@vibgrate/cli 1.0.41 → 1.0.42

package/dist/{chunk-NU7IIHIG.js → chunk-YFJC5JSQ.js}

@@ -1,555 +1,19 @@
-// src/utils/fs.ts
-import * as fs from "fs/promises";
-import * as os from "os";
-import * as path2 from "path";
-
-// src/utils/semaphore.ts
-var Semaphore = class {
-  available;
-  queue = [];
-  constructor(max) {
-    this.available = max;
-  }
-  async run(fn) {
-    await this.acquire();
-    try {
-      return await fn();
-    } finally {
-      this.release();
-    }
-  }
-  acquire() {
-    if (this.available > 0) {
-      this.available--;
-      return Promise.resolve();
-    }
-    return new Promise((resolve9) => this.queue.push(resolve9));
-  }
-  release() {
-    const next = this.queue.shift();
-    if (next) next();
-    else this.available++;
-  }
-};
-
-// src/utils/glob.ts
-import * as path from "path";
-function compileGlobs(patterns) {
-  if (patterns.length === 0) return null;
-  const matchers = patterns.map((p) => compileOne(normalise(p)));
-  return (relPath) => {
-    const norm = normalise(relPath);
-    return matchers.some((m) => m(norm));
-  };
-}
-function normalise(p) {
-  return p.split(path.sep).join("/").replace(/\/+$/, "");
-}
-function compileOne(pattern) {
-  if (!pattern.includes("/") && !hasGlobChars(pattern)) {
-    const prefix = pattern + "/";
-    return (p) => p === pattern || p.startsWith(prefix);
-  }
-  const re = globToRegex(pattern);
-  return (p) => re.test(p);
-}
-function hasGlobChars(s) {
-  return /[*?[\]{}]/.test(s);
-}
-function globToRegex(pattern) {
-  let i = 0;
-  let re = "^";
-  const len = pattern.length;
-  while (i < len) {
-    const ch = pattern[i];
-    if (ch === "*") {
-      if (pattern[i + 1] === "*") {
-        i += 2;
-        if (pattern[i] === "/") {
-          i++;
-          re += "(?:.+/)?";
-        } else {
-          re += ".*";
-        }
-      } else {
-        i++;
-        re += "[^/]*";
-      }
-    } else if (ch === "?") {
-      i++;
-      re += "[^/]";
-    } else if (ch === "[") {
-      const start = i;
-      i++;
-      while (i < len && pattern[i] !== "]") i++;
-      i++;
-      re += pattern.slice(start, i);
-    } else if (ch === "{") {
-      i++;
-      const alternatives = [];
-      let current = "";
-      while (i < len && pattern[i] !== "}") {
-        if (pattern[i] === ",") {
-          alternatives.push(current);
-          current = "";
-        } else {
-          current += pattern[i];
-        }
-        i++;
-      }
-      alternatives.push(current);
-      i++;
-      re += "(?:" + alternatives.map(escapeRegex).join("|") + ")";
-    } else {
-      re += escapeRegex(ch);
-      i++;
-    }
-  }
-  re += "$";
-  return new RegExp(re);
-}
-function escapeRegex(s) {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-
-// src/utils/fs.ts
-var SKIP_DIRS = /* @__PURE__ */ new Set([
-  "node_modules",
-  ".git",
-  ".vibgrate",
-  ".wrangler",
-  ".next",
-  "dist",
-  "build",
-  "out",
-  ".turbo",
-  ".cache",
-  "coverage",
-  "bin",
-  "obj",
-  ".vs",
-  "packages",
-  "TestResults"
-]);
-var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
-  // Fonts
-  ".woff",
-  ".woff2",
-  ".ttf",
-  ".otf",
-  ".eot",
-  // Images & vector
-  ".png",
-  ".jpg",
-  ".jpeg",
-  ".gif",
-  ".ico",
-  ".bmp",
-  ".tiff",
-  ".tif",
-  ".webp",
-  ".avif",
-  ".svg",
-  ".heic",
-  ".heif",
-  ".jfif",
-  ".psd",
-  ".ai",
-  ".eps",
-  ".raw",
-  ".cr2",
-  ".nef",
-  ".dng",
-  // Video
-  ".mp4",
-  ".webm",
-  ".avi",
-  ".mov",
-  ".mkv",
-  ".wmv",
-  ".flv",
-  ".m4v",
-  ".mpg",
-  ".mpeg",
-  ".3gp",
-  ".ogv",
-  // Audio
-  ".mp3",
-  ".wav",
-  ".ogg",
-  ".flac",
-  ".aac",
-  ".wma",
-  ".m4a",
-  ".opus",
-  ".aiff",
-  ".mid",
-  ".midi",
-  // Archives
-  ".zip",
-  ".tar",
-  ".gz",
-  ".bz2",
-  ".7z",
-  ".rar",
-  // Compiled / binary
-  ".exe",
-  ".dll",
-  ".so",
-  ".dylib",
-  ".o",
-  ".a",
-  ".class",
-  ".pyc",
-  ".pdb",
-  // Source maps & lockfiles (large, not useful for drift analysis)
-  ".map"
-]);
-var TEXT_CACHE_MAX_BYTES = 1048576;
-var FileCache = class _FileCache {
-  /** Directory walk results keyed by rootDir */
-  walkCache = /* @__PURE__ */ new Map();
-  /** File content keyed by absolute path (only files ≤ TEXT_CACHE_MAX_BYTES) */
-  textCache = /* @__PURE__ */ new Map();
-  /** Parsed JSON keyed by absolute path */
-  jsonCache = /* @__PURE__ */ new Map();
-  /** pathExists keyed by absolute path */
-  existsCache = /* @__PURE__ */ new Map();
-  /** User-configured exclude predicate (compiled from glob patterns) */
-  excludePredicate = null;
-  /** Directories that were auto-skipped because they were stuck (>60s) */
-  _stuckPaths = [];
-  /** Files skipped because they exceed maxFileSizeToScan */
-  _skippedLargeFiles = [];
-  /** Maximum file size (bytes) we will read. 0 = unlimited. */
-  _maxFileSize = 0;
-  /** Root dir for relative-path computation (set by the first walkDir call) */
-  _rootDir = null;
-  /** Set exclude patterns from config (call once before the walk) */
-  setExcludePatterns(patterns) {
-    this.excludePredicate = compileGlobs(patterns);
-  }
-  /** Set the maximum file size in bytes that readTextFile / readJsonFile will process */
-  setMaxFileSize(bytes) {
-    this._maxFileSize = bytes;
-  }
-  /** Record a path that timed out or was stuck during scanning */
-  addStuckPath(relPath) {
-    this._stuckPaths.push(relPath);
-  }
-  /** Get all paths that were auto-skipped due to being stuck (dirs + scanner files) */
-  get stuckPaths() {
-    return this._stuckPaths;
-  }
-  /** @deprecated Use stuckPaths instead */
-  get stuckDirs() {
-    return this._stuckPaths;
-  }
-  /** Get files that were skipped because they exceeded maxFileSizeToScan */
-  get skippedLargeFiles() {
-    return this._skippedLargeFiles;
-  }
-  // ── Directory walking ──
-  /**
-   * Walk the directory tree from `rootDir` once, skipping SKIP_DIRS plus
-   * common framework output dirs (.nuxt, .output, .svelte-kit).
-   *
-   * The result is memoised so every scanner filters the same array.
-   * Consumers that need additional filtering (e.g. SOURCE_EXTENSIONS,
-   * SKIP_EXTENSIONS) do so on the returned entries — no separate walk.
-   */
-  walkDir(rootDir, onProgress) {
-    this._rootDir = rootDir;
-    const cached = this.walkCache.get(rootDir);
-    if (cached) return cached;
-    const promise = this._doWalk(rootDir, onProgress);
-    this.walkCache.set(rootDir, promise);
-    return promise;
-  }
-  /** Additional dirs skipped only by the cached walk (framework outputs) */
-  static EXTRA_SKIP = /* @__PURE__ */ new Set([".nuxt", ".output", ".svelte-kit"]);
-  async _doWalk(rootDir, onProgress) {
-    const results = [];
-    const cores = typeof os.availableParallelism === "function" ? os.availableParallelism() : os.cpus().length || 4;
-    const maxConcurrentReads = Math.max(8, Math.min(64, cores * 4));
-    let foundCount = 0;
-    let lastReported = 0;
-    const REPORT_INTERVAL = 50;
-    const sem = new Semaphore(maxConcurrentReads);
-    const STUCK_TIMEOUT_MS = 6e4;
-    const extraSkip = _FileCache.EXTRA_SKIP;
-    const isExcluded = this.excludePredicate;
-    const stuckDirs = this._stuckPaths;
-    async function walk(dir) {
-      const relDir = path2.relative(rootDir, dir);
-      if (onProgress) {
-        onProgress(foundCount, relDir || ".");
-      }
-      let entries;
-      try {
-        entries = await sem.run(async () => {
-          const readPromise = fs.readdir(dir, { withFileTypes: true });
-          const result = await Promise.race([
-            readPromise.then((e) => ({ ok: true, entries: e })),
-            new Promise(
-              (resolve9) => setTimeout(() => resolve9({ ok: false }), STUCK_TIMEOUT_MS)
-            )
-          ]);
-          if (!result.ok) {
-            stuckDirs.push(relDir || dir);
-            return null;
-          }
-          return result.entries;
-        });
-      } catch {
-        return;
-      }
-      if (!entries) return;
-      const subWalks = [];
-      for (const e of entries) {
-        const absPath = path2.join(dir, e.name);
-        const relPath = path2.relative(rootDir, absPath);
-        if (isExcluded && isExcluded(relPath)) continue;
-        if (e.isDirectory()) {
-          if (SKIP_DIRS.has(e.name) || extraSkip.has(e.name)) continue;
-          results.push({ absPath, relPath, name: e.name, isFile: false, isDirectory: true });
-          subWalks.push(walk(absPath));
-        } else if (e.isFile()) {
-          const ext = path2.extname(e.name).toLowerCase();
-          if (SKIP_EXTENSIONS.has(ext)) continue;
-          results.push({ absPath, relPath, name: e.name, isFile: true, isDirectory: false });
-          foundCount++;
-          if (onProgress && foundCount - lastReported >= REPORT_INTERVAL) {
-            lastReported = foundCount;
-            onProgress(foundCount, relPath);
-          }
-        }
-      }
-      await Promise.all(subWalks);
-    }
-    await walk(rootDir);
-    if (onProgress && foundCount !== lastReported) {
-      onProgress(foundCount, "");
-    }
-    return results;
-  }
-  /**
-   * Find files matching a predicate from the cached walk.
-   * Returns absolute paths (same contract as the standalone `findFiles`).
-   */
-  async findFiles(rootDir, predicate) {
-    const entries = await this.walkDir(rootDir);
-    return entries.filter((e) => e.isFile && predicate(e.name)).map((e) => e.absPath);
-  }
-  async findPackageJsonFiles(rootDir) {
-    return this.findFiles(rootDir, (name) => name === "package.json");
-  }
-  async findCsprojFiles(rootDir) {
-    return this.findFiles(rootDir, (name) => name.endsWith(".csproj"));
-  }
-  async findSolutionFiles(rootDir) {
-    return this.findFiles(rootDir, (name) => name.endsWith(".sln"));
-  }
-  // ── File content reading ──
-  /**
-   * Read a text file. Files ≤ 1 MB are cached so subsequent calls from
-   * different scanners return the same string. Files > 1 MB (lockfiles,
-   * large generated files) are read directly and never retained.
-   *
-   * If maxFileSizeToScan is set and the file exceeds it, the file is
-   * recorded as skipped and an empty string is returned.
-   */
-  readTextFile(filePath) {
-    const abs = path2.resolve(filePath);
-    const cached = this.textCache.get(abs);
-    if (cached) return cached;
-    const maxSize = this._maxFileSize;
-    const skippedLarge = this._skippedLargeFiles;
-    const rootDir = this._rootDir;
-    const promise = (async () => {
-      if (maxSize > 0) {
-        try {
-          const stat4 = await fs.stat(abs);
-          if (stat4.size > maxSize) {
-            const rel = rootDir ? path2.relative(rootDir, abs) : abs;
-            skippedLarge.push(rel);
-            this.textCache.delete(abs);
-            return "";
-          }
-        } catch {
-        }
-      }
-      const content = await fs.readFile(abs, "utf8");
-      if (content.length > TEXT_CACHE_MAX_BYTES) {
-        this.textCache.delete(abs);
-      }
-      return content;
-    })();
-    this.textCache.set(abs, promise);
-    return promise;
-  }
-  /**
-   * Read and parse a JSON file. The parsed object is cached; the raw
-   * text is evicted immediately so we never hold both representations.
-   */
-  readJsonFile(filePath) {
-    const abs = path2.resolve(filePath);
-    const cached = this.jsonCache.get(abs);
-    if (cached) return cached;
-    const promise = this.readTextFile(abs).then((txt) => {
-      this.textCache.delete(abs);
-      return JSON.parse(txt);
-    });
-    this.jsonCache.set(abs, promise);
-    return promise;
-  }
-  // ── Existence checks ──
-  pathExists(p) {
-    const abs = path2.resolve(p);
-    const cached = this.existsCache.get(abs);
-    if (cached) return cached;
-    const promise = fs.access(abs).then(() => true, () => false);
-    this.existsCache.set(abs, promise);
-    return promise;
-  }
-  // ── Lifecycle ──
-  /** Release all cached data. Call after the scan completes. */
-  clear() {
-    this.walkCache.clear();
-    this.textCache.clear();
-    this.jsonCache.clear();
-    this.existsCache.clear();
-  }
-  /** Number of file content entries currently held */
-  get textCacheSize() {
-    return this.textCache.size;
-  }
-  /** Number of parsed JSON entries currently held */
-  get jsonCacheSize() {
-    return this.jsonCache.size;
-  }
-};
-async function quickTreeCount(rootDir, excludePatterns) {
-  let totalFiles = 0;
-  let totalDirs = 0;
-  const cores = typeof os.availableParallelism === "function" ? os.availableParallelism() : os.cpus().length || 4;
-  const maxConcurrent = Math.max(8, Math.min(128, cores * 8));
-  const sem = new Semaphore(maxConcurrent);
-  const extraSkip = /* @__PURE__ */ new Set([".nuxt", ".output", ".svelte-kit"]);
-  const isExcluded = excludePatterns ? compileGlobs(excludePatterns) : null;
-  async function count(dir) {
-    let entries;
-    try {
-      entries = await sem.run(() => fs.readdir(dir, { withFileTypes: true }));
-    } catch {
-      return;
-    }
-    const subs = [];
-    for (const e of entries) {
-      const relPath = path2.relative(rootDir, path2.join(dir, e.name));
-      if (isExcluded && isExcluded(relPath)) continue;
-      if (e.isDirectory()) {
-        if (SKIP_DIRS.has(e.name) || extraSkip.has(e.name)) continue;
-        totalDirs++;
-        subs.push(count(path2.join(dir, e.name)));
-      } else if (e.isFile()) {
-        const ext = path2.extname(e.name).toLowerCase();
-        if (!SKIP_EXTENSIONS.has(ext)) totalFiles++;
-      }
-    }
-    await Promise.all(subs);
-  }
-  await count(rootDir);
-  return { totalFiles, totalDirs };
-}
-async function countFilesInDir(dir, recursive = true) {
-  let count = 0;
-  const extraSkip = /* @__PURE__ */ new Set(["obj", "bin", "Debug", "Release", "TestResults"]);
-  async function walk(currentDir) {
-    let entries;
-    try {
-      entries = await fs.readdir(currentDir, { withFileTypes: true });
-    } catch {
-      return;
-    }
-    const subs = [];
-    for (const e of entries) {
-      if (e.isDirectory()) {
-        if (!recursive) continue;
-        if (SKIP_DIRS.has(e.name) || extraSkip.has(e.name)) continue;
-        subs.push(walk(path2.join(currentDir, e.name)));
-      } else if (e.isFile()) {
-        const ext = path2.extname(e.name).toLowerCase();
-        if (!SKIP_EXTENSIONS.has(ext)) count++;
-      }
-    }
-    await Promise.all(subs);
-  }
-  await walk(dir);
-  return count;
-}
-async function findFiles(rootDir, predicate) {
-  const results = [];
-  const cores = typeof os.availableParallelism === "function" ? os.availableParallelism() : os.cpus().length || 4;
-  const maxConcurrentReads = Math.max(8, Math.min(64, cores * 4));
-  const readDirSemaphore = new Semaphore(maxConcurrentReads);
-  async function walk(dir) {
-    let entries;
-    try {
-      entries = await readDirSemaphore.run(() => fs.readdir(dir, { withFileTypes: true }));
-    } catch {
-      return;
-    }
-    const subDirectoryWalks = [];
-    for (const e of entries) {
-      if (e.isDirectory()) {
-        if (SKIP_DIRS.has(e.name)) continue;
-        subDirectoryWalks.push(walk(path2.join(dir, e.name)));
-      } else if (e.isFile() && predicate(e.name)) {
-        const ext = path2.extname(e.name).toLowerCase();
-        if (!SKIP_EXTENSIONS.has(ext)) results.push(path2.join(dir, e.name));
-      }
-    }
-    await Promise.all(subDirectoryWalks);
-  }
-  await walk(rootDir);
-  return results;
-}
-async function findPackageJsonFiles(rootDir) {
-  return findFiles(rootDir, (name) => name === "package.json");
-}
-async function findSolutionFiles(rootDir) {
-  return findFiles(rootDir, (name) => name.endsWith(".sln"));
-}
-async function findCsprojFiles(rootDir) {
-  return findFiles(rootDir, (name) => name.endsWith(".csproj"));
-}
-async function readJsonFile(filePath) {
-  const txt = await fs.readFile(filePath, "utf8");
-  return JSON.parse(txt);
-}
-async function readTextFile(filePath) {
-  return fs.readFile(filePath, "utf8");
-}
-async function pathExists(p) {
-  try {
-    await fs.access(p);
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function ensureDir(dir) {
-  await fs.mkdir(dir, { recursive: true });
-}
-async function writeJsonFile(filePath, data) {
-  await ensureDir(path2.dirname(filePath));
-  await fs.writeFile(filePath, JSON.stringify(data, null, 2) + "\n", "utf8");
-}
-async function writeTextFile(filePath, content) {
-  await ensureDir(path2.dirname(filePath));
-  await fs.writeFile(filePath, content, "utf8");
-}
+import {
+  FileCache,
+  Semaphore,
+  countFilesInDir,
+  ensureDir,
+  findCsprojFiles,
+  findFiles,
+  findPackageJsonFiles,
+  findSolutionFiles,
+  pathExists,
+  quickTreeCount,
+  readJsonFile,
+  readTextFile,
+  writeJsonFile,
+  writeTextFile
+} from "./chunk-RNVZIZNL.js";
 
