@vibgrate/cli 0.1.3 → 1.0.1

package/README.md

@@ -56,13 +56,19 @@ That's it. You'll see a full drift report in seconds.
 ## What You Get
 
 ```
+    ╭───╮➜
+   ╭┤◉ ◉├╮  V I B G R A T E
+   ╰┤───├╯  Drift Intelligence Engine v1.x.x
+    ╰───╯
+
 ╔══════════════════════════════════════════╗
 ║        Vibgrate Drift Report             ║
 ╚══════════════════════════════════════════╝
 
   Drift Score:  72/100
-  Risk Level:   Low
+  Risk Level:   LOW
   Projects:     3
+  VCS:          git main a1b2c3d
 
   Score Breakdown
     Runtime:      ████████████████████ 100
@@ -77,9 +83,61 @@ That's it. You'll see a full drift report in seconds.
      Dependencies:
        42 current  8 1-behind  3 2+ behind
 
-  Findings
+  ── web-app (node) src/web
+     Runtime: 20.11.0 (current)
+     Frameworks:
+       React: 18.2.0 → 19.0.0 (1 behind)
+     Dependencies:
+       31 current  5 1-behind  2 2+ behind
+
+  Tech Stack
+    Frontend: React, Tailwind CSS
+    Bundlers: Vite
+    Testing: Vitest, Playwright
+    Lint & Format: ESLint, Prettier
+
+  Services & Integrations
+    Cloud: AWS SDK v3
+    Databases: PostgreSQL
+
+  TypeScript
+    v5.4.2 · strict ✔ · ESM · target: ES2022
+
+  Build & Deploy
+    CI: GitHub Actions
+    Docker: 2 Dockerfiles (node:20-alpine)
+    Package Managers: pnpm
+
+  Security Posture
+    Lockfile ✔ · .env ✔ · node_modules ✔
+
+  Dependency Graph
+    pnpm-lock.yaml: 312 unique, 487 installed
+    5 duplicated packages
+
+  Findings (2 warnings, 1 note)
     ⚠ Framework "NestJS" is 1 major version(s) behind
+      framework/outdated in src/api/package.json
     ⚠ 12% of dependencies are 2+ major versions behind
+      dependency/outdated in src/api/package.json
+    ℹ TypeScript target is ES2022
+      ts/target in tsconfig.json
+
+╔══════════════════════════════════════════╗
+║        Top Priority Actions              ║
+╚══════════════════════════════════════════╝
+
+  1. Upgrade NestJS 10.3.0 → 11.0.0 in my-api
+     1 major version behind. Major framework drift increases
+     breaking change risk and blocks access to security fixes.
+     Impact: +5–15 points (framework score)
+
+  2. Reduce dependency rot in my-api (42% severely outdated)
+     3 of 53 dependencies are 2+ majors behind. Run `npm outdated`
+     and prioritise packages with known CVEs.
+     Impact: +5–10 points (dependency score)
+
+  Scanned at 2026-02-16T00:00:00.000Z · 1.2s · 48 files scanned
 ```
 
 ---

package/dist/{baseline-D5UDXOEJ.js → baseline-35XRSRAD.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-3X3ZMVHI.js";
-import "./chunk-VXEZ7APL.js";
+} from "./chunk-NTRKEIKP.js";
+import "./chunk-VMNBKARQ.js";
 export {
   baselineCommand,
   runBaseline

package/dist/{chunk-3X3ZMVHI.js → chunk-NTRKEIKP.js}

@@ -1,7 +1,7 @@
 import {
   runScan,
   writeJsonFile
-} from "./chunk-VXEZ7APL.js";
+} from "./chunk-VMNBKARQ.js";
 
 // src/commands/baseline.ts
 import * as path from "path";

