@vibgrate/cli 1.0.21 → 1.0.22

package/dist/{baseline-7WI3SI6H.js → baseline-IOXJPCX7.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-74QSNBZA.js";
-import "./chunk-L6R5WSCC.js";
+} from "./chunk-IMK7DUPY.js";
+import "./chunk-JFMGFWKC.js";
 export {
   baselineCommand,
   runBaseline

package/dist/{chunk-74QSNBZA.js → chunk-IMK7DUPY.js}

@@ -1,7 +1,7 @@
 import {
   runScan,
   writeJsonFile
-} from "./chunk-L6R5WSCC.js";
+} from "./chunk-JFMGFWKC.js";
 
 // src/commands/baseline.ts
 import * as path from "path";

package/dist/{chunk-L6R5WSCC.js → chunk-JFMGFWKC.js}

@@ -1,7 +1,7 @@
 // src/utils/fs.ts
 import * as fs from "fs/promises";
 import * as os from "os";
-import * as path from "path";
+import * as path2 from "path";
 
 // src/utils/semaphore.ts
 var Semaphore = class {
@@ -32,6 +32,86 @@ var Semaphore = class {
   }
 };
 
+// src/utils/glob.ts
+import * as path from "path";
+function compileGlobs(patterns) {
+  if (patterns.length === 0) return null;
+  const matchers = patterns.map((p) => compileOne(normalise(p)));
+  return (relPath) => {
+    const norm = normalise(relPath);
+    return matchers.some((m) => m(norm));
+  };
+}
+function normalise(p) {
+  return p.split(path.sep).join("/").replace(/\/+$/, "");
+}
+function compileOne(pattern) {
+  if (!pattern.includes("/") && !hasGlobChars(pattern)) {
+    const prefix = pattern + "/";
+    return (p) => p === pattern || p.startsWith(prefix);
+  }
+  const re = globToRegex(pattern);
+  return (p) => re.test(p);
+}
+function hasGlobChars(s) {
+  return /[*?[\]{}]/.test(s);
+}
+function globToRegex(pattern) {
+  let i = 0;
+  let re = "^";
+  const len = pattern.length;
+  while (i < len) {
+    const ch = pattern[i];
+    if (ch === "*") {
+      if (pattern[i + 1] === "*") {
+        i += 2;
+        if (pattern[i] === "/") {
+          i++;
+          re += "(?:.+/)?";
+        } else {
+          re += ".*";
+        }
+      } else {
+        i++;
+        re += "[^/]*";
+      }
+    } else if (ch === "?") {
+      i++;
+      re += "[^/]";
+    } else if (ch === "[") {
+      const start = i;
+      i++;
+      while (i < len && pattern[i] !== "]") i++;
+      i++;
+      re += pattern.slice(start, i);
+    } else if (ch === "{") {
+      i++;
+      const alternatives = [];
+      let current = "";
+      while (i < len && pattern[i] !== "}") {
+        if (pattern[i] === ",") {
+          alternatives.push(current);
+          current = "";
+        } else {
+          current += pattern[i];
+        }
+        i++;
+      }
+      alternatives.push(current);
+      i++;
+      re += "(?:" + alternatives.map(escapeRegex).join("|") + ")";
+    } else {
+      re += escapeRegex(ch);
+      i++;
+    }
+  }
+  re += "$";
+  return new RegExp(re);
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
 // src/utils/fs.ts
 var SKIP_DIRS = /* @__PURE__ */ new Set([
   "node_modules",
@@ -60,6 +140,40 @@ var FileCache = class _FileCache {
   jsonCache = /* @__PURE__ */ new Map();
   /** pathExists keyed by absolute path */
   existsCache = /* @__PURE__ */ new Map();
+  /** User-configured exclude predicate (compiled from glob patterns) */
+  excludePredicate = null;
+  /** Directories that were auto-skipped because they were stuck (>60s) */
+  _stuckPaths = [];
+  /** Files skipped because they exceed maxFileSizeToScan */
+  _skippedLargeFiles = [];
+  /** Maximum file size (bytes) we will read. 0 = unlimited. */
+  _maxFileSize = 0;
+  /** Root dir for relative-path computation (set by the first walkDir call) */
+  _rootDir = null;
+  /** Set exclude patterns from config (call once before the walk) */
+  setExcludePatterns(patterns) {
+    this.excludePredicate = compileGlobs(patterns);
+  }
+  /** Set the maximum file size in bytes that readTextFile / readJsonFile will process */
+  setMaxFileSize(bytes) {
+    this._maxFileSize = bytes;
+  }
+  /** Record a path that timed out or was stuck during scanning */
+  addStuckPath(relPath) {
+    this._stuckPaths.push(relPath);
+  }
+  /** Get all paths that were auto-skipped due to being stuck (dirs + scanner files) */
+  get stuckPaths() {
+    return this._stuckPaths;
+  }
+  /** @deprecated Use stuckPaths instead */
+  get stuckDirs() {
+    return this._stuckPaths;
+  }
+  /** Get files that were skipped because they exceeded maxFileSizeToScan */
+  get skippedLargeFiles() {
+    return this._skippedLargeFiles;
+  }
   // ── Directory walking ──
   /**
    * Walk the directory tree from `rootDir` once, skipping SKIP_DIRS plus
@@ -70,6 +184,7 @@ var FileCache = class _FileCache {
    * SKIP_EXTENSIONS) do so on the returned entries — no separate walk.
    */
   walkDir(rootDir, onProgress) {
+    this._rootDir = rootDir;
     const cached = this.walkCache.get(rootDir);
     if (cached) return cached;
     const promise = this._doWalk(rootDir, onProgress);
@@ -86,18 +201,34 @@ var FileCache = class _FileCache {
     let lastReported = 0;
     const REPORT_INTERVAL = 50;
     const sem = new Semaphore(maxConcurrentReads);
+    const STUCK_TIMEOUT_MS = 6e4;
     const extraSkip = _FileCache.EXTRA_SKIP;
+    const isExcluded = this.excludePredicate;
+    const stuckDirs = this._stuckPaths;
     async function walk(dir) {
+      const relDir = path2.relative(rootDir, dir);
       let entries;
       try {
-        entries = await fs.readdir(dir, { withFileTypes: true });
+        const readPromise = fs.readdir(dir, { withFileTypes: true });
+        const result = await Promise.race([
+          readPromise.then((e) => ({ ok: true, entries: e })),
+          new Promise(
+            (resolve7) => setTimeout(() => resolve7({ ok: false }), STUCK_TIMEOUT_MS)
+          )
+        ]);
+        if (!result.ok) {
+          stuckDirs.push(relDir || dir);
+          return;
+        }
+        entries = result.entries;
       } catch {
         return;
       }
       const subWalks = [];
       for (const e of entries) {
-        const absPath = path.join(dir, e.name);
-        const relPath = path.relative(rootDir, absPath);
+        const absPath = path2.join(dir, e.name);
+        const relPath = path2.relative(rootDir, absPath);
