@vibgrate/cli 1.0.20 → 1.0.22

package/dist/{chunk-T6WMUKLV.js → chunk-JFMGFWKC.js}

@@ -1,7 +1,7 @@
 // src/utils/fs.ts
 import * as fs from "fs/promises";
 import * as os from "os";
-import * as path from "path";
+import * as path2 from "path";
 
 // src/utils/semaphore.ts
 var Semaphore = class {
@@ -32,6 +32,86 @@ var Semaphore = class {
   }
 };
 
+// src/utils/glob.ts
+import * as path from "path";
+function compileGlobs(patterns) {
+  if (patterns.length === 0) return null;
+  const matchers = patterns.map((p) => compileOne(normalise(p)));
+  return (relPath) => {
+    const norm = normalise(relPath);
+    return matchers.some((m) => m(norm));
+  };
+}
+function normalise(p) {
+  return p.split(path.sep).join("/").replace(/\/+$/, "");
+}
+function compileOne(pattern) {
+  if (!pattern.includes("/") && !hasGlobChars(pattern)) {
+    const prefix = pattern + "/";
+    return (p) => p === pattern || p.startsWith(prefix);
+  }
+  const re = globToRegex(pattern);
+  return (p) => re.test(p);
+}
+function hasGlobChars(s) {
+  return /[*?[\]{}]/.test(s);
+}
+function globToRegex(pattern) {
+  let i = 0;
+  let re = "^";
+  const len = pattern.length;
+  while (i < len) {
+    const ch = pattern[i];
+    if (ch === "*") {
+      if (pattern[i + 1] === "*") {
+        i += 2;
+        if (pattern[i] === "/") {
+          i++;
+          re += "(?:.+/)?";
+        } else {
+          re += ".*";
+        }
+      } else {
+        i++;
+        re += "[^/]*";
+      }
+    } else if (ch === "?") {
+      i++;
+      re += "[^/]";
+    } else if (ch === "[") {
+      const start = i;
+      i++;
+      while (i < len && pattern[i] !== "]") i++;
+      i++;
+      re += pattern.slice(start, i);
+    } else if (ch === "{") {
+      i++;
+      const alternatives = [];
+      let current = "";
+      while (i < len && pattern[i] !== "}") {
+        if (pattern[i] === ",") {
+          alternatives.push(current);
+          current = "";
+        } else {
+          current += pattern[i];
+        }
+        i++;
+      }
+      alternatives.push(current);
+      i++;
+      re += "(?:" + alternatives.map(escapeRegex).join("|") + ")";
+    } else {
+      re += escapeRegex(ch);
+      i++;
+    }
+  }
+  re += "$";
+  return new RegExp(re);
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
 // src/utils/fs.ts
 var SKIP_DIRS = /* @__PURE__ */ new Set([
   "node_modules",
@@ -60,6 +140,40 @@ var FileCache = class _FileCache {
   jsonCache = /* @__PURE__ */ new Map();
   /** pathExists keyed by absolute path */
   existsCache = /* @__PURE__ */ new Map();
+  /** User-configured exclude predicate (compiled from glob patterns) */
+  excludePredicate = null;
+  /** Directories that were auto-skipped because they were stuck (>60s) */
+  _stuckPaths = [];
+  /** Files skipped because they exceed maxFileSizeToScan */
+  _skippedLargeFiles = [];
+  /** Maximum file size (bytes) we will read. 0 = unlimited. */
+  _maxFileSize = 0;
+  /** Root dir for relative-path computation (set by the first walkDir call) */
+  _rootDir = null;
+  /** Set exclude patterns from config (call once before the walk) */
+  setExcludePatterns(patterns) {
+    this.excludePredicate = compileGlobs(patterns);
+  }
+  /** Set the maximum file size in bytes that readTextFile / readJsonFile will process */
+  setMaxFileSize(bytes) {
+    this._maxFileSize = bytes;
+  }
+  /** Record a path that timed out or was stuck during scanning */
+  addStuckPath(relPath) {
+    this._stuckPaths.push(relPath);
+  }
+  /** Get all paths that were auto-skipped due to being stuck (dirs + scanner files) */
+  get stuckPaths() {
+    return this._stuckPaths;
+  }
+  /** @deprecated Use stuckPaths instead */
+  get stuckDirs() {
+    return this._stuckPaths;
+  }
+  /** Get files that were skipped because they exceeded maxFileSizeToScan */
+  get skippedLargeFiles() {
+    return this._skippedLargeFiles;
+  }
   // ── Directory walking ──
   /**
    * Walk the directory tree from `rootDir` once, skipping SKIP_DIRS plus
@@ -69,43 +183,71 @@ var FileCache = class _FileCache {
    * Consumers that need additional filtering (e.g. SOURCE_EXTENSIONS,
    * SKIP_EXTENSIONS) do so on the returned entries — no separate walk.
    */
-  walkDir(rootDir) {
+  walkDir(rootDir, onProgress) {
+    this._rootDir = rootDir;
     const cached = this.walkCache.get(rootDir);
     if (cached) return cached;
-    const promise = this._doWalk(rootDir);
+    const promise = this._doWalk(rootDir, onProgress);
     this.walkCache.set(rootDir, promise);
     return promise;
   }
   /** Additional dirs skipped only by the cached walk (framework outputs) */
   static EXTRA_SKIP = /* @__PURE__ */ new Set([".nuxt", ".output", ".svelte-kit"]);
-  async _doWalk(rootDir) {
+  async _doWalk(rootDir, onProgress) {
     const results = [];
     const cores = typeof os.availableParallelism === "function" ? os.availableParallelism() : os.cpus().length || 4;
     const maxConcurrentReads = Math.max(8, Math.min(64, cores * 4));
+    let foundCount = 0;
+    let lastReported = 0;
+    const REPORT_INTERVAL = 50;
     const sem = new Semaphore(maxConcurrentReads);
+    const STUCK_TIMEOUT_MS = 6e4;
     const extraSkip = _FileCache.EXTRA_SKIP;
+    const isExcluded = this.excludePredicate;
+    const stuckDirs = this._stuckPaths;
     async function walk(dir) {
+      const relDir = path2.relative(rootDir, dir);
       let entries;
       try {
-        entries = await fs.readdir(dir, { withFileTypes: true });
+        const readPromise = fs.readdir(dir, { withFileTypes: true });
+        const result = await Promise.race([
+          readPromise.then((e) => ({ ok: true, entries: e })),
+          new Promise(
+            (resolve7) => setTimeout(() => resolve7({ ok: false }), STUCK_TIMEOUT_MS)
+          )
+        ]);
+        if (!result.ok) {
+          stuckDirs.push(relDir || dir);
+          return;
+        }
+        entries = result.entries;
       } catch {
         return;
       }
       const subWalks = [];
       for (const e of entries) {
-        const absPath = path.join(dir, e.name);
-        const relPath = path.relative(rootDir, absPath);
+        const absPath = path2.join(dir, e.name);
+        const relPath = path2.relative(rootDir, absPath);
+        if (isExcluded && isExcluded(relPath)) continue;
         if (e.isDirectory()) {
           if (SKIP_DIRS.has(e.name) || extraSkip.has(e.name)) continue;
           results.push({ absPath, relPath, name: e.name, isFile: false, isDirectory: true });
           subWalks.push(sem.run(() => walk(absPath)));
         } else if (e.isFile()) {
           results.push({ absPath, relPath, name: e.name, isFile: true, isDirectory: false });
+          foundCount++;
+          if (onProgress && foundCount - lastReported >= REPORT_INTERVAL) {
+            lastReported = foundCount;
+            onProgress(foundCount, relPath);
+          }
         }
       }
       await Promise.all(subWalks);
     }
     await sem.run(() => walk(rootDir));
+    if (onProgress && foundCount !== lastReported) {
+      onProgress(foundCount, "");
+    }
     return results;
   }
   /**
@@ -130,17 +272,36 @@ var FileCache = class _FileCache {
    * Read a text file. Files ≤ 1 MB are cached so subsequent calls from
    * different scanners return the same string. Files > 1 MB (lockfiles,
    * large generated files) are read directly and never retained.
+   *
+   * If maxFileSizeToScan is set and the file exceeds it, the file is
+   * recorded as skipped and an empty string is returned.
    */
   readTextFile(filePath) {
-    const abs = path.resolve(filePath);
+    const abs = path2.resolve(filePath);
     const cached = this.textCache.get(abs);
     if (cached) return cached;
-    const promise = fs.readFile(abs, "utf8").then((content) => {
+    const maxSize = this._maxFileSize;
+    const skippedLarge = this._skippedLargeFiles;
+    const rootDir = this._rootDir;
+    const promise = (async () => {
+      if (maxSize > 0) {
+        try {
+          const stat4 = await fs.stat(abs);
+          if (stat4.size > maxSize) {
+            const rel = rootDir ? path2.relative(rootDir, abs) : abs;
+            skippedLarge.push(rel);
+            this.textCache.delete(abs);
+            return "";
+          }
+        } catch {
+        }
+      }
+      const content = await fs.readFile(abs, "utf8");
       if (content.length > TEXT_CACHE_MAX_BYTES) {
         this.textCache.delete(abs);
       }
       return content;
-    });
+    })();
     this.textCache.set(abs, promise);
     return promise;
   }
@@ -149,7 +310,7 @@ var FileCache = class _FileCache {
    * text is evicted immediately so we never hold both representations.
    */
   readJsonFile(filePath) {
-    const abs = path.resolve(filePath);
+    const abs = path2.resolve(filePath);
     const cached = this.jsonCache.get(abs);
     if (cached) return cached;
     const promise = this.readTextFile(abs).then((txt) => {
@@ -161,7 +322,7 @@ var FileCache = class _FileCache {
   }
   // ── Existence checks ──
   pathExists(p) {
-    const abs = path.resolve(p);
+    const abs = path2.resolve(p);
     const cached = this.existsCache.get(abs);
     if (cached) return cached;
     const promise = fs.access(abs).then(() => true, () => false);
@@ -185,6 +346,38 @@ var FileCache = class _FileCache {
     return this.jsonCache.size;
   }
 };
+async function quickTreeCount(rootDir, excludePatterns) {
+  let totalFiles = 0;
+  let totalDirs = 0;
+  const cores = typeof os.availableParallelism === "function" ? os.availableParallelism() : os.cpus().length || 4;
+  const maxConcurrent = Math.max(8, Math.min(128, cores * 8));
+  const sem = new Semaphore(maxConcurrent);
+  const extraSkip = /* @__PURE__ */ new Set([".nuxt", ".output", ".svelte-kit"]);
+  const isExcluded = excludePatterns ? compileGlobs(excludePatterns) : null;
+  async function count(dir) {
+    let entries;
+    try {
+      entries = await fs.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    const subs = [];
+    for (const e of entries) {
+      const relPath = path2.relative(rootDir, path2.join(dir, e.name));
+      if (isExcluded && isExcluded(relPath)) continue;
+      if (e.isDirectory()) {
+        if (SKIP_DIRS.has(e.name) || extraSkip.has(e.name)) continue;
+        totalDirs++;
+        subs.push(sem.run(() => count(path2.join(dir, e.name))));
+      } else if (e.isFile()) {
+        totalFiles++;
+      }
+    }
+    await Promise.all(subs);
+  }
+  await sem.run(() => count(rootDir));
+  return { totalFiles, totalDirs };
+}
 async function findFiles(rootDir, predicate) {
   const results = [];
   const cores = typeof os.availableParallelism === "function" ? os.availableParallelism() : os.cpus().length || 4;
@@ -201,9 +394,9 @@ async function findFiles(rootDir, predicate) {
     for (const e of entries) {
       if (e.isDirectory()) {
         if (SKIP_DIRS.has(e.name)) continue;
-        subDirectoryWalks.push(readDirSemaphore.run(() => walk(path.join(dir, e.name))));
+        subDirectoryWalks.push(readDirSemaphore.run(() => walk(path2.join(dir, e.name))));
       } else if (e.isFile() && predicate(e.name)) {
-        results.push(path.join(dir, e.name));
+        results.push(path2.join(dir, e.name));
       }
     }
     await Promise.all(subDirectoryWalks);
@@ -239,11 +432,11 @@ async function ensureDir(dir) {
   await fs.mkdir(dir, { recursive: true });
 }
 async function writeJsonFile(filePath, data) {
-  await ensureDir(path.dirname(filePath));
+  await ensureDir(path2.dirname(filePath));
   await fs.writeFile(filePath, JSON.stringify(data, null, 2) + "\n", "utf8");
 }
 async function writeTextFile(filePath, content) {
-  await ensureDir(path.dirname(filePath));
+  await ensureDir(path2.dirname(filePath));
   await fs.writeFile(filePath, content, "utf8");
 }
 
