@vibgrate/cli 1.0.45 → 1.0.47

package/dist/{chunk-YFJC5JSQ.js → chunk-UVFIFNYG.js}

@@ -227,6 +227,10 @@ function computeProjectId(relativePath, projectName, workspaceId) {
   const input = workspaceId ? `${relativePath}:${projectName}:${workspaceId}` : `${relativePath}:${projectName}`;
   return crypto.createHash("sha256").update(input).digest("hex").slice(0, 16);
 }
+function computeSolutionId(relativePath, solutionName, workspaceId) {
+  const input = workspaceId ? `${relativePath}:${solutionName}:${workspaceId}` : `${relativePath}:${solutionName}`;
+  return crypto.createHash("sha256").update(input).digest("hex").slice(0, 16);
+}
 
 // src/version.ts
 import { createRequire } from "module";
@@ -315,6 +319,27 @@ function formatText(artifact) {
   if (artifact.extended?.architecture) {
     lines.push(...formatArchitectureDiagram(artifact.extended.architecture));
   }
+  if (artifact.relationshipDiagram?.mermaid) {
+    lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+    lines.push(chalk.bold.cyan("\u2551      Project Relationship Diagram        \u2551"));
+    lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+    lines.push("");
+    lines.push(chalk.bold("  Mermaid"));
+    lines.push(chalk.dim(artifact.relationshipDiagram.mermaid));
+    lines.push("");
+  }
+  if (artifact.solutions && artifact.solutions.length > 0) {
+    lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+    lines.push(chalk.bold.cyan("\u2551        Solution Drift Summary            \u2551"));
+    lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+    lines.push("");
+    for (const solution of artifact.solutions) {
+      const solScore = solution.drift?.score;
+      const color = typeof solScore === "number" ? solScore >= 70 ? chalk.green : solScore >= 40 ? chalk.yellow : chalk.red : chalk.dim;
+      lines.push(`  \u2022 ${solution.name} (${solution.projectPaths.length} projects) \u2014 ${typeof solScore === "number" ? color(`${solScore}/100`) : chalk.dim("n/a")}`);
+    }
+    lines.push("");
+  }
   const scoreColor = artifact.drift.score >= 70 ? chalk.green : artifact.drift.score >= 40 ? chalk.yellow : chalk.red;
   lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
   lines.push(chalk.bold.cyan("\u2551        Drift Score Summary               \u2551"));
@@ -469,6 +494,26 @@ function formatExtended(ext) {
       lines.push("");
     }
   }
+  if (ext.uiPurpose) {
+    const up = ext.uiPurpose;
+    lines.push(chalk.bold.underline("  Product Purpose Signals"));
+    lines.push(`    Frameworks: ${up.detectedFrameworks.length > 0 ? up.detectedFrameworks.join(", ") : chalk.dim("unknown")}`);
+    lines.push(`    Evidence: ${up.topEvidence.length}${up.capped ? chalk.dim(` of ${up.evidenceCount} (capped)`) : ""}`);
+    const top = up.topEvidence.slice(0, 8);
+    if (top.length > 0) {
+      lines.push("    Top Signals:");
+      for (const item of top) {
+        lines.push(`      - [${item.kind}] ${item.value} ${chalk.dim(`(${item.file})`)}`);
+      }
+    }
+    if (up.unknownSignals.length > 0) {
+      lines.push("    Unknowns:");
+      for (const u of up.unknownSignals.slice(0, 4)) {
+        lines.push(`      - ${chalk.yellow(u)}`);
+      }
+    }
+    lines.push("");
+  }
   if (ext.owaspCategoryMapping) {
     const ow = ext.owaspCategoryMapping;
     lines.push(chalk.bold.underline("  OWASP Category Mapping"));
@@ -565,125 +610,22 @@ function formatExtended(ext) {
   }
   return lines;
 }
-var LAYER_LABELS = {
-  "presentation": "Presentation",
-  "routing": "Routing",
-  "middleware": "Middleware",
-  "services": "Services",
-  "domain": "Domain",
-  "data-access": "Data Access",
-  "infrastructure": "Infrastructure",
-  "config": "Config",
-  "shared": "Shared",
-  "testing": "Testing"
-};
-var LAYER_ICONS = {
-  "presentation": "\u{1F5A5}",
-  "routing": "\u{1F500}",
-  "middleware": "\u{1F517}",
-  "services": "\u2699",
-  "domain": "\u{1F48E}",
-  "data-access": "\u{1F5C4}",
-  "infrastructure": "\u{1F3D7}",
-  "config": "\u2699",
-  "shared": "\u{1F4E6}",
-  "testing": "\u{1F9EA}"
-};
 function formatArchitectureDiagram(arch) {
   const lines = [];
   lines.push(chalk.bold.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
   lines.push(chalk.bold.cyan("\u2551        Architecture Layers               \u2551"));
   lines.push(chalk.bold.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
   lines.push("");
-  const archetypeDisplay = arch.archetype === "unknown" ? "Unknown" : arch.archetype;
-  const confPct = Math.round(arch.archetypeConfidence * 100);
-  lines.push(chalk.bold("  Archetype: ") + chalk.cyan.bold(archetypeDisplay) + chalk.dim(` (${confPct}% confidence)`));
-  lines.push(chalk.dim(`  ${arch.totalClassified} files classified \xB7 ${arch.unclassified} unclassified`));
+  lines.push(chalk.bold("  Archetype: ") + `${arch.archetype}` + chalk.dim(` (${Math.round(arch.archetypeConfidence * 100)}% confidence)`));
+  lines.push(`  Files classified: ${arch.totalClassified}` + (arch.unclassified > 0 ? chalk.dim(` (${arch.unclassified} unclassified)`) : ""));
