@vibgrate/cli 1.0.26 → 1.0.28

package/DOCS.md

@@ -40,6 +40,7 @@ For a quick overview, see the [README](./README.md). This document covers everyt
   - [Breaking Change Exposure](#breaking-change-exposure)
   - [File Hotspots](#file-hotspots)
   - [Security Posture](#security-posture)
+  - [Security Scanners](#security-scanners)
   - [Service Dependencies](#service-dependencies)
 - [CI Integration](#ci-integration)
   - [GitHub Actions](#github-actions)
@@ -65,7 +66,7 @@ Vibgrate recursively scans your repository for `package.json` (Node/TypeScript)
 4. **Generates** a deterministic Upgrade Drift Score (0–100)
 5. **Produces** findings, a full JSON artifact, and optional SARIF output
 
-No source code is read. No secrets are scanned. The CLI works entirely offline — dashboard upload is optional.
+Core drift analysis does not execute source code. Optional security scanners can run lightweight secret heuristics and local toolchain checks. Dashboard upload remains optional.
 
 ---
 
@@ -274,6 +275,7 @@ const config: VibgrateConfig = {
     breakingChangeExposure: { enabled: true },
     fileHotspots:           { enabled: true },
     securityPosture:        { enabled: true },
+    securityScanners:       { enabled: true },
     serviceDependencies:    { enabled: true },
   },
 };
@@ -398,6 +400,19 @@ Structural security hygiene indicators (not a secret scanner):
 - `.env` files tracked outside `.gitignore`
 - Audit severity counts (via `npm audit --json`)
 
+
+### Security Scanners
+
+Security scanner orchestration and readiness analysis focused on modern SAST and secrets tooling:
+
+- Semgrep support for SAST (version detection + freshness checks)
+- Gitleaks and TruffleHog support for secret scanning readiness
+- Recommended minimum version checks to highlight stale engines/signatures
+- Config discovery (`.semgrep.yml`, `.gitleaks.toml`, `.trufflehog.yml`)
+- Cache-backed heuristic secret signals to add value even when binaries are unavailable
+
+> This scanner does not guarantee full secret detection or rule coverage by itself; it reports toolchain status and lightweight in-repo indicators so teams can decide how to harden CI enforcement.
+
 ### Service Dependencies
 
 Maps external service and platform dependencies by detecting SDK packages:

package/README.md

@@ -162,7 +162,7 @@ Works across **Node.js/TypeScript** and **.NET** projects in the same scan. Dete
 
 Designed to live in your build pipeline. Returns meaningful exit codes, produces SARIF output for GitHub Code Scanning and Azure DevOps, and requires zero configuration to get started.
 
-### Ten Extended Scanners
+### 13 Extended Scanners
 
 Beyond the core drift score, Vibgrate runs a suite of extended scanners — all optional, all privacy-safe:
 
@@ -177,7 +177,10 @@ Beyond the core drift score, Vibgrate runs a suite of extended scanners — all
 | **Breaking Change Exposure** | Packages known to cause upgrade pain, legacy polyfills |
 | **File Hotspots** | Codebase shape — file counts, sizes, depth, shared packages |
 | **Security Posture** | Lockfile hygiene, `.gitignore` coverage, audit severity counts |
+| **Security Scanners** | Semgrep (SAST) + Gitleaks/TruffleHog readiness, version risk checks, heuristic secret signals |
 | **Service Dependencies** | External SDK detection — payment, auth, cloud, databases, messaging |
+| **Code Quality** | Cyclomatic complexity, function length, nesting depth, god files, dead-code estimate, circular imports |
+| **OWASP Category Mapping** | Semgrep OSS findings mapped to OWASP Top 10 categories (fast or cache-input mode) |
 
 ### Baseline & Delta Tracking
 
@@ -284,7 +287,8 @@ export default config;
 
 Vibgrate is designed to be safe to run on any codebase:
 
-- **No source code is read** — only `package.json`, `tsconfig.json`, lockfiles, and project manifests
+- **No source code content is exfiltrated** — code-quality metrics are computed locally and only aggregated numbers are emitted
+- **Source code is only read when explicitly needed** — core drift scanners use manifests/configs; OWASP mapping can inspect source files via Semgrep
 - **No secrets are scanned** — ever
 - **No git history, authors, or commit messages** — only HEAD SHA and branch name for traceability
 - **No data leaves your machine** unless you explicitly run `vibgrate push` or `vibgrate scan --push`

package/dist/{baseline-KXUPTMQ2.js → baseline-AA2FVYAX.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-7EEUYKZI.js";
-import "./chunk-27LB7QTA.js";
+} from "./chunk-T4GNX4OC.js";
+import "./chunk-XLRCQ476.js";
 export {
   baselineCommand,
   runBaseline

package/dist/{chunk-7EEUYKZI.js → chunk-T4GNX4OC.js}

@@ -1,7 +1,7 @@
 import {
   runScan,
   writeJsonFile
-} from "./chunk-27LB7QTA.js";
+} from "./chunk-XLRCQ476.js";
 
 // src/commands/baseline.ts
 import * as path from "path";