+        if (isExcluded && isExcluded(relPath)) continue;
         if (e.isDirectory()) {
           if (SKIP_DIRS.has(e.name) || extraSkip.has(e.name)) continue;
           results.push({ absPath, relPath, name: e.name, isFile: false, isDirectory: true });
@@ -107,7 +238,7 @@ var FileCache = class _FileCache {
           foundCount++;
           if (onProgress && foundCount - lastReported >= REPORT_INTERVAL) {
             lastReported = foundCount;
-            onProgress(foundCount);
+            onProgress(foundCount, relPath);
           }
         }
       }
@@ -115,7 +246,7 @@ var FileCache = class _FileCache {
     }
     await sem.run(() => walk(rootDir));
     if (onProgress && foundCount !== lastReported) {
-      onProgress(foundCount);
+      onProgress(foundCount, "");
     }
     return results;
   }
@@ -141,17 +272,36 @@ var FileCache = class _FileCache {
    * Read a text file. Files ≤ 1 MB are cached so subsequent calls from
    * different scanners return the same string. Files > 1 MB (lockfiles,
    * large generated files) are read directly and never retained.
+   *
+   * If maxFileSizeToScan is set and the file exceeds it, the file is
+   * recorded as skipped and an empty string is returned.
    */
   readTextFile(filePath) {
-    const abs = path.resolve(filePath);
+    const abs = path2.resolve(filePath);
     const cached = this.textCache.get(abs);
     if (cached) return cached;
-    const promise = fs.readFile(abs, "utf8").then((content) => {
+    const maxSize = this._maxFileSize;
+    const skippedLarge = this._skippedLargeFiles;
+    const rootDir = this._rootDir;
+    const promise = (async () => {
+      if (maxSize > 0) {
+        try {
+          const stat4 = await fs.stat(abs);
+          if (stat4.size > maxSize) {
+            const rel = rootDir ? path2.relative(rootDir, abs) : abs;
+            skippedLarge.push(rel);
+            this.textCache.delete(abs);
+            return "";
+          }
+        } catch {
+        }
+      }
+      const content = await fs.readFile(abs, "utf8");
       if (content.length > TEXT_CACHE_MAX_BYTES) {
         this.textCache.delete(abs);
       }
       return content;
-    });
+    })();
     this.textCache.set(abs, promise);
     return promise;
   }
@@ -160,7 +310,7 @@ var FileCache = class _FileCache {
    * text is evicted immediately so we never hold both representations.
    */
   readJsonFile(filePath) {
-    const abs = path.resolve(filePath);
+    const abs = path2.resolve(filePath);
     const cached = this.jsonCache.get(abs);
     if (cached) return cached;
     const promise = this.readTextFile(abs).then((txt) => {
@@ -172,7 +322,7 @@ var FileCache = class _FileCache {
   }
   // ── Existence checks ──
   pathExists(p) {
-    const abs = path.resolve(p);
+    const abs = path2.resolve(p);
     const cached = this.existsCache.get(abs);
     if (cached) return cached;
     const promise = fs.access(abs).then(() => true, () => false);
@@ -196,13 +346,14 @@ var FileCache = class _FileCache {
     return this.jsonCache.size;
   }
 };
-async function quickTreeCount(rootDir) {
+async function quickTreeCount(rootDir, excludePatterns) {
   let totalFiles = 0;
   let totalDirs = 0;
   const cores = typeof os.availableParallelism === "function" ? os.availableParallelism() : os.cpus().length || 4;
   const maxConcurrent = Math.max(8, Math.min(128, cores * 8));
   const sem = new Semaphore(maxConcurrent);
   const extraSkip = /* @__PURE__ */ new Set([".nuxt", ".output", ".svelte-kit"]);
+  const isExcluded = excludePatterns ? compileGlobs(excludePatterns) : null;
   async function count(dir) {
     let entries;
     try {
@@ -212,10 +363,12 @@ async function quickTreeCount(rootDir) {
     }
     const subs = [];
     for (const e of entries) {
+      const relPath = path2.relative(rootDir, path2.join(dir, e.name));
+      if (isExcluded && isExcluded(relPath)) continue;
       if (e.isDirectory()) {
         if (SKIP_DIRS.has(e.name) || extraSkip.has(e.name)) continue;
         totalDirs++;
-        subs.push(sem.run(() => count(path.join(dir, e.name))));
+        subs.push(sem.run(() => count(path2.join(dir, e.name))));
       } else if (e.isFile()) {
         totalFiles++;
       }
@@ -241,9 +394,9 @@ async function findFiles(rootDir, predicate) {
     for (const e of entries) {
       if (e.isDirectory()) {
         if (SKIP_DIRS.has(e.name)) continue;
-        subDirectoryWalks.push(readDirSemaphore.run(() => walk(path.join(dir, e.name))));
+        subDirectoryWalks.push(readDirSemaphore.run(() => walk(path2.join(dir, e.name))));
       } else if (e.isFile() && predicate(e.name)) {
-        results.push(path.join(dir, e.name));
+        results.push(path2.join(dir, e.name));
       }
     }
     await Promise.all(subDirectoryWalks);
@@ -279,11 +432,11 @@ async function ensureDir(dir) {
   await fs.mkdir(dir, { recursive: true });
 }
 async function writeJsonFile(filePath, data) {
-  await ensureDir(path.dirname(filePath));
+  await ensureDir(path2.dirname(filePath));
   await fs.writeFile(filePath, JSON.stringify(data, null, 2) + "\n", "utf8");
 }
 async function writeTextFile(filePath, content) {
-  await ensureDir(path.dirname(filePath));
+  await ensureDir(path2.dirname(filePath));
   await fs.writeFile(filePath, content, "utf8");
 }
 
@@ -1217,7 +1370,7 @@ function toSarifResult(finding) {
 
 // src/commands/dsn.ts
 import * as crypto2 from "crypto";
-import * as path2 from "path";
+import * as path3 from "path";
 import { Command } from "commander";
 import chalk2 from "chalk";
 var REGION_HOSTS = {
@@ -1262,7 +1415,7 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
   console.log(chalk2.dim("Set this as VIBGRATE_DSN in your CI environment."));
   console.log(chalk2.dim("The secret must be registered on your Vibgrate ingest API."));
   if (opts.write) {
-    const writePath = path2.resolve(opts.write);
+    const writePath = path3.resolve(opts.write);
     await writeTextFile(writePath, dsn + "\n");
     console.log("");
     console.log(chalk2.green("\u2714") + ` DSN written to ${opts.write}`);
@@ -1272,7 +1425,7 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
 