@@ -323,12 +516,12 @@ function eolScore(projects) {
 }
 function computeDriftScore(projects) {
   const rs = runtimeScore(projects);
-  const fs6 = frameworkScore(projects);
+  const fs7 = frameworkScore(projects);
   const ds = dependencyScore(projects);
   const es = eolScore(projects);
   const components = [
     { score: rs, weight: 0.25 },
-    { score: fs6, weight: 0.25 },
+    { score: fs7, weight: 0.25 },
     { score: ds, weight: 0.3 },
     { score: es, weight: 0.2 }
   ];
@@ -339,7 +532,7 @@ function computeDriftScore(projects) {
       riskLevel: "low",
       components: {
         runtimeScore: Math.round(rs ?? 100),
-        frameworkScore: Math.round(fs6 ?? 100),
+        frameworkScore: Math.round(fs7 ?? 100),
         dependencyScore: Math.round(ds ?? 100),
         eolScore: Math.round(es ?? 100)
       }
@@ -357,7 +550,7 @@ function computeDriftScore(projects) {
   else riskLevel = "high";
   const measured = [];
   if (rs !== null) measured.push("runtime");
-  if (fs6 !== null) measured.push("framework");
+  if (fs7 !== null) measured.push("framework");
   if (ds !== null) measured.push("dependency");
   if (es !== null) measured.push("eol");
   return {
@@ -365,7 +558,7 @@ function computeDriftScore(projects) {
     riskLevel,
     components: {
       runtimeScore: Math.round(rs ?? 100),
-      frameworkScore: Math.round(fs6 ?? 100),
+      frameworkScore: Math.round(fs7 ?? 100),
       dependencyScore: Math.round(ds ?? 100),
       eolScore: Math.round(es ?? 100)
     },
@@ -565,6 +758,10 @@ function formatText(artifact) {
   if (artifact.filesScanned !== void 0) {
     scannedParts.push(`${artifact.filesScanned} file${artifact.filesScanned !== 1 ? "s" : ""} scanned`);
   }
+  if (artifact.treeSummary) {
+    scannedParts.push(`${artifact.treeSummary.totalFiles.toLocaleString()} workspace files`);
+    scannedParts.push(`${artifact.treeSummary.totalDirs.toLocaleString()} dirs`);
+  }
   lines.push(chalk.dim(`  ${scannedParts.join(" \xB7 ")}`));
   lines.push("");
   return lines.join("\n");
@@ -1173,7 +1370,7 @@ function toSarifResult(finding) {
 
 // src/commands/dsn.ts
 import * as crypto2 from "crypto";
-import * as path2 from "path";
+import * as path3 from "path";
 import { Command } from "commander";
 import chalk2 from "chalk";
 var REGION_HOSTS = {
@@ -1218,7 +1415,7 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
   console.log(chalk2.dim("Set this as VIBGRATE_DSN in your CI environment."));
   console.log(chalk2.dim("The secret must be registered on your Vibgrate ingest API."));
   if (opts.write) {
-    const writePath = path2.resolve(opts.write);
+    const writePath = path3.resolve(opts.write);
     await writeTextFile(writePath, dsn + "\n");
     console.log("");
     console.log(chalk2.green("\u2714") + ` DSN written to ${opts.write}`);
@@ -1228,7 +1425,7 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
 
 // src/commands/push.ts
 import * as crypto3 from "crypto";
-import * as path3 from "path";
+import * as path4 from "path";
 import { Command as Command2 } from "commander";
 import chalk3 from "chalk";
 function parseDsn(dsn) {
@@ -1257,7 +1454,7 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
     if (opts.strict) process.exit(1);
     return;
   }
-  const filePath = path3.resolve(opts.file);
+  const filePath = path4.resolve(opts.file);
   if (!await pathExists(filePath)) {
     console.error(chalk3.red(`Scan artifact not found: ${filePath}`));
     console.error(chalk3.dim('Run "vibgrate scan" first.'));
@@ -1302,14 +1499,31 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
 });
 
