@vibgrate/cli 0.1.1 → 0.1.3

package/dist/chunk-VXEZ7APL.js

@@ -0,0 +1,3697 @@
+// src/utils/fs.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  "out",
+  ".turbo",
+  ".cache",
+  "coverage",
+  "bin",
+  "obj",
+  ".vs",
+  "packages",
+  "TestResults"
+]);
+async function findFiles(rootDir, predicate) {
+  const results = [];
+  async function walk(dir) {
+    let entries;
+    try {
+      const dirents = await fs.readdir(dir, { withFileTypes: true });
+      entries = dirents.map((d) => ({
+        name: d.name,
+        isDirectory: d.isDirectory(),
+        isFile: d.isFile()
+      }));
+    } catch {
+      return;
+    }
+    for (const e of entries) {
+      if (e.isDirectory) {
+        if (SKIP_DIRS.has(e.name)) continue;
+        await walk(path.join(dir, e.name));
+      } else if (e.isFile && predicate(e.name)) {
+        results.push(path.join(dir, e.name));
+      }
+    }
+  }
+  await walk(rootDir);
+  return results;
+}
+async function findPackageJsonFiles(rootDir) {
+  return findFiles(rootDir, (name) => name === "package.json");
+}
+async function findSolutionFiles(rootDir) {
+  return findFiles(rootDir, (name) => name.endsWith(".sln"));
+}
+async function findCsprojFiles(rootDir) {
+  return findFiles(rootDir, (name) => name.endsWith(".csproj"));
+}
+async function readJsonFile(filePath) {
+  const txt = await fs.readFile(filePath, "utf8");
+  return JSON.parse(txt);
+}
+async function readTextFile(filePath) {
+  return fs.readFile(filePath, "utf8");
+}
+async function pathExists(p) {
+  try {
+    await fs.access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function ensureDir(dir) {
+  await fs.mkdir(dir, { recursive: true });
+}
+async function writeJsonFile(filePath, data) {
+  await ensureDir(path.dirname(filePath));
+  await fs.writeFile(filePath, JSON.stringify(data, null, 2) + "\n", "utf8");
+}
+async function writeTextFile(filePath, content) {
+  await ensureDir(path.dirname(filePath));
+  await fs.writeFile(filePath, content, "utf8");
+}
+
+// src/scoring/drift-score.ts
+var DEFAULT_THRESHOLDS = {
+  failOnError: {
+    eolDays: 180,
+    frameworkMajorLag: 3,
+    dependencyTwoPlusPercent: 50
+  },
+  warn: {
+    frameworkMajorLag: 2,
+    dependencyTwoPlusPercent: 30
+  }
+};
+function clamp(val, min, max) {
+  return Math.min(max, Math.max(min, val));
+}
+function runtimeScore(projects) {
+  if (projects.length === 0) return 100;
+  const lags = projects.map((p) => p.runtimeMajorsBehind).filter((v) => v !== void 0);
+  if (lags.length === 0) return 100;
+  const maxLag = Math.max(...lags);
+  if (maxLag === 0) return 100;
+  if (maxLag === 1) return 80;
+  if (maxLag === 2) return 50;
+  if (maxLag === 3) return 20;
+  return 0;
+}
+function frameworkScore(projects) {
+  const allFrameworks = projects.flatMap((p) => p.frameworks);
+  if (allFrameworks.length === 0) return 100;
+  const lags = allFrameworks.map((f) => f.majorsBehind).filter((v) => v !== null);
+  if (lags.length === 0) return 100;
+  const maxLag = Math.max(...lags);
+  const avgLag = lags.reduce((a, b) => a + b, 0) / lags.length;
+  const maxPenalty = Math.min(maxLag * 20, 100);
+  const avgPenalty = Math.min(avgLag * 15, 100);
+  return clamp(100 - (maxPenalty * 0.6 + avgPenalty * 0.4), 0, 100);
+}
+function dependencyScore(projects) {
+  let totalCurrent = 0;
+  let totalOne = 0;
+  let totalTwo = 0;
+  let totalUnknown = 0;
+  for (const p of projects) {
+    totalCurrent += p.dependencyAgeBuckets.current;
+    totalOne += p.dependencyAgeBuckets.oneBehind;
+    totalTwo += p.dependencyAgeBuckets.twoPlusBehind;
+    totalUnknown += p.dependencyAgeBuckets.unknown;
+  }
+  const total = totalCurrent + totalOne + totalTwo;
+  if (total === 0) return 100;
+  const currentPct = totalCurrent / total;
+  const onePct = totalOne / total;
+  const twoPct = totalTwo / total;
+  return clamp(Math.round(currentPct * 100 - onePct * 10 - twoPct * 40), 0, 100);
+}
+function eolScore(projects) {
+  let score = 100;
+  for (const p of projects) {
+    if (p.type === "node" && p.runtimeMajorsBehind !== void 0) {
+      if (p.runtimeMajorsBehind >= 3) score = Math.min(score, 0);
+      else if (p.runtimeMajorsBehind >= 2) score = Math.min(score, 30);
+      else if (p.runtimeMajorsBehind >= 1) score = Math.min(score, 70);
+    }
+    if (p.type === "dotnet" && p.runtimeMajorsBehind !== void 0) {
+      if (p.runtimeMajorsBehind >= 3) score = Math.min(score, 0);
+      else if (p.runtimeMajorsBehind >= 2) score = Math.min(score, 20);
+      else if (p.runtimeMajorsBehind >= 1) score = Math.min(score, 60);
+    }
+  }
+  return score;
+}
+function computeDriftScore(projects) {
+  const rs = runtimeScore(projects);
+  const fs5 = frameworkScore(projects);
+  const ds = dependencyScore(projects);
+  const es = eolScore(projects);
+  const score = Math.round(rs * 0.25 + fs5 * 0.25 + ds * 0.3 + es * 0.2);
+  let riskLevel;
+  if (score >= 70) riskLevel = "low";
+  else if (score >= 40) riskLevel = "moderate";
+  else riskLevel = "high";
+  return {
+    score,
+    riskLevel,
+    components: {
+      runtimeScore: rs,
+      frameworkScore: fs5,
+      dependencyScore: ds,
+      eolScore: es
+    }
+  };
+}
+function generateFindings(projects, config) {
+  const thresholds = {
+    failOnError: { ...DEFAULT_THRESHOLDS.failOnError, ...config?.thresholds?.failOnError },
+    warn: { ...DEFAULT_THRESHOLDS.warn, ...config?.thresholds?.warn }
+  };
+  const findings = [];
+  for (const project of projects) {
+    if (project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind >= 3) {
+      findings.push({
+        ruleId: "vibgrate/runtime-eol",
+        level: "error",
+        message: `${project.type === "node" ? "Node.js" : ".NET"} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}). Likely at or past EOL.`,
+        location: project.path
+      });
+    } else if (project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind >= 2) {
+      findings.push({
+        ruleId: "vibgrate/runtime-lag",
+        level: "warning",
+        message: `${project.type === "node" ? "Node.js" : ".NET"} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}).`,
+        location: project.path
+      });
+    }
+    for (const fw of project.frameworks) {
+      if (fw.majorsBehind !== null && thresholds.failOnError.frameworkMajorLag !== void 0 && fw.majorsBehind >= thresholds.failOnError.frameworkMajorLag) {
+        findings.push({
+          ruleId: "vibgrate/framework-major-lag",
+          level: "error",
+          message: `${fw.name} is ${fw.majorsBehind} major versions behind (current: ${fw.currentVersion}, latest: ${fw.latestVersion}).`,
+          location: project.path
+        });
+      } else if (fw.majorsBehind !== null && thresholds.warn.frameworkMajorLag !== void 0 && fw.majorsBehind >= thresholds.warn.frameworkMajorLag) {
+        findings.push({
+          ruleId: "vibgrate/framework-major-lag",
+          level: "warning",
+          message: `${fw.name} is ${fw.majorsBehind} major versions behind (current: ${fw.currentVersion}, latest: ${fw.latestVersion}).`,
+          location: project.path
+        });
+      }
+    }
+    const totalDeps = project.dependencyAgeBuckets.current + project.dependencyAgeBuckets.oneBehind + project.dependencyAgeBuckets.twoPlusBehind;
+    if (totalDeps > 0) {
+      const twoPlusPct = project.dependencyAgeBuckets.twoPlusBehind / totalDeps * 100;
+      if (thresholds.failOnError.dependencyTwoPlusPercent !== void 0 && twoPlusPct >= thresholds.failOnError.dependencyTwoPlusPercent) {
+        findings.push({
+          ruleId: "vibgrate/dependency-rot",
+          level: "error",
+          message: `${Math.round(twoPlusPct)}% of dependencies are 2+ major versions behind in ${project.name}.`,
+          location: project.path
+        });
+      } else if (thresholds.warn.dependencyTwoPlusPercent !== void 0 && twoPlusPct >= thresholds.warn.dependencyTwoPlusPercent) {
+        findings.push({
+          ruleId: "vibgrate/dependency-rot",
+          level: "warning",
+          message: `${Math.round(twoPlusPct)}% of dependencies are 2+ major versions behind in ${project.name}.`,
+          location: project.path
+        });
+      }
+    }
+    for (const dep of project.dependencies) {
+      if (dep.majorsBehind !== null && dep.majorsBehind >= 3) {
+        findings.push({
+          ruleId: "vibgrate/dependency-major-lag",
+          level: "error",
+          message: `${dep.package} is ${dep.majorsBehind} major versions behind (spec: ${dep.currentSpec}, latest: ${dep.latestStable}).`,
+          location: project.path
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+// src/formatters/text.ts
+import chalk from "chalk";
+function formatText(artifact) {
+  const lines = [];
+  lines.push("");
+  lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  lines.push(chalk.bold.cyan("\u2551        Vibgrate Drift Report             \u2551"));
+  lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  lines.push("");
+  const scoreColor = artifact.drift.score >= 70 ? chalk.green : artifact.drift.score >= 40 ? chalk.yellow : chalk.red;
+  lines.push(chalk.bold("  Drift Score:  ") + scoreColor.bold(`${artifact.drift.score}/100`));
+  lines.push(chalk.bold("  Risk Level:   ") + riskBadge(artifact.drift.riskLevel));
+  lines.push(chalk.bold("  Projects:     ") + `${artifact.projects.length}`);
+  if (artifact.vcs) {
+    const vcsParts = [artifact.vcs.type];
+    if (artifact.vcs.branch) vcsParts.push(artifact.vcs.branch);
+    if (artifact.vcs.shortSha) vcsParts.push(chalk.dim(artifact.vcs.shortSha));
+    lines.push(chalk.bold("  VCS:          ") + vcsParts.join(" "));
+  }
+  lines.push("");
+  lines.push(chalk.bold.underline("  Score Breakdown"));
+  lines.push(`    Runtime:      ${scoreBar(artifact.drift.components.runtimeScore)}`);
+  lines.push(`    Frameworks:   ${scoreBar(artifact.drift.components.frameworkScore)}`);
+  lines.push(`    Dependencies: ${scoreBar(artifact.drift.components.dependencyScore)}`);
+  lines.push(`    EOL Risk:     ${scoreBar(artifact.drift.components.eolScore)}`);
+  lines.push("");
+  for (const project of artifact.projects) {
+    lines.push(chalk.bold(`  \u2500\u2500 ${project.name} `) + chalk.dim(`(${project.type}) ${project.path}`));
+    if (project.runtime) {
+      const behindStr = project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind > 0 ? chalk.yellow(` (${project.runtimeMajorsBehind} major${project.runtimeMajorsBehind > 1 ? "s" : ""} behind)`) : chalk.green(" (current)");
+      lines.push(`     Runtime: ${project.runtime}${behindStr}`);
+    }
+    if (project.targetFramework) {
+      lines.push(`     Target:  ${project.targetFramework}`);
+    }
+    if (project.frameworks.length > 0) {
+      lines.push("     Frameworks:");
+      for (const fw of project.frameworks) {
+        const lag = fw.majorsBehind !== null ? fw.majorsBehind === 0 ? chalk.green("current") : chalk.yellow(`${fw.majorsBehind} behind`) : chalk.dim("unknown");
+        lines.push(`       ${fw.name}: ${fw.currentVersion ?? "?"} \u2192 ${fw.latestVersion ?? "?"} (${lag})`);
+      }
+    }
+    const b = project.dependencyAgeBuckets;
+    const total = b.current + b.oneBehind + b.twoPlusBehind + b.unknown;
+    if (total > 0) {
+      lines.push("     Dependencies:");
+      lines.push(`       ${chalk.green(`${b.current} current`)}  ${chalk.yellow(`${b.oneBehind} 1-behind`)}  ${chalk.red(`${b.twoPlusBehind} 2+ behind`)}  ${chalk.dim(`${b.unknown} unknown`)}`);
+    }
+    lines.push("");
+  }
+  if (artifact.findings.length > 0) {
+    lines.push(chalk.bold.underline("  Findings"));
+    for (const f of artifact.findings) {
+      const icon = f.level === "error" ? chalk.red("\u2716") : f.level === "warning" ? chalk.yellow("\u26A0") : chalk.blue("\u2139");
+      lines.push(`    ${icon} ${f.message}`);
+      lines.push(chalk.dim(`      ${f.ruleId} in ${f.location}`));
+    }
+    lines.push("");
+  }
+  if (artifact.delta !== void 0) {
+    const deltaStr = artifact.delta > 0 ? chalk.green(`+${artifact.delta}`) : artifact.delta < 0 ? chalk.red(`${artifact.delta}`) : chalk.dim("0");
+    lines.push(chalk.bold("  Drift Delta: ") + deltaStr + " (vs baseline)");
+    lines.push("");
+  }
+  if (artifact.extended) {
+    lines.push(...formatExtended(artifact.extended));
+  }
+  lines.push(chalk.dim(`  Scanned at ${artifact.timestamp}`));
+  lines.push("");
+  return lines.join("\n");
+}
+function riskBadge(level) {
+  switch (level) {
+    case "low":
+      return chalk.bgGreen.black(" LOW ");
+    case "moderate":
+      return chalk.bgYellow.black(" MODERATE ");
+    case "high":
+      return chalk.bgRed.white(" HIGH ");
+    default:
+      return level;
+  }
+}
+function scoreBar(score) {
+  const width = 20;
+  const filled = Math.round(score / 100 * width);
+  const empty = width - filled;
+  const color = score >= 70 ? chalk.green : score >= 40 ? chalk.yellow : chalk.red;
+  return color("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty)) + ` ${score}`;
+}
+var CATEGORY_LABELS = {
+  frontend: "Frontend",
+  metaFrameworks: "Meta-frameworks",
+  bundlers: "Bundlers",
+  css: "CSS / UI",
+  backend: "Backend",
+  orm: "ORM / Database",
+  testing: "Testing",
+  lintFormat: "Lint & Format",
+  apiMessaging: "API & Messaging",
+  observability: "Observability",
+  payment: "Payment",
+  auth: "Auth",
+  email: "Email",
+  cloud: "Cloud",
+  databases: "Databases",
+  messaging: "Messaging",
+  crm: "CRM & Comms",
+  storage: "Storage",
+  search: "Search & AI"
+};
+function formatExtended(ext) {
+  const lines = [];
+  if (ext.toolingInventory) {
+    const inv = ext.toolingInventory;
+    const categories = Object.entries(inv).filter(([, items]) => items.length > 0);
+    if (categories.length > 0) {
+      lines.push(chalk.bold.underline("  Tech Stack"));
+      for (const [cat, items] of categories) {
+        const label = CATEGORY_LABELS[cat] ?? cat;
+        const names = items.map((i) => chalk.white(i.name)).join(chalk.dim(", "));
+        lines.push(`    ${chalk.cyan(label)}: ${names}`);
+      }
+      lines.push("");
+    }
+  }
+  if (ext.serviceDependencies) {
+    const svc = ext.serviceDependencies;
+    const categories = Object.entries(svc).filter(([, items]) => items.length > 0);
+    if (categories.length > 0) {
+      lines.push(chalk.bold.underline("  Services & Integrations"));
+      for (const [cat, items] of categories) {
+        const label = CATEGORY_LABELS[cat] ?? cat;
+        const names = items.map((i) => {
+          const ver = i.version ? chalk.dim(` ${i.version}`) : "";
+          return chalk.white(i.name) + ver;
+        }).join(chalk.dim(", "));
+        lines.push(`    ${chalk.cyan(label)}: ${names}`);
+      }
+      lines.push("");
+    }
+  }
+  if (ext.breakingChangeExposure) {
+    const bc = ext.breakingChangeExposure;
+    if (bc.deprecatedPackages.length > 0 || bc.legacyPolyfills.length > 0) {
+      lines.push(chalk.bold.underline("  Breaking Change Exposure"));
+      const exposureColor = bc.exposureScore >= 40 ? chalk.red : bc.exposureScore >= 20 ? chalk.yellow : chalk.green;