 // src/commands/push.ts
 import * as crypto3 from "crypto";
-import * as path3 from "path";
+import * as path4 from "path";
 import { Command as Command2 } from "commander";
 import chalk3 from "chalk";
 function parseDsn(dsn) {
@@ -1301,7 +1454,7 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
     if (opts.strict) process.exit(1);
     return;
   }
-  const filePath = path3.resolve(opts.file);
+  const filePath = path4.resolve(opts.file);
   if (!await pathExists(filePath)) {
     console.error(chalk3.red(`Scan artifact not found: ${filePath}`));
     console.error(chalk3.dim('Run "vibgrate scan" first.'));
@@ -1346,14 +1499,31 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
 });
 
 // src/commands/scan.ts
-import * as path16 from "path";
+import * as path17 from "path";
 import { Command as Command3 } from "commander";
 import chalk5 from "chalk";
 
 // src/scanners/node-scanner.ts
-import * as path4 from "path";
+import * as path5 from "path";
 import * as semver2 from "semver";
 
+// src/utils/timeout.ts
+async function withTimeout(promise, ms) {
+  let timer;
+  const timeout = new Promise((resolve7) => {
+    timer = setTimeout(() => resolve7({ ok: false }), ms);
+  });
+  try {
+    const result = await Promise.race([
+      promise.then((value) => ({ ok: true, value })),
+      timeout
+    ]);
+    return result;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // src/scanners/npm-cache.ts
 import { spawn } from "child_process";
 import * as semver from "semver";
@@ -1528,10 +1698,20 @@ var KNOWN_FRAMEWORKS = {
 async function scanNodeProjects(rootDir, npmCache, cache) {
   const packageJsonFiles = cache ? await cache.findPackageJsonFiles(rootDir) : await findPackageJsonFiles(rootDir);
   const results = [];
+  const STUCK_TIMEOUT_MS = 6e4;
   for (const pjPath of packageJsonFiles) {
     try {
-      const scan = await scanOnePackageJson(pjPath, rootDir, npmCache, cache);
-      results.push(scan);
+      const scanPromise = scanOnePackageJson(pjPath, rootDir, npmCache, cache);
+      const result = await withTimeout(scanPromise, STUCK_TIMEOUT_MS);
+      if (result.ok) {
+        results.push(result.value);
+      } else {
+        const relPath = path5.relative(rootDir, path5.dirname(pjPath));
+        if (cache) {
+          cache.addStuckPath(relPath || ".");
+        }
+        console.error(`Timeout scanning ${pjPath} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
+      }
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
       console.error(`Error scanning ${pjPath}: ${msg}`);
@@ -1541,8 +1721,8 @@ async function scanNodeProjects(rootDir, npmCache, cache) {
 }
 async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   const pj = cache ? await cache.readJsonFile(packageJsonPath) : await readJsonFile(packageJsonPath);
-  const absProjectPath = path4.dirname(packageJsonPath);
-  const projectPath = path4.relative(rootDir, absProjectPath) || ".";
+  const absProjectPath = path5.dirname(packageJsonPath);
+  const projectPath = path5.relative(rootDir, absProjectPath) || ".";
   const nodeEngine = pj.engines?.node ?? void 0;
   let runtimeLatest;
   let runtimeMajorsBehind;
@@ -1624,7 +1804,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   return {
     type: "node",
     path: projectPath,
-    name: pj.name ?? path4.basename(absProjectPath),
+    name: pj.name ?? path5.basename(absProjectPath),
     runtime: nodeEngine,
     runtimeLatest,
     runtimeMajorsBehind,
@@ -1635,7 +1815,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
 }
 
 // src/scanners/dotnet-scanner.ts
-import * as path5 from "path";
+import * as path6 from "path";
 import { XMLParser } from "fast-xml-parser";
 var parser = new XMLParser({
   ignoreAttributes: false,
@@ -1836,7 +2016,7 @@ function parseCsproj(xml, filePath) {
   const parsed = parser.parse(xml);
   const project = parsed?.Project;
   if (!project) {
-    return { targetFrameworks: [], packageReferences: [], projectName: path5.basename(filePath, ".csproj") };
+    return { targetFrameworks: [], packageReferences: [], projectName: path6.basename(filePath, ".csproj") };
   }
   const propertyGroups = Array.isArray(project.PropertyGroup) ? project.PropertyGroup : project.PropertyGroup ? [project.PropertyGroup] : [];
   const targetFrameworks = [];
@@ -1864,7 +2044,7 @@ function parseCsproj(xml, filePath) {
   return {
     targetFrameworks: [...new Set(targetFrameworks)],
     packageReferences,
-    projectName: path5.basename(filePath, ".csproj")
+    projectName: path6.basename(filePath, ".csproj")
   };
 }
 async function scanDotnetProjects(rootDir, cache) {
@@ -1874,12 +2054,12 @@ async function scanDotnetProjects(rootDir, cache) {
   for (const slnPath of slnFiles) {
     try {
       const slnContent = cache ? await cache.readTextFile(slnPath) : await readTextFile(slnPath);
-      const slnDir = path5.dirname(slnPath);
+      const slnDir = path6.dirname(slnPath);
       const projectRegex = /Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"/g;
       let match;
       while ((match = projectRegex.exec(slnContent)) !== null) {
         if (match[1]) {
-          const csprojPath = path5.resolve(slnDir, match[1].replace(/\\/g, "/"));
+          const csprojPath = path6.resolve(slnDir, match[1].replace(/\\/g, "/"));
           slnCsprojPaths.add(csprojPath);
         }
       }
@@ -1888,10 +2068,20 @@ async function scanDotnetProjects(rootDir, cache) {
   }
   const allCsprojFiles = /* @__PURE__ */ new Set([...csprojFiles, ...slnCsprojPaths]);
   const results = [];
+  const STUCK_TIMEOUT_MS = 6e4;
   for (const csprojPath of allCsprojFiles) {
     try {
-      const scan = await scanOneCsproj(csprojPath, rootDir, cache);
-      results.push(scan);
+      const scanPromise = scanOneCsproj(csprojPath, rootDir, cache);
+      const result = await withTimeout(scanPromise, STUCK_TIMEOUT_MS);
+      if (result.ok) {
+        results.push(result.value);
+      } else {
+        const relPath = path6.relative(rootDir, path6.dirname(csprojPath));
+        if (cache) {
+          cache.addStuckPath(relPath || ".");
+        }
+        console.error(`Timeout scanning ${csprojPath} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
+      }
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
       console.error(`Error scanning ${csprojPath}: ${msg}`);
@@ -1935,7 +2125,7 @@ async function scanOneCsproj(csprojPath, rootDir, cache) {
   const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: dependencies.length };
   return {
     type: "dotnet",
-    path: path5.relative(rootDir, path5.dirname(csprojPath)) || ".",
+    path: path6.relative(rootDir, path6.dirname(csprojPath)) || ".",
     name: data.projectName,
     targetFramework,
     runtime: primaryTfm,
@@ -1948,15 +2138,17 @@ async function scanOneCsproj(csprojPath, rootDir, cache) {
 }
 