package/dist/{chunk-27LB7QTA.js → chunk-XLRCQ476.js}

@@ -23,7 +23,7 @@ var Semaphore = class {
       this.available--;
       return Promise.resolve();
     }
-    return new Promise((resolve7) => this.queue.push(resolve7));
+    return new Promise((resolve9) => this.queue.push(resolve9));
   }
   release() {
     const next = this.queue.shift();
@@ -291,7 +291,7 @@ var FileCache = class _FileCache {
           const result = await Promise.race([
             readPromise.then((e) => ({ ok: true, entries: e })),
             new Promise(
-              (resolve7) => setTimeout(() => resolve7({ ok: false }), STUCK_TIMEOUT_MS)
+              (resolve9) => setTimeout(() => resolve9({ ok: false }), STUCK_TIMEOUT_MS)
             )
           ]);
           if (!result.ok) {
@@ -940,14 +940,14 @@ function formatExtended(ext) {
     }
   }
   if (ext.tsModernity && ext.tsModernity.typescriptVersion) {
-    const ts = ext.tsModernity;
+    const ts2 = ext.tsModernity;
     lines.push(chalk.bold.underline("  TypeScript"));
     const parts = [];
-    parts.push(`v${ts.typescriptVersion}`);
-    if (ts.strict === true) parts.push(chalk.green("strict \u2714"));
-    else if (ts.strict === false) parts.push(chalk.yellow("strict \u2716"));
-    if (ts.moduleType) parts.push(ts.moduleType.toUpperCase());
-    if (ts.target) parts.push(`target: ${ts.target}`);
+    parts.push(`v${ts2.typescriptVersion}`);
+    if (ts2.strict === true) parts.push(chalk.green("strict \u2714"));
+    else if (ts2.strict === false) parts.push(chalk.yellow("strict \u2716"));
+    if (ts2.moduleType) parts.push(ts2.moduleType.toUpperCase());
+    if (ts2.target) parts.push(`target: ${ts2.target}`);
     lines.push(`    ${parts.join(chalk.dim(" \xB7 "))}`);
     lines.push("");
   }
@@ -966,6 +966,24 @@ function formatExtended(ext) {
       lines.push("");
     }
   }
+  if (ext.owaspCategoryMapping) {
+    const ow = ext.owaspCategoryMapping;
+    lines.push(chalk.bold.underline("  OWASP Category Mapping"));
+    if (!ow.available) {
+      lines.push(`    ${chalk.yellow("Scanner unavailable")}: ${ow.errors[0] ?? "semgrep not found"}`);
+    } else {
+      lines.push(`    Scanner: Semgrep OSS (${ow.mode})`);
+      lines.push(`    Findings: ${ow.findings.length} across ${Object.keys(ow.categoryCounts).length} categories`);
+      const top = Object.entries(ow.categoryCounts).slice(0, 6);
+      if (top.length > 0) {
+        lines.push(`    Top Categories: ${top.map(([cat, count]) => `${cat} (${count})`).join(", ")}`);
+      }
+      if (ow.errors.length > 0) {
+        lines.push(`    ${chalk.yellow("Partial errors")}: ${ow.errors.length}`);
+      }
+    }
+    lines.push("");
+  }
   if (ext.securityPosture) {
     const sec = ext.securityPosture;
     lines.push(chalk.bold.underline("  Security Posture"));
@@ -978,6 +996,27 @@ function formatExtended(ext) {
     lines.push(`    ${checks.join(chalk.dim(" \xB7 "))}`);
     lines.push("");
   }
+  if (ext.securityScanners) {
+    const ss = ext.securityScanners;
+    lines.push(chalk.bold.underline("  Security Scanners"));
+    const tools = [ss.semgrep, ...ss.secretScanners];
+    for (const tool of tools) {
+      const status = tool.status === "up-to-date" ? chalk.green("up-to-date") : tool.status === "review-needed" ? chalk.yellow("review-needed") : tool.status === "unavailable" ? chalk.red("unavailable") : chalk.yellow("unknown");
+      lines.push(`    ${tool.name}: ${status}${tool.version ? chalk.dim(` v${tool.version}`) : ""}`);
+      if (tool.risks.length > 0) {
+        lines.push(`      ${chalk.dim(tool.risks[0])}`);
+      }
+    }
+    const configs = [];
+    if (ss.configFiles.semgrep) configs.push(".semgrep.yml");
+    if (ss.configFiles.gitleaks) configs.push(".gitleaks.toml");
+    if (ss.configFiles.trufflehog) configs.push(".trufflehog.yml");
+    lines.push(`    Configs: ${configs.length > 0 ? configs.join(", ") : chalk.dim("none detected")}`);
+    if (ss.heuristicFindings.length > 0) {
+      lines.push(`    ${chalk.red("Potential secret signals")}: ${ss.heuristicFindings.length}`);
+    }
+    lines.push("");
+  }
   if (ext.platformMatrix) {
     const pm = ext.platformMatrix;
     if (pm.nativeModules.length > 0 || pm.dockerBaseImages.length > 0) {
@@ -991,6 +1030,17 @@ function formatExtended(ext) {
       lines.push("");
     }
   }
+  if (ext.codeQuality) {
+    const cq = ext.codeQuality;
+    lines.push(chalk.bold.underline("  Code Quality"));
+    lines.push(`    Files: ${chalk.white(`${cq.filesAnalyzed}`)} \xB7 Functions: ${chalk.white(`${cq.functionsAnalyzed}`)} \xB7 Avg complexity: ${chalk.white(`${cq.avgCyclomaticComplexity}`)} \xB7 Avg length: ${chalk.white(`${cq.avgFunctionLength}`)} lines`);
+    lines.push(`    Max nesting: ${cq.maxNestingDepth} \xB7 Circular deps: ${cq.circularDependencies} \xB7 Dead code: ${cq.deadCodePercent}%`);
+    if (cq.godFiles.length > 0) {
+      const preview = cq.godFiles.slice(0, 3).map((f) => `${f.path} (${f.lines} lines)`).join(", ");
+      lines.push(`    ${chalk.yellow("God files")}: ${preview}`);
+    }
+    lines.push("");
+  }
   if (ext.dependencyGraph) {
     const dg = ext.dependencyGraph;
     if (dg.lockfileType) {
@@ -1591,7 +1641,7 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
 });
 
 // src/commands/scan.ts
-import * as path17 from "path";
+import * as path20 from "path";
 import { Command as Command3 } from "commander";
 import chalk5 from "chalk";
 
@@ -1602,8 +1652,8 @@ import * as semver2 from "semver";
 // src/utils/timeout.ts
 async function withTimeout(promise, ms) {
   let timer;
-  const timeout = new Promise((resolve7) => {
-    timer = setTimeout(() => resolve7({ ok: false }), ms);
+  const timeout = new Promise((resolve9) => {
+    timer = setTimeout(() => resolve9({ ok: false }), ms);
   });
   try {
     const result = await Promise.race([
@@ -1628,7 +1678,7 @@ function maxStable(versions) {
   return stable.sort(semver.rcompare)[0] ?? null;
 }
 async function npmViewJson(args, cwd) {
-  return new Promise((resolve7, reject) => {
+  return new Promise((resolve9, reject) => {
     const child = spawn("npm", ["view", ...args, "--json"], {
       cwd,
       shell: true,
@@ -1646,13 +1696,13 @@ async function npmViewJson(args, cwd) {
       }
       const trimmed = out.trim();
       if (!trimmed) {
-        resolve7(null);
+        resolve9(null);
         return;
       }
       try {
-        resolve7(JSON.parse(trimmed));
+        resolve9(JSON.parse(trimmed));
       } catch {
-        resolve7(trimmed.replace(/^"|"$/g, ""));
+        resolve9(trimmed.replace(/^"|"$/g, ""));
       }
     });
   });
@@ -4422,6 +4472,138 @@ async function scanSecurityPosture(rootDir, cache) {
   return result;
 }
 
