@vibgrate/cli 1.0.1 → 1.0.2

package/dist/{chunk-VMNBKARQ.js → chunk-XZ4NRZMT.js}

@@ -4,6 +4,7 @@ import * as path from "path";
 var SKIP_DIRS = /* @__PURE__ */ new Set([
   "node_modules",
   ".git",
+  ".vibgrate",
   ".next",
   "dist",
   "build",
@@ -80,6 +81,7 @@ async function writeTextFile(filePath, content) {
 }
 
 // src/scoring/drift-score.ts
+import * as crypto from "crypto";
 var DEFAULT_THRESHOLDS = {
   failOnError: {
     eolDays: 180,
@@ -274,6 +276,10 @@ function generateFindings(projects, config) {
   }
   return findings;
 }
+function computeProjectId(relativePath, projectName, workspaceId) {
+  const input = workspaceId ? `${relativePath}:${projectName}:${workspaceId}` : `${relativePath}:${projectName}`;
+  return crypto.createHash("sha256").update(input).digest("hex").slice(0, 16);
+}
 
 // src/version.ts
 import { createRequire } from "module";
@@ -553,10 +559,17 @@ function generatePriorityActions(artifact) {
   );
   if (eolProjects.length > 0) {
     const names = eolProjects.map((p) => p.name).join(", ");
-    const runtimes = eolProjects.map((p) => `${p.runtime} \u2192 ${p.runtimeLatest}`).join(", ");
+    let detail = `End-of-life runtimes no longer receive security patches and block ecosystem upgrades.`;
+    const fileLines = [];
+    for (const p of eolProjects) {
+      fileLines.push(`
+     ./${p.path}`);
+      fileLines.push(`       ${p.runtime} \u2192 ${p.runtimeLatest} (${p.runtimeMajorsBehind} major${p.runtimeMajorsBehind > 1 ? "s" : ""} behind)`);
+    }
+    detail += fileLines.join("");
     actions.push({
       title: `Upgrade EOL runtime${eolProjects.length > 1 ? "s" : ""} in ${names}`,
-      explanation: `${runtimes}. End-of-life runtimes no longer receive security patches and block ecosystem upgrades.`,
+      explanation: detail,
       impact: `+${Math.min(eolProjects.length * 10, 30)} points (runtime & EOL scores)`,
       severity: 100
     });
@@ -565,16 +578,30 @@ function generatePriorityActions(artifact) {
   for (const p of artifact.projects) {
     for (const fw of p.frameworks) {
       if (fw.majorsBehind !== null && fw.majorsBehind >= 3) {
-        severeFrameworks.push({ name: fw.name, fw: `${fw.currentVersion} \u2192 ${fw.latestVersion}`, behind: fw.majorsBehind, project: p.name });
+        severeFrameworks.push({ name: fw.name, fw: `${fw.currentVersion} \u2192 ${fw.latestVersion}`, behind: fw.majorsBehind, project: p.name, projectPath: p.path });
       }
     }
   }
   if (severeFrameworks.length > 0) {
     const worst = severeFrameworks.sort((a, b) => b.behind - a.behind)[0];
     const others = severeFrameworks.length > 1 ? ` (+${severeFrameworks.length - 1} more)` : "";
+    let detail = `${worst.behind} major versions behind. Major framework drift increases breaking change risk and blocks access to security fixes and performance improvements.`;
+    const fileLines = [];
+    let shown = 0;
+    for (const sf of severeFrameworks) {
+      if (shown >= 8) break;
+      fileLines.push(`
+     ./${sf.projectPath}`);
+      fileLines.push(`       ${sf.name}: ${sf.fw} (${sf.behind} major${sf.behind > 1 ? "s" : ""} behind)`);
+      shown++;
+    }
+    const remaining = severeFrameworks.length - shown;
+    detail += fileLines.join("");
+    if (remaining > 0) detail += `
+     ... and ${remaining} more`;
     actions.push({
       title: `Upgrade ${worst.name} ${worst.fw} in ${worst.project}${others}`,
-      explanation: `${worst.behind} major versions behind. Major framework drift increases breaking change risk and blocks access to security fixes and performance improvements.`,
+      explanation: detail,
       impact: `+5\u201315 points (framework score)`,
       severity: 90
     });
@@ -585,9 +612,28 @@ function generatePriorityActions(artifact) {
     if (total === 0) continue;
     const twoPlusPct = Math.round(b.twoPlusBehind / total * 100);
     if (twoPlusPct >= 40) {
+      let detail = `${b.twoPlusBehind} of ${total} dependencies are 2+ majors behind. Run \`npm outdated\` and prioritise packages with known CVEs or breaking API changes.`;
+      const worstDeps = p.dependencies.filter((d) => d.majorsBehind !== null && d.majorsBehind >= 2).sort((a, b2) => (b2.majorsBehind ?? 0) - (a.majorsBehind ?? 0));
+      if (worstDeps.length > 0) {
+        const depLines = [];
+        let shown = 0;
+        depLines.push(`
+     ./${p.path}`);
+        for (const dep of worstDeps) {
+          if (shown >= 8) break;
+          const current = dep.resolvedVersion ?? dep.currentSpec;
+          const latest = dep.latestStable ?? "?";
+          depLines.push(`       ${dep.package}: ${current} \u2192 ${latest} (${dep.majorsBehind} major${dep.majorsBehind > 1 ? "s" : ""} behind)`);
+          shown++;
+        }
+        const remaining = worstDeps.length - shown;
+        detail += depLines.join("");
+        if (remaining > 0) detail += `
+     ... and ${remaining} more`;
+      }
       actions.push({
         title: `Reduce dependency rot in ${p.name} (${twoPlusPct}% severely outdated)`,
-        explanation: `${b.twoPlusBehind} of ${total} dependencies are 2+ majors behind. Run \`npm outdated\` and prioritise packages with known CVEs or breaking API changes.`,
+        explanation: detail,
         impact: `+5\u201310 points (dependency score)`,
         severity: 80 + twoPlusPct / 10
       });
@@ -597,7 +643,7 @@ function generatePriorityActions(artifact) {
   for (const p of artifact.projects) {
     for (const fw of p.frameworks) {
       if (fw.majorsBehind === 2) {
-        twoMajorFrameworks.push({ name: fw.name, project: p.name, fw: `${fw.currentVersion} \u2192 ${fw.latestVersion}` });