 // src/config.ts
-import * as path6 from "path";
+import * as path7 from "path";
 import * as fs2 from "fs/promises";
 var CONFIG_FILES = [
   "vibgrate.config.ts",
   "vibgrate.config.js",
   "vibgrate.config.json"
 ];
+var DEFAULT_MAX_FILE_SIZE = 5242880;
 var DEFAULT_CONFIG = {
   exclude: [],
+  maxFileSizeToScan: DEFAULT_MAX_FILE_SIZE,
   thresholds: {
     failOnError: {
       eolDays: 180,
@@ -1970,28 +2162,44 @@ var DEFAULT_CONFIG = {
   }
 };
 async function loadConfig(rootDir) {
+  let config = DEFAULT_CONFIG;
   for (const file of CONFIG_FILES) {
-    const configPath = path6.join(rootDir, file);
+    const configPath = path7.join(rootDir, file);
     if (await pathExists(configPath)) {
       if (file.endsWith(".json")) {
         const txt = await readTextFile(configPath);
-        return { ...DEFAULT_CONFIG, ...JSON.parse(txt) };
+        config = { ...DEFAULT_CONFIG, ...JSON.parse(txt) };
+        break;
       }
       try {
         const mod = await import(configPath);
-        return { ...DEFAULT_CONFIG, ...mod.default ?? mod };
+        config = { ...DEFAULT_CONFIG, ...mod.default ?? mod };
+        break;
       } catch {
       }
     }
   }
-  return DEFAULT_CONFIG;
+  const sidecarPath = path7.join(rootDir, ".vibgrate", "auto-excludes.json");
+  if (await pathExists(sidecarPath)) {
+    try {
+      const txt = await readTextFile(sidecarPath);
+      const autoExcludes = JSON.parse(txt);
+      if (Array.isArray(autoExcludes) && autoExcludes.length > 0) {
+        const existing = config.exclude ?? [];
+        config = { ...config, exclude: [.../* @__PURE__ */ new Set([...existing, ...autoExcludes])] };
+      }
+    } catch {
+    }
+  }
+  return config;
 }
 async function writeDefaultConfig(rootDir) {
-  const configPath = path6.join(rootDir, "vibgrate.config.ts");
+  const configPath = path7.join(rootDir, "vibgrate.config.ts");
   const content = `import type { VibgrateConfig } from '@vibgrate/cli';
 
 const config: VibgrateConfig = {
   // exclude: ['legacy/**'],
+  // maxFileSizeToScan: 5_242_880, // 5 MB (default)
   thresholds: {
     failOnError: {
       eolDays: 180,
@@ -2010,9 +2218,44 @@ export default config;
   await fs2.writeFile(configPath, content, "utf8");
   return configPath;
 }
+async function appendExcludePatterns(rootDir, newPatterns) {
+  if (newPatterns.length === 0) return false;
+  const jsonPath = path7.join(rootDir, "vibgrate.config.json");
+  if (await pathExists(jsonPath)) {
+    try {
+      const txt = await readTextFile(jsonPath);
+      const cfg = JSON.parse(txt);
+      const existing2 = Array.isArray(cfg.exclude) ? cfg.exclude : [];
+      const merged2 = [.../* @__PURE__ */ new Set([...existing2, ...newPatterns])];
+      cfg.exclude = merged2;
+      await fs2.writeFile(jsonPath, JSON.stringify(cfg, null, 2) + "\n", "utf8");
+      return true;
+    } catch {
+    }
+  }
+  const vibgrateDir = path7.join(rootDir, ".vibgrate");
+  const sidecarPath = path7.join(vibgrateDir, "auto-excludes.json");
+  let existing = [];
+  if (await pathExists(sidecarPath)) {
+    try {
+      const txt = await readTextFile(sidecarPath);
+      const parsed = JSON.parse(txt);
+      if (Array.isArray(parsed)) existing = parsed;
+    } catch {
+    }
+  }
+  const merged = [.../* @__PURE__ */ new Set([...existing, ...newPatterns])];
+  try {
+    await fs2.mkdir(vibgrateDir, { recursive: true });
+    await fs2.writeFile(sidecarPath, JSON.stringify(merged, null, 2) + "\n", "utf8");
+    return true;
+  } catch {
+    return false;
+  }
+}
 
