@vibgrate/cli 0.1.1 → 0.1.3

package/dist/chunk-DLRBJYO6.js

@@ -1,1077 +0,0 @@
-// src/utils/fs.ts
-import * as fs from "fs/promises";
-import * as path from "path";
-var SKIP_DIRS = /* @__PURE__ */ new Set([
-  "node_modules",
-  ".git",
-  ".next",
-  "dist",
-  "build",
-  "out",
-  ".turbo",
-  ".cache",
-  "coverage",
-  "bin",
-  "obj",
-  ".vs",
-  "packages",
-  "TestResults"
-]);
-async function findFiles(rootDir, predicate) {
-  const results = [];
-  async function walk(dir) {
-    let entries;
-    try {
-      const dirents = await fs.readdir(dir, { withFileTypes: true });
-      entries = dirents.map((d) => ({
-        name: d.name,
-        isDirectory: d.isDirectory(),
-        isFile: d.isFile()
-      }));
-    } catch {
-      return;
-    }
-    for (const e of entries) {
-      if (e.isDirectory) {
-        if (SKIP_DIRS.has(e.name)) continue;
-        await walk(path.join(dir, e.name));
-      } else if (e.isFile && predicate(e.name)) {
-        results.push(path.join(dir, e.name));
-      }
-    }
-  }
-  await walk(rootDir);
-  return results;
-}
-async function findPackageJsonFiles(rootDir) {
-  return findFiles(rootDir, (name) => name === "package.json");
-}
-async function findSolutionFiles(rootDir) {
-  return findFiles(rootDir, (name) => name.endsWith(".sln"));
-}
-async function findCsprojFiles(rootDir) {
-  return findFiles(rootDir, (name) => name.endsWith(".csproj"));
-}
-async function readJsonFile(filePath) {
-  const txt = await fs.readFile(filePath, "utf8");
-  return JSON.parse(txt);
-}
-async function readTextFile(filePath) {
-  return fs.readFile(filePath, "utf8");
-}
-async function pathExists(p) {
-  try {
-    await fs.access(p);
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function ensureDir(dir) {
-  await fs.mkdir(dir, { recursive: true });
-}
-async function writeJsonFile(filePath, data) {
-  await ensureDir(path.dirname(filePath));
-  await fs.writeFile(filePath, JSON.stringify(data, null, 2) + "\n", "utf8");
-}
-async function writeTextFile(filePath, content) {
-  await ensureDir(path.dirname(filePath));
-  await fs.writeFile(filePath, content, "utf8");
-}
-
-// src/scoring/drift-score.ts
-var DEFAULT_THRESHOLDS = {
-  failOnError: {
-    eolDays: 180,
-    frameworkMajorLag: 3,
-    dependencyTwoPlusPercent: 50
-  },
-  warn: {
-    frameworkMajorLag: 2,
-    dependencyTwoPlusPercent: 30
-  }
-};
-function clamp(val, min, max) {
-  return Math.min(max, Math.max(min, val));
-}
-function runtimeScore(projects) {
-  if (projects.length === 0) return 100;
-  const lags = projects.map((p) => p.runtimeMajorsBehind).filter((v) => v !== void 0);
-  if (lags.length === 0) return 100;
-  const maxLag = Math.max(...lags);
-  if (maxLag === 0) return 100;
-  if (maxLag === 1) return 80;
-  if (maxLag === 2) return 50;
-  if (maxLag === 3) return 20;
-  return 0;
-}
-function frameworkScore(projects) {
-  const allFrameworks = projects.flatMap((p) => p.frameworks);
-  if (allFrameworks.length === 0) return 100;
-  const lags = allFrameworks.map((f) => f.majorsBehind).filter((v) => v !== null);
-  if (lags.length === 0) return 100;
-  const maxLag = Math.max(...lags);
-  const avgLag = lags.reduce((a, b) => a + b, 0) / lags.length;
-  const maxPenalty = Math.min(maxLag * 20, 100);
-  const avgPenalty = Math.min(avgLag * 15, 100);
-  return clamp(100 - (maxPenalty * 0.6 + avgPenalty * 0.4), 0, 100);
-}
-function dependencyScore(projects) {
-  let totalCurrent = 0;
-  let totalOne = 0;
-  let totalTwo = 0;
-  let totalUnknown = 0;
-  for (const p of projects) {
-    totalCurrent += p.dependencyAgeBuckets.current;
-    totalOne += p.dependencyAgeBuckets.oneBehind;
-    totalTwo += p.dependencyAgeBuckets.twoPlusBehind;
-    totalUnknown += p.dependencyAgeBuckets.unknown;
-  }
-  const total = totalCurrent + totalOne + totalTwo;
-  if (total === 0) return 100;
-  const currentPct = totalCurrent / total;
-  const onePct = totalOne / total;
-  const twoPct = totalTwo / total;
-  return clamp(Math.round(currentPct * 100 - onePct * 10 - twoPct * 40), 0, 100);
-}
-function eolScore(projects) {
-  let score = 100;
-  for (const p of projects) {
-    if (p.type === "node" && p.runtimeMajorsBehind !== void 0) {
-      if (p.runtimeMajorsBehind >= 3) score = Math.min(score, 0);
-      else if (p.runtimeMajorsBehind >= 2) score = Math.min(score, 30);
-      else if (p.runtimeMajorsBehind >= 1) score = Math.min(score, 70);
-    }
-    if (p.type === "dotnet" && p.runtimeMajorsBehind !== void 0) {
-      if (p.runtimeMajorsBehind >= 3) score = Math.min(score, 0);