+      lines.push(`    Exposure Score: ${exposureColor.bold(`${bc.exposureScore}/100`)}`);
+      if (bc.deprecatedPackages.length > 0) {
+        lines.push(`    ${chalk.red("Deprecated")}: ${bc.deprecatedPackages.map((p) => chalk.dim(p)).join(", ")}`);
+      }
+      if (bc.legacyPolyfills.length > 0) {
+        lines.push(`    ${chalk.yellow("Polyfills")}: ${bc.legacyPolyfills.map((p) => chalk.dim(p)).join(", ")}`);
+      }
+      if (bc.peerConflictsDetected) {
+        lines.push(`    ${chalk.red("\u26A0")} Peer dependency conflicts detected`);
+      }
+      lines.push("");
+    }
+  }
+  if (ext.tsModernity && ext.tsModernity.typescriptVersion) {
+    const ts = ext.tsModernity;
+    lines.push(chalk.bold.underline("  TypeScript"));
+    const parts = [];
+    parts.push(`v${ts.typescriptVersion}`);
+    if (ts.strict === true) parts.push(chalk.green("strict \u2714"));
+    else if (ts.strict === false) parts.push(chalk.yellow("strict \u2716"));
+    if (ts.moduleType) parts.push(ts.moduleType.toUpperCase());
+    if (ts.target) parts.push(`target: ${ts.target}`);
+    lines.push(`    ${parts.join(chalk.dim(" \xB7 "))}`);
+    lines.push("");
+  }
+  if (ext.buildDeploy) {
+    const bd = ext.buildDeploy;
+    const hasSomething = bd.ci.length > 0 || bd.docker.dockerfileCount > 0 || bd.packageManagers.length > 0;
+    if (hasSomething) {
+      lines.push(chalk.bold.underline("  Build & Deploy"));
+      if (bd.ci.length > 0) lines.push(`    CI: ${bd.ci.join(", ")}`);
+      if (bd.docker.dockerfileCount > 0) {
+        lines.push(`    Docker: ${bd.docker.dockerfileCount} Dockerfile${bd.docker.dockerfileCount !== 1 ? "s" : ""} (${bd.docker.baseImages.join(", ")})`);
+      }
+      if (bd.packageManagers.length > 0) lines.push(`    Package Managers: ${bd.packageManagers.join(", ")}`);
+      if (bd.monorepoTools.length > 0) lines.push(`    Monorepo: ${bd.monorepoTools.join(", ")}`);
+      if (bd.iac.length > 0) lines.push(`    IaC: ${bd.iac.join(", ")}`);
+      lines.push("");
+    }
+  }
+  if (ext.securityPosture) {
+    const sec = ext.securityPosture;
+    lines.push(chalk.bold.underline("  Security Posture"));
+    const checks = [];
+    checks.push(sec.lockfilePresent ? chalk.green("Lockfile \u2714") : chalk.red("Lockfile \u2716"));
+    checks.push(sec.gitignoreCoversEnv ? chalk.green(".env \u2714") : chalk.red(".env \u2716"));
+    checks.push(sec.gitignoreCoversNodeModules ? chalk.green("node_modules \u2714") : chalk.yellow("node_modules \u2716"));
+    if (sec.multipleLockfileTypes) checks.push(chalk.yellow("Multiple lockfiles \u26A0"));
+    if (sec.envFilesTracked) checks.push(chalk.red("Env files tracked \u2716"));
+    lines.push(`    ${checks.join(chalk.dim(" \xB7 "))}`);
+    lines.push("");
+  }
+  if (ext.platformMatrix) {
+    const pm = ext.platformMatrix;
+    if (pm.nativeModules.length > 0 || pm.dockerBaseImages.length > 0) {
+      lines.push(chalk.bold.underline("  Platform"));
+      if (pm.nativeModules.length > 0) {
+        lines.push(`    Native modules: ${pm.nativeModules.map((m) => chalk.dim(m)).join(", ")}`);
+      }
+      if (pm.osAssumptions.length > 0) {
+        lines.push(`    OS assumptions: ${pm.osAssumptions.join(", ")}`);
+      }
+      lines.push("");
+    }
+  }
+  if (ext.dependencyGraph) {
+    const dg = ext.dependencyGraph;
+    if (dg.lockfileType) {
+      lines.push(chalk.bold.underline("  Dependency Graph"));
+      lines.push(`    ${dg.lockfileType}: ${chalk.white(`${dg.totalUnique}`)} unique, ${chalk.white(`${dg.totalInstalled}`)} installed`);
+      if (dg.duplicatedPackages.length > 0) {
+        lines.push(`    ${chalk.yellow(`${dg.duplicatedPackages.length} duplicated`)} packages`);
+      }
+      if (dg.phantomDependencies.length > 0) {
+        lines.push(`    ${chalk.red(`${dg.phantomDependencies.length} phantom`)} dependencies`);
+      }
+      lines.push("");
+    }
+  }
+  return lines;
+}
+
+// src/formatters/sarif.ts
+function formatSarif(artifact) {
+  const rules = buildRules(artifact.findings);
+  const results = artifact.findings.map((f) => toSarifResult(f));
+  return {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "vibgrate",
+            version: artifact.vibgrateVersion,
+            informationUri: "https://vibgrate.com",
+            rules
+          }
+        },
+        results,
+        invocations: [
+          {
+            executionSuccessful: true,
+            startTimeUtc: artifact.timestamp
+          }
+        ]
+      }
+    ]
+  };
+}
+function buildRules(findings) {
+  const ruleIds = [...new Set(findings.map((f) => f.ruleId))];
+  return ruleIds.map((id) => {
+    const descriptions = {
+      "vibgrate/runtime-eol": {
+        id: "vibgrate/runtime-eol",
+        shortDescription: { text: "Runtime at or past end-of-life" },
+        helpUri: "https://vibgrate.com/rules/runtime-eol"
+      },
+      "vibgrate/runtime-lag": {
+        id: "vibgrate/runtime-lag",
+        shortDescription: { text: "Runtime major version lag" },
+        helpUri: "https://vibgrate.com/rules/runtime-lag"
+      },
+      "vibgrate/framework-major-lag": {
+        id: "vibgrate/framework-major-lag",
+        shortDescription: { text: "Framework major version behind latest" },
+        helpUri: "https://vibgrate.com/rules/framework-major-lag"
+      },
+      "vibgrate/dependency-rot": {
+        id: "vibgrate/dependency-rot",
+        shortDescription: { text: "High percentage of outdated dependencies" },
+        helpUri: "https://vibgrate.com/rules/dependency-rot"
+      },
+      "vibgrate/dependency-major-lag": {
+        id: "vibgrate/dependency-major-lag",
+        shortDescription: { text: "Individual dependency severely behind" },
+        helpUri: "https://vibgrate.com/rules/dependency-major-lag"
+      }
+    };
+    return descriptions[id] ?? {
+      id,
+      shortDescription: { text: id },
+      helpUri: "https://vibgrate.com"
+    };
+  });
+}
+function toSarifResult(finding) {
+  return {
+    ruleId: finding.ruleId,
+    level: finding.level === "error" ? "error" : finding.level === "warning" ? "warning" : "note",
+    message: { text: finding.message },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: {
+            uri: finding.location
+          }
+        }
+      }
+    ]
+  };
+}
+
+// src/version.ts
+import { createRequire } from "module";
+var require2 = createRequire(import.meta.url);
+var pkg = require2("../package.json");
+var VERSION = pkg.version;
+
+// src/commands/scan.ts
+import * as path12 from "path";
+import { Command } from "commander";
+import chalk3 from "chalk";
+
+// src/scanners/node-scanner.ts
+import * as path2 from "path";
+import * as semver2 from "semver";
+
+// src/scanners/npm-cache.ts
+import { spawn } from "child_process";
+import * as semver from "semver";
+function stableOnly(versions) {
+  return versions.filter((v) => semver.valid(v) && semver.prerelease(v) === null);
+}
+function maxStable(versions) {
+  const stable = stableOnly(versions);
+  if (stable.length === 0) return null;
+  return stable.sort(semver.rcompare)[0] ?? null;
+}
+async function npmViewJson(args, cwd) {
+  return new Promise((resolve4, reject) => {
+    const child = spawn("npm", ["view", ...args, "--json"], {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let out = "";
+    let err = "";
+    child.stdout.on("data", (d) => out += String(d));
+    child.stderr.on("data", (d) => err += String(d));
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code !== 0) {
+        reject(new Error(`npm view ${args.join(" ")} failed (code=${code}): ${err.trim()}`));
+        return;
+      }
+      const trimmed = out.trim();
+      if (!trimmed) {
+        resolve4(null);
+        return;
+      }
+      try {
+        resolve4(JSON.parse(trimmed));
+      } catch {
+        resolve4(trimmed.replace(/^"|"$/g, ""));
+      }
+    });
+  });
+}
+var NpmCache = class {
+  constructor(cwd, sem) {
+    this.cwd = cwd;
+    this.sem = sem;
+  }
+  meta = /* @__PURE__ */ new Map();
+  get(pkg2) {
+    const existing = this.meta.get(pkg2);
+    if (existing) return existing;
+    const p = this.sem.run(async () => {
+      let latest = null;
+      try {
+        const dist = await npmViewJson([pkg2, "dist-tags"], this.cwd);
+        if (dist && typeof dist === "object" && typeof dist.latest === "string") {
+          latest = dist.latest;
+        }
+      } catch {
+      }
+      let versions = [];
+      try {
+        const v = await npmViewJson([pkg2, "versions"], this.cwd);
+        if (Array.isArray(v)) versions = v.map(String);
+        else if (typeof v === "string") versions = [v];
+      } catch {
+      }
+      const stable = stableOnly(versions);
+      const latestStableOverall = maxStable(stable);
+      if (!latest && latestStableOverall) latest = latestStableOverall;
+      return { latest, stableVersions: stable, latestStableOverall };
+    });
+    this.meta.set(pkg2, p);
+    return p;
+  }
+};
+function isSemverSpec(spec) {
+  const s = spec.trim();
+  if (!s) return false;
+  if (s.startsWith("workspace:")) return false;
+  if (s.startsWith("file:")) return false;
+  if (s.startsWith("link:")) return false;
+  if (s.startsWith("git+")) return false;
+  if (s.includes("://")) return false;
+  if (s.startsWith("github:")) return false;
+  if (s === "*" || s.toLowerCase() === "latest") return true;
+  return semver.validRange(s) !== null;
+}
+
+// src/scanners/node-scanner.ts
+var KNOWN_FRAMEWORKS = {
+  // ── Frontend ──
+  "react": "React",
+  "react-dom": "React DOM",
+  "vue": "Vue",
+  "@angular/core": "Angular",
+  "svelte": "Svelte",
+  "solid-js": "Solid",
+  "preact": "Preact",
+  "lit": "Lit",
+  "qwik": "Qwik",
+  "htmx.org": "htmx",
+  "alpinejs": "Alpine.js",
+  "stimulus": "Stimulus",
+  // ── Meta-frameworks ──
+  "next": "Next.js",
+  "nuxt": "Nuxt",
+  "@remix-run/react": "Remix",
+  "@remix-run/node": "Remix (Node)",
+  "gatsby": "Gatsby",
+  "astro": "Astro",
+  "@sveltejs/kit": "SvelteKit",
+  "@analogjs/platform": "Analog",
+  "@tanstack/start": "TanStack Start",
+  // ── Backend ──
+  "express": "Express",
+  "fastify": "Fastify",
+  "@nestjs/core": "NestJS",
+  "hono": "Hono",
+  "koa": "Koa",
+  "@hapi/hapi": "Hapi",
+  "restify": "Restify",
+  "@elysiajs/eden": "Elysia",
+  "elysia": "Elysia",
+  "@adonisjs/core": "AdonisJS",
+  "moleculer": "Moleculer",
+  "@feathersjs/feathers": "Feathers",
+  "sails": "Sails",
+  // ── Language & Runtime ──
+  "typescript": "TypeScript",
+  // ── State Management ──
+  "redux": "Redux",
+  "@reduxjs/toolkit": "Redux Toolkit",
+  "zustand": "Zustand",
+  "mobx": "MobX",
+  "jotai": "Jotai",
+  "recoil": "Recoil",
+  "pinia": "Pinia",
+  "vuex": "Vuex",
+  "@tanstack/react-query": "TanStack Query",
+  "swr": "SWR",
+  "xstate": "XState",
+  "@ngrx/store": "NgRx",
+  // ── ORM & Database ──
+  "prisma": "Prisma",
+  "drizzle-orm": "Drizzle",
+  "typeorm": "TypeORM",
+  "sequelize": "Sequelize",
+  "@mikro-orm/core": "MikroORM",
+  "mongoose": "Mongoose",
+  "knex": "Knex",
+  "kysely": "Kysely",
+  "objection": "Objection.js",
+  // ── Bundlers ──
+  "vite": "Vite",
+  "webpack": "webpack",
+  "rollup": "Rollup",
+  "esbuild": "esbuild",
+  "parcel": "Parcel",
+  "turbo": "Turbo",
+  "tsup": "tsup",
+  "@swc/core": "SWC",
+  "bun": "Bun",
+  // ── Testing ──
+  "vitest": "Vitest",
+  "jest": "Jest",
+  "@playwright/test": "Playwright",
+  "cypress": "Cypress",
+  "mocha": "Mocha",
+  "ava": "AVA",
+  "storybook": "Storybook",
+  "@storybook/react": "Storybook"
+};
+async function scanNodeProjects(rootDir, npmCache) {
+  const packageJsonFiles = await findPackageJsonFiles(rootDir);
+  const results = [];
+  for (const pjPath of packageJsonFiles) {
+    try {
+      const scan = await scanOnePackageJson(pjPath, rootDir, npmCache);
+      results.push(scan);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      console.error(`Error scanning ${pjPath}: ${msg}`);
+    }
+  }
+  return results;
+}
+async function scanOnePackageJson(packageJsonPath, rootDir, npmCache) {
+  const pj = await readJsonFile(packageJsonPath);
+  const absProjectPath = path2.dirname(packageJsonPath);
+  const projectPath = path2.relative(rootDir, absProjectPath) || ".";
+  const nodeEngine = pj.engines?.node ?? void 0;
+  let runtimeLatest;
+  let runtimeMajorsBehind;
+  if (nodeEngine) {
+    const latestLtsMajor = 22;
+    const parsed = semver2.minVersion(nodeEngine);
+    if (parsed) {
+      const currentMajor = semver2.major(parsed);
+      runtimeLatest = `${latestLtsMajor}.0.0`;
+      runtimeMajorsBehind = Math.max(0, latestLtsMajor - currentMajor);
+    }
+  }
+  const sections = [
+    { name: "dependencies", deps: pj.dependencies },
+    { name: "devDependencies", deps: pj.devDependencies },
+    { name: "peerDependencies", deps: pj.peerDependencies },
+    { name: "optionalDependencies", deps: pj.optionalDependencies }
+  ];
+  const dependencies = [];
+  const frameworks = [];
+  const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: 0 };
+  const depEntries = [];
+  for (const s of sections) {
+    if (!s.deps) continue;
+    for (const [pkg2, spec] of Object.entries(s.deps)) {
+      if (!isSemverSpec(spec)) continue;
+      depEntries.push({ pkg: pkg2, section: s.name, spec });
+    }
+  }
+  const metaPromises = depEntries.map(async (entry) => {
+    const meta = await npmCache.get(entry.pkg);
+    return { ...entry, meta };
+  });
+  const resolved = await Promise.all(metaPromises);
+  for (const { pkg: pkg2, section, spec, meta } of resolved) {
+    const resolvedVersion = meta.stableVersions.length > 0 ? semver2.maxSatisfying(meta.stableVersions, spec) ?? null : null;
+    const latestStable = meta.latestStableOverall;
+    let majorsBehind = null;
+    let drift = "unknown";
+    if (resolvedVersion && latestStable) {
+      const currentMajor = semver2.major(resolvedVersion);
+      const latestMajor = semver2.major(latestStable);
+      majorsBehind = latestMajor - currentMajor;
+      if (majorsBehind === 0) {
+        drift = semver2.eq(resolvedVersion, latestStable) ? "current" : "minor-behind";
+      } else {
+        drift = "major-behind";
+      }
+      if (majorsBehind === 0) buckets.current++;
+      else if (majorsBehind === 1) buckets.oneBehind++;
+      else buckets.twoPlusBehind++;
+    } else {
+      buckets.unknown++;
+    }
+    dependencies.push({
+      package: pkg2,
+      section,
+      currentSpec: spec,
+      resolvedVersion,
+      latestStable,
+      majorsBehind,
+      drift
+    });
+    if (pkg2 in KNOWN_FRAMEWORKS) {
+      frameworks.push({
+        name: KNOWN_FRAMEWORKS[pkg2],
+        currentVersion: resolvedVersion,
+        latestVersion: latestStable,
+        majorsBehind
+      });
+    }
+  }
+  dependencies.sort((a, b) => {
+    const order = { "major-behind": 0, "minor-behind": 1, "current": 2, "unknown": 3 };
+    const diff = (order[a.drift] ?? 9) - (order[b.drift] ?? 9);
+    if (diff !== 0) return diff;
+    return a.package.localeCompare(b.package);
+  });
+  return {
+    type: "node",
+    path: projectPath,
+    name: pj.name ?? path2.basename(absProjectPath),