package/dist/{chunk-VXEZ7APL.js → chunk-VMNBKARQ.js}

@@ -95,9 +95,9 @@ function clamp(val, min, max) {
   return Math.min(max, Math.max(min, val));
 }
 function runtimeScore(projects) {
-  if (projects.length === 0) return 100;
+  if (projects.length === 0) return null;
   const lags = projects.map((p) => p.runtimeMajorsBehind).filter((v) => v !== void 0);
-  if (lags.length === 0) return 100;
+  if (lags.length === 0) return null;
   const maxLag = Math.max(...lags);
   if (maxLag === 0) return 100;
   if (maxLag === 1) return 80;
@@ -107,9 +107,9 @@ function runtimeScore(projects) {
 }
 function frameworkScore(projects) {
   const allFrameworks = projects.flatMap((p) => p.frameworks);
-  if (allFrameworks.length === 0) return 100;
+  if (allFrameworks.length === 0) return null;
   const lags = allFrameworks.map((f) => f.majorsBehind).filter((v) => v !== null);
-  if (lags.length === 0) return 100;
+  if (lags.length === 0) return null;
   const maxLag = Math.max(...lags);
   const avgLag = lags.reduce((a, b) => a + b, 0) / lags.length;
   const maxPenalty = Math.min(maxLag * 20, 100);
@@ -128,13 +128,15 @@ function dependencyScore(projects) {
     totalUnknown += p.dependencyAgeBuckets.unknown;
   }
   const total = totalCurrent + totalOne + totalTwo;
-  if (total === 0) return 100;
+  if (total === 0) return null;
   const currentPct = totalCurrent / total;
   const onePct = totalOne / total;
   const twoPct = totalTwo / total;
   return clamp(Math.round(currentPct * 100 - onePct * 10 - twoPct * 40), 0, 100);
 }
 function eolScore(projects) {
+  const hasRuntimeData = projects.some((p) => p.runtimeMajorsBehind !== void 0);
+  if (!hasRuntimeData) return null;
   let score = 100;
   for (const p of projects) {
     if (p.type === "node" && p.runtimeMajorsBehind !== void 0) {
@@ -155,20 +157,50 @@ function computeDriftScore(projects) {
   const fs5 = frameworkScore(projects);
   const ds = dependencyScore(projects);
   const es = eolScore(projects);
-  const score = Math.round(rs * 0.25 + fs5 * 0.25 + ds * 0.3 + es * 0.2);
+  const components = [
+    { score: rs, weight: 0.25 },
+    { score: fs5, weight: 0.25 },
+    { score: ds, weight: 0.3 },
+    { score: es, weight: 0.2 }
+  ];
+  const active = components.filter((c) => c.score !== null);
+  if (active.length === 0) {
+    return {
+      score: 100,
+      riskLevel: "low",
+      components: {
+        runtimeScore: rs ?? 100,
+        frameworkScore: fs5 ?? 100,
+        dependencyScore: ds ?? 100,
+        eolScore: es ?? 100
+      }
+    };
+  }
+  const totalActiveWeight = active.reduce((sum, c) => sum + c.weight, 0);
+  let score = 0;
+  for (const c of active) {
+    score += c.score * (c.weight / totalActiveWeight);
+  }
+  score = Math.round(score);
   let riskLevel;
   if (score >= 70) riskLevel = "low";
   else if (score >= 40) riskLevel = "moderate";
   else riskLevel = "high";
+  const measured = [];
+  if (rs !== null) measured.push("runtime");
+  if (fs5 !== null) measured.push("framework");
+  if (ds !== null) measured.push("dependency");
+  if (es !== null) measured.push("eol");
   return {
     score,
     riskLevel,
     components: {
-      runtimeScore: rs,
-      frameworkScore: fs5,
-      dependencyScore: ds,
-      eolScore: es
-    }
+      runtimeScore: rs ?? 100,
+      frameworkScore: fs5 ?? 100,
+      dependencyScore: ds ?? 100,
+      eolScore: es ?? 100
+    },
+    measured
   };
 }
 function generateFindings(projects, config) {
@@ -243,11 +275,22 @@ function generateFindings(projects, config) {
   return findings;
 }
 