   lines.push("");
-  const boxWidth = 44;
-  const visibleLayers = arch.layers.filter((l) => l.fileCount > 0 || l.techStack.length > 0 || l.services.length > 0);
-  if (visibleLayers.length === 0) {
-    lines.push(chalk.dim("  No layers detected"));
-    lines.push("");
-    return lines;
-  }
-  for (let i = 0; i < visibleLayers.length; i++) {
-    const layer = visibleLayers[i];
-    const icon = LAYER_ICONS[layer.layer] ?? "\xB7";
-    const label = LAYER_LABELS[layer.layer] ?? layer.layer;
-    const hasScore = layer.packages.length > 0;
-    const ds = layer.driftScore;
-    const scoreColor = !hasScore ? chalk.dim : ds >= 70 ? chalk.green : ds >= 40 ? chalk.yellow : chalk.red;
-    const riskBadgeStr = layer.riskLevel === "low" ? chalk.bgGreen.black(" LOW ") : layer.riskLevel === "moderate" ? chalk.bgYellow.black(" MOD ") : chalk.bgRed.white(" HIGH ");
-    if (i === 0) {
-      lines.push(chalk.cyan(`  \u250C${"\u2500".repeat(boxWidth)}\u2510`));
-    }
-    const nameStr = `${icon}  ${label}`;
-    const scoreStr = hasScore ? `${layer.driftScore}/100` : "n/a";
-    const fileSuffix = `${layer.fileCount} file${layer.fileCount !== 1 ? "s" : ""}`;
-    const leftContent = `  ${nameStr}`;
-    const rightContent = `${fileSuffix}  ${scoreStr}  `;
-    const leftLen = nameStr.length + 2;
-    const rightLen = rightContent.length;
-    const padLen = Math.max(1, boxWidth - leftLen - rightLen);
-    lines.push(
-      chalk.cyan("  \u2502") + `  ${icon}  ${chalk.bold(label)}` + " ".repeat(padLen) + chalk.dim(fileSuffix) + "  " + scoreColor.bold(scoreStr) + "  " + chalk.cyan("\u2502")
-    );
-    const barWidth = boxWidth - 8;
-    if (hasScore) {
-      const filled = Math.round(layer.driftScore / 100 * barWidth);
-      const empty = barWidth - filled;
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + scoreColor("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty)) + "    " + chalk.cyan("\u2502")
-      );
-    } else {
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + chalk.dim("\xB7".repeat(barWidth)) + "    " + chalk.cyan("\u2502")
-      );
-    }
-    if (layer.techStack.length > 0) {
-      const techNames = layer.techStack.slice(0, 6).map((t) => t.name);
-      const moreCount = layer.techStack.length > 6 ? ` +${layer.techStack.length - 6}` : "";
-      const techLine = `Tech: ${techNames.join(", ")}${moreCount}`;
-      const truncated = techLine.length > boxWidth - 6 ? techLine.slice(0, boxWidth - 9) + "..." : techLine;
-      const techPad = Math.max(0, boxWidth - truncated.length - 4);
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + chalk.dim(truncated) + " ".repeat(techPad) + chalk.cyan("\u2502")
-      );
-    }
-    if (layer.services.length > 0) {
-      const svcNames = layer.services.slice(0, 5).map((s) => s.name);
-      const moreCount = layer.services.length > 5 ? ` +${layer.services.length - 5}` : "";
-      const svcLine = `Services: ${svcNames.join(", ")}${moreCount}`;
-      const truncated = svcLine.length > boxWidth - 6 ? svcLine.slice(0, boxWidth - 9) + "..." : svcLine;
-      const svcPad = Math.max(0, boxWidth - truncated.length - 4);
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + chalk.dim(truncated) + " ".repeat(svcPad) + chalk.cyan("\u2502")
-      );
-    }
-    const driftPkgs = layer.packages.filter((p) => p.majorsBehind !== null && p.majorsBehind > 0);
-    if (driftPkgs.length > 0) {
-      const worst = driftPkgs.sort((a, b) => (b.majorsBehind ?? 0) - (a.majorsBehind ?? 0));
-      const shown = worst.slice(0, 3);
-      const pkgStrs = shown.map((p) => {
-        const color = (p.majorsBehind ?? 0) >= 2 ? chalk.red : chalk.yellow;
-        return color(`${p.name} -${p.majorsBehind}`);
-      });
-      const moreCount = worst.length > 3 ? chalk.dim(` +${worst.length - 3}`) : "";
-      const pkgLine = pkgStrs.join(chalk.dim(", ")) + moreCount;
-      const roughLen = shown.map((p) => `${p.name} -${p.majorsBehind}`).join(", ").length + (worst.length > 3 ? ` +${worst.length - 3}`.length : 0);
-      const pkgPad = Math.max(0, boxWidth - roughLen - 4);
-      lines.push(
-        chalk.cyan("  \u2502") + "    " + pkgLine + " ".repeat(pkgPad) + chalk.cyan("\u2502")
-      );
-    }
-    if (i < visibleLayers.length - 1) {
-      lines.push(chalk.cyan(`  \u251C${"\u2500".repeat(boxWidth)}\u2524`));
-    } else {
-      lines.push(chalk.cyan(`  \u2514${"\u2500".repeat(boxWidth)}\u2518`));
+  if (arch.layers.length > 0) {
+    for (const layer of arch.layers) {
+      const risk = layer.riskLevel === "low" ? chalk.green("low") : layer.riskLevel === "moderate" ? chalk.yellow("moderate") : chalk.red("high");
+      lines.push(`    ${chalk.bold(layer.layer)}  ${layer.fileCount} file${layer.fileCount !== 1 ? "s" : ""}  drift ${scoreBar(layer.driftScore)}  risk ${risk}`);
     }
+    lines.push("");
   }
-  lines.push("");
   return lines;
 }
 function generatePriorityActions(artifact) {
@@ -1158,19 +1100,19 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
 });
 