+    runtime: nodeEngine,
+    runtimeLatest,
+    runtimeMajorsBehind,
+    frameworks,
+    dependencies,
+    dependencyAgeBuckets: buckets
+  };
+}
+
+// src/scanners/dotnet-scanner.ts
+import * as path3 from "path";
+import { XMLParser } from "fast-xml-parser";
+var parser = new XMLParser({
+  ignoreAttributes: false,
+  attributeNamePrefix: "@_"
+});
+var KNOWN_DOTNET_FRAMEWORKS = {
+  // ── ASP.NET Core & Web ──
+  "Microsoft.AspNetCore.App": "ASP.NET Core",
+  "Microsoft.AspNetCore.Mvc": "ASP.NET Core MVC",
+  "Microsoft.AspNetCore.Components": "Blazor",
+  "Microsoft.AspNetCore.Components.WebAssembly": "Blazor WASM",
+  "Microsoft.AspNetCore.SignalR": "SignalR",
+  "Microsoft.AspNetCore.OData": "OData",
+  "Microsoft.AspNetCore.Identity": "ASP.NET Identity",
+  "Microsoft.AspNetCore.Authentication.JwtBearer": "JWT Bearer Auth",
+  "Microsoft.AspNetCore.Diagnostics.HealthChecks": "Health Checks",
+  "Swashbuckle.AspNetCore": "Swashbuckle",
+  "NSwag.AspNetCore": "NSwag",
+  // ── Entity Framework & Data Access ──
+  "Microsoft.EntityFrameworkCore": "EF Core",
+  "Microsoft.EntityFrameworkCore.SqlServer": "EF Core SQL Server",
+  "Microsoft.EntityFrameworkCore.Sqlite": "EF Core SQLite",
+  "Microsoft.EntityFrameworkCore.Design": "EF Core Design",
+  "Microsoft.EntityFrameworkCore.Tools": "EF Core Tools",
+  "Npgsql.EntityFrameworkCore.PostgreSQL": "EF Core PostgreSQL",
+  "Pomelo.EntityFrameworkCore.MySql": "EF Core MySQL (Pomelo)",
+  "MongoDB.EntityFrameworkCore": "EF Core MongoDB",
+  "Dapper": "Dapper",
+  "Dapper.Contrib": "Dapper Contrib",
+  "NHibernate": "NHibernate",
+  "Npgsql": "Npgsql",
+  "MySqlConnector": "MySqlConnector",
+  "MongoDB.Driver": "MongoDB Driver",
+  "StackExchange.Redis": "StackExchange.Redis",
+  "Microsoft.Data.SqlClient": "SqlClient",
+  "Oracle.ManagedDataAccess.Core": "Oracle (Managed)",
+  "Cassandra": "Cassandra Driver",
+  "Neo4j.Driver": "Neo4j Driver",
+  "Marten": "Marten",
+  "LiteDB": "LiteDB",
+  "RavenDB.Client": "RavenDB",
+  // ── Hosting & Configuration ──
+  "Microsoft.Extensions.Hosting": ".NET Hosting",
+  "Microsoft.Extensions.DependencyInjection": ".NET DI",
+  "Microsoft.Extensions.Configuration": ".NET Configuration",
+  "Microsoft.Extensions.Logging": ".NET Logging",
+  "Microsoft.Extensions.Options": ".NET Options",
+  "Microsoft.Extensions.Caching.Memory": ".NET Memory Cache",
+  "Microsoft.Extensions.Caching.StackExchangeRedis": ".NET Redis Cache",
+  "Microsoft.Extensions.Http": ".NET HttpClientFactory",
+  "Microsoft.Extensions.Resilience": ".NET Resilience",
+  // ── CQRS & Mediator ──
+  "MediatR": "MediatR",
+  "Wolverine": "Wolverine",
+  "Brighter": "Brighter",
+  // ── Mapping ──
+  "AutoMapper": "AutoMapper",
+  "Mapster": "Mapster",
+  "Riok.Mapperly": "Mapperly",
+  // ── Validation ──
+  "FluentValidation": "FluentValidation",
+  "FluentValidation.AspNetCore": "FluentValidation ASP.NET",
+  // ── Serialization ──
+  "Newtonsoft.Json": "Newtonsoft.Json",
+  "System.Text.Json": "System.Text.Json",
+  "MessagePack": "MessagePack",
+  "protobuf-net": "protobuf-net",
+  "CsvHelper": "CsvHelper",
+  // ── Logging & Observability ──
+  "Serilog": "Serilog",
+  "Serilog.AspNetCore": "Serilog ASP.NET",
+  "Serilog.Sinks.Console": "Serilog Console",
+  "Serilog.Sinks.Seq": "Serilog Seq",
+  "Serilog.Sinks.File": "Serilog File",
+  "Serilog.Sinks.Elasticsearch": "Serilog Elasticsearch",
+  "NLog": "NLog",
+  "NLog.Web.AspNetCore": "NLog ASP.NET",
+  "log4net": "log4net",
+  "OpenTelemetry": "OpenTelemetry",
+  "OpenTelemetry.Extensions.Hosting": "OpenTelemetry Hosting",
+  "OpenTelemetry.Instrumentation.AspNetCore": "OpenTelemetry ASP.NET",
+  "OpenTelemetry.Exporter.Prometheus": "OpenTelemetry Prometheus",
+  "OpenTelemetry.Exporter.Jaeger": "OpenTelemetry Jaeger",
+  "OpenTelemetry.Exporter.OpenTelemetryProtocol": "OpenTelemetry OTLP",
+  "App.Metrics": "App.Metrics",
+  "prometheus-net": "Prometheus.NET",
+  "Elastic.Apm": "Elastic APM",
+  // ── Testing ──
+  "xunit": "xUnit",
+  "xunit.runner.visualstudio": "xUnit Runner",
+  "NUnit": "NUnit",
+  "NUnit3TestAdapter": "NUnit Adapter",
+  "MSTest.TestFramework": "MSTest",
+  "MSTest.TestAdapter": "MSTest Adapter",
+  "Moq": "Moq",
+  "NSubstitute": "NSubstitute",
+  "FakeItEasy": "FakeItEasy",
+  "FluentAssertions": "FluentAssertions",
+  "Shouldly": "Shouldly",
+  "Bogus": "Bogus",
+  "AutoFixture": "AutoFixture",
+  "WireMock.Net": "WireMock.Net",
+  "Testcontainers": "Testcontainers",
+  "Respawn": "Respawn",
+  "BenchmarkDotNet": "BenchmarkDotNet",
+  "coverlet.collector": "Coverlet",
+  "SpecFlow": "SpecFlow",
+  "TUnit": "TUnit",
+  "Verify.Xunit": "Verify",
+  "Snapshooter": "Snapshooter",
+  // ── Messaging & Event Bus ──
+  "MassTransit": "MassTransit",
+  "MassTransit.RabbitMQ": "MassTransit RabbitMQ",
+  "MassTransit.Azure.ServiceBus.Core": "MassTransit Azure SB",
+  "NServiceBus": "NServiceBus",
+  "RabbitMQ.Client": "RabbitMQ Client",
+  "Confluent.Kafka": "Confluent Kafka",
+  "Azure.Messaging.ServiceBus": "Azure Service Bus",
+  "Azure.Messaging.EventHubs": "Azure Event Hubs",
+  "Amazon.SQS": "AWS SQS",
+  "Amazon.SNS": "AWS SNS",
+  "Rebus": "Rebus",
+  "EasyNetQ": "EasyNetQ",
+  "SlimMessageBus": "SlimMessageBus",
+  "CAP": "DotNetCore.CAP",
+  // ── Cloud SDKs ──
+  "AWSSDK.Core": "AWS SDK Core",
+  "AWSSDK.S3": "AWS SDK S3",
+  "AWSSDK.SQS": "AWS SDK SQS",
+  "AWSSDK.DynamoDBv2": "AWS SDK DynamoDB",
+  "AWSSDK.Lambda": "AWS SDK Lambda",
+  "AWSSDK.SecretsManager": "AWS SDK Secrets Manager",
+  "AWSSDK.CloudWatch": "AWS SDK CloudWatch",
+  "Azure.Storage.Blobs": "Azure Blob Storage",
+  "Azure.Identity": "Azure Identity",
+  "Azure.Security.KeyVault.Secrets": "Azure Key Vault",
+  "Azure.Cosmos": "Azure Cosmos DB",
+  "Microsoft.Azure.Functions.Worker": "Azure Functions",
+  "Google.Cloud.Storage.V1": "GCP Storage",
+  "Google.Cloud.PubSub.V1": "GCP Pub/Sub",
+  "Google.Cloud.Firestore": "GCP Firestore",
+  // ── Auth & Identity ──
+  "Microsoft.Identity.Web": "Microsoft Identity Web",
+  "Microsoft.Identity.Client": "MSAL",
+  "IdentityServer4": "IdentityServer4",
+  "Duende.IdentityServer": "Duende IdentityServer",
+  "Microsoft.AspNetCore.Authentication.OpenIdConnect": "OpenID Connect",
+  "IdentityModel": "IdentityModel",
+  // ── HTTP & API ──
+  "Refit": "Refit",
+  "RestSharp": "RestSharp",
+  "Flurl.Http": "Flurl",
+  "Polly": "Polly",
+  "Polly.Extensions.Http": "Polly HTTP",
+  "Microsoft.Extensions.Http.Polly": "HttpClient Polly",
+  "Grpc.AspNetCore": "gRPC ASP.NET",
+  "Grpc.Net.Client": "gRPC Client",
+  "GraphQL.Server.All": "GraphQL Server",
+  "HotChocolate.AspNetCore": "Hot Chocolate (GraphQL)",
+  // ── Background Processing ──
+  "Hangfire": "Hangfire",
+  "Hangfire.Core": "Hangfire Core",
+  "Hangfire.AspNetCore": "Hangfire ASP.NET",
+  "Quartz": "Quartz.NET",
+  "Quartz.Extensions.Hosting": "Quartz.NET Hosting",
+  "Coravel": "Coravel",
+  // ── File & Document ──
+  "EPPlus": "EPPlus",
+  "ClosedXML": "ClosedXML",
+  "iTextSharp": "iTextSharp",
+  "QuestPDF": "QuestPDF",
+  "ImageSharp": "ImageSharp",
+  "SixLabors.ImageSharp": "ImageSharp",
+  // ── Feature Flags & Config ──
+  "LaunchDarkly.ServerSdk": "LaunchDarkly",
+  "Microsoft.FeatureManagement": "Feature Management",
+  "Microsoft.FeatureManagement.AspNetCore": "Feature Management ASP.NET",
+  // ── Microservices & Distributed ──
+  "Dapr.Client": "Dapr",
+  "Steeltoe.Discovery.ClientCore": "Steeltoe",
+  "Ocelot": "Ocelot (API Gateway)",
+  "Yarp.ReverseProxy": "YARP",
+  // ── Real-time ──
+  "Microsoft.AspNetCore.SignalR.Client": "SignalR Client"
+};
+var LATEST_DOTNET_MAJOR = 9;
+function parseTfmMajor(tfm) {
+  const match = tfm.match(/^net(\d+)\.\d+$/);
+  if (match?.[1]) return parseInt(match[1], 10);
+  const coreMatch = tfm.match(/^netcoreapp(\d+)\.\d+$/);
+  if (coreMatch?.[1]) return parseInt(coreMatch[1], 10);
+  if (tfm.startsWith("netstandard")) return null;
+  const fxMatch = tfm.match(/^net(\d)(\d+)?$/);
+  if (fxMatch) return null;
+  return null;
+}
+function parseCsproj(xml, filePath) {
+  const parsed = parser.parse(xml);
+  const project = parsed?.Project;
+  if (!project) {
+    return { targetFrameworks: [], packageReferences: [], projectName: path3.basename(filePath, ".csproj") };
+  }
+  const propertyGroups = Array.isArray(project.PropertyGroup) ? project.PropertyGroup : project.PropertyGroup ? [project.PropertyGroup] : [];
+  const targetFrameworks = [];
+  for (const pg of propertyGroups) {
+    if (pg.TargetFramework) {
+      targetFrameworks.push(String(pg.TargetFramework));
+    }
+    if (pg.TargetFrameworks) {
+      const tfms = String(pg.TargetFrameworks).split(";").map((s) => s.trim()).filter(Boolean);
+      targetFrameworks.push(...tfms);
+    }
+  }
+  const itemGroups = Array.isArray(project.ItemGroup) ? project.ItemGroup : project.ItemGroup ? [project.ItemGroup] : [];
+  const packageReferences = [];
+  for (const ig of itemGroups) {
+    const refs = Array.isArray(ig.PackageReference) ? ig.PackageReference : ig.PackageReference ? [ig.PackageReference] : [];
+    for (const ref of refs) {
+      const name = ref["@_Include"] ?? ref["@_include"] ?? "";
+      const version = ref["@_Version"] ?? ref["@_version"] ?? ref.Version ?? "";
+      if (name && version) {
+        packageReferences.push({ name: String(name), version: String(version) });
+      }
+    }
+  }
+  return {
+    targetFrameworks: [...new Set(targetFrameworks)],
+    packageReferences,
+    projectName: path3.basename(filePath, ".csproj")
+  };
+}
+async function scanDotnetProjects(rootDir) {
+  const csprojFiles = await findCsprojFiles(rootDir);
+  const slnFiles = await findSolutionFiles(rootDir);
+  const slnCsprojPaths = /* @__PURE__ */ new Set();
+  for (const slnPath of slnFiles) {
+    try {
+      const slnContent = await readTextFile(slnPath);
+      const slnDir = path3.dirname(slnPath);
+      const projectRegex = /Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"/g;
+      let match;
+      while ((match = projectRegex.exec(slnContent)) !== null) {
+        if (match[1]) {
+          const csprojPath = path3.resolve(slnDir, match[1].replace(/\\/g, "/"));
+          slnCsprojPaths.add(csprojPath);
+        }
+      }
+    } catch {
+    }
+  }
+  const allCsprojFiles = /* @__PURE__ */ new Set([...csprojFiles, ...slnCsprojPaths]);
+  const results = [];
+  for (const csprojPath of allCsprojFiles) {
+    try {
+      const scan = await scanOneCsproj(csprojPath, rootDir);
+      results.push(scan);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      console.error(`Error scanning ${csprojPath}: ${msg}`);
+    }
+  }
+  return results;
+}
+async function scanOneCsproj(csprojPath, rootDir) {
+  const xml = await readTextFile(csprojPath);
+  const data = parseCsproj(xml, csprojPath);
+  const primaryTfm = data.targetFrameworks[0];
+  let runtimeMajorsBehind;
+  let targetFramework = primaryTfm;
+  if (primaryTfm) {
+    const major2 = parseTfmMajor(primaryTfm);
+    if (major2 !== null) {
+      runtimeMajorsBehind = Math.max(0, LATEST_DOTNET_MAJOR - major2);
+    }
+  }
+  const dependencies = data.packageReferences.map((ref) => ({
+    package: ref.name,
+    section: "dependencies",
+    currentSpec: ref.version,
+    resolvedVersion: ref.version,
+    latestStable: null,
+    // NuGet lookup not implemented in v1
+    majorsBehind: null,
+    drift: "unknown"
+  }));
+  const frameworks = [];
+  for (const ref of data.packageReferences) {
+    if (ref.name in KNOWN_DOTNET_FRAMEWORKS) {
+      frameworks.push({
+        name: KNOWN_DOTNET_FRAMEWORKS[ref.name],
+        currentVersion: ref.version,
+        latestVersion: null,
+        majorsBehind: null
+      });
+    }
+  }
+  const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: dependencies.length };
+  return {
+    type: "dotnet",
+    path: path3.relative(rootDir, path3.dirname(csprojPath)) || ".",
+    name: data.projectName,
+    targetFramework,
+    runtime: primaryTfm,
+    runtimeLatest: `net${LATEST_DOTNET_MAJOR}.0`,
+    runtimeMajorsBehind,
+    frameworks,
+    dependencies,
+    dependencyAgeBuckets: buckets
+  };
+}
+
+// src/utils/semaphore.ts
+var Semaphore = class {
+  available;
+  queue = [];
+  constructor(max) {
+    this.available = max;
+  }
+  async run(fn) {
+    await this.acquire();
+    try {
+      return await fn();
+    } finally {
+      this.release();
+    }
+  }
+  acquire() {
+    if (this.available > 0) {
+      this.available--;
+      return Promise.resolve();
+    }
+    return new Promise((resolve4) => this.queue.push(resolve4));
+  }
+  release() {
+    const next = this.queue.shift();
+    if (next) next();
+    else this.available++;
+  }
+};
+
+// src/config.ts
+import * as path4 from "path";
+import * as fs2 from "fs/promises";
+var CONFIG_FILES = [
+  "vibgrate.config.ts",
+  "vibgrate.config.js",
+  "vibgrate.config.json"
+];
+var DEFAULT_CONFIG = {
+  exclude: [],
+  thresholds: {
+    failOnError: {
+      eolDays: 180,
+      frameworkMajorLag: 3,
+      dependencyTwoPlusPercent: 50
+    },
+    warn: {
+      frameworkMajorLag: 2,
+      dependencyTwoPlusPercent: 30
+    }
+  }
+};
+async function loadConfig(rootDir) {
+  for (const file of CONFIG_FILES) {
+    const configPath = path4.join(rootDir, file);
+    if (await pathExists(configPath)) {
+      if (file.endsWith(".json")) {
+        const txt = await readTextFile(configPath);
+        return { ...DEFAULT_CONFIG, ...JSON.parse(txt) };
+      }
+      try {
+        const mod = await import(configPath);
+        return { ...DEFAULT_CONFIG, ...mod.default ?? mod };
+      } catch {
+      }
+    }
+  }
+  return DEFAULT_CONFIG;
+}
+async function writeDefaultConfig(rootDir) {
+  const configPath = path4.join(rootDir, "vibgrate.config.ts");
+  const content = `import type { VibgrateConfig } from '@vibgrate/cli';
+
+const config: VibgrateConfig = {
+  // exclude: ['legacy/**'],
+  thresholds: {
+    failOnError: {
+      eolDays: 180,
+      frameworkMajorLag: 3,
+      dependencyTwoPlusPercent: 50,
+    },
+    warn: {
+      frameworkMajorLag: 2,
+      dependencyTwoPlusPercent: 30,
+    },
+  },
+};
+
+export default config;
+`;
+  await fs2.writeFile(configPath, content, "utf8");
+  return configPath;
+}
+
+// src/utils/vcs.ts
+import * as path5 from "path";
+import * as fs3 from "fs/promises";
+async function detectVcs(rootDir) {
+  try {
+    return await detectGit(rootDir);
+  } catch {
+    return { type: "unknown" };
+  }
+}
+async function detectGit(rootDir) {
+  const gitDir = await findGitDir(rootDir);
+  if (!gitDir) {
+    return { type: "unknown" };
+  }
+  const headPath = path5.join(gitDir, "HEAD");
+  let headContent;
+  try {
+    headContent = (await fs3.readFile(headPath, "utf8")).trim();
+  } catch {
+    return { type: "unknown" };
+  }
+  let sha;
+  let branch;
+  if (headContent.startsWith("ref: ")) {
+    const refPath = headContent.slice(5);
+    branch = refPath.startsWith("refs/heads/") ? refPath.slice(11) : refPath;
+    sha = await resolveRef(gitDir, refPath);
+  } else if (/^[0-9a-f]{40}$/i.test(headContent)) {
+    sha = headContent;
+  }
+  return {