+// src/version.ts
+import { createRequire } from "module";
+var require2 = createRequire(import.meta.url);
+var pkg = require2("../package.json");
+var VERSION = pkg.version;
+
 // src/formatters/text.ts
 import chalk from "chalk";
 function formatText(artifact) {
   const lines = [];
   lines.push("");
+  lines.push(chalk.cyan("    \u256D\u2500\u2500\u2500\u256E") + chalk.greenBright("\u279C"));
+  lines.push(chalk.cyan("   \u256D\u2524") + chalk.greenBright("\u25C9 \u25C9") + chalk.cyan("\u251C\u256E") + "  " + chalk.bold.white("V I B G R A T E"));
+  lines.push(chalk.cyan("   \u2570\u2524") + chalk.dim("\u2500\u2500\u2500") + chalk.cyan("\u251C\u256F") + "  " + chalk.dim(`Drift Intelligence Engine v${VERSION}`));
+  lines.push(chalk.cyan("    \u2570\u2500\u2500\u2500\u256F"));
+  lines.push("");
   lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
   lines.push(chalk.bold.cyan("\u2551        Vibgrate Drift Report             \u2551"));
   lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
@@ -263,11 +306,12 @@ function formatText(artifact) {
     lines.push(chalk.bold("  VCS:          ") + vcsParts.join(" "));
   }
   lines.push("");
+  const m = new Set(artifact.drift.measured ?? ["runtime", "framework", "dependency", "eol"]);
   lines.push(chalk.bold.underline("  Score Breakdown"));
-  lines.push(`    Runtime:      ${scoreBar(artifact.drift.components.runtimeScore)}`);
-  lines.push(`    Frameworks:   ${scoreBar(artifact.drift.components.frameworkScore)}`);
-  lines.push(`    Dependencies: ${scoreBar(artifact.drift.components.dependencyScore)}`);
-  lines.push(`    EOL Risk:     ${scoreBar(artifact.drift.components.eolScore)}`);
+  lines.push(`    Runtime:      ${m.has("runtime") ? scoreBar(artifact.drift.components.runtimeScore) : chalk.dim("n/a")}`);
+  lines.push(`    Frameworks:   ${m.has("framework") ? scoreBar(artifact.drift.components.frameworkScore) : chalk.dim("n/a")}`);
+  lines.push(`    Dependencies: ${m.has("dependency") ? scoreBar(artifact.drift.components.dependencyScore) : chalk.dim("n/a")}`);
+  lines.push(`    EOL Risk:     ${m.has("eol") ? scoreBar(artifact.drift.components.eolScore) : chalk.dim("n/a")}`);
   lines.push("");
   for (const project of artifact.projects) {
     lines.push(chalk.bold(`  \u2500\u2500 ${project.name} `) + chalk.dim(`(${project.type}) ${project.path}`));
@@ -293,8 +337,24 @@ function formatText(artifact) {
     }
     lines.push("");
   }
+  if (artifact.delta !== void 0) {
+    const deltaStr = artifact.delta > 0 ? chalk.green(`+${artifact.delta}`) : artifact.delta < 0 ? chalk.red(`${artifact.delta}`) : chalk.dim("0");
+    lines.push(chalk.bold("  Drift Delta: ") + deltaStr + " (vs baseline)");
+    lines.push("");
+  }
+  if (artifact.extended) {
+    lines.push(...formatExtended(artifact.extended));
+  }
   if (artifact.findings.length > 0) {
-    lines.push(chalk.bold.underline("  Findings"));
+    const errors = artifact.findings.filter((f) => f.level === "error");
+    const warnings = artifact.findings.filter((f) => f.level === "warning");
+    const notes = artifact.findings.filter((f) => f.level === "note");
+    const summary = [
+      errors.length > 0 ? chalk.red(`${errors.length} error${errors.length !== 1 ? "s" : ""}`) : "",
+      warnings.length > 0 ? chalk.yellow(`${warnings.length} warning${warnings.length !== 1 ? "s" : ""}`) : "",
+      notes.length > 0 ? chalk.blue(`${notes.length} note${notes.length !== 1 ? "s" : ""}`) : ""
+    ].filter(Boolean).join(chalk.dim(", "));
+    lines.push(chalk.bold.underline(`  Findings`) + chalk.dim(` (${summary})`));
     for (const f of artifact.findings) {
       const icon = f.level === "error" ? chalk.red("\u2716") : f.level === "warning" ? chalk.yellow("\u26A0") : chalk.blue("\u2139");
       lines.push(`    ${icon} ${f.message}`);
@@ -302,15 +362,30 @@ function formatText(artifact) {
     }
     lines.push("");
   }
-  if (artifact.delta !== void 0) {
-    const deltaStr = artifact.delta > 0 ? chalk.green(`+${artifact.delta}`) : artifact.delta < 0 ? chalk.red(`${artifact.delta}`) : chalk.dim("0");
-    lines.push(chalk.bold("  Drift Delta: ") + deltaStr + " (vs baseline)");
+  const actions = generatePriorityActions(artifact);
+  if (actions.length > 0) {
+    lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+    lines.push(chalk.bold.cyan("\u2551        Top Priority Actions              \u2551"));
+    lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
     lines.push("");
+    for (let i = 0; i < actions.length; i++) {
+      const a = actions[i];
+      const num = chalk.bold.cyan(`  ${i + 1}.`);
+      lines.push(`${num} ${chalk.bold(a.title)}`);
+      lines.push(chalk.dim(`     ${a.explanation}`));
+      if (a.impact) lines.push(`     Impact: ${chalk.green(a.impact)}`);
+      lines.push("");
+    }
   }
-  if (artifact.extended) {
-    lines.push(...formatExtended(artifact.extended));
+  const scannedParts = [`Scanned at ${artifact.timestamp}`];
+  if (artifact.durationMs !== void 0) {
+    const secs = (artifact.durationMs / 1e3).toFixed(1);
+    scannedParts.push(`${secs}s`);
   }
-  lines.push(chalk.dim(`  Scanned at ${artifact.timestamp}`));
+  if (artifact.filesScanned !== void 0) {
+    scannedParts.push(`${artifact.filesScanned} file${artifact.filesScanned !== 1 ? "s" : ""} scanned`);
+  }
+  lines.push(chalk.dim(`  ${scannedParts.join(" \xB7 ")}`));
   lines.push("");
   return lines.join("\n");
 }
@@ -331,7 +406,7 @@ function scoreBar(score) {
   const filled = Math.round(score / 100 * width);
   const empty = width - filled;
   const color = score >= 70 ? chalk.green : score >= 40 ? chalk.yellow : chalk.red;
-  return color("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty)) + ` ${score}`;
+  return color("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty)) + ` ${Math.round(score)}`;
 }
 var CATEGORY_LABELS = {
   frontend: "Frontend",
@@ -471,6 +546,149 @@ function formatExtended(ext) {
   }
   return lines;
 }
+function generatePriorityActions(artifact) {
+  const actions = [];
+  const eolProjects = artifact.projects.filter(
+    (p) => p.runtimeMajorsBehind !== void 0 && p.runtimeMajorsBehind >= 3
+  );
+  if (eolProjects.length > 0) {
+    const names = eolProjects.map((p) => p.name).join(", ");
+    const runtimes = eolProjects.map((p) => `${p.runtime} \u2192 ${p.runtimeLatest}`).join(", ");
