npm - @vibgrate/cli - Versions diffs - 1.0.44 → 1.0.46 - Mend

@vibgrate/cli 1.0.44 → 1.0.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/DOCS.md +202 -89
package/README.md +150 -209
package/dist/{baseline-FDWMBM2O.js → baseline-AWRL3ITR.js} +2 -2
package/dist/{chunk-YFJC5JSQ.js → chunk-HEILEAVO.js} +442 -127
package/dist/{chunk-GN3IWKSY.js → chunk-PTMLMDZU.js} +20 -0
package/dist/{chunk-LO66M6OC.js → chunk-SKROLJET.js} +1 -1
package/dist/cli.js +190 -10
package/dist/index.d.ts +32 -0
package/dist/index.js +2 -2
package/package.json +1 -1

package/dist/{chunk-YFJC5JSQ.js → chunk-HEILEAVO.js} RENAMED Viewed

@@ -315,6 +315,15 @@ function formatText(artifact) {
   if (artifact.extended?.architecture) {
     lines.push(...formatArchitectureDiagram(artifact.extended.architecture));
   }
+  if (artifact.relationshipDiagram?.mermaid) {
+    lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+    lines.push(chalk.bold.cyan("\u2551      Project Relationship Diagram        \u2551"));
+    lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+    lines.push("");
+    lines.push(chalk.bold("  Mermaid"));
+    lines.push(chalk.dim(artifact.relationshipDiagram.mermaid));
+    lines.push("");
+  }
   const scoreColor = artifact.drift.score >= 70 ? chalk.green : artifact.drift.score >= 40 ? chalk.yellow : chalk.red;
   lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
   lines.push(chalk.bold.cyan("\u2551        Drift Score Summary               \u2551"));
@@ -469,6 +478,26 @@ function formatExtended(ext) {
       lines.push("");
     }
   }
+  if (ext.uiPurpose) {
+    const up = ext.uiPurpose;
+    lines.push(chalk.bold.underline("  Product Purpose Signals"));
+    lines.push(`    Frameworks: ${up.detectedFrameworks.length > 0 ? up.detectedFrameworks.join(", ") : chalk.dim("unknown")}`);
+    lines.push(`    Evidence: ${up.topEvidence.length}${up.capped ? chalk.dim(` of ${up.evidenceCount} (capped)`) : ""}`);
+    const top = up.topEvidence.slice(0, 8);
+    if (top.length > 0) {
+      lines.push("    Top Signals:");
+      for (const item of top) {
+        lines.push(`      - [${item.kind}] ${item.value} ${chalk.dim(`(${item.file})`)}`);
+      }
+    }
+    if (up.unknownSignals.length > 0) {
+      lines.push("    Unknowns:");
+      for (const u of up.unknownSignals.slice(0, 4)) {
+        lines.push(`      - ${chalk.yellow(u)}`);
+      }
+    }
+    lines.push("");
+  }
   if (ext.owaspCategoryMapping) {
     const ow = ext.owaspCategoryMapping;
     lines.push(chalk.bold.underline("  OWASP Category Mapping"));
@@ -565,125 +594,22 @@ function formatExtended(ext) {
   }
   return lines;
 }
-var LAYER_LABELS = {
-  "presentation": "Presentation",
-  "routing": "Routing",
-  "middleware": "Middleware",
-  "services": "Services",
-  "domain": "Domain",
-  "data-access": "Data Access",
-  "infrastructure": "Infrastructure",
-  "config": "Config",
-  "shared": "Shared",
-  "testing": "Testing"
-};
-var LAYER_ICONS = {
-  "presentation": "\u{1F5A5}",
-  "routing": "\u{1F500}",
-  "middleware": "\u{1F517}",
-  "services": "\u2699",
-  "domain": "\u{1F48E}",
-  "data-access": "\u{1F5C4}",
-  "infrastructure": "\u{1F3D7}",
-  "config": "\u2699",
-  "shared": "\u{1F4E6}",
-  "testing": "\u{1F9EA}"
-};
 function formatArchitectureDiagram(arch) {
   const lines = [];
   lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
   lines.push(chalk.bold.cyan("\u2551        Architecture Layers               \u2551"));
   lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
   lines.push("");
-  const archetypeDisplay = arch.archetype === "unknown" ? "Unknown" : arch.archetype;
-  const confPct = Math.round(arch.archetypeConfidence * 100);
-  lines.push(chalk.bold("  Archetype: ") + chalk.cyan.bold(archetypeDisplay) + chalk.dim(` (${confPct}% confidence)`));
-  lines.push(chalk.dim(`  ${arch.totalClassified} files classified \xB7 ${arch.unclassified} unclassified`));
+  lines.push(chalk.bold("  Archetype: ") + `${arch.archetype}` + chalk.dim(` (${Math.round(arch.archetypeConfidence * 100)}% confidence)`));