+    type: "git",
+    sha: sha ?? void 0,
+    shortSha: sha ? sha.slice(0, 7) : void 0,
+    branch: branch ?? void 0
+  };
+}
+async function findGitDir(startDir) {
+  let dir = path5.resolve(startDir);
+  const root = path5.parse(dir).root;
+  while (dir !== root) {
+    const gitPath = path5.join(dir, ".git");
+    try {
+      const stat3 = await fs3.stat(gitPath);
+      if (stat3.isDirectory()) {
+        return gitPath;
+      }
+      if (stat3.isFile()) {
+        const content = (await fs3.readFile(gitPath, "utf8")).trim();
+        if (content.startsWith("gitdir: ")) {
+          const resolved = path5.resolve(dir, content.slice(8));
+          return resolved;
+        }
+      }
+    } catch {
+    }
+    dir = path5.dirname(dir);
+  }
+  return null;
+}
+async function resolveRef(gitDir, refPath) {
+  const loosePath = path5.join(gitDir, refPath);
+  try {
+    const sha = (await fs3.readFile(loosePath, "utf8")).trim();
+    if (/^[0-9a-f]{40}$/i.test(sha)) {
+      return sha;
+    }
+  } catch {
+  }
+  const packedPath = path5.join(gitDir, "packed-refs");
+  try {
+    const packed = await fs3.readFile(packedPath, "utf8");
+    for (const line of packed.split("\n")) {
+      if (line.startsWith("#") || line.startsWith("^")) continue;
+      const parts = line.trim().split(" ");
+      if (parts.length >= 2 && parts[1] === refPath) {
+        return parts[0];
+      }
+    }
+  } catch {
+  }
+  return void 0;
+}
+
+// src/ui/progress.ts
+import chalk2 from "chalk";
+var ROBOT = [
+  chalk2.cyan("    \u256D\u2500\u2500\u2500\u256E") + chalk2.greenBright("\u279C"),
+  chalk2.cyan("   \u256D\u2524") + chalk2.greenBright("\u25C9 \u25C9") + chalk2.cyan("\u251C\u256E"),
+  chalk2.cyan("   \u2570\u2524") + chalk2.dim("\u2500\u2500\u2500") + chalk2.cyan("\u251C\u256F"),
+  chalk2.cyan("    \u2570\u2500\u2500\u2500\u256F")
+];
+var BRAND = [
+  chalk2.bold.white("  V I B G R A T E"),
+  chalk2.dim("  Drift Intelligence Engine")
+];
+var SPINNER_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
+var ScanProgress = class {
+  steps = [];
+  stats = {
+    projects: 0,
+    dependencies: 0,
+    frameworks: 0,
+    findings: { warnings: 0, errors: 0, notes: 0 }
+  };
+  spinnerFrame = 0;
+  timer = null;
+  lastLineCount = 0;
+  startTime = Date.now();
+  isTTY;
+  rootDir = "";
+  constructor(rootDir) {
+    this.isTTY = process.stderr.isTTY ?? false;
+    this.rootDir = rootDir;
+  }
+  /** Register all steps up front */
+  setSteps(steps) {
+    this.steps = steps.map((s) => ({ ...s, status: "pending" }));
+    if (this.isTTY) {
+      this.startSpinner();
+    }
+    this.render();
+  }
+  /** Mark a step as active (currently running) */
+  startStep(id) {
+    const step = this.steps.find((s) => s.id === id);
+    if (step) {
+      step.status = "active";
+      step.detail = void 0;
+      step.count = void 0;
+    }
+    this.render();
+  }
+  /** Mark a step as completed */
+  completeStep(id, detail, count) {
+    const step = this.steps.find((s) => s.id === id);
+    if (step) {
+      step.status = "done";
+      step.detail = detail;
+      step.count = count;
+    }
+    this.render();
+  }
+  /** Mark a step as skipped */
+  skipStep(id) {
+    const step = this.steps.find((s) => s.id === id);
+    if (step) {
+      step.status = "skipped";
+      step.detail = "disabled";
+    }
+    this.render();
+  }
+  /** Update live stats */
+  updateStats(partial) {
+    Object.assign(this.stats, partial);
+    this.render();
+  }
+  /** Increment stats */
+  addProjects(n) {
+    this.stats.projects += n;
+    this.render();
+  }
+  addDependencies(n) {
+    this.stats.dependencies += n;
+    this.render();
+  }
+  addFrameworks(n) {
+    this.stats.frameworks += n;
+    this.render();
+  }
+  addFindings(warnings, errors, notes) {
+    this.stats.findings.warnings += warnings;
+    this.stats.findings.errors += errors;
+    this.stats.findings.notes += notes;
+    this.render();
+  }
+  /** Stop the progress display and clear it */
+  finish() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+    if (this.isTTY) {
+      this.clearLines();
+    }
+    const elapsed = ((Date.now() - this.startTime) / 1e3).toFixed(1);
+    const doneCount = this.steps.filter((s) => s.status === "done").length;
+    process.stderr.write(
+      chalk2.dim(`  \u2714 ${doneCount} scanners completed in ${elapsed}s
+
+`)
+    );
+  }
+  // ── Internal rendering ──
+  startSpinner() {
+    this.timer = setInterval(() => {
+      this.spinnerFrame = (this.spinnerFrame + 1) % SPINNER_FRAMES.length;
+      this.render();
+    }, 80);
+  }
+  clearLines() {
+    if (this.lastLineCount > 0) {
+      process.stderr.write(`\x1B[${this.lastLineCount}A`);
+      for (let i = 0; i < this.lastLineCount; i++) {
+        process.stderr.write("\x1B[2K\n");
+      }
+      process.stderr.write(`\x1B[${this.lastLineCount}A`);
+    }
+  }
+  render() {
+    if (!this.isTTY) {
+      this.renderCI();
+      return;
+    }
+    this.clearLines();
+    const lines = [];
+    lines.push("");
+    lines.push(`  ${ROBOT[0]}  ${BRAND[0]}`);
+    lines.push(`  ${ROBOT[1]}  ${BRAND[1]}`);
+    lines.push(`  ${ROBOT[2]}`);
+    lines.push(`  ${ROBOT[3]}  ${chalk2.dim(this.rootDir)}`);
+    lines.push("");
+    const totalSteps = this.steps.length;
+    const doneSteps = this.steps.filter((s) => s.status === "done" || s.status === "skipped").length;
+    const pct = totalSteps > 0 ? Math.round(doneSteps / totalSteps * 100) : 0;
+    const barWidth = 30;
+    const filled = Math.round(doneSteps / Math.max(totalSteps, 1) * barWidth);
+    const bar = chalk2.greenBright("\u2501".repeat(filled)) + chalk2.dim("\u254C".repeat(barWidth - filled));
+    const elapsed = ((Date.now() - this.startTime) / 1e3).toFixed(1);
+    lines.push(`  ${bar} ${chalk2.bold.white(`${pct}%`)} ${chalk2.dim(`${elapsed}s`)}`);
+    lines.push("");
+    for (const step of this.steps) {
+      lines.push(this.renderStep(step));
+    }
+    lines.push("");
+    lines.push(this.renderStats());
+    lines.push("");
+    const output = lines.join("\n") + "\n";
+    process.stderr.write(output);
+    this.lastLineCount = lines.length;
+  }
+  renderStep(step) {
+    const spinner = SPINNER_FRAMES[this.spinnerFrame];
+    let icon;
+    let label;
+    let detail = "";
+    switch (step.status) {
+      case "done":
+        icon = chalk2.green("\u2714");
+        label = chalk2.white(step.label);
+        break;
+      case "active":
+        icon = chalk2.cyan(spinner);
+        label = chalk2.bold.white(step.label);
+        break;
+      case "skipped":
+        icon = chalk2.dim("\u25CC");
+        label = chalk2.dim.strikethrough(step.label);
+        break;
+      default:
+        icon = chalk2.dim("\u25CB");
+        label = chalk2.dim(step.label);
+        break;
+    }
+    if (step.detail) {
+      detail = chalk2.dim(` \xB7 ${step.detail}`);
+    }
+    if (step.count !== void 0 && step.count > 0) {
+      detail += chalk2.cyan(` (${step.count})`);
+    }
+    return `  ${icon} ${label}${detail}`;
+  }
+  renderStats() {
+    const p = this.stats.projects;
+    const d = this.stats.dependencies;
+    const f = this.stats.frameworks;
+    const w = this.stats.findings.warnings;
+    const e = this.stats.findings.errors;
+    const n = this.stats.findings.notes;
+    const parts = [
+      chalk2.bold.white(`  ${p}`) + chalk2.dim(` project${p !== 1 ? "s" : ""}`),
+      chalk2.white(`${d}`) + chalk2.dim(` dep${d !== 1 ? "s" : ""}`),
+      chalk2.white(`${f}`) + chalk2.dim(` framework${f !== 1 ? "s" : ""}`)
+    ];
+    const findingParts = [];
+    if (e > 0) findingParts.push(chalk2.red(`${e} \u2716`));
+    if (w > 0) findingParts.push(chalk2.yellow(`${w} \u26A0`));
+    if (n > 0) findingParts.push(chalk2.blue(`${n} \u2139`));
+    if (findingParts.length > 0) {
+      parts.push(findingParts.join(chalk2.dim(" \xB7 ")));
+    }
+    return `  ${chalk2.dim("\u2503")} ${parts.join(chalk2.dim(" \u2502 "))}`;
+  }
+  /** Simple CI-friendly output (no ANSI rewriting) */
+  lastCIStep = null;
+  renderCI() {
+    const active = this.steps.find((s) => s.status === "active");
+    if (active && active.id !== this.lastCIStep) {
+      this.lastCIStep = active.id;
+      process.stderr.write(`  \u25C9 ${active.label}...
+`);
+    }
+    for (const step of this.steps) {
+      if (step.status === "done" && step.id !== this.lastCIStep) {
+      }
+    }
+  }
+};
+
+// src/scanners/platform-matrix.ts
+import * as path6 from "path";
+var NATIVE_MODULE_PACKAGES = /* @__PURE__ */ new Set([
+  // Image / media processing
+  "sharp",
+  // libvips native bindings
+  "canvas",
+  // node-canvas (Cairo native)
+  "jimp",
+  // pure JS but optionally uses native
+  "@napi-rs/image",
+  // NAPI-RS image processing
+  "imagemagick",
+  // ImageMagick bindings
+  "gm",
+  // GraphicsMagick
+  "fluent-ffmpeg",
+  // FFmpeg bindings
+  "ffmpeg-static",
+  // bundled FFmpeg binary
+  "puppeteer",
+  // ships Chromium binary
+  "playwright",
+  // ships browser binaries
+  "playwright-core",
+  // browser binaries
+  // Cryptography / security
+  "bcrypt",
+  // native bcrypt
+  "argon2",
+  // native argon2 hashing
+  "sodium-native",
+  // libsodium bindings
+  "libsodium-wrappers",
+  // libsodium WASM/native
+  "node-forge",
+  // mostly JS but linked to native in some envs
+  "ssh2",
+  // native SSH bindings (optional)
+  "keytar",
+  // OS keychain native bindings
+  // Database drivers
+  "better-sqlite3",
+  // native SQLite
+  "sqlite3",
+  // native SQLite
+  "pg-native",
+  // PostgreSQL native bindings
+  "oracledb",
+  // Oracle native client
+  "odbc",
+  // native ODBC
+  "ibm_db",
+  // IBM DB2 native
+  "couchbase",
+  // native Couchbase SDK
+  "rocksdb",
+  // native RocksDB store
+  "leveldown",
+  // native LevelDB
+  "lmdb",
+  // native LMDB bindings
+  // Compilation & build tools
+  "node-gyp",
+  // native build tool itself
+  "node-pre-gyp",
+  // native binary distribution
+  "@mapbox/node-pre-gyp",
+  // native binary distribution
+  "prebuild",
+  // prebuilt native bindings
+  "prebuild-install",
+  // prebuilt native installer
+  "esbuild",
+  // platform-specific Go binary
+  "@swc/core",
+  // platform-specific Rust binary
+  "@rspack/core",
+  // platform-specific Rust binary
+  "@biomejs/biome",
+  // platform-specific Rust binary
+  "node-sass",
+  // deprecated, native libsass
+  "sass-embedded",
+  // Dart Sass embedded binary
+  "turbo",
+  // Turborepo Go/Rust binary
+  "@vercel/nft",
+  // native file tracing (optional)
+  // System / hardware access
+  "fsevents",
+  // macOS-only file watching
+  "cpu-features",
+  // CPU instruction detection
+  "deasync",
+  // native event loop control
+  "usb",
+  // USB device access
+  "serialport",
+  // serial port access
+  "node-hid",
+  // HID device access
+  "i2c-bus",
+  // I2C bus access
+  "spi-device",
+  // SPI bus access
+  "node-bluetooth",
+  // Bluetooth
+  "mdns",
+  // mDNS/Bonjour
+  // Compression
+  "snappy",
+  // native Snappy compression
+  "zstd-napi",
+  // native Zstandard
+  "lz4",
+  // native LZ4
+  "brotli",
+  // native Brotli (older, node has built-in)
+  // Regex / text
+  "re2",
+  // native RE2 regex engine
+  "oniguruma",
+  // native Oniguruma regex
+  "vscode-oniguruma",
+  // native Oniguruma (VS Code)
+  "tree-sitter",
+  // native parser generator
+  "node-tree-sitter",
+  // native Tree-sitter
+  // XML / HTML
+  "libxmljs",
+  // native libxml2
+  "libxmljs2",
+  // native libxml2
+  "node-expat",
+  // native Expat XML parser
+  "htmlparser2",
+  // mostly JS, optional native
+  // Networking / IPC
+  "@grpc/grpc-js",
+  // gRPC (JS but has native dep for HTTP/2)
+  "grpc",
+  // deprecated native gRPC
+  "zeromq",
+  // native ZeroMQ
+  "nanomsg",
+  // native nanomsg
+  "unix-dgram",
+  // native Unix sockets
+  // Observability
+  "dtrace-provider",
+  // native DTrace
+  "v8-profiler-next",
+  // native V8 profiler
+  "heapdump",
+  // native V8 heap dump
+  // Misc
+  "farmhash",
+  // native FarmHash
+  "xxhash",
+  // native xxHash
+  "xxhash-addon",
+  // native xxHash
+  "iconv",
+  // native iconv
+  "ref-napi",
+  // native FFI
+  "ffi-napi",
+  // native FFI
+  "node-pty",
+  // native pseudo-terminal
+  "robotjs",
+  // native desktop automation
+  "electron",
+  // ships Chromium + Node binary
+  "xdg-open",
+  // OS-specific
+  "windows-process-tree"
+  // Windows-only
+]);
+var OS_PATTERNS = [
+  { pattern: /\bcmd\.exe\b|\.bat\b|\.cmd\b/i, label: "windows-scripts" },
+  { pattern: /\bpowershell\b|\bpwsh\b/i, label: "powershell" },
+  { pattern: /\bbash\b|#!\/bin\/bash/i, label: "bash-scripts" },
+  { pattern: /\\\\/g, label: "backslash-paths" }
+];
+async function scanPlatformMatrix(rootDir) {
+  const result = {
+    dotnetTargetFrameworks: [],
+    nativeModules: [],
+    osAssumptions: [],
+    dockerBaseImages: [],
+    nodeVersionFiles: []
+  };
+  const pkgFiles = await findPackageJsonFiles(rootDir);
+  const allDeps = /* @__PURE__ */ new Set();
+  const osAssumptions = /* @__PURE__ */ new Set();
+  for (const pjPath of pkgFiles) {
+    try {
+      const pj = await readJsonFile(pjPath);
+      if (pj.engines?.node && !result.nodeEngines) result.nodeEngines = pj.engines.node;
+      if (pj.engines?.npm && !result.npmEngines) result.npmEngines = pj.engines.npm;
+      if (pj.engines?.pnpm && !result.pnpmEngines) {
+        result.pnpmEngines = pj.engines.pnpm;
+      }
+      for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
+        const deps = pj[section];
+        if (deps) {
+          for (const name of Object.keys(deps)) {
+            allDeps.add(name);
+          }
+        }
+      }
+      const scripts = pj.scripts;
+      if (scripts && typeof scripts === "object") {
+        for (const val of Object.values(scripts)) {
+          if (typeof val !== "string") continue;
+          const firstToken = val.split(/\s/)[0] ?? "";
+          for (const { pattern, label } of OS_PATTERNS) {
+            if (pattern.test(firstToken)) {
+              osAssumptions.add(label);
+            }
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  for (const dep of allDeps) {
+    if (NATIVE_MODULE_PACKAGES.has(dep)) {
+      result.nativeModules.push(dep);
+    }
+  }
+  result.nativeModules.sort();
+  result.osAssumptions = [...osAssumptions].sort();
+  const csprojFiles = await findFiles(rootDir, (name) => name.endsWith(".csproj"));
+  const tfms = /* @__PURE__ */ new Set();
+  for (const csprojPath of csprojFiles) {
+    try {
+      const xml = await readTextFile(csprojPath);
+      const tfMatch = xml.match(/<TargetFramework>(.*?)<\/TargetFramework>/);
+      if (tfMatch?.[1]) tfms.add(tfMatch[1]);
+      const tfsMatch = xml.match(/<TargetFrameworks>(.*?)<\/TargetFrameworks>/);
+      if (tfsMatch?.[1]) {
+        for (const tfm of tfsMatch[1].split(";")) {
+          if (tfm.trim()) tfms.add(tfm.trim());
+        }
+      }
+    } catch {
+    }
+  }
+  result.dotnetTargetFrameworks = [...tfms].sort();
+  const dockerfiles = await findFiles(
+    rootDir,
+    (name) => name === "Dockerfile" || name.startsWith("Dockerfile.")