 // src/commands/scan.ts
-import * as path15 from "path";
+import * as path17 from "path";
 import { Command as Command3 } from "commander";
 import chalk5 from "chalk";
 
 // src/scanners/node-scanner.ts
-import * as path4 from "path";
+import * as path5 from "path";
 import * as semver2 from "semver";
 
+// src/utils/timeout.ts
+async function withTimeout(promise, ms) {
+  let timer;
+  const timeout = new Promise((resolve7) => {
+    timer = setTimeout(() => resolve7({ ok: false }), ms);
+  });
+  try {
+    const result = await Promise.race([
+      promise.then((value) => ({ ok: true, value })),
+      timeout
+    ]);
+    return result;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // src/scanners/npm-cache.ts
 import { spawn } from "child_process";
 import * as semver from "semver";
@@ -1484,10 +1698,20 @@ var KNOWN_FRAMEWORKS = {
 async function scanNodeProjects(rootDir, npmCache, cache) {
   const packageJsonFiles = cache ? await cache.findPackageJsonFiles(rootDir) : await findPackageJsonFiles(rootDir);
   const results = [];
+  const STUCK_TIMEOUT_MS = 6e4;
   for (const pjPath of packageJsonFiles) {
     try {
-      const scan = await scanOnePackageJson(pjPath, rootDir, npmCache, cache);
-      results.push(scan);
+      const scanPromise = scanOnePackageJson(pjPath, rootDir, npmCache, cache);
+      const result = await withTimeout(scanPromise, STUCK_TIMEOUT_MS);
+      if (result.ok) {
+        results.push(result.value);
+      } else {
+        const relPath = path5.relative(rootDir, path5.dirname(pjPath));
+        if (cache) {
+          cache.addStuckPath(relPath || ".");
+        }
+        console.error(`Timeout scanning ${pjPath} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
+      }
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
       console.error(`Error scanning ${pjPath}: ${msg}`);
@@ -1497,8 +1721,8 @@ async function scanNodeProjects(rootDir, npmCache, cache) {
 }
 async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   const pj = cache ? await cache.readJsonFile(packageJsonPath) : await readJsonFile(packageJsonPath);
-  const absProjectPath = path4.dirname(packageJsonPath);
-  const projectPath = path4.relative(rootDir, absProjectPath) || ".";
+  const absProjectPath = path5.dirname(packageJsonPath);
+  const projectPath = path5.relative(rootDir, absProjectPath) || ".";
   const nodeEngine = pj.engines?.node ?? void 0;
   let runtimeLatest;
   let runtimeMajorsBehind;
@@ -1580,7 +1804,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   return {
     type: "node",
     path: projectPath,
-    name: pj.name ?? path4.basename(absProjectPath),
+    name: pj.name ?? path5.basename(absProjectPath),
     runtime: nodeEngine,
     runtimeLatest,
     runtimeMajorsBehind,
@@ -1591,7 +1815,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
 }
 
 // src/scanners/dotnet-scanner.ts
-import * as path5 from "path";
+import * as path6 from "path";
 import { XMLParser } from "fast-xml-parser";
 var parser = new XMLParser({
   ignoreAttributes: false,
@@ -1792,7 +2016,7 @@ function parseCsproj(xml, filePath) {
   const parsed = parser.parse(xml);
   const project = parsed?.Project;
   if (!project) {
-    return { targetFrameworks: [], packageReferences: [], projectName: path5.basename(filePath, ".csproj") };
+    return { targetFrameworks: [], packageReferences: [], projectName: path6.basename(filePath, ".csproj") };
   }
   const propertyGroups = Array.isArray(project.PropertyGroup) ? project.PropertyGroup : project.PropertyGroup ? [project.PropertyGroup] : [];
   const targetFrameworks = [];
@@ -1820,7 +2044,7 @@ function parseCsproj(xml, filePath) {
   return {
     targetFrameworks: [...new Set(targetFrameworks)],
     packageReferences,
-    projectName: path5.basename(filePath, ".csproj")
+    projectName: path6.basename(filePath, ".csproj")
   };
 }
 async function scanDotnetProjects(rootDir, cache) {
@@ -1830,12 +2054,12 @@ async function scanDotnetProjects(rootDir, cache) {
   for (const slnPath of slnFiles) {
     try {
       const slnContent = cache ? await cache.readTextFile(slnPath) : await readTextFile(slnPath);
-      const slnDir = path5.dirname(slnPath);
+      const slnDir = path6.dirname(slnPath);
       const projectRegex = /Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"/g;
       let match;
       while ((match = projectRegex.exec(slnContent)) !== null) {
         if (match[1]) {
-          const csprojPath = path5.resolve(slnDir, match[1].replace(/\\/g, "/"));
+          const csprojPath = path6.resolve(slnDir, match[1].replace(/\\/g, "/"));
           slnCsprojPaths.add(csprojPath);
         }
       }
@@ -1844,10 +2068,20 @@ async function scanDotnetProjects(rootDir, cache) {
   }
   const allCsprojFiles = /* @__PURE__ */ new Set([...csprojFiles, ...slnCsprojPaths]);
   const results = [];
+  const STUCK_TIMEOUT_MS = 6e4;
   for (const csprojPath of allCsprojFiles) {
     try {
-      const scan = await scanOneCsproj(csprojPath, rootDir, cache);
-      results.push(scan);
+      const scanPromise = scanOneCsproj(csprojPath, rootDir, cache);
+      const result = await withTimeout(scanPromise, STUCK_TIMEOUT_MS);
+      if (result.ok) {
+        results.push(result.value);
+      } else {
+        const relPath = path6.relative(rootDir, path6.dirname(csprojPath));
+        if (cache) {
+          cache.addStuckPath(relPath || ".");
+        }
+        console.error(`Timeout scanning ${csprojPath} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
+      }
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
       console.error(`Error scanning ${csprojPath}: ${msg}`);
@@ -1891,7 +2125,7 @@ async function scanOneCsproj(csprojPath, rootDir, cache) {
   const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: dependencies.length };
   return {
     type: "dotnet",
-    path: path5.relative(rootDir, path5.dirname(csprojPath)) || ".",
+    path: path6.relative(rootDir, path6.dirname(csprojPath)) || ".",
     name: data.projectName,
     targetFramework,
     runtime: primaryTfm,
@@ -1904,15 +2138,17 @@ async function scanOneCsproj(csprojPath, rootDir, cache) {
 }
 
 // src/config.ts
-import * as path6 from "path";
+import * as path7 from "path";
 import * as fs2 from "fs/promises";
 var CONFIG_FILES = [
   "vibgrate.config.ts",
   "vibgrate.config.js",
   "vibgrate.config.json"
 ];
+var DEFAULT_MAX_FILE_SIZE = 5242880;
 var DEFAULT_CONFIG = {
   exclude: [],
+  maxFileSizeToScan: DEFAULT_MAX_FILE_SIZE,
   thresholds: {
     failOnError: {
       eolDays: 180,
@@ -1926,28 +2162,44 @@ var DEFAULT_CONFIG = {
   }
 };
 async function loadConfig(rootDir) {
+  let config = DEFAULT_CONFIG;
   for (const file of CONFIG_FILES) {
-    const configPath = path6.join(rootDir, file);
+    const configPath = path7.join(rootDir, file);
     if (await pathExists(configPath)) {
       if (file.endsWith(".json")) {
         const txt = await readTextFile(configPath);
-        return { ...DEFAULT_CONFIG, ...JSON.parse(txt) };
+        config = { ...DEFAULT_CONFIG, ...JSON.parse(txt) };
+        break;
       }
       try {
         const mod = await import(configPath);
-        return { ...DEFAULT_CONFIG, ...mod.default ?? mod };
+        config = { ...DEFAULT_CONFIG, ...mod.default ?? mod };
+        break;
       } catch {
       }
     }
   }
-  return DEFAULT_CONFIG;
+  const sidecarPath = path7.join(rootDir, ".vibgrate", "auto-excludes.json");
+  if (await pathExists(sidecarPath)) {
+    try {
+      const txt = await readTextFile(sidecarPath);
+      const autoExcludes = JSON.parse(txt);
+      if (Array.isArray(autoExcludes) && autoExcludes.length > 0) {
+        const existing = config.exclude ?? [];
+        config = { ...config, exclude: [.../* @__PURE__ */ new Set([...existing, ...autoExcludes])] };
+      }
+    } catch {
+    }
+  }
+  return config;
 }
 async function writeDefaultConfig(rootDir) {
-  const configPath = path6.join(rootDir, "vibgrate.config.ts");
+  const configPath = path7.join(rootDir, "vibgrate.config.ts");
   const content = `import type { VibgrateConfig } from '@vibgrate/cli';
 