 // src/scoring/drift-score.ts
 import * as crypto from "crypto";
@@ -622,17 +86,27 @@ function eolScore(projects) {
       else if (p.runtimeMajorsBehind >= 2) score = Math.min(score, 20);
       else if (p.runtimeMajorsBehind >= 1) score = Math.min(score, 60);
     }
+    if (p.type === "python" && p.runtimeMajorsBehind !== void 0) {
+      if (p.runtimeMajorsBehind >= 6) score = Math.min(score, 0);
+      else if (p.runtimeMajorsBehind >= 4) score = Math.min(score, 20);
+      else if (p.runtimeMajorsBehind >= 2) score = Math.min(score, 60);
+    }
+    if (p.type === "java" && p.runtimeMajorsBehind !== void 0) {
+      if (p.runtimeMajorsBehind >= 10) score = Math.min(score, 0);
+      else if (p.runtimeMajorsBehind >= 4) score = Math.min(score, 30);
+      else if (p.runtimeMajorsBehind >= 1) score = Math.min(score, 70);
+    }
   }
   return score;
 }
 function computeDriftScore(projects) {
   const rs = runtimeScore(projects);
-  const fs7 = frameworkScore(projects);
+  const fs6 = frameworkScore(projects);
   const ds = dependencyScore(projects);
   const es = eolScore(projects);
   const components = [
     { score: rs, weight: 0.25 },
-    { score: fs7, weight: 0.25 },
+    { score: fs6, weight: 0.25 },
     { score: ds, weight: 0.3 },
     { score: es, weight: 0.2 }
   ];
@@ -643,7 +117,7 @@ function computeDriftScore(projects) {
       riskLevel: "low",
       components: {
         runtimeScore: Math.round(rs ?? 100),
-        frameworkScore: Math.round(fs7 ?? 100),
+        frameworkScore: Math.round(fs6 ?? 100),
         dependencyScore: Math.round(ds ?? 100),
         eolScore: Math.round(es ?? 100)
       }
@@ -661,7 +135,7 @@ function computeDriftScore(projects) {
   else riskLevel = "high";
   const measured = [];
   if (rs !== null) measured.push("runtime");
-  if (fs7 !== null) measured.push("framework");
+  if (fs6 !== null) measured.push("framework");
   if (ds !== null) measured.push("dependency");
   if (es !== null) measured.push("eol");
   return {
@@ -669,7 +143,7 @@ function computeDriftScore(projects) {
     riskLevel,
     components: {
       runtimeScore: Math.round(rs ?? 100),
-      frameworkScore: Math.round(fs7 ?? 100),
+      frameworkScore: Math.round(fs6 ?? 100),
       dependencyScore: Math.round(ds ?? 100),
       eolScore: Math.round(es ?? 100)
     },
@@ -684,17 +158,19 @@ function generateFindings(projects, config) {
   const findings = [];
   for (const project of projects) {
     if (project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind >= 3) {
+      const runtimeLabel = project.type === "node" ? "Node.js" : project.type === "dotnet" ? ".NET" : project.type === "python" ? "Python" : project.type === "java" ? "Java" : project.type;
       findings.push({
         ruleId: "vibgrate/runtime-eol",
         level: "error",
-        message: `${project.type === "node" ? "Node.js" : ".NET"} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}). Likely at or past EOL.`,
+        message: `${runtimeLabel} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}). Likely at or past EOL.`,
         location: project.path
       });
     } else if (project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind >= 2) {
+      const runtimeLabel = project.type === "node" ? "Node.js" : project.type === "dotnet" ? ".NET" : project.type === "python" ? "Python" : project.type === "java" ? "Java" : project.type;
       findings.push({
         ruleId: "vibgrate/runtime-lag",
         level: "warning",
-        message: `${project.type === "node" ? "Node.js" : ".NET"} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}).`,
+        message: `${runtimeLabel} runtime "${project.runtime}" is ${project.runtimeMajorsBehind} major versions behind (latest: ${project.runtimeLatest}).`,
         location: project.path
       });
     }
@@ -1544,7 +1020,7 @@ function toSarifResult(finding) {
 