-      else if (p.runtimeMajorsBehind >= 2) score = Math.min(score, 20);
-      else if (p.runtimeMajorsBehind >= 1) score = Math.min(score, 60);
-    }
-  }
-  return score;
-}
-function computeDriftScore(projects) {
-  const rs = runtimeScore(projects);
-  const fs4 = frameworkScore(projects);
-  const ds = dependencyScore(projects);
-  const es = eolScore(projects);
-  const score = Math.round(rs * 0.25 + fs4 * 0.25 + ds * 0.3 + es * 0.2);
-  let riskLevel;
-  if (score >= 70) riskLevel = "low";
-  else if (score >= 40) riskLevel = "moderate";
-  else riskLevel = "high";
-  return {
-    score,
-    riskLevel,
-    components: {
-      runtimeScore: rs,
-      frameworkScore: fs4,
-      dependencyScore: ds,
-      eolScore: es
-    }
-  };
-}
-function generateFindings(projects, config) {
-  const thresholds = {
-    failOnError: { ...DEFAULT_THRESHOLDS.failOnError, ...config?.thresholds?.failOnError },
-    warn: { ...DEFAULT_THRESHOLDS.warn, ...config?.thresholds?.warn }
-  };
-  const findings = [];
-  for (const project of projects) {
-    if (project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind >= 3) {
-      findings.push({
-        ruleId: "vibgrate/runtime-eol",
-        level: "error",
-        message: `${project.type === "node" ? "Node.js" : ".NET"} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}). Likely at or past EOL.`,
-        location: project.path
-      });
-    } else if (project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind >= 2) {
-      findings.push({
-        ruleId: "vibgrate/runtime-lag",
-        level: "warning",
-        message: `${project.type === "node" ? "Node.js" : ".NET"} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}).`,
-        location: project.path
-      });
-    }
-    for (const fw of project.frameworks) {
-      if (fw.majorsBehind !== null && thresholds.failOnError.frameworkMajorLag !== void 0 && fw.majorsBehind >= thresholds.failOnError.frameworkMajorLag) {
-        findings.push({
-          ruleId: "vibgrate/framework-major-lag",
-          level: "error",
-          message: `${fw.name} is ${fw.majorsBehind} major versions behind (current: ${fw.currentVersion}, latest: ${fw.latestVersion}).`,
-          location: project.path
-        });
-      } else if (fw.majorsBehind !== null && thresholds.warn.frameworkMajorLag !== void 0 && fw.majorsBehind >= thresholds.warn.frameworkMajorLag) {
-        findings.push({
-          ruleId: "vibgrate/framework-major-lag",
-          level: "warning",
-          message: `${fw.name} is ${fw.majorsBehind} major versions behind (current: ${fw.currentVersion}, latest: ${fw.latestVersion}).`,
-          location: project.path
-        });
-      }
-    }
-    const totalDeps = project.dependencyAgeBuckets.current + project.dependencyAgeBuckets.oneBehind + project.dependencyAgeBuckets.twoPlusBehind;
-    if (totalDeps > 0) {
-      const twoPlusPct = project.dependencyAgeBuckets.twoPlusBehind / totalDeps * 100;
-      if (thresholds.failOnError.dependencyTwoPlusPercent !== void 0 && twoPlusPct >= thresholds.failOnError.dependencyTwoPlusPercent) {
-        findings.push({
-          ruleId: "vibgrate/dependency-rot",
-          level: "error",
-          message: `${Math.round(twoPlusPct)}% of dependencies are 2+ major versions behind in ${project.name}.`,
-          location: project.path
-        });
-      } else if (thresholds.warn.dependencyTwoPlusPercent !== void 0 && twoPlusPct >= thresholds.warn.dependencyTwoPlusPercent) {
-        findings.push({
-          ruleId: "vibgrate/dependency-rot",
-          level: "warning",
-          message: `${Math.round(twoPlusPct)}% of dependencies are 2+ major versions behind in ${project.name}.`,
-          location: project.path
-        });
-      }
-    }
-    for (const dep of project.dependencies) {
-      if (dep.majorsBehind !== null && dep.majorsBehind >= 3) {
-        findings.push({
-          ruleId: "vibgrate/dependency-major-lag",
-          level: "error",
-          message: `${dep.package} is ${dep.majorsBehind} major versions behind (spec: ${dep.currentSpec}, latest: ${dep.latestStable}).`,
-          location: project.path
-        });
-      }
-    }
-  }
-  return findings;
-}
-
-// src/formatters/text.ts
-import chalk from "chalk";
-function formatText(artifact) {
-  const lines = [];
-  lines.push("");
-  lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
-  lines.push(chalk.bold.cyan("\u2551        Vibgrate Drift Report             \u2551"));