 const config: VibgrateConfig = {
   // exclude: ['legacy/**'],
+  // maxFileSizeToScan: 5_242_880, // 5 MB (default)
   thresholds: {
     failOnError: {
       eolDays: 180,
@@ -1966,9 +2218,44 @@ export default config;
   await fs2.writeFile(configPath, content, "utf8");
   return configPath;
 }
+async function appendExcludePatterns(rootDir, newPatterns) {
+  if (newPatterns.length === 0) return false;
+  const jsonPath = path7.join(rootDir, "vibgrate.config.json");
+  if (await pathExists(jsonPath)) {
+    try {
+      const txt = await readTextFile(jsonPath);
+      const cfg = JSON.parse(txt);
+      const existing2 = Array.isArray(cfg.exclude) ? cfg.exclude : [];
+      const merged2 = [.../* @__PURE__ */ new Set([...existing2, ...newPatterns])];
+      cfg.exclude = merged2;
+      await fs2.writeFile(jsonPath, JSON.stringify(cfg, null, 2) + "\n", "utf8");
+      return true;
+    } catch {
+    }
+  }
+  const vibgrateDir = path7.join(rootDir, ".vibgrate");
+  const sidecarPath = path7.join(vibgrateDir, "auto-excludes.json");
+  let existing = [];
+  if (await pathExists(sidecarPath)) {
+    try {
+      const txt = await readTextFile(sidecarPath);
+      const parsed = JSON.parse(txt);
+      if (Array.isArray(parsed)) existing = parsed;
+    } catch {
+    }
+  }
+  const merged = [.../* @__PURE__ */ new Set([...existing, ...newPatterns])];
+  try {
+    await fs2.mkdir(vibgrateDir, { recursive: true });
+    await fs2.writeFile(sidecarPath, JSON.stringify(merged, null, 2) + "\n", "utf8");
+    return true;
+  } catch {
+    return false;
+  }
+}
 
 // src/utils/vcs.ts
-import * as path7 from "path";
+import * as path8 from "path";
 import * as fs3 from "fs/promises";
 async function detectVcs(rootDir) {
   try {
@@ -1982,7 +2269,7 @@ async function detectGit(rootDir) {
   if (!gitDir) {
     return { type: "unknown" };
   }
-  const headPath = path7.join(gitDir, "HEAD");
+  const headPath = path8.join(gitDir, "HEAD");
   let headContent;
   try {
     headContent = (await fs3.readFile(headPath, "utf8")).trim();
@@ -2006,30 +2293,30 @@ async function detectGit(rootDir) {
   };
 }
 async function findGitDir(startDir) {
-  let dir = path7.resolve(startDir);
-  const root = path7.parse(dir).root;
+  let dir = path8.resolve(startDir);
+  const root = path8.parse(dir).root;
   while (dir !== root) {
-    const gitPath = path7.join(dir, ".git");
+    const gitPath = path8.join(dir, ".git");
     try {
-      const stat3 = await fs3.stat(gitPath);
-      if (stat3.isDirectory()) {
+      const stat4 = await fs3.stat(gitPath);
+      if (stat4.isDirectory()) {
         return gitPath;
       }
-      if (stat3.isFile()) {
+      if (stat4.isFile()) {
         const content = (await fs3.readFile(gitPath, "utf8")).trim();
         if (content.startsWith("gitdir: ")) {
-          const resolved = path7.resolve(dir, content.slice(8));
+          const resolved = path8.resolve(dir, content.slice(8));
           return resolved;
         }
       }
     } catch {
     }
-    dir = path7.dirname(dir);
+    dir = path8.dirname(dir);
   }
   return null;
 }
 async function resolveRef(gitDir, refPath) {
-  const loosePath = path7.join(gitDir, refPath);
+  const loosePath = path8.join(gitDir, refPath);
   try {
     const sha = (await fs3.readFile(loosePath, "utf8")).trim();
     if (/^[0-9a-f]{40}$/i.test(sha)) {
@@ -2037,7 +2324,7 @@ async function resolveRef(gitDir, refPath) {
     }
   } catch {
   }
-  const packedPath = path7.join(gitDir, "packed-refs");
+  const packedPath = path8.join(gitDir, "packed-refs");
   try {
     const packed = await fs3.readFile(packedPath, "utf8");
     for (const line of packed.split("\n")) {
@@ -2079,26 +2366,70 @@ var ScanProgress = class {
   startTime = Date.now();
   isTTY;
   rootDir = "";
+  /** Last rendered frame content (strip to compare for dirty-checking) */
+  lastFrame = "";
+  /** Whether we've hidden the cursor */
+  cursorHidden = false;
+  /** Estimated total scan duration in ms (from history or live calculation) */
+  estimatedTotalMs = null;
+  /** Per-step estimated durations from history */
+  stepEstimates = /* @__PURE__ */ new Map();
+  /** Per-step actual start times for timing */
+  stepStartTimes = /* @__PURE__ */ new Map();
+  /** Per-step recorded durations (completed steps) */
+  stepTimings = [];
   constructor(rootDir) {
     this.isTTY = process.stderr.isTTY ?? false;
     this.rootDir = rootDir;
+    if (this.isTTY) {
+      const restore = () => {
+        if (this.cursorHidden) {
+          process.stderr.write("\x1B[?25h");
+          this.cursorHidden = false;
+        }
+      };
+      process.on("exit", restore);
+      process.on("SIGINT", () => {
+        restore();
+        process.exit(130);
+      });
+      process.on("SIGTERM", () => {
+        restore();
+        process.exit(143);
+      });
+    }
+  }
+  /** Set the estimated total duration from scan history */
+  setEstimatedTotal(estimatedMs) {
+    this.estimatedTotalMs = estimatedMs;
+  }
+  /** Set per-step estimated durations from scan history */
+  setStepEstimates(estimates) {
+    this.stepEstimates = estimates;
+  }
+  /** Get completed step timings for persisting to history */
+  getStepTimings() {
+    return [...this.stepTimings];
   }
-  /** Register all steps up front */
+  /** Register all steps up front, optionally with weights */
   setSteps(steps) {
-    this.steps = steps.map((s) => ({ ...s, status: "pending" }));
+    this.steps = steps.map((s) => ({ ...s, status: "pending", weight: s.weight ?? 1 }));
     if (this.isTTY) {
       this.startSpinner();
     }
     this.render();
   }
-  /** Mark a step as active (currently running) */
-  startStep(id) {
+  /** Mark a step as active (currently running), optionally with expected total */
+  startStep(id, subTotal) {
     const step = this.steps.find((s) => s.id === id);
     if (step) {
       step.status = "active";
       step.detail = void 0;
       step.count = void 0;
+      step.subProgress = 0;
+      step.subTotal = subTotal;
     }
+    this.stepStartTimes.set(id, Date.now());
     this.render();
   }
   /** Mark a step as completed */
@@ -2109,6 +2440,10 @@ var ScanProgress = class {
       step.detail = detail;
       step.count = count;
     }
+    const started = this.stepStartTimes.get(id);
+    if (started) {
+      this.stepTimings.push({ id, durationMs: Date.now() - started });
+    }
     this.render();
   }
   /** Mark a step as skipped */
@@ -2120,6 +2455,16 @@ var ScanProgress = class {
     }
     this.render();
   }
+  /** Update sub-step progress for the active step (files processed, etc.) */
+  updateStepProgress(id, current, total, label) {
+    const step = this.steps.find((s) => s.id === id);
+    if (step) {
+      step.subProgress = current;
+      if (total !== void 0) step.subTotal = total;
+      if (label !== void 0) step.subLabel = label;
+    }
+    this.render();
+  }
   /** Update live stats */
   updateStats(partial) {
     Object.assign(this.stats, partial);
@@ -2151,38 +2496,45 @@ var ScanProgress = class {
       this.timer = null;
     }
     if (this.isTTY) {
-      this.clearLines();
+      let buf = "";
+      if (this.lastLineCount > 0) {
+        buf += `\x1B[${this.lastLineCount}A`;
+        for (let i = 0; i < this.lastLineCount; i++) {
+          buf += "\x1B[2K\n";
+        }
+        buf += `\x1B[${this.lastLineCount}A`;
+      }
+      buf += "\x1B[?25h";
+      if (buf) process.stderr.write(buf);
+      this.cursorHidden = false;
+      this.lastLineCount = 0;
     }
-    const elapsed = ((Date.now() - this.startTime) / 1e3).toFixed(1);
+    const elapsed = this.formatElapsed(Date.now() - this.startTime);
     const doneCount = this.steps.filter((s) => s.status === "done").length;
     process.stderr.write(
-      chalk4.dim(`  \u2714 ${doneCount} scanners completed in ${elapsed}s
+      chalk4.dim(`  \u2714 ${doneCount} scanners completed in ${elapsed}
 