 // src/commands/dsn.ts
 import * as crypto2 from "crypto";
-import * as path3 from "path";
+import * as path from "path";
 import { Command } from "commander";
 import chalk2 from "chalk";
 var REGION_HOSTS = {
@@ -1589,7 +1065,7 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
   console.log(chalk2.dim("Set this as VIBGRATE_DSN in your CI environment."));
   console.log(chalk2.dim("The secret must be registered on your Vibgrate ingest API."));
   if (opts.write) {
-    const writePath = path3.resolve(opts.write);
+    const writePath = path.resolve(opts.write);
     await writeTextFile(writePath, dsn + "\n");
     console.log("");
     console.log(chalk2.green("\u2714") + ` DSN written to ${opts.write}`);
@@ -1599,7 +1075,7 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
 
 // src/commands/push.ts
 import * as crypto3 from "crypto";
-import * as path4 from "path";
+import * as path2 from "path";
 import { Command as Command2 } from "commander";
 import chalk3 from "chalk";
 function parseDsn(dsn) {
@@ -1629,7 +1105,7 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
     if (opts.strict) process.exit(1);
     return;
   }
-  const filePath = path4.resolve(opts.file);
+  const filePath = path2.resolve(opts.file);
   if (!await pathExists(filePath)) {
     console.error(chalk3.red(`Scan artifact not found: ${filePath}`));
     console.error(chalk3.dim('Run "vibgrate scan" first.'));
@@ -1687,14 +1163,14 @@ import { Command as Command3 } from "commander";
 import chalk6 from "chalk";
 
 // src/scanners/node-scanner.ts
-import * as path5 from "path";
+import * as path3 from "path";
 import * as semver2 from "semver";
 
 // src/utils/timeout.ts
 async function withTimeout(promise, ms) {
   let timer;
-  const timeout = new Promise((resolve9) => {
-    timer = setTimeout(() => resolve9({ ok: false }), ms);
+  const timeout = new Promise((resolve8) => {
+    timer = setTimeout(() => resolve8({ ok: false }), ms);
   });
   try {
     const result = await Promise.race([
@@ -1719,7 +1195,7 @@ function maxStable(versions) {
   return stable.sort(semver.rcompare)[0] ?? null;
 }
 async function npmViewJson(args, cwd) {
-  return new Promise((resolve9, reject) => {
+  return new Promise((resolve8, reject) => {
     const child = spawn("npm", ["view", ...args, "--json"], {
       cwd,
       shell: true,
@@ -1737,13 +1213,13 @@ async function npmViewJson(args, cwd) {
       }
       const trimmed = out.trim();
       if (!trimmed) {
-        resolve9(null);
+        resolve8(null);
         return;
       }
       try {
-        resolve9(JSON.parse(trimmed));
+        resolve8(JSON.parse(trimmed));
       } catch {
-        resolve9(trimmed.replace(/^"|"$/g, ""));
+        resolve8(trimmed.replace(/^"|"$/g, ""));
       }
     });
   });
@@ -1911,7 +1387,7 @@ async function scanNodeProjects(rootDir, npmCache, cache) {
         results.push(result.value);
         packageNameToPath.set(result.value.name, result.value.path);
       } else {
-        const relPath = path5.relative(rootDir, path5.dirname(pjPath));
+        const relPath = path3.relative(rootDir, path3.dirname(pjPath));
         if (cache) {
           cache.addStuckPath(relPath || ".");
         }
@@ -1942,8 +1418,8 @@ async function scanNodeProjects(rootDir, npmCache, cache) {
 }
 async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   const pj = cache ? await cache.readJsonFile(packageJsonPath) : await readJsonFile(packageJsonPath);
-  const absProjectPath = path5.dirname(packageJsonPath);
-  const projectPath = path5.relative(rootDir, absProjectPath) || ".";
+  const absProjectPath = path3.dirname(packageJsonPath);
+  const projectPath = path3.relative(rootDir, absProjectPath) || ".";
   const nodeEngine = pj.engines?.node ?? void 0;
   let runtimeLatest;
   let runtimeMajorsBehind;
@@ -2030,7 +1506,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   return {
     type: "node",
     path: projectPath,
-    name: pj.name ?? path5.basename(absProjectPath),
+    name: pj.name ?? path3.basename(absProjectPath),
     runtime: nodeEngine,
     runtimeLatest,
     runtimeMajorsBehind,
@@ -2042,7 +1518,8 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
 }
 
 // src/scanners/dotnet-scanner.ts
-import * as path6 from "path";
+import * as path4 from "path";
+import * as semver3 from "semver";
 import { XMLParser } from "fast-xml-parser";
 var parser = new XMLParser({
   ignoreAttributes: false,
@@ -2243,7 +1720,7 @@ function parseCsproj(xml, filePath) {
   const parsed = parser.parse(xml);
   const project = parsed?.Project;
   if (!project) {
-    return { targetFrameworks: [], packageReferences: [], projectReferences: [], projectName: path6.basename(filePath, ".csproj") };
+    return { targetFrameworks: [], packageReferences: [], projectReferences: [], projectName: path4.basename(filePath, ".csproj") };
   }
   const propertyGroups = Array.isArray(project.PropertyGroup) ? project.PropertyGroup : project.PropertyGroup ? [project.PropertyGroup] : [];
   const targetFrameworks = [];
@@ -2280,22 +1757,22 @@ function parseCsproj(xml, filePath) {
     targetFrameworks: [...new Set(targetFrameworks)],
     packageReferences,
     projectReferences,
-    projectName: path6.basename(filePath, ".csproj")
+    projectName: path4.basename(filePath, ".csproj")
   };
 }
-async function scanDotnetProjects(rootDir, cache) {
+async function scanDotnetProjects(rootDir, nugetCache, cache) {
   const csprojFiles = cache ? await cache.findCsprojFiles(rootDir) : await findCsprojFiles(rootDir);
   const slnFiles = cache ? await cache.findSolutionFiles(rootDir) : await findSolutionFiles(rootDir);
   const slnCsprojPaths = /* @__PURE__ */ new Set();
   for (const slnPath of slnFiles) {
     try {
       const slnContent = cache ? await cache.readTextFile(slnPath) : await readTextFile(slnPath);
-      const slnDir = path6.dirname(slnPath);
+      const slnDir = path4.dirname(slnPath);
       const projectRegex = /Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"/g;
       let match;
       while ((match = projectRegex.exec(slnContent)) !== null) {
         if (match[1]) {
-          const csprojPath = path6.resolve(slnDir, match[1].replace(/\\/g, "/"));
+          const csprojPath = path4.resolve(slnDir, match[1].replace(/\\/g, "/"));
           slnCsprojPaths.add(csprojPath);
         }
       }
@@ -2307,12 +1784,12 @@ async function scanDotnetProjects(rootDir, cache) {
   const STUCK_TIMEOUT_MS = 6e4;
   for (const csprojPath of allCsprojFiles) {
     try {
-      const scanPromise = scanOneCsproj(csprojPath, rootDir, cache);
+      const scanPromise = scanOneCsproj(csprojPath, rootDir, nugetCache, cache);
       const result = await withTimeout(scanPromise, STUCK_TIMEOUT_MS);
       if (result.ok) {
         results.push(result.value);
       } else {
-        const relPath = path6.relative(rootDir, path6.dirname(csprojPath));
+        const relPath = path4.relative(rootDir, path4.dirname(csprojPath));
         if (cache) {
           cache.addStuckPath(relPath || ".");
         }
@@ -2325,44 +1802,90 @@ async function scanDotnetProjects(rootDir, cache) {
   }
   return results;
 }
-async function scanOneCsproj(csprojPath, rootDir, cache) {
+async function scanOneCsproj(csprojPath, rootDir, nugetCache, cache) {
   const xml = cache ? await cache.readTextFile(csprojPath) : await readTextFile(csprojPath);
   const data = parseCsproj(xml, csprojPath);
-  const csprojDir = path6.dirname(csprojPath);
+  const csprojDir = path4.dirname(csprojPath);
   const primaryTfm = data.targetFrameworks[0];
   let runtimeMajorsBehind;
   let targetFramework = primaryTfm;
   if (primaryTfm) {
-    const major2 = parseTfmMajor(primaryTfm);
-    if (major2 !== null) {
-      runtimeMajorsBehind = Math.max(0, LATEST_DOTNET_MAJOR - major2);
-    }
-  }
-  const dependencies = data.packageReferences.map((ref) => ({
-    package: ref.name,
-    section: "dependencies",
-    currentSpec: ref.version,
-    resolvedVersion: ref.version,
-    latestStable: null,
-    // NuGet lookup not implemented in v1
-    majorsBehind: null,
-    drift: "unknown"
-  }));
+    const major5 = parseTfmMajor(primaryTfm);
+    if (major5 !== null) {
+      runtimeMajorsBehind = Math.max(0, LATEST_DOTNET_MAJOR - major5);
+    }
+  }
+  const dependencies = [];
+  const bucketsMut = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: 0 };
+  if (nugetCache) {
+    const metaPromises = data.packageReferences.map(async (ref) => {
+      const meta = await nugetCache.get(ref.name);
+      return { ref, meta };
+    });
+    const resolved = await Promise.all(metaPromises);
+    for (const { ref, meta } of resolved) {
+      const resolvedVersion = semver3.valid(ref.version) ? ref.version : null;
+      const latestStable = meta.latestStableOverall;
+      let majorsBehind = null;
+      let drift = "unknown";
+      if (resolvedVersion && latestStable) {
+        const currentMajor = semver3.major(resolvedVersion);
+        const latestMajor = semver3.major(latestStable);
+        majorsBehind = latestMajor - currentMajor;
+        if (majorsBehind === 0) {
+          drift = semver3.eq(resolvedVersion, latestStable) ? "current" : "minor-behind";
+        } else if (majorsBehind > 0) {
+          drift = "major-behind";
+        } else {
+          drift = "current";
+        }
+        if (majorsBehind <= 0) bucketsMut.current++;
+        else if (majorsBehind === 1) bucketsMut.oneBehind++;
+        else bucketsMut.twoPlusBehind++;
+      } else {
+        bucketsMut.unknown++;
+      }
+      dependencies.push({
+        package: ref.name,
+        section: "dependencies",
+        currentSpec: ref.version,
+        resolvedVersion,
+        latestStable,
+        majorsBehind,
+        drift
+      });
+    }
+  } else {
+    for (const ref of data.packageReferences) {
+      dependencies.push({
+        package: ref.name,
+        section: "dependencies",
+        currentSpec: ref.version,
+        resolvedVersion: ref.version,
+        latestStable: null,
+        majorsBehind: null,
+        drift: "unknown"
+      });
+      bucketsMut.unknown++;
+    }
+  }
   const frameworks = [];
+  const depLookup = new Map(dependencies.map((d) => [d.package, d]));
   for (const ref of data.packageReferences) {
     if (ref.name in KNOWN_DOTNET_FRAMEWORKS) {
+      const resolved = depLookup.get(ref.name);
       frameworks.push({
         name: KNOWN_DOTNET_FRAMEWORKS[ref.name],
-        currentVersion: ref.version,
-        latestVersion: null,
-        majorsBehind: null
+        currentVersion: resolved?.resolvedVersion ?? ref.version,
+        latestVersion: resolved?.latestStable ?? null,
+        majorsBehind: resolved?.majorsBehind ?? null
       });
     }
   }
   const projectReferences = data.projectReferences.map((refPath) => {
-    const absRefPath = path6.resolve(csprojDir, refPath);
-    const relRefPath = path6.relative(rootDir, path6.dirname(absRefPath));
-    const refName = path6.basename(absRefPath, ".csproj");
+    const absRefPath = path4.resolve(csprojDir, refPath);
+    const relRefPath = path4.relative(rootDir, path4.dirname(absRefPath));
+    const refName = path4.basename(absRefPath, ".csproj");
     return {
       path: relRefPath || ".",
       name: refName,
@@ -2374,10 +1897,16 @@ async function scanOneCsproj(csprojPath, rootDir, cache) {
     fileCount = await countFilesInDir(csprojDir);
   } catch {
   }
-  const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: dependencies.length };
+  dependencies.sort((a, b) => {
+    const order = { "major-behind": 0, "minor-behind": 1, "current": 2, "unknown": 3 };
+    const diff = (order[a.drift] ?? 9) - (order[b.drift] ?? 9);
+    if (diff !== 0) return diff;
+    return a.package.localeCompare(b.package);
+  });
+  const buckets = bucketsMut;
   return {
     type: "dotnet",
-    path: path6.relative(rootDir, csprojDir) || ".",
+    path: path4.relative(rootDir, csprojDir) || ".",
     name: data.projectName,
     targetFramework,
     runtime: primaryTfm,
@@ -2391,9 +1920,957 @@ async function scanOneCsproj(csprojPath, rootDir, cache) {
   };
 }
 