+        twoMajorFrameworks.push({ name: fw.name, project: p.name, projectPath: p.path, fw: `${fw.currentVersion} \u2192 ${fw.latestVersion}` });
       }
     }
   }
@@ -605,9 +651,23 @@ function generatePriorityActions(artifact) {
   if (uniqueTwo.length > 0) {
     const list = uniqueTwo.slice(0, 3).map((f) => `${f.name} (${f.fw})`).join(", ");
     const moreCount = uniqueTwo.length > 3 ? ` +${uniqueTwo.length - 3} more` : "";
+    let detail = `These frameworks are 2 major versions behind. Create upgrade tickets and check migration guides \u2014 the gap will widen with each new release.`;
+    const fileLines = [];
+    let shown = 0;
+    for (const tf of twoMajorFrameworks) {
+      if (shown >= 8) break;
+      fileLines.push(`
+     ./${tf.projectPath}`);
+      fileLines.push(`       ${tf.name}: ${tf.fw}`);
+      shown++;
+    }
+    const remaining = twoMajorFrameworks.length - shown;
+    detail += fileLines.join("");
+    if (remaining > 0) detail += `
+     ... and ${remaining} more`;
     actions.push({
       title: `Plan major framework upgrades: ${list}${moreCount}`,
-      explanation: `These frameworks are 2 major versions behind. Create upgrade tickets and check migration guides \u2014 the gap will widen with each new release.`,
+      explanation: detail,
       impact: `+5\u201310 points (framework score)`,
       severity: 60
     });
@@ -618,9 +678,31 @@ function generatePriorityActions(artifact) {
     if (total > 0) {
       const items = [...bc.deprecatedPackages, ...bc.legacyPolyfills].slice(0, 5).join(", ");
       const moreCount = total > 5 ? ` +${total - 5} more` : "";
+      let detail = `${total} package${total !== 1 ? "s" : ""} are deprecated or legacy polyfills. These receive no updates and may have known vulnerabilities.`;
+      const allPkgNames = /* @__PURE__ */ new Set([...bc.deprecatedPackages, ...bc.legacyPolyfills]);
+      const fileLines = [];
+      let shown = 0;
+      for (const p of artifact.projects) {
+        const matches = p.dependencies.filter((d) => allPkgNames.has(d.package));
+        if (matches.length === 0) continue;
+        if (shown >= 10) break;
+        fileLines.push(`
+     ./${p.path}`);
+        for (const dep of matches) {
+          if (shown >= 10) break;
+          const ver = dep.resolvedVersion ?? dep.currentSpec;
+          const label = bc.deprecatedPackages.includes(dep.package) ? "deprecated" : "polyfill";
+          fileLines.push(`       ${dep.package}: ${ver} (${label})`);
+          shown++;
+        }
+      }
+      const remaining = total - shown;
+      detail += fileLines.join("");
+      if (remaining > 0) detail += `
+     ... and ${remaining} more`;
       actions.push({
         title: `Replace deprecated/legacy packages: ${items}${moreCount}`,
-        explanation: `${total} package${total !== 1 ? "s" : ""} are deprecated or legacy polyfills. These receive no updates and may have known vulnerabilities.`,
+        explanation: detail,
         severity: 55
       });
     }
@@ -667,9 +749,20 @@ function generatePriorityActions(artifact) {
       const issues = [];
       if (sec.envFilesTracked) issues.push(".env files are tracked in git");
       if (!sec.lockfilePresent) issues.push("no lockfile found");
+      let detail;
+      if (sec.envFilesTracked) {
+        detail = "Environment files may contain secrets. Add them to .gitignore and rotate any exposed credentials immediately.";
+        detail += "\n     ./.gitignore";
+        detail += "\n       Add: .env, .env.*, .env.local";
+      } else {
+        detail = "Without a lockfile, installs are non-deterministic. Run the install command to generate one and commit it.";
+        detail += "\n     ./";
+        detail += `
+       Missing: ${sec.lockfileTypes.length > 0 ? sec.lockfileTypes.join(", ") + " (multiple types detected)" : "package-lock.json, pnpm-lock.yaml, or yarn.lock"}`;
+      }
       actions.push({
         title: `Fix security posture: ${issues.join(", ")}`,
-        explanation: sec.envFilesTracked ? "Environment files may contain secrets. Add them to .gitignore and rotate any exposed credentials immediately." : "Without a lockfile, installs are non-deterministic. Run the install command to generate one and commit it.",
+        explanation: detail,
         severity: 95
       });
     }
@@ -679,9 +772,22 @@ function generatePriorityActions(artifact) {
     const highImpactDupes = dupes.filter((d) => d.versions.length >= 3);
     if (highImpactDupes.length >= 3) {
       const names = highImpactDupes.slice(0, 4).map((d) => `${d.name} (${d.versions.length}v)`).join(", ");
+      let detail = `${highImpactDupes.length} packages have 3+ versions installed. Run \`npm dedupe\` to reduce bundle size and install time.`;
+      const dupeLines = [];
+      let shown = 0;
+      for (const d of highImpactDupes) {
+        if (shown >= 8) break;
+        dupeLines.push(`
+       ${d.name}: ${d.versions.join(", ")} (${d.consumers} consumer${d.consumers !== 1 ? "s" : ""})`);
+        shown++;
+      }
+      const remaining = highImpactDupes.length - shown;
+      detail += dupeLines.join("");
+      if (remaining > 0) detail += `
+     ... and ${remaining} more`;
       actions.push({
         title: `Deduplicate heavily-versioned packages`,
-        explanation: `${highImpactDupes.length} packages have 3+ versions installed: ${names}. Run \`npm dedupe\` to reduce bundle size and install time.`,
+        explanation: detail,
         severity: 35
       });
     }
@@ -772,13 +878,146 @@ function toSarifResult(finding) {
   };
 }
 