+    actions.push({
+      title: `Upgrade EOL runtime${eolProjects.length > 1 ? "s" : ""} in ${names}`,
+      explanation: `${runtimes}. End-of-life runtimes no longer receive security patches and block ecosystem upgrades.`,
+      impact: `+${Math.min(eolProjects.length * 10, 30)} points (runtime & EOL scores)`,
+      severity: 100
+    });
+  }
+  const severeFrameworks = [];
+  for (const p of artifact.projects) {
+    for (const fw of p.frameworks) {
+      if (fw.majorsBehind !== null && fw.majorsBehind >= 3) {
+        severeFrameworks.push({ name: fw.name, fw: `${fw.currentVersion} \u2192 ${fw.latestVersion}`, behind: fw.majorsBehind, project: p.name });
+      }
+    }
+  }
+  if (severeFrameworks.length > 0) {
+    const worst = severeFrameworks.sort((a, b) => b.behind - a.behind)[0];
+    const others = severeFrameworks.length > 1 ? ` (+${severeFrameworks.length - 1} more)` : "";
+    actions.push({
+      title: `Upgrade ${worst.name} ${worst.fw} in ${worst.project}${others}`,
+      explanation: `${worst.behind} major versions behind. Major framework drift increases breaking change risk and blocks access to security fixes and performance improvements.`,
+      impact: `+5\u201315 points (framework score)`,
+      severity: 90
+    });
+  }
+  for (const p of artifact.projects) {
+    const b = p.dependencyAgeBuckets;
+    const total = b.current + b.oneBehind + b.twoPlusBehind;
+    if (total === 0) continue;
+    const twoPlusPct = Math.round(b.twoPlusBehind / total * 100);
+    if (twoPlusPct >= 40) {
+      actions.push({
+        title: `Reduce dependency rot in ${p.name} (${twoPlusPct}% severely outdated)`,
+        explanation: `${b.twoPlusBehind} of ${total} dependencies are 2+ majors behind. Run \`npm outdated\` and prioritise packages with known CVEs or breaking API changes.`,
+        impact: `+5\u201310 points (dependency score)`,
+        severity: 80 + twoPlusPct / 10
+      });
+    }
+  }
+  const twoMajorFrameworks = [];
+  for (const p of artifact.projects) {
+    for (const fw of p.frameworks) {
+      if (fw.majorsBehind === 2) {
+        twoMajorFrameworks.push({ name: fw.name, project: p.name, fw: `${fw.currentVersion} \u2192 ${fw.latestVersion}` });
+      }
+    }
+  }
+  const uniqueTwo = [...new Map(twoMajorFrameworks.map((f) => [f.name, f])).values()];
+  if (uniqueTwo.length > 0) {
+    const list = uniqueTwo.slice(0, 3).map((f) => `${f.name} (${f.fw})`).join(", ");
+    const moreCount = uniqueTwo.length > 3 ? ` +${uniqueTwo.length - 3} more` : "";
+    actions.push({
+      title: `Plan major framework upgrades: ${list}${moreCount}`,
+      explanation: `These frameworks are 2 major versions behind. Create upgrade tickets and check migration guides \u2014 the gap will widen with each new release.`,
+      impact: `+5\u201310 points (framework score)`,
+      severity: 60
+    });
+  }
+  if (artifact.extended?.breakingChangeExposure) {
+    const bc = artifact.extended.breakingChangeExposure;
+    const total = bc.deprecatedPackages.length + bc.legacyPolyfills.length;
+    if (total > 0) {
+      const items = [...bc.deprecatedPackages, ...bc.legacyPolyfills].slice(0, 5).join(", ");
+      const moreCount = total > 5 ? ` +${total - 5} more` : "";
+      actions.push({
+        title: `Replace deprecated/legacy packages: ${items}${moreCount}`,
+        explanation: `${total} package${total !== 1 ? "s" : ""} are deprecated or legacy polyfills. These receive no updates and may have known vulnerabilities.`,
+        severity: 55
+      });
+    }
+  }
+  if (artifact.extended?.dependencyGraph) {
+    const dg = artifact.extended.dependencyGraph;
+    const phantomCount = dg.phantomDependencies.length;
+    if (phantomCount >= 10) {
+      let detail = `Packages used in code but not declared in package.json. These rely on transitive installs and can break unpredictably when other packages update.`;
+      const details = dg.phantomDependencyDetails;
+      if (details && details.length > 0) {
+        const byPath = /* @__PURE__ */ new Map();
+        for (const d of details) {
+          if (!byPath.has(d.sourcePath)) byPath.set(d.sourcePath, []);
+          byPath.get(d.sourcePath).push({ package: d.package, spec: d.spec });
+        }
+        const pathLines = [];
+        let shown = 0;
+        for (const [srcPath, pkgs] of byPath) {
+          if (shown >= 10) break;
+          pathLines.push(`
+     ./${srcPath}`);
+          for (const pkg2 of pkgs) {
+            if (shown >= 10) break;
+            pathLines.push(`       ${pkg2.package}: ${pkg2.spec}`);
+            shown++;
+          }
+        }
+        const remaining = phantomCount - shown;
+        detail += pathLines.join("");
+        if (remaining > 0) detail += `
+     ... and ${remaining} more`;
+      }
+      actions.push({
+        title: `Fix ${phantomCount} phantom dependencies`,
+        explanation: detail,
+        severity: 45
+      });
+    }
+  }
+  if (artifact.extended?.securityPosture) {
+    const sec = artifact.extended.securityPosture;
+    if (sec.envFilesTracked || !sec.lockfilePresent) {
+      const issues = [];
+      if (sec.envFilesTracked) issues.push(".env files are tracked in git");
+      if (!sec.lockfilePresent) issues.push("no lockfile found");
+      actions.push({
+        title: `Fix security posture: ${issues.join(", ")}`,
+        explanation: sec.envFilesTracked ? "Environment files may contain secrets. Add them to .gitignore and rotate any exposed credentials immediately." : "Without a lockfile, installs are non-deterministic. Run the install command to generate one and commit it.",
+        severity: 95
+      });
+    }
+  }
+  if (artifact.extended?.dependencyGraph) {
+    const dupes = artifact.extended.dependencyGraph.duplicatedPackages;
+    const highImpactDupes = dupes.filter((d) => d.versions.length >= 3);
+    if (highImpactDupes.length >= 3) {
+      const names = highImpactDupes.slice(0, 4).map((d) => `${d.name} (${d.versions.length}v)`).join(", ");
+      actions.push({
+        title: `Deduplicate heavily-versioned packages`,
+        explanation: `${highImpactDupes.length} packages have 3+ versions installed: ${names}. Run \`npm dedupe\` to reduce bundle size and install time.`,
+        severity: 35
+      });
+    }
+  }
+  actions.sort((a, b) => b.severity - a.severity);
+  return actions.slice(0, 5);
+}
 