+// src/scanners/security-scanners.ts
+import { spawn as spawn2 } from "child_process";
+import * as path16 from "path";
+var TOOL_MATRIX = [
+  { key: "semgrep", category: "sast", command: "semgrep", versionArgs: ["--version"], minRecommendedVersion: "1.75.0" },
+  { key: "gitleaks", category: "secrets", command: "gitleaks", versionArgs: ["version"], minRecommendedVersion: "8.20.0" },
+  { key: "trufflehog", category: "secrets", command: "trufflehog", versionArgs: ["--version"], minRecommendedVersion: "3.80.0" }
+];
+var SEMVER_RE = /(\d+\.\d+\.\d+)/;
+var SECRET_HEURISTICS = [
+  { detector: "aws-access-key", pattern: /\bAKIA[0-9A-Z]{16}\b/g },
+  { detector: "github-token", pattern: /\bghp_[A-Za-z0-9]{36}\b/g },
+  { detector: "private-key", pattern: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
+  { detector: "slack-token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g }
+];
+var defaultRunner = (command, args) => new Promise((resolve9, reject) => {
+  const child = spawn2(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+  let stdout = "";
+  let stderr = "";
+  child.stdout.on("data", (d) => {
+    stdout += d.toString();
+  });
+  child.stderr.on("data", (d) => {
+    stderr += d.toString();
+  });
+  child.on("error", reject);
+  child.on("close", (code) => {
+    resolve9({ stdout, stderr, exitCode: code ?? 1 });
+  });
+});
+function compareSemver(a, b) {
+  const av = a.split(".").map((v) => Number(v));
+  const bv = b.split(".").map((v) => Number(v));
+  for (let i = 0; i < 3; i++) {
+    const ai = av[i] ?? 0;
+    const bi = bv[i] ?? 0;
+    if (ai > bi) return 1;
+    if (ai < bi) return -1;
+  }
+  return 0;
+}
+function parseVersion(input) {
+  const match = input.match(SEMVER_RE);
+  return match ? match[1] : null;
+}
+async function assessTool(tool, runner) {
+  try {
+    const out = await runner(tool.command, tool.versionArgs);
+    const combined = `${out.stdout}
+${out.stderr}`.trim();
+    const version = parseVersion(combined);
+    const risks = [];
+    if (out.exitCode !== 0 || !version) {
+      risks.push("Installed but version could not be verified; output format may have changed.");
+      return {
+        name: tool.key,
+        category: tool.category,
+        command: tool.command,
+        available: true,
+        version,
+        minRecommendedVersion: tool.minRecommendedVersion,
+        status: "unknown",
+        risks
+      };
+    }
+    const status = compareSemver(version, tool.minRecommendedVersion) >= 0 ? "up-to-date" : "review-needed";
+    if (status === "review-needed") {
+      risks.push(`Detected version ${version} is older than recommended ${tool.minRecommendedVersion}; newer signatures/rules may be missing.`);
+    }
+    return {
+      name: tool.key,
+      category: tool.category,
+      command: tool.command,
+      available: true,
+      version,
+      minRecommendedVersion: tool.minRecommendedVersion,
+      status,
+      risks
+    };
+  } catch {
+    return {
+      name: tool.key,
+      category: tool.category,
+      command: tool.command,
+      available: false,
+      version: null,
+      minRecommendedVersion: tool.minRecommendedVersion,
+      status: "unavailable",
+      risks: ["Tool is not installed or not on PATH; Vibgrate cannot execute this scanner directly."]
+    };
+  }
+}
+async function detectSecretHeuristics(rootDir, cache) {
+  const entries = await cache.walkDir(rootDir);
+  const findings = [];
+  for (const entry of entries) {
+    if (!entry.isFile) continue;
+    const ext = path16.extname(entry.name).toLowerCase();
+    if (ext && [".png", ".jpg", ".jpeg", ".gif", ".zip", ".pdf"].includes(ext)) continue;
+    const content = await cache.readTextFile(entry.absPath);
+    if (!content || content.length > 3e5) continue;
+    for (const detector of SECRET_HEURISTICS) {
+      const match = detector.pattern.exec(content);
+      detector.pattern.lastIndex = 0;
+      if (match) {
+        findings.push({
+          file: entry.relPath,
+          detector: detector.detector,
+          sample: match[0].slice(0, 16)
+        });
+      }
+      if (findings.length >= 25) return findings;
+    }
+  }
+  return findings;
+}
+async function scanSecurityScanners(rootDir, cache, runner = defaultRunner) {
+  const [semgrep, gitleaks, trufflehog] = await Promise.all(TOOL_MATRIX.map((tool) => assessTool(tool, runner)));
+  const heuristicFindings = await detectSecretHeuristics(rootDir, cache);
+  const configFiles = {
+    semgrep: await cache.pathExists(path16.join(rootDir, ".semgrep.yml")) || await cache.pathExists(path16.join(rootDir, ".semgrep.yaml")),
+    gitleaks: await cache.pathExists(path16.join(rootDir, ".gitleaks.toml")),
+    trufflehog: await cache.pathExists(path16.join(rootDir, ".trufflehog.yml")) || await cache.pathExists(path16.join(rootDir, ".trufflehog.yaml"))
+  };
+  return {
+    semgrep,
+    secretScanners: [gitleaks, trufflehog],
+    configFiles,
+    heuristicFindings
+  };
+}
+
 // src/scanners/service-dependencies.ts
 var SERVICE_CATEGORIES = {
   payment: {
@@ -4837,7 +5019,7 @@ function scanServiceDependencies(projects) {
 }
 