-  lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
-  lines.push("");
-  const scoreColor = artifact.drift.score >= 70 ? chalk.green : artifact.drift.score >= 40 ? chalk.yellow : chalk.red;
-  lines.push(chalk.bold("  Drift Score:  ") + scoreColor.bold(`${artifact.drift.score}/100`));
-  lines.push(chalk.bold("  Risk Level:   ") + riskBadge(artifact.drift.riskLevel));
-  lines.push(chalk.bold("  Projects:     ") + `${artifact.projects.length}`);
-  if (artifact.vcs) {
-    const vcsParts = [artifact.vcs.type];
-    if (artifact.vcs.branch) vcsParts.push(artifact.vcs.branch);
-    if (artifact.vcs.shortSha) vcsParts.push(chalk.dim(artifact.vcs.shortSha));
-    lines.push(chalk.bold("  VCS:          ") + vcsParts.join(" "));
-  }
-  lines.push("");
-  lines.push(chalk.bold.underline("  Score Breakdown"));
-  lines.push(`    Runtime:      ${scoreBar(artifact.drift.components.runtimeScore)}`);
-  lines.push(`    Frameworks:   ${scoreBar(artifact.drift.components.frameworkScore)}`);
-  lines.push(`    Dependencies: ${scoreBar(artifact.drift.components.dependencyScore)}`);
-  lines.push(`    EOL Risk:     ${scoreBar(artifact.drift.components.eolScore)}`);
-  lines.push("");
-  for (const project of artifact.projects) {
-    lines.push(chalk.bold(`  \u2500\u2500 ${project.name} `) + chalk.dim(`(${project.type}) ${project.path}`));
-    if (project.runtime) {
-      const behindStr = project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind > 0 ? chalk.yellow(` (${project.runtimeMajorsBehind} major${project.runtimeMajorsBehind > 1 ? "s" : ""} behind)`) : chalk.green(" (current)");
-      lines.push(`     Runtime: ${project.runtime}${behindStr}`);
-    }
-    if (project.targetFramework) {
-      lines.push(`     Target:  ${project.targetFramework}`);
-    }
-    if (project.frameworks.length > 0) {
-      lines.push("     Frameworks:");
-      for (const fw of project.frameworks) {
-        const lag = fw.majorsBehind !== null ? fw.majorsBehind === 0 ? chalk.green("current") : chalk.yellow(`${fw.majorsBehind} behind`) : chalk.dim("unknown");
-        lines.push(`       ${fw.name}: ${fw.currentVersion ?? "?"} \u2192 ${fw.latestVersion ?? "?"} (${lag})`);
-      }
-    }
-    const b = project.dependencyAgeBuckets;
-    const total = b.current + b.oneBehind + b.twoPlusBehind + b.unknown;
-    if (total > 0) {
-      lines.push("     Dependencies:");
-      lines.push(`       ${chalk.green(`${b.current} current`)}  ${chalk.yellow(`${b.oneBehind} 1-behind`)}  ${chalk.red(`${b.twoPlusBehind} 2+ behind`)}  ${chalk.dim(`${b.unknown} unknown`)}`);
-    }
-    lines.push("");
-  }
-  if (artifact.findings.length > 0) {
-    lines.push(chalk.bold.underline("  Findings"));
-    for (const f of artifact.findings) {
-      const icon = f.level === "error" ? chalk.red("\u2716") : f.level === "warning" ? chalk.yellow("\u26A0") : chalk.blue("\u2139");
-      lines.push(`    ${icon} ${f.message}`);
-      lines.push(chalk.dim(`      ${f.ruleId} in ${f.location}`));
-    }
-    lines.push("");
-  }
-  if (artifact.delta !== void 0) {
-    const deltaStr = artifact.delta > 0 ? chalk.green(`+${artifact.delta}`) : artifact.delta < 0 ? chalk.red(`${artifact.delta}`) : chalk.dim("0");
-    lines.push(chalk.bold("  Drift Delta: ") + deltaStr + " (vs baseline)");
-    lines.push("");
-  }
-  lines.push(chalk.dim(`  Scanned at ${artifact.timestamp}`));
-  lines.push("");
-  return lines.join("\n");
-}
-function riskBadge(level) {
-  switch (level) {
-    case "low":
-      return chalk.bgGreen.black(" LOW ");
-    case "moderate":
-      return chalk.bgYellow.black(" MODERATE ");
-    case "high":
-      return chalk.bgRed.white(" HIGH ");
-    default:
-      return level;
-  }
-}
-function scoreBar(score) {
-  const width = 20;
-  const filled = Math.round(score / 100 * width);
-  const empty = width - filled;
-  const color = score >= 70 ? chalk.green : score >= 40 ? chalk.yellow : chalk.red;
-  return color("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty)) + ` ${score}`;
-}
-
-// src/formatters/sarif.ts
-function formatSarif(artifact) {
-  const rules = buildRules(artifact.findings);
-  const results = artifact.findings.map((f) => toSarifResult(f));
-  return {
-    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
-    version: "2.1.0",
-    runs: [
-      {
-        tool: {
-          driver: {
-            name: "vibgrate",
-            version: artifact.vibgrateVersion,
-            informationUri: "https://vibgrate.com",
-            rules
-          }
-        },
-        results,