 // src/formatters/sarif.ts
 function formatSarif(artifact) {
@@ -554,12 +772,6 @@ function toSarifResult(finding) {
   };
 }
 
-// src/version.ts
-import { createRequire } from "module";
-var require2 = createRequire(import.meta.url);
-var pkg = require2("../package.json");
-var VERSION = pkg.version;
-
 // src/commands/scan.ts
 import * as path12 from "path";
 import { Command } from "commander";
@@ -1350,7 +1562,7 @@ var ROBOT = [
 ];
 var BRAND = [
   chalk2.bold.white("  V I B G R A T E"),
-  chalk2.dim("  Drift Intelligence Engine")
+  chalk2.dim(`  Drift Intelligence Engine`) + chalk2.dim(` v${VERSION}`)
 ];
 var SPINNER_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
 var ScanProgress = class {
@@ -2021,9 +2233,11 @@ async function scanDependencyGraph(rootDir) {
   const lockedNames = new Set(versionMap.keys());
   const pkgFiles = await findPackageJsonFiles(rootDir);
   const phantoms = /* @__PURE__ */ new Set();
+  const phantomDetails = [];
   for (const pjPath of pkgFiles) {
     try {
       const pj = await readJsonFile(pjPath);
+      const relPath = path7.relative(rootDir, pjPath);
       for (const section of ["dependencies", "devDependencies"]) {
         const deps = pj[section];
         if (!deps) continue;
@@ -2031,6 +2245,7 @@ async function scanDependencyGraph(rootDir) {
           const ver = typeof version === "string" ? version : "";
           if (!lockedNames.has(name) && !ver.startsWith("workspace:")) {
             phantoms.add(name);
+            phantomDetails.push({ package: name, spec: ver, sourcePath: relPath });
           }
         }
       }
@@ -2038,6 +2253,7 @@ async function scanDependencyGraph(rootDir) {
     }
   }
   result.phantomDependencies = [...phantoms].sort();
+  result.phantomDependencyDetails = phantomDetails.sort((a, b) => a.sourcePath.localeCompare(b.sourcePath) || a.package.localeCompare(b.package));
   return result;
 }
 