-// src/commands/scan.ts
-import * as path12 from "path";
+// src/commands/dsn.ts
+import * as crypto2 from "crypto";
+import * as path2 from "path";
 import { Command } from "commander";
+import chalk2 from "chalk";
+var REGION_HOSTS = {
+  us: "us.ingest.vibgrate.com",
+  eu: "eu.ingest.vibgrate.com"
+};
+function resolveIngestHost(region, ingest) {
+  if (ingest) {
+    try {
+      return new URL(ingest).host;
+    } catch {
+      throw new Error(`Invalid ingest URL: ${ingest}`);
+    }
+  }
+  const r = (region ?? "us").toLowerCase();
+  const host = REGION_HOSTS[r];
+  if (!host) {
+    throw new Error(`Unknown region "${r}". Supported: ${Object.keys(REGION_HOSTS).join(", ")}`);
+  }
+  return host;
+}
+var dsnCommand = new Command("dsn").description("Manage DSN tokens");
+dsnCommand.command("create").description("Create a new DSN token").option("--ingest <url>", "Ingest API URL (overrides --region)").option("--region <region>", "Data residency region (us, eu)", "us").requiredOption("--workspace <id>", "Workspace ID").option("--write <path>", "Write DSN to file").action(async (opts) => {
+  const keyId = crypto2.randomBytes(8).toString("hex");
+  const secret = crypto2.randomBytes(32).toString("hex");
+  let ingestHost;
+  try {
+    ingestHost = resolveIngestHost(opts.region, opts.ingest);
+  } catch (e) {
+    console.error(chalk2.red(e instanceof Error ? e.message : String(e)));
+    process.exit(1);
+  }
+  const dsn = `vibgrate+https://${keyId}:${secret}@${ingestHost}/${opts.workspace}`;
+  console.log(chalk2.green("\u2714") + " DSN created");
+  console.log("");
+  console.log(chalk2.bold("DSN:"));
+  console.log(`  ${dsn}`);
+  console.log("");
+  console.log(chalk2.bold("Key ID:"));
+  console.log(`  ${keyId}`);
+  console.log("");
+  console.log(chalk2.dim("Set this as VIBGRATE_DSN in your CI environment."));
+  console.log(chalk2.dim("The secret must be registered on your Vibgrate ingest API."));
+  if (opts.write) {
+    const writePath = path2.resolve(opts.write);
+    await writeTextFile(writePath, dsn + "\n");
+    console.log("");
+    console.log(chalk2.green("\u2714") + ` DSN written to ${opts.write}`);
+    console.log(chalk2.yellow("\u26A0") + " Add this file to .gitignore!");
+  }
+});
+
+// src/commands/push.ts
+import * as crypto3 from "crypto";
+import * as path3 from "path";
+import { Command as Command2 } from "commander";
 import chalk3 from "chalk";
+function parseDsn(dsn) {
+  const match = dsn.match(/^vibgrate\+https:\/\/([^:]+):([^@]+)@([^/]+)\/(.+)$/);
+  if (!match) return null;
+  return {
+    keyId: match[1],
+    secret: match[2],
+    host: match[3],
+    workspaceId: match[4]
+  };
+}
+function computeHmac(body, secret) {
+  return crypto3.createHmac("sha256", secret).update(body).digest("base64");
+}
+var pushCommand = new Command2("push").description("Push scan results to Vibgrate API").option("--dsn <dsn>", "DSN token (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region (us, eu)").option("--file <file>", "Scan artifact file", ".vibgrate/scan_result.json").option("--strict", "Fail on upload errors").action(async (opts) => {
+  const dsn = opts.dsn || process.env.VIBGRATE_DSN;
+  if (!dsn) {
+    console.error(chalk3.red("No DSN provided."));
+    console.error(chalk3.dim("Set VIBGRATE_DSN environment variable or use --dsn flag."));
+    if (opts.strict) process.exit(1);
+    return;
+  }
+  const parsed = parseDsn(dsn);
+  if (!parsed) {
+    console.error(chalk3.red("Invalid DSN format."));
+    console.error(chalk3.dim("Expected: vibgrate+https://<key_id>:<secret>@<host>/<workspace_id>"));
+    if (opts.strict) process.exit(1);
+    return;
+  }
+  const filePath = path3.resolve(opts.file);
+  if (!await pathExists(filePath)) {
+    console.error(chalk3.red(`Scan artifact not found: ${filePath}`));
+    console.error(chalk3.dim('Run "vibgrate scan" first.'));
+    if (opts.strict) process.exit(1);
+    return;
+  }
+  const body = await readTextFile(filePath);
+  const timestamp = String(Date.now());
+  const hmac = computeHmac(body, parsed.secret);
+  let host = parsed.host;
+  if (opts.region) {
+    try {
+      host = resolveIngestHost(opts.region);
+    } catch (e) {
+      console.error(chalk3.red(e instanceof Error ? e.message : String(e)));
+      if (opts.strict) process.exit(1);
+      return;
+    }
+  }
+  const url = `https://${host}/v1/ingest/scan`;
+  console.log(chalk3.dim(`Uploading to ${host}...`));
+  try {
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Vibgrate-Timestamp": timestamp,
+        "Authorization": `VibgrateDSN ${parsed.keyId}:${hmac}`
+      },
+      body
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`HTTP ${response.status}: ${text}`);
+    }
+    const result = await response.json();
+    console.log(chalk3.green("\u2714") + ` Uploaded successfully (${result.ingestId ?? "ok"})`);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    console.error(chalk3.red(`Upload failed: ${msg}`));
+    if (opts.strict) process.exit(1);
+  }
+});
+
+// src/commands/scan.ts
+import * as path14 from "path";
+import { Command as Command3 } from "commander";
+import chalk5 from "chalk";
 
 // src/scanners/node-scanner.ts
-import * as path2 from "path";
+import * as path4 from "path";
 import * as semver2 from "semver";
 