 `)
     );
   }
   // ── Internal rendering ──
   startSpinner() {
+    if (!this.cursorHidden) {
+      process.stderr.write("\x1B[?25l");
+      this.cursorHidden = true;
+    }
     this.timer = setInterval(() => {
       this.spinnerFrame = (this.spinnerFrame + 1) % SPINNER_FRAMES.length;
       this.render();
-    }, 80);
+    }, 120);
   }
   clearLines() {
-    if (this.lastLineCount > 0) {
-      process.stderr.write(`\x1B[${this.lastLineCount}A`);
-      for (let i = 0; i < this.lastLineCount; i++) {
-        process.stderr.write("\x1B[2K\n");
-      }
-      process.stderr.write(`\x1B[${this.lastLineCount}A`);
-    }
   }
   render() {
     if (!this.isTTY) {
       this.renderCI();
       return;
     }
-    this.clearLines();
     const lines = [];
     lines.push("");
     lines.push(`  ${ROBOT[0]}  ${BRAND[0]}`);
@@ -2190,14 +2542,32 @@ var ScanProgress = class {
     lines.push(`  ${ROBOT[2]}`);
     lines.push(`  ${ROBOT[3]}  ${chalk4.dim(this.rootDir)}`);
     lines.push("");
-    const totalSteps = this.steps.length;
-    const doneSteps = this.steps.filter((s) => s.status === "done" || s.status === "skipped").length;
-    const pct = totalSteps > 0 ? Math.round(doneSteps / totalSteps * 100) : 0;
+    const totalWeight = this.steps.reduce((sum, s) => sum + (s.weight ?? 1), 0);
+    let completedWeight = 0;
+    for (const step of this.steps) {
+      const w = step.weight ?? 1;
+      if (step.status === "done" || step.status === "skipped") {
+        completedWeight += w;
+      } else if (step.status === "active" && step.subTotal && step.subTotal > 0 && step.subProgress !== void 0) {
+        completedWeight += w * Math.min(step.subProgress / step.subTotal, 0.99);
+      } else if (step.status === "active") {
+        const stepStart = this.stepStartTimes.get(step.id);
+        const estimate = this.stepEstimates.get(step.id);
+        if (stepStart && estimate && estimate > 0) {
+          const stepElapsed = Date.now() - stepStart;
+          completedWeight += w * Math.min(stepElapsed / estimate, 0.95);
+        }
+      }
+    }
+    const pct = totalWeight > 0 ? Math.min(Math.round(completedWeight / totalWeight * 100), 99) : 0;
     const barWidth = 30;
-    const filled = Math.round(doneSteps / Math.max(totalSteps, 1) * barWidth);
-    const bar = chalk4.greenBright("\u2501".repeat(filled)) + chalk4.dim("\u254C".repeat(barWidth - filled));
-    const elapsed = ((Date.now() - this.startTime) / 1e3).toFixed(1);
-    lines.push(`  ${bar} ${chalk4.bold.white(`${pct}%`)} ${chalk4.dim(`${elapsed}s`)}`);
+    const filled = Math.round(completedWeight / Math.max(totalWeight, 1) * barWidth);
+    const bar = chalk4.greenBright("\u2501".repeat(Math.min(filled, barWidth))) + chalk4.dim("\u254C".repeat(Math.max(barWidth - filled, 0)));
+    const elapsedMs = Date.now() - this.startTime;
+    const elapsedStr = this.formatElapsed(elapsedMs);
+    const etaStr = this.computeEtaString(elapsedMs, completedWeight, totalWeight);
+    const treePart = this.stats.treeSummary ? chalk4.dim(` \xB7 ${this.stats.treeSummary.totalFiles.toLocaleString()} files \xB7 ${this.stats.treeSummary.totalDirs.toLocaleString()} dirs`) : "";
+    lines.push(`  ${bar} ${chalk4.bold.white(`${pct}%`)} ${chalk4.dim(elapsedStr)}${etaStr}${treePart}`);
     lines.push("");
     for (const step of this.steps) {
       lines.push(this.renderStep(step));
@@ -2205,8 +2575,21 @@ var ScanProgress = class {
     lines.push("");
     lines.push(this.renderStats());
     lines.push("");
-    const output = lines.join("\n") + "\n";
-    process.stderr.write(output);
+    const content = lines.join("\n") + "\n";
+    if (content === this.lastFrame && this.lastLineCount === lines.length) {
+      return;
+    }
+    this.lastFrame = content;
+    let buf = "";
+    if (this.lastLineCount > 0) {
+      buf += `\x1B[${this.lastLineCount}A`;
+      for (let i = 0; i < this.lastLineCount; i++) {
+        buf += "\x1B[2K\n";
+      }
+      buf += `\x1B[${this.lastLineCount}A`;
+    }
+    buf += content;
+    process.stderr.write(buf);
     this.lastLineCount = lines.length;
   }
   renderStep(step) {
@@ -2222,6 +2605,14 @@ var ScanProgress = class {
       case "active":
         icon = chalk4.cyan(spinner);
         label = chalk4.bold.white(step.label);
+        if (step.subTotal && step.subTotal > 0 && step.subProgress !== void 0 && step.subProgress > 0) {
+          detail = chalk4.dim(` \xB7 ${step.subProgress.toLocaleString()} / ${step.subTotal.toLocaleString()}`);
+        }
+        if (step.subLabel) {
+          const maxLen = 50;
+          const displayPath = step.subLabel.length > maxLen ? "\u2026" + step.subLabel.slice(-maxLen + 1) : step.subLabel;
+          detail += chalk4.dim(` ${displayPath}`);
+        }
         break;
       case "skipped":
         icon = chalk4.dim("\u25CC");
@@ -2275,10 +2666,141 @@ var ScanProgress = class {
       }
     }
   }
+  // ── Time formatting helpers ──
+  /**
+   * Format elapsed time:
+   * - Under 90s → "12.3s"
+   * - 90s and above → "1m 30s"
+   */
+  formatElapsed(ms) {
+    const totalSecs = ms / 1e3;
+    if (totalSecs < 90) {
+      return `${totalSecs.toFixed(1)}s`;
+    }
+    const mins = Math.floor(totalSecs / 60);
+    const secs = Math.floor(totalSecs % 60);
+    return `${mins}m ${secs.toString().padStart(2, "0")}s`;
+  }
+  /**
+   * Compute an ETA string for the progress bar.
+   *
+   * Uses two sources blended together:
+   * 1. **Historical estimate** from `estimatedTotalMs` (if available)
+   * 2. **Live rate** — extrapolated from `elapsedMs` and `completedWeight`
+   *
+   * Returns empty string if not enough data yet (< 3% progress or < 2s elapsed).
+   */
+  computeEtaString(elapsedMs, completedWeight, totalWeight) {
+    if (totalWeight === 0 || elapsedMs < 2e3) return "";
+    const fraction = completedWeight / totalWeight;
+    if (fraction < 0.03) {
+      if (this.estimatedTotalMs !== null && this.estimatedTotalMs > 0) {
+        const remaining = Math.max(0, this.estimatedTotalMs - elapsedMs);
+        if (remaining > 1e3) {
+          return chalk4.dim(` \xB7 ~${this.formatElapsed(remaining)} left`);
+        }
+      }
+      return "";
+    }
+    const liveRemaining = elapsedMs / fraction * (1 - fraction);
+    let remainingMs;
+    if (this.estimatedTotalMs !== null && this.estimatedTotalMs > 0) {
+      const histRemaining = Math.max(0, this.estimatedTotalMs - elapsedMs);
+      const histWeight = Math.max(0.1, 1 - fraction);
+      remainingMs = histRemaining * histWeight + liveRemaining * (1 - histWeight);
+    } else {
+      remainingMs = liveRemaining;
+    }
+    if (remainingMs < 1500) return "";
+    return chalk4.dim(` \xB7 ~${this.formatElapsed(remainingMs)} left`);
+  }
 };
 