@@ -3447,10 +3663,12 @@ function scanServiceDependencies(projects) {
 
 // src/commands/scan.ts
 async function runScan(rootDir, opts) {
+  const scanStart = Date.now();
   const config = await loadConfig(rootDir);
   const sem = new Semaphore(opts.concurrency);
   const npmCache = new NpmCache(rootDir, sem);
   const scanners = config.scanners;
+  let filesScanned = 0;
   const progress = new ScanProgress(rootDir);
   const steps = [
     { id: "config", label: "Loading configuration" },
@@ -3484,6 +3702,7 @@ async function runScan(rootDir, opts) {
     progress.addDependencies(p.dependencies.length);
     progress.addFrameworks(p.frameworks.length);
   }
+  filesScanned += nodeProjects.length;
   progress.addProjects(nodeProjects.length);
   progress.completeStep("node", `${nodeProjects.length} project${nodeProjects.length !== 1 ? "s" : ""}`, nodeProjects.length);
   progress.startStep("dotnet");
@@ -3492,91 +3711,130 @@ async function runScan(rootDir, opts) {
     progress.addDependencies(p.dependencies.length);
     progress.addFrameworks(p.frameworks.length);
   }
+  filesScanned += dotnetProjects.length;
   progress.addProjects(dotnetProjects.length);
   progress.completeStep("dotnet", `${dotnetProjects.length} project${dotnetProjects.length !== 1 ? "s" : ""}`, dotnetProjects.length);
   const allProjects = [...nodeProjects, ...dotnetProjects];
   const extended = {};
   if (scanners !== false) {
+    const scannerTasks = [];
     if (scanners?.platformMatrix?.enabled !== false) {
       progress.startStep("platform");
-      extended.platformMatrix = await scanPlatformMatrix(rootDir);
-      const nativeCount = extended.platformMatrix.nativeModules.length;
-      const dockerCount = extended.platformMatrix.dockerBaseImages.length;
-      const parts = [];
-      if (nativeCount > 0) parts.push(`${nativeCount} native`);
-      if (dockerCount > 0) parts.push(`${dockerCount} docker`);
-      progress.completeStep("platform", parts.join(", ") || "clean", nativeCount + dockerCount);
+      scannerTasks.push(
+        scanPlatformMatrix(rootDir).then((result) => {
+          extended.platformMatrix = result;
+          const nativeCount = result.nativeModules.length;
+          const dockerCount = result.dockerBaseImages.length;
+          const parts = [];
+          if (nativeCount > 0) parts.push(`${nativeCount} native`);
+          if (dockerCount > 0) parts.push(`${dockerCount} docker`);
+          progress.completeStep("platform", parts.join(", ") || "clean", nativeCount + dockerCount);
+        })
+      );
     }
     if (scanners?.toolingInventory?.enabled !== false) {
       progress.startStep("tooling");
-      extended.toolingInventory = scanToolingInventory(allProjects);
-      const toolCount = Object.values(extended.toolingInventory).reduce((sum, arr) => sum + arr.length, 0);
-      progress.completeStep("tooling", `${toolCount} tool${toolCount !== 1 ? "s" : ""} mapped`, toolCount);
+      scannerTasks.push(
+        Promise.resolve().then(() => {
+          extended.toolingInventory = scanToolingInventory(allProjects);
+          const toolCount = Object.values(extended.toolingInventory).reduce((sum, arr) => sum + arr.length, 0);
+          progress.completeStep("tooling", `${toolCount} tool${toolCount !== 1 ? "s" : ""} mapped`, toolCount);
+        })
+      );
     }
     if (scanners?.serviceDependencies?.enabled !== false) {
       progress.startStep("services");
-      extended.serviceDependencies = scanServiceDependencies(allProjects);
-      const svcCount = Object.values(extended.serviceDependencies).reduce((sum, arr) => sum + arr.length, 0);
-      progress.completeStep("services", `${svcCount} service${svcCount !== 1 ? "s" : ""} detected`, svcCount);
+      scannerTasks.push(
+        Promise.resolve().then(() => {
+          extended.serviceDependencies = scanServiceDependencies(allProjects);
+          const svcCount = Object.values(extended.serviceDependencies).reduce((sum, arr) => sum + arr.length, 0);
+          progress.completeStep("services", `${svcCount} service${svcCount !== 1 ? "s" : ""} detected`, svcCount);
+        })
+      );
     }
     if (scanners?.breakingChangeExposure?.enabled !== false) {
       progress.startStep("breaking");
-      extended.breakingChangeExposure = scanBreakingChangeExposure(allProjects);
-      const bc = extended.breakingChangeExposure;
-      const bcTotal = bc.deprecatedPackages.length + bc.legacyPolyfills.length;
-      progress.completeStep(
-        "breaking",
-        bcTotal > 0 ? `${bc.deprecatedPackages.length} deprecated, ${bc.legacyPolyfills.length} polyfills` : "none found",
-        bcTotal
+      scannerTasks.push(
+        Promise.resolve().then(() => {
+          extended.breakingChangeExposure = scanBreakingChangeExposure(allProjects);
+          const bc = extended.breakingChangeExposure;
+          const bcTotal = bc.deprecatedPackages.length + bc.legacyPolyfills.length;
+          progress.completeStep(
+            "breaking",
+            bcTotal > 0 ? `${bc.deprecatedPackages.length} deprecated, ${bc.legacyPolyfills.length} polyfills` : "none found",
+            bcTotal
+          );
+        })
       );
     }
     if (scanners?.securityPosture?.enabled !== false) {
       progress.startStep("security");
-      extended.securityPosture = await scanSecurityPosture(rootDir);
-      const sec = extended.securityPosture;
-      const secDetail = sec.lockfilePresent ? `lockfile \u2714${sec.gitignoreCoversEnv ? " \xB7 .env \u2714" : " \xB7 .env \u2716"}` : "no lockfile";
-      progress.completeStep("security", secDetail);
+      scannerTasks.push(
+        scanSecurityPosture(rootDir).then((result) => {
+          extended.securityPosture = result;
+          const secDetail = result.lockfilePresent ? `lockfile \u2714${result.gitignoreCoversEnv ? " \xB7 .env \u2714" : " \xB7 .env \u2716"}` : "no lockfile";