 // src/scanners/architecture.ts
-import * as path16 from "path";
+import * as path17 from "path";
 import * as fs6 from "fs/promises";
 var ARCHETYPE_SIGNALS = [
   // Meta-frameworks (highest priority — they imply routing patterns)
@@ -5136,9 +5318,9 @@ async function walkSourceFiles(rootDir, cache) {
     const entries = await cache.walkDir(rootDir);
     return entries.filter((e) => {
       if (!e.isFile) return false;
-      const name = path16.basename(e.absPath);
+      const name = path17.basename(e.absPath);
       if (name.startsWith(".") && name !== ".") return false;
-      const ext = path16.extname(name);
+      const ext = path17.extname(name);
       return SOURCE_EXTENSIONS.has(ext);
     }).map((e) => e.relPath);
   }
@@ -5152,15 +5334,15 @@ async function walkSourceFiles(rootDir, cache) {
     }
     for (const entry of entries) {
       if (entry.name.startsWith(".") && entry.name !== ".") continue;
-      const fullPath = path16.join(dir, entry.name);
+      const fullPath = path17.join(dir, entry.name);
       if (entry.isDirectory()) {
         if (!IGNORE_DIRS.has(entry.name)) {
           await walk(fullPath);
         }
       } else if (entry.isFile()) {
-        const ext = path16.extname(entry.name);
+        const ext = path17.extname(entry.name);
         if (SOURCE_EXTENSIONS.has(ext)) {
-          files.push(path16.relative(rootDir, fullPath));
+          files.push(path17.relative(rootDir, fullPath));
         }
       }
     }
@@ -5184,7 +5366,7 @@ function classifyFile(filePath, archetype) {
     }
   }
   if (!bestMatch || bestMatch.confidence < 0.7) {
-    const baseName = path16.basename(filePath, path16.extname(filePath));
+    const baseName = path17.basename(filePath, path17.extname(filePath));
     const cleanBase = baseName.replace(/\.(test|spec)$/, "");
     for (const rule of SUFFIX_RULES) {
       if (cleanBase.endsWith(rule.suffix)) {
@@ -5368,6 +5550,411 @@ async function scanArchitecture(rootDir, projects, tooling, services, cache) {
   };
 }
 