+  lines.push(`  Files classified: ${arch.totalClassified}` + (arch.unclassified > 0 ? chalk.dim(` (${arch.unclassified} unclassified)`) : ""));
   lines.push("");
-  const boxWidth = 44;
-  const visibleLayers = arch.layers.filter((l) => l.fileCount > 0 || l.techStack.length > 0 || l.services.length > 0);
-  if (visibleLayers.length === 0) {
-    lines.push(chalk.dim("  No layers detected"));
-    lines.push("");
-    return lines;
-  }
-  for (let i = 0; i < visibleLayers.length; i++) {
-    const layer = visibleLayers[i];
-    const icon = LAYER_ICONS[layer.layer] ?? "\xB7";
-    const label = LAYER_LABELS[layer.layer] ?? layer.layer;
-    const hasScore = layer.packages.length > 0;
-    const ds = layer.driftScore;
-    const scoreColor = !hasScore ? chalk.dim : ds >= 70 ? chalk.green : ds >= 40 ? chalk.yellow : chalk.red;
-    const riskBadgeStr = layer.riskLevel === "low" ? chalk.bgGreen.black(" LOW ") : layer.riskLevel === "moderate" ? chalk.bgYellow.black(" MOD ") : chalk.bgRed.white(" HIGH ");
-    if (i === 0) {
-      lines.push(chalk.cyan(`  \u250C${"\u2500".repeat(boxWidth)}\u2510`));
-    }
-    const nameStr = `${icon}  ${label}`;
-    const scoreStr = hasScore ? `${layer.driftScore}/100` : "n/a";
-    const fileSuffix = `${layer.fileCount} file${layer.fileCount !== 1 ? "s" : ""}`;
-    const leftContent = `  ${nameStr}`;
-    const rightContent = `${fileSuffix}  ${scoreStr}  `;
-    const leftLen = nameStr.length + 2;
-    const rightLen = rightContent.length;
-    const padLen = Math.max(1, boxWidth - leftLen - rightLen);
-    lines.push(
-      chalk.cyan("  \u2502") + `  ${icon}  ${chalk.bold(label)}` + " ".repeat(padLen) + chalk.dim(fileSuffix) + "  " + scoreColor.bold(scoreStr) + "  " + chalk.cyan("\u2502")
-    );
-    const barWidth = boxWidth - 8;
-    if (hasScore) {
-      const filled = Math.round(layer.driftScore / 100 * barWidth);
-      const empty = barWidth - filled;
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + scoreColor("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty)) + "    " + chalk.cyan("\u2502")
-      );
-    } else {
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + chalk.dim("\xB7".repeat(barWidth)) + "    " + chalk.cyan("\u2502")
-      );
-    }
-    if (layer.techStack.length > 0) {
-      const techNames = layer.techStack.slice(0, 6).map((t) => t.name);
-      const moreCount = layer.techStack.length > 6 ? ` +${layer.techStack.length - 6}` : "";
-      const techLine = `Tech: ${techNames.join(", ")}${moreCount}`;
-      const truncated = techLine.length > boxWidth - 6 ? techLine.slice(0, boxWidth - 9) + "..." : techLine;
-      const techPad = Math.max(0, boxWidth - truncated.length - 4);
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + chalk.dim(truncated) + " ".repeat(techPad) + chalk.cyan("\u2502")
-      );
-    }
-    if (layer.services.length > 0) {
-      const svcNames = layer.services.slice(0, 5).map((s) => s.name);
-      const moreCount = layer.services.length > 5 ? ` +${layer.services.length - 5}` : "";
-      const svcLine = `Services: ${svcNames.join(", ")}${moreCount}`;
-      const truncated = svcLine.length > boxWidth - 6 ? svcLine.slice(0, boxWidth - 9) + "..." : svcLine;
-      const svcPad = Math.max(0, boxWidth - truncated.length - 4);
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + chalk.dim(truncated) + " ".repeat(svcPad) + chalk.cyan("\u2502")
-      );
-    }
-    const driftPkgs = layer.packages.filter((p) => p.majorsBehind !== null && p.majorsBehind > 0);
-    if (driftPkgs.length > 0) {
-      const worst = driftPkgs.sort((a, b) => (b.majorsBehind ?? 0) - (a.majorsBehind ?? 0));
-      const shown = worst.slice(0, 3);
-      const pkgStrs = shown.map((p) => {
-        const color = (p.majorsBehind ?? 0) >= 2 ? chalk.red : chalk.yellow;
-        return color(`${p.name} -${p.majorsBehind}`);
-      });
-      const moreCount = worst.length > 3 ? chalk.dim(` +${worst.length - 3}`) : "";
-      const pkgLine = pkgStrs.join(chalk.dim(", ")) + moreCount;
-      const roughLen = shown.map((p) => `${p.name} -${p.majorsBehind}`).join(", ").length + (worst.length > 3 ? ` +${worst.length - 3}`.length : 0);