+          progress.completeStep("security", secDetail);
+        })
+      );
     }
     if (scanners?.buildDeploy?.enabled !== false) {
       progress.startStep("build");
-      extended.buildDeploy = await scanBuildDeploy(rootDir);
-      const bd = extended.buildDeploy;
-      const bdParts = [];
-      if (bd.ci.length > 0) bdParts.push(bd.ci.join(", "));
-      if (bd.docker.dockerfileCount > 0) bdParts.push(`${bd.docker.dockerfileCount} Dockerfile${bd.docker.dockerfileCount !== 1 ? "s" : ""}`);
-      progress.completeStep("build", bdParts.join(" \xB7 ") || "none detected");
+      scannerTasks.push(
+        scanBuildDeploy(rootDir).then((result) => {
+          extended.buildDeploy = result;
+          const bdParts = [];
+          if (result.ci.length > 0) bdParts.push(result.ci.join(", "));
+          if (result.docker.dockerfileCount > 0) bdParts.push(`${result.docker.dockerfileCount} Dockerfile${result.docker.dockerfileCount !== 1 ? "s" : ""}`);
+          progress.completeStep("build", bdParts.join(" \xB7 ") || "none detected");
+        })
+      );
     }
     if (scanners?.tsModernity?.enabled !== false) {
       progress.startStep("ts");
-      extended.tsModernity = await scanTsModernity(rootDir);
-      const ts = extended.tsModernity;
-      const tsParts = [];
-      if (ts.typescriptVersion) tsParts.push(`v${ts.typescriptVersion}`);
-      if (ts.strict === true) tsParts.push("strict");
-      if (ts.moduleType) tsParts.push(ts.moduleType.toUpperCase());
-      progress.completeStep("ts", tsParts.join(" \xB7 ") || "no tsconfig");
+      scannerTasks.push(
+        scanTsModernity(rootDir).then((result) => {
+          extended.tsModernity = result;
+          const tsParts = [];
+          if (result.typescriptVersion) tsParts.push(`v${result.typescriptVersion}`);
+          if (result.strict === true) tsParts.push("strict");
+          if (result.moduleType) tsParts.push(result.moduleType.toUpperCase());
+          progress.completeStep("ts", tsParts.join(" \xB7 ") || "no tsconfig");
+        })
+      );
     }
     if (scanners?.fileHotspots?.enabled !== false) {
       progress.startStep("hotspots");
-      extended.fileHotspots = await scanFileHotspots(rootDir);
-      progress.completeStep("hotspots", `${extended.fileHotspots.totalFiles} files`, extended.fileHotspots.totalFiles);
+      scannerTasks.push(
+        scanFileHotspots(rootDir).then((result) => {
+          extended.fileHotspots = result;
+          progress.completeStep("hotspots", `${result.totalFiles} files`, result.totalFiles);
+        })
+      );
     }
     if (scanners?.dependencyGraph?.enabled !== false) {
       progress.startStep("depgraph");
-      extended.dependencyGraph = await scanDependencyGraph(rootDir);
-      const dg = extended.dependencyGraph;
-      const dgDetail = dg.lockfileType ? `${dg.lockfileType} \xB7 ${dg.totalUnique} unique` : "no lockfile";
-      progress.completeStep("depgraph", dgDetail, dg.totalUnique);
+      scannerTasks.push(
+        scanDependencyGraph(rootDir).then((result) => {
+          extended.dependencyGraph = result;
+          const dgDetail = result.lockfileType ? `${result.lockfileType} \xB7 ${result.totalUnique} unique` : "no lockfile";
+          progress.completeStep("depgraph", dgDetail, result.totalUnique);
+        })
+      );
     }
     if (scanners?.dependencyRisk?.enabled !== false) {
       progress.startStep("deprisk");
-      extended.dependencyRisk = scanDependencyRisk(allProjects);
-      const dr = extended.dependencyRisk;
-      const drParts = [];
-      if (dr.deprecatedPackages.length > 0) drParts.push(`${dr.deprecatedPackages.length} deprecated`);
-      if (dr.nativeModulePackages.length > 0) drParts.push(`${dr.nativeModulePackages.length} native`);
-      progress.completeStep("deprisk", drParts.join(", ") || "low risk");
+      scannerTasks.push(
+        Promise.resolve().then(() => {
+          extended.dependencyRisk = scanDependencyRisk(allProjects);
+          const dr = extended.dependencyRisk;
+          const drParts = [];
+          if (dr.deprecatedPackages.length > 0) drParts.push(`${dr.deprecatedPackages.length} deprecated`);
+          if (dr.nativeModulePackages.length > 0) drParts.push(`${dr.nativeModulePackages.length} native`);
+          progress.completeStep("deprisk", drParts.join(", ") || "low risk");
+        })
+      );
     }
+    await Promise.all(scannerTasks);
   }
   progress.startStep("drift");
   const drift = computeDriftScore(allProjects);
@@ -3596,6 +3854,15 @@ async function runScan(rootDir, opts) {
   if (allProjects.length === 0) {
     console.log(chalk3.yellow("No projects found."));
   }
+  if (extended.fileHotspots) filesScanned += extended.fileHotspots.totalFiles;
+  if (extended.securityPosture) filesScanned += 1;
+  if (extended.tsModernity?.typescriptVersion) filesScanned += 1;
+  if (extended.dependencyGraph?.lockfileType) filesScanned += 1;
+  if (extended.buildDeploy) {
+    filesScanned += extended.buildDeploy.docker.dockerfileCount;
+    filesScanned += extended.buildDeploy.ci.length;
+  }
+  const durationMs = Date.now() - scanStart;
   const artifact = {
     schemaVersion: "1.0",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
@@ -3605,7 +3872,9 @@ async function runScan(rootDir, opts) {
     projects: allProjects,
     drift,
     findings,
-    ...Object.keys(extended).length > 0 ? { extended } : {}
+    ...Object.keys(extended).length > 0 ? { extended } : {},
+    durationMs,
+    filesScanned
   };
   if (opts.baseline) {
     const baselinePath = path12.resolve(opts.baseline);
@@ -3689,9 +3958,9 @@ export {
   writeDefaultConfig,
   computeDriftScore,
   generateFindings,
+  VERSION,
   formatText,
   formatSarif,
-  VERSION,
   runScan,
   scanCommand
 };