+// src/ui/scan-history.ts
+import * as fs4 from "fs/promises";
+import * as path9 from "path";
+var HISTORY_FILENAME = "scan_history.json";
+var MAX_RECORDS = 10;
+async function loadScanHistory(rootDir) {
+  const filePath = path9.join(rootDir, ".vibgrate", HISTORY_FILENAME);
+  try {
+    const txt = await fs4.readFile(filePath, "utf8");
+    const data = JSON.parse(txt);
+    if (data.version === 1 && Array.isArray(data.records)) {
+      return data;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function saveScanHistory(rootDir, record) {
+  const dir = path9.join(rootDir, ".vibgrate");
+  const filePath = path9.join(dir, HISTORY_FILENAME);
+  let history;
+  const existing = await loadScanHistory(rootDir);
+  if (existing) {
+    history = existing;
+    history.records.push(record);
+    if (history.records.length > MAX_RECORDS) {
+      history.records = history.records.slice(-MAX_RECORDS);
+    }
+  } else {
+    history = { version: 1, records: [record] };
+  }
+  try {
+    await fs4.mkdir(dir, { recursive: true });
+    await fs4.writeFile(filePath, JSON.stringify(history, null, 2) + "\n", "utf8");
+  } catch {
+  }
+}
+function estimateTotalDuration(history, currentFileCount) {
+  if (!history || history.records.length === 0) return null;
+  const similar = history.records.filter((r) => {
+    if (r.totalFiles === 0 || currentFileCount === 0) return false;
+    const ratio = currentFileCount / r.totalFiles;
+    return ratio >= 0.33 && ratio <= 3;
+  });
+  if (similar.length > 0) {
+    let weightedSum = 0;
+    let weightTotal = 0;
+    for (let i = 0; i < similar.length; i++) {
+      const rec = similar[i];
+      const weight = i + 1;
+      const scale = currentFileCount / rec.totalFiles;
+      weightedSum += rec.totalDurationMs * scale * weight;
+      weightTotal += weight;
+    }
+    return Math.round(weightedSum / weightTotal);
+  }
+  const last = history.records[history.records.length - 1];
+  if (last.totalFiles > 0 && currentFileCount > 0) {
+    const scale = currentFileCount / last.totalFiles;
+    return Math.round(last.totalDurationMs * scale);
+  }
+  return last.totalDurationMs;
+}
+function estimateStepDurations(history, currentFileCount) {
+  const result = /* @__PURE__ */ new Map();
+  if (!history || history.records.length === 0) return result;
+  let best = null;
+  for (let i = history.records.length - 1; i >= 0; i--) {
+    const rec = history.records[i];
+    if (rec.steps.length > 0) {
+      best = rec;
+      break;
+    }
+  }
+  if (!best) return result;
+  const scale = best.totalFiles > 0 && currentFileCount > 0 ? currentFileCount / best.totalFiles : 1;
+  for (const step of best.steps) {
+    result.set(step.id, Math.round(step.durationMs * scale));
+  }
+  return result;
+}
+
 // src/scanners/platform-matrix.ts
-import * as path8 from "path";
+import * as path10 from "path";
 var NATIVE_MODULE_PACKAGES = /* @__PURE__ */ new Set([
   // Image / media processing
   "sharp",
@@ -2558,7 +3080,7 @@ async function scanPlatformMatrix(rootDir, cache) {
   }
   result.dockerBaseImages = [...baseImages].sort();
   for (const file of [".nvmrc", ".node-version", ".tool-versions"]) {
-    const exists = cache ? await cache.pathExists(path8.join(rootDir, file)) : await pathExists(path8.join(rootDir, file));
+    const exists = cache ? await cache.pathExists(path10.join(rootDir, file)) : await pathExists(path10.join(rootDir, file));
     if (exists) {
       result.nodeVersionFiles.push(file);
     }
@@ -2635,7 +3157,7 @@ function scanDependencyRisk(projects) {
 }
 
 // src/scanners/dependency-graph.ts
-import * as path9 from "path";
+import * as path11 from "path";
 function parsePnpmLock(content) {
   const entries = [];
   const regex = /^\s+\/?(@?[^@\s][^@\s]*?)@(\d+\.\d+\.\d+[^:\s]*)\s*:/gm;
@@ -2694,9 +3216,9 @@ async function scanDependencyGraph(rootDir, cache) {
     phantomDependencies: []
   };
   let entries = [];
-  const pnpmLock = path9.join(rootDir, "pnpm-lock.yaml");
-  const npmLock = path9.join(rootDir, "package-lock.json");
-  const yarnLock = path9.join(rootDir, "yarn.lock");
+  const pnpmLock = path11.join(rootDir, "pnpm-lock.yaml");
+  const npmLock = path11.join(rootDir, "package-lock.json");
+  const yarnLock = path11.join(rootDir, "yarn.lock");
   const _pathExists = cache ? (p) => cache.pathExists(p) : pathExists;
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   if (await _pathExists(pnpmLock)) {
@@ -2743,7 +3265,7 @@ async function scanDependencyGraph(rootDir, cache) {
   for (const pjPath of pkgFiles) {
     try {
       const pj = cache ? await cache.readJsonFile(pjPath) : await readJsonFile(pjPath);
-      const relPath = path9.relative(rootDir, pjPath);
+      const relPath = path11.relative(rootDir, pjPath);
       for (const section of ["dependencies", "devDependencies"]) {
         const deps = pj[section];
         if (!deps) continue;
@@ -3089,7 +3611,7 @@ function scanToolingInventory(projects) {
 }
 
 // src/scanners/build-deploy.ts
-import * as path10 from "path";
+import * as path12 from "path";
 var CI_FILES = {
   ".github/workflows": "github-actions",
   ".gitlab-ci.yml": "gitlab-ci",
@@ -3142,17 +3664,17 @@ async function scanBuildDeploy(rootDir, cache) {
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   const ciSystems = /* @__PURE__ */ new Set();
   for (const [file, system] of Object.entries(CI_FILES)) {
-    const fullPath = path10.join(rootDir, file);
+    const fullPath = path12.join(rootDir, file);
     if (await _pathExists(fullPath)) {
       ciSystems.add(system);
     }
   }
-  const ghWorkflowDir = path10.join(rootDir, ".github", "workflows");
+  const ghWorkflowDir = path12.join(rootDir, ".github", "workflows");
   if (await _pathExists(ghWorkflowDir)) {
     try {
       if (cache) {
         const entries = await cache.walkDir(rootDir);
-        const ghPrefix = path10.relative(rootDir, ghWorkflowDir) + path10.sep;
+        const ghPrefix = path12.relative(rootDir, ghWorkflowDir) + path12.sep;
         result.ciWorkflowCount = entries.filter(
           (e) => e.isFile && e.relPath.startsWith(ghPrefix) && (e.name.endsWith(".yml") || e.name.endsWith(".yaml"))
         ).length;
@@ -3203,11 +3725,11 @@ async function scanBuildDeploy(rootDir, cache) {
     (name) => name.endsWith(".cfn.json") || name.endsWith(".cfn.yaml")
   );
   if (cfnFiles.length > 0) iacSystems.add("cloudformation");
-  if (await _pathExists(path10.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
+  if (await _pathExists(path12.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
   result.iac = [...iacSystems].sort();
   const releaseTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(RELEASE_FILES)) {
-    if (await _pathExists(path10.join(rootDir, file))) releaseTools.add(tool);
+    if (await _pathExists(path12.join(rootDir, file))) releaseTools.add(tool);
   }
   const pkgFiles = cache ? await cache.findPackageJsonFiles(rootDir) : await findPackageJsonFiles(rootDir);
   for (const pjPath of pkgFiles) {
@@ -3232,19 +3754,19 @@ async function scanBuildDeploy(rootDir, cache) {
   };
   const managers = /* @__PURE__ */ new Set();
   for (const [file, manager] of Object.entries(lockfileMap)) {
-    if (await _pathExists(path10.join(rootDir, file))) managers.add(manager);
+    if (await _pathExists(path12.join(rootDir, file))) managers.add(manager);
   }
   result.packageManagers = [...managers].sort();
   const monoTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(MONOREPO_FILES)) {
-    if (await _pathExists(path10.join(rootDir, file))) monoTools.add(tool);
+    if (await _pathExists(path12.join(rootDir, file))) monoTools.add(tool);
   }
   result.monorepoTools = [...monoTools].sort();
   return result;
 }
 
