensePolicy) {
   const flatData = Array.from(walkNestedMap(report.alerts)).map(
     ({ keys, value }) => {
       const { manifest, policy, type, url } = value
@@ -10098,11 +10051,11 @@ function toMarkdownReport(report) {
 # Scan Policy Report
 
 This report tells you whether the results of a Socket scan results violate the
-security or license policy set by your organization.
+security${includeLicensePolicy ? ' or license' : ''} policy set by your organization.
 
 ## Health status
 
-${report.healthy ? 'The scan *PASSES* all requirements set by your security and license policy.' : 'The scan *VIOLATES* one or more policies set to the "error" level.'}
+${report.healthy ? `The scan *PASSES* all requirements set by your security${includeLicensePolicy ? ' and license' : ''} policy.` : 'The scan *VIOLATES* one or more policies set to the "error" level.'}
 
 ## Settings
 
@@ -10112,6 +10065,7 @@ Configuration used to generate this report:
 - Scan ID: ${report.scanId}
 - Alert folding: ${report.options.fold === 'none' ? 'none' : `up to ${report.options.fold}`}
 - Minimal policy level for alert to be included in report: ${report.options.reportLevel === 'defer' ? 'everything' : report.options.reportLevel}
+- Include license alerts: ${includeLicensePolicy ? 'yes' : 'no'}
 
 ## Alerts
 
@@ -10126,27 +10080,16 @@ async function handleScanReport({
   filePath,
   fold,
   includeLicensePolicy,
-  includeSecurityPolicy,
   orgSlug,
   outputKind,
   reportLevel,
   scanId,
   short
 }) {
-  if (!includeSecurityPolicy) {
-    process.exitCode = 1
-    return // caller should assert
-  }
-  const {
-    // licensePolicy,
-    ok,
-    scan,
-    securityPolicy
-  } = await fetchReportData(
+  const { ok, scan, securityPolicy } = await fetchReportData(
     orgSlug,
     scanId,
-    // includeLicensePolicy
-    includeSecurityPolicy
+    includeLicensePolicy
   )
   if (!ok) {
     return
@@ -10156,7 +10099,6 @@ async function handleScanReport({
     fold,
     scanId: scanId,
     includeLicensePolicy,
-    includeSecurityPolicy,
     orgSlug,
     outputKind,
     reportLevel,
@@ -10169,8 +10111,7 @@ const config$3 = {
   commandName: 'report',
   description:
     'Check whether a scan result passes the organizational policies (security, license)',
-  hidden: true,
-  // [beta]
+  hidden: false,
   flags: {
     ...commonFlags,
     ...outputFlags,
@@ -10189,31 +10130,23 @@ const config$3 = {
       default: false,
       description: 'Report only the healthy status'
     },
-    // license: {
-    //   type: 'boolean',
-    //   default: true,
-    //   description: 'Report the license policy status. Default: true'
-    // },
-    security: {
+    license: {
       type: 'boolean',
-      default: true,
-      description: 'Report the security policy status. Default: true'
+      default: false,
+      description: 'Also report the license policy status. Default: false'
     }
   },
   help: (command, config) => `
     Usage
       $ ${command} <org slug> <scan ID> [path to output file]
 
+    API Token Requirements
+      - Quota: 2 units
+      - Permissions: full-scans:list security-policy:read
+
     Options
       ${getFlagListOutput(config.flags, 6)}
 
-    This consumes 1 quota unit plus 1 for each of the requested policy types.
-
-    Note: By default it reports both so by default it consumes 3 quota units.
-
-    Your API token will need the \`full-scans:list\` scope regardless. Additionally
-    it needs \`security-policy:read\` to report on the security policy.
-
     By default the result is a nested object that looks like this:
       \`{[ecosystem]: {[pkgName]: {[version]: {[file]: {[type:loc]: policy}}}}\`
     You can fold this up to given level: 'pkg', 'version', 'file', and 'none'.
@@ -10225,6 +10158,7 @@ const config$3 = {
 