-        invocations: [
-          {
-            executionSuccessful: true,
-            startTimeUtc: artifact.timestamp
-          }
-        ]
-      }
-    ]
-  };
-}
-function buildRules(findings) {
-  const ruleIds = [...new Set(findings.map((f) => f.ruleId))];
-  return ruleIds.map((id) => {
-    const descriptions = {
-      "vibgrate/runtime-eol": {
-        id: "vibgrate/runtime-eol",
-        shortDescription: { text: "Runtime at or past end-of-life" },
-        helpUri: "https://vibgrate.com/rules/runtime-eol"
-      },
-      "vibgrate/runtime-lag": {
-        id: "vibgrate/runtime-lag",
-        shortDescription: { text: "Runtime major version lag" },
-        helpUri: "https://vibgrate.com/rules/runtime-lag"
-      },
-      "vibgrate/framework-major-lag": {
-        id: "vibgrate/framework-major-lag",
-        shortDescription: { text: "Framework major version behind latest" },
-        helpUri: "https://vibgrate.com/rules/framework-major-lag"
-      },
-      "vibgrate/dependency-rot": {
-        id: "vibgrate/dependency-rot",
-        shortDescription: { text: "High percentage of outdated dependencies" },
-        helpUri: "https://vibgrate.com/rules/dependency-rot"
-      },
-      "vibgrate/dependency-major-lag": {
-        id: "vibgrate/dependency-major-lag",
-        shortDescription: { text: "Individual dependency severely behind" },
-        helpUri: "https://vibgrate.com/rules/dependency-major-lag"
-      }
-    };
-    return descriptions[id] ?? {
-      id,
-      shortDescription: { text: id },
-      helpUri: "https://vibgrate.com"
-    };
-  });
-}
-function toSarifResult(finding) {
-  return {
-    ruleId: finding.ruleId,
-    level: finding.level === "error" ? "error" : finding.level === "warning" ? "warning" : "note",
-    message: { text: finding.message },
-    locations: [
-      {
-        physicalLocation: {
-          artifactLocation: {
-            uri: finding.location
-          }
-        }
-      }
-    ]
-  };
-}
-
-// src/version.ts
-import { createRequire } from "module";
-var require2 = createRequire(import.meta.url);
-var pkg = require2("../package.json");
-var VERSION = pkg.version;
-
-// src/commands/scan.ts
-import * as path6 from "path";
-import { Command } from "commander";
-import chalk2 from "chalk";
-
-// src/scanners/node-scanner.ts
-import * as path2 from "path";
-import * as semver2 from "semver";
-
-// src/scanners/npm-cache.ts
-import { spawn } from "child_process";
-import * as semver from "semver";
-function stableOnly(versions) {
-  return versions.filter((v) => semver.valid(v) && semver.prerelease(v) === null);
-}
-function maxStable(versions) {
-  const stable = stableOnly(versions);
-  if (stable.length === 0) return null;
-  return stable.sort(semver.rcompare)[0] ?? null;
-}
-async function npmViewJson(args, cwd) {
-  return new Promise((resolve4, reject) => {
-    const child = spawn("npm", ["view", ...args, "--json"], {
-      cwd,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    let out = "";
-    let err = "";
-    child.stdout.on("data", (d) => out += String(d));
-    child.stderr.on("data", (d) => err += String(d));
-    child.on("error", reject);
-    child.on("close", (code) => {
-      if (code !== 0) {
-        reject(new Error(`npm view ${args.join(" ")} failed (code=${code}): ${err.trim()}`));
-        return;
-      }
-      const trimmed = out.trim();
-      if (!trimmed) {
-        resolve4(null);
-        return;
-      }
-      try {
-        resolve4(JSON.parse(trimmed));
-      } catch {
-        resolve4(trimmed.replace(/^"|"$/g, ""));
-      }
-    });
-  });
-}
-var NpmCache = class {
-  constructor(cwd, sem) {
-    this.cwd = cwd;
-    this.sem = sem;
-  }
-  meta = /* @__PURE__ */ new Map();
-  get(pkg2) {
-    const existing = this.meta.get(pkg2);
-    if (existing) return existing;
-    const p = this.sem.run(async () => {
-      let latest = null;
-      try {
-        const dist = await npmViewJson([pkg2, "dist-tags"], this.cwd);
-        if (dist && typeof dist === "object" && typeof dist.latest === "string") {
-          latest = dist.latest;
-        }
-      } catch {
-      }
-      let versions = [];
-      try {
-        const v = await npmViewJson([pkg2, "versions"], this.cwd);
-        if (Array.isArray(v)) versions = v.map(String);
-        else if (typeof v === "string") versions = [v];
-      } catch {
-      }
-      const stable = stableOnly(versions);
-      const latestStableOverall = maxStable(stable);
-      if (!latest && latestStableOverall) latest = latestStableOverall;