 // src/scanners/npm-cache.ts
@@ -793,7 +1032,7 @@ function maxStable(versions) {
   return stable.sort(semver.rcompare)[0] ?? null;
 }
 async function npmViewJson(args, cwd) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve6, reject) => {
     const child = spawn("npm", ["view", ...args, "--json"], {
       cwd,
       stdio: ["ignore", "pipe", "pipe"]
@@ -810,13 +1049,13 @@ async function npmViewJson(args, cwd) {
       }
       const trimmed = out.trim();
       if (!trimmed) {
-        resolve4(null);
+        resolve6(null);
         return;
       }
       try {
-        resolve4(JSON.parse(trimmed));
+        resolve6(JSON.parse(trimmed));
       } catch {
-        resolve4(trimmed.replace(/^"|"$/g, ""));
+        resolve6(trimmed.replace(/^"|"$/g, ""));
       }
     });
   });
@@ -968,8 +1207,8 @@ async function scanNodeProjects(rootDir, npmCache) {
 }
 async function scanOnePackageJson(packageJsonPath, rootDir, npmCache) {
   const pj = await readJsonFile(packageJsonPath);
-  const absProjectPath = path2.dirname(packageJsonPath);
-  const projectPath = path2.relative(rootDir, absProjectPath) || ".";
+  const absProjectPath = path4.dirname(packageJsonPath);
+  const projectPath = path4.relative(rootDir, absProjectPath) || ".";
   const nodeEngine = pj.engines?.node ?? void 0;
   let runtimeLatest;
   let runtimeMajorsBehind;
@@ -1051,7 +1290,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache) {
   return {
     type: "node",
     path: projectPath,
-    name: pj.name ?? path2.basename(absProjectPath),
+    name: pj.name ?? path4.basename(absProjectPath),
     runtime: nodeEngine,
     runtimeLatest,
     runtimeMajorsBehind,
@@ -1062,7 +1301,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache) {
 }
 
 // src/scanners/dotnet-scanner.ts
-import * as path3 from "path";
+import * as path5 from "path";
 import { XMLParser } from "fast-xml-parser";
 var parser = new XMLParser({
   ignoreAttributes: false,
@@ -1263,7 +1502,7 @@ function parseCsproj(xml, filePath) {
   const parsed = parser.parse(xml);
   const project = parsed?.Project;
   if (!project) {
-    return { targetFrameworks: [], packageReferences: [], projectName: path3.basename(filePath, ".csproj") };
+    return { targetFrameworks: [], packageReferences: [], projectName: path5.basename(filePath, ".csproj") };
   }
   const propertyGroups = Array.isArray(project.PropertyGroup) ? project.PropertyGroup : project.PropertyGroup ? [project.PropertyGroup] : [];
   const targetFrameworks = [];
@@ -1291,7 +1530,7 @@ function parseCsproj(xml, filePath) {
   return {
     targetFrameworks: [...new Set(targetFrameworks)],
     packageReferences,
-    projectName: path3.basename(filePath, ".csproj")
+    projectName: path5.basename(filePath, ".csproj")
   };
 }
 async function scanDotnetProjects(rootDir) {
@@ -1301,12 +1540,12 @@ async function scanDotnetProjects(rootDir) {
   for (const slnPath of slnFiles) {
     try {
       const slnContent = await readTextFile(slnPath);
-      const slnDir = path3.dirname(slnPath);
+      const slnDir = path5.dirname(slnPath);
       const projectRegex = /Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"/g;
       let match;
       while ((match = projectRegex.exec(slnContent)) !== null) {
         if (match[1]) {
-          const csprojPath = path3.resolve(slnDir, match[1].replace(/\\/g, "/"));
+          const csprojPath = path5.resolve(slnDir, match[1].replace(/\\/g, "/"));
           slnCsprojPaths.add(csprojPath);
         }
       }
@@ -1362,7 +1601,7 @@ async function scanOneCsproj(csprojPath, rootDir) {
   const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: dependencies.length };
   return {
     type: "dotnet",
-    path: path3.relative(rootDir, path3.dirname(csprojPath)) || ".",
+    path: path5.relative(rootDir, path5.dirname(csprojPath)) || ".",
     name: data.projectName,
     targetFramework,
     runtime: primaryTfm,
@@ -1394,7 +1633,7 @@ var Semaphore = class {
       this.available--;
       return Promise.resolve();
     }
-    return new Promise((resolve4) => this.queue.push(resolve4));
+    return new Promise((resolve6) => this.queue.push(resolve6));
   }
   release() {
     const next = this.queue.shift();
@@ -1404,7 +1643,7 @@ var Semaphore = class {
 };
 
 // src/config.ts
-import * as path4 from "path";
+import * as path6 from "path";
 import * as fs2 from "fs/promises";
 var CONFIG_FILES = [
   "vibgrate.config.ts",
@@ -1427,7 +1666,7 @@ var DEFAULT_CONFIG = {
 };
 async function loadConfig(rootDir) {
   for (const file of CONFIG_FILES) {
-    const configPath = path4.join(rootDir, file);
+    const configPath = path6.join(rootDir, file);
     if (await pathExists(configPath)) {
       if (file.endsWith(".json")) {
         const txt = await readTextFile(configPath);
@@ -1443,7 +1682,7 @@ async function loadConfig(rootDir) {
   return DEFAULT_CONFIG;
 }
 async function writeDefaultConfig(rootDir) {
-  const configPath = path4.join(rootDir, "vibgrate.config.ts");
+  const configPath = path6.join(rootDir, "vibgrate.config.ts");
   const content = `import type { VibgrateConfig } from '@vibgrate/cli';
 
 const config: VibgrateConfig = {
@@ -1468,7 +1707,7 @@ export default config;
 }
 
 // src/utils/vcs.ts
-import * as path5 from "path";
+import * as path7 from "path";
 import * as fs3 from "fs/promises";
 async function detectVcs(rootDir) {
   try {
@@ -1482,7 +1721,7 @@ async function detectGit(rootDir) {
   if (!gitDir) {
     return { type: "unknown" };
   }
-  const headPath = path5.join(gitDir, "HEAD");
+  const headPath = path7.join(gitDir, "HEAD");
   let headContent;
   try {
     headContent = (await fs3.readFile(headPath, "utf8")).trim();
@@ -1506,10 +1745,10 @@ async function detectGit(rootDir) {
   };
 }
 async function findGitDir(startDir) {
-  let dir = path5.resolve(startDir);
-  const root = path5.parse(dir).root;
+  let dir = path7.resolve(startDir);
+  const root = path7.parse(dir).root;
   while (dir !== root) {
-    const gitPath = path5.join(dir, ".git");
+    const gitPath = path7.join(dir, ".git");
     try {
       const stat3 = await fs3.stat(gitPath);
       if (stat3.isDirectory()) {
@@ -1518,18 +1757,18 @@ async function findGitDir(startDir) {
       if (stat3.isFile()) {
         const content = (await fs3.readFile(gitPath, "utf8")).trim();
         if (content.startsWith("gitdir: ")) {
-          const resolved = path5.resolve(dir, content.slice(8));
+          const resolved = path7.resolve(dir, content.slice(8));
           return resolved;
         }
       }
     } catch {
     }
-    dir = path5.dirname(dir);
+    dir = path7.dirname(dir);
   }
   return null;
 }
 async function resolveRef(gitDir, refPath) {
-  const loosePath = path5.join(gitDir, refPath);
+  const loosePath = path7.join(gitDir, refPath);
   try {
     const sha = (await fs3.readFile(loosePath, "utf8")).trim();
     if (/^[0-9a-f]{40}$/i.test(sha)) {
@@ -1537,7 +1776,7 @@ async function resolveRef(gitDir, refPath) {
     }
   } catch {
   }
-  const packedPath = path5.join(gitDir, "packed-refs");
+  const packedPath = path7.join(gitDir, "packed-refs");
   try {
     const packed = await fs3.readFile(packedPath, "utf8");
     for (const line of packed.split("\n")) {
@@ -1553,16 +1792,16 @@ async function resolveRef(gitDir, refPath) {
 }
 