 // src/commands/scan.ts
-import * as path20 from "path";
+import * as path21 from "path";
 import { Command as Command3 } from "commander";
 import chalk6 from "chalk";
 
 // src/scanners/node-scanner.ts
-import * as path3 from "path";
+import * as path4 from "path";
 import * as semver2 from "semver";
 
 // src/utils/timeout.ts
 async function withTimeout(promise, ms) {
   let timer;
-  const timeout = new Promise((resolve8) => {
-    timer = setTimeout(() => resolve8({ ok: false }), ms);
+  const timeout = new Promise((resolve10) => {
+    timer = setTimeout(() => resolve10({ ok: false }), ms);
   });
   try {
     const result = await Promise.race([
@@ -1184,8 +1126,78 @@ async function withTimeout(promise, ms) {
 }
 
 // src/scanners/npm-cache.ts
-import { spawn } from "child_process";
+import { spawn as spawn2 } from "child_process";
 import * as semver from "semver";
+
+// src/package-version-manifest.ts
+import { mkdtemp, readFile, rm } from "fs/promises";
+import * as path3 from "path";
+import * as os from "os";
+import { spawn } from "child_process";
+function runCommand(cmd, args) {
+  return new Promise((resolve10, reject) => {
+    const child = spawn(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let out = "";
+    let err = "";
+    child.stdout.on("data", (d) => out += String(d));
+    child.stderr.on("data", (d) => err += String(d));
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code !== 0) {
+        reject(new Error(`${cmd} ${args.join(" ")} failed (code=${code}): ${err.trim()}`));
+        return;
+      }
+      resolve10(out);
+    });
+  });
+}
+async function parseManifestText(text, source) {
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new Error(`Invalid JSON in package version manifest: ${source}`);
+  }
+}
+async function loadManifestFromZip(zipPath) {
+  const tmpDir = await mkdtemp(path3.join(os.tmpdir(), "vibgrate-manifest-"));
+  try {
+    await runCommand("unzip", ["-qq", zipPath, "-d", tmpDir]);
+    const candidates = [
+      path3.join(tmpDir, "package-versions.json"),
+      path3.join(tmpDir, "manifest.json"),
+      path3.join(tmpDir, "index.json")
+    ];
+    for (const candidate of candidates) {
+      try {
+        const text = await readFile(candidate, "utf8");
+        return await parseManifestText(text, candidate);
+      } catch {
+      }
+    }
+    throw new Error("Zip must contain package-versions.json, manifest.json, or index.json");
+  } finally {
+    await rm(tmpDir, { recursive: true, force: true });
+  }
+}
+async function loadPackageVersionManifest(filePath) {
+  const resolved = path3.resolve(filePath);
+  if (resolved.toLowerCase().endsWith(".zip")) {
+    return loadManifestFromZip(resolved);
+  }
+  const text = await readFile(resolved, "utf8");
+  return parseManifestText(text, resolved);
+}
+function getManifestEntry(manifest, ecosystem, packageName) {
+  if (!manifest) return void 0;
+  const table = manifest[ecosystem];
+  if (!table) return void 0;
+  if (ecosystem === "nuget") {
+    return table[packageName.toLowerCase()] ?? table[packageName];
+  }
+  return table[packageName];
+}
+
+// src/scanners/npm-cache.ts
 function stableOnly(versions) {
   return versions.filter((v) => semver.valid(v) && semver.prerelease(v) === null);
 }
@@ -1195,8 +1207,8 @@ function maxStable(versions) {
   return stable.sort(semver.rcompare)[0] ?? null;
 }
 async function npmViewJson(args, cwd) {
-  return new Promise((resolve8, reject) => {
-    const child = spawn("npm", ["view", ...args, "--json"], {
+  return new Promise((resolve10, reject) => {
+    const child = spawn2("npm", ["view", ...args, "--json"], {
       cwd,
       shell: true,
       stdio: ["ignore", "pipe", "pipe"]
@@ -1213,27 +1225,42 @@ async function npmViewJson(args, cwd) {
       }
       const trimmed = out.trim();
       if (!trimmed) {
-        resolve8(null);
+        resolve10(null);
         return;
       }
       try {
-        resolve8(JSON.parse(trimmed));
+        resolve10(JSON.parse(trimmed));
       } catch {
-        resolve8(trimmed.replace(/^"|"$/g, ""));
+        resolve10(trimmed.replace(/^"|"$/g, ""));
       }
     });
   });
 }
 var NpmCache = class {
-  constructor(cwd, sem) {
+  constructor(cwd, sem, manifest, offline = false) {
     this.cwd = cwd;
     this.sem = sem;
+    this.manifest = manifest;
+    this.offline = offline;
   }
   meta = /* @__PURE__ */ new Map();
   get(pkg2) {
     const existing = this.meta.get(pkg2);
     if (existing) return existing;
     const p = this.sem.run(async () => {
+      const manifestEntry = getManifestEntry(this.manifest, "npm", pkg2);
+      if (manifestEntry) {
+        const stable2 = stableOnly(manifestEntry.versions ?? []);
+        const latestStableOverall2 = maxStable(stable2);
+        return {
+          latest: manifestEntry.latest ?? latestStableOverall2,
+          stableVersions: stable2,
+          latestStableOverall: latestStableOverall2
+        };
+      }
+      if (this.offline) {
+        return { latest: null, stableVersions: [], latestStableOverall: null };
+      }
       let latest = null;
       let versions = [];
       try {
@@ -1387,7 +1414,7 @@ async function scanNodeProjects(rootDir, npmCache, cache) {
         results.push(result.value);
         packageNameToPath.set(result.value.name, result.value.path);
       } else {
-        const relPath = path3.relative(rootDir, path3.dirname(pjPath));
+        const relPath = path4.relative(rootDir, path4.dirname(pjPath));
         if (cache) {
           cache.addStuckPath(relPath || ".");
         }
@@ -1418,8 +1445,8 @@ async function scanNodeProjects(rootDir, npmCache, cache) {
 }
 async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   const pj = cache ? await cache.readJsonFile(packageJsonPath) : await readJsonFile(packageJsonPath);
-  const absProjectPath = path3.dirname(packageJsonPath);
-  const projectPath = path3.relative(rootDir, absProjectPath) || ".";
+  const absProjectPath = path4.dirname(packageJsonPath);
+  const projectPath = path4.relative(rootDir, absProjectPath) || ".";
   const nodeEngine = pj.engines?.node ?? void 0;
   let runtimeLatest;
   let runtimeMajorsBehind;
@@ -1506,7 +1533,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
   return {
     type: "node",
     path: projectPath,
-    name: pj.name ?? path3.basename(absProjectPath),
+    name: pj.name ?? path4.basename(absProjectPath),
     runtime: nodeEngine,
     runtimeLatest,
     runtimeMajorsBehind,
@@ -1518,7 +1545,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
 }
 
 // src/scanners/dotnet-scanner.ts
-import * as path4 from "path";
+import * as path5 from "path";
 import * as semver3 from "semver";
 import { XMLParser } from "fast-xml-parser";
 var parser = new XMLParser({
@@ -1720,7 +1747,7 @@ function parseCsproj(xml, filePath) {
   const parsed = parser.parse(xml);
   const project = parsed?.Project;
   if (!project) {
-    return { targetFrameworks: [], packageReferences: [], projectReferences: [], projectName: path4.basename(filePath, ".csproj") };
+    return { targetFrameworks: [], packageReferences: [], projectReferences: [], projectName: path5.basename(filePath, ".csproj") };
   }
   const propertyGroups = Array.isArray(project.PropertyGroup) ? project.PropertyGroup : project.PropertyGroup ? [project.PropertyGroup] : [];
   const targetFrameworks = [];
@@ -1757,7 +1784,7 @@ function parseCsproj(xml, filePath) {
     targetFrameworks: [...new Set(targetFrameworks)],
     packageReferences,
     projectReferences,
-    projectName: path4.basename(filePath, ".csproj")
+    projectName: path5.basename(filePath, ".csproj")
   };
 }
 async function scanDotnetProjects(rootDir, nugetCache, cache) {
@@ -1767,12 +1794,12 @@ async function scanDotnetProjects(rootDir, nugetCache, cache) {
   for (const slnPath of slnFiles) {
     try {
       const slnContent = cache ? await cache.readTextFile(slnPath) : await readTextFile(slnPath);
-      const slnDir = path4.dirname(slnPath);
+      const slnDir = path5.dirname(slnPath);
       const projectRegex = /Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"/g;
       let match;
       while ((match = projectRegex.exec(slnContent)) !== null) {
         if (match[1]) {
-          const csprojPath = path4.resolve(slnDir, match[1].replace(/\\/g, "/"));
+          const csprojPath = path5.resolve(slnDir, match[1].replace(/\\/g, "/"));
           slnCsprojPaths.add(csprojPath);
         }
       }
@@ -1789,7 +1816,7 @@ async function scanDotnetProjects(rootDir, nugetCache, cache) {
       if (result.ok) {
         results.push(result.value);
       } else {
-        const relPath = path4.relative(rootDir, path4.dirname(csprojPath));
+        const relPath = path5.relative(rootDir, path5.dirname(csprojPath));
         if (cache) {
           cache.addStuckPath(relPath || ".");
         }
@@ -1805,7 +1832,7 @@ async function scanDotnetProjects(rootDir, nugetCache, cache) {
 async function scanOneCsproj(csprojPath, rootDir, nugetCache, cache) {
   const xml = cache ? await cache.readTextFile(csprojPath) : await readTextFile(csprojPath);
   const data = parseCsproj(xml, csprojPath);
-  const csprojDir = path4.dirname(csprojPath);
+  const csprojDir = path5.dirname(csprojPath);
   const primaryTfm = data.targetFrameworks[0];
   let runtimeMajorsBehind;
   let targetFramework = primaryTfm;
@@ -1883,9 +1910,9 @@ async function scanOneCsproj(csprojPath, rootDir, nugetCache, cache) {
     }
   }
   const projectReferences = data.projectReferences.map((refPath) => {
-    const absRefPath = path4.resolve(csprojDir, refPath);
-    const relRefPath = path4.relative(rootDir, path4.dirname(absRefPath));
-    const refName = path4.basename(absRefPath, ".csproj");
+    const absRefPath = path5.resolve(csprojDir, refPath);
+    const relRefPath = path5.relative(rootDir, path5.dirname(absRefPath));
+    const refName = path5.basename(absRefPath, ".csproj");
     return {
       path: relRefPath || ".",
       name: refName,
@@ -1906,7 +1933,7 @@ async function scanOneCsproj(csprojPath, rootDir, nugetCache, cache) {
   const buckets = bucketsMut;
   return {
     type: "dotnet",
-    path: path4.relative(rootDir, csprojDir) || ".",
+    path: path5.relative(rootDir, csprojDir) || ".",
     name: data.projectName,
     targetFramework,
     runtime: primaryTfm,
@@ -1921,7 +1948,7 @@ async function scanOneCsproj(csprojPath, rootDir, nugetCache, cache) {
 }
 