+// src/scanners/python-scanner.ts
+import * as path5 from "path";
+import * as semver4 from "semver";
+var KNOWN_PYTHON_FRAMEWORKS = {
+  // ── Web Frameworks ──
+  "django": "Django",
+  "flask": "Flask",
+  "fastapi": "FastAPI",
+  "starlette": "Starlette",
+  "tornado": "Tornado",
+  "bottle": "Bottle",
+  "sanic": "Sanic",
+  "falcon": "Falcon",
+  "aiohttp": "aiohttp",
+  "quart": "Quart",
+  "litestar": "Litestar",
+  "robyn": "Robyn",
+  // ── ORM & Database ──
+  "sqlalchemy": "SQLAlchemy",
+  "django-rest-framework": "DRF",
+  "djangorestframework": "DRF",
+  "peewee": "Peewee",
+  "tortoise-orm": "Tortoise ORM",
+  "sqlmodel": "SQLModel",
+  "pony": "Pony ORM",
+  "alembic": "Alembic",
+  "psycopg2": "psycopg2",
+  "psycopg2-binary": "psycopg2",
+  "psycopg": "psycopg3",
+  "asyncpg": "asyncpg",
+  "pymongo": "PyMongo",
+  "motor": "Motor",
+  "redis": "redis-py",
+  "celery": "Celery",
+  "boto3": "AWS SDK (boto3)",
+  "botocore": "AWS SDK (botocore)",
+  // ── Data Science & ML ──
+  "numpy": "NumPy",
+  "pandas": "pandas",
+  "scipy": "SciPy",
+  "scikit-learn": "scikit-learn",
+  "tensorflow": "TensorFlow",
+  "torch": "PyTorch",
+  "keras": "Keras",
+  "matplotlib": "Matplotlib",
+  "seaborn": "Seaborn",
+  "plotly": "Plotly",
+  "polars": "Polars",
+  "dask": "Dask",
+  "xgboost": "XGBoost",
+  "lightgbm": "LightGBM",
+  "transformers": "Transformers (HF)",
+  "langchain": "LangChain",
+  "openai": "OpenAI SDK",
+  // ── Testing ──
+  "pytest": "pytest",
+  "unittest2": "unittest2",
+  "nose2": "nose2",
+  "tox": "tox",
+  "hypothesis": "Hypothesis",
+  "factory-boy": "factory_boy",
+  "faker": "Faker",
+  "coverage": "Coverage.py",
+  "responses": "responses",
+  "httpx": "HTTPX",
+  // ── Async & Tasks ──
+  "uvicorn": "Uvicorn",
+  "gunicorn": "Gunicorn",
+  "hypercorn": "Hypercorn",
+  "dramatiq": "Dramatiq",
+  "rq": "RQ",
+  "huey": "Huey",
+  // ── Auth & Security ──
+  "pyjwt": "PyJWT",
+  "authlib": "Authlib",
+  "python-jose": "python-jose",
+  "passlib": "Passlib",
+  "cryptography": "cryptography",
+  // ── Serialization & Validation ──
+  "pydantic": "Pydantic",
+  "marshmallow": "Marshmallow",
+  "attrs": "attrs",
+  "cerberus": "Cerberus",
+  "msgpack": "msgpack",
+  "protobuf": "protobuf",
+  // ── HTTP Clients ──
+  "requests": "Requests",
+  "urllib3": "urllib3",
+  // ── DevOps & Infrastructure ──
+  "ansible": "Ansible",
+  "fabric": "Fabric",
+  "invoke": "Invoke",
+  "paramiko": "Paramiko",
+  // ── Linting & Formatting ──
+  "black": "Black",
+  "ruff": "Ruff",
+  "flake8": "Flake8",
+  "mypy": "mypy",
+  "pylint": "Pylint",
+  "isort": "isort",
+  "bandit": "Bandit",
+  // ── Logging & Observability ──
+  "structlog": "structlog",
+  "loguru": "Loguru",
+  "sentry-sdk": "Sentry SDK",
+  "opentelemetry-api": "OpenTelemetry",
+  "prometheus-client": "prometheus-client"
+};
+var LATEST_PYTHON_MINOR = { major: 3, minor: 13 };
+function parseRequirementLine(line) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) return null;
+  const withoutMarkers = trimmed.split(";")[0].trim();
+  const match = withoutMarkers.match(/^([A-Za-z0-9][-A-Za-z0-9_.]*[A-Za-z0-9]?)(?:\[.*?\])?\s*(.*)?$/);
+  if (!match) return null;
+  const rawName = match[1];
+  const spec = (match[2] ?? "").trim();
+  const normalisedName = rawName.toLowerCase().replace(/[_.]+/g, "-");
+  return { name: rawName, spec, normalisedName };
+}
+function extractPinnedVersion(spec) {
+  const match = spec.match(/^==\s*([^\s,;]+)/);
+  return match?.[1] ?? null;
+}
+function pep440ToSemver(ver) {
+  let v = ver.replace(/^[vV]/, "").trim();
+  if (/(?:a\d|b\d|rc\d|alpha|beta|dev|post)/i.test(v)) return null;
+  const parts = v.split(".");
+  while (parts.length < 3) parts.push("0");
+  v = parts.slice(0, 3).join(".");
+  return semver4.valid(v);
+}
+function parseRequirementsTxt(content) {
+  const deps = [];
+  for (const line of content.split("\n")) {
+    const dep = parseRequirementLine(line);
+    if (dep) deps.push(dep);
+  }
+  return deps;
+}
+function parsePyprojectToml(content) {
+  const result = { dependencies: [] };
+  const nameMatch = content.match(/^\s*name\s*=\s*"([^"]+)"/m);
+  if (nameMatch) result.projectName = nameMatch[1];
+  const pyVerMatch = content.match(/^\s*requires-python\s*=\s*"([^"]+)"/m);
+  if (pyVerMatch) result.pythonVersion = pyVerMatch[1];
+  const depsBlockMatch = content.match(/^\s*dependencies\s*=\s*\[([\s\S]*?)\]/m);
+  if (depsBlockMatch) {
+    const block = depsBlockMatch[1];
+    const lineRegex = /"([^"]+)"/g;
+    let m;
+    while ((m = lineRegex.exec(block)) !== null) {
+      const dep = parseRequirementLine(m[1]);
+      if (dep) result.dependencies.push(dep);
+    }
+  }
+  const poetrySection = content.match(/\[tool\.poetry\.dependencies\]([\s\S]*?)(?=\n\s*\[|\n*$)/);
+  if (poetrySection) {
+    const lines = poetrySection[1].split("\n");
+    for (const line of lines) {
+      const kv = line.match(/^\s*([A-Za-z0-9][-A-Za-z0-9_.]*)\s*=\s*(?:"([^"]+)"|{.*?version\s*=\s*"([^"]+)".*?})/);
+      if (kv) {
+        const name = kv[1];
+        if (name.toLowerCase() === "python") {
+          result.pythonVersion = kv[2] ?? kv[3] ?? void 0;
+          continue;
+        }
+        const ver = kv[2] ?? kv[3] ?? "";
+        const normalisedName = name.toLowerCase().replace(/[_.]+/g, "-");
+        result.dependencies.push({ name, spec: ver ? `==${ver}` : "", normalisedName });
+      }
+    }
+  }
+  return result;
+}
+function parsePipfile(content) {
+  const deps = [];
+  const packagesMatch = content.match(/\[packages\]([\s\S]*?)(?=\n\s*\[|\n*$)/);
+  if (packagesMatch) {
+    const lines = packagesMatch[1].split("\n");
+    for (const line of lines) {
+      const kv = line.match(/^\s*([A-Za-z0-9][-A-Za-z0-9_.]*)\s*=\s*(?:"([^"]+)"|{.*?version\s*=\s*"([^"]+)".*?}|\*|"[*]")/);
+      if (kv) {
+        const name = kv[1];
+        const ver = kv[2] ?? kv[3] ?? "";
+        const normalisedName = name.toLowerCase().replace(/[_.]+/g, "-");
+        deps.push({ name, spec: ver || "*", normalisedName });
+      }
+    }
+  }
+  const devMatch = content.match(/\[dev-packages\]([\s\S]*?)(?=\n\s*\[|\n*$)/);
+  if (devMatch) {
+    const lines = devMatch[1].split("\n");
+    for (const line of lines) {
+      const kv = line.match(/^\s*([A-Za-z0-9][-A-Za-z0-9_.]*)\s*=\s*(?:"([^"]+)"|{.*?version\s*=\s*"([^"]+)".*?}|\*|"[*]")/);
+      if (kv) {
+        const name = kv[1];
+        const ver = kv[2] ?? kv[3] ?? "";
+        const normalisedName = name.toLowerCase().replace(/[_.]+/g, "-");
+        deps.push({ name, spec: ver || "*", normalisedName });
+      }
+    }
+  }
+  return deps;
+}
+function parseSetupCfg(content) {
+  const result = { deps: [] };
+  const metadataSection = content.match(/\[metadata\]([\s\S]*?)(?=\n\s*\[|\n*$)/);
+  if (metadataSection) {
+    const nameMatch = metadataSection[1].match(/^\s*name\s*=\s*(.+)$/m);
+    if (nameMatch) result.name = nameMatch[1].trim();
+  }
+  const optionsSection = content.match(/\[options\]([\s\S]*?)(?=\n\s*\[|\n*$)/);
+  if (optionsSection) {
+    const pyReqMatch = optionsSection[1].match(/^\s*python_requires\s*=\s*(.+)$/m);
+    if (pyReqMatch) result.pythonVersion = pyReqMatch[1].trim();
+    const installReqMatch = optionsSection[1].match(/install_requires\s*=\s*\n((?:\s+.*\n?)*)/);
+    if (installReqMatch) {
+      const block = installReqMatch[1];
+      for (const line of block.split("\n")) {
+        const dep = parseRequirementLine(line);
+        if (dep) result.deps.push(dep);
+      }
+    }
+  }
+  return result;
+}
+var PYTHON_MANIFEST_FILES = /* @__PURE__ */ new Set([
+  "requirements.txt",
+  "requirements-dev.txt",
+  "requirements_dev.txt",
+  "requirements-test.txt",
+  "dev-requirements.txt",
+  "pyproject.toml",
+  "setup.py",
+  "setup.cfg",
+  "Pipfile"
+]);
+async function scanPythonProjects(rootDir, pypiCache, cache) {
+  const manifestFiles = cache ? await cache.findFiles(rootDir, (name) => PYTHON_MANIFEST_FILES.has(name) || /^requirements.*\.txt$/.test(name)) : await findPythonManifests(rootDir);
+  const projectDirs = /* @__PURE__ */ new Map();
+  for (const f of manifestFiles) {
+    const dir = path5.dirname(f);
+    if (!projectDirs.has(dir)) projectDirs.set(dir, []);
+    projectDirs.get(dir).push(f);
+  }
+  const results = [];
+  const STUCK_TIMEOUT_MS = 6e4;
+  for (const [dir, files] of projectDirs) {
+    try {
+      const scanPromise = scanOnePythonProject(dir, files, rootDir, pypiCache, cache);
+      const result = await withTimeout(scanPromise, STUCK_TIMEOUT_MS);
+      if (result.ok) {
+        results.push(result.value);
+      } else {
+        const relPath = path5.relative(rootDir, dir);
+        if (cache) cache.addStuckPath(relPath || ".");
+        console.error(`Timeout scanning Python project ${dir} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
+      }
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      console.error(`Error scanning Python project ${dir}: ${msg}`);
+    }
+  }
+  return results;
+}
+async function findPythonManifests(rootDir) {
+  const { findFiles: findFiles2 } = await import("./fs-Q63DRR7L.js");
+  return findFiles2(rootDir, (name) => PYTHON_MANIFEST_FILES.has(name) || /^requirements.*\.txt$/.test(name));
+}
+async function scanOnePythonProject(dir, manifestFiles, rootDir, pypiCache, cache) {
+  const relDir = path5.relative(rootDir, dir) || ".";
+  let projectName = path5.basename(dir === rootDir ? rootDir : dir);
+  let pythonVersion;
+  const allDeps = /* @__PURE__ */ new Map();
+  for (const f of manifestFiles) {
+    const fileName = path5.basename(f);
+    const content = cache ? await cache.readTextFile(f) : await readTextFile(f);
+    if (fileName === "pyproject.toml") {
+      const parsed = parsePyprojectToml(content);
+      if (parsed.projectName) projectName = parsed.projectName;
+      if (parsed.pythonVersion) pythonVersion = parsed.pythonVersion;
+      for (const dep of parsed.dependencies) {
+        if (!allDeps.has(dep.normalisedName)) allDeps.set(dep.normalisedName, dep);
+      }
+    } else if (fileName === "setup.cfg") {
+      const parsed = parseSetupCfg(content);
+      if (parsed.name) projectName = parsed.name;
+      if (parsed.pythonVersion && !pythonVersion) pythonVersion = parsed.pythonVersion;
+      for (const dep of parsed.deps) {
+        if (!allDeps.has(dep.normalisedName)) allDeps.set(dep.normalisedName, dep);
+      }
+    } else if (fileName === "Pipfile") {
+      for (const dep of parsePipfile(content)) {
+        if (!allDeps.has(dep.normalisedName)) allDeps.set(dep.normalisedName, dep);
+      }
+    } else if (fileName.startsWith("requirements") && fileName.endsWith(".txt")) {
+      for (const dep of parseRequirementsTxt(content)) {
+        if (!allDeps.has(dep.normalisedName)) allDeps.set(dep.normalisedName, dep);
+      }
+    }
+  }
+  let runtimeMajorsBehind;
+  let runtimeLatest;
+  if (pythonVersion) {
+    const verMatch = pythonVersion.match(/(\d+)\.(\d+)/);
+    if (verMatch) {
+      const reqMajor = parseInt(verMatch[1], 10);
+      const reqMinor = parseInt(verMatch[2], 10);
+      if (reqMajor === LATEST_PYTHON_MINOR.major) {
+        runtimeMajorsBehind = Math.max(0, LATEST_PYTHON_MINOR.minor - reqMinor);
+      } else if (reqMajor < LATEST_PYTHON_MINOR.major) {
+        runtimeMajorsBehind = LATEST_PYTHON_MINOR.minor + (LATEST_PYTHON_MINOR.major - reqMajor) * 10;
+      }
+      runtimeLatest = `${LATEST_PYTHON_MINOR.major}.${LATEST_PYTHON_MINOR.minor}`;
+    }
+  }
+  const dependencies = [];
+  const frameworks = [];
+  const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: 0 };
+  const depEntries = [...allDeps.values()];
+  const metaPromises = depEntries.map(async (dep) => {
+    const meta = await pypiCache.get(dep.normalisedName);
+    return { dep, meta };
+  });
+  const resolved = await Promise.all(metaPromises);
+  for (const { dep, meta } of resolved) {
+    const pinnedVersion = extractPinnedVersion(dep.spec);
+    const resolvedVersion = pinnedVersion ? pep440ToSemver(pinnedVersion) : null;
+    const latestStable = meta.latestStableOverall;
+    let majorsBehind = null;
+    let drift = "unknown";
+    if (resolvedVersion && latestStable) {
+      const currentMajor = semver4.major(resolvedVersion);
+      const latestMajor = semver4.major(latestStable);
+      majorsBehind = latestMajor - currentMajor;
+      if (majorsBehind === 0) {
+        drift = semver4.eq(resolvedVersion, latestStable) ? "current" : "minor-behind";
+      } else if (majorsBehind > 0) {
+        drift = "major-behind";
+      } else {
+        drift = "current";
+      }
+      if (majorsBehind <= 0) buckets.current++;
+      else if (majorsBehind === 1) buckets.oneBehind++;
+      else buckets.twoPlusBehind++;
+    } else {
+      buckets.unknown++;
+    }
+    dependencies.push({
+      package: dep.name,
+      section: "dependencies",
+      currentSpec: dep.spec || "*",
+      resolvedVersion,
+      latestStable,
+      majorsBehind,
+      drift
+    });
+    if (dep.normalisedName in KNOWN_PYTHON_FRAMEWORKS) {
+      frameworks.push({
+        name: KNOWN_PYTHON_FRAMEWORKS[dep.normalisedName],
+        currentVersion: resolvedVersion,
+        latestVersion: latestStable,
+        majorsBehind
+      });
+    }
+  }
+  dependencies.sort((a, b) => {
+    const order = { "major-behind": 0, "minor-behind": 1, "current": 2, "unknown": 3 };
+    const diff = (order[a.drift] ?? 9) - (order[b.drift] ?? 9);
+    if (diff !== 0) return diff;
+    return a.package.localeCompare(b.package);
+  });
+  let fileCount;
+  try {
+    fileCount = await countFilesInDir(dir);
+  } catch {
+  }
+  return {
+    type: "python",
+    path: relDir,
+    name: projectName,
+    runtime: pythonVersion,
+    runtimeLatest,
+    runtimeMajorsBehind,
+    frameworks,
+    dependencies,
+    dependencyAgeBuckets: buckets,
+    fileCount
+  };
+}
+
+// src/scanners/java-scanner.ts
+import * as path6 from "path";
+import * as semver5 from "semver";
+import { XMLParser as XMLParser2 } from "fast-xml-parser";
+var parser2 = new XMLParser2({
+  ignoreAttributes: false,
+  attributeNamePrefix: "@_"
+});
+var KNOWN_JAVA_FRAMEWORKS = {
+  // ── Spring ──
+  "org.springframework.boot:spring-boot-starter-web": "Spring Boot Web",
+  "org.springframework.boot:spring-boot-starter": "Spring Boot",
+  "org.springframework.boot:spring-boot-starter-data-jpa": "Spring Data JPA",
+  "org.springframework.boot:spring-boot-starter-security": "Spring Security",
+  "org.springframework.boot:spring-boot-starter-webflux": "Spring WebFlux",
+  "org.springframework.boot:spring-boot-starter-actuator": "Spring Actuator",
+  "org.springframework.boot:spring-boot-starter-test": "Spring Boot Test",
+  "org.springframework:spring-core": "Spring Framework",
+  "org.springframework:spring-web": "Spring Web",
+  "org.springframework:spring-webmvc": "Spring MVC",
+  "org.springframework.cloud:spring-cloud-starter-netflix-eureka-client": "Spring Cloud Eureka",
+  "org.springframework.cloud:spring-cloud-starter-gateway": "Spring Cloud Gateway",
+  "org.springframework.kafka:spring-kafka": "Spring Kafka",
+  // ── Jakarta / Java EE ──
+  "jakarta.platform:jakarta.jakartaee-api": "Jakarta EE",
+  "jakarta.servlet:jakarta.servlet-api": "Jakarta Servlet",
+  "javax.servlet:javax.servlet-api": "Java Servlet (Legacy)",
+  // ── Micronaut ──
+  "io.micronaut:micronaut-core": "Micronaut",
+  "io.micronaut:micronaut-http-server-netty": "Micronaut HTTP",
+  // ── Quarkus ──
+  "io.quarkus:quarkus-core": "Quarkus",
+  "io.quarkus:quarkus-resteasy": "Quarkus RESTEasy",
+  "io.quarkus:quarkus-resteasy-reactive": "Quarkus RESTEasy Reactive",
+  // ── Vert.x ──
+  "io.vertx:vertx-core": "Vert.x",
+  "io.vertx:vertx-web": "Vert.x Web",
+  // ── ORM & Database ──
+  "org.hibernate.orm:hibernate-core": "Hibernate",
+  "org.hibernate:hibernate-core": "Hibernate",
+  "org.mybatis:mybatis": "MyBatis",
+  "org.mybatis.spring.boot:mybatis-spring-boot-starter": "MyBatis Spring Boot",
+  "org.jooq:jooq": "jOOQ",
+  "org.flywaydb:flyway-core": "Flyway",
+  "org.liquibase:liquibase-core": "Liquibase",
+  "com.zaxxer:HikariCP": "HikariCP",
+  "org.postgresql:postgresql": "PostgreSQL JDBC",
+  "com.mysql:mysql-connector-j": "MySQL Connector",
+  "mysql:mysql-connector-java": "MySQL Connector (Legacy)",
+  "com.oracle.database.jdbc:ojdbc11": "Oracle JDBC",
+  "org.mongodb:mongodb-driver-sync": "MongoDB Driver",
+  "io.lettuce:lettuce-core": "Lettuce (Redis)",
+  "redis.clients:jedis": "Jedis (Redis)",
+  // ── Messaging ──
+  "org.apache.kafka:kafka-clients": "Apache Kafka",
+  "com.rabbitmq:amqp-client": "RabbitMQ Client",
+  "software.amazon.awssdk:sqs": "AWS SQS",
+  "software.amazon.awssdk:sns": "AWS SNS",
+  // ── HTTP & API ──
+  "com.squareup.okhttp3:okhttp": "OkHttp",
+  "com.squareup.retrofit2:retrofit": "Retrofit",
+  "org.apache.httpcomponents.client5:httpclient5": "Apache HttpClient 5",
+  "io.grpc:grpc-netty": "gRPC",
+  "com.graphql-java:graphql-java": "GraphQL Java",
+  "com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter": "Netflix DGS",
+  // ── JSON ──
+  "com.fasterxml.jackson.core:jackson-databind": "Jackson",
+  "com.google.code.gson:gson": "Gson",
+  // ── Testing ──
+  "junit:junit": "JUnit 4",
+  "org.junit.jupiter:junit-jupiter": "JUnit 5",
+  "org.junit.jupiter:junit-jupiter-api": "JUnit 5",
+  "org.mockito:mockito-core": "Mockito",
+  "org.assertj:assertj-core": "AssertJ",
+  "org.testcontainers:testcontainers": "Testcontainers",
+  "io.rest-assured:rest-assured": "REST Assured",
+  "org.awaitility:awaitility": "Awaitility",
+  "com.tngtech.archunit:archunit-junit5": "ArchUnit",
+  "org.hamcrest:hamcrest": "Hamcrest",
+  // ── Logging ──
+  "org.slf4j:slf4j-api": "SLF4J",
+  "ch.qos.logback:logback-classic": "Logback",
+  "org.apache.logging.log4j:log4j-core": "Log4j2",