 // src/ui/progress.ts
-import chalk2 from "chalk";
+import chalk4 from "chalk";
 var ROBOT = [
-  chalk2.cyan("    \u256D\u2500\u2500\u2500\u256E") + chalk2.greenBright("\u279C"),
-  chalk2.cyan("   \u256D\u2524") + chalk2.greenBright("\u25C9 \u25C9") + chalk2.cyan("\u251C\u256E"),
-  chalk2.cyan("   \u2570\u2524") + chalk2.dim("\u2500\u2500\u2500") + chalk2.cyan("\u251C\u256F"),
-  chalk2.cyan("    \u2570\u2500\u2500\u2500\u256F")
+  chalk4.cyan("    \u256D\u2500\u2500\u2500\u256E") + chalk4.greenBright("\u279C"),
+  chalk4.cyan("   \u256D\u2524") + chalk4.greenBright("\u25C9 \u25C9") + chalk4.cyan("\u251C\u256E"),
+  chalk4.cyan("   \u2570\u2524") + chalk4.dim("\u2500\u2500\u2500") + chalk4.cyan("\u251C\u256F"),
+  chalk4.cyan("    \u2570\u2500\u2500\u2500\u256F")
 ];
 var BRAND = [
-  chalk2.bold.white("  V I B G R A T E"),
-  chalk2.dim(`  Drift Intelligence Engine`) + chalk2.dim(` v${VERSION}`)
+  chalk4.bold.white("  V I B G R A T E"),
+  chalk4.dim(`  Drift Intelligence Engine`) + chalk4.dim(` v${VERSION}`)
 ];
 var SPINNER_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
 var ScanProgress = class {
@@ -1656,7 +1895,7 @@ var ScanProgress = class {
     const elapsed = ((Date.now() - this.startTime) / 1e3).toFixed(1);
     const doneCount = this.steps.filter((s) => s.status === "done").length;
     process.stderr.write(
-      chalk2.dim(`  \u2714 ${doneCount} scanners completed in ${elapsed}s
+      chalk4.dim(`  \u2714 ${doneCount} scanners completed in ${elapsed}s
 
 `)
     );
@@ -1688,16 +1927,16 @@ var ScanProgress = class {
     lines.push(`  ${ROBOT[0]}  ${BRAND[0]}`);
     lines.push(`  ${ROBOT[1]}  ${BRAND[1]}`);
     lines.push(`  ${ROBOT[2]}`);
-    lines.push(`  ${ROBOT[3]}  ${chalk2.dim(this.rootDir)}`);
+    lines.push(`  ${ROBOT[3]}  ${chalk4.dim(this.rootDir)}`);
     lines.push("");
     const totalSteps = this.steps.length;
     const doneSteps = this.steps.filter((s) => s.status === "done" || s.status === "skipped").length;
     const pct = totalSteps > 0 ? Math.round(doneSteps / totalSteps * 100) : 0;
     const barWidth = 30;
     const filled = Math.round(doneSteps / Math.max(totalSteps, 1) * barWidth);
-    const bar = chalk2.greenBright("\u2501".repeat(filled)) + chalk2.dim("\u254C".repeat(barWidth - filled));
+    const bar = chalk4.greenBright("\u2501".repeat(filled)) + chalk4.dim("\u254C".repeat(barWidth - filled));
     const elapsed = ((Date.now() - this.startTime) / 1e3).toFixed(1);
-    lines.push(`  ${bar} ${chalk2.bold.white(`${pct}%`)} ${chalk2.dim(`${elapsed}s`)}`);
+    lines.push(`  ${bar} ${chalk4.bold.white(`${pct}%`)} ${chalk4.dim(`${elapsed}s`)}`);
     lines.push("");
     for (const step of this.steps) {
       lines.push(this.renderStep(step));
@@ -1716,27 +1955,27 @@ var ScanProgress = class {
     let detail = "";
     switch (step.status) {
       case "done":
-        icon = chalk2.green("\u2714");
-        label = chalk2.white(step.label);
+        icon = chalk4.green("\u2714");
+        label = chalk4.white(step.label);
         break;
       case "active":
-        icon = chalk2.cyan(spinner);
-        label = chalk2.bold.white(step.label);
+        icon = chalk4.cyan(spinner);
+        label = chalk4.bold.white(step.label);
         break;
       case "skipped":
-        icon = chalk2.dim("\u25CC");
-        label = chalk2.dim.strikethrough(step.label);
+        icon = chalk4.dim("\u25CC");
+        label = chalk4.dim.strikethrough(step.label);
         break;
       default:
-        icon = chalk2.dim("\u25CB");
-        label = chalk2.dim(step.label);
+        icon = chalk4.dim("\u25CB");
+        label = chalk4.dim(step.label);
         break;
     }
     if (step.detail) {
-      detail = chalk2.dim(` \xB7 ${step.detail}`);
+      detail = chalk4.dim(` \xB7 ${step.detail}`);
     }
     if (step.count !== void 0 && step.count > 0) {
-      detail += chalk2.cyan(` (${step.count})`);
+      detail += chalk4.cyan(` (${step.count})`);
     }
     return `  ${icon} ${label}${detail}`;
   }
@@ -1748,18 +1987,18 @@ var ScanProgress = class {
     const e = this.stats.findings.errors;
     const n = this.stats.findings.notes;
     const parts = [
-      chalk2.bold.white(`  ${p}`) + chalk2.dim(` project${p !== 1 ? "s" : ""}`),
-      chalk2.white(`${d}`) + chalk2.dim(` dep${d !== 1 ? "s" : ""}`),
-      chalk2.white(`${f}`) + chalk2.dim(` framework${f !== 1 ? "s" : ""}`)
+      chalk4.bold.white(`  ${p}`) + chalk4.dim(` project${p !== 1 ? "s" : ""}`),
+      chalk4.white(`${d}`) + chalk4.dim(` dep${d !== 1 ? "s" : ""}`),
+      chalk4.white(`${f}`) + chalk4.dim(` framework${f !== 1 ? "s" : ""}`)
     ];
     const findingParts = [];
-    if (e > 0) findingParts.push(chalk2.red(`${e} \u2716`));
-    if (w > 0) findingParts.push(chalk2.yellow(`${w} \u26A0`));
-    if (n > 0) findingParts.push(chalk2.blue(`${n} \u2139`));
+    if (e > 0) findingParts.push(chalk4.red(`${e} \u2716`));
+    if (w > 0) findingParts.push(chalk4.yellow(`${w} \u26A0`));
+    if (n > 0) findingParts.push(chalk4.blue(`${n} \u2139`));
     if (findingParts.length > 0) {
-      parts.push(findingParts.join(chalk2.dim(" \xB7 ")));
+      parts.push(findingParts.join(chalk4.dim(" \xB7 ")));
     }
-    return `  ${chalk2.dim("\u2503")} ${parts.join(chalk2.dim(" \u2502 "))}`;
+    return `  ${chalk4.dim("\u2503")} ${parts.join(chalk4.dim(" \u2502 "))}`;
   }
   /** Simple CI-friendly output (no ANSI rewriting) */
   lastCIStep = null;
@@ -1778,7 +2017,7 @@ var ScanProgress = class {
 };
 