-      const pkgPad = Math.max(0, boxWidth - roughLen - 4);
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + pkgLine + " ".repeat(pkgPad) + chalk.cyan("\u2502")
-      );
-    }
-    if (i < visibleLayers.length - 1) {
-      lines.push(chalk.cyan(`  \u251C${"\u2500".repeat(boxWidth)}\u2524`));
-    } else {
-      lines.push(chalk.cyan(`  \u2514${"\u2500".repeat(boxWidth)}\u2518`));
+  if (arch.layers.length > 0) {
+    for (const layer of arch.layers) {
+      const risk = layer.riskLevel === "low" ? chalk.green("low") : layer.riskLevel === "moderate" ? chalk.yellow("moderate") : chalk.red("high");
+      lines.push(`    ${chalk.bold(layer.layer)}  ${layer.fileCount} file${layer.fileCount !== 1 ? "s" : ""}  drift ${scoreBar(layer.driftScore)}  risk ${risk}`);
     }
+    lines.push("");
   }
-  lines.push("");
   return lines;
 }
 function generatePriorityActions(artifact) {
@@ -1169,8 +1095,8 @@ import * as semver2 from "semver";
 // src/utils/timeout.ts
 async function withTimeout(promise, ms) {
   let timer;
-  const timeout = new Promise((resolve8) => {
-    timer = setTimeout(() => resolve8({ ok: false }), ms);
+  const timeout = new Promise((resolve9) => {
+    timer = setTimeout(() => resolve9({ ok: false }), ms);
   });
   try {
     const result = await Promise.race([
@@ -1195,7 +1121,7 @@ function maxStable(versions) {
   return stable.sort(semver.rcompare)[0] ?? null;
 }
 async function npmViewJson(args, cwd) {
-  return new Promise((resolve8, reject) => {
+  return new Promise((resolve9, reject) => {
     const child = spawn("npm", ["view", ...args, "--json"], {
       cwd,
       shell: true,
@@ -1213,13 +1139,13 @@ async function npmViewJson(args, cwd) {
       }
       const trimmed = out.trim();
       if (!trimmed) {
-        resolve8(null);
+        resolve9(null);
         return;
       }
       try {
-        resolve8(JSON.parse(trimmed));
+        resolve9(JSON.parse(trimmed));
       } catch {
-        resolve8(trimmed.replace(/^"|"$/g, ""));
+        resolve9(trimmed.replace(/^"|"$/g, ""));
       }
     });
   });
@@ -5060,7 +4986,7 @@ var SECRET_HEURISTICS = [
   { detector: "private-key", pattern: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
   { detector: "slack-token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g }
 ];
-var defaultRunner = (command, args) => new Promise((resolve8, reject) => {
+var defaultRunner = (command, args) => new Promise((resolve9, reject) => {
   const child = spawn2(command, args, { stdio: ["ignore", "pipe", "pipe"] });
   let stdout = "";
   let stderr = "";
@@ -5072,7 +4998,7 @@ var defaultRunner = (command, args) => new Promise((resolve8, reject) => {
   });
   child.on("error", reject);
   child.on("close", (code) => {
-    resolve8({ stdout, stderr, exitCode: code ?? 1 });
+    resolve9({ stdout, stderr, exitCode: code ?? 1 });
   });
 });
 function compareSemver(a, b) {
@@ -6022,6 +5948,56 @@ function mapToolingToLayers(tooling, services, depsByLayer) {
   }
   return { layerTooling, layerServices };
 }
+function generateLayerFlowMermaid(layers) {
+  const labels = {
+    presentation: "Presentation",
+    routing: "Routing",
+    middleware: "Middleware",
+    services: "Services",
+    domain: "Domain",
+    "data-access": "Data Access",
+    infrastructure: "Infrastructure",
+    config: "Config",
+    shared: "Shared",
+    testing: "Testing"
+  };
+  if (layers.length === 0) {
+    return 'flowchart TD\n  APP["Project"]';
+  }
+  const ordered = [...layers];
+  const lines = ["flowchart TD"];
+  for (let i = 0; i < ordered.length; i++) {
+    const layer = ordered[i];
+    lines.push(`  L${i}["${labels[layer]}"]`);
+    if (i > 0) lines.push(`  L${i - 1} --> L${i}`);
+  }
+  return lines.join("\n");
+}
+async function buildProjectArchitectureMermaid(rootDir, project, archetype, cache) {
+  const projectRoot = path17.resolve(rootDir, project.path || ".");
+  const allFiles = await walkSourceFiles(projectRoot, cache);
+  const layerSet = /* @__PURE__ */ new Set();