-      return { latest, stableVersions: stable, latestStableOverall };
-    });
-    this.meta.set(pkg2, p);
-    return p;
-  }
-};
-function isSemverSpec(spec) {
-  const s = spec.trim();
-  if (!s) return false;
-  if (s.startsWith("workspace:")) return false;
-  if (s.startsWith("file:")) return false;
-  if (s.startsWith("link:")) return false;
-  if (s.startsWith("git+")) return false;
-  if (s.includes("://")) return false;
-  if (s.startsWith("github:")) return false;
-  if (s === "*" || s.toLowerCase() === "latest") return true;
-  return semver.validRange(s) !== null;
-}
-
-// src/scanners/node-scanner.ts
-var KNOWN_FRAMEWORKS = {
-  "next": "Next.js",
-  "@nestjs/core": "NestJS",
-  "react": "React",
-  "vue": "Vue",
-  "express": "Express",
-  "@angular/core": "Angular",
-  "svelte": "Svelte",
-  "nuxt": "Nuxt",
-  "fastify": "Fastify",
-  "hono": "Hono",
-  "typescript": "TypeScript"
-};
-async function scanNodeProjects(rootDir, npmCache) {
-  const packageJsonFiles = await findPackageJsonFiles(rootDir);
-  const results = [];
-  for (const pjPath of packageJsonFiles) {
-    try {
-      const scan = await scanOnePackageJson(pjPath, rootDir, npmCache);
-      results.push(scan);
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      console.error(`Error scanning ${pjPath}: ${msg}`);
-    }
-  }
-  return results;
-}
-async function scanOnePackageJson(packageJsonPath, rootDir, npmCache) {
-  const pj = await readJsonFile(packageJsonPath);
-  const absProjectPath = path2.dirname(packageJsonPath);
-  const projectPath = path2.relative(rootDir, absProjectPath) || ".";
-  const nodeEngine = pj.engines?.node ?? void 0;
-  let runtimeLatest;
-  let runtimeMajorsBehind;
-  if (nodeEngine) {
-    const latestLtsMajor = 22;
-    const parsed = semver2.minVersion(nodeEngine);
-    if (parsed) {
-      const currentMajor = semver2.major(parsed);
-      runtimeLatest = `${latestLtsMajor}.0.0`;
-      runtimeMajorsBehind = Math.max(0, latestLtsMajor - currentMajor);
-    }
-  }
-  const sections = [
-    { name: "dependencies", deps: pj.dependencies },
-    { name: "devDependencies", deps: pj.devDependencies },
-    { name: "peerDependencies", deps: pj.peerDependencies },
-    { name: "optionalDependencies", deps: pj.optionalDependencies }
-  ];
-  const dependencies = [];
-  const frameworks = [];
-  const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: 0 };
-  const depEntries = [];
-  for (const s of sections) {
-    if (!s.deps) continue;
-    for (const [pkg2, spec] of Object.entries(s.deps)) {
-      if (!isSemverSpec(spec)) continue;
-      depEntries.push({ pkg: pkg2, section: s.name, spec });
-    }
-  }
-  const metaPromises = depEntries.map(async (entry) => {
-    const meta = await npmCache.get(entry.pkg);
-    return { ...entry, meta };
-  });
-  const resolved = await Promise.all(metaPromises);
-  for (const { pkg: pkg2, section, spec, meta } of resolved) {
-    const resolvedVersion = meta.stableVersions.length > 0 ? semver2.maxSatisfying(meta.stableVersions, spec) ?? null : null;
-    const latestStable = meta.latestStableOverall;
-    let majorsBehind = null;
-    let drift = "unknown";
-    if (resolvedVersion && latestStable) {
-      const currentMajor = semver2.major(resolvedVersion);
-      const latestMajor = semver2.major(latestStable);
-      majorsBehind = latestMajor - currentMajor;
-      if (majorsBehind === 0) {
-        drift = semver2.eq(resolvedVersion, latestStable) ? "current" : "minor-behind";
-      } else {
-        drift = "major-behind";
-      }
-      if (majorsBehind === 0) buckets.current++;
-      else if (majorsBehind === 1) buckets.oneBehind++;
-      else buckets.twoPlusBehind++;
-    } else {
-      buckets.unknown++;
-    }
-    dependencies.push({
-      package: pkg2,
-      section,
-      currentSpec: spec,
-      resolvedVersion,
-      latestStable,
-      majorsBehind,
-      drift
-    });
-    if (pkg2 in KNOWN_FRAMEWORKS) {
-      frameworks.push({
-        name: KNOWN_FRAMEWORKS[pkg2],
-        currentVersion: resolvedVersion,
-        latestVersion: latestStable,
-        majorsBehind
-      });
-    }
-  }
-  dependencies.sort((a, b) => {
-    const order = { "major-behind": 0, "minor-behind": 1, "current": 2, "unknown": 3 };
-    const diff = (order[a.drift] ?? 9) - (order[b.drift] ?? 9);
-    if (diff !== 0) return diff;
-    return a.package.localeCompare(b.package);
-  });
-  return {
-    type: "node",
-    path: projectPath,
-    name: pj.name ?? path2.basename(absProjectPath),