 // src/scanners/platform-matrix.ts
-import * as path6 from "path";
+import * as path8 from "path";
 var NATIVE_MODULE_PACKAGES = /* @__PURE__ */ new Set([
   // Image / media processing
   "sharp",
@@ -2055,7 +2294,7 @@ async function scanPlatformMatrix(rootDir) {
   }
   result.dockerBaseImages = [...baseImages].sort();
   for (const file of [".nvmrc", ".node-version", ".tool-versions"]) {
-    if (await pathExists(path6.join(rootDir, file))) {
+    if (await pathExists(path8.join(rootDir, file))) {
       result.nodeVersionFiles.push(file);
     }
   }
@@ -2131,7 +2370,7 @@ function scanDependencyRisk(projects) {
 }
 
 // src/scanners/dependency-graph.ts
-import * as path7 from "path";
+import * as path9 from "path";
 function parsePnpmLock(content) {
   const entries = [];
   const regex = /^\s+\/?(@?[^@\s][^@\s]*?)@(\d+\.\d+\.\d+[^:\s]*)\s*:/gm;
@@ -2190,9 +2429,9 @@ async function scanDependencyGraph(rootDir) {
     phantomDependencies: []
   };
   let entries = [];
-  const pnpmLock = path7.join(rootDir, "pnpm-lock.yaml");
-  const npmLock = path7.join(rootDir, "package-lock.json");
-  const yarnLock = path7.join(rootDir, "yarn.lock");
+  const pnpmLock = path9.join(rootDir, "pnpm-lock.yaml");
+  const npmLock = path9.join(rootDir, "package-lock.json");
+  const yarnLock = path9.join(rootDir, "yarn.lock");
   if (await pathExists(pnpmLock)) {
     result.lockfileType = "pnpm";
     const content = await readTextFile(pnpmLock);
@@ -2237,7 +2476,7 @@ async function scanDependencyGraph(rootDir) {
   for (const pjPath of pkgFiles) {
     try {
       const pj = await readJsonFile(pjPath);
-      const relPath = path7.relative(rootDir, pjPath);
+      const relPath = path9.relative(rootDir, pjPath);
       for (const section of ["dependencies", "devDependencies"]) {
         const deps = pj[section];
         if (!deps) continue;
@@ -2583,7 +2822,7 @@ function scanToolingInventory(projects) {
 }
 
 // src/scanners/build-deploy.ts
-import * as path8 from "path";
+import * as path10 from "path";
 var CI_FILES = {
   ".github/workflows": "github-actions",
   ".gitlab-ci.yml": "gitlab-ci",
@@ -2633,12 +2872,12 @@ async function scanBuildDeploy(rootDir) {
   };
   const ciSystems = /* @__PURE__ */ new Set();
   for (const [file, system] of Object.entries(CI_FILES)) {
-    const fullPath = path8.join(rootDir, file);
+    const fullPath = path10.join(rootDir, file);
     if (await pathExists(fullPath)) {
       ciSystems.add(system);
     }
   }
-  const ghWorkflowDir = path8.join(rootDir, ".github", "workflows");
+  const ghWorkflowDir = path10.join(rootDir, ".github", "workflows");
   if (await pathExists(ghWorkflowDir)) {
     try {
       const files = await findFiles(
@@ -2686,11 +2925,11 @@ async function scanBuildDeploy(rootDir) {
     (name) => name.endsWith(".cfn.json") || name.endsWith(".cfn.yaml")
   );
   if (cfnFiles.length > 0) iacSystems.add("cloudformation");
-  if (await pathExists(path8.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
+  if (await pathExists(path10.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
   result.iac = [...iacSystems].sort();
   const releaseTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(RELEASE_FILES)) {
-    if (await pathExists(path8.join(rootDir, file))) releaseTools.add(tool);
+    if (await pathExists(path10.join(rootDir, file))) releaseTools.add(tool);
   }
   const pkgFiles = await findPackageJsonFiles(rootDir);
   for (const pjPath of pkgFiles) {
@@ -2715,19 +2954,19 @@ async function scanBuildDeploy(rootDir) {
   };
   const managers = /* @__PURE__ */ new Set();
   for (const [file, manager] of Object.entries(lockfileMap)) {
-    if (await pathExists(path8.join(rootDir, file))) managers.add(manager);
+    if (await pathExists(path10.join(rootDir, file))) managers.add(manager);
   }
   result.packageManagers = [...managers].sort();
   const monoTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(MONOREPO_FILES)) {
-    if (await pathExists(path8.join(rootDir, file))) monoTools.add(tool);
+    if (await pathExists(path10.join(rootDir, file))) monoTools.add(tool);
   }
   result.monorepoTools = [...monoTools].sort();
   return result;
 }
 