+  for (const rel of allFiles) {
+    const classification = classifyFile(rel, archetype);
+    if (classification) {
+      layerSet.add(classification.layer);
+    }
+  }
+  const layerOrder = [
+    "presentation",
+    "routing",
+    "middleware",
+    "services",
+    "domain",
+    "data-access",
+    "infrastructure",
+    "config",
+    "shared",
+    "testing"
+  ];
+  const orderedLayers = layerOrder.filter((l) => layerSet.has(l));
+  return generateLayerFlowMermaid(orderedLayers);
+}
 async function scanArchitecture(rootDir, projects, tooling, services, cache) {
   const { archetype, confidence: archetypeConfidence } = detectArchetype(projects);
   const sourceFiles = await walkSourceFiles(rootDir, cache);
@@ -6382,7 +6358,7 @@ var DEFAULT_EXTENSIONS = /* @__PURE__ */ new Set([
   ".env"
 ]);
 async function runSemgrep(args, cwd, stdin) {
-  return new Promise((resolve8, reject) => {
+  return new Promise((resolve9, reject) => {
     const child = spawn3("semgrep", args, {
       cwd,
       shell: true,
@@ -6398,7 +6374,7 @@ async function runSemgrep(args, cwd, stdin) {
     });
     child.on("error", reject);
     child.on("close", (code) => {
-      resolve8({ code: code ?? 1, stdout, stderr });
+      resolve9({ code: code ?? 1, stdout, stderr });
     });
     if (stdin !== void 0) child.stdin.write(stdin);
     child.stdin.end();
@@ -6528,6 +6504,221 @@ async function scanOwaspCategoryMapping(rootDir, cache, options = {}, runner = r
   };
 }
+// src/scanners/ui-purpose.ts
+var UI_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".tsx",
+  ".jsx",
+  ".ts",
+  ".js",
+  ".vue",
+  ".svelte",
+  ".html",
+  ".mdx",
+  ".json",
+  ".yml",
+  ".yaml"
+]);
+var HIGH_SIGNAL_DEPENDENCIES = /* @__PURE__ */ new Set([
+  "stripe",
+  "posthog-js",
+  "posthog-node",
+  "@sentry/node",
+  "@sentry/browser",
+  "@sentry/react",
+  "next-auth",
+  "firebase",
+  "auth0",
+  "@auth0/auth0-react",
+  "@supabase/supabase-js",
+  "supabase",
+  "clerk",
+  "@clerk/clerk-js"
+]);
+var GENERIC_LOW_SIGNAL = /* @__PURE__ */ new Set(["welcome", "home", "click here", "learn more", "submit", "cancel"]);
+async function scanUiPurpose(rootDir, fileCache, maxItems = 300) {
+  const entries = await fileCache.walkDir(rootDir);
+  const files = entries.filter((e) => e.isFile);
+  const packageJsonEntry = files.find((e) => e.relPath === "package.json");
+  let packageJson = {};
+  if (packageJsonEntry) {
+    try {
+      packageJson = JSON.parse(await fileCache.readTextFile(packageJsonEntry.absPath));
+    } catch {
+      packageJson = {};
+    }
+  }
+  const frameworks = detectFrameworks(packageJson);
+  const items = [];
+  for (const entry of files) {
+    const ext = extension(entry.relPath);
+    if (!UI_EXTENSIONS.has(ext)) continue;
+    if (!isLikelyUiPath(entry.relPath)) {
+      const routeHints2 = extractRouteHints(entry.relPath, frameworks);
+      if (routeHints2.length > 0) {
+        items.push(...routeHints2.map((r) => ({ ...r, file: entry.relPath })));
+      }
+      continue;
+    }
+    const routeHints = extractRouteHints(entry.relPath, frameworks);
+    if (routeHints.length > 0) {
+      items.push(...routeHints.map((r) => ({ ...r, file: entry.relPath })));
+    }
+    const src = await fileCache.readTextFile(entry.absPath);
+    if (!src || src.length > 512e3) continue;
+    const strings = extractUiStrings(src);
+    for (const text of strings) {
+      const kind = classifyString(text);
+      const weight = scoreString(kind, text);
+      items.push({ kind, value: text, file: entry.relPath, weight });
+    }
+    if (/(featureFlag|FEATURE_FLAG|launchDarkly|isFeatureEnabled|flags\.)/.test(src)) {
+      items.push({ kind: "feature_flag", value: `flags in ${entry.relPath}`, file: entry.relPath, weight: 2 });
+    }
+  }
+  const deps = getDependencies(packageJson);
+  for (const [name, version] of deps) {
+    if (HIGH_SIGNAL_DEPENDENCIES.has(name)) {
+      items.push({ kind: "dependency", value: `${name}@${version}`, file: "package.json", weight: 4 });
+    }
+  }