+// src/scanners/code-quality.ts
+import * as path18 from "path";
+import * as ts from "typescript";
+var SOURCE_EXTENSIONS2 = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+var DEFAULT_RESULT = {
+  filesAnalyzed: 0,
+  functionsAnalyzed: 0,
+  avgCyclomaticComplexity: 0,
+  avgFunctionLength: 0,
+  maxNestingDepth: 0,
+  godFiles: [],
+  circularDependencies: 0,
+  deadCodePercent: 0
+};
+async function scanCodeQuality(rootDir, cache) {
+  const filePaths = await findSourceFiles(rootDir, cache);
+  if (filePaths.length === 0) return { ...DEFAULT_RESULT };
+  let totalFunctions = 0;
+  let totalComplexity = 0;
+  let totalFunctionLength = 0;
+  let maxNestingDepth = 0;
+  let deadFunctions = 0;
+  const godFiles = [];
+  const depGraph = /* @__PURE__ */ new Map();
+  for (const filePath of filePaths) {
+    let raw = "";
+    try {
+      raw = cache ? await cache.readTextFile(filePath) : await readTextFile(filePath);
+    } catch {
+      continue;
+    }
+    if (!raw.trim()) continue;
+    const rel = normalizeModuleId(path18.relative(rootDir, filePath));
+    const source = ts.createSourceFile(filePath, raw, ts.ScriptTarget.Latest, true);
+    const imports = collectLocalImports(source, path18.dirname(filePath), rootDir);
+    depGraph.set(rel, imports);
+    const fileMetrics = computeFileMetrics(source, raw);
+    totalFunctions += fileMetrics.functionsAnalyzed;
+    totalComplexity += fileMetrics.totalComplexity;
+    totalFunctionLength += fileMetrics.totalFunctionLength;
+    maxNestingDepth = Math.max(maxNestingDepth, fileMetrics.maxNestingDepth);
+    deadFunctions += fileMetrics.deadFunctionCount;
+    const fileAvgComplexity = fileMetrics.functionsAnalyzed > 0 ? fileMetrics.totalComplexity / fileMetrics.functionsAnalyzed : 0;
+    if (fileMetrics.lines >= 450 || fileMetrics.functionsAnalyzed >= 25 || fileMetrics.functionsAnalyzed >= 10 && fileAvgComplexity >= 8) {
+      godFiles.push({
+        path: rel,
+        lines: fileMetrics.lines,
+        functionCount: fileMetrics.functionsAnalyzed,
+        averageComplexity: round2(fileAvgComplexity)
+      });
+    }
+  }
+  const circularDependencies = countCircularDependencyChains(depGraph);
+  const deadCodePercent = totalFunctions > 0 ? deadFunctions / totalFunctions * 100 : 0;
+  return {
+    filesAnalyzed: depGraph.size,
+    functionsAnalyzed: totalFunctions,
+    avgCyclomaticComplexity: totalFunctions > 0 ? round2(totalComplexity / totalFunctions) : 0,
+    avgFunctionLength: totalFunctions > 0 ? round2(totalFunctionLength / totalFunctions) : 0,
+    maxNestingDepth,
+    godFiles: godFiles.sort((a, b) => b.lines - a.lines || b.functionCount - a.functionCount).slice(0, 10),
+    circularDependencies,
+    deadCodePercent: round2(deadCodePercent)
+  };
+}
+async function findSourceFiles(rootDir, cache) {
+  if (cache) {
+    const entries = await cache.walkDir(rootDir);
+    return entries.filter((entry) => entry.isFile && SOURCE_EXTENSIONS2.has(path18.extname(entry.name).toLowerCase())).map((entry) => entry.absPath);
+  }
+  const files = await findFiles(rootDir, (name) => SOURCE_EXTENSIONS2.has(path18.extname(name).toLowerCase()));
+  return files;
+}
+function collectLocalImports(source, fileDir, rootDir) {
+  const deps = /* @__PURE__ */ new Set();
+  const visit = (node) => {
+    if (ts.isImportDeclaration(node) && ts.isStringLiteral(node.moduleSpecifier)) {
+      const target = resolveLocalImport(node.moduleSpecifier.text, fileDir, rootDir);
+      if (target) deps.add(target);
+    }
+    if (ts.isCallExpression(node) && node.expression.kind === ts.SyntaxKind.ImportKeyword && node.arguments[0] && ts.isStringLiteral(node.arguments[0])) {
+      const target = resolveLocalImport(node.arguments[0].text, fileDir, rootDir);
+      if (target) deps.add(target);
+    }
+    visitEach(node, visit);
+  };
+  visit(source);
+  return [...deps];
+}
+function resolveLocalImport(specifier, fileDir, rootDir) {
+  if (!specifier.startsWith(".")) return null;
+  const rawTarget = path18.resolve(fileDir, specifier);
+  const normalized = path18.relative(rootDir, rawTarget).replace(/\\/g, "/");
+  if (!normalized || normalized.startsWith("..")) return null;
+  return normalizeModuleId(normalized);
+}
+function normalizeModuleId(relPath) {
+  return relPath.replace(/\\/g, "/").replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/, "").replace(/\/index$/, "");
+}
+function computeFileMetrics(source, raw) {
+  let functionsAnalyzed = 0;
+  let totalComplexity = 0;
+  let totalFunctionLength = 0;
+  let maxNestingDepth = 0;
+  let deadFunctionCount = 0;
+  const functionDecls = [];
+  const visit = (node) => {
+    if (isFunctionLike(node)) {
+      const complexity = computeCyclomatic(node);
+      const lineLength = computeNodeLineLength(source, node);
+      const nestingDepth = computeMaxNestingDepth(node);
+      functionsAnalyzed++;
+      totalComplexity += complexity;
+      totalFunctionLength += lineLength;
+      maxNestingDepth = Math.max(maxNestingDepth, nestingDepth);
+    }
+    if (ts.isFunctionDeclaration(node) && node.name) {
+      functionDecls.push(node);
+    }
+    visitEach(node, visit);
+  };
+  visit(source);
+  const functionBodies = raw;
+  for (const fn of functionDecls) {
+    if (isExported(fn)) continue;
+    const name = fn.name?.text;
+    if (!name) continue;
+    const refs = countWholeWord(functionBodies, name);
+    if (refs <= 1) deadFunctionCount++;
+  }
+  return {
+    lines: raw.split(/\r?\n/).length,
+    functionsAnalyzed,
+    totalComplexity,
+    totalFunctionLength,
+    maxNestingDepth,
+    deadFunctionCount
+  };
+}
+function computeCyclomatic(fn) {
+  let complexity = 1;
+  const visit = (node) => {
+    switch (node.kind) {
+      case ts.SyntaxKind.IfStatement:
+      case ts.SyntaxKind.ForStatement:
+      case ts.SyntaxKind.ForOfStatement:
+      case ts.SyntaxKind.ForInStatement:
+      case ts.SyntaxKind.WhileStatement:
+      case ts.SyntaxKind.DoStatement:
+      case ts.SyntaxKind.CaseClause:
+      case ts.SyntaxKind.CatchClause:
+      case ts.SyntaxKind.ConditionalExpression:
+        complexity++;
+        break;
+      case ts.SyntaxKind.BinaryExpression: {
+        const be = node;
+        if (be.operatorToken.kind === ts.SyntaxKind.AmpersandAmpersandToken || be.operatorToken.kind === ts.SyntaxKind.BarBarToken || be.operatorToken.kind === ts.SyntaxKind.QuestionQuestionToken) {
+          complexity++;
+        }
+        break;
+      }
+      default:
+        break;
+    }
+    visitEach(node, visit);
+  };
+  visit(fn);
+  return complexity;
+}
+function computeMaxNestingDepth(node) {
+  let maxDepth = 0;
+  const walk = (current, depth) => {
+    const nextDepth = isNestingNode(current) ? depth + 1 : depth;
+    maxDepth = Math.max(maxDepth, nextDepth);
+    visitEach(current, (child) => walk(child, nextDepth));
+  };
+  walk(node, 0);
+  return Math.max(0, maxDepth - 1);
+}
+function countCircularDependencyChains(graph) {
+  let cycles = 0;
+  const visited = /* @__PURE__ */ new Set();
+  const inStack = /* @__PURE__ */ new Set();
+  const dfs = (node) => {
+    visited.add(node);
+    inStack.add(node);
+    const deps = graph.get(node) ?? [];
+    for (const dep of deps) {
+      if (!graph.has(dep)) continue;
+      if (!visited.has(dep)) {
+        dfs(dep);
+      } else if (inStack.has(dep)) {
+        cycles++;
+      }
+    }
+    inStack.delete(node);
+  };
+  for (const node of graph.keys()) {
+    if (!visited.has(node)) dfs(node);
+  }
+  return cycles;
+}
+function computeNodeLineLength(source, node) {
+  const start = source.getLineAndCharacterOfPosition(node.getStart(source)).line;