 // src/scanners/ts-modernity.ts
-import * as path9 from "path";
+import * as path11 from "path";
 async function scanTsModernity(rootDir) {
   const result = {
     typescriptVersion: null,
@@ -2765,7 +3004,7 @@ async function scanTsModernity(rootDir) {
   if (hasEsm && hasCjs) result.moduleType = "mixed";
   else if (hasEsm) result.moduleType = "esm";
   else if (hasCjs) result.moduleType = "cjs";
-  let tsConfigPath = path9.join(rootDir, "tsconfig.json");
+  let tsConfigPath = path11.join(rootDir, "tsconfig.json");
   if (!await pathExists(tsConfigPath)) {
     const tsConfigs = await findFiles(rootDir, (name) => name === "tsconfig.json");
     if (tsConfigs.length > 0) {
@@ -3111,7 +3350,7 @@ function scanBreakingChangeExposure(projects) {
 
 // src/scanners/file-hotspots.ts
 import * as fs4 from "fs/promises";
-import * as path10 from "path";
+import * as path12 from "path";
 var SKIP_DIRS2 = /* @__PURE__ */ new Set([
   "node_modules",
   ".git",
@@ -3166,15 +3405,15 @@ async function scanFileHotspots(rootDir) {
     for (const e of entries) {
       if (e.isDirectory) {
         if (SKIP_DIRS2.has(e.name)) continue;
-        await walk(path10.join(dir, e.name), depth + 1);
+        await walk(path12.join(dir, e.name), depth + 1);
       } else if (e.isFile) {
-        const ext = path10.extname(e.name).toLowerCase();
+        const ext = path12.extname(e.name).toLowerCase();
         if (SKIP_EXTENSIONS.has(ext)) continue;
         extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
         try {
-          const stat3 = await fs4.stat(path10.join(dir, e.name));
+          const stat3 = await fs4.stat(path12.join(dir, e.name));
           allFiles.push({
-            path: path10.relative(rootDir, path10.join(dir, e.name)),
+            path: path12.relative(rootDir, path12.join(dir, e.name)),
             bytes: stat3.size
           });
         } catch {
@@ -3196,7 +3435,7 @@ async function scanFileHotspots(rootDir) {
 }
 