     Examples
       $ ${command} FakeOrg 000aaaa1-0000-0a0a-00a0-00a0000000a0 --json --fold=version
+      $ ${command} FakeOrg 000aaaa1-0000-0a0a-00a0-00a0000000a0 --license --markdown --short
   `
 }
 const cmdScanReport = {
@@ -10242,10 +10176,9 @@ async function run$3(argv, importMeta, { parentName }) {
   const {
     fold = 'none',
     json,
-    // license,
+    license,
     markdown,
-    reportLevel = 'warn',
-    security
+    reportLevel = 'warn'
   } = cli.flags
   const defaultOrgSlug = shadowNpmInject.getConfigValue('defaultOrg')
   const orgSlug = defaultOrgSlug || cli.input[0] || ''
@@ -10292,9 +10225,7 @@ async function run$3(argv, importMeta, { parentName }) {
   await handleScanReport({
     orgSlug,
     scanId: scanId,
-    includeLicensePolicy: false,
-    // !!license,
-    includeSecurityPolicy: typeof security === 'boolean' ? security : true,
+    includeLicensePolicy: !!license,
     outputKind: json ? 'json' : markdown ? 'markdown' : 'text',
     filePath: file,
     fold: fold,
@@ -10303,6 +10234,46 @@ async function run$3(argv, importMeta, { parentName }) {
   })
 }
 
+async function fetchScan(orgSlug, scanId) {
+  const apiToken = shadowNpmInject.getDefaultToken()
+  if (!apiToken) {
+    throw new shadowNpmInject.AuthError(
+      'User must be authenticated to run this command. To log in, run the command `socket login` and enter your API key.'
+    )
+  }
+
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+  spinner.start('Fetching scan data...')
+  const response = await queryApi(
+    `orgs/${orgSlug}/full-scans/${encodeURIComponent(scanId)}`,
+    apiToken
+  )
+  spinner.successAndStop('Received response while fetching scan data.')
+  if (!response.ok) {
+    const err = await handleApiError(response.status)
+    logger.logger.fail(
+      failMsgWithBadge(response.statusText, `Fetch error: ${err}`)
+    )
+    return
+  }
+
+  // This is nd-json; each line is a json object
+  const jsons = await response.text()
+  const lines = jsons.split('\n').filter(Boolean)
+  const data = lines.map(line => {
+    try {
+      return JSON.parse(line)
+    } catch {
+      console.error(
+        'At least one line item was returned that could not be parsed as JSON...'
+      )
+      return {}
+    }
+  })
+  return data
+}
+
 async function outputScanView(artifacts, orgSlug, scanId, filePath) {
   const display = artifacts.map(art => {
     const author = Array.isArray(art.author)
@@ -10363,7 +10334,6 @@ async function streamScan(orgSlug, scanId, file) {
   spinner.successAndStop(`Full scan details written to ${file}`)
   if (!data?.success) {
     handleUnsuccessfulApiResponse('getOrgFullScan', data)
-    return
   }
   return data
 }
@@ -10381,6 +10351,10 @@ const config$2 = {
     Usage
       $ ${command} <org slug> <scan ID> [path to output file]
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:list
+
     When no output path is given the contents is sent to stdout.
 
     Options
@@ -10730,6 +10704,11 @@ const config$1 = {
     Usage
       $ ${command}
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: threat-feed:list
+      - Special access
+
     This feature requires a Threat Feed license. Please contact
     sales@socket.dev if you are interested in purchasing this access.
 
@@ -10848,7 +10827,7 @@ function checkSocketWrapperSetup(file) {
     )
   if (linesWithSocketAlias.length) {
     logger.logger.log(
-      `The Socket npm/npx wrapper is set up in your bash profile (${file}).`
+      `The Socket npm/npx wrapper is set up in your bash profile (${file})`
     )
     return true
   }
@@ -11030,7 +11009,7 @@ void (async () => {
   await vendor.updater({
     name: SOCKET_CLI_BIN_NAME,
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_VERSION']".
-    version: '0.14.68',
+    version: '0.14.70',
     ttl: 86_400_000 /* 24 hours in milliseconds */
   })
   try {
@@ -11101,5 +11080,5 @@ void (async () => {
     await shadowNpmInject.captureException(e)
   }
 })()
-//# debugId=bc0f5677-df34-40b4-8b22-43ff1bba5210
+//# debugId=f17b556c-de1f-4885-9463-ba44d3fdf9c
 //# sourceMappingURL=cli.js.map