+  const end = source.getLineAndCharacterOfPosition(node.getEnd()).line;
+  return end - start + 1;
+}
+function isFunctionLike(node) {
+  return ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node) || ts.isFunctionExpression(node) || ts.isArrowFunction(node) || ts.isConstructorDeclaration(node);
+}
+function isNestingNode(node) {
+  return node.kind === ts.SyntaxKind.IfStatement || node.kind === ts.SyntaxKind.ForStatement || node.kind === ts.SyntaxKind.ForOfStatement || node.kind === ts.SyntaxKind.ForInStatement || node.kind === ts.SyntaxKind.WhileStatement || node.kind === ts.SyntaxKind.DoStatement || node.kind === ts.SyntaxKind.SwitchStatement || node.kind === ts.SyntaxKind.TryStatement || node.kind === ts.SyntaxKind.CatchClause;
+}
+function isExported(node) {
+  if (!ts.canHaveModifiers(node)) return false;
+  const modifiers = ts.getModifiers(node);
+  return !!modifiers?.some((m) => m.kind === ts.SyntaxKind.ExportKeyword);
+}
+function countWholeWord(input, word) {
+  const re = new RegExp(`\\b${escapeRegExp(word)}\\b`, "g");
+  return input.match(re)?.length ?? 0;
+}
+function escapeRegExp(input) {
+  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function round2(n) {
+  return Math.round(n * 100) / 100;
+}
+function visitEach(node, cb) {
+  node.forEachChild(cb);
+}
+
+// src/scanners/owasp-category-mapping.ts
+import { spawn as spawn3 } from "child_process";
+import * as path19 from "path";
+var OWASP_CONFIG = "p/owasp-top-ten";
+var DEFAULT_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".js",
+  ".jsx",
+  ".ts",
+  ".tsx",
+  ".mjs",
+  ".cjs",
+  ".py",
+  ".rb",
+  ".java",
+  ".cs",
+  ".go",
+  ".php",
+  ".scala",
+  ".kt",
+  ".yaml",
+  ".yml",
+  ".json",
+  ".toml",
+  ".xml",
+  ".env"
+]);
+async function runSemgrep(args, cwd, stdin) {
+  return new Promise((resolve9, reject) => {
+    const child = spawn3("semgrep", args, {
+      cwd,
+      shell: true,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (d) => {
+      stdout += String(d);
+    });
+    child.stderr.on("data", (d) => {
+      stderr += String(d);
+    });
+    child.on("error", reject);
+    child.on("close", (code) => {
+      resolve9({ code: code ?? 1, stdout, stderr });
+    });
+    if (stdin !== void 0) child.stdin.write(stdin);
+    child.stdin.end();
+  });
+}
+function parseSemgrepJson(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return { results: [] };
+  }
+}
+function normalizeCategory(item) {
+  if (typeof item !== "string") return null;
+  const val = item.trim();
+  return val.length > 0 ? val : null;
+}
+function categoriesFromMetadata(metadata) {
+  if (!metadata) return [];
+  const raw = metadata.owasp;
+  if (Array.isArray(raw)) {
+    return raw.map(normalizeCategory).filter((v) => v !== null);
+  }
+  const single = normalizeCategory(raw);
+  return single ? [single] : [];
+}
+function severityLabel(severity) {
+  const s = (severity ?? "").toUpperCase();
+  if (s === "ERROR") return "high";
+  if (s === "WARNING") return "medium";
+  return "low";
+}
+function parseFindings(results, rootDir) {
+  return results.map((r) => {
+    const metadata = r.extra?.metadata;
+    return {
+      ruleId: r.check_id ?? "unknown",
+      path: r.path ? path19.relative(rootDir, path19.resolve(rootDir, r.path)) : "",
+      line: r.start?.line ?? 1,
+      endLine: r.end?.line,
+      message: r.extra?.message ?? "Potential security issue",
+      severity: severityLabel(r.extra?.severity),
+      categories: categoriesFromMetadata(metadata),
+      cwe: typeof metadata?.cwe === "string" ? metadata.cwe : null
+    };
+  });
+}
+function summarizeCategories(findings) {
+  const counts = {};
+  for (const finding of findings) {
+    for (const cat of finding.categories) {
+      counts[cat] = (counts[cat] ?? 0) + 1;
+    }
+  }
+  return Object.fromEntries(Object.entries(counts).sort((a, b) => b[1] - a[1]));
+}
+async function scanOwaspCategoryMapping(rootDir, cache, options = {}, runner = runSemgrep) {
+  const mode = options.mode ?? "fast";
+  if (mode === "fast") {
+    try {
+      const args = ["scan", "--config", OWASP_CONFIG, "--json", "--quiet", rootDir];
+      const result = await runner(args, rootDir);
+      if (result.code !== 0 && !result.stdout.trim()) {
+        return {
+          scanner: "semgrep",
+          available: false,
+          mode,
+          scannedFiles: 0,
+          findings: [],
+          categoryCounts: {},
+          errors: [result.stderr.trim() || `semgrep exited with code ${result.code}`]
+        };
+      }
+      const parsed = parseSemgrepJson(result.stdout);
+      const findings2 = parseFindings(parsed.results ?? [], rootDir);
+      return {
+        scanner: "semgrep",
+        available: true,
+        mode,
+        scannedFiles: 0,
+        findings: findings2,
+        categoryCounts: summarizeCategories(findings2),
+        errors: []
+      };
+    } catch (err) {
+      return {
+        scanner: "semgrep",
+        available: false,
+        mode,
+        scannedFiles: 0,
+        findings: [],
+        categoryCounts: {},
+        errors: [err instanceof Error ? err.message : "semgrep unavailable"]
+      };
+    }
+  }
+  const entries = cache ? await cache.walkDir(rootDir) : [];
+  const files = entries.filter((e) => e.isFile && DEFAULT_EXTENSIONS.has(path19.extname(e.name).toLowerCase()));
+  const findings = [];
+  const errors = [];
+  let scannedFiles = 0;
+  for (const file of files) {
+    try {
+      const content = cache ? await cache.readTextFile(file.absPath) : "";
+      if (!content) continue;
+      const args = ["scan", "--config", OWASP_CONFIG, "--json", "--quiet", "--stdin", "--stdin-filename", file.relPath];
+      const result = await runner(args, rootDir, content);
+      if (result.code !== 0 && !result.stdout.trim()) {
+        errors.push(result.stderr.trim() || `semgrep failed for ${file.relPath}`);
+        continue;
+      }
+      const parsed = parseSemgrepJson(result.stdout);
+      findings.push(...parseFindings(parsed.results ?? [], rootDir));
+      scannedFiles += 1;
+    } catch (err) {
+      errors.push(err instanceof Error ? err.message : `semgrep failed for ${file.relPath}`);
+    }
+  }
+  return {
+    scanner: "semgrep",
+    available: errors.length === 0 || findings.length > 0,
+    mode,
+    scannedFiles,
+    findings,
+    categoryCounts: summarizeCategories(findings),
+    errors
+  };
+}
+
 // src/commands/scan.ts
 async function runScan(rootDir, opts) {
   const scanStart = Date.now();
@@ -5394,12 +5981,15 @@ async function runScan(rootDir, opts) {
       ...scanners?.serviceDependencies?.enabled !== false ? [{ id: "services", label: "Service dependencies" }] : [],
       ...scanners?.breakingChangeExposure?.enabled !== false ? [{ id: "breaking", label: "Breaking change exposure" }] : [],
       ...scanners?.securityPosture?.enabled !== false ? [{ id: "security", label: "Security posture" }] : [],
+      ...scanners?.securityScanners?.enabled !== false ? [{ id: "secscan", label: "Security scanners" }] : [],
       ...scanners?.buildDeploy?.enabled !== false ? [{ id: "build", label: "Build & deploy analysis" }] : [],
       ...scanners?.tsModernity?.enabled !== false ? [{ id: "ts", label: "TypeScript modernity" }] : [],
       ...scanners?.fileHotspots?.enabled !== false ? [{ id: "hotspots", label: "File hotspots" }] : [],
       ...scanners?.dependencyGraph?.enabled !== false ? [{ id: "depgraph", label: "Dependency graph" }] : [],
       ...scanners?.dependencyRisk?.enabled !== false ? [{ id: "deprisk", label: "Dependency risk" }] : [],
-      ...scanners?.architecture?.enabled !== false ? [{ id: "architecture", label: "Architecture layers" }] : []