 // src/scanners/security-posture.ts
-import * as path11 from "path";
+import * as path13 from "path";
 var LOCKFILES = {
   "pnpm-lock.yaml": "pnpm",
   "package-lock.json": "npm",
@@ -3215,14 +3454,14 @@ async function scanSecurityPosture(rootDir) {
   };
   const foundLockfiles = [];
   for (const [file, type] of Object.entries(LOCKFILES)) {
-    if (await pathExists(path11.join(rootDir, file))) {
+    if (await pathExists(path13.join(rootDir, file))) {
       foundLockfiles.push(type);
     }
   }
   result.lockfilePresent = foundLockfiles.length > 0;
   result.multipleLockfileTypes = foundLockfiles.length > 1;
   result.lockfileTypes = foundLockfiles.sort();
-  const gitignorePath = path11.join(rootDir, ".gitignore");
+  const gitignorePath = path13.join(rootDir, ".gitignore");
   if (await pathExists(gitignorePath)) {
     try {
       const content = await readTextFile(gitignorePath);
@@ -3237,7 +3476,7 @@ async function scanSecurityPosture(rootDir) {
     }
   }
   for (const envFile of [".env", ".env.local", ".env.development", ".env.production"]) {
-    if (await pathExists(path11.join(rootDir, envFile))) {
+    if (await pathExists(path13.join(rootDir, envFile))) {
       if (!result.gitignoreCoversEnv) {
         result.envFilesTracked = true;
         break;
@@ -3715,6 +3954,13 @@ async function runScan(rootDir, opts) {
   progress.addProjects(dotnetProjects.length);
   progress.completeStep("dotnet", `${dotnetProjects.length} project${dotnetProjects.length !== 1 ? "s" : ""}`, dotnetProjects.length);
   const allProjects = [...nodeProjects, ...dotnetProjects];
+  const dsn = opts.dsn || process.env.VIBGRATE_DSN;
+  const parsedDsn = dsn ? parseDsn(dsn) : null;
+  const workspaceId = parsedDsn?.workspaceId;
+  for (const project of allProjects) {
+    project.drift = computeDriftScore([project]);
+    project.projectId = computeProjectId(project.path, project.name, workspaceId);
+  }
   const extended = {};
   if (scanners !== false) {
     const scannerTasks = [];
@@ -3852,7 +4098,7 @@ async function runScan(rootDir, opts) {
   progress.completeStep("findings", findingParts.join(", ") || "none");
   progress.finish();
   if (allProjects.length === 0) {
-    console.log(chalk3.yellow("No projects found."));
+    console.log(chalk5.yellow("No projects found."));
   }
   if (extended.fileHotspots) filesScanned += extended.fileHotspots.totalFiles;
   if (extended.securityPosture) filesScanned += 1;
@@ -3867,7 +4113,7 @@ async function runScan(rootDir, opts) {
     schemaVersion: "1.0",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     vibgrateVersion: VERSION,
-    rootPath: path12.basename(rootDir),
+    rootPath: path14.basename(rootDir),
     ...vcs.type !== "unknown" ? { vcs } : {},
     projects: allProjects,
     drift,
@@ -3877,25 +4123,44 @@ async function runScan(rootDir, opts) {
     filesScanned
   };
   if (opts.baseline) {
-    const baselinePath = path12.resolve(opts.baseline);
+    const baselinePath = path14.resolve(opts.baseline);
     if (await pathExists(baselinePath)) {
       try {
         const baseline = await readJsonFile(baselinePath);
         artifact.baseline = baselinePath;
         artifact.delta = artifact.drift.score - baseline.drift.score;
       } catch {
-        console.error(chalk3.yellow(`Warning: Could not read baseline file: ${baselinePath}`));
+        console.error(chalk5.yellow(`Warning: Could not read baseline file: ${baselinePath}`));
       }
     }
   }
-  const vibgrateDir = path12.join(rootDir, ".vibgrate");
+  const vibgrateDir = path14.join(rootDir, ".vibgrate");
   await ensureDir(vibgrateDir);
-  await writeJsonFile(path12.join(vibgrateDir, "scan_result.json"), artifact);
+  await writeJsonFile(path14.join(vibgrateDir, "scan_result.json"), artifact);
+  for (const project of allProjects) {
+    if (project.drift && project.path) {
+      const projectDir = path14.resolve(rootDir, project.path);
+      const projectVibgrateDir = path14.join(projectDir, ".vibgrate");
+      await ensureDir(projectVibgrateDir);
+      await writeJsonFile(path14.join(projectVibgrateDir, "project_score.json"), {
+        projectId: project.projectId,
+        name: project.name,
+        type: project.type,
+        path: project.path,
+        score: project.drift.score,
+        riskLevel: project.drift.riskLevel,
+        components: project.drift.components,
+        measured: project.drift.measured,
+        scannedAt: artifact.timestamp,
+        vibgrateVersion: VERSION
+      });
+    }
+  }
   if (opts.format === "json") {
     const jsonStr = JSON.stringify(artifact, null, 2);
     if (opts.out) {
-      await writeTextFile(path12.resolve(opts.out), jsonStr);
-      console.log(chalk3.green("\u2714") + ` JSON written to ${opts.out}`);
+      await writeTextFile(path14.resolve(opts.out), jsonStr);
+      console.log(chalk5.green("\u2714") + ` JSON written to ${opts.out}`);
     } else {
       console.log(jsonStr);
     }
@@ -3903,8 +4168,8 @@ async function runScan(rootDir, opts) {
     const sarif = formatSarif(artifact);
     const sarifStr = JSON.stringify(sarif, null, 2);
     if (opts.out) {
-      await writeTextFile(path12.resolve(opts.out), sarifStr);
-      console.log(chalk3.green("\u2714") + ` SARIF written to ${opts.out}`);
+      await writeTextFile(path14.resolve(opts.out), sarifStr);
+      console.log(chalk5.green("\u2714") + ` SARIF written to ${opts.out}`);
     } else {
       console.log(sarifStr);
     }
@@ -3912,15 +4177,66 @@ async function runScan(rootDir, opts) {
     const text = formatText(artifact);
     console.log(text);
     if (opts.out) {
-      await writeTextFile(path12.resolve(opts.out), text);
+      await writeTextFile(path14.resolve(opts.out), text);
     }
   }
   return artifact;
 }
-var scanCommand = new Command("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").action(async (targetPath, opts) => {
-  const rootDir = path12.resolve(targetPath);
+async function autoPush(artifact, rootDir, opts) {
+  const dsn = opts.dsn || process.env.VIBGRATE_DSN;
+  if (!dsn) {
+    console.error(chalk5.red("No DSN provided for push."));
+    console.error(chalk5.dim("Set VIBGRATE_DSN environment variable or use --dsn flag."));
+    if (opts.strict) process.exit(1);
+    return;
+  }
+  const parsed = parseDsn(dsn);
+  if (!parsed) {
+    console.error(chalk5.red("Invalid DSN format."));
+    if (opts.strict) process.exit(1);
+    return;
+  }
+  const body = JSON.stringify(artifact);
+  const timestamp = String(Date.now());
+  const hmac = computeHmac(body, parsed.secret);
+  let host = parsed.host;
+  if (opts.region) {
+    try {
+      host = resolveIngestHost(opts.region);
+    } catch (e) {
+      console.error(chalk5.red(e instanceof Error ? e.message : String(e)));
+      if (opts.strict) process.exit(1);
+      return;
+    }
+  }
+  const url = `https://${host}/v1/ingest/scan`;
+  console.log(chalk5.dim(`Uploading to ${host}...`));
+  try {
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Vibgrate-Timestamp": timestamp,
+        "Authorization": `VibgrateDSN ${parsed.keyId}:${hmac}`
+      },
+      body
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`HTTP ${response.status}: ${text}`);
+    }
+    const result = await response.json();
+    console.log(chalk5.green("\u2714") + ` Uploaded successfully (${result.ingestId ?? "ok"})`);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    console.error(chalk5.red(`Upload failed: ${msg}`));
+    if (opts.strict) process.exit(1);
+  }
+}
+var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").action(async (targetPath, opts) => {
+  const rootDir = path14.resolve(targetPath);
   if (!await pathExists(rootDir)) {
-    console.error(chalk3.red(`Path does not exist: ${rootDir}`));
+    console.error(chalk5.red(`Path does not exist: ${rootDir}`));
     process.exit(1);
   }
   const scanOpts = {
@@ -3929,38 +4245,45 @@ var scanCommand = new Command("scan").description("Scan a project for upgrade dr
     failOn: opts.failOn,
     baseline: opts.baseline,
     changedOnly: opts.changedOnly,
-    concurrency: parseInt(opts.concurrency, 10) || 8
+    concurrency: parseInt(opts.concurrency, 10) || 8,
+    push: opts.push,
+    dsn: opts.dsn,
+    region: opts.region,
+    strict: opts.strict
   };
   const artifact = await runScan(rootDir, scanOpts);
   if (opts.failOn) {
     const hasErrors = artifact.findings.some((f) => f.level === "error");
     const hasWarnings = artifact.findings.some((f) => f.level === "warning");
     if (opts.failOn === "error" && hasErrors) {
-      console.error(chalk3.red(`
+      console.error(chalk5.red(`
 Failing: ${artifact.findings.filter((f) => f.level === "error").length} error finding(s) detected.`));
       process.exit(2);
     }
     if (opts.failOn === "warn" && (hasErrors || hasWarnings)) {
-      console.error(chalk3.red(`
+      console.error(chalk5.red(`
 Failing: findings detected at warn level or above.`));
       process.exit(2);
     }
   }
+  if (opts.push) {
+    await autoPush(artifact, rootDir, scanOpts);
+  }
 });
 
 export {
   readJsonFile,
-  readTextFile,
   pathExists,
   ensureDir,
   writeJsonFile,
-  writeTextFile,
   writeDefaultConfig,
   computeDriftScore,
   generateFindings,
   VERSION,
   formatText,
   formatSarif,
+  dsnCommand,
+  pushCommand,
   runScan,
   scanCommand
 };