 // src/scanners/python-scanner.ts
-import * as path5 from "path";
+import * as path6 from "path";
 import * as semver4 from "semver";
 var KNOWN_PYTHON_FRAMEWORKS = {
   // ── Web Frameworks ──
@@ -2162,7 +2189,7 @@ async function scanPythonProjects(rootDir, pypiCache, cache) {
   const manifestFiles = cache ? await cache.findFiles(rootDir, (name) => PYTHON_MANIFEST_FILES.has(name) || /^requirements.*\.txt$/.test(name)) : await findPythonManifests(rootDir);
   const projectDirs = /* @__PURE__ */ new Map();
   for (const f of manifestFiles) {
-    const dir = path5.dirname(f);
+    const dir = path6.dirname(f);
     if (!projectDirs.has(dir)) projectDirs.set(dir, []);
     projectDirs.get(dir).push(f);
   }
@@ -2175,7 +2202,7 @@ async function scanPythonProjects(rootDir, pypiCache, cache) {
       if (result.ok) {
         results.push(result.value);
       } else {
-        const relPath = path5.relative(rootDir, dir);
+        const relPath = path6.relative(rootDir, dir);
         if (cache) cache.addStuckPath(relPath || ".");
         console.error(`Timeout scanning Python project ${dir} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
       }
@@ -2191,12 +2218,12 @@ async function findPythonManifests(rootDir) {
   return findFiles2(rootDir, (name) => PYTHON_MANIFEST_FILES.has(name) || /^requirements.*\.txt$/.test(name));
 }
 async function scanOnePythonProject(dir, manifestFiles, rootDir, pypiCache, cache) {
-  const relDir = path5.relative(rootDir, dir) || ".";
-  let projectName = path5.basename(dir === rootDir ? rootDir : dir);
+  const relDir = path6.relative(rootDir, dir) || ".";
+  let projectName = path6.basename(dir === rootDir ? rootDir : dir);
   let pythonVersion;
   const allDeps = /* @__PURE__ */ new Map();
   for (const f of manifestFiles) {
-    const fileName = path5.basename(f);
+    const fileName = path6.basename(f);
     const content = cache ? await cache.readTextFile(f) : await readTextFile(f);
     if (fileName === "pyproject.toml") {
       const parsed = parsePyprojectToml(content);
@@ -2313,7 +2340,7 @@ async function scanOnePythonProject(dir, manifestFiles, rootDir, pypiCache, cach
 }
 