 // src/scanners/ts-modernity.ts
-import * as path11 from "path";
+import * as path13 from "path";
 async function scanTsModernity(rootDir, cache) {
   const result = {
     typescriptVersion: null,
@@ -3282,7 +3804,7 @@ async function scanTsModernity(rootDir, cache) {
   if (hasEsm && hasCjs) result.moduleType = "mixed";
   else if (hasEsm) result.moduleType = "esm";
   else if (hasCjs) result.moduleType = "cjs";
-  let tsConfigPath = path11.join(rootDir, "tsconfig.json");
+  let tsConfigPath = path13.join(rootDir, "tsconfig.json");
   const tsConfigExists = cache ? await cache.pathExists(tsConfigPath) : await pathExists(tsConfigPath);
   if (!tsConfigExists) {
     const tsConfigs = cache ? await cache.findFiles(rootDir, (name) => name === "tsconfig.json") : await findFiles(rootDir, (name) => name === "tsconfig.json");
@@ -3628,8 +4150,8 @@ function scanBreakingChangeExposure(projects) {
 }
 
 // src/scanners/file-hotspots.ts
-import * as fs4 from "fs/promises";
-import * as path12 from "path";
+import * as fs5 from "fs/promises";
+import * as path14 from "path";
 var SKIP_DIRS2 = /* @__PURE__ */ new Set([
   "node_modules",
   ".git",
@@ -3672,16 +4194,16 @@ async function scanFileHotspots(rootDir, cache) {
     const entries = await cache.walkDir(rootDir);
     for (const entry of entries) {
       if (!entry.isFile) continue;
-      const ext = path12.extname(entry.name).toLowerCase();
+      const ext = path14.extname(entry.name).toLowerCase();
       if (SKIP_EXTENSIONS.has(ext)) continue;
-      const depth = entry.relPath.split(path12.sep).length - 1;
+      const depth = entry.relPath.split(path14.sep).length - 1;
       if (depth > maxDepth) maxDepth = depth;
       extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
       try {
-        const stat3 = await fs4.stat(entry.absPath);
+        const stat4 = await fs5.stat(entry.absPath);
         allFiles.push({
           path: entry.relPath,
-          bytes: stat3.size
+          bytes: stat4.size
         });
       } catch {
       }
@@ -3691,7 +4213,7 @@ async function scanFileHotspots(rootDir, cache) {
       if (depth > maxDepth) maxDepth = depth;
       let entries;
       try {
-        const dirents = await fs4.readdir(dir, { withFileTypes: true });
+        const dirents = await fs5.readdir(dir, { withFileTypes: true });
         entries = dirents.map((d) => ({
           name: d.name,
           isDirectory: d.isDirectory(),
@@ -3703,16 +4225,16 @@ async function scanFileHotspots(rootDir, cache) {
       for (const e of entries) {
         if (e.isDirectory) {
           if (SKIP_DIRS2.has(e.name)) continue;
-          await walk(path12.join(dir, e.name), depth + 1);
+          await walk(path14.join(dir, e.name), depth + 1);
         } else if (e.isFile) {
-          const ext = path12.extname(e.name).toLowerCase();
+          const ext = path14.extname(e.name).toLowerCase();
           if (SKIP_EXTENSIONS.has(ext)) continue;
           extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
           try {
-            const stat3 = await fs4.stat(path12.join(dir, e.name));
+            const stat4 = await fs5.stat(path14.join(dir, e.name));
             allFiles.push({
-              path: path12.relative(rootDir, path12.join(dir, e.name)),
-              bytes: stat3.size
+              path: path14.relative(rootDir, path14.join(dir, e.name)),
+              bytes: stat4.size
             });
           } catch {
           }
@@ -3734,7 +4256,7 @@ async function scanFileHotspots(rootDir, cache) {
 }
 
 // src/scanners/security-posture.ts
-import * as path13 from "path";
+import * as path15 from "path";
 var LOCKFILES = {
   "pnpm-lock.yaml": "pnpm",
   "package-lock.json": "npm",
@@ -3755,14 +4277,14 @@ async function scanSecurityPosture(rootDir, cache) {
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   const foundLockfiles = [];
   for (const [file, type] of Object.entries(LOCKFILES)) {
-    if (await _pathExists(path13.join(rootDir, file))) {
+    if (await _pathExists(path15.join(rootDir, file))) {
       foundLockfiles.push(type);
     }
   }
   result.lockfilePresent = foundLockfiles.length > 0;
   result.multipleLockfileTypes = foundLockfiles.length > 1;
   result.lockfileTypes = foundLockfiles.sort();
-  const gitignorePath = path13.join(rootDir, ".gitignore");
+  const gitignorePath = path15.join(rootDir, ".gitignore");
   if (await _pathExists(gitignorePath)) {
     try {
       const content = await _readTextFile(gitignorePath);
@@ -3777,7 +4299,7 @@ async function scanSecurityPosture(rootDir, cache) {
     }
   }
   for (const envFile of [".env", ".env.local", ".env.development", ".env.production"]) {
-    if (await _pathExists(path13.join(rootDir, envFile))) {
+    if (await _pathExists(path15.join(rootDir, envFile))) {
       if (!result.gitignoreCoversEnv) {
         result.envFilesTracked = true;
         break;
@@ -4202,8 +4724,8 @@ function scanServiceDependencies(projects) {
 }
 