+  // ── Build Plugins (tracked as frameworks) ──
+  "org.projectlombok:lombok": "Lombok",
+  "org.mapstruct:mapstruct": "MapStruct",
+  // ── Cloud SDKs ──
+  "software.amazon.awssdk:bom": "AWS SDK v2",
+  "com.google.cloud:google-cloud-bom": "Google Cloud SDK",
+  "com.azure:azure-sdk-bom": "Azure SDK",
+  // ── Security ──
+  "io.jsonwebtoken:jjwt-api": "JJWT",
+  "com.nimbusds:nimbus-jose-jwt": "Nimbus JOSE+JWT",
+  // ── Observability ──
+  "io.micrometer:micrometer-core": "Micrometer",
+  "io.opentelemetry:opentelemetry-api": "OpenTelemetry",
+  "io.prometheus:simpleclient": "Prometheus Client",
+  // ── Reactive ──
+  "io.projectreactor:reactor-core": "Project Reactor",
+  "io.reactivex.rxjava3:rxjava": "RxJava 3"
+};
+var LATEST_JAVA_LTS = 21;
+function parsePom(xml, filePath) {
+  const parsed = parser2.parse(xml);
+  const project = parsed?.project;
+  if (!project) {
+    return {
+      artifactId: path6.basename(path6.dirname(filePath)),
+      dependencies: [],
+      modules: [],
+      properties: {}
+    };
+  }
+  const properties = {};
+  if (project.properties && typeof project.properties === "object") {
+    for (const [key, val] of Object.entries(project.properties)) {
+      if (typeof val === "string" || typeof val === "number") {
+        properties[key] = String(val);
+      }
+    }
+  }
+  let javaVersion;
+  const javaProps = [
+    "java.version",
+    "maven.compiler.source",
+    "maven.compiler.target",
+    "maven.compiler.release",
+    "java.source.version"
+  ];
+  for (const prop of javaProps) {
+    if (properties[prop]) {
+      javaVersion = String(properties[prop]);
+      break;
+    }
+  }
+  const depContainer = project.dependencies;
+  const rawDeps = depContainer?.dependency ? Array.isArray(depContainer.dependency) ? depContainer.dependency : [depContainer.dependency] : [];
+  const dependencies = rawDeps.filter((d) => d.groupId && d.artifactId).map((d) => ({
+    groupId: resolveProperty(String(d.groupId ?? ""), properties),
+    artifactId: resolveProperty(String(d.artifactId ?? ""), properties),
+    version: resolveProperty(String(d.version ?? ""), properties),
+    scope: d.scope ? String(d.scope) : void 0
+  }));
+  const mgmt = project.dependencyManagement?.dependencies;
+  const mgmtDeps = mgmt?.dependency ? Array.isArray(mgmt.dependency) ? mgmt.dependency : [mgmt.dependency] : [];
+  for (const d of mgmtDeps) {
+    if (d.groupId && d.artifactId && d.version) {
+      dependencies.push({
+        groupId: resolveProperty(String(d.groupId), properties),
+        artifactId: resolveProperty(String(d.artifactId), properties),
+        version: resolveProperty(String(d.version), properties),
+        scope: d.scope ? String(d.scope) : void 0
+      });
+    }
+  }
+  const rawModules = project.modules?.module ? Array.isArray(project.modules.module) ? project.modules.module : [project.modules.module] : [];
+  const modules = rawModules.map(String);
+  let parent;
+  if (project.parent?.groupId && project.parent?.artifactId) {
+    parent = {
+      groupId: String(project.parent.groupId),
+      artifactId: String(project.parent.artifactId),
+      version: String(project.parent.version ?? "")
+    };
+  }
+  return {
+    groupId: project.groupId ? String(project.groupId) : parent?.groupId,
+    artifactId: String(project.artifactId ?? path6.basename(path6.dirname(filePath))),
+    version: project.version ? String(project.version) : parent?.version,
+    packaging: project.packaging ? String(project.packaging) : void 0,
+    javaVersion,
+    dependencies,
+    modules,
+    parent,
+    properties
+  };
+}
+function resolveProperty(value, properties) {
+  return value.replace(/\$\{([^}]+)\}/g, (_, key) => properties[key] ?? `\${${key}}`);
+}
+function parseGradleBuild(content, filePath) {
+  const deps = [];
+  const projectName = path6.basename(path6.dirname(filePath));
+  let javaVersion;
+  const compatMatch = content.match(/(?:sourceCompatibility|targetCompatibility|javaVersion)\s*[=:]\s*['"]?(?:JavaVersion\.VERSION_)?(\d+)['"]?/);
+  if (compatMatch) javaVersion = compatMatch[1];
+  const toolchainMatch = content.match(/JavaLanguageVersion\.of\((\d+)\)/);
+  if (toolchainMatch) javaVersion = toolchainMatch[1];
+  const depRegex = /(?:implementation|api|compileOnly|runtimeOnly|testImplementation|testRuntimeOnly|annotationProcessor|kapt)\s*(?:\(?\s*)?['"]([^'"]+)['"]/g;
+  let match;
+  while ((match = depRegex.exec(content)) !== null) {
+    const parts = match[1].split(":");
+    if (parts.length >= 2) {
+      deps.push({
+        groupId: parts[0],
+        artifactId: parts[1],
+        version: parts[2] ?? "",
+        configuration: match[0].split(/\s/)[0]
+      });
+    }
+  }
+  const kotlinDepRegex = /(?:implementation|api|compileOnly|runtimeOnly|testImplementation|testRuntimeOnly|annotationProcessor|kapt)\s*\(\s*"([^"]+)"\s*\)/g;
+  while ((match = kotlinDepRegex.exec(content)) !== null) {
+    const parts = match[1].split(":");
+    if (parts.length >= 2) {
+      const key = `${parts[0]}:${parts[1]}`;
+      if (!deps.some((d) => `${d.groupId}:${d.artifactId}` === key)) {
+        deps.push({
+          groupId: parts[0],
+          artifactId: parts[1],
+          version: parts[2] ?? "",
+          configuration: match[0].split(/\s/)[0]
+        });
+      }
+    }
+  }
+  const platformRegex = /(?:implementation|api)\s*(?:\(?\s*)?platform\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+  while ((match = platformRegex.exec(content)) !== null) {
+    const parts = match[1].split(":");
+    if (parts.length >= 2) {
+      deps.push({
+        groupId: parts[0],
+        artifactId: parts[1],
+        version: parts[2] ?? "",
+        configuration: "platform"
+      });
+    }
+  }
+  return { javaVersion, dependencies: deps, projectName };
+}
+function mavenToSemver(ver) {
+  let v = ver.trim();
+  if (!v || v.includes("$")) return null;
+  if (/(?:-SNAPSHOT|-alpha|-beta|-rc|-M\d|-CR\d)/i.test(v)) return null;
+  v = v.replace(/\.(?:RELEASE|Final|GA)$/i, "");
+  const parts = v.split(".");
+  while (parts.length < 3) parts.push("0");
+  v = parts.slice(0, 3).join(".");
+  return semver5.valid(v);
+}
+var JAVA_MANIFEST_FILES = /* @__PURE__ */ new Set(["pom.xml", "build.gradle", "build.gradle.kts"]);
+async function scanJavaProjects(rootDir, mavenCache, cache) {
+  const manifestFiles = cache ? await cache.findFiles(rootDir, (name) => JAVA_MANIFEST_FILES.has(name)) : await findJavaManifests(rootDir);
+  const projectDirs = /* @__PURE__ */ new Map();
+  for (const f of manifestFiles) {
+    const dir = path6.dirname(f);
+    if (!projectDirs.has(dir)) projectDirs.set(dir, []);
+    projectDirs.get(dir).push(f);
+  }
+  const results = [];
+  const STUCK_TIMEOUT_MS = 6e4;
+  for (const [dir, files] of projectDirs) {
+    try {
+      const scanPromise = scanOneJavaProject(dir, files, rootDir, mavenCache, cache);
+      const result = await withTimeout(scanPromise, STUCK_TIMEOUT_MS);
+      if (result.ok) {
+        results.push(result.value);
+      } else {
+        const relPath = path6.relative(rootDir, dir);
+        if (cache) cache.addStuckPath(relPath || ".");
+        console.error(`Timeout scanning Java project ${dir} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
+      }
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      console.error(`Error scanning Java project ${dir}: ${msg}`);
+    }
+  }
+  const projectPathMap = /* @__PURE__ */ new Map();
+  for (const p of results) {
+    projectPathMap.set(p.name, p.path);
+  }
+  return results;
+}
+async function findJavaManifests(rootDir) {
+  const { findFiles: findFiles2 } = await import("./fs-Q63DRR7L.js");
+  return findFiles2(rootDir, (name) => JAVA_MANIFEST_FILES.has(name));
+}
+async function scanOneJavaProject(dir, manifestFiles, rootDir, mavenCache, cache) {
+  const relDir = path6.relative(rootDir, dir) || ".";
+  let projectName = path6.basename(dir === rootDir ? rootDir : dir);
+  let javaVersion;
+  const allDeps = /* @__PURE__ */ new Map();
+  const projectReferences = [];
+  for (const f of manifestFiles) {
+    const fileName = path6.basename(f);
+    const content = cache ? await cache.readTextFile(f) : await readTextFile(f);
+    if (fileName === "pom.xml") {
+      const pom = parsePom(content, f);
+      if (pom.artifactId) projectName = pom.artifactId;
+      if (pom.javaVersion) javaVersion = pom.javaVersion;
+      for (const dep of pom.dependencies) {
+        const key = `${dep.groupId}:${dep.artifactId}`;
+        if (!allDeps.has(key) && dep.version && !dep.version.includes("${")) {
+          allDeps.set(key, dep);
+        }
+      }
+      for (const mod of pom.modules) {
+        projectReferences.push({
+          path: path6.join(relDir, mod),
+          name: mod,
+          refType: "project"
+        });
+      }
+    } else if (fileName === "build.gradle" || fileName === "build.gradle.kts") {
+      const gradle = parseGradleBuild(content, f);
+      if (gradle.projectName) projectName = gradle.projectName;
+      if (gradle.javaVersion) javaVersion = gradle.javaVersion;
+      for (const dep of gradle.dependencies) {
+        const key = `${dep.groupId}:${dep.artifactId}`;
+        if (!allDeps.has(key) && dep.version) {
+          allDeps.set(key, dep);
+        }
+      }
+    }
+  }
+  let runtimeMajorsBehind;
+  let runtimeLatest;
+  if (javaVersion) {
+    const jvMatch = javaVersion.match(/^(1\.)?(\d+)/);
+    if (jvMatch) {
+      const major5 = jvMatch[1] ? parseInt(jvMatch[2], 10) : parseInt(jvMatch[2], 10);
+      runtimeMajorsBehind = Math.max(0, LATEST_JAVA_LTS - major5);
+      runtimeLatest = String(LATEST_JAVA_LTS);
+    }
+  }
+  const dependencies = [];
+  const frameworks = [];
+  const buckets = { current: 0, oneBehind: 0, twoPlusBehind: 0, unknown: 0 };
+  const depEntries = [...allDeps.entries()];
+  const metaPromises = depEntries.map(async ([key, dep]) => {
+    const meta = await mavenCache.get(dep.groupId, dep.artifactId);
+    return { key, dep, meta };
+  });
+  const resolved = await Promise.all(metaPromises);
+  for (const { key, dep, meta } of resolved) {
+    const resolvedVersion = mavenToSemver(dep.version);
+    const latestStable = meta.latestStableOverall;
+    let majorsBehind = null;
+    let drift = "unknown";
+    if (resolvedVersion && latestStable) {
+      const currentMajor = semver5.major(resolvedVersion);
+      const latestMajor = semver5.major(latestStable);
+      majorsBehind = latestMajor - currentMajor;
+      if (majorsBehind === 0) {
+        drift = semver5.eq(resolvedVersion, latestStable) ? "current" : "minor-behind";
+      } else if (majorsBehind > 0) {
+        drift = "major-behind";
+      } else {
+        drift = "current";
+      }
+      if (majorsBehind <= 0) buckets.current++;
+      else if (majorsBehind === 1) buckets.oneBehind++;
+      else buckets.twoPlusBehind++;
+    } else {
+      buckets.unknown++;
+    }
+    dependencies.push({
+      package: key,
+      section: "dependencies",
+      currentSpec: dep.version,
+      resolvedVersion,
+      latestStable,
+      majorsBehind,
+      drift
+    });
+    if (key in KNOWN_JAVA_FRAMEWORKS) {
+      frameworks.push({
+        name: KNOWN_JAVA_FRAMEWORKS[key],
+        currentVersion: resolvedVersion,
+        latestVersion: latestStable,
+        majorsBehind
+      });
+    }
+  }
+  dependencies.sort((a, b) => {
+    const order = { "major-behind": 0, "minor-behind": 1, "current": 2, "unknown": 3 };
+    const diff = (order[a.drift] ?? 9) - (order[b.drift] ?? 9);
+    if (diff !== 0) return diff;
+    return a.package.localeCompare(b.package);
+  });
+  let fileCount;
+  try {
+    fileCount = await countFilesInDir(dir);
+  } catch {
+  }
+  return {
+    type: "java",
+    path: relDir,
+    name: projectName,
+    runtime: javaVersion ? `Java ${javaVersion}` : void 0,
+    runtimeLatest: String(LATEST_JAVA_LTS),
+    runtimeMajorsBehind,
+    targetFramework: javaVersion ? `Java ${javaVersion}` : void 0,
+    frameworks,
+    dependencies,
+    dependencyAgeBuckets: buckets,
+    projectReferences: projectReferences.length > 0 ? projectReferences : void 0,
+    fileCount
+  };
+}
+
+// src/scanners/nuget-cache.ts
+import * as semver6 from "semver";
+var NuGetCache = class {
+  constructor(sem) {
+    this.sem = sem;
+  }
+  meta = /* @__PURE__ */ new Map();
+  baseUrl = "https://api.nuget.org/v3-flatcontainer";
+  get(pkg2) {
+    const existing = this.meta.get(pkg2);
+    if (existing) return existing;
+    const p = this.sem.run(async () => {
+      try {
+        const url = `${this.baseUrl}/${pkg2.toLowerCase()}/index.json`;
+        const response = await fetch(url, {
+          signal: AbortSignal.timeout(1e4),
+          headers: { "Accept": "application/json" }
+        });
+        if (!response.ok) {
+          return { latest: null, stableVersions: [], latestStableOverall: null };
+        }
+        const data = await response.json();
+        const allVersions = data.versions ?? [];
+        const stableVersions = allVersions.filter((v) => {
+          const parsed = semver6.valid(v);
+          return parsed && semver6.prerelease(v) === null;
+        });
+        const sorted = [...stableVersions].sort(semver6.rcompare);
+        const latestStableOverall = sorted[0] ?? null;
+        return {
+          latest: latestStableOverall,
+          stableVersions,
+          latestStableOverall
+        };
+      } catch {
+        return { latest: null, stableVersions: [], latestStableOverall: null };
+      }
+    });
+    this.meta.set(pkg2, p);
+    return p;
+  }
+};
+
+// src/scanners/pypi-cache.ts
+import * as semver7 from "semver";
+function pep440ToSemver2(ver) {
+  let v = ver.replace(/^[vV]/, "").trim();
+  if (/(?:a|b|rc|alpha|beta|dev|post)\d*/i.test(v)) return null;
+  const parts = v.split(".");
+  while (parts.length < 3) parts.push("0");
+  v = parts.slice(0, 3).join(".");
+  return semver7.valid(v);
+}
+var PyPICache = class {
+  constructor(sem) {
+    this.sem = sem;
+  }
+  meta = /* @__PURE__ */ new Map();
+  get(pkg2) {
+    const existing = this.meta.get(pkg2);
+    if (existing) return existing;
+    const p = this.sem.run(async () => {
+      try {
+        const url = `https://pypi.org/pypi/${encodeURIComponent(pkg2)}/json`;
+        const response = await fetch(url, {
+          signal: AbortSignal.timeout(1e4),
+          headers: { "Accept": "application/json" }
+        });
+        if (!response.ok) {
+          return { latest: null, stableVersions: [], latestStableOverall: null };
+        }
+        const data = await response.json();
+        const allVersionKeys = Object.keys(data.releases ?? {});
+        const stableVersions = [];
+        for (const ver of allVersionKeys) {
+          const sv = pep440ToSemver2(ver);
+          if (sv) stableVersions.push(sv);
+        }
+        const pypiLatest = data.info?.version ?? null;
+        const pypiLatestSemver = pypiLatest ? pep440ToSemver2(pypiLatest) : null;
+        const sorted = [...stableVersions].sort(semver7.rcompare);
+        const latestStableOverall = sorted[0] ?? pypiLatestSemver ?? null;
+        return {
+          latest: pypiLatestSemver ?? latestStableOverall,
+          stableVersions,
+          latestStableOverall
+        };
+      } catch {
+        return { latest: null, stableVersions: [], latestStableOverall: null };
+      }
+    });
+    this.meta.set(pkg2, p);
+    return p;
+  }
+};
+
+// src/scanners/maven-cache.ts
+import * as semver8 from "semver";
+function mavenToSemver2(ver) {
+  let v = ver.trim();
+  if (/(?:-SNAPSHOT|-alpha|-beta|-rc|-M\d|-CR\d)/i.test(v)) return null;
+  v = v.replace(/\.(?:RELEASE|Final|GA)$/i, "");
+  const parts = v.split(".");
+  while (parts.length < 3) parts.push("0");
+  v = parts.slice(0, 3).join(".");
+  return semver8.valid(v);
+}
+var MavenCache = class {
+  constructor(sem) {
+    this.sem = sem;
+  }
+  meta = /* @__PURE__ */ new Map();
+  /**
+   * Get metadata for a Maven artifact.
+   * @param groupId Maven group ID (e.g. "org.springframework.boot")
+   * @param artifactId Maven artifact ID (e.g. "spring-boot-starter-web")
+   */
+  get(groupId, artifactId) {
+    const key = `${groupId}:${artifactId}`;
+    const existing = this.meta.get(key);
+    if (existing) return existing;
+    const p = this.sem.run(async () => {
+      try {
+        const url = `https://search.maven.org/solrsearch/select?q=g:%22${encodeURIComponent(groupId)}%22+AND+a:%22${encodeURIComponent(artifactId)}%22&core=gav&rows=100&wt=json`;
+        const response = await fetch(url, {
+          signal: AbortSignal.timeout(1e4),
+          headers: { "Accept": "application/json" }
+        });
+        if (!response.ok) {
+          return { latest: null, stableVersions: [], latestStableOverall: null };
+        }
+        const data = await response.json();
+        const docs = data.response?.docs ?? [];
+        const allVersions = docs.map((d) => d.v).filter((v) => typeof v === "string");
+        const stableVersions = [];
+        for (const ver of allVersions) {
+          const sv = mavenToSemver2(ver);
+          if (sv) stableVersions.push(sv);
+        }
+        const sorted = [...stableVersions].sort(semver8.rcompare);
+        const latestStableOverall = sorted[0] ?? null;
+        return {
+          latest: latestStableOverall,
+          stableVersions,
+          latestStableOverall
+        };
+      } catch {
+        return { latest: null, stableVersions: [], latestStableOverall: null };
+      }
+    });
+    this.meta.set(key, p);
+    return p;
+  }
+};
+
 // src/config.ts
 import * as path7 from "path";
-import * as fs2 from "fs/promises";
+import * as fs from "fs/promises";
 var CONFIG_FILES = [
   "vibgrate.config.ts",
   "vibgrate.config.js",
@@ -2469,7 +2946,7 @@ const config: VibgrateConfig = {
 