-    runtime: nodeEngine,
-    runtimeLatest,
-    runtimeMajorsBehind,
-    frameworks,
-    dependencies,
-    dependencyAgeBuckets: buckets
-  };
-}
-
-// src/scanners/dotnet-scanner.ts
-import * as path3 from "path";
-import { XMLParser } from "fast-xml-parser";
-var parser = new XMLParser({
-  ignoreAttributes: false,
-  attributeNamePrefix: "@_"
-});
-var KNOWN_DOTNET_FRAMEWORKS = {
-  "Microsoft.AspNetCore.App": "ASP.NET Core",
-  "Microsoft.EntityFrameworkCore": "EF Core",
-  "Microsoft.Extensions.Hosting": ".NET Hosting",
-  "Swashbuckle.AspNetCore": "Swashbuckle",
-  "MediatR": "MediatR",
-  "AutoMapper": "AutoMapper",
-  "FluentValidation": "FluentValidation",
-  "Serilog": "Serilog",
-  "xunit": "xUnit",
-  "NUnit": "NUnit",
-  "Moq": "Moq"
-};
-var LATEST_DOTNET_MAJOR = 9;
-function parseTfmMajor(tfm) {
-  const match = tfm.match(/^net(\d+)\.\d+$/);
-  if (match?.[1]) return parseInt(match[1], 10);
-  const coreMatch = tfm.match(/^netcoreapp(\d+)\.\d+$/);
-  if (coreMatch?.[1]) return parseInt(coreMatch[1], 10);
-  if (tfm.startsWith("netstandard")) return null;
-  const fxMatch = tfm.match(/^net(\d)(\d+)?$/);
-  if (fxMatch) return null;
-  return null;
-}
-function parseCsproj(xml, filePath) {
-  const parsed = parser.parse(xml);
-  const project = parsed?.Project;
-  if (!project) {
-    return { targetFrameworks: [], packageReferences: [], projectName: path3.basename(filePath, ".csproj") };
-  }
-  const propertyGroups = Array.isArray(project.PropertyGroup) ? project.PropertyGroup : project.PropertyGroup ? [project.PropertyGroup] : [];
-  const targetFrameworks = [];
-  for (const pg of propertyGroups) {
-    if (pg.TargetFramework) {
-      targetFrameworks.push(String(pg.TargetFramework));
-    }
-    if (pg.TargetFrameworks) {
-      const tfms = String(pg.TargetFrameworks).split(";").map((s) => s.trim()).filter(Boolean);
-      targetFrameworks.push(...tfms);
-    }
-  }
-  const itemGroups = Array.isArray(project.ItemGroup) ? project.ItemGroup : project.ItemGroup ? [project.ItemGroup] : [];
-  const packageReferences = [];
-  for (const ig of itemGroups) {
-    const refs = Array.isArray(ig.PackageReference) ? ig.PackageReference : ig.PackageReference ? [ig.PackageReference] : [];
-    for (const ref of refs) {
-      const name = ref["@_Include"] ?? ref["@_include"] ?? "";
-      const version = ref["@_Version"] ?? ref["@_version"] ?? ref.Version ?? "";
-      if (name && version) {
-        packageReferences.push({ name: String(name), version: String(version) });
-      }
-    }
-  }
-  return {
-    targetFrameworks: [...new Set(targetFrameworks)],
-    packageReferences,
-    projectName: path3.basename(filePath, ".csproj")
-  };
-}
-async function scanDotnetProjects(rootDir) {
-  const csprojFiles = await findCsprojFiles(rootDir);
-  const slnFiles = await findSolutionFiles(rootDir);
-  const slnCsprojPaths = /* @__PURE__ */ new Set();
-  for (const slnPath of slnFiles) {
-    try {
-      const slnContent = await readTextFile(slnPath);
-      const slnDir = path3.dirname(slnPath);
-      const projectRegex = /Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"/g;
-      let match;
-      while ((match = projectRegex.exec(slnContent)) !== null) {
-        if (match[1]) {
-          const csprojPath = path3.resolve(slnDir, match[1].replace(/\\/g, "/"));
-          slnCsprojPaths.add(csprojPath);
-        }
-      }
-    } catch {
-    }
-  }
-  const allCsprojFiles = /* @__PURE__ */ new Set([...csprojFiles, ...slnCsprojPaths]);
-  const results = [];
-  for (const csprojPath of allCsprojFiles) {
-    try {
-      const scan = await scanOneCsproj(csprojPath, rootDir);
-      results.push(scan);
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      console.error(`Error scanning ${csprojPath}: ${msg}`);
-    }
-  }
-  return results;
-}
-async function scanOneCsproj(csprojPath, rootDir) {
-  const xml = await readTextFile(csprojPath);
-  const data = parseCsproj(xml, csprojPath);
-  const primaryTfm = data.targetFrameworks[0];
-  let runtimeMajorsBehind;
-  let targetFramework = primaryTfm;
-  if (primaryTfm) {
-    const major2 = parseTfmMajor(primaryTfm);
-    if (major2 !== null) {
-      runtimeMajorsBehind = Math.max(0, LATEST_DOTNET_MAJOR - major2);
-    }
-  }
-  const dependencies = data.packageReferences.map((ref) => ({
-    package: ref.name,
-    section: "dependencies",
-    currentSpec: ref.version,
-    resolvedVersion: ref.version,
-    latestStable: null,
-    // NuGet lookup not implemented in v1
-    majorsBehind: null,