 // src/scanners/java-scanner.ts
-import * as path6 from "path";
+import * as path7 from "path";
 import * as semver5 from "semver";
 import { XMLParser as XMLParser2 } from "fast-xml-parser";
 var parser2 = new XMLParser2({
@@ -2419,7 +2446,7 @@ function parsePom(xml, filePath) {
   const project = parsed?.project;
   if (!project) {
     return {
-      artifactId: path6.basename(path6.dirname(filePath)),
+      artifactId: path7.basename(path7.dirname(filePath)),
       dependencies: [],
       modules: [],
       properties: {}
@@ -2479,7 +2506,7 @@ function parsePom(xml, filePath) {
   }
   return {
     groupId: project.groupId ? String(project.groupId) : parent?.groupId,
-    artifactId: String(project.artifactId ?? path6.basename(path6.dirname(filePath))),
+    artifactId: String(project.artifactId ?? path7.basename(path7.dirname(filePath))),
     version: project.version ? String(project.version) : parent?.version,
     packaging: project.packaging ? String(project.packaging) : void 0,
     javaVersion,
@@ -2494,7 +2521,7 @@ function resolveProperty(value, properties) {
 }
 function parseGradleBuild(content, filePath) {
   const deps = [];
-  const projectName = path6.basename(path6.dirname(filePath));
+  const projectName = path7.basename(path7.dirname(filePath));
   let javaVersion;
   const compatMatch = content.match(/(?:sourceCompatibility|targetCompatibility|javaVersion)\s*[=:]\s*['"]?(?:JavaVersion\.VERSION_)?(\d+)['"]?/);
   if (compatMatch) javaVersion = compatMatch[1];
@@ -2557,7 +2584,7 @@ async function scanJavaProjects(rootDir, mavenCache, cache) {
   const manifestFiles = cache ? await cache.findFiles(rootDir, (name) => JAVA_MANIFEST_FILES.has(name)) : await findJavaManifests(rootDir);
   const projectDirs = /* @__PURE__ */ new Map();
   for (const f of manifestFiles) {
-    const dir = path6.dirname(f);
+    const dir = path7.dirname(f);
     if (!projectDirs.has(dir)) projectDirs.set(dir, []);
     projectDirs.get(dir).push(f);
   }
@@ -2570,7 +2597,7 @@ async function scanJavaProjects(rootDir, mavenCache, cache) {
       if (result.ok) {
         results.push(result.value);
       } else {
-        const relPath = path6.relative(rootDir, dir);
+        const relPath = path7.relative(rootDir, dir);
         if (cache) cache.addStuckPath(relPath || ".");
         console.error(`Timeout scanning Java project ${dir} (>${STUCK_TIMEOUT_MS / 1e3}s) \u2014 skipped`);
       }
@@ -2590,13 +2617,13 @@ async function findJavaManifests(rootDir) {
   return findFiles2(rootDir, (name) => JAVA_MANIFEST_FILES.has(name));
 }
 async function scanOneJavaProject(dir, manifestFiles, rootDir, mavenCache, cache) {
-  const relDir = path6.relative(rootDir, dir) || ".";
-  let projectName = path6.basename(dir === rootDir ? rootDir : dir);
+  const relDir = path7.relative(rootDir, dir) || ".";
+  let projectName = path7.basename(dir === rootDir ? rootDir : dir);
   let javaVersion;
   const allDeps = /* @__PURE__ */ new Map();
   const projectReferences = [];
   for (const f of manifestFiles) {
-    const fileName = path6.basename(f);
+    const fileName = path7.basename(f);
     const content = cache ? await cache.readTextFile(f) : await readTextFile(f);
     if (fileName === "pom.xml") {
       const pom = parsePom(content, f);
@@ -2610,7 +2637,7 @@ async function scanOneJavaProject(dir, manifestFiles, rootDir, mavenCache, cache
       }
       for (const mod of pom.modules) {
         projectReferences.push({
-          path: path6.join(relDir, mod),
+          path: path7.join(relDir, mod),
           name: mod,
           refType: "project"
         });
@@ -2716,8 +2743,10 @@ async function scanOneJavaProject(dir, manifestFiles, rootDir, mavenCache, cache
 // src/scanners/nuget-cache.ts
 import * as semver6 from "semver";
 var NuGetCache = class {
-  constructor(sem) {
+  constructor(sem, manifest, offline = false) {
     this.sem = sem;
+    this.manifest = manifest;
+    this.offline = offline;
   }
   meta = /* @__PURE__ */ new Map();
   baseUrl = "https://api.nuget.org/v3-flatcontainer";
@@ -2725,6 +2754,23 @@ var NuGetCache = class {
     const existing = this.meta.get(pkg2);
     if (existing) return existing;
     const p = this.sem.run(async () => {
+      const manifestEntry = getManifestEntry(this.manifest, "nuget", pkg2);
+      if (manifestEntry) {
+        const stableVersions = (manifestEntry.versions ?? []).filter((v) => {
+          const parsed = semver6.valid(v);
+          return parsed && semver6.prerelease(v) === null;
+        });
+        const sorted = [...stableVersions].sort(semver6.rcompare);
+        const latestStableOverall = sorted[0] ?? null;
+        return {
+          latest: manifestEntry.latest ?? latestStableOverall,
+          stableVersions,
+          latestStableOverall
+        };
+      }
+      if (this.offline) {
+        return { latest: null, stableVersions: [], latestStableOverall: null };
+      }
       try {
         const url = `${this.baseUrl}/${pkg2.toLowerCase()}/index.json`;
         const response = await fetch(url, {
@@ -2767,14 +2813,34 @@ function pep440ToSemver2(ver) {
   return semver7.valid(v);
 }
 var PyPICache = class {
-  constructor(sem) {
+  constructor(sem, manifest, offline = false) {
     this.sem = sem;
+    this.manifest = manifest;
+    this.offline = offline;
   }
   meta = /* @__PURE__ */ new Map();
   get(pkg2) {
     const existing = this.meta.get(pkg2);
     if (existing) return existing;
     const p = this.sem.run(async () => {
+      const manifestEntry = getManifestEntry(this.manifest, "pypi", pkg2);
+      if (manifestEntry) {
+        const stableVersions = [];
+        for (const ver of manifestEntry.versions ?? []) {
+          const sv = pep440ToSemver2(ver);
+          if (sv) stableVersions.push(sv);
+        }
+        const sorted = [...stableVersions].sort(semver7.rcompare);
+        const latestStableOverall = sorted[0] ?? null;
+        return {
+          latest: manifestEntry.latest ? pep440ToSemver2(manifestEntry.latest) ?? latestStableOverall : latestStableOverall,
+          stableVersions,
+          latestStableOverall
+        };
+      }
+      if (this.offline) {
+        return { latest: null, stableVersions: [], latestStableOverall: null };
+      }
       try {
         const url = `https://pypi.org/pypi/${encodeURIComponent(pkg2)}/json`;
         const response = await fetch(url, {
@@ -2821,8 +2887,10 @@ function mavenToSemver2(ver) {
   return semver8.valid(v);
 }
 var MavenCache = class {
-  constructor(sem) {
+  constructor(sem, manifest, offline = false) {
     this.sem = sem;
+    this.manifest = manifest;
+    this.offline = offline;
   }
   meta = /* @__PURE__ */ new Map();
   /**
@@ -2835,6 +2903,25 @@ var MavenCache = class {
     const existing = this.meta.get(key);
     if (existing) return existing;
     const p = this.sem.run(async () => {
+      const key2 = `${groupId}:${artifactId}`;
+      const manifestEntry = getManifestEntry(this.manifest, "maven", key2);
+      if (manifestEntry) {
+        const stableVersions = [];
+        for (const ver of manifestEntry.versions ?? []) {
+          const sv = mavenToSemver2(ver);
+          if (sv) stableVersions.push(sv);
+        }
+        const sorted = [...stableVersions].sort(semver8.rcompare);
+        const latestStableOverall = sorted[0] ?? null;
+        return {
+          latest: manifestEntry.latest ? mavenToSemver2(manifestEntry.latest) ?? latestStableOverall : latestStableOverall,
+          stableVersions,
+          latestStableOverall
+        };
+      }
+      if (this.offline) {
+        return { latest: null, stableVersions: [], latestStableOverall: null };
+      }
       try {
         const url = `https://search.maven.org/solrsearch/select?q=g:%22${encodeURIComponent(groupId)}%22+AND+a:%22${encodeURIComponent(artifactId)}%22&core=gav&rows=100&wt=json`;
         const response = await fetch(url, {
@@ -2869,7 +2956,7 @@ var MavenCache = class {
 };
 
 // src/config.ts
-import * as path7 from "path";
+import * as path8 from "path";
 import * as fs from "fs/promises";
 var CONFIG_FILES = [
   "vibgrate.config.ts",
@@ -2895,7 +2982,7 @@ var DEFAULT_CONFIG = {
 async function loadConfig(rootDir) {
   let config = DEFAULT_CONFIG;
   for (const file of CONFIG_FILES) {
-    const configPath = path7.join(rootDir, file);
+    const configPath = path8.join(rootDir, file);
     if (await pathExists(configPath)) {
       if (file.endsWith(".json")) {
         const txt = await readTextFile(configPath);
@@ -2910,7 +2997,7 @@ async function loadConfig(rootDir) {
       }
     }
   }
-  const sidecarPath = path7.join(rootDir, ".vibgrate", "auto-excludes.json");
+  const sidecarPath = path8.join(rootDir, ".vibgrate", "auto-excludes.json");
   if (await pathExists(sidecarPath)) {
     try {
       const txt = await readTextFile(sidecarPath);
@@ -2925,7 +3012,7 @@ async function loadConfig(rootDir) {
   return config;
 }
 async function writeDefaultConfig(rootDir) {
-  const configPath = path7.join(rootDir, "vibgrate.config.ts");
+  const configPath = path8.join(rootDir, "vibgrate.config.ts");
   const content = `import type { VibgrateConfig } from '@vibgrate/cli';
 
 const config: VibgrateConfig = {
@@ -2951,7 +3038,7 @@ export default config;
 }
 async function appendExcludePatterns(rootDir, newPatterns) {
   if (newPatterns.length === 0) return false;
-  const jsonPath = path7.join(rootDir, "vibgrate.config.json");
+  const jsonPath = path8.join(rootDir, "vibgrate.config.json");
   if (await pathExists(jsonPath)) {
     try {
       const txt = await readTextFile(jsonPath);
@@ -2964,8 +3051,8 @@ async function appendExcludePatterns(rootDir, newPatterns) {
     } catch {
     }
   }
-  const vibgrateDir = path7.join(rootDir, ".vibgrate");
-  const sidecarPath = path7.join(vibgrateDir, "auto-excludes.json");
+  const vibgrateDir = path8.join(rootDir, ".vibgrate");
+  const sidecarPath = path8.join(vibgrateDir, "auto-excludes.json");
   let existing = [];
   if (await pathExists(sidecarPath)) {
     try {
@@ -2986,7 +3073,7 @@ async function appendExcludePatterns(rootDir, newPatterns) {
 }
 