+  const deduped = dedupeByKindValue(items).sort((a, b) => b.weight - a.weight || a.value.localeCompare(b.value));
+  const cappedItems = deduped.slice(0, maxItems);
+  const unknownSignals = buildUnknowns(cappedItems);
+  return {
+    enabled: true,
+    detectedFrameworks: frameworks,
+    evidenceCount: deduped.length,
+    capped: deduped.length > cappedItems.length,
+    topEvidence: cappedItems,
+    unknownSignals
+  };
+}
+function extension(relPath) {
+  const i = relPath.lastIndexOf(".");
+  return i === -1 ? "" : relPath.slice(i).toLowerCase();
+}
+function isLikelyUiPath(relPath) {
+  const lower = relPath.toLowerCase();
+  return lower.startsWith("pages/") || lower.includes("/pages/") || lower.startsWith("app/") || lower.includes("/app/") || lower.startsWith("components/") || lower.includes("/components/") || lower.startsWith("ui/") || lower.includes("/ui/") || lower.startsWith("views/") || lower.includes("/views/") || lower.includes("/routes") || lower.startsWith("routes") || lower.includes("/router") || lower.startsWith("router") || lower.startsWith("locales/") || lower.includes("/locales/") || lower.startsWith("i18n/") || lower.includes("/i18n/") || lower.endsWith(".html") || lower.endsWith(".mdx");
+}
+function detectFrameworks(pkgJson) {
+  const deps = {
+    ...asRecord(pkgJson.dependencies),
+    ...asRecord(pkgJson.devDependencies)
+  };
+  const hits = [];
+  if (deps.next) hits.push("nextjs");
+  if (deps.nuxt || deps.nuxt3) hits.push("nuxt");
+  if (deps.react) hits.push("react");
+  if (deps.vue) hits.push("vue");
+  if (deps.svelte) hits.push("svelte");
+  if (deps["@angular/core"]) hits.push("angular");
+  return Array.from(new Set(hits));
+}
+function extractRouteHints(relPath, frameworks) {
+  const items = [];
+  if (frameworks.includes("nextjs")) {
+    const m = relPath.match(/^(?:src\/)?(pages|app)\/(.+)\.(tsx|jsx|ts|js)$/);
+    if (m) {
+      let route = "/" + m[2].replace(/(^|\/)page$/i, "").replace(/(^|\/)route$/i, "").replace(/index$/i, "").replace(/\[(?:\.\.\.)?(.+?)\]/g, ":$1").replace(/\/+/g, "/");
+      if (route !== "/" && route.endsWith("/")) route = route.slice(0, -1);
+      items.push({ kind: "route", value: route || "/", weight: 5 });
+    }
+  }
+  if (/(^|\/)(routes?|router)\.(ts|js|json)$/.test(relPath) || relPath.includes("/router/")) {
+    items.push({ kind: "route", value: `route config: ${relPath}`, weight: 3 });
+  }
+  return items;
+}
+function extractUiStrings(src) {
+  const out = [];
+  const textNodeRegex = />\s*([A-Za-z0-9][^<>]{2,120}?)\s*</g;
+  for (const m of src.matchAll(textNodeRegex)) {
+    const s = normaliseText(m[1] ?? "");
+    if (isUsefulString(s)) out.push(s);
+  }
+  const titleRegex = /<title>\s*([^<]{2,120})\s*<\/title>|title\s*[:=]\s*["'`](.{2,120}?)["'`]/g;
+  for (const m of src.matchAll(titleRegex)) {
+    const s = normaliseText((m[1] ?? m[2] ?? "").trim());
+    if (isUsefulString(s)) out.push(s);
+  }
+  const attrRegex = /(?:aria-label|label|placeholder|alt)\s*=\s*["'`](.{2,120}?)["'`]/g;
+  for (const m of src.matchAll(attrRegex)) {
+    const s = normaliseText(m[1] ?? "");
+    if (isUsefulString(s)) out.push(s);
+  }
+  const jsonValueRegex = /:\s*["'`](.{2,140}?)["'`]\s*[,\n]/g;
+  for (const m of src.matchAll(jsonValueRegex)) {
+    const s = normaliseText(m[1] ?? "");
+    if (isUsefulString(s)) out.push(s);
+  }
+  return out;
+}
+function classifyString(s) {
+  const lower = s.toLowerCase();
+  if (/(pricing|plan|billing|subscription|trial|credit)/.test(lower)) return "copy";
+  if (/(sign in|sign up|log in|register|invite|workspace|organization|sso|oauth)/.test(lower)) return "copy";
+  if (/(dashboard|reports|settings|integrations|users|roles|permissions)/.test(lower)) return "heading";
+  if (/(get started|start|scan|generate|export|run|deploy|upgrade|analy[sz]e)/.test(lower)) return "cta";
+  if (/(overview|features|about|documentation|docs)/.test(lower)) return "title";
+  if (/(menu|navigation|sidebar|breadcrumb)/.test(lower)) return "nav";
+  return "copy";
+}
+function scoreString(kind, value) {
+  const lower = value.toLowerCase();