 // src/utils/vcs.ts
-import * as path7 from "path";
+import * as path8 from "path";
 import * as fs3 from "fs/promises";
 async function detectVcs(rootDir) {
   try {
@@ -2026,7 +2269,7 @@ async function detectGit(rootDir) {
   if (!gitDir) {
     return { type: "unknown" };
   }
-  const headPath = path7.join(gitDir, "HEAD");
+  const headPath = path8.join(gitDir, "HEAD");
   let headContent;
   try {
     headContent = (await fs3.readFile(headPath, "utf8")).trim();
@@ -2050,30 +2293,30 @@ async function detectGit(rootDir) {
   };
 }
 async function findGitDir(startDir) {
-  let dir = path7.resolve(startDir);
-  const root = path7.parse(dir).root;
+  let dir = path8.resolve(startDir);
+  const root = path8.parse(dir).root;
   while (dir !== root) {
-    const gitPath = path7.join(dir, ".git");
+    const gitPath = path8.join(dir, ".git");
     try {
-      const stat3 = await fs3.stat(gitPath);
-      if (stat3.isDirectory()) {
+      const stat4 = await fs3.stat(gitPath);
+      if (stat4.isDirectory()) {
         return gitPath;
       }
-      if (stat3.isFile()) {
+      if (stat4.isFile()) {
         const content = (await fs3.readFile(gitPath, "utf8")).trim();
         if (content.startsWith("gitdir: ")) {
-          const resolved = path7.resolve(dir, content.slice(8));
+          const resolved = path8.resolve(dir, content.slice(8));
           return resolved;
         }
       }
     } catch {
     }
-    dir = path7.dirname(dir);
+    dir = path8.dirname(dir);
   }
   return null;
 }
 async function resolveRef(gitDir, refPath) {
-  const loosePath = path7.join(gitDir, refPath);
+  const loosePath = path8.join(gitDir, refPath);
   try {
     const sha = (await fs3.readFile(loosePath, "utf8")).trim();
     if (/^[0-9a-f]{40}$/i.test(sha)) {
@@ -2081,7 +2324,7 @@ async function resolveRef(gitDir, refPath) {
     }
   } catch {
   }
-  const packedPath = path7.join(gitDir, "packed-refs");
+  const packedPath = path8.join(gitDir, "packed-refs");
   try {
     const packed = await fs3.readFile(packedPath, "utf8");
     for (const line of packed.split("\n")) {
@@ -2123,6 +2366,10 @@ var ScanProgress = class {
   startTime = Date.now();
   isTTY;
   rootDir = "";
+  /** Last rendered frame content (strip to compare for dirty-checking) */
+  lastFrame = "";
+  /** Whether we've hidden the cursor */
+  cursorHidden = false;
   /** Estimated total scan duration in ms (from history or live calculation) */
   estimatedTotalMs = null;
   /** Per-step estimated durations from history */
@@ -2134,6 +2381,23 @@ var ScanProgress = class {
   constructor(rootDir) {
     this.isTTY = process.stderr.isTTY ?? false;
     this.rootDir = rootDir;
+    if (this.isTTY) {
+      const restore = () => {
+        if (this.cursorHidden) {
+          process.stderr.write("\x1B[?25h");
+          this.cursorHidden = false;
+        }
+      };
+      process.on("exit", restore);
+      process.on("SIGINT", () => {
+        restore();
+        process.exit(130);
+      });
+      process.on("SIGTERM", () => {
+        restore();
+        process.exit(143);
+      });
+    }
   }
   /** Set the estimated total duration from scan history */
   setEstimatedTotal(estimatedMs) {
@@ -2192,11 +2456,12 @@ var ScanProgress = class {
     this.render();
   }
   /** Update sub-step progress for the active step (files processed, etc.) */
-  updateStepProgress(id, current, total) {
+  updateStepProgress(id, current, total, label) {
     const step = this.steps.find((s) => s.id === id);
     if (step) {
       step.subProgress = current;
       if (total !== void 0) step.subTotal = total;
+      if (label !== void 0) step.subLabel = label;
     }
     this.render();
   }
@@ -2231,7 +2496,18 @@ var ScanProgress = class {
       this.timer = null;
     }
     if (this.isTTY) {
-      this.clearLines();
+      let buf = "";
+      if (this.lastLineCount > 0) {
+        buf += `\x1B[${this.lastLineCount}A`;
+        for (let i = 0; i < this.lastLineCount; i++) {
+          buf += "\x1B[2K\n";
+        }
+        buf += `\x1B[${this.lastLineCount}A`;
+      }
+      buf += "\x1B[?25h";
+      if (buf) process.stderr.write(buf);
+      this.cursorHidden = false;
+      this.lastLineCount = 0;
     }
     const elapsed = this.formatElapsed(Date.now() - this.startTime);
     const doneCount = this.steps.filter((s) => s.status === "done").length;
@@ -2243,26 +2519,22 @@ var ScanProgress = class {
   }
   // ── Internal rendering ──
   startSpinner() {
+    if (!this.cursorHidden) {
+      process.stderr.write("\x1B[?25l");
+      this.cursorHidden = true;
+    }
     this.timer = setInterval(() => {
       this.spinnerFrame = (this.spinnerFrame + 1) % SPINNER_FRAMES.length;
       this.render();
-    }, 80);
+    }, 120);
   }
   clearLines() {
-    if (this.lastLineCount > 0) {
-      process.stderr.write(`\x1B[${this.lastLineCount}A`);
-      for (let i = 0; i < this.lastLineCount; i++) {
-        process.stderr.write("\x1B[2K\n");
-      }
-      process.stderr.write(`\x1B[${this.lastLineCount}A`);
-    }
   }
   render() {
     if (!this.isTTY) {
       this.renderCI();
       return;
     }
-    this.clearLines();
     const lines = [];
     lines.push("");
     lines.push(`  ${ROBOT[0]}  ${BRAND[0]}`);
@@ -2303,8 +2575,21 @@ var ScanProgress = class {
     lines.push("");
     lines.push(this.renderStats());
     lines.push("");
-    const output = lines.join("\n") + "\n";
-    process.stderr.write(output);
+    const content = lines.join("\n") + "\n";
+    if (content === this.lastFrame && this.lastLineCount === lines.length) {
+      return;
+    }
+    this.lastFrame = content;
+    let buf = "";
+    if (this.lastLineCount > 0) {
+      buf += `\x1B[${this.lastLineCount}A`;
+      for (let i = 0; i < this.lastLineCount; i++) {
+        buf += "\x1B[2K\n";
+      }
+      buf += `\x1B[${this.lastLineCount}A`;
+    }
+    buf += content;
+    process.stderr.write(buf);
     this.lastLineCount = lines.length;
   }
   renderStep(step) {
@@ -2323,6 +2608,11 @@ var ScanProgress = class {
         if (step.subTotal && step.subTotal > 0 && step.subProgress !== void 0 && step.subProgress > 0) {
           detail = chalk4.dim(` \xB7 ${step.subProgress.toLocaleString()} / ${step.subTotal.toLocaleString()}`);
         }
+        if (step.subLabel) {
+          const maxLen = 50;
+          const displayPath = step.subLabel.length > maxLen ? "\u2026" + step.subLabel.slice(-maxLen + 1) : step.subLabel;
+          detail += chalk4.dim(` ${displayPath}`);
+        }
         break;
       case "skipped":
         icon = chalk4.dim("\u25CC");
@@ -2428,11 +2718,11 @@ var ScanProgress = class {
 
 // src/ui/scan-history.ts
 import * as fs4 from "fs/promises";
-import * as path8 from "path";
+import * as path9 from "path";
 var HISTORY_FILENAME = "scan_history.json";
 var MAX_RECORDS = 10;
 async function loadScanHistory(rootDir) {
-  const filePath = path8.join(rootDir, ".vibgrate", HISTORY_FILENAME);
+  const filePath = path9.join(rootDir, ".vibgrate", HISTORY_FILENAME);
   try {
     const txt = await fs4.readFile(filePath, "utf8");
     const data = JSON.parse(txt);
@@ -2445,8 +2735,8 @@ async function loadScanHistory(rootDir) {
   }
 }
 async function saveScanHistory(rootDir, record) {
-  const dir = path8.join(rootDir, ".vibgrate");
-  const filePath = path8.join(dir, HISTORY_FILENAME);
+  const dir = path9.join(rootDir, ".vibgrate");
+  const filePath = path9.join(dir, HISTORY_FILENAME);
   let history;
   const existing = await loadScanHistory(rootDir);
   if (existing) {
@@ -2510,7 +2800,7 @@ function estimateStepDurations(history, currentFileCount) {
 }
 
 // src/scanners/platform-matrix.ts
-import * as path9 from "path";
+import * as path10 from "path";
 var NATIVE_MODULE_PACKAGES = /* @__PURE__ */ new Set([
   // Image / media processing
   "sharp",
@@ -2790,7 +3080,7 @@ async function scanPlatformMatrix(rootDir, cache) {
   }
   result.dockerBaseImages = [...baseImages].sort();
   for (const file of [".nvmrc", ".node-version", ".tool-versions"]) {
-    const exists = cache ? await cache.pathExists(path9.join(rootDir, file)) : await pathExists(path9.join(rootDir, file));
+    const exists = cache ? await cache.pathExists(path10.join(rootDir, file)) : await pathExists(path10.join(rootDir, file));
     if (exists) {
       result.nodeVersionFiles.push(file);
     }
@@ -2867,7 +3157,7 @@ function scanDependencyRisk(projects) {
 }
 