+  );
+  const baseImages = /* @__PURE__ */ new Set();
+  for (const df of dockerfiles) {
+    try {
+      const content = await readTextFile(df);
+      for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (/^FROM\s+/i.test(trimmed)) {
+          const parts = trimmed.split(/\s+/);
+          if (parts[1] && !parts[1].startsWith("--")) {
+            baseImages.add(parts[1]);
+          } else if (parts[1]?.startsWith("--")) {
+            const imageIdx = parts[1].includes("=") ? 2 : 3;
+            if (parts[imageIdx]) baseImages.add(parts[imageIdx]);
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  result.dockerBaseImages = [...baseImages].sort();
+  for (const file of [".nvmrc", ".node-version", ".tool-versions"]) {
+    if (await pathExists(path6.join(rootDir, file))) {
+      result.nodeVersionFiles.push(file);
+    }
+  }
+  return result;
+}
+
+// src/scanners/dependency-risk.ts
+var DEPRECATED_PACKAGES = /* @__PURE__ */ new Set([
+  "request",
+  "node-sass",
+  "tslint",
+  "istanbul",
+  "popper.js",
+  "Left-pad",
+  "left-pad",
+  "bower",
+  "grunt",
+  "gulp",
+  "coffee-script",
+  "coffeescript",
+  "merge",
+  "nomnom",
+  "optimist",
+  "natives",
+  "querystring",
+  "domain-browser",
+  "sys",
+  "punycode"
+]);
+var NATIVE_MODULE_PACKAGES2 = /* @__PURE__ */ new Set([
+  "sharp",
+  "canvas",
+  "bcrypt",
+  "node-gyp",
+  "fsevents",
+  "better-sqlite3",
+  "sqlite3",
+  "leveldown",
+  "sodium-native",
+  "node-sass",
+  "argon2",
+  "usb",
+  "serialport",
+  "re2",
+  "libxmljs",
+  "libxmljs2",
+  "cpu-features",
+  "deasync",
+  "farmhash",
+  "grpc",
+  "@grpc/grpc-js"
+]);
+function scanDependencyRisk(projects) {
+  const deprecated = /* @__PURE__ */ new Set();
+  const nativeModules = /* @__PURE__ */ new Set();
+  let totalDeps = 0;
+  for (const project of projects) {
+    for (const dep of project.dependencies) {
+      totalDeps++;
+      if (DEPRECATED_PACKAGES.has(dep.package)) {
+        deprecated.add(dep.package);
+      }
+      if (NATIVE_MODULE_PACKAGES2.has(dep.package)) {
+        nativeModules.add(dep.package);
+      }
+    }
+  }
+  return {
+    deprecatedPackages: [...deprecated].sort(),
+    nativeModulePackages: [...nativeModules].sort(),
+    totalDependencies: totalDeps
+  };
+}
+
+// src/scanners/dependency-graph.ts
+import * as path7 from "path";
+function parsePnpmLock(content) {
+  const entries = [];
+  const regex = /^\s+\/?(@?[^@\s][^@\s]*?)@(\d+\.\d+\.\d+[^:\s]*)\s*:/gm;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    if (match[1] && match[2]) {
+      entries.push({ name: match[1], version: match[2] });
+    }
+  }
+  return entries;
+}
+function parseNpmLock(content) {
+  const entries = [];
+  try {
+    const lock = JSON.parse(content);
+    if (lock.packages && typeof lock.packages === "object") {
+      for (const [key, value] of Object.entries(lock.packages)) {
+        if (key === "") continue;
+        const v = value;
+        if (v.version) {
+          const name = key.replace(/^node_modules\//, "").replace(/.*node_modules\//, "");
+          entries.push({ name, version: v.version });
+        }
+      }
+    } else if (lock.dependencies && typeof lock.dependencies === "object") {
+      let walkDeps2 = function(deps) {
+        for (const [name, data] of Object.entries(deps)) {
+          if (data.version) entries.push({ name, version: data.version });
+          if (data.dependencies) walkDeps2(data.dependencies);
+        }
+      };
+      var walkDeps = walkDeps2;
+      walkDeps2(lock.dependencies);
+    }
+  } catch {
+  }
+  return entries;
+}
+function parseYarnLock(content) {
+  const entries = [];
+  const regex = /^"?(@?[^\s"@]+)@[^:]+:\s*\n\s+version\s+"([^"]+)"/gm;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    if (match[1] && match[2]) {
+      entries.push({ name: match[1], version: match[2] });
+    }
+  }
+  return entries;
+}
+async function scanDependencyGraph(rootDir) {
+  const result = {
+    lockfileType: null,
+    totalUnique: 0,
+    totalInstalled: 0,
+    duplicatedPackages: [],
+    phantomDependencies: []
+  };
+  let entries = [];
+  const pnpmLock = path7.join(rootDir, "pnpm-lock.yaml");
+  const npmLock = path7.join(rootDir, "package-lock.json");
+  const yarnLock = path7.join(rootDir, "yarn.lock");
+  if (await pathExists(pnpmLock)) {
+    result.lockfileType = "pnpm";
+    const content = await readTextFile(pnpmLock);
+    entries = parsePnpmLock(content);
+  } else if (await pathExists(npmLock)) {
+    result.lockfileType = "npm";
+    const content = await readTextFile(npmLock);
+    entries = parseNpmLock(content);
+  } else if (await pathExists(yarnLock)) {
+    result.lockfileType = "yarn";
+    const content = await readTextFile(yarnLock);
+    entries = parseYarnLock(content);
+  }
+  if (entries.length === 0) return result;
+  const versionMap = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    const existing = versionMap.get(entry.name);
+    if (existing) {
+      existing.add(entry.version);
+    } else {
+      versionMap.set(entry.name, /* @__PURE__ */ new Set([entry.version]));
+    }
+  }
+  result.totalInstalled = entries.length;
+  result.totalUnique = versionMap.size;
+  const duplicated = [];
+  for (const [name, versions] of versionMap) {
+    if (versions.size > 1) {
+      duplicated.push({
+        name,
+        versions: [...versions].sort(),
+        consumers: versions.size
+      });
+    }
+  }
+  duplicated.sort((a, b) => b.versions.length - a.versions.length || a.name.localeCompare(b.name));
+  result.duplicatedPackages = duplicated;
+  const lockedNames = new Set(versionMap.keys());
+  const pkgFiles = await findPackageJsonFiles(rootDir);
+  const phantoms = /* @__PURE__ */ new Set();
+  for (const pjPath of pkgFiles) {
+    try {
+      const pj = await readJsonFile(pjPath);
+      for (const section of ["dependencies", "devDependencies"]) {
+        const deps = pj[section];
+        if (!deps) continue;
+        for (const [name, version] of Object.entries(deps)) {
+          const ver = typeof version === "string" ? version : "";
+          if (!lockedNames.has(name) && !ver.startsWith("workspace:")) {
+            phantoms.add(name);
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  result.phantomDependencies = [...phantoms].sort();
+  return result;
+}
+
+// src/scanners/tooling-inventory.ts
+var CATEGORIES = {
+  frontend: {
+    "react": "React",
+    "react-dom": "React DOM",
+    "vue": "Vue",
+    "@angular/core": "Angular",
+    "svelte": "Svelte",
+    "solid-js": "Solid",
+    "qwik": "Qwik",
+    "htmx.org": "htmx",
+    "preact": "Preact",
+    "lit": "Lit",
+    "alpinejs": "Alpine.js",
+    "stimulus": "Stimulus",
+    "petite-vue": "petite-vue",
+    "mithril": "Mithril",
+    "inferno": "Inferno",
+    "hyperapp": "Hyperapp",
+    "marko": "Marko",
+    "@builder.io/qwik": "Qwik (Builder)",
+    "million": "Million",
+    "ember-source": "Ember"
+  },
+  metaFrameworks: {
+    "next": "Next.js",
+    "nuxt": "Nuxt",
+    "@analogjs/platform": "Analog",
+    "astro": "Astro",
+    "@remix-run/react": "Remix",
+    "gatsby": "Gatsby",
+    "@sveltejs/kit": "SvelteKit",
+    "@tanstack/start": "TanStack Start",
+    "@adonisjs/core": "AdonisJS",
+    "@redwoodjs/core": "RedwoodJS",
+    "blitz": "Blitz.js",
+    "@solidjs/start": "SolidStart",
+    "fresh": "Fresh (Deno)"
+  },
+  bundlers: {
+    "vite": "Vite",
+    "webpack": "webpack",
+    "rollup": "Rollup",
+    "esbuild": "esbuild",
+    "parcel": "Parcel",
+    "turbo": "Turbo",
+    "tsup": "tsup",
+    "unbuild": "unbuild",
+    "@swc/core": "SWC",
+    "bun": "Bun",
+    "pkg": "pkg",
+    "ncc": "ncc",
+    "@vercel/ncc": "Vercel ncc",
+    "microbundle": "microbundle",
+    "tsc-watch": "tsc-watch",
+    "ts-node": "ts-node",
+    "tsx": "tsx",
+    "jiti": "jiti",
+    "@rspack/core": "Rspack",
+    "farm": "Farm"
+  },
+  css: {
+    "tailwindcss": "Tailwind CSS",
+    "@mui/material": "MUI",
+    "vuetify": "Vuetify",
+    "bootstrap": "Bootstrap",
+    "styled-components": "styled-components",
+    "@emotion/react": "Emotion",
+    "@chakra-ui/react": "Chakra UI",
+    "sass": "Sass",
+    "@mantine/core": "Mantine",
+    "antd": "Ant Design",
+    "@radix-ui/react-slot": "Radix UI",
+    "@headlessui/react": "Headless UI",
+    "daisyui": "DaisyUI",
+    "@shadcn/ui": "shadcn/ui",
+    "primereact": "PrimeReact",
+    "primevue": "PrimeVue",
+    "@nextui-org/react": "NextUI",
+    "@ariakit/react": "Ariakit",
+    "windstitch": "Windstitch",
+    "vanilla-extract": "vanilla-extract",
+    "@vanilla-extract/css": "vanilla-extract",
+    "linaria": "Linaria",
+    "stylex": "StyleX",
+    "@stylexjs/stylex": "StyleX",
+    "unocss": "UnoCSS",
+    "postcss": "PostCSS",
+    "autoprefixer": "Autoprefixer",
+    "lightningcss": "Lightning CSS",
+    "less": "Less",
+    "stylus": "Stylus",
+    "open-props": "Open Props",
+    "@ark-ui/react": "Ark UI"
+  },
+  backend: {
+    "express": "Express",
+    "fastify": "Fastify",
+    "@nestjs/core": "NestJS",
+    "hono": "Hono",
+    "koa": "Koa",
+    "@hapi/hapi": "Hapi",
+    "restify": "Restify",
+    "elysia": "Elysia",
+    "@elysiajs/eden": "Elysia Eden",
+    "moleculer": "Moleculer",
+    "@feathersjs/feathers": "Feathers",
+    "sails": "Sails",
+    "micro": "Micro",
+    "polka": "Polka",
+    "h3": "h3",
+    "nitro": "Nitro",
+    "@trpc/server": "tRPC Server",
+    "@trpc/client": "tRPC Client",
+    "middy": "Middy (Lambda)",
+    "serverless": "Serverless Framework",
+    "aws-lambda": "AWS Lambda",
+    "@aws-sdk/client-lambda": "AWS Lambda SDK",
+    "@cloudflare/workers-types": "Cloudflare Workers",
+    "wrangler": "Wrangler"
+  },
+  orm: {
+    "prisma": "Prisma",
+    "@prisma/client": "Prisma Client",
+    "drizzle-orm": "Drizzle",
+    "typeorm": "TypeORM",
+    "sequelize": "Sequelize",
+    "knex": "Knex",
+    "pg": "pg (PostgreSQL)",
+    "mysql2": "mysql2",
+    "mongodb": "MongoDB",
+    "ioredis": "ioredis",
+    "redis": "Redis",
+    "better-sqlite3": "better-sqlite3",
+    "@mikro-orm/core": "MikroORM",
+    "mongoose": "Mongoose",
+    "mssql": "mssql",
+    "kysely": "Kysely",
+    "objection": "Objection.js",
+    "@planetscale/database": "PlanetScale",
+    "@neondatabase/serverless": "Neon",
+    "@libsql/client": "libSQL (Turso)",
+    "@electric-sql/pglite": "PGlite",
+    "sql.js": "sql.js",
+    "oracledb": "Oracle DB",
+    "cassandra-driver": "Cassandra",
+    "neo4j-driver": "Neo4j",
+    "@upstash/redis": "Upstash Redis",
+    "@upstash/kafka": "Upstash Kafka",
+    "dynamoose": "Dynamoose",
+    "fauna": "Fauna",
+    "faunadb": "FaunaDB",
+    "@clickhouse/client": "ClickHouse",
+    "influx": "InfluxDB",
+    "slonik": "Slonik",
+    "massive": "Massive.js"
+  },
+  testing: {
+    "vitest": "Vitest",
+    "jest": "Jest",
+    "mocha": "Mocha",
+    "@playwright/test": "Playwright",
+    "cypress": "Cypress",
+    "@testing-library/react": "Testing Library (React)",
+    "@testing-library/vue": "Testing Library (Vue)",
+    "@testing-library/svelte": "Testing Library (Svelte)",
+    "@testing-library/jest-dom": "Testing Library DOM",
+    "@testing-library/user-event": "Testing Library User Event",
+    "chai": "Chai",
+    "ava": "AVA",
+    "tap": "node-tap",
+    "supertest": "Supertest",
+    "storybook": "Storybook",
+    "@storybook/react": "Storybook (React)",
+    "@storybook/vue3": "Storybook (Vue)",
+    "msw": "Mock Service Worker",
+    "nock": "Nock",
+    "sinon": "Sinon",
+    "faker": "Faker",
+    "@faker-js/faker": "Faker.js",
+    "testcontainers": "Testcontainers",
+    "pact": "Pact",
+    "@pact-foundation/pact": "Pact",
+    "k6": "k6",
+    "artillery": "Artillery",
+    "autocannon": "Autocannon",
+    "puppeteer": "Puppeteer",
+    "webdriverio": "WebdriverIO",
+    "nightwatch": "Nightwatch",
+    "detox": "Detox (Mobile)",
+    "jest-image-snapshot": "Image Snapshot",
+    "happy-dom": "happy-dom",
+    "jsdom": "jsdom",
+    "c8": "c8 (coverage)",
+    "nyc": "nyc (coverage)",
+    "@vitest/coverage-v8": "Vitest Coverage"
+  },
+  lintFormat: {
+    "eslint": "ESLint",
+    "prettier": "Prettier",
+    "stylelint": "Stylelint",
+    "@biomejs/biome": "Biome",
+    "oxlint": "oxlint",
+    "tslint": "TSLint",
+    "@typescript-eslint/parser": "typescript-eslint",
+    "eslint-config-next": "ESLint Next.js",
+    "eslint-config-prettier": "ESLint Prettier",
+    "eslint-plugin-react": "ESLint React",
+    "eslint-plugin-vue": "ESLint Vue",
+    "husky": "Husky",
+    "lint-staged": "lint-staged",
+    "commitlint": "commitlint",
+    "@commitlint/cli": "commitlint",
+    "lefthook": "Lefthook",
+    "cspell": "CSpell",
+    "markdownlint": "markdownlint",
+    "depcheck": "depcheck",
+    "knip": "Knip",
+    "madge": "Madge",
+    "publint": "publint",
+    "arethetypeswrong": "Are the Types Wrong",
+    "sort-package-json": "sort-package-json"
+  },
+  apiMessaging: {
+    "graphql": "GraphQL",
+    "@grpc/grpc-js": "gRPC",
+    "@trpc/server": "tRPC",
+    "@connectrpc/connect": "Connect",
+    "socket.io": "Socket.IO",
+    "ws": "WebSocket (ws)",
+    "@apollo/server": "Apollo Server",
+    "@apollo/client": "Apollo Client",
+    "urql": "URQL",
+    "graphql-yoga": "GraphQL Yoga",
+    "mercurius": "Mercurius",
+    "type-graphql": "TypeGraphQL",
+    "nexus": "Nexus",
+    "pothos": "Pothos",
+    "@graphql-codegen/cli": "GraphQL Codegen",
+    "kafkajs": "Kafka.js",
+    "amqplib": "AMQP (RabbitMQ)",
+    "bullmq": "BullMQ",
+    "bull": "Bull",
+    "bee-queue": "Bee Queue",
+    "agenda": "Agenda",
+    "pg-boss": "pg-boss",
+    "@temporalio/client": "Temporal",
+    "inngest": "Inngest",
+    "trigger.dev": "Trigger.dev",
+    "nats": "NATS",
+    "mqtt": "MQTT",
+    "zeromq": "ZeroMQ",
+    "sse-channel": "SSE Channel"
+  },
+  observability: {
+    "@sentry/node": "Sentry (Node)",
+    "@sentry/browser": "Sentry (Browser)",
+    "@sentry/react": "Sentry (React)",
+    "@sentry/nextjs": "Sentry (Next.js)",
+    "@opentelemetry/api": "OpenTelemetry API",
+    "@opentelemetry/sdk-node": "OpenTelemetry SDK",
+    "@opentelemetry/auto-instrumentations-node": "OpenTelemetry Auto",
+    "applicationinsights": "Application Insights",
+    "pino": "Pino",
+    "winston": "Winston",
+    "dd-trace": "Datadog",
+    "newrelic": "New Relic",
+    "bunyan": "Bunyan",
+    "@axiomhq/pino": "Axiom (Pino)",
+    "loglevel": "loglevel",
+    "consola": "consola",
+    "@logtail/node": "Logtail",
+    "elastic-apm-node": "Elastic APM",
+    "prom-client": "Prometheus Client",
+    "@google-cloud/trace-agent": "GCP Trace",
+    "@google-cloud/logging": "GCP Logging",
+    "lightstep-tracer": "Lightstep",
+    "roarr": "Roarr",
+    "cls-hooked": "CLS Hooked",
+    "@baselime/node-opentelemetry": "Baselime",
+    "highlight.run": "Highlight",
+    "posthog-node": "PostHog",
+    "@amplitude/node": "Amplitude",
+    "mixpanel": "Mixpanel",
+    "@segment/analytics-node": "Segment"
+  }
+};
+function scanToolingInventory(projects) {
+  const result = {
+    frontend: [],
+    metaFrameworks: [],
+    bundlers: [],
+    css: [],
+    backend: [],
+    orm: [],
+    testing: [],
+    lintFormat: [],
+    apiMessaging: [],
+    observability: []
+  };
+  const packageVersions = /* @__PURE__ */ new Map();
+  for (const project of projects) {
+    for (const dep of project.dependencies) {
+      if (!packageVersions.has(dep.package)) {
+        packageVersions.set(dep.package, dep.resolvedVersion);
+      }
+    }
+  }
+  for (const [category, packages] of Object.entries(CATEGORIES)) {
+    const items = [];
+    for (const [pkg2, displayName] of Object.entries(packages)) {
+      if (packageVersions.has(pkg2)) {
+        items.push({
+          name: displayName,
+          package: pkg2,
+          version: packageVersions.get(pkg2) ?? null
+        });
+      }
+    }
+    items.sort((a, b) => a.name.localeCompare(b.name));
+    result[category] = items;
+  }
+  return result;
+}
+
+// src/scanners/build-deploy.ts
+import * as path8 from "path";
+var CI_FILES = {
+  ".github/workflows": "github-actions",
+  ".gitlab-ci.yml": "gitlab-ci",
+  "azure-pipelines.yml": "azure-devops",
+  "bitbucket-pipelines.yml": "bitbucket-pipelines",
+  "Jenkinsfile": "jenkins",
+  ".circleci/config.yml": "circleci",
+  ".travis.yml": "travis-ci"
+};
+var RELEASE_PACKAGES = /* @__PURE__ */ new Set([
+  "semantic-release",
+  "@changesets/cli",
+  "standard-version",
+  "release-it",
+  "auto",
+  "lerna"
+]);
+var RELEASE_FILES = {
+  ".changeset": "changesets",
+  ".releaserc": "semantic-release",
+  ".releaserc.json": "semantic-release",
+  ".releaserc.yml": "semantic-release",
+  "release.config.js": "semantic-release",
+  "release.config.cjs": "semantic-release",
+  "GitVersion.yml": "gitversion"
+};
+var MONOREPO_FILES = {
+  "pnpm-workspace.yaml": "pnpm-workspaces",
+  "lerna.json": "lerna",
+  "nx.json": "nx",
+  "turbo.json": "turbo",
+  "rush.json": "rush"
+};
+var IAC_EXTENSIONS = {
+  ".tf": "terraform",
+  ".bicep": "bicep"
+};
+async function scanBuildDeploy(rootDir) {
+  const result = {
+    ci: [],
+    ciWorkflowCount: 0,
+    docker: { dockerfileCount: 0, baseImages: [] },
+    iac: [],
+    releaseTooling: [],
+    packageManagers: [],
+    monorepoTools: []
+  };
+  const ciSystems = /* @__PURE__ */ new Set();
+  for (const [file, system] of Object.entries(CI_FILES)) {
+    const fullPath = path8.join(rootDir, file);
+    if (await pathExists(fullPath)) {
+      ciSystems.add(system);
+    }
+  }
+  const ghWorkflowDir = path8.join(rootDir, ".github", "workflows");
+  if (await pathExists(ghWorkflowDir)) {
+    try {
+      const files = await findFiles(
+        ghWorkflowDir,
+        (name) => name.endsWith(".yml") || name.endsWith(".yaml")
+      );
+      result.ciWorkflowCount = files.length;
+    } catch {
+    }
+  }
+  result.ci = [...ciSystems].sort();
+  const dockerfiles = await findFiles(
+    rootDir,
+    (name) => name === "Dockerfile" || name.startsWith("Dockerfile.")