 // src/utils/vcs.ts
-import * as path8 from "path";
+import * as path9 from "path";
 import * as fs2 from "fs/promises";
 async function detectVcs(rootDir) {
   try {
@@ -3000,7 +3087,7 @@ async function detectGit(rootDir) {
   if (!gitDir) {
     return { type: "unknown" };
   }
-  const headPath = path8.join(gitDir, "HEAD");
+  const headPath = path9.join(gitDir, "HEAD");
   let headContent;
   try {
     headContent = (await fs2.readFile(headPath, "utf8")).trim();
@@ -3016,18 +3103,20 @@ async function detectGit(rootDir) {
   } else if (/^[0-9a-f]{40}$/i.test(headContent)) {
     sha = headContent;
   }
+  const remoteUrl = await readGitRemoteUrl(gitDir);
   return {
     type: "git",
     sha: sha ?? void 0,
     shortSha: sha ? sha.slice(0, 7) : void 0,
-    branch: branch ?? void 0
+    branch: branch ?? void 0,
+    remoteUrl
   };
 }
 async function findGitDir(startDir) {
-  let dir = path8.resolve(startDir);
-  const root = path8.parse(dir).root;
+  let dir = path9.resolve(startDir);
+  const root = path9.parse(dir).root;
   while (dir !== root) {
-    const gitPath = path8.join(dir, ".git");
+    const gitPath = path9.join(dir, ".git");
     try {
       const stat3 = await fs2.stat(gitPath);
       if (stat3.isDirectory()) {
@@ -3036,18 +3125,18 @@ async function findGitDir(startDir) {
       if (stat3.isFile()) {
         const content = (await fs2.readFile(gitPath, "utf8")).trim();
         if (content.startsWith("gitdir: ")) {
-          const resolved = path8.resolve(dir, content.slice(8));
+          const resolved = path9.resolve(dir, content.slice(8));
           return resolved;
         }
       }
     } catch {
     }
-    dir = path8.dirname(dir);
+    dir = path9.dirname(dir);
   }
   return null;
 }
 async function resolveRef(gitDir, refPath) {
-  const loosePath = path8.join(gitDir, refPath);
+  const loosePath = path9.join(gitDir, refPath);
   try {
     const sha = (await fs2.readFile(loosePath, "utf8")).trim();
     if (/^[0-9a-f]{40}$/i.test(sha)) {
@@ -3055,7 +3144,7 @@ async function resolveRef(gitDir, refPath) {
     }
   } catch {
   }
-  const packedPath = path8.join(gitDir, "packed-refs");
+  const packedPath = path9.join(gitDir, "packed-refs");
   try {
     const packed = await fs2.readFile(packedPath, "utf8");
     for (const line of packed.split("\n")) {
@@ -3069,6 +3158,39 @@ async function resolveRef(gitDir, refPath) {
   }
   return void 0;
 }
+async function readGitRemoteUrl(gitDir) {
+  const configPath = await resolveGitConfigPath(gitDir);
+  if (!configPath) return void 0;
+  try {
+    const config = await fs2.readFile(configPath, "utf8");
+    const originBlock = config.match(/\[remote\s+"origin"\]([\s\S]*?)(?=\n\[|$)/);
+    if (!originBlock) return void 0;
+    const urlMatch = originBlock[1]?.match(/\n\s*url\s*=\s*(.+)\s*/);
+    return urlMatch?.[1]?.trim();
+  } catch {
+    return void 0;
+  }
+}
+async function resolveGitConfigPath(gitDir) {
+  const directConfig = path9.join(gitDir, "config");
+  try {
+    const stat3 = await fs2.stat(directConfig);
+    if (stat3.isFile()) return directConfig;
+  } catch {
+  }
+  const commonDirFile = path9.join(gitDir, "commondir");
+  try {
+    const commonDir = (await fs2.readFile(commonDirFile, "utf8")).trim();
+    if (!commonDir) return void 0;
+    const resolvedCommonDir = path9.resolve(gitDir, commonDir);
+    const commonConfig = path9.join(resolvedCommonDir, "config");
+    const stat3 = await fs2.stat(commonConfig);
+    if (stat3.isFile()) return commonConfig;
+  } catch {
+    return void 0;
+  }
+  return void 0;
+}
 
 // src/ui/progress.ts
 import chalk4 from "chalk";
@@ -3452,11 +3574,11 @@ var ScanProgress = class {
 
 // src/ui/scan-history.ts
 import * as fs3 from "fs/promises";
-import * as path9 from "path";
+import * as path10 from "path";
 var HISTORY_FILENAME = "scan_history.json";
 var MAX_RECORDS = 10;
 async function loadScanHistory(rootDir) {
-  const filePath = path9.join(rootDir, ".vibgrate", HISTORY_FILENAME);
+  const filePath = path10.join(rootDir, ".vibgrate", HISTORY_FILENAME);
   try {
     const txt = await fs3.readFile(filePath, "utf8");
     const data = JSON.parse(txt);
@@ -3469,8 +3591,8 @@ async function loadScanHistory(rootDir) {
   }
 }
 async function saveScanHistory(rootDir, record) {
-  const dir = path9.join(rootDir, ".vibgrate");
-  const filePath = path9.join(dir, HISTORY_FILENAME);
+  const dir = path10.join(rootDir, ".vibgrate");
+  const filePath = path10.join(dir, HISTORY_FILENAME);
   let history;
   const existing = await loadScanHistory(rootDir);
   if (existing) {
@@ -3534,7 +3656,7 @@ function estimateStepDurations(history, currentFileCount) {
 }
 
 // src/scanners/platform-matrix.ts
-import * as path10 from "path";
+import * as path11 from "path";
 var NATIVE_MODULE_PACKAGES = /* @__PURE__ */ new Set([
   // Image / media processing
   "sharp",
@@ -3814,7 +3936,7 @@ async function scanPlatformMatrix(rootDir, cache) {
   }
   result.dockerBaseImages = [...baseImages].sort();
   for (const file of [".nvmrc", ".node-version", ".tool-versions"]) {
-    const exists = cache ? await cache.pathExists(path10.join(rootDir, file)) : await pathExists(path10.join(rootDir, file));
+    const exists = cache ? await cache.pathExists(path11.join(rootDir, file)) : await pathExists(path11.join(rootDir, file));
     if (exists) {
       result.nodeVersionFiles.push(file);
     }
@@ -3891,7 +4013,7 @@ function scanDependencyRisk(projects) {
 }
 