 // src/scanners/dependency-graph.ts
-import * as path10 from "path";
+import * as path11 from "path";
 function parsePnpmLock(content) {
   const entries = [];
   const regex = /^\s+\/?(@?[^@\s][^@\s]*?)@(\d+\.\d+\.\d+[^:\s]*)\s*:/gm;
@@ -2926,9 +3216,9 @@ async function scanDependencyGraph(rootDir, cache) {
     phantomDependencies: []
   };
   let entries = [];
-  const pnpmLock = path10.join(rootDir, "pnpm-lock.yaml");
-  const npmLock = path10.join(rootDir, "package-lock.json");
-  const yarnLock = path10.join(rootDir, "yarn.lock");
+  const pnpmLock = path11.join(rootDir, "pnpm-lock.yaml");
+  const npmLock = path11.join(rootDir, "package-lock.json");
+  const yarnLock = path11.join(rootDir, "yarn.lock");
   const _pathExists = cache ? (p) => cache.pathExists(p) : pathExists;
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   if (await _pathExists(pnpmLock)) {
@@ -2975,7 +3265,7 @@ async function scanDependencyGraph(rootDir, cache) {
   for (const pjPath of pkgFiles) {
     try {
       const pj = cache ? await cache.readJsonFile(pjPath) : await readJsonFile(pjPath);
-      const relPath = path10.relative(rootDir, pjPath);
+      const relPath = path11.relative(rootDir, pjPath);
       for (const section of ["dependencies", "devDependencies"]) {
         const deps = pj[section];
         if (!deps) continue;
@@ -3321,7 +3611,7 @@ function scanToolingInventory(projects) {
 }
 
 // src/scanners/build-deploy.ts
-import * as path11 from "path";
+import * as path12 from "path";
 var CI_FILES = {
   ".github/workflows": "github-actions",
   ".gitlab-ci.yml": "gitlab-ci",
@@ -3374,17 +3664,17 @@ async function scanBuildDeploy(rootDir, cache) {
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   const ciSystems = /* @__PURE__ */ new Set();
   for (const [file, system] of Object.entries(CI_FILES)) {
-    const fullPath = path11.join(rootDir, file);
+    const fullPath = path12.join(rootDir, file);
     if (await _pathExists(fullPath)) {
       ciSystems.add(system);
     }
   }
-  const ghWorkflowDir = path11.join(rootDir, ".github", "workflows");
+  const ghWorkflowDir = path12.join(rootDir, ".github", "workflows");
   if (await _pathExists(ghWorkflowDir)) {
     try {
       if (cache) {
         const entries = await cache.walkDir(rootDir);
-        const ghPrefix = path11.relative(rootDir, ghWorkflowDir) + path11.sep;
+        const ghPrefix = path12.relative(rootDir, ghWorkflowDir) + path12.sep;
         result.ciWorkflowCount = entries.filter(
           (e) => e.isFile && e.relPath.startsWith(ghPrefix) && (e.name.endsWith(".yml") || e.name.endsWith(".yaml"))
         ).length;
@@ -3435,11 +3725,11 @@ async function scanBuildDeploy(rootDir, cache) {
     (name) => name.endsWith(".cfn.json") || name.endsWith(".cfn.yaml")
   );
   if (cfnFiles.length > 0) iacSystems.add("cloudformation");
-  if (await _pathExists(path11.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
+  if (await _pathExists(path12.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
   result.iac = [...iacSystems].sort();
   const releaseTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(RELEASE_FILES)) {
-    if (await _pathExists(path11.join(rootDir, file))) releaseTools.add(tool);
+    if (await _pathExists(path12.join(rootDir, file))) releaseTools.add(tool);
   }
   const pkgFiles = cache ? await cache.findPackageJsonFiles(rootDir) : await findPackageJsonFiles(rootDir);
   for (const pjPath of pkgFiles) {
@@ -3464,19 +3754,19 @@ async function scanBuildDeploy(rootDir, cache) {
   };
   const managers = /* @__PURE__ */ new Set();
   for (const [file, manager] of Object.entries(lockfileMap)) {
-    if (await _pathExists(path11.join(rootDir, file))) managers.add(manager);
+    if (await _pathExists(path12.join(rootDir, file))) managers.add(manager);
   }
   result.packageManagers = [...managers].sort();
   const monoTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(MONOREPO_FILES)) {
-    if (await _pathExists(path11.join(rootDir, file))) monoTools.add(tool);
+    if (await _pathExists(path12.join(rootDir, file))) monoTools.add(tool);
   }
   result.monorepoTools = [...monoTools].sort();
   return result;
 }
 
 // src/scanners/ts-modernity.ts
-import * as path12 from "path";
+import * as path13 from "path";
 async function scanTsModernity(rootDir, cache) {
   const result = {
     typescriptVersion: null,
@@ -3514,7 +3804,7 @@ async function scanTsModernity(rootDir, cache) {
   if (hasEsm && hasCjs) result.moduleType = "mixed";
   else if (hasEsm) result.moduleType = "esm";
   else if (hasCjs) result.moduleType = "cjs";
-  let tsConfigPath = path12.join(rootDir, "tsconfig.json");
+  let tsConfigPath = path13.join(rootDir, "tsconfig.json");
   const tsConfigExists = cache ? await cache.pathExists(tsConfigPath) : await pathExists(tsConfigPath);
   if (!tsConfigExists) {
     const tsConfigs = cache ? await cache.findFiles(rootDir, (name) => name === "tsconfig.json") : await findFiles(rootDir, (name) => name === "tsconfig.json");
@@ -3861,7 +4151,7 @@ function scanBreakingChangeExposure(projects) {
 
 // src/scanners/file-hotspots.ts
 import * as fs5 from "fs/promises";
-import * as path13 from "path";
+import * as path14 from "path";
 var SKIP_DIRS2 = /* @__PURE__ */ new Set([
   "node_modules",
   ".git",
@@ -3904,16 +4194,16 @@ async function scanFileHotspots(rootDir, cache) {
     const entries = await cache.walkDir(rootDir);
     for (const entry of entries) {
       if (!entry.isFile) continue;
-      const ext = path13.extname(entry.name).toLowerCase();
+      const ext = path14.extname(entry.name).toLowerCase();
       if (SKIP_EXTENSIONS.has(ext)) continue;
-      const depth = entry.relPath.split(path13.sep).length - 1;
+      const depth = entry.relPath.split(path14.sep).length - 1;
       if (depth > maxDepth) maxDepth = depth;
       extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
       try {
-        const stat3 = await fs5.stat(entry.absPath);
+        const stat4 = await fs5.stat(entry.absPath);
         allFiles.push({
           path: entry.relPath,
-          bytes: stat3.size
+          bytes: stat4.size
         });
       } catch {
       }
@@ -3935,16 +4225,16 @@ async function scanFileHotspots(rootDir, cache) {
       for (const e of entries) {
         if (e.isDirectory) {
           if (SKIP_DIRS2.has(e.name)) continue;
-          await walk(path13.join(dir, e.name), depth + 1);
+          await walk(path14.join(dir, e.name), depth + 1);
         } else if (e.isFile) {
-          const ext = path13.extname(e.name).toLowerCase();
+          const ext = path14.extname(e.name).toLowerCase();
           if (SKIP_EXTENSIONS.has(ext)) continue;
           extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
           try {
-            const stat3 = await fs5.stat(path13.join(dir, e.name));
+            const stat4 = await fs5.stat(path14.join(dir, e.name));
             allFiles.push({
-              path: path13.relative(rootDir, path13.join(dir, e.name)),
-              bytes: stat3.size
+              path: path14.relative(rootDir, path14.join(dir, e.name)),
+              bytes: stat4.size
             });
           } catch {
           }
@@ -3966,7 +4256,7 @@ async function scanFileHotspots(rootDir, cache) {
 }
 