package/dist/{chunk-AMOJCCF5.js → chunk-VXZT34Y5.js}

@@ -8,7 +8,10 @@ function formatMarkdown(artifact) {
   lines.push(`| **Drift Score** | ${artifact.drift.score}/100 |`);
   lines.push(`| **Risk Level** | ${artifact.drift.riskLevel.toUpperCase()} |`);
   lines.push(`| **Projects** | ${artifact.projects.length} |`);
-  lines.push(`| **Scanned** | ${artifact.timestamp} |`);
+  const scannedMeta = [artifact.timestamp];
+  if (artifact.durationMs !== void 0) scannedMeta.push(`${(artifact.durationMs / 1e3).toFixed(1)}s`);
+  if (artifact.filesScanned !== void 0) scannedMeta.push(`${artifact.filesScanned} files`);
+  lines.push(`| **Scanned** | ${scannedMeta.join(" \xB7 ")} |`);
   if (artifact.vcs) {
     lines.push(`| **VCS** | ${artifact.vcs.type} |`);
     if (artifact.vcs.branch) lines.push(`| **Branch** | ${artifact.vcs.branch} |`);

package/dist/cli.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 import {
   formatMarkdown
-} from "./chunk-AMOJCCF5.js";
+} from "./chunk-VXZT34Y5.js";
 import {
   baselineCommand
-} from "./chunk-3X3ZMVHI.js";
+} from "./chunk-NTRKEIKP.js";
 import {
   VERSION,
   ensureDir,
@@ -15,7 +15,7 @@ import {
   scanCommand,
   writeDefaultConfig,
   writeTextFile
-} from "./chunk-VXEZ7APL.js";
+} from "./chunk-VMNBKARQ.js";
 
 // src/cli.ts
 import { Command as Command6 } from "commander";
@@ -38,7 +38,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-D5UDXOEJ.js");
+    const { runBaseline } = await import("./baseline-35XRSRAD.js");
     await runBaseline(rootDir);
   }
   console.log("");

package/dist/index.d.ts

@@ -43,6 +43,8 @@ interface DriftScore {
         dependencyScore: number;
         eolScore: number;
     };
+    /** Which components had sufficient data to score. Missing = no data available. */
+    measured?: ('runtime' | 'framework' | 'dependency' | 'eol')[];
 }
 interface Finding {
     ruleId: string;
@@ -70,6 +72,10 @@ interface ScanArtifact {
     baseline?: string;
     delta?: number;
     extended?: ExtendedScanResults;
+    /** Scan wall-clock duration in milliseconds */
+    durationMs?: number;
+    /** Number of manifest/config files scanned */
+    filesScanned?: number;
 }
 interface ScanOptions {
     out?: string;
@@ -130,12 +136,18 @@ interface DuplicatedPackage {
     versions: string[];
     consumers: number;
 }
+interface PhantomDependency {
+    package: string;
+    spec: string;
+    sourcePath: string;
+}
 interface DependencyGraphResult {
     lockfileType: string | null;
     totalUnique: number;
     totalInstalled: number;
     duplicatedPackages: DuplicatedPackage[];
     phantomDependencies: string[];
+    phantomDependencyDetails?: PhantomDependency[];
 }
 interface InventoryItem {
     name: string;

package/dist/index.js

@@ -1,13 +1,13 @@
 import {
   formatMarkdown
-} from "./chunk-AMOJCCF5.js";
+} from "./chunk-VXZT34Y5.js";
 import {
   computeDriftScore,
   formatSarif,
   formatText,
   generateFindings,
   runScan
-} from "./chunk-VXEZ7APL.js";
+} from "./chunk-VMNBKARQ.js";
 export {
   computeDriftScore,
   formatMarkdown,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "0.1.3",
+  "version": "1.0.1",
   "description": "CLI for measuring upgrade drift across Node & .NET projects",
   "type": "module",
   "bin": {