 // src/scanners/dependency-graph.ts
-import * as path11 from "path";
+import * as path12 from "path";
 function parsePnpmLock(content) {
   const entries = [];
   const regex = /^\s+\/?(@?[^@\s][^@\s]*?)@(\d+\.\d+\.\d+[^:\s]*)\s*:/gm;
@@ -3950,9 +4072,9 @@ async function scanDependencyGraph(rootDir, cache) {
     phantomDependencies: []
   };
   let entries = [];
-  const pnpmLock = path11.join(rootDir, "pnpm-lock.yaml");
-  const npmLock = path11.join(rootDir, "package-lock.json");
-  const yarnLock = path11.join(rootDir, "yarn.lock");
+  const pnpmLock = path12.join(rootDir, "pnpm-lock.yaml");
+  const npmLock = path12.join(rootDir, "package-lock.json");
+  const yarnLock = path12.join(rootDir, "yarn.lock");
   const _pathExists = cache ? (p) => cache.pathExists(p) : pathExists;
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   if (await _pathExists(pnpmLock)) {
@@ -3999,7 +4121,7 @@ async function scanDependencyGraph(rootDir, cache) {
   for (const pjPath of pkgFiles) {
     try {
       const pj = cache ? await cache.readJsonFile(pjPath) : await readJsonFile(pjPath);
-      const relPath = path11.relative(rootDir, pjPath);
+      const relPath = path12.relative(rootDir, pjPath);
       for (const section of ["dependencies", "devDependencies"]) {
         const deps = pj[section];
         if (!deps) continue;
@@ -4345,7 +4467,7 @@ function scanToolingInventory(projects) {
 }
 
 // src/scanners/build-deploy.ts
-import * as path12 from "path";
+import * as path13 from "path";
 var CI_FILES = {
   ".github/workflows": "github-actions",
   ".gitlab-ci.yml": "gitlab-ci",
@@ -4398,17 +4520,17 @@ async function scanBuildDeploy(rootDir, cache) {
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   const ciSystems = /* @__PURE__ */ new Set();
   for (const [file, system] of Object.entries(CI_FILES)) {
-    const fullPath = path12.join(rootDir, file);
+    const fullPath = path13.join(rootDir, file);
     if (await _pathExists(fullPath)) {
       ciSystems.add(system);
     }
   }
-  const ghWorkflowDir = path12.join(rootDir, ".github", "workflows");
+  const ghWorkflowDir = path13.join(rootDir, ".github", "workflows");
   if (await _pathExists(ghWorkflowDir)) {
     try {
       if (cache) {
         const entries = await cache.walkDir(rootDir);
-        const ghPrefix = path12.relative(rootDir, ghWorkflowDir) + path12.sep;
+        const ghPrefix = path13.relative(rootDir, ghWorkflowDir) + path13.sep;
         result.ciWorkflowCount = entries.filter(
           (e) => e.isFile && e.relPath.startsWith(ghPrefix) && (e.name.endsWith(".yml") || e.name.endsWith(".yaml"))
         ).length;
@@ -4459,11 +4581,11 @@ async function scanBuildDeploy(rootDir, cache) {
     (name) => name.endsWith(".cfn.json") || name.endsWith(".cfn.yaml")
   );
   if (cfnFiles.length > 0) iacSystems.add("cloudformation");
-  if (await _pathExists(path12.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
+  if (await _pathExists(path13.join(rootDir, "Pulumi.yaml"))) iacSystems.add("pulumi");
   result.iac = [...iacSystems].sort();
   const releaseTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(RELEASE_FILES)) {
-    if (await _pathExists(path12.join(rootDir, file))) releaseTools.add(tool);
+    if (await _pathExists(path13.join(rootDir, file))) releaseTools.add(tool);
   }
   const pkgFiles = cache ? await cache.findPackageJsonFiles(rootDir) : await findPackageJsonFiles(rootDir);
   for (const pjPath of pkgFiles) {
@@ -4488,19 +4610,19 @@ async function scanBuildDeploy(rootDir, cache) {
   };
   const managers = /* @__PURE__ */ new Set();
   for (const [file, manager] of Object.entries(lockfileMap)) {
-    if (await _pathExists(path12.join(rootDir, file))) managers.add(manager);
+    if (await _pathExists(path13.join(rootDir, file))) managers.add(manager);
   }
   result.packageManagers = [...managers].sort();
   const monoTools = /* @__PURE__ */ new Set();
   for (const [file, tool] of Object.entries(MONOREPO_FILES)) {
-    if (await _pathExists(path12.join(rootDir, file))) monoTools.add(tool);
+    if (await _pathExists(path13.join(rootDir, file))) monoTools.add(tool);
   }
   result.monorepoTools = [...monoTools].sort();
   return result;
 }
 
 // src/scanners/ts-modernity.ts
-import * as path13 from "path";
+import * as path14 from "path";
 async function scanTsModernity(rootDir, cache) {
   const result = {
     typescriptVersion: null,
@@ -4538,7 +4660,7 @@ async function scanTsModernity(rootDir, cache) {
   if (hasEsm && hasCjs) result.moduleType = "mixed";
   else if (hasEsm) result.moduleType = "esm";
   else if (hasCjs) result.moduleType = "cjs";
-  let tsConfigPath = path13.join(rootDir, "tsconfig.json");
+  let tsConfigPath = path14.join(rootDir, "tsconfig.json");
   const tsConfigExists = cache ? await cache.pathExists(tsConfigPath) : await pathExists(tsConfigPath);
   if (!tsConfigExists) {
     const tsConfigs = cache ? await cache.findFiles(rootDir, (name) => name === "tsconfig.json") : await findFiles(rootDir, (name) => name === "tsconfig.json");
@@ -4885,7 +5007,7 @@ function scanBreakingChangeExposure(projects) {
 
 // src/scanners/file-hotspots.ts
 import * as fs4 from "fs/promises";
-import * as path14 from "path";
+import * as path15 from "path";
 var SKIP_DIRS = /* @__PURE__ */ new Set([
   "node_modules",
   ".git",
@@ -4930,9 +5052,9 @@ async function scanFileHotspots(rootDir, cache) {
     const entries = await cache.walkDir(rootDir);
     for (const entry of entries) {
       if (!entry.isFile) continue;
-      const ext = path14.extname(entry.name).toLowerCase();
+      const ext = path15.extname(entry.name).toLowerCase();
       if (SKIP_EXTENSIONS.has(ext)) continue;
-      const depth = entry.relPath.split(path14.sep).length - 1;
+      const depth = entry.relPath.split(path15.sep).length - 1;
       if (depth > maxDepth) maxDepth = depth;
       extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
       try {
@@ -4961,15 +5083,15 @@ async function scanFileHotspots(rootDir, cache) {
       for (const e of entries) {
         if (e.isDirectory) {
           if (SKIP_DIRS.has(e.name)) continue;
-          await walk(path14.join(dir, e.name), depth + 1);
+          await walk(path15.join(dir, e.name), depth + 1);
         } else if (e.isFile) {
-          const ext = path14.extname(e.name).toLowerCase();
+          const ext = path15.extname(e.name).toLowerCase();
           if (SKIP_EXTENSIONS.has(ext)) continue;
           extensionCounts[ext] = (extensionCounts[ext] ?? 0) + 1;
           try {
-            const stat3 = await fs4.stat(path14.join(dir, e.name));
+            const stat3 = await fs4.stat(path15.join(dir, e.name));
             allFiles.push({
-              path: path14.relative(rootDir, path14.join(dir, e.name)),
+              path: path15.relative(rootDir, path15.join(dir, e.name)),
               bytes: stat3.size
             });
           } catch {
@@ -4992,7 +5114,7 @@ async function scanFileHotspots(rootDir, cache) {
 }
 