 export default config;
 `;
-  await fs2.writeFile(configPath, content, "utf8");
+  await fs.writeFile(configPath, content, "utf8");
   return configPath;
 }
 async function appendExcludePatterns(rootDir, newPatterns) {
@@ -2482,7 +2959,7 @@ async function appendExcludePatterns(rootDir, newPatterns) {
       const existing2 = Array.isArray(cfg.exclude) ? cfg.exclude : [];
       const merged2 = [.../* @__PURE__ */ new Set([...existing2, ...newPatterns])];
       cfg.exclude = merged2;
-      await fs2.writeFile(jsonPath, JSON.stringify(cfg, null, 2) + "\n", "utf8");
+      await fs.writeFile(jsonPath, JSON.stringify(cfg, null, 2) + "\n", "utf8");
       return true;
     } catch {
     }
@@ -2500,8 +2977,8 @@ async function appendExcludePatterns(rootDir, newPatterns) {
   }
   const merged = [.../* @__PURE__ */ new Set([...existing, ...newPatterns])];
   try {
-    await fs2.mkdir(vibgrateDir, { recursive: true });
-    await fs2.writeFile(sidecarPath, JSON.stringify(merged, null, 2) + "\n", "utf8");
+    await fs.mkdir(vibgrateDir, { recursive: true });
+    await fs.writeFile(sidecarPath, JSON.stringify(merged, null, 2) + "\n", "utf8");
     return true;
   } catch {
     return false;
@@ -2510,7 +2987,7 @@ async function appendExcludePatterns(rootDir, newPatterns) {
 