+  );
+  result.docker.dockerfileCount = dockerfiles.length;
+  const baseImages = /* @__PURE__ */ new Set();
+  for (const df of dockerfiles) {
+    try {
+      const content = await readTextFile(df);
+      for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (/^FROM\s+/i.test(trimmed)) {
+          const parts = trimmed.split(/\s+/);
+          let imageIdx = 1;
+          if (parts[1]?.startsWith("--")) {
+            imageIdx = parts[1].includes("=") ? 2 : 3;
+          }
+          if (parts[imageIdx]) {
+            baseImages.add(parts[imageIdx]);
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  result.docker.baseImages = [...baseImages].sort();
+  const iacSystems = /* @__PURE__ */ new Set();
+  for (const [ext, system] of Object.entries(IAC_EXTENSIONS)) {
+    const files = await findFiles(rootDir, (name) => name.endsWith(ext));
+    if (files.length > 0) iacSystems.add(system);
+  }
+  const cfnFiles = await findFiles(
+    rootDir,
+    (name) => name.endsWith(".cfn.json") || name.endsWith(".cfn.yaml")
+  );
+  if (cfnFiles.length > 0) iacSystems.add("cloudformation");
+  if (await pathExists(path8.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
+  result.iac = [...iacSystems].sort();
+  const releaseTools = /* @__PURE__ */ new Set();
+  for (const [file, tool] of Object.entries(RELEASE_FILES)) {
+    if (await pathExists(path8.join(rootDir, file))) releaseTools.add(tool);
+  }
+  const pkgFiles = await findPackageJsonFiles(rootDir);
+  for (const pjPath of pkgFiles) {
+    try {
+      const pj = await readJsonFile(pjPath);
+      for (const section of ["dependencies", "devDependencies"]) {
+        const deps = pj[section];
+        if (!deps) continue;
+        for (const name of Object.keys(deps)) {
+          if (RELEASE_PACKAGES.has(name)) releaseTools.add(name);
+        }
+      }
+    } catch {
+    }
+  }
+  result.releaseTooling = [...releaseTools].sort();
+  const lockfileMap = {
+    "pnpm-lock.yaml": "pnpm",
+    "package-lock.json": "npm",
+    "yarn.lock": "yarn",
+    "bun.lockb": "bun"
+  };
+  const managers = /* @__PURE__ */ new Set();
+  for (const [file, manager] of Object.entries(lockfileMap)) {
+    if (await pathExists(path8.join(rootDir, file))) managers.add(manager);
+  }
+  result.packageManagers = [...managers].sort();
+  const monoTools = /* @__PURE__ */ new Set();
+  for (const [file, tool] of Object.entries(MONOREPO_FILES)) {
+    if (await pathExists(path8.join(rootDir, file))) monoTools.add(tool);
+  }
+  result.monorepoTools = [...monoTools].sort();
+  return result;
+}
+
+// src/scanners/ts-modernity.ts
+import * as path9 from "path";
+async function scanTsModernity(rootDir) {
+  const result = {
+    typescriptVersion: null,
+    strict: null,
+    noImplicitAny: null,
+    strictNullChecks: null,
+    module: null,
+    moduleResolution: null,
+    target: null,
+    moduleType: null,
+    exportsField: false
+  };
+  const pkgFiles = await findPackageJsonFiles(rootDir);
+  let hasEsm = false;
+  let hasCjs = false;
+  for (const pjPath of pkgFiles) {
+    try {
+      const pj = await readJsonFile(pjPath);
+      if (!result.typescriptVersion) {
+        const tsVer = pj.devDependencies?.["typescript"] ?? pj.dependencies?.["typescript"];
+        if (tsVer) {
+          result.typescriptVersion = tsVer.replace(/^[\^~>=<\s]+/, "");
+        }
+      }
+      const typeField = pj.type;
+      if (typeField === "module") hasEsm = true;
+      else if (typeField === "commonjs") hasCjs = true;
+      else if (!typeField) hasCjs = true;
+      if (pj.exports) {
+        result.exportsField = true;
+      }
+    } catch {
+    }
+  }
+  if (hasEsm && hasCjs) result.moduleType = "mixed";
+  else if (hasEsm) result.moduleType = "esm";
+  else if (hasCjs) result.moduleType = "cjs";
+  let tsConfigPath = path9.join(rootDir, "tsconfig.json");
+  if (!await pathExists(tsConfigPath)) {
+    const tsConfigs = await findFiles(rootDir, (name) => name === "tsconfig.json");
+    if (tsConfigs.length > 0) {
+      tsConfigPath = tsConfigs[0];
+    } else {
+      return result;
+    }
+  }
+  try {
+    const raw = await readTextFile(tsConfigPath);
+    const stripped = raw.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "").replace(/,(\s*[}\]])/g, "$1");
+    const tsConfig = JSON.parse(stripped);
+    const co = tsConfig?.compilerOptions;
+    if (co) {
+      if (typeof co.strict === "boolean") result.strict = co.strict;
+      if (typeof co.noImplicitAny === "boolean") result.noImplicitAny = co.noImplicitAny;
+      if (typeof co.strictNullChecks === "boolean") result.strictNullChecks = co.strictNullChecks;
+      if (typeof co.module === "string") result.module = co.module;
+      if (typeof co.moduleResolution === "string") result.moduleResolution = co.moduleResolution;
+      if (typeof co.target === "string") result.target = co.target;
+    }
+  } catch {
+  }
+  return result;
+}
+
+// src/scanners/breaking-change.ts
+var DEPRECATED_PACKAGES2 = /* @__PURE__ */ new Set([
+  // Fully deprecated / archived
+  "request",
+  // deprecated 2020, use undici/node fetch
+  "request-promise",
+  // deprecated with request
+  "request-promise-native",
+  // deprecated with request
+  "moment",
+  // deprecated, use date-fns / luxon / Temporal
+  "node-sass",
+  // deprecated, use sass (Dart Sass)
+  "tslint",
+  // archived, use eslint + typescript-eslint
+  "aws-sdk",
+  // AWS SDK v2 EOL, use @aws-sdk/* v3
+  "babel-core",
+  // replaced by @babel/core
+  "babel-preset-env",
+  // replaced by @babel/preset-env
+  "babel-preset-react",
+  // replaced by @babel/preset-react
+  "babel-loader",
+  // 7.x deprecated, must pair with @babel/core
+  "core-js",
+  // v2 deprecated (v3 ok but signals old config)
+  "istanbul",
+  // replaced by nyc / c8
+  "istanbul-instrumenter-loader",
+  // deprecated with istanbul
+  "left-pad",
+  // meme package, use String.padStart
+  "popper.js",
+  // deprecated, use @popperjs/core
+  "create-react-class",
+  // deprecated React pattern
+  "react-addons-css-transition-group",
+  // deprecated React addon
+  "react-addons-test-utils",
+  // use react-dom/test-utils
+  "@types/express-serve-static-core",
+  // now shipped with express
+  "enzyme",
+  // unmaintained, use Testing Library or Vitest
+  "enzyme-adapter-react-16",
+  // unmaintained
+  "enzyme-adapter-react-17",
+  // unmaintained
+  "react-hot-loader",
+  // deprecated, use React Fast Refresh
+  "react-loadable",
+  // unmaintained, use React.lazy
+  "react-router-dom-v5-compat",
+  // migration shim
+  "redux-thunk",
+  // bundled into @reduxjs/toolkit since v1.5
+  "redux-saga",
+  // declining, consider RTK Query
+  "recompose",
+  // archived, use hooks
+  "classnames",
+  // works but clsx is faster & smaller
+  "glamor",
+  // deprecated CSS-in-JS
+  "radium",
+  // deprecated CSS-in-JS
+  "material-ui",
+  // replaced by @mui/material
+  "@material-ui/core",
+  // replaced by @mui/material
+  // Unmaintained / abandoned
+  "bower",
+  // dead package manager
+  "grunt",
+  // superseded by npm scripts / modern bundlers
+  "gulp",
+  // declining, modern bundlers preferred
+  "browserify",
+  // superseded by modern bundlers
+  "coffee-script",
+  // CoffeeScript 1.x deprecated
+  "coffeescript",
+  // declining
+  "jade",
+  // renamed to pug
+  "nomnom",
+  // deprecated CLI parser
+  "optimist",
+  // deprecated CLI parser, use yargs/commander
+  "minimist",
+  // unmaintained, use mri or parseArgs
+  "colors",
+  // supply chain compromised, use chalk/picocolors
+  "faker",
+  // supply chain compromised, use @faker-js/faker
+  "event-stream",
+  // supply chain incident
+  "ua-parser-js",
+  // had supply chain incident
+  "caniuse-db",
+  // replaced by caniuse-lite
+  "circular-json",
+  // deprecated, use flatted
+  "mkdirp",
+  // Node has fs.mkdir recursive since v10
+  "rimraf",
+  // Node has fs.rm recursive since v14
+  "glob",
+  // consider fast-glob or Node fs.glob
+  "swig",
+  // abandoned template engine
+  "dustjs-linkedin",
+  // abandoned template engine
+  "hogan.js",
+  // abandoned template engine
+  "passport-local-mongoose",
+  // low maintenance
+  // Known breaking-change magnets
+  "@angular/http",
+  // removed in Angular 15+
+  "rxjs-compat",
+  // migration shim for RxJS 5→6
+  "protractor",
+  // deprecated by Angular team
+  "karma",
+  // deprecated, Vitest/Jest preferred
+  "karma-jasmine",
+  // deprecated with Karma
+  "jasmine"
+  // declining in usage
+]);
+var LEGACY_POLYFILLS = /* @__PURE__ */ new Set([
+  // Built-in fetch & web APIs (Node 18+)
+  "node-fetch",
+  // native fetch since Node 18
+  "cross-fetch",
+  // native fetch since Node 18
+  "isomorphic-fetch",
+  // native fetch since Node 18
+  "whatwg-fetch",
+  // native fetch since Node 18
+  "abort-controller",
+  // native AbortController since Node 15
+  "form-data",
+  // native FormData since Node 18
+  "formdata-polyfill",
+  // native FormData since Node 18
+  "web-streams-polyfill",
+  // native ReadableStream since Node 18
+  "whatwg-url",
+  // native URL since Node 10
+  "url-parse",
+  // native URL since Node 10
+  "domexception",
+  // native DOMException since Node 17
+  "abortcontroller-polyfill",
+  // native since Node 15
+  // Built-in Node modules shimmed for browser
+  "querystring",
+  // URLSearchParams preferred, native in Node
+  "string_decoder",
+  // native TextDecoder preferred
+  "buffer",
+  // native Buffer in Node, Uint8Array in browser
+  "events",
+  // native EventTarget preferred
+  "path-browserify",
+  // browser shim
+  "stream-browserify",
+  // browser shim
+  "stream-http",
+  // browser shim
+  "https-browserify",
+  // browser shim
+  "os-browserify",
+  // browser shim
+  "crypto-browserify",
+  // native Web Crypto API
+  "assert",
+  // native assert in Node, console.assert in browser
+  "util",
+  // Node native, deprecations in browser bundles
+  "process",
+  // shimmed, usually unnecessary
+  "timers-browserify",
+  // native timers
+  "tty-browserify",
+  // rarely needed
+  "vm-browserify",
+  // rarely needed
+  "domain-browser",
+  // domains deprecated in Node
+  "punycode",
+  // native in URL since Node 10
+  "readable-stream",
+  // Node streams polyfill, usually unnecessary
+  // ES / language polyfills for ES2015+ (Node 18+ has all)
+  "es6-promise",
+  // native Promise since Node 4
+  "promise-polyfill",
+  // native Promise
+  "es6-symbol",
+  // native Symbol since Node 4
+  "es6-map",
+  // native Map since Node 4
+  "es6-set",
+  // native Set since Node 4
+  "es6-weak-map",
+  // native WeakMap since Node 4
+  "es6-iterator",
+  // native iterators
+  "object-assign",
+  // native Object.assign since Node 4
+  "object.assign",
+  // same
+  "array.prototype.find",
+  // native since ES2015
+  "array.prototype.findindex",
+  // native since ES2015
+  "array.prototype.flat",
+  // native since Node 11
+  "array.prototype.flatmap",
+  // native since Node 11
+  "array-includes",
+  // native Array.includes since Node 6
+  "string.prototype.startswith",
+  // native since ES2015
+  "string.prototype.endswith",
+  // native since ES2015
+  "string.prototype.includes",
+  // native since ES2015
+  "string.prototype.padstart",
+  // native since Node 8
+  "string.prototype.padend",
+  // native since Node 8
+  "string.prototype.matchall",
+  // native since Node 12
+  "string.prototype.replaceall",
+  // native since Node 15
+  "string.prototype.trimstart",
+  // native since Node 10
+  "string.prototype.trimend",
+  // native since Node 10
+  "string.prototype.at",
+  // native since Node 16.6
+  "object.entries",
+  // native since Node 7
+  "object.values",
+  // native since Node 7
+  "object.fromentries",
+  // native since Node 12
+  "globalthis",
+  // native globalThis since Node 12
+  "symbol-observable",
+  // TC39 withdrawn
+  "setimmediate",
+  // Node-only, setTimeout(fn, 0) preferred
+  "regenerator-runtime",
+  // async/await native since Node 8
+  "@babel/polyfill",
+  // deprecated, use core-js directly
+  "whatwg-encoding",
+  // native TextEncoder/TextDecoder
+  "text-encoding",
+  // native TextEncoder/TextDecoder since Node 11
+  "encoding",
+  // native TextEncoder/TextDecoder
+  "unorm",
+  // native String.normalize since Node 0.12
+  "number.isnan",
+  // native Number.isNaN since Node 0.12
+  "is-nan",
+  // native Number.isNaN
+  "has-symbols",
+  // native Symbol detection
+  "has",
+  // native Object.hasOwn since Node 16.9
+  "hasown",
+  // shim for Object.hasOwn
+  "safe-buffer",
+  // Buffer.from available since Node 5.10
+  "safer-buffer"
+  // Buffer.from available since Node 5.10
+]);
+function scanBreakingChangeExposure(projects) {
+  const deprecated = /* @__PURE__ */ new Set();
+  const legacyPolyfills = /* @__PURE__ */ new Set();
+  let peerConflictsDetected = false;
+  const allDeps = /* @__PURE__ */ new Set();
+  for (const project of projects) {
+    for (const dep of project.dependencies) {
+      allDeps.add(dep.package);
+      if (DEPRECATED_PACKAGES2.has(dep.package)) {
+        deprecated.add(dep.package);
+      }
+      if (LEGACY_POLYFILLS.has(dep.package)) {
+        legacyPolyfills.add(dep.package);
+      }
+      if (dep.section === "peerDependencies" && dep.majorsBehind !== null && dep.majorsBehind >= 2) {
+        peerConflictsDetected = true;
+      }
+    }
+  }
+  let score = 0;
+  score += Math.min(deprecated.size * 10, 40);
+  score += Math.min(legacyPolyfills.size * 5, 30);
+  score += peerConflictsDetected ? 20 : 0;
+  score = Math.min(score, 100);
+  return {
+    deprecatedPackages: [...deprecated].sort(),
+    legacyPolyfills: [...legacyPolyfills].sort(),
+    peerConflictsDetected,
+    exposureScore: score
+  };
+}
+
+// src/scanners/file-hotspots.ts
+import * as fs4 from "fs/promises";
+import * as path10 from "path";
+var SKIP_DIRS2 = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  "out",
+  ".turbo",
+  ".cache",
+  "coverage",
+  "bin",
+  "obj",
+  ".vs",
+  "TestResults",
+  ".nuxt",
+  ".output",
+  ".svelte-kit"
+]);
+var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".map",
+  ".lock",
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".ico",
+  ".svg",
+  ".woff",
+  ".woff2",
+  ".ttf",
+  ".eot",
+  ".mp4",
+  ".webm"
+]);
+async function scanFileHotspots(rootDir) {
+  const extensionCounts = {};
+  const allFiles = [];
+  let maxDepth = 0;
+  async function walk(dir, depth) {
+    if (depth > maxDepth) maxDepth = depth;
+    let entries;
+    try {
+      const dirents = await fs4.readdir(dir, { withFileTypes: true });
+      entries = dirents.map((d) => ({
+        name: d.name,