+      ...scanners?.architecture?.enabled !== false ? [{ id: "architecture", label: "Architecture layers" }] : [],
+      ...scanners?.codeQuality?.enabled !== false ? [{ id: "codequality", label: "Code quality metrics" }] : [],
+      ...scanners?.owaspCategoryMapping?.enabled !== false ? [{ id: "owasp", label: "OWASP category mapping" }] : []
     ] : [],
     { id: "drift", label: "Computing drift score" },
     { id: "findings", label: "Generating findings" }
@@ -5532,6 +6122,22 @@ async function runScan(rootDir, opts) {
         })
       );
     }
+    if (scanners?.securityScanners?.enabled !== false) {
+      progress.startStep("secscan");
+      scannerTasks.push(
+        scanSecurityScanners(rootDir, fileCache).then((result) => {
+          extended.securityScanners = result;
+          const unavailable = [result.semgrep, ...result.secretScanners].filter((t) => !t.available).length;
+          const stale = [result.semgrep, ...result.secretScanners].filter((t) => t.status === "review-needed").length;
+          const findings2 = result.heuristicFindings.length;
+          const parts = [];
+          if (unavailable > 0) parts.push(`${unavailable} missing`);
+          if (stale > 0) parts.push(`${stale} outdated`);
+          if (findings2 > 0) parts.push(`${findings2} secret signal${findings2 !== 1 ? "s" : ""}`);
+          progress.completeStep("secscan", parts.join(" \xB7 ") || "ready");
+        })
+      );
+    }
     if (scanners?.buildDeploy?.enabled !== false) {
       progress.startStep("build");
       scannerTasks.push(
@@ -5576,6 +6182,19 @@ async function runScan(rootDir, opts) {
         })
       );
     }
+    if (scanners?.codeQuality?.enabled !== false) {
+      progress.startStep("codequality");
+      scannerTasks.push(
+        scanCodeQuality(rootDir, fileCache).then((result) => {
+          extended.codeQuality = result;
+          const cqParts = [];
+          cqParts.push(`${result.filesAnalyzed} files`);
+          cqParts.push(`${result.functionsAnalyzed} functions`);
+          if (result.circularDependencies > 0) cqParts.push(`${result.circularDependencies} cycles`);
+          progress.completeStep("codequality", cqParts.join(" \xB7 "), result.functionsAnalyzed);
+        })
+      );
+    }
     if (scanners?.dependencyRisk?.enabled !== false) {
       progress.startStep("deprisk");
       scannerTasks.push(
@@ -5590,6 +6209,25 @@ async function runScan(rootDir, opts) {
       );
     }
     await Promise.all(scannerTasks);
+    if (scanners?.owaspCategoryMapping?.enabled !== false) {
+      progress.startStep("owasp");
+      extended.owaspCategoryMapping = await scanOwaspCategoryMapping(
+        rootDir,
+        fileCache,
+        { mode: scanners?.owaspCategoryMapping?.mode ?? "fast" }
+      );
+      const owasp = extended.owaspCategoryMapping;
+      if (!owasp.available) {
+        progress.completeStep("owasp", "scanner unavailable");
+      } else {
+        const catCount = Object.keys(owasp.categoryCounts).length;
+        progress.completeStep(
+          "owasp",
+          `${owasp.findings.length} finding${owasp.findings.length !== 1 ? "s" : ""} \xB7 ${catCount} categor${catCount === 1 ? "y" : "ies"}`,
+          owasp.findings.length
+        );
+      }
+    }
     if (scanners?.architecture?.enabled !== false) {
       progress.startStep("architecture");
       extended.architecture = await scanArchitecture(
@@ -5659,18 +6297,21 @@ async function runScan(rootDir, opts) {
   }
   if (extended.fileHotspots) filesScanned += extended.fileHotspots.totalFiles;
   if (extended.securityPosture) filesScanned += 1;
+  if (extended.securityScanners) filesScanned += extended.securityScanners.heuristicFindings.length;
   if (extended.tsModernity?.typescriptVersion) filesScanned += 1;
   if (extended.dependencyGraph?.lockfileType) filesScanned += 1;
   if (extended.buildDeploy) {
     filesScanned += extended.buildDeploy.docker.dockerfileCount;
     filesScanned += extended.buildDeploy.ci.length;
   }
+  if (extended.codeQuality) filesScanned += extended.codeQuality.filesAnalyzed;
+  if (extended.owaspCategoryMapping) filesScanned += extended.owaspCategoryMapping.scannedFiles;
   const durationMs = Date.now() - scanStart;
   const artifact = {
     schemaVersion: "1.0",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     vibgrateVersion: VERSION,
-    rootPath: path17.basename(rootDir),
+    rootPath: path20.basename(rootDir),
     ...vcs.type !== "unknown" ? { vcs } : {},
     projects: allProjects,
     drift,
@@ -5681,7 +6322,7 @@ async function runScan(rootDir, opts) {
     treeSummary: treeCount
   };
   if (opts.baseline) {
-    const baselinePath = path17.resolve(opts.baseline);
+    const baselinePath = path20.resolve(opts.baseline);
     if (await pathExists(baselinePath)) {
       try {
         const baseline = await readJsonFile(baselinePath);
@@ -5692,9 +6333,9 @@ async function runScan(rootDir, opts) {
       }
     }
   }
-  const vibgrateDir = path17.join(rootDir, ".vibgrate");
+  const vibgrateDir = path20.join(rootDir, ".vibgrate");
   await ensureDir(vibgrateDir);
-  await writeJsonFile(path17.join(vibgrateDir, "scan_result.json"), artifact);
+  await writeJsonFile(path20.join(vibgrateDir, "scan_result.json"), artifact);
   await saveScanHistory(rootDir, {
     timestamp: artifact.timestamp,
     totalDurationMs: durationMs,
@@ -5704,10 +6345,10 @@ async function runScan(rootDir, opts) {
   });
   for (const project of allProjects) {
     if (project.drift && project.path) {
-      const projectDir = path17.resolve(rootDir, project.path);
-      const projectVibgrateDir = path17.join(projectDir, ".vibgrate");
+      const projectDir = path20.resolve(rootDir, project.path);
+      const projectVibgrateDir = path20.join(projectDir, ".vibgrate");
       await ensureDir(projectVibgrateDir);
-      await writeJsonFile(path17.join(projectVibgrateDir, "project_score.json"), {
+      await writeJsonFile(path20.join(projectVibgrateDir, "project_score.json"), {
         projectId: project.projectId,
         name: project.name,
         type: project.type,
@@ -5724,7 +6365,7 @@ async function runScan(rootDir, opts) {
   if (opts.format === "json") {
     const jsonStr = JSON.stringify(artifact, null, 2);
     if (opts.out) {
-      await writeTextFile(path17.resolve(opts.out), jsonStr);
+      await writeTextFile(path20.resolve(opts.out), jsonStr);
       console.log(chalk5.green("\u2714") + ` JSON written to ${opts.out}`);
     } else {
       console.log(jsonStr);
@@ -5733,7 +6374,7 @@ async function runScan(rootDir, opts) {
     const sarif = formatSarif(artifact);
     const sarifStr = JSON.stringify(sarif, null, 2);
     if (opts.out) {
-      await writeTextFile(path17.resolve(opts.out), sarifStr);
+      await writeTextFile(path20.resolve(opts.out), sarifStr);
       console.log(chalk5.green("\u2714") + ` SARIF written to ${opts.out}`);
     } else {
       console.log(sarifStr);
@@ -5742,7 +6383,7 @@ async function runScan(rootDir, opts) {
     const text = formatText(artifact);
     console.log(text);
     if (opts.out) {
-      await writeTextFile(path17.resolve(opts.out), text);
+      await writeTextFile(path20.resolve(opts.out), text);
     }
   }
   return artifact;
@@ -5801,7 +6442,7 @@ async function autoPush(artifact, rootDir, opts) {
   }
 }
 var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").action(async (targetPath, opts) => {
-  const rootDir = path17.resolve(targetPath);
+  const rootDir = path20.resolve(targetPath);
   if (!await pathExists(rootDir)) {
     console.error(chalk5.red(`Path does not exist: ${rootDir}`));
     process.exit(1);