+  if (GENERIC_LOW_SIGNAL.has(lower)) return 0;
+  let score = 1;
+  if (kind === "route") score += 4;
+  if (kind === "nav") score += 3;
+  if (kind === "title") score += 2;
+  if (kind === "heading") score += 2;
+  if (kind === "cta") score += 2;
+  if (/(pricing|billing|subscription|auth|security|integration)/.test(lower)) score += 2;
+  if (/(dashboard|report|scan|workspace|project|repository)/.test(lower)) score += 1;
+  return score;
+}
+function dedupeByKindValue(items) {
+  const seen = /* @__PURE__ */ new Map();
+  for (const item of items) {
+    const key = `${item.kind}::${item.value.toLowerCase()}`;
+    const prev = seen.get(key);
+    if (!prev || item.weight > prev.weight) {
+      seen.set(key, item);
+    }
+  }
+  return Array.from(seen.values()).filter((i) => i.weight > 0);
+}
+function buildUnknowns(items) {
+  const unknowns = [];
+  const hasPricing = items.some((i) => /pricing|billing|subscription|trial|credit/i.test(i.value));
+  const hasAuth = items.some((i) => /sign in|sign up|login|auth|sso|oauth|invite/i.test(i.value));
+  const hasIntegrations = items.some((i) => /integration|webhook|api key|connector/i.test(i.value));
+  const hasRoutes = items.some((i) => i.kind === "route");
+  if (!hasPricing) unknowns.push("No pricing or billing evidence found.");
+  if (!hasAuth) unknowns.push("No authentication or user access flow evidence found.");
+  if (!hasIntegrations) unknowns.push("No integrations/connectors evidence found.");
+  if (!hasRoutes) unknowns.push("No route structure evidence found.");
+  return unknowns;
+}
+function asRecord(value) {
+  if (!value || typeof value !== "object") return {};
+  return value;
+}
+function getDependencies(pkgJson) {
+  return Object.entries(asRecord(pkgJson.dependencies));
+}
+function normaliseText(s) {
+  return s.replace(/\s+/g, " ").trim();
+}
+function isUsefulString(s) {
+  if (!s || s.length < 3 || s.length > 160) return false;
+  if (/^[0-9_./-]+$/.test(s)) return false;
+  if (/^(true|false|null|undefined)$/i.test(s)) return false;
+  if (/[<>{}]/.test(s)) return false;
+  if (/function\s*\(|=>|console\.|import\s+|export\s+/.test(s)) return false;
+  return true;
+}
 // src/utils/tool-installer.ts
 import { spawn as spawn4 } from "child_process";
 import chalk5 from "chalk";
@@ -6538,7 +6729,7 @@ var SECURITY_TOOLS = [
 ];
 var IS_WIN = process.platform === "win32";
 function runCommand(cmd, args) {
-  return new Promise((resolve8) => {
+  return new Promise((resolve9) => {
     const child = spawn4(cmd, args, {
       stdio: ["ignore", "pipe", "pipe"],
       shell: IS_WIN
@@ -6552,8 +6743,8 @@ function runCommand(cmd, args) {
     child.stderr.on("data", (d) => {
       stderr += d.toString();
     });
-    child.on("error", () => resolve8({ exitCode: 127, stdout, stderr }));
-    child.on("close", (code) => resolve8({ exitCode: code ?? 1, stdout, stderr }));
+    child.on("error", () => resolve9({ exitCode: 127, stdout, stderr }));
+    child.on("close", (code) => resolve9({ exitCode: code ?? 1, stdout, stderr }));
   });
 }
 async function commandExists(command) {
@@ -6620,6 +6811,76 @@ async function installMissingTools(log = (m) => process.stderr.write(m + "\n"))
   return result;
 }
+// src/utils/mermaid.ts
+function sanitizeId(input) {
+  return input.replace(/[^a-zA-Z0-9_]/g, "_");
+}
+function escapeLabel(input) {
+  return input.replace(/"/g, '\\"');
+}
+function scoreClass(score) {
+  if (score === void 0 || Number.isNaN(score)) return "scoreUnknown";
+  if (score >= 70) return "scoreHigh";
+  if (score >= 40) return "scoreModerate";
+  return "scoreLow";
+}
+function nodeLabel(project) {
+  const score = project.drift?.score;
+  const scoreText = typeof score === "number" ? ` (${score})` : " (n/a)";
+  return `${project.name}${scoreText}`;
+}
+function buildDefs() {
+  return [
+    "classDef scoreHigh fill:#064e3b,stroke:#10b981,color:#d1fae5,stroke-width:2px",
+    "classDef scoreModerate fill:#78350f,stroke:#f59e0b,color:#fef3c7,stroke-width:2px",
+    "classDef scoreLow fill:#7f1d1d,stroke:#ef4444,color:#fee2e2,stroke-width:2px",