 // src/scanners/security-posture.ts
-import * as path14 from "path";
+import * as path15 from "path";
 var LOCKFILES = {
   "pnpm-lock.yaml": "pnpm",
   "package-lock.json": "npm",
@@ -3987,14 +4277,14 @@ async function scanSecurityPosture(rootDir, cache) {
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   const foundLockfiles = [];
   for (const [file, type] of Object.entries(LOCKFILES)) {
-    if (await _pathExists(path14.join(rootDir, file))) {
+    if (await _pathExists(path15.join(rootDir, file))) {
       foundLockfiles.push(type);
     }
   }
   result.lockfilePresent = foundLockfiles.length > 0;
   result.multipleLockfileTypes = foundLockfiles.length > 1;
   result.lockfileTypes = foundLockfiles.sort();
-  const gitignorePath = path14.join(rootDir, ".gitignore");
+  const gitignorePath = path15.join(rootDir, ".gitignore");
   if (await _pathExists(gitignorePath)) {
     try {
       const content = await _readTextFile(gitignorePath);
@@ -4009,7 +4299,7 @@ async function scanSecurityPosture(rootDir, cache) {
     }
   }
   for (const envFile of [".env", ".env.local", ".env.development", ".env.production"]) {
-    if (await _pathExists(path14.join(rootDir, envFile))) {
+    if (await _pathExists(path15.join(rootDir, envFile))) {
       if (!result.gitignoreCoversEnv) {
         result.envFilesTracked = true;
         break;
@@ -4434,7 +4724,7 @@ function scanServiceDependencies(projects) {
 }
 