+        isDirectory: d.isDirectory(),
+        isFile: d.isFile()
+      }));
+    } catch {
+      return;
+    }
+    for (const e of entries) {
+      if (e.isDirectory) {
+        if (SKIP_DIRS2.has(e.name)) continue;
+        await walk(path10.join(dir, e.name), depth + 1);
+      } else if (e.isFile) {
+        const ext = path10.extname(e.name).toLowerCase();
+        if (SKIP_EXTENSIONS.has(ext)) continue;
+        extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
+        try {
+          const stat3 = await fs4.stat(path10.join(dir, e.name));
+          allFiles.push({
+            path: path10.relative(rootDir, path10.join(dir, e.name)),
+            bytes: stat3.size
+          });
+        } catch {
+        }
+      }
+    }
+  }
+  await walk(rootDir, 0);
+  allFiles.sort((a, b) => b.bytes - a.bytes);
+  const largestFiles = allFiles.slice(0, 20);
+  return {
+    fileCountByExtension: extensionCounts,
+    largestFiles,
+    totalFiles: allFiles.length,
+    maxDirectoryDepth: maxDepth,
+    mostUsedPackages: []
+    // Filled in by caller with project data
+  };
+}
+
+// src/scanners/security-posture.ts
+import * as path11 from "path";
+var LOCKFILES = {
+  "pnpm-lock.yaml": "pnpm",
+  "package-lock.json": "npm",
+  "yarn.lock": "yarn",
+  "bun.lockb": "bun",
+  "packages.lock.json": "nuget"
+};
+async function scanSecurityPosture(rootDir) {
+  const result = {
+    lockfilePresent: false,
+    multipleLockfileTypes: false,
+    gitignoreCoversEnv: false,
+    gitignoreCoversNodeModules: false,
+    envFilesTracked: false,
+    lockfileTypes: []
+  };
+  const foundLockfiles = [];
+  for (const [file, type] of Object.entries(LOCKFILES)) {
+    if (await pathExists(path11.join(rootDir, file))) {
+      foundLockfiles.push(type);
+    }
+  }
+  result.lockfilePresent = foundLockfiles.length > 0;
+  result.multipleLockfileTypes = foundLockfiles.length > 1;
+  result.lockfileTypes = foundLockfiles.sort();
+  const gitignorePath = path11.join(rootDir, ".gitignore");
+  if (await pathExists(gitignorePath)) {
+    try {
+      const content = await readTextFile(gitignorePath);
+      const lines = content.split("\n").map((l) => l.trim());
+      result.gitignoreCoversEnv = lines.some(
+        (line) => line === ".env" || line === ".env*" || line === ".env.*" || line === ".env.local" || line === "*.env"
+      );
+      result.gitignoreCoversNodeModules = lines.some(
+        (line) => line === "node_modules" || line === "node_modules/" || line === "/node_modules"
+      );
+    } catch {
+    }
+  }
+  for (const envFile of [".env", ".env.local", ".env.development", ".env.production"]) {
+    if (await pathExists(path11.join(rootDir, envFile))) {
+      if (!result.gitignoreCoversEnv) {
+        result.envFilesTracked = true;
+        break;
+      }
+    }
+  }
+  return result;
+}
+
+// src/scanners/service-dependencies.ts
+var SERVICE_CATEGORIES = {
+  payment: {
+    "stripe": "Stripe",
+    "@stripe/stripe-js": "Stripe.js",
+    "@stripe/react-stripe-js": "Stripe React",
+    "braintree": "Braintree",
+    "braintree-web": "Braintree Web",
+    "@paypal/checkout-server-sdk": "PayPal",
+    "@paypal/react-paypal-js": "PayPal React",
+    "@paypal/paypal-js": "PayPal.js",
+    "square": "Square",
+    "razorpay": "Razorpay",
+    "adyen-api-library": "Adyen",
+    "@adyen/api-library": "Adyen",
+    "@adyen/adyen-web": "Adyen Web",
+    "mollie-api-node": "Mollie",
+    "@lemonsqueezy/lemonsqueezy.js": "Lemon Squeezy",
+    "paddle-sdk": "Paddle",
+    "@paddle/paddle-node-sdk": "Paddle",
+    "coinbase-commerce-node": "Coinbase Commerce",
+    "gocardless-nodejs": "GoCardless",
+    "klarna-checkout": "Klarna",
+    "@recurly/recurly-js": "Recurly",
+    "chargebee": "Chargebee"
+  },
+  auth: {
+    "@auth0/auth0-spa-js": "Auth0 SPA",
+    "@auth0/auth0-react": "Auth0 React",
+    "@auth0/nextjs-auth0": "Auth0 Next.js",
+    "auth0": "Auth0",
+    "@clerk/clerk-sdk-node": "Clerk (Node)",
+    "@clerk/nextjs": "Clerk (Next.js)",
+    "@clerk/clerk-react": "Clerk (React)",
+    "firebase-admin": "Firebase Admin",
+    "firebase": "Firebase",
+    "@firebase/auth": "Firebase Auth",
+    "passport": "Passport.js",
+    "passport-local": "Passport Local",
+    "passport-google-oauth20": "Passport Google",
+    "passport-github2": "Passport GitHub",
+    "next-auth": "NextAuth",
+    "@auth/core": "Auth.js",
+    "@supabase/supabase-js": "Supabase",
+    "@supabase/auth-helpers-nextjs": "Supabase Auth (Next.js)",
+    "@supabase/ssr": "Supabase SSR",
+    "jsonwebtoken": "JWT",
+    "jose": "JOSE",
+    "@okta/okta-auth-js": "Okta",
+    "@okta/okta-react": "Okta React",
+    "oidc-client-ts": "OIDC Client",
+    "@casl/ability": "CASL",
+    "casbin": "Casbin",
+    "keycloak-js": "Keycloak",
+    "@keycloak/keycloak-admin-client": "Keycloak Admin",
+    "lucia": "Lucia Auth",
+    "@lucia-auth/adapter-prisma": "Lucia (Prisma)",
+    "arctic": "Arctic (OAuth)",
+    "better-auth": "Better Auth",
+    "grant": "Grant (OAuth)",
+    "@workos-inc/node": "WorkOS",
+    "stytch": "Stytch",
+    "frontegg": "Frontegg",
+    "@descope/node-sdk": "Descope",
+    "kinde-auth-nextjs": "Kinde"
+  },
+  email: {
+    "@sendgrid/mail": "SendGrid",
+    "@sendgrid/client": "SendGrid Client",
+    "nodemailer": "Nodemailer",
+    "twilio": "Twilio",
+    "@aws-sdk/client-ses": "AWS SES",
+    "@aws-sdk/client-sesv2": "AWS SES v2",
+    "postmark": "Postmark",
+    "mailgun.js": "Mailgun",
+    "resend": "Resend",
+    "@react-email/components": "React Email",
+    "react-email": "React Email",
+    "mjml": "MJML",
+    "email-templates": "Email Templates",
+    "@mailchimp/mailchimp_marketing": "Mailchimp",
+    "@mailchimp/mailchimp_transactional": "Mailchimp Transactional",
+    "plunk-node": "Plunk",
+    "brevo": "Brevo (Sendinblue)",
+    "sib-api-v3-sdk": "Brevo v3",
+    "@customer.io/node": "Customer.io",
+    "sparkpost": "SparkPost",
+    "mandrill-api": "Mandrill",
+    "mail-listener5": "Mail Listener",
+    "@azure/communication-email": "Azure Email"
+  },
+  cloud: {
+    // AWS
+    "aws-sdk": "AWS SDK v2",
+    "@aws-sdk/client-s3": "AWS S3",
+    "@aws-sdk/client-lambda": "AWS Lambda",
+    "@aws-sdk/client-dynamodb": "AWS DynamoDB",
+    "@aws-sdk/client-ec2": "AWS EC2",
+    "@aws-sdk/client-ecs": "AWS ECS",
+    "@aws-sdk/client-ecr": "AWS ECR",
+    "@aws-sdk/client-cloudformation": "AWS CloudFormation",
+    "@aws-sdk/client-cloudwatch": "AWS CloudWatch",
+    "@aws-sdk/client-cloudfront": "AWS CloudFront",
+    "@aws-sdk/client-iam": "AWS IAM",
+    "@aws-sdk/client-secrets-manager": "AWS Secrets Manager",
+    "@aws-sdk/client-ssm": "AWS SSM",
+    "@aws-sdk/client-sts": "AWS STS",
+    "@aws-sdk/client-cognito-identity-provider": "AWS Cognito",
+    "@aws-sdk/client-route-53": "AWS Route 53",
+    "@aws-sdk/client-step-functions": "AWS Step Functions",
+    "@aws-sdk/client-eventbridge": "AWS EventBridge",
+    "@aws-sdk/client-kinesis": "AWS Kinesis",
+    "@aws-sdk/client-kms": "AWS KMS",
+    "@aws-sdk/client-athena": "AWS Athena",
+    "@aws-sdk/client-bedrock-runtime": "AWS Bedrock",
+    "@aws-sdk/lib-dynamodb": "AWS DynamoDB Doc",
+    // Azure
+    "@azure/storage-blob": "Azure Blob",
+    "@azure/identity": "Azure Identity",
+    "@azure/cosmos": "Azure Cosmos DB",
+    "@azure/keyvault-secrets": "Azure Key Vault",
+    "@azure/service-bus": "Azure Service Bus",
+    "@azure/event-hubs": "Azure Event Hubs",
+    "@azure/functions": "Azure Functions",
+    "@azure/ai-form-recognizer": "Azure Form Recognizer",
+    "@azure/openai": "Azure OpenAI",
+    "@azure/app-configuration": "Azure App Config",
+    "@azure/monitor-opentelemetry": "Azure Monitor OTel",
+    "@azure/container-registry": "Azure Container Registry",
+    // GCP
+    "@google-cloud/storage": "GCP Storage",
+    "@google-cloud/functions-framework": "GCP Functions",
+    "@google-cloud/bigquery": "GCP BigQuery",
+    "@google-cloud/firestore": "GCP Firestore",
+    "@google-cloud/pubsub": "GCP Pub/Sub",
+    "@google-cloud/secret-manager": "GCP Secret Manager",
+    "@google-cloud/tasks": "GCP Cloud Tasks",
+    "@google-cloud/run": "GCP Cloud Run",
+    "@google-cloud/logging": "GCP Logging",
+    "@google-cloud/translate": "GCP Translate",
+    "@google-cloud/vertexai": "GCP Vertex AI",
+    // Multi-cloud / PaaS
+    "@vercel/sdk": "Vercel",
+    "@vercel/kv": "Vercel KV",
+    "@vercel/blob": "Vercel Blob",
+    "@vercel/postgres": "Vercel Postgres",
+    "@vercel/edge-config": "Vercel Edge Config",
+    "@netlify/functions": "Netlify Functions",
+    "@cloudflare/workers-types": "Cloudflare Workers",
+    "wrangler": "Wrangler",
+    "@railway/cli": "Railway",
+    "@fly/apps": "Fly.io",
+    "heroku-client": "Heroku",
+    "@pulumi/pulumi": "Pulumi",
+    "@pulumi/aws": "Pulumi AWS",
+    "cdktf": "CDK for Terraform",
+    "aws-cdk-lib": "AWS CDK",
+    "sst": "SST"
+  },
+  databases: {
+    "pg": "PostgreSQL",
+    "postgres": "Postgres.js",
+    "mysql2": "MySQL",
+    "mysql": "MySQL (legacy)",
+    "mongodb": "MongoDB",
+    "ioredis": "Redis (ioredis)",
+    "redis": "Redis",
+    "better-sqlite3": "SQLite",
+    "sql.js": "sql.js",
+    "@prisma/client": "Prisma",
+    "drizzle-orm": "Drizzle",
+    "typeorm": "TypeORM",
+    "sequelize": "Sequelize",
+    "knex": "Knex",
+    "kysely": "Kysely",
+    "objection": "Objection.js",
+    "slonik": "Slonik",
+    "massive": "Massive.js",
+    "mongoose": "Mongoose",
+    "@mikro-orm/core": "MikroORM",
+    "mssql": "SQL Server",
+    "oracledb": "Oracle",
+    "cassandra-driver": "Cassandra",
+    "neo4j-driver": "Neo4j",
+    "arangojs": "ArangoDB",
+    "@clickhouse/client": "ClickHouse",
+    "influx": "InfluxDB",
+    "@libsql/client": "libSQL (Turso)",
+    "@neondatabase/serverless": "Neon",
+    "@planetscale/database": "PlanetScale",
+    "@electric-sql/pglite": "PGlite",
+    "@upstash/redis": "Upstash Redis",
+    "@upstash/kafka": "Upstash Kafka",
+    "@upstash/qstash": "Upstash QStash",
+    "@upstash/vector": "Upstash Vector",
+    "dynamoose": "Dynamoose",
+    "fauna": "Fauna",
+    "faunadb": "FaunaDB",
+    "@supabase/postgrest-js": "Supabase PostgREST",
+    "couchbase": "Couchbase",
+    "couchdb-nano": "CouchDB",
+    "duckdb": "DuckDB",
+    "@tidbcloud/serverless": "TiDB Serverless"
+  },
+  messaging: {
+    "@aws-sdk/client-sqs": "AWS SQS",
+    "@aws-sdk/client-sns": "AWS SNS",
+    "amqplib": "RabbitMQ",
+    "kafkajs": "Kafka",
+    "bullmq": "BullMQ",
+    "bull": "Bull",
+    "@google-cloud/pubsub": "GCP Pub/Sub",
+    "bee-queue": "Bee Queue",
+    "pg-boss": "pg-boss",
+    "agenda": "Agenda",
+    "@azure/service-bus": "Azure Service Bus",
+    "@azure/event-hubs": "Azure Event Hubs",
+    "nats": "NATS",
+    "mqtt": "MQTT",
+    "zeromq": "ZeroMQ",
+    "@temporalio/client": "Temporal Client",
+    "@temporalio/worker": "Temporal Worker",
+    "inngest": "Inngest",
+    "@trigger.dev/sdk": "Trigger.dev",
+    "@defer/client": "Defer",
+    "graphile-worker": "Graphile Worker",
+    "@quirrel/quirrel": "Quirrel",
+    "rhea": "AMQP 1.0 (rhea)",
+    "stompit": "STOMP",
+    "@eventstore/db-client": "EventStoreDB",
+    "@aws-sdk/client-eventbridge": "AWS EventBridge",
+    "@aws-sdk/client-kinesis": "AWS Kinesis",
+    "@aws-sdk/client-firehose": "AWS Firehose"
+  },
+  observability: {
+    "@sentry/node": "Sentry (Node)",
+    "@sentry/browser": "Sentry (Browser)",
+    "@sentry/react": "Sentry (React)",
+    "@sentry/nextjs": "Sentry (Next.js)",
+    "@sentry/vue": "Sentry (Vue)",
+    "@sentry/angular": "Sentry (Angular)",
+    "@opentelemetry/api": "OpenTelemetry API",
+    "@opentelemetry/sdk-node": "OpenTelemetry SDK",
+    "@opentelemetry/auto-instrumentations-node": "OpenTelemetry Auto",
+    "applicationinsights": "App Insights",
+    "dd-trace": "Datadog",
+    "@datadog/browser-rum": "Datadog RUM",
+    "newrelic": "New Relic",
+    "@newrelic/browser-agent": "New Relic Browser",
+    "pino": "Pino",
+    "winston": "Winston",
+    "bunyan": "Bunyan",
+    "consola": "Consola",
+    "loglevel": "loglevel",
+    "roarr": "Roarr",
+    "prom-client": "Prometheus",
+    "elastic-apm-node": "Elastic APM",
+    "@logtail/node": "Logtail",
+    "@axiomhq/pino": "Axiom (Pino)",
+    "@axiomhq/winston": "Axiom (Winston)",
+    "@baselime/node-opentelemetry": "Baselime",
+    "highlight.run": "Highlight",
+    "@google-cloud/trace-agent": "GCP Trace",
+    "@google-cloud/logging": "GCP Logging",
+    "@azure/monitor-opentelemetry": "Azure Monitor",
+    "lightstep-tracer": "Lightstep",
+    "honeycomb-beeline": "Honeycomb",
+    "@honeycombio/opentelemetry-node": "Honeycomb OTel",
+    "posthog-node": "PostHog",
+    "@amplitude/node": "Amplitude",
+    "mixpanel": "Mixpanel",
+    "@segment/analytics-node": "Segment",
+    "analytics-node": "Segment (legacy)",
+    "@rudderstack/rudder-sdk-node": "RudderStack",
+    "heap-api": "Heap",
+    "@fullstory/browser": "FullStory",
+    "@logrocket/react": "LogRocket",
+    "logrocket": "LogRocket",
+    "hotjar-js": "Hotjar",
+    "@clarity-ai/clarity": "Microsoft Clarity"
+  },
+  crm: {
+    "xero-node": "Xero",
+    "hubspot-api-client": "HubSpot",
+    "@hubspot/api-client": "HubSpot",
+    "@slack/web-api": "Slack Web API",
+    "@slack/bolt": "Slack Bolt",
+    "@slack/events-api": "Slack Events",
+    "discord.js": "Discord",
+    "intercom-client": "Intercom",
+    "salesforce-sdk": "Salesforce",
+    "jsforce": "JSforce (Salesforce)",
+    "@zendesk/sell-client": "Zendesk",
+    "node-zendesk": "Zendesk",
+    "freshdesk-api": "Freshdesk",
+    "pipedrive": "Pipedrive",
+    "airtable": "Airtable",
+    "@notionhq/client": "Notion",
+    "@linear/sdk": "Linear",
+    "jira-client": "Jira",
+    "jira.js": "Jira.js",
+    "@octokit/rest": "GitHub (Octokit)",
+    "@octokit/core": "GitHub (Octokit Core)",
+    "gitlab": "GitLab",
+    "@gitbeaker/rest": "GitLab (Gitbeaker)",
+    "clickup.js": "ClickUp",
+    "asana": "Asana",
+    "monday-sdk-js": "Monday.com",
+    "telegram-bot-api": "Telegram",
+    "telegraf": "Telegraf (Telegram)",
+    "@microsoft/microsoft-graph-client": "Microsoft Graph",
+    "googleapis": "Google APIs",
+    "@google-cloud/aiplatform": "Google AI Platform"
+  },
+  storage: {
+    "@aws-sdk/client-s3": "AWS S3",
+    "@aws-sdk/s3-request-presigner": "AWS S3 Presigner",
+    "@azure/storage-blob": "Azure Blob",
+    "@azure/storage-queue": "Azure Storage Queue",
+    "@azure/storage-file-share": "Azure File Share",
+    "@google-cloud/storage": "GCP Storage",
+    "minio": "MinIO",
+    "@supabase/storage-js": "Supabase Storage",