 // src/scanners/architecture.ts
-import * as path14 from "path";
-import * as fs5 from "fs/promises";
+import * as path16 from "path";
+import * as fs6 from "fs/promises";
 var ARCHETYPE_SIGNALS = [
   // Meta-frameworks (highest priority — they imply routing patterns)
   { packages: ["next", "@next/core"], archetype: "nextjs", weight: 10 },
@@ -4501,9 +5023,9 @@ async function walkSourceFiles(rootDir, cache) {
     const entries = await cache.walkDir(rootDir);
     return entries.filter((e) => {
       if (!e.isFile) return false;
-      const name = path14.basename(e.absPath);
+      const name = path16.basename(e.absPath);
       if (name.startsWith(".") && name !== ".") return false;
-      const ext = path14.extname(name);
+      const ext = path16.extname(name);
       return SOURCE_EXTENSIONS.has(ext);
     }).map((e) => e.relPath);
   }
@@ -4511,21 +5033,21 @@ async function walkSourceFiles(rootDir, cache) {
   async function walk(dir) {
     let entries;
     try {
-      entries = await fs5.readdir(dir, { withFileTypes: true });
+      entries = await fs6.readdir(dir, { withFileTypes: true });
     } catch {
       return;
     }
     for (const entry of entries) {
       if (entry.name.startsWith(".") && entry.name !== ".") continue;
-      const fullPath = path14.join(dir, entry.name);
+      const fullPath = path16.join(dir, entry.name);
       if (entry.isDirectory()) {
         if (!IGNORE_DIRS.has(entry.name)) {
           await walk(fullPath);
         }
       } else if (entry.isFile()) {
-        const ext = path14.extname(entry.name);
+        const ext = path16.extname(entry.name);
         if (SOURCE_EXTENSIONS.has(ext)) {
-          files.push(path14.relative(rootDir, fullPath));
+          files.push(path16.relative(rootDir, fullPath));
         }
       }
     }
@@ -4549,7 +5071,7 @@ function classifyFile(filePath, archetype) {
     }
   }
   if (!bestMatch || bestMatch.confidence < 0.7) {
-    const baseName = path14.basename(filePath, path14.extname(filePath));
+    const baseName = path16.basename(filePath, path16.extname(filePath));
     const cleanBase = baseName.replace(/\.(test|spec)$/, "");
     for (const rule of SUFFIX_RULES) {
       if (cleanBase.endsWith(rule.suffix)) {
@@ -4740,14 +5262,19 @@ async function runScan(rootDir, opts) {
   const sem = new Semaphore(opts.concurrency);
   const npmCache = new NpmCache(rootDir, sem);
   const fileCache = new FileCache();
+  const excludePatterns = config.exclude ?? [];
+  fileCache.setExcludePatterns(excludePatterns);
+  fileCache.setMaxFileSize(config.maxFileSizeToScan ?? 5242880);
   const scanners = config.scanners;
   let filesScanned = 0;
   const progress = new ScanProgress(rootDir);
   const steps = [
     { id: "config", label: "Loading configuration" },
+    { id: "discovery", label: "Discovering workspace", weight: 3 },
     { id: "vcs", label: "Detecting version control" },
-    { id: "node", label: "Scanning Node projects" },
-    { id: "dotnet", label: "Scanning .NET projects" },
+    { id: "walk", label: "Indexing files", weight: 8 },
+    { id: "node", label: "Scanning Node projects", weight: 4 },
+    { id: "dotnet", label: "Scanning .NET projects", weight: 2 },
     ...scanners !== false ? [
       ...scanners?.platformMatrix?.enabled !== false ? [{ id: "platform", label: "Platform matrix" }] : [],
       ...scanners?.toolingInventory?.enabled !== false ? [{ id: "tooling", label: "Tooling inventory" }] : [],
@@ -4766,10 +5293,26 @@ async function runScan(rootDir, opts) {
   ];
   progress.setSteps(steps);
   progress.completeStep("config", "loaded");
+  progress.startStep("discovery");
+  const treeCount = await quickTreeCount(rootDir, excludePatterns);
+  progress.updateStats({ treeSummary: treeCount });
+  progress.completeStep(
+    "discovery",
+    `${treeCount.totalFiles.toLocaleString()} files \xB7 ${treeCount.totalDirs.toLocaleString()} dirs`
+  );
+  const scanHistory = await loadScanHistory(rootDir);
+  const estimatedTotal = estimateTotalDuration(scanHistory, treeCount.totalFiles);
+  progress.setEstimatedTotal(estimatedTotal);
+  progress.setStepEstimates(estimateStepDurations(scanHistory, treeCount.totalFiles));
   progress.startStep("vcs");
   const vcs = await detectVcs(rootDir);
   const vcsDetail = vcs.type !== "unknown" ? `${vcs.type}${vcs.branch ? ` ${vcs.branch}` : ""}${vcs.shortSha ? ` @ ${vcs.shortSha}` : ""}` : "none detected";
   progress.completeStep("vcs", vcsDetail);
+  progress.startStep("walk", treeCount.totalFiles);
+  await fileCache.walkDir(rootDir, (found, currentPath) => {
+    progress.updateStepProgress("walk", found, treeCount.totalFiles, currentPath);
+  });
+  progress.completeStep("walk", `${treeCount.totalFiles.toLocaleString()} files indexed`);
   progress.startStep("node");
   const nodeProjects = await scanNodeProjects(rootDir, npmCache, fileCache);
   for (const p of nodeProjects) {
@@ -4949,6 +5492,36 @@ async function runScan(rootDir, opts) {
   if (noteCount > 0) findingParts.push(`${noteCount} note${noteCount !== 1 ? "s" : ""}`);
   progress.completeStep("findings", findingParts.join(", ") || "none");
   progress.finish();
+  const stuckPaths = fileCache.stuckPaths;
+  const skippedLarge = fileCache.skippedLargeFiles;
+  if (stuckPaths.length > 0) {
+    console.log(
+      chalk5.yellow(`
+\u26A0 ${stuckPaths.length} path${stuckPaths.length === 1 ? "" : "s"} timed out (>60s) and ${stuckPaths.length === 1 ? "was" : "were"} skipped:`)
+    );
+    for (const d of stuckPaths) {
+      console.log(chalk5.dim(`  \u2192 ${d}`));
+    }
+    const newExcludes = stuckPaths.map((d) => `${d}/**`);
+    const updated = await appendExcludePatterns(rootDir, newExcludes);
+    if (updated) {
+      console.log(chalk5.green("\u2714") + ` Added ${newExcludes.length} pattern${newExcludes.length !== 1 ? "s" : ""} to exclude list in config`);
+    }
+  }
+  if (skippedLarge.length > 0) {
+    const sizeLimit = config.maxFileSizeToScan ?? 5242880;
+    const sizeMB = (sizeLimit / 1048576).toFixed(0);
+    console.log(
+      chalk5.yellow(`
+\u26A0 ${skippedLarge.length} file${skippedLarge.length === 1 ? "" : "s"} skipped (>${sizeMB} MB):`)
+    );
+    for (const f of skippedLarge.slice(0, 10)) {
+      console.log(chalk5.dim(`  \u2192 ${f}`));
+    }
+    if (skippedLarge.length > 10) {
+      console.log(chalk5.dim(`  \u2026 and ${skippedLarge.length - 10} more`));
+    }
+  }
   fileCache.clear();
   if (allProjects.length === 0) {
     console.log(chalk5.yellow("No projects found."));
@@ -4966,17 +5539,18 @@ async function runScan(rootDir, opts) {
     schemaVersion: "1.0",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     vibgrateVersion: VERSION,
-    rootPath: path15.basename(rootDir),
+    rootPath: path17.basename(rootDir),
     ...vcs.type !== "unknown" ? { vcs } : {},
     projects: allProjects,
     drift,
     findings,
     ...Object.keys(extended).length > 0 ? { extended } : {},
     durationMs,
-    filesScanned
+    filesScanned,
+    treeSummary: treeCount
   };
   if (opts.baseline) {
-    const baselinePath = path15.resolve(opts.baseline);
+    const baselinePath = path17.resolve(opts.baseline);
     if (await pathExists(baselinePath)) {
       try {
         const baseline = await readJsonFile(baselinePath);
@@ -4987,15 +5561,22 @@ async function runScan(rootDir, opts) {
       }
     }
   }
-  const vibgrateDir = path15.join(rootDir, ".vibgrate");
+  const vibgrateDir = path17.join(rootDir, ".vibgrate");
   await ensureDir(vibgrateDir);
-  await writeJsonFile(path15.join(vibgrateDir, "scan_result.json"), artifact);
+  await writeJsonFile(path17.join(vibgrateDir, "scan_result.json"), artifact);
+  await saveScanHistory(rootDir, {
+    timestamp: artifact.timestamp,
+    totalDurationMs: durationMs,
+    totalFiles: treeCount.totalFiles,
+    totalDirs: treeCount.totalDirs,
+    steps: progress.getStepTimings()
+  });
   for (const project of allProjects) {
     if (project.drift && project.path) {
-      const projectDir = path15.resolve(rootDir, project.path);
-      const projectVibgrateDir = path15.join(projectDir, ".vibgrate");
+      const projectDir = path17.resolve(rootDir, project.path);
+      const projectVibgrateDir = path17.join(projectDir, ".vibgrate");
       await ensureDir(projectVibgrateDir);
-      await writeJsonFile(path15.join(projectVibgrateDir, "project_score.json"), {
+      await writeJsonFile(path17.join(projectVibgrateDir, "project_score.json"), {
         projectId: project.projectId,
         name: project.name,
         type: project.type,
@@ -5012,7 +5593,7 @@ async function runScan(rootDir, opts) {
   if (opts.format === "json") {
     const jsonStr = JSON.stringify(artifact, null, 2);
     if (opts.out) {
-      await writeTextFile(path15.resolve(opts.out), jsonStr);
+      await writeTextFile(path17.resolve(opts.out), jsonStr);
       console.log(chalk5.green("\u2714") + ` JSON written to ${opts.out}`);
     } else {
       console.log(jsonStr);
@@ -5021,7 +5602,7 @@ async function runScan(rootDir, opts) {
     const sarif = formatSarif(artifact);
     const sarifStr = JSON.stringify(sarif, null, 2);
     if (opts.out) {
-      await writeTextFile(path15.resolve(opts.out), sarifStr);
+      await writeTextFile(path17.resolve(opts.out), sarifStr);
       console.log(chalk5.green("\u2714") + ` SARIF written to ${opts.out}`);
     } else {
       console.log(sarifStr);
@@ -5030,7 +5611,7 @@ async function runScan(rootDir, opts) {
     const text = formatText(artifact);
     console.log(text);
     if (opts.out) {
-      await writeTextFile(path15.resolve(opts.out), text);
+      await writeTextFile(path17.resolve(opts.out), text);
     }
   }
   return artifact;
@@ -5089,7 +5670,7 @@ async function autoPush(artifact, rootDir, opts) {
   }
 }
 var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").action(async (targetPath, opts) => {
-  const rootDir = path15.resolve(targetPath);
+  const rootDir = path17.resolve(targetPath);
   if (!await pathExists(rootDir)) {
     console.error(chalk5.red(`Path does not exist: ${rootDir}`));
     process.exit(1);