 // src/utils/vcs.ts
 import * as path8 from "path";
-import * as fs3 from "fs/promises";
+import * as fs2 from "fs/promises";
 async function detectVcs(rootDir) {
   try {
     return await detectGit(rootDir);
@@ -2526,7 +3003,7 @@ async function detectGit(rootDir) {
   const headPath = path8.join(gitDir, "HEAD");
   let headContent;
   try {
-    headContent = (await fs3.readFile(headPath, "utf8")).trim();
+    headContent = (await fs2.readFile(headPath, "utf8")).trim();
   } catch {
     return { type: "unknown" };
   }
@@ -2552,12 +3029,12 @@ async function findGitDir(startDir) {
   while (dir !== root) {
     const gitPath = path8.join(dir, ".git");
     try {
-      const stat4 = await fs3.stat(gitPath);
-      if (stat4.isDirectory()) {
+      const stat3 = await fs2.stat(gitPath);
+      if (stat3.isDirectory()) {
         return gitPath;
       }
-      if (stat4.isFile()) {
-        const content = (await fs3.readFile(gitPath, "utf8")).trim();
+      if (stat3.isFile()) {
+        const content = (await fs2.readFile(gitPath, "utf8")).trim();
         if (content.startsWith("gitdir: ")) {
           const resolved = path8.resolve(dir, content.slice(8));
           return resolved;
@@ -2572,7 +3049,7 @@ async function findGitDir(startDir) {
 async function resolveRef(gitDir, refPath) {
   const loosePath = path8.join(gitDir, refPath);
   try {
-    const sha = (await fs3.readFile(loosePath, "utf8")).trim();
+    const sha = (await fs2.readFile(loosePath, "utf8")).trim();
     if (/^[0-9a-f]{40}$/i.test(sha)) {
       return sha;
     }
@@ -2580,7 +3057,7 @@ async function resolveRef(gitDir, refPath) {
   }
   const packedPath = path8.join(gitDir, "packed-refs");
   try {
-    const packed = await fs3.readFile(packedPath, "utf8");
+    const packed = await fs2.readFile(packedPath, "utf8");
     for (const line of packed.split("\n")) {
       if (line.startsWith("#") || line.startsWith("^")) continue;
       const parts = line.trim().split(" ");
@@ -2974,14 +3451,14 @@ var ScanProgress = class {
 };
 