+    "cloudinary": "Cloudinary",
+    "uploadthing": "UploadThing",
+    "@uploadthing/react": "UploadThing React",
+    "multer": "Multer",
+    "multer-s3": "Multer S3",
+    "formidable": "Formidable",
+    "busboy": "Busboy",
+    "@vercel/blob": "Vercel Blob",
+    "imagekit": "ImageKit",
+    "sharp": "Sharp (image)",
+    "jimp": "Jimp (image)",
+    "fluent-ffmpeg": "FFmpeg",
+    "@google-cloud/vision": "GCP Vision",
+    "@aws-sdk/client-rekognition": "AWS Rekognition",
+    "file-type": "file-type",
+    "@backblaze-b2/sdk": "Backblaze B2",
+    "wasabi-sdk": "Wasabi"
+  },
+  search: {
+    "@elastic/elasticsearch": "Elasticsearch",
+    "algoliasearch": "Algolia",
+    "@algolia/client-search": "Algolia Client",
+    "react-instantsearch": "Algolia InstantSearch",
+    "meilisearch": "Meilisearch",
+    "typesense": "Typesense",
+    "@opensearch-project/opensearch": "OpenSearch",
+    "solr-client": "Solr",
+    "lunr": "Lunr",
+    "flexsearch": "FlexSearch",
+    "fuse.js": "Fuse.js",
+    "minisearch": "MiniSearch",
+    "orama": "Orama",
+    "@orama/orama": "Orama",
+    "@trieve/trieve-ts-sdk": "Trieve",
+    "pagefind": "Pagefind",
+    // Vector / AI search
+    "@pinecone-database/pinecone": "Pinecone",
+    "chromadb": "Chroma",
+    "@qdrant/js-client-rest": "Qdrant",
+    "weaviate-ts-client": "Weaviate",
+    "@zilliz/milvus2-sdk-node": "Milvus",
+    "openai": "OpenAI",
+    "@anthropic-ai/sdk": "Anthropic",
+    "@langchain/core": "LangChain",
+    "langchain": "LangChain",
+    "@google/generative-ai": "Google Gemini",
+    "cohere-ai": "Cohere",
+    "replicate": "Replicate",
+    "@huggingface/inference": "Hugging Face",
+    "ai": "Vercel AI SDK",
+    "@ai-sdk/openai": "AI SDK (OpenAI)"
+  }
+};
+function scanServiceDependencies(projects) {
+  const packageVersions = /* @__PURE__ */ new Map();
+  for (const project of projects) {
+    for (const dep of project.dependencies) {
+      if (!packageVersions.has(dep.package)) {
+        packageVersions.set(dep.package, dep.resolvedVersion);
+      }
+    }
+  }
+  const result = {
+    payment: [],
+    auth: [],
+    email: [],
+    cloud: [],
+    databases: [],
+    messaging: [],
+    observability: [],
+    crm: [],
+    storage: [],
+    search: []
+  };
+  for (const [category, packages] of Object.entries(SERVICE_CATEGORIES)) {
+    const items = [];
+    for (const [pkg2, displayName] of Object.entries(packages)) {
+      if (packageVersions.has(pkg2)) {
+        items.push({
+          name: displayName,
+          package: pkg2,
+          version: packageVersions.get(pkg2) ?? null
+        });
+      }
+    }
+    items.sort((a, b) => a.name.localeCompare(b.name));
+    result[category] = items;
+  }
+  return result;
+}
+
+// src/commands/scan.ts
+async function runScan(rootDir, opts) {
+  const config = await loadConfig(rootDir);
+  const sem = new Semaphore(opts.concurrency);
+  const npmCache = new NpmCache(rootDir, sem);
+  const scanners = config.scanners;
+  const progress = new ScanProgress(rootDir);
+  const steps = [
+    { id: "config", label: "Loading configuration" },
+    { id: "vcs", label: "Detecting version control" },
+    { id: "node", label: "Scanning Node projects" },
+    { id: "dotnet", label: "Scanning .NET projects" },
+    ...scanners !== false ? [
+      ...scanners?.platformMatrix?.enabled !== false ? [{ id: "platform", label: "Platform matrix" }] : [],
+      ...scanners?.toolingInventory?.enabled !== false ? [{ id: "tooling", label: "Tooling inventory" }] : [],
+      ...scanners?.serviceDependencies?.enabled !== false ? [{ id: "services", label: "Service dependencies" }] : [],
+      ...scanners?.breakingChangeExposure?.enabled !== false ? [{ id: "breaking", label: "Breaking change exposure" }] : [],
+      ...scanners?.securityPosture?.enabled !== false ? [{ id: "security", label: "Security posture" }] : [],
+      ...scanners?.buildDeploy?.enabled !== false ? [{ id: "build", label: "Build & deploy analysis" }] : [],
+      ...scanners?.tsModernity?.enabled !== false ? [{ id: "ts", label: "TypeScript modernity" }] : [],
+      ...scanners?.fileHotspots?.enabled !== false ? [{ id: "hotspots", label: "File hotspots" }] : [],
+      ...scanners?.dependencyGraph?.enabled !== false ? [{ id: "depgraph", label: "Dependency graph" }] : [],
+      ...scanners?.dependencyRisk?.enabled !== false ? [{ id: "deprisk", label: "Dependency risk" }] : []
+    ] : [],
+    { id: "drift", label: "Computing drift score" },
+    { id: "findings", label: "Generating findings" }
+  ];
+  progress.setSteps(steps);
+  progress.completeStep("config", "loaded");
+  progress.startStep("vcs");
+  const vcs = await detectVcs(rootDir);
+  const vcsDetail = vcs.type !== "unknown" ? `${vcs.type}${vcs.branch ? ` ${vcs.branch}` : ""}${vcs.shortSha ? ` @ ${vcs.shortSha}` : ""}` : "none detected";
+  progress.completeStep("vcs", vcsDetail);
+  progress.startStep("node");
+  const nodeProjects = await scanNodeProjects(rootDir, npmCache);
+  for (const p of nodeProjects) {
+    progress.addDependencies(p.dependencies.length);
+    progress.addFrameworks(p.frameworks.length);
+  }
+  progress.addProjects(nodeProjects.length);
+  progress.completeStep("node", `${nodeProjects.length} project${nodeProjects.length !== 1 ? "s" : ""}`, nodeProjects.length);
+  progress.startStep("dotnet");
+  const dotnetProjects = await scanDotnetProjects(rootDir);
+  for (const p of dotnetProjects) {
+    progress.addDependencies(p.dependencies.length);
+    progress.addFrameworks(p.frameworks.length);
+  }
+  progress.addProjects(dotnetProjects.length);
+  progress.completeStep("dotnet", `${dotnetProjects.length} project${dotnetProjects.length !== 1 ? "s" : ""}`, dotnetProjects.length);
+  const allProjects = [...nodeProjects, ...dotnetProjects];
+  const extended = {};
+  if (scanners !== false) {
+    if (scanners?.platformMatrix?.enabled !== false) {
+      progress.startStep("platform");
+      extended.platformMatrix = await scanPlatformMatrix(rootDir);
+      const nativeCount = extended.platformMatrix.nativeModules.length;
+      const dockerCount = extended.platformMatrix.dockerBaseImages.length;
+      const parts = [];
+      if (nativeCount > 0) parts.push(`${nativeCount} native`);
+      if (dockerCount > 0) parts.push(`${dockerCount} docker`);
+      progress.completeStep("platform", parts.join(", ") || "clean", nativeCount + dockerCount);
+    }
+    if (scanners?.toolingInventory?.enabled !== false) {
+      progress.startStep("tooling");
+      extended.toolingInventory = scanToolingInventory(allProjects);
+      const toolCount = Object.values(extended.toolingInventory).reduce((sum, arr) => sum + arr.length, 0);
+      progress.completeStep("tooling", `${toolCount} tool${toolCount !== 1 ? "s" : ""} mapped`, toolCount);
+    }
+    if (scanners?.serviceDependencies?.enabled !== false) {
+      progress.startStep("services");
+      extended.serviceDependencies = scanServiceDependencies(allProjects);
+      const svcCount = Object.values(extended.serviceDependencies).reduce((sum, arr) => sum + arr.length, 0);
+      progress.completeStep("services", `${svcCount} service${svcCount !== 1 ? "s" : ""} detected`, svcCount);
+    }
+    if (scanners?.breakingChangeExposure?.enabled !== false) {
+      progress.startStep("breaking");
+      extended.breakingChangeExposure = scanBreakingChangeExposure(allProjects);
+      const bc = extended.breakingChangeExposure;
+      const bcTotal = bc.deprecatedPackages.length + bc.legacyPolyfills.length;
+      progress.completeStep(
+        "breaking",
+        bcTotal > 0 ? `${bc.deprecatedPackages.length} deprecated, ${bc.legacyPolyfills.length} polyfills` : "none found",
+        bcTotal
+      );
+    }
+    if (scanners?.securityPosture?.enabled !== false) {
+      progress.startStep("security");
+      extended.securityPosture = await scanSecurityPosture(rootDir);
+      const sec = extended.securityPosture;
+      const secDetail = sec.lockfilePresent ? `lockfile \u2714${sec.gitignoreCoversEnv ? " \xB7 .env \u2714" : " \xB7 .env \u2716"}` : "no lockfile";
+      progress.completeStep("security", secDetail);
+    }
+    if (scanners?.buildDeploy?.enabled !== false) {
+      progress.startStep("build");
+      extended.buildDeploy = await scanBuildDeploy(rootDir);
+      const bd = extended.buildDeploy;
+      const bdParts = [];
+      if (bd.ci.length > 0) bdParts.push(bd.ci.join(", "));
+      if (bd.docker.dockerfileCount > 0) bdParts.push(`${bd.docker.dockerfileCount} Dockerfile${bd.docker.dockerfileCount !== 1 ? "s" : ""}`);
+      progress.completeStep("build", bdParts.join(" \xB7 ") || "none detected");
+    }
+    if (scanners?.tsModernity?.enabled !== false) {
+      progress.startStep("ts");
+      extended.tsModernity = await scanTsModernity(rootDir);
+      const ts = extended.tsModernity;
+      const tsParts = [];
+      if (ts.typescriptVersion) tsParts.push(`v${ts.typescriptVersion}`);
+      if (ts.strict === true) tsParts.push("strict");
+      if (ts.moduleType) tsParts.push(ts.moduleType.toUpperCase());
+      progress.completeStep("ts", tsParts.join(" \xB7 ") || "no tsconfig");
+    }
+    if (scanners?.fileHotspots?.enabled !== false) {
+      progress.startStep("hotspots");
+      extended.fileHotspots = await scanFileHotspots(rootDir);
+      progress.completeStep("hotspots", `${extended.fileHotspots.totalFiles} files`, extended.fileHotspots.totalFiles);
+    }
+    if (scanners?.dependencyGraph?.enabled !== false) {
+      progress.startStep("depgraph");
+      extended.dependencyGraph = await scanDependencyGraph(rootDir);
+      const dg = extended.dependencyGraph;
+      const dgDetail = dg.lockfileType ? `${dg.lockfileType} \xB7 ${dg.totalUnique} unique` : "no lockfile";
+      progress.completeStep("depgraph", dgDetail, dg.totalUnique);
+    }
+    if (scanners?.dependencyRisk?.enabled !== false) {
+      progress.startStep("deprisk");
+      extended.dependencyRisk = scanDependencyRisk(allProjects);
+      const dr = extended.dependencyRisk;
+      const drParts = [];
+      if (dr.deprecatedPackages.length > 0) drParts.push(`${dr.deprecatedPackages.length} deprecated`);
+      if (dr.nativeModulePackages.length > 0) drParts.push(`${dr.nativeModulePackages.length} native`);
+      progress.completeStep("deprisk", drParts.join(", ") || "low risk");
+    }
+  }
+  progress.startStep("drift");
+  const drift = computeDriftScore(allProjects);
+  progress.completeStep("drift", `${drift.score}/100 \u2014 ${drift.riskLevel} risk`);
+  progress.startStep("findings");
+  const findings = generateFindings(allProjects, config);
+  const warnCount = findings.filter((f) => f.level === "warning").length;
+  const errCount = findings.filter((f) => f.level === "error").length;
+  const noteCount = findings.filter((f) => f.level === "note").length;
+  progress.addFindings(warnCount, errCount, noteCount);
+  const findingParts = [];
+  if (errCount > 0) findingParts.push(`${errCount} error${errCount !== 1 ? "s" : ""}`);
+  if (warnCount > 0) findingParts.push(`${warnCount} warning${warnCount !== 1 ? "s" : ""}`);
+  if (noteCount > 0) findingParts.push(`${noteCount} note${noteCount !== 1 ? "s" : ""}`);
+  progress.completeStep("findings", findingParts.join(", ") || "none");
+  progress.finish();
+  if (allProjects.length === 0) {
+    console.log(chalk3.yellow("No projects found."));
+  }
+  const artifact = {
+    schemaVersion: "1.0",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    vibgrateVersion: VERSION,
+    rootPath: path12.basename(rootDir),
+    ...vcs.type !== "unknown" ? { vcs } : {},
+    projects: allProjects,
+    drift,
+    findings,
+    ...Object.keys(extended).length > 0 ? { extended } : {}
+  };
+  if (opts.baseline) {
+    const baselinePath = path12.resolve(opts.baseline);
+    if (await pathExists(baselinePath)) {
+      try {
+        const baseline = await readJsonFile(baselinePath);
+        artifact.baseline = baselinePath;
+        artifact.delta = artifact.drift.score - baseline.drift.score;
+      } catch {
+        console.error(chalk3.yellow(`Warning: Could not read baseline file: ${baselinePath}`));
+      }
+    }
+  }
+  const vibgrateDir = path12.join(rootDir, ".vibgrate");
+  await ensureDir(vibgrateDir);
+  await writeJsonFile(path12.join(vibgrateDir, "scan_result.json"), artifact);
+  if (opts.format === "json") {
+    const jsonStr = JSON.stringify(artifact, null, 2);
+    if (opts.out) {
+      await writeTextFile(path12.resolve(opts.out), jsonStr);
+      console.log(chalk3.green("\u2714") + ` JSON written to ${opts.out}`);
+    } else {
+      console.log(jsonStr);
+    }
+  } else if (opts.format === "sarif") {
+    const sarif = formatSarif(artifact);
+    const sarifStr = JSON.stringify(sarif, null, 2);
+    if (opts.out) {
+      await writeTextFile(path12.resolve(opts.out), sarifStr);
+      console.log(chalk3.green("\u2714") + ` SARIF written to ${opts.out}`);
+    } else {
+      console.log(sarifStr);
+    }
+  } else {
+    const text = formatText(artifact);
+    console.log(text);
+    if (opts.out) {
+      await writeTextFile(path12.resolve(opts.out), text);
+    }
+  }
+  return artifact;
+}
+var scanCommand = new Command("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").action(async (targetPath, opts) => {
+  const rootDir = path12.resolve(targetPath);
+  if (!await pathExists(rootDir)) {
+    console.error(chalk3.red(`Path does not exist: ${rootDir}`));
+    process.exit(1);
+  }
+  const scanOpts = {
+    out: opts.out,
+    format: opts.format || "text",
+    failOn: opts.failOn,
+    baseline: opts.baseline,
+    changedOnly: opts.changedOnly,
+    concurrency: parseInt(opts.concurrency, 10) || 8
+  };
+  const artifact = await runScan(rootDir, scanOpts);
+  if (opts.failOn) {
+    const hasErrors = artifact.findings.some((f) => f.level === "error");
+    const hasWarnings = artifact.findings.some((f) => f.level === "warning");
+    if (opts.failOn === "error" && hasErrors) {
+      console.error(chalk3.red(`
+Failing: ${artifact.findings.filter((f) => f.level === "error").length} error finding(s) detected.`));
+      process.exit(2);
+    }
+    if (opts.failOn === "warn" && (hasErrors || hasWarnings)) {
+      console.error(chalk3.red(`
+Failing: findings detected at warn level or above.`));
+      process.exit(2);
+    }
+  }
+});
+
+export {
+  readJsonFile,
+  readTextFile,
+  pathExists,
+  ensureDir,
+  writeJsonFile,
+  writeTextFile,
+  writeDefaultConfig,
+  computeDriftScore,
+  generateFindings,
+  formatText,
+  formatSarif,
+  VERSION,
+  runScan,
+  scanCommand
+};