package/dist/cli.js

@@ -4,7 +4,7 @@ import {
 } from "./chunk-GN3IWKSY.js";
 import {
   baselineCommand
-} from "./chunk-7EEUYKZI.js";
+} from "./chunk-T4GNX4OC.js";
 import {
   VERSION,
   dsnCommand,
@@ -15,7 +15,7 @@ import {
   readJsonFile,
   scanCommand,
   writeDefaultConfig
-} from "./chunk-27LB7QTA.js";
+} from "./chunk-XLRCQ476.js";
 
 // src/cli.ts
 import { Command as Command4 } from "commander";
@@ -38,7 +38,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-KXUPTMQ2.js");
+    const { runBaseline } = await import("./baseline-AA2FVYAX.js");
     await runBaseline(rootDir);
   }
   console.log("");

package/dist/index.d.ts

@@ -107,6 +107,10 @@ interface ScanOptions {
 interface ScannerToggle {
     enabled: boolean;
 }
+type OwaspScannerMode = 'fast' | 'cache-input';
+interface OwaspScannerConfig extends ScannerToggle {
+    mode?: OwaspScannerMode;
+}
 interface ScannersConfig {
     platformMatrix?: ScannerToggle;
     dependencyRisk?: ScannerToggle;
@@ -117,8 +121,11 @@ interface ScannersConfig {
     breakingChangeExposure?: ScannerToggle;
     fileHotspots?: ScannerToggle;
     securityPosture?: ScannerToggle;
+    securityScanners?: ScannerToggle;
     serviceDependencies?: ScannerToggle;
     architecture?: ScannerToggle;
+    codeQuality?: ScannerToggle;
+    owaspCategoryMapping?: OwaspScannerConfig;
 }
 interface VibgrateConfig {
     include?: string[];
@@ -258,6 +265,32 @@ interface ServiceDependenciesResult {
     storage: ServiceDependencyItem[];
     search: ServiceDependencyItem[];
 }
+type SecurityScannerStatus = 'up-to-date' | 'review-needed' | 'unknown' | 'unavailable';
+interface SecurityToolAssessment {
+    name: 'semgrep' | 'gitleaks' | 'trufflehog';
+    category: 'sast' | 'secrets';
+    command: string;
+    available: boolean;
+    version: string | null;
+    minRecommendedVersion: string;
+    status: SecurityScannerStatus;
+    risks: string[];
+}
+interface SecretHeuristicFinding {
+    file: string;
+    detector: string;
+    sample: string;
+}
+interface SecurityScannersResult {
+    semgrep: SecurityToolAssessment;
+    secretScanners: SecurityToolAssessment[];
+    configFiles: {
+        semgrep: boolean;
+        gitleaks: boolean;
+        trufflehog: boolean;
+    };
+    heuristicFindings: SecretHeuristicFinding[];
+}
 /** Detected project archetype (fingerprint) */
 type ProjectArchetype = 'nextjs' | 'remix' | 'sveltekit' | 'nuxt' | 'nestjs' | 'express' | 'fastify' | 'hono' | 'koa' | 'serverless' | 'library' | 'cli' | 'monorepo' | 'unknown';
 /** Architectural layer classification */
@@ -300,6 +333,22 @@ interface ArchitectureResult {
     /** Files that could not be classified */
     unclassified: number;
 }
+interface GodFile {
+    path: string;
+    lines: number;
+    functionCount: number;
+    averageComplexity: number;
+}
+interface CodeQualityResult {
+    filesAnalyzed: number;
+    functionsAnalyzed: number;
+    avgCyclomaticComplexity: number;
+    avgFunctionLength: number;
+    maxNestingDepth: number;
+    godFiles: GodFile[];
+    circularDependencies: number;
+    deadCodePercent: number;
+}
 interface ExtendedScanResults {
     platformMatrix?: PlatformMatrixResult;
     dependencyRisk?: DependencyRiskResult;
@@ -310,8 +359,30 @@ interface ExtendedScanResults {
     breakingChangeExposure?: BreakingChangeExposureResult;
     fileHotspots?: FileHotspotsResult;
     securityPosture?: SecurityPostureResult;
+    securityScanners?: SecurityScannersResult;
     serviceDependencies?: ServiceDependenciesResult;
     architecture?: ArchitectureResult;
+    codeQuality?: CodeQualityResult;
+    owaspCategoryMapping?: OwaspCategoryMappingResult;
+}
+interface OwaspFinding {
+    ruleId: string;
+    path: string;
+    line: number;
+    endLine?: number;
+    message: string;
+    severity: 'low' | 'medium' | 'high';
+    categories: string[];
+    cwe: string | null;
+}
+interface OwaspCategoryMappingResult {
+    scanner: 'semgrep';
+    available: boolean;
+    mode: OwaspScannerMode;
+    scannedFiles: number;
+    findings: OwaspFinding[];
+    categoryCounts: Record<string, number>;
+    errors: string[];
 }
 
 declare function runScan(rootDir: string, opts: ScanOptions): Promise<ScanArtifact>;

package/dist/index.js

@@ -7,7 +7,7 @@ import {
   formatText,
   generateFindings,
   runScan
-} from "./chunk-27LB7QTA.js";
+} from "./chunk-XLRCQ476.js";
 export {
   computeDriftScore,
   formatMarkdown,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "1.0.26",
+  "version": "1.0.28",
   "description": "CLI for measuring upgrade drift across Node & .NET projects",
   "type": "module",
   "bin": {
@@ -43,7 +43,6 @@
     "eslint": "^9.0.0",
     "tsup": "^8.0.0",
     "tsx": "^4.0.0",
-    "typescript": "^5.4.0",
     "vitest": "^2.0.0"
   },
   "dependencies": {
@@ -51,6 +50,7 @@
     "commander": "^12.0.0",
     "fast-xml-parser": "^4.3.0",
     "semver": "^7.6.0",
+    "typescript": "^5.4.0",
     "zod": "^3.23.0"
   },
   "engines": {