-    drift: "unknown"
-  }));
-  const frameworks = [];
-  for (const ref of data.packageReferences) {
-    if (ref.name in KNOWN_DOTNET_FRAMEWORKS) {
-      frameworks.push({
-        name: KNOWN_DOTNET_FRAMEWORKS[ref.name],
-        currentVersion: ref.version,
-        latestVersion: null,
-        majorsBehind: null
-      });
-    }
-  }
-  const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: dependencies.length };
-  return {
-    type: "dotnet",
-    path: path3.relative(rootDir, path3.dirname(csprojPath)) || ".",
-    name: data.projectName,
-    targetFramework,
-    runtime: primaryTfm,
-    runtimeLatest: `net${LATEST_DOTNET_MAJOR}.0`,
-    runtimeMajorsBehind,
-    frameworks,
-    dependencies,
-    dependencyAgeBuckets: buckets
-  };
-}
-
-// src/utils/semaphore.ts
-var Semaphore = class {
-  available;
-  queue = [];
-  constructor(max) {
-    this.available = max;
-  }
-  async run(fn) {
-    await this.acquire();
-    try {
-      return await fn();
-    } finally {
-      this.release();
-    }
-  }
-  acquire() {
-    if (this.available > 0) {
-      this.available--;
-      return Promise.resolve();
-    }
-    return new Promise((resolve4) => this.queue.push(resolve4));
-  }
-  release() {
-    const next = this.queue.shift();
-    if (next) next();
-    else this.available++;
-  }
-};
-
-// src/config.ts
-import * as path4 from "path";
-import * as fs2 from "fs/promises";
-var CONFIG_FILES = [
-  "vibgrate.config.ts",
-  "vibgrate.config.js",
-  "vibgrate.config.json"
-];
-var DEFAULT_CONFIG = {
-  exclude: [],
-  thresholds: {
-    failOnError: {
-      eolDays: 180,
-      frameworkMajorLag: 3,
-      dependencyTwoPlusPercent: 50
-    },
-    warn: {
-      frameworkMajorLag: 2,
-      dependencyTwoPlusPercent: 30
-    }
-  }
-};
-async function loadConfig(rootDir) {
-  for (const file of CONFIG_FILES) {
-    const configPath = path4.join(rootDir, file);
-    if (await pathExists(configPath)) {
-      if (file.endsWith(".json")) {
-        const txt = await readTextFile(configPath);
-        return { ...DEFAULT_CONFIG, ...JSON.parse(txt) };
-      }
-      try {
-        const mod = await import(configPath);
-        return { ...DEFAULT_CONFIG, ...mod.default ?? mod };
-      } catch {
-      }
-    }
-  }
-  return DEFAULT_CONFIG;
-}
-async function writeDefaultConfig(rootDir) {
-  const configPath = path4.join(rootDir, "vibgrate.config.ts");
-  const content = `import type { VibgrateConfig } from '@vibgrate/cli';
-
-const config: VibgrateConfig = {
-  // exclude: ['legacy/**'],
-  thresholds: {
-    failOnError: {
-      eolDays: 180,
-      frameworkMajorLag: 3,
-      dependencyTwoPlusPercent: 50,
-    },
-    warn: {
-      frameworkMajorLag: 2,
-      dependencyTwoPlusPercent: 30,
-    },
-  },
-};
-
-export default config;
-`;
-  await fs2.writeFile(configPath, content, "utf8");
-  return configPath;
-}
-
-// src/utils/vcs.ts
-import * as path5 from "path";
-import * as fs3 from "fs/promises";
-async function detectVcs(rootDir) {
-  try {
-    return await detectGit(rootDir);
-  } catch {
-    return { type: "unknown" };
-  }
-}
-async function detectGit(rootDir) {
-  const gitDir = await findGitDir(rootDir);
-  if (!gitDir) {
-    return { type: "unknown" };
-  }
-  const headPath = path5.join(gitDir, "HEAD");
-  let headContent;
-  try {
-    headContent = (await fs3.readFile(headPath, "utf8")).trim();
-  } catch {
-    return { type: "unknown" };
-  }
-  let sha;
-  let branch;
-  if (headContent.startsWith("ref: ")) {
-    const refPath = headContent.slice(5);
-    branch = refPath.startsWith("refs/heads/") ? refPath.slice(11) : refPath;
-    sha = await resolveRef(gitDir, refPath);
-  } else if (/^[0-9a-f]{40}$/i.test(headContent)) {
-    sha = headContent;
-  }
-  return {
-    type: "git",
-    sha: sha ?? void 0,
-    shortSha: sha ? sha.slice(0, 7) : void 0,
-    branch: branch ?? void 0
-  };
-}
-async function findGitDir(startDir) {
-  let dir = path5.resolve(startDir);
-  const root = path5.parse(dir).root;
-  while (dir !== root) {
-    const gitPath = path5.join(dir, ".git");
-    try {
-      const stat2 = await fs3.stat(gitPath);
-      if (stat2.isDirectory()) {
-        return gitPath;
-      }
-      if (stat2.isFile()) {
-        const content = (await fs3.readFile(gitPath, "utf8")).trim();
-        if (content.startsWith("gitdir: ")) {
-          const resolved = path5.resolve(dir, content.slice(8));
-          return resolved;
-        }
-      }
-    } catch {
-    }
-    dir = path5.dirname(dir);