+    "classDef scoreUnknown fill:#334155,stroke:#94a3b8,color:#e2e8f0,stroke-width:2px"
+  ];
+}
+function generateWorkspaceRelationshipMermaid(projects) {
+  const lines = ["flowchart LR"];
+  const byPath = new Map(projects.map((p) => [p.path, p]));
+  for (const project of projects) {
+    const id = sanitizeId(project.projectId || project.path || project.name);
+    lines.push(`${id}["${escapeLabel(nodeLabel(project))}"]`);
+    lines.push(`class ${id} ${scoreClass(project.drift?.score)}`);
+  }
+  for (const project of projects) {
+    const fromId = sanitizeId(project.projectId || project.path || project.name);
+    for (const ref of project.projectReferences ?? []) {
+      const target = byPath.get(ref.path);
+      if (!target) continue;
+      const toId = sanitizeId(target.projectId || target.path || target.name);
+      lines.push(`${fromId} --> ${toId}`);
+    }
+  }
+  lines.push(...buildDefs());
+  return { mermaid: lines.join("\n") };
+}
+function generateProjectRelationshipMermaid(project, projects) {
+  const lines = ["flowchart LR"];
+  const byPath = new Map(projects.map((p) => [p.path, p]));
+  const parents = projects.filter((p) => p.projectReferences?.some((r) => r.path === project.path));
+  const children = (project.projectReferences ?? []).map((r) => byPath.get(r.path)).filter((p) => Boolean(p));
+  const centerId = sanitizeId(project.projectId || project.path || project.name);
+  lines.push(`${centerId}["${escapeLabel(nodeLabel(project))}"]`);
+  lines.push(`class ${centerId} ${scoreClass(project.drift?.score)}`);
+  for (const parent of parents) {
+    const id = sanitizeId(parent.projectId || parent.path || parent.name);
+    lines.push(`${id}["${escapeLabel(nodeLabel(parent))}"]`);
+    lines.push(`class ${id} ${scoreClass(parent.drift?.score)}`);
+    lines.push(`${id} --> ${centerId}`);
+  }
+  for (const child of children) {
+    const id = sanitizeId(child.projectId || child.path || child.name);
+    lines.push(`${id}["${escapeLabel(nodeLabel(child))}"]`);
+    lines.push(`class ${id} ${scoreClass(child.drift?.score)}`);
+    lines.push(`${centerId} --> ${id}`);
+  }
+  lines.push(...buildDefs());
+  return { mermaid: lines.join("\n") };
+}
 // src/commands/scan.ts
 async function runScan(rootDir, opts) {
   const scanStart = Date.now();
@@ -6659,7 +6920,8 @@ async function runScan(rootDir, opts) {
       ...scanners?.dependencyRisk?.enabled !== false ? [{ id: "deprisk", label: "Dependency risk" }] : [],
       ...scanners?.architecture?.enabled !== false ? [{ id: "architecture", label: "Architecture layers" }] : [],
       ...scanners?.codeQuality?.enabled !== false ? [{ id: "codequality", label: "Code quality metrics" }] : [],
-      ...scanners?.owaspCategoryMapping?.enabled !== false ? [{ id: "owasp", label: "OWASP category mapping" }] : []
+      ...scanners?.owaspCategoryMapping?.enabled !== false ? [{ id: "owasp", label: "OWASP category mapping" }] : [],
+      ...opts.uiPurpose || scanners?.uiPurpose?.enabled === true ? [{ id: "uipurpose", label: "UI purpose evidence" }] : []
     ] : [],
     { id: "drift", label: "Computing drift score" },
     { id: "findings", label: "Generating findings" }
@@ -6748,6 +7010,10 @@ async function runScan(rootDir, opts) {
     project.drift = computeDriftScore([project]);
     project.projectId = computeProjectId(project.path, project.name, workspaceId);
   }
+  for (const project of allProjects) {
+    project.relationshipDiagram = generateProjectRelationshipMermaid(project, allProjects);
+  }
+  const relationshipDiagram = generateWorkspaceRelationshipMermaid(allProjects);
   const extended = {};
   if (scanners !== false) {
     const scannerTasks = [];
@@ -6923,6 +7189,13 @@ async function runScan(rootDir, opts) {
         );
       }
     }
+    if (opts.uiPurpose || scanners?.uiPurpose?.enabled === true) {
+      progress.startStep("uipurpose");
+      extended.uiPurpose = await scanUiPurpose(rootDir, fileCache);
+      const up = extended.uiPurpose;
+      const summary = [`${up.topEvidence.length} evidence`, ...up.capped ? ["capped"] : []].join(" \xB7 ");