 // src/ui/scan-history.ts
-import * as fs4 from "fs/promises";
+import * as fs3 from "fs/promises";
 import * as path9 from "path";
 var HISTORY_FILENAME = "scan_history.json";
 var MAX_RECORDS = 10;
 async function loadScanHistory(rootDir) {
   const filePath = path9.join(rootDir, ".vibgrate", HISTORY_FILENAME);
   try {
-    const txt = await fs4.readFile(filePath, "utf8");
+    const txt = await fs3.readFile(filePath, "utf8");
     const data = JSON.parse(txt);
     if (data.version === 1 && Array.isArray(data.records)) {
       return data;
@@ -3006,8 +3483,8 @@ async function saveScanHistory(rootDir, record) {
     history = { version: 1, records: [record] };
   }
   try {
-    await fs4.mkdir(dir, { recursive: true });
-    await fs4.writeFile(filePath, JSON.stringify(history, null, 2) + "\n", "utf8");
+    await fs3.mkdir(dir, { recursive: true });
+    await fs3.writeFile(filePath, JSON.stringify(history, null, 2) + "\n", "utf8");
   } catch {
   }
 }
@@ -4407,9 +4884,9 @@ function scanBreakingChangeExposure(projects) {
 }
 
 // src/scanners/file-hotspots.ts
-import * as fs5 from "fs/promises";
+import * as fs4 from "fs/promises";
 import * as path14 from "path";
-var SKIP_DIRS2 = /* @__PURE__ */ new Set([
+var SKIP_DIRS = /* @__PURE__ */ new Set([
   "node_modules",
   ".git",
   ".wrangler",
@@ -4428,7 +4905,7 @@ var SKIP_DIRS2 = /* @__PURE__ */ new Set([
   ".output",
   ".svelte-kit"
 ]);
-var SKIP_EXTENSIONS2 = /* @__PURE__ */ new Set([
+var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
   ".map",
   ".lock",
   ".png",
@@ -4454,15 +4931,15 @@ async function scanFileHotspots(rootDir, cache) {
     for (const entry of entries) {
       if (!entry.isFile) continue;
       const ext = path14.extname(entry.name).toLowerCase();
-      if (SKIP_EXTENSIONS2.has(ext)) continue;
+      if (SKIP_EXTENSIONS.has(ext)) continue;
       const depth = entry.relPath.split(path14.sep).length - 1;
       if (depth > maxDepth) maxDepth = depth;
       extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
       try {
-        const stat4 = await fs5.stat(entry.absPath);
+        const stat3 = await fs4.stat(entry.absPath);
         allFiles.push({
           path: entry.relPath,
-          bytes: stat4.size
+          bytes: stat3.size
         });
       } catch {
       }
@@ -4472,7 +4949,7 @@ async function scanFileHotspots(rootDir, cache) {
       if (depth > maxDepth) maxDepth = depth;
       let entries;
       try {
-        const dirents = await fs5.readdir(dir, { withFileTypes: true });
+        const dirents = await fs4.readdir(dir, { withFileTypes: true });
         entries = dirents.map((d) => ({
           name: d.name,
           isDirectory: d.isDirectory(),
@@ -4483,17 +4960,17 @@ async function scanFileHotspots(rootDir, cache) {
       }
       for (const e of entries) {
         if (e.isDirectory) {
-          if (SKIP_DIRS2.has(e.name)) continue;
+          if (SKIP_DIRS.has(e.name)) continue;
           await walk(path14.join(dir, e.name), depth + 1);
         } else if (e.isFile) {
           const ext = path14.extname(e.name).toLowerCase();
-          if (SKIP_EXTENSIONS2.has(ext)) continue;
+          if (SKIP_EXTENSIONS.has(ext)) continue;
           extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
           try {
-            const stat4 = await fs5.stat(path14.join(dir, e.name));
+            const stat3 = await fs4.stat(path14.join(dir, e.name));
             allFiles.push({
               path: path14.relative(rootDir, path14.join(dir, e.name)),
-              bytes: stat4.size
+              bytes: stat3.size
             });
           } catch {
           }
@@ -4583,7 +5060,7 @@ var SECRET_HEURISTICS = [
   { detector: "private-key", pattern: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
   { detector: "slack-token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g }
 ];
-var defaultRunner = (command, args) => new Promise((resolve9, reject) => {
+var defaultRunner = (command, args) => new Promise((resolve8, reject) => {
   const child = spawn2(command, args, { stdio: ["ignore", "pipe", "pipe"] });
   let stdout = "";
   let stderr = "";
@@ -4595,7 +5072,7 @@ var defaultRunner = (command, args) => new Promise((resolve9, reject) => {
   });
   child.on("error", reject);
   child.on("close", (code) => {
-    resolve9({ stdout, stderr, exitCode: code ?? 1 });
+    resolve8({ stdout, stderr, exitCode: code ?? 1 });
   });
 });
 function compareSemver(a, b) {
@@ -5116,7 +5593,7 @@ function scanServiceDependencies(projects) {
 
 // src/scanners/architecture.ts
 import * as path17 from "path";
-import * as fs6 from "fs/promises";
+import * as fs5 from "fs/promises";
 var ARCHETYPE_SIGNALS = [
   // Meta-frameworks (highest priority — they imply routing patterns)
   { packages: ["next", "@next/core"], archetype: "nextjs", weight: 10 },
@@ -5424,7 +5901,7 @@ async function walkSourceFiles(rootDir, cache) {
   async function walk(dir) {
     let entries;
     try {
-      entries = await fs6.readdir(dir, { withFileTypes: true });
+      entries = await fs5.readdir(dir, { withFileTypes: true });
     } catch {
       return;
     }
@@ -5905,7 +6382,7 @@ var DEFAULT_EXTENSIONS = /* @__PURE__ */ new Set([
   ".env"
 ]);
 async function runSemgrep(args, cwd, stdin) {
-  return new Promise((resolve9, reject) => {
+  return new Promise((resolve8, reject) => {
     const child = spawn3("semgrep", args, {
       cwd,
       shell: true,
@@ -5921,7 +6398,7 @@ async function runSemgrep(args, cwd, stdin) {
     });
     child.on("error", reject);
     child.on("close", (code) => {
-      resolve9({ code: code ?? 1, stdout, stderr });
+      resolve8({ code: code ?? 1, stdout, stderr });
     });
     if (stdin !== void 0) child.stdin.write(stdin);
     child.stdin.end();
@@ -6061,7 +6538,7 @@ var SECURITY_TOOLS = [
 ];
 var IS_WIN = process.platform === "win32";
 function runCommand(cmd, args) {
-  return new Promise((resolve9) => {
+  return new Promise((resolve8) => {
     const child = spawn4(cmd, args, {
       stdio: ["ignore", "pipe", "pipe"],
       shell: IS_WIN
@@ -6075,8 +6552,8 @@ function runCommand(cmd, args) {
     child.stderr.on("data", (d) => {
       stderr += d.toString();
     });
-    child.on("error", () => resolve9({ exitCode: 127, stdout, stderr }));
-    child.on("close", (code) => resolve9({ exitCode: code ?? 1, stdout, stderr }));
+    child.on("error", () => resolve8({ exitCode: 127, stdout, stderr }));
+    child.on("close", (code) => resolve8({ exitCode: code ?? 1, stdout, stderr }));
   });
 }
 async function commandExists(command) {
@@ -6149,6 +6626,9 @@ async function runScan(rootDir, opts) {
   const config = await loadConfig(rootDir);
   const sem = new Semaphore(opts.concurrency);
   const npmCache = new NpmCache(rootDir, sem);
+  const nugetCache = new NuGetCache(sem);
+  const pypiCache = new PyPICache(sem);
+  const mavenCache = new MavenCache(sem);
   const fileCache = new FileCache();
   const excludePatterns = config.exclude ?? [];
   fileCache.setExcludePatterns(excludePatterns);
@@ -6163,6 +6643,8 @@ async function runScan(rootDir, opts) {
     { id: "walk", label: "Indexing files", weight: 8 },
     { id: "node", label: "Scanning Node projects", weight: 4 },
     { id: "dotnet", label: "Scanning .NET projects", weight: 2 },
+    { id: "python", label: "Scanning Python projects", weight: 3 },
+    { id: "java", label: "Scanning Java projects", weight: 3 },
     ...scanners !== false ? [
       ...scanners?.platformMatrix?.enabled !== false ? [{ id: "platform", label: "Platform matrix" }] : [],
       ...scanners?.toolingInventory?.enabled !== false ? [{ id: "tooling", label: "Tooling inventory" }] : [],
@@ -6232,7 +6714,7 @@ async function runScan(rootDir, opts) {
   progress.addProjects(nodeProjects.length);
   progress.completeStep("node", `${nodeProjects.length} project${nodeProjects.length !== 1 ? "s" : ""}`, nodeProjects.length);
   progress.startStep("dotnet");
-  const dotnetProjects = await scanDotnetProjects(rootDir, fileCache);
+  const dotnetProjects = await scanDotnetProjects(rootDir, nugetCache, fileCache);
   for (const p of dotnetProjects) {
     progress.addDependencies(p.dependencies.length);
     progress.addFrameworks(p.frameworks.length);
@@ -6240,7 +6722,25 @@ async function runScan(rootDir, opts) {
   filesScanned += dotnetProjects.length;
   progress.addProjects(dotnetProjects.length);
   progress.completeStep("dotnet", `${dotnetProjects.length} project${dotnetProjects.length !== 1 ? "s" : ""}`, dotnetProjects.length);
-  const allProjects = [...nodeProjects, ...dotnetProjects];
+  progress.startStep("python");
+  const pythonProjects = await scanPythonProjects(rootDir, pypiCache, fileCache);
+  for (const p of pythonProjects) {
+    progress.addDependencies(p.dependencies.length);
+    progress.addFrameworks(p.frameworks.length);
+  }
+  filesScanned += pythonProjects.length;
+  progress.addProjects(pythonProjects.length);
+  progress.completeStep("python", `${pythonProjects.length} project${pythonProjects.length !== 1 ? "s" : ""}`, pythonProjects.length);
+  progress.startStep("java");
+  const javaProjects = await scanJavaProjects(rootDir, mavenCache, fileCache);
+  for (const p of javaProjects) {
+    progress.addDependencies(p.dependencies.length);
+    progress.addFrameworks(p.frameworks.length);
+  }
+  filesScanned += javaProjects.length;
+  progress.addProjects(javaProjects.length);
+  progress.completeStep("java", `${javaProjects.length} project${javaProjects.length !== 1 ? "s" : ""}`, javaProjects.length);
+  const allProjects = [...nodeProjects, ...dotnetProjects, ...pythonProjects, ...javaProjects];
   const dsn = opts.dsn || process.env.VIBGRATE_DSN;
   const parsedDsn = dsn ? parseDsn(dsn) : null;
   const workspaceId = parsedDsn?.workspaceId;
@@ -6686,10 +7186,6 @@ Failing: findings detected at warn level or above.`));
 });
 
 export {
-  readJsonFile,
-  pathExists,
-  ensureDir,
-  writeJsonFile,
   writeDefaultConfig,
   computeDriftScore,
   generateFindings,