-  }
-  return null;
-}
-async function resolveRef(gitDir, refPath) {
-  const loosePath = path5.join(gitDir, refPath);
-  try {
-    const sha = (await fs3.readFile(loosePath, "utf8")).trim();
-    if (/^[0-9a-f]{40}$/i.test(sha)) {
-      return sha;
-    }
-  } catch {
-  }
-  const packedPath = path5.join(gitDir, "packed-refs");
-  try {
-    const packed = await fs3.readFile(packedPath, "utf8");
-    for (const line of packed.split("\n")) {
-      if (line.startsWith("#") || line.startsWith("^")) continue;
-      const parts = line.trim().split(" ");
-      if (parts.length >= 2 && parts[1] === refPath) {
-        return parts[0];
-      }
-    }
-  } catch {
-  }
-  return void 0;
-}
-
-// src/commands/scan.ts
-async function runScan(rootDir, opts) {
-  const config = await loadConfig(rootDir);
-  const sem = new Semaphore(opts.concurrency);
-  const npmCache = new NpmCache(rootDir, sem);
-  console.log(chalk2.dim(`Scanning ${rootDir}...`));
-  const vcs = await detectVcs(rootDir);
-  const nodeProjects = await scanNodeProjects(rootDir, npmCache);
-  const dotnetProjects = await scanDotnetProjects(rootDir);
-  const allProjects = [...nodeProjects, ...dotnetProjects];
-  if (allProjects.length === 0) {
-    console.log(chalk2.yellow("No projects found."));
-  }
-  const drift = computeDriftScore(allProjects);
-  const findings = generateFindings(allProjects, config);
-  const artifact = {
-    schemaVersion: "1.0",
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    vibgrateVersion: VERSION,
-    rootPath: path6.basename(rootDir),
-    ...vcs.type !== "unknown" ? { vcs } : {},
-    projects: allProjects,
-    drift,
-    findings
-  };
-  if (opts.baseline) {
-    const baselinePath = path6.resolve(opts.baseline);
-    if (await pathExists(baselinePath)) {
-      try {
-        const baseline = await readJsonFile(baselinePath);
-        artifact.baseline = baselinePath;
-        artifact.delta = artifact.drift.score - baseline.drift.score;
-      } catch {
-        console.error(chalk2.yellow(`Warning: Could not read baseline file: ${baselinePath}`));
-      }
-    }
-  }
-  const vibgrateDir = path6.join(rootDir, ".vibgrate");
-  await ensureDir(vibgrateDir);
-  await writeJsonFile(path6.join(vibgrateDir, "scan_result.json"), artifact);
-  if (opts.format === "json") {
-    const jsonStr = JSON.stringify(artifact, null, 2);
-    if (opts.out) {
-      await writeTextFile(path6.resolve(opts.out), jsonStr);
-      console.log(chalk2.green("\u2714") + ` JSON written to ${opts.out}`);
-    } else {
-      console.log(jsonStr);
-    }
-  } else if (opts.format === "sarif") {
-    const sarif = formatSarif(artifact);
-    const sarifStr = JSON.stringify(sarif, null, 2);
-    if (opts.out) {
-      await writeTextFile(path6.resolve(opts.out), sarifStr);
-      console.log(chalk2.green("\u2714") + ` SARIF written to ${opts.out}`);
-    } else {
-      console.log(sarifStr);
-    }
-  } else {
-    const text = formatText(artifact);
-    console.log(text);
-    if (opts.out) {
-      await writeTextFile(path6.resolve(opts.out), text);
-    }
-  }
-  return artifact;
-}
-var scanCommand = new Command("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").action(async (targetPath, opts) => {
-  const rootDir = path6.resolve(targetPath);
-  if (!await pathExists(rootDir)) {
-    console.error(chalk2.red(`Path does not exist: ${rootDir}`));
-    process.exit(1);
-  }
-  const scanOpts = {
-    out: opts.out,
-    format: opts.format || "text",
-    failOn: opts.failOn,
-    baseline: opts.baseline,
-    changedOnly: opts.changedOnly,
-    concurrency: parseInt(opts.concurrency, 10) || 8
-  };
-  const artifact = await runScan(rootDir, scanOpts);
-  if (opts.failOn) {
-    const hasErrors = artifact.findings.some((f) => f.level === "error");
-    const hasWarnings = artifact.findings.some((f) => f.level === "warning");
-    if (opts.failOn === "error" && hasErrors) {
-      console.error(chalk2.red(`
-Failing: ${artifact.findings.filter((f) => f.level === "error").length} error finding(s) detected.`));
-      process.exit(2);
-    }
-    if (opts.failOn === "warn" && (hasErrors || hasWarnings)) {
-      console.error(chalk2.red(`
-Failing: findings detected at warn level or above.`));
-      process.exit(2);
-    }
-  }
-});
-
-export {
-  readJsonFile,
-  readTextFile,
-  pathExists,
-  ensureDir,
-  writeJsonFile,
-  writeTextFile,
-  writeDefaultConfig,
-  computeDriftScore,
-  generateFindings,
-  formatText,
-  formatSarif,
-  VERSION,
-  runScan,
-  scanCommand
-};