+      progress.completeStep("uipurpose", summary, up.topEvidence.length);
+    }
     if (scanners?.architecture?.enabled !== false) {
       progress.startStep("architecture");
       extended.architecture = await scanArchitecture(
@@ -6934,6 +7207,14 @@ async function runScan(rootDir, opts) {
       );
       const arch = extended.architecture;
       const layerCount = arch.layers.filter((l) => l.fileCount > 0).length;
+      await Promise.all(allProjects.map(async (project) => {
+        project.architectureMermaid = await buildProjectArchitectureMermaid(
+          rootDir,
+          project,
+          arch.archetype,
+          fileCache
+        );
+      }));
       progress.completeStep(
         "architecture",
         `${arch.archetype} \xB7 ${layerCount} layer${layerCount !== 1 ? "s" : ""} \xB7 ${arch.totalClassified} files`,
@@ -7001,6 +7282,7 @@ async function runScan(rootDir, opts) {
   }
   if (extended.codeQuality) filesScanned += extended.codeQuality.filesAnalyzed;
   if (extended.owaspCategoryMapping) filesScanned += extended.owaspCategoryMapping.scannedFiles;
+  if (extended.uiPurpose) filesScanned += extended.uiPurpose.topEvidence.length;
   const durationMs = Date.now() - scanStart;
   const artifact = {
     schemaVersion: "1.0",
@@ -7014,7 +7296,8 @@ async function runScan(rootDir, opts) {
     ...Object.keys(extended).length > 0 ? { extended } : {},
     durationMs,
     filesScanned,
-    treeSummary: treeCount
+    treeSummary: treeCount,
+    relationshipDiagram
   };
   if (opts.baseline) {
     const baselinePath = path20.resolve(opts.baseline);
@@ -7145,7 +7428,15 @@ async function autoPush(artifact, rootDir, opts) {
     if (opts.strict) process.exit(1);
   }
 }
-var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").action(async (targetPath, opts) => {
+function parseNonNegativeNumber(value, label) {
+  if (value === void 0) return void 0;
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed < 0) {
+    throw new Error(`${label} must be a non-negative number.`);
+  }
+  return parsed;
+}
+var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
   const rootDir = path20.resolve(targetPath);
   if (!await pathExists(rootDir)) {
     console.error(chalk6.red(`Path does not exist: ${rootDir}`));
@@ -7162,7 +7453,10 @@ var scanCommand = new Command3("scan").description("Scan a project for upgrade d
     dsn: opts.dsn,
     region: opts.region,
     strict: opts.strict,
-    installTools: opts.installTools
+    installTools: opts.installTools,
+    uiPurpose: opts.uiPurpose,
+    driftBudget: parseNonNegativeNumber(opts.driftBudget, "--drift-budget"),
+    driftWorseningPercent: parseNonNegativeNumber(opts.driftWorsening, "--drift-worsening")
   };
   const artifact = await runScan(rootDir, scanOpts);
   if (opts.failOn) {
@@ -7179,6 +7473,27 @@ Failing: findings detected at warn level or above.`));
       process.exit(2);
     }
   }
+  if (scanOpts.driftBudget !== void 0 && artifact.drift.score > scanOpts.driftBudget) {
+    console.error(chalk6.red(`
+Failing fitness function: drift score ${artifact.drift.score}/100 exceeds budget ${scanOpts.driftBudget}.`));
+    process.exit(2);
+  }
+  if (scanOpts.driftWorseningPercent !== void 0) {
+    if (artifact.delta === void 0) {
+      console.error(chalk6.red("\nFailing fitness function: --drift-worsening requires --baseline to compare against previous drift."));
+      process.exit(2);
+    }
+    if (artifact.delta > 0) {
+      const baselineScore = artifact.drift.score - artifact.delta;
+      const denominator = Math.max(Math.abs(baselineScore), 1e-4);
+      const worseningPercent = artifact.delta / denominator * 100;
+      if (worseningPercent > scanOpts.driftWorseningPercent) {
+        console.error(chalk6.red(`
+Failing fitness function: drift worsened by ${worseningPercent.toFixed(2)}% (threshold ${scanOpts.driftWorseningPercent}%).`));
+        process.exit(2);
+      }
+    }
+  }
   const hasDsn = !!(opts.dsn || process.env.VIBGRATE_DSN);
   if (opts.push || hasDsn) {
     await autoPush(artifact, rootDir, scanOpts);