 // src/scanners/architecture.ts
-import * as path15 from "path";
+import * as path16 from "path";
 import * as fs6 from "fs/promises";
 var ARCHETYPE_SIGNALS = [
   // Meta-frameworks (highest priority — they imply routing patterns)
@@ -4733,9 +5023,9 @@ async function walkSourceFiles(rootDir, cache) {
     const entries = await cache.walkDir(rootDir);
     return entries.filter((e) => {
       if (!e.isFile) return false;
-      const name = path15.basename(e.absPath);
+      const name = path16.basename(e.absPath);
       if (name.startsWith(".") && name !== ".") return false;
-      const ext = path15.extname(name);
+      const ext = path16.extname(name);
       return SOURCE_EXTENSIONS.has(ext);
     }).map((e) => e.relPath);
   }
@@ -4749,15 +5039,15 @@ async function walkSourceFiles(rootDir, cache) {
     }
     for (const entry of entries) {
       if (entry.name.startsWith(".") && entry.name !== ".") continue;
-      const fullPath = path15.join(dir, entry.name);
+      const fullPath = path16.join(dir, entry.name);
       if (entry.isDirectory()) {
         if (!IGNORE_DIRS.has(entry.name)) {
           await walk(fullPath);
         }
       } else if (entry.isFile()) {
-        const ext = path15.extname(entry.name);
+        const ext = path16.extname(entry.name);
         if (SOURCE_EXTENSIONS.has(ext)) {
-          files.push(path15.relative(rootDir, fullPath));
+          files.push(path16.relative(rootDir, fullPath));
         }
       }
     }
@@ -4781,7 +5071,7 @@ function classifyFile(filePath, archetype) {
     }
   }
   if (!bestMatch || bestMatch.confidence < 0.7) {
-    const baseName = path15.basename(filePath, path15.extname(filePath));
+    const baseName = path16.basename(filePath, path16.extname(filePath));
     const cleanBase = baseName.replace(/\.(test|spec)$/, "");
     for (const rule of SUFFIX_RULES) {
       if (cleanBase.endsWith(rule.suffix)) {
@@ -4972,6 +5262,9 @@ async function runScan(rootDir, opts) {
   const sem = new Semaphore(opts.concurrency);
   const npmCache = new NpmCache(rootDir, sem);
   const fileCache = new FileCache();
+  const excludePatterns = config.exclude ?? [];
+  fileCache.setExcludePatterns(excludePatterns);
+  fileCache.setMaxFileSize(config.maxFileSizeToScan ?? 5242880);
   const scanners = config.scanners;
   let filesScanned = 0;
   const progress = new ScanProgress(rootDir);
@@ -5001,7 +5294,7 @@ async function runScan(rootDir, opts) {
   progress.setSteps(steps);
   progress.completeStep("config", "loaded");
   progress.startStep("discovery");
-  const treeCount = await quickTreeCount(rootDir);
+  const treeCount = await quickTreeCount(rootDir, excludePatterns);
   progress.updateStats({ treeSummary: treeCount });
   progress.completeStep(
     "discovery",
@@ -5016,8 +5309,8 @@ async function runScan(rootDir, opts) {
   const vcsDetail = vcs.type !== "unknown" ? `${vcs.type}${vcs.branch ? ` ${vcs.branch}` : ""}${vcs.shortSha ? ` @ ${vcs.shortSha}` : ""}` : "none detected";
   progress.completeStep("vcs", vcsDetail);
   progress.startStep("walk", treeCount.totalFiles);
-  await fileCache.walkDir(rootDir, (found) => {
-    progress.updateStepProgress("walk", found, treeCount.totalFiles);
+  await fileCache.walkDir(rootDir, (found, currentPath) => {
+    progress.updateStepProgress("walk", found, treeCount.totalFiles, currentPath);
   });
   progress.completeStep("walk", `${treeCount.totalFiles.toLocaleString()} files indexed`);
   progress.startStep("node");
@@ -5199,6 +5492,36 @@ async function runScan(rootDir, opts) {
   if (noteCount > 0) findingParts.push(`${noteCount} note${noteCount !== 1 ? "s" : ""}`);
   progress.completeStep("findings", findingParts.join(", ") || "none");
   progress.finish();
+  const stuckPaths = fileCache.stuckPaths;
+  const skippedLarge = fileCache.skippedLargeFiles;
+  if (stuckPaths.length > 0) {
+    console.log(
+      chalk5.yellow(`
+\u26A0 ${stuckPaths.length} path${stuckPaths.length === 1 ? "" : "s"} timed out (>60s) and ${stuckPaths.length === 1 ? "was" : "were"} skipped:`)
+    );
+    for (const d of stuckPaths) {
+      console.log(chalk5.dim(`  \u2192 ${d}`));
+    }
+    const newExcludes = stuckPaths.map((d) => `${d}/**`);
+    const updated = await appendExcludePatterns(rootDir, newExcludes);
+    if (updated) {
+      console.log(chalk5.green("\u2714") + ` Added ${newExcludes.length} pattern${newExcludes.length !== 1 ? "s" : ""} to exclude list in config`);
+    }
+  }
+  if (skippedLarge.length > 0) {
+    const sizeLimit = config.maxFileSizeToScan ?? 5242880;
+    const sizeMB = (sizeLimit / 1048576).toFixed(0);
+    console.log(
+      chalk5.yellow(`
+\u26A0 ${skippedLarge.length} file${skippedLarge.length === 1 ? "" : "s"} skipped (>${sizeMB} MB):`)
+    );
+    for (const f of skippedLarge.slice(0, 10)) {
+      console.log(chalk5.dim(`  \u2192 ${f}`));
+    }
+    if (skippedLarge.length > 10) {
+      console.log(chalk5.dim(`  \u2026 and ${skippedLarge.length - 10} more`));
+    }
+  }
   fileCache.clear();
   if (allProjects.length === 0) {
     console.log(chalk5.yellow("No projects found."));
@@ -5216,7 +5539,7 @@ async function runScan(rootDir, opts) {
     schemaVersion: "1.0",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     vibgrateVersion: VERSION,
-    rootPath: path16.basename(rootDir),
+    rootPath: path17.basename(rootDir),
     ...vcs.type !== "unknown" ? { vcs } : {},
     projects: allProjects,
     drift,
@@ -5227,7 +5550,7 @@ async function runScan(rootDir, opts) {
     treeSummary: treeCount
   };
   if (opts.baseline) {
-    const baselinePath = path16.resolve(opts.baseline);
+    const baselinePath = path17.resolve(opts.baseline);
     if (await pathExists(baselinePath)) {
       try {
         const baseline = await readJsonFile(baselinePath);
@@ -5238,9 +5561,9 @@ async function runScan(rootDir, opts) {
       }
     }
   }
-  const vibgrateDir = path16.join(rootDir, ".vibgrate");
+  const vibgrateDir = path17.join(rootDir, ".vibgrate");
   await ensureDir(vibgrateDir);
-  await writeJsonFile(path16.join(vibgrateDir, "scan_result.json"), artifact);
+  await writeJsonFile(path17.join(vibgrateDir, "scan_result.json"), artifact);
   await saveScanHistory(rootDir, {
     timestamp: artifact.timestamp,
     totalDurationMs: durationMs,
@@ -5250,10 +5573,10 @@ async function runScan(rootDir, opts) {
   });
   for (const project of allProjects) {
     if (project.drift && project.path) {
-      const projectDir = path16.resolve(rootDir, project.path);
-      const projectVibgrateDir = path16.join(projectDir, ".vibgrate");
+      const projectDir = path17.resolve(rootDir, project.path);
+      const projectVibgrateDir = path17.join(projectDir, ".vibgrate");
       await ensureDir(projectVibgrateDir);
-      await writeJsonFile(path16.join(projectVibgrateDir, "project_score.json"), {
+      await writeJsonFile(path17.join(projectVibgrateDir, "project_score.json"), {
         projectId: project.projectId,
         name: project.name,
         type: project.type,
@@ -5270,7 +5593,7 @@ async function runScan(rootDir, opts) {
   if (opts.format === "json") {
     const jsonStr = JSON.stringify(artifact, null, 2);
     if (opts.out) {
-      await writeTextFile(path16.resolve(opts.out), jsonStr);
+      await writeTextFile(path17.resolve(opts.out), jsonStr);
       console.log(chalk5.green("\u2714") + ` JSON written to ${opts.out}`);
     } else {
       console.log(jsonStr);
@@ -5279,7 +5602,7 @@ async function runScan(rootDir, opts) {
     const sarif = formatSarif(artifact);
     const sarifStr = JSON.stringify(sarif, null, 2);
     if (opts.out) {
-      await writeTextFile(path16.resolve(opts.out), sarifStr);
+      await writeTextFile(path17.resolve(opts.out), sarifStr);
       console.log(chalk5.green("\u2714") + ` SARIF written to ${opts.out}`);
     } else {
       console.log(sarifStr);
@@ -5288,7 +5611,7 @@ async function runScan(rootDir, opts) {
     const text = formatText(artifact);
     console.log(text);
     if (opts.out) {
-      await writeTextFile(path16.resolve(opts.out), text);
+      await writeTextFile(path17.resolve(opts.out), text);
     }
   }
   return artifact;
@@ -5347,7 +5670,7 @@ async function autoPush(artifact, rootDir, opts) {
   }
 }
 var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").action(async (targetPath, opts) => {
-  const rootDir = path16.resolve(targetPath);
+  const rootDir = path17.resolve(targetPath);
   if (!await pathExists(rootDir)) {
     console.error(chalk5.red(`Path does not exist: ${rootDir}`));
     process.exit(1);

package/dist/cli.js

@@ -4,7 +4,7 @@ import {
 } from "./chunk-GN3IWKSY.js";
 import {
   baselineCommand
-} from "./chunk-74QSNBZA.js";
+} from "./chunk-IMK7DUPY.js";
 import {
   VERSION,
   dsnCommand,
@@ -15,7 +15,7 @@ import {
   readJsonFile,
   scanCommand,
   writeDefaultConfig
-} from "./chunk-L6R5WSCC.js";
+} from "./chunk-JFMGFWKC.js";
 
 // src/cli.ts
 import { Command as Command4 } from "commander";
@@ -38,7 +38,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-7WI3SI6H.js");
+    const { runBaseline } = await import("./baseline-IOXJPCX7.js");
     await runBaseline(rootDir);
   }
   console.log("");

package/dist/index.d.ts

@@ -123,6 +123,9 @@ interface ScannersConfig {
 interface VibgrateConfig {
     include?: string[];
     exclude?: string[];
+    /** Maximum file size (bytes) the CLI will read during a scan. Files larger
+     *  than this are silently skipped.  Default: 5 242 880 (5 MB). */
+    maxFileSizeToScan?: number;
     scanners?: ScannersConfig | false;
     thresholds?: {
         failOnError?: {

package/dist/index.js

@@ -7,7 +7,7 @@ import {
   formatText,
   generateFindings,
   runScan
-} from "./chunk-L6R5WSCC.js";
+} from "./chunk-JFMGFWKC.js";
 export {
   computeDriftScore,
   formatMarkdown,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "1.0.21",
+  "version": "1.0.22",
   "description": "CLI for measuring upgrade drift across Node & .NET projects",
   "type": "module",
   "bin": {