 // src/scanners/security-posture.ts
-import * as path15 from "path";
+import * as path16 from "path";
 var LOCKFILES = {
   "pnpm-lock.yaml": "pnpm",
   "package-lock.json": "npm",
@@ -5013,14 +5135,14 @@ async function scanSecurityPosture(rootDir, cache) {
   const _readTextFile = cache ? (p) => cache.readTextFile(p) : readTextFile;
   const foundLockfiles = [];
   for (const [file, type] of Object.entries(LOCKFILES)) {
-    if (await _pathExists(path15.join(rootDir, file))) {
+    if (await _pathExists(path16.join(rootDir, file))) {
       foundLockfiles.push(type);
     }
   }
   result.lockfilePresent = foundLockfiles.length > 0;
   result.multipleLockfileTypes = foundLockfiles.length > 1;
   result.lockfileTypes = foundLockfiles.sort();
-  const gitignorePath = path15.join(rootDir, ".gitignore");
+  const gitignorePath = path16.join(rootDir, ".gitignore");
   if (await _pathExists(gitignorePath)) {
     try {
       const content = await _readTextFile(gitignorePath);
@@ -5035,7 +5157,7 @@ async function scanSecurityPosture(rootDir, cache) {
     }
   }
   for (const envFile of [".env", ".env.local", ".env.development", ".env.production"]) {
-    if (await _pathExists(path15.join(rootDir, envFile))) {
+    if (await _pathExists(path16.join(rootDir, envFile))) {
       if (!result.gitignoreCoversEnv) {
         result.envFilesTracked = true;
         break;
@@ -5046,8 +5168,8 @@ async function scanSecurityPosture(rootDir, cache) {
 }
 
 // src/scanners/security-scanners.ts
-import { spawn as spawn2 } from "child_process";
-import * as path16 from "path";
+import { spawn as spawn3 } from "child_process";
+import * as path17 from "path";
 var TOOL_MATRIX = [
   { key: "semgrep", category: "sast", command: "semgrep", versionArgs: ["--version"], minRecommendedVersion: "1.75.0" },
   { key: "gitleaks", category: "secrets", command: "gitleaks", versionArgs: ["version"], minRecommendedVersion: "8.20.0" },
@@ -5060,8 +5182,8 @@ var SECRET_HEURISTICS = [
   { detector: "private-key", pattern: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
   { detector: "slack-token", pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g }
 ];
-var defaultRunner = (command, args) => new Promise((resolve8, reject) => {
-  const child = spawn2(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+var defaultRunner = (command, args) => new Promise((resolve10, reject) => {
+  const child = spawn3(command, args, { stdio: ["ignore", "pipe", "pipe"] });
   let stdout = "";
   let stderr = "";
   child.stdout.on("data", (d) => {
@@ -5072,7 +5194,7 @@ var defaultRunner = (command, args) => new Promise((resolve8, reject) => {
   });
   child.on("error", reject);
   child.on("close", (code) => {
-    resolve8({ stdout, stderr, exitCode: code ?? 1 });
+    resolve10({ stdout, stderr, exitCode: code ?? 1 });
   });
 });
 function compareSemver(a, b) {
@@ -5142,7 +5264,7 @@ async function detectSecretHeuristics(rootDir, cache) {
   const findings = [];
   for (const entry of entries) {
     if (!entry.isFile) continue;
-    const ext = path16.extname(entry.name).toLowerCase();
+    const ext = path17.extname(entry.name).toLowerCase();
     if (ext && [".png", ".jpg", ".jpeg", ".gif", ".zip", ".pdf"].includes(ext)) continue;
     const content = await cache.readTextFile(entry.absPath);
     if (!content || content.length > 3e5) continue;
@@ -5165,9 +5287,9 @@ async function scanSecurityScanners(rootDir, cache, runner = defaultRunner) {
   const [semgrep, gitleaks, trufflehog] = await Promise.all(TOOL_MATRIX.map((tool) => assessTool(tool, runner)));
   const heuristicFindings = await detectSecretHeuristics(rootDir, cache);
   const configFiles = {
-    semgrep: await cache.pathExists(path16.join(rootDir, ".semgrep.yml")) || await cache.pathExists(path16.join(rootDir, ".semgrep.yaml")),
-    gitleaks: await cache.pathExists(path16.join(rootDir, ".gitleaks.toml")),
-    trufflehog: await cache.pathExists(path16.join(rootDir, ".trufflehog.yml")) || await cache.pathExists(path16.join(rootDir, ".trufflehog.yaml"))
+    semgrep: await cache.pathExists(path17.join(rootDir, ".semgrep.yml")) || await cache.pathExists(path17.join(rootDir, ".semgrep.yaml")),
+    gitleaks: await cache.pathExists(path17.join(rootDir, ".gitleaks.toml")),
+    trufflehog: await cache.pathExists(path17.join(rootDir, ".trufflehog.yml")) || await cache.pathExists(path17.join(rootDir, ".trufflehog.yaml"))
   };
   return {
     semgrep,
@@ -5592,7 +5714,7 @@ function scanServiceDependencies(projects) {
 }
 
 // src/scanners/architecture.ts
-import * as path17 from "path";
+import * as path18 from "path";
 import * as fs5 from "fs/promises";
 var ARCHETYPE_SIGNALS = [
   // Meta-frameworks (highest priority — they imply routing patterns)
@@ -5891,9 +6013,9 @@ async function walkSourceFiles(rootDir, cache) {
     const entries = await cache.walkDir(rootDir);
     return entries.filter((e) => {
       if (!e.isFile) return false;
-      const name = path17.basename(e.absPath);
+      const name = path18.basename(e.absPath);
       if (name.startsWith(".") && name !== ".") return false;
-      const ext = path17.extname(name);
+      const ext = path18.extname(name);
       return SOURCE_EXTENSIONS.has(ext);
     }).map((e) => e.relPath);
   }
@@ -5907,15 +6029,15 @@ async function walkSourceFiles(rootDir, cache) {
     }
     for (const entry of entries) {
       if (entry.name.startsWith(".") && entry.name !== ".") continue;
-      const fullPath = path17.join(dir, entry.name);
+      const fullPath = path18.join(dir, entry.name);
       if (entry.isDirectory()) {
         if (!IGNORE_DIRS.has(entry.name)) {
           await walk(fullPath);
         }
       } else if (entry.isFile()) {
-        const ext = path17.extname(entry.name);
+        const ext = path18.extname(entry.name);
         if (SOURCE_EXTENSIONS.has(ext)) {
-          files.push(path17.relative(rootDir, fullPath));
+          files.push(path18.relative(rootDir, fullPath));
         }
       }
     }
@@ -5939,7 +6061,7 @@ function classifyFile(filePath, archetype) {
     }
   }
   if (!bestMatch || bestMatch.confidence < 0.7) {
-    const baseName = path17.basename(filePath, path17.extname(filePath));
+    const baseName = path18.basename(filePath, path18.extname(filePath));
     const cleanBase = baseName.replace(/\.(test|spec)$/, "");
     for (const rule of SUFFIX_RULES) {
       if (cleanBase.endsWith(rule.suffix)) {
@@ -6022,6 +6144,56 @@ function mapToolingToLayers(tooling, services, depsByLayer) {
   }
   return { layerTooling, layerServices };
 }
+function generateLayerFlowMermaid(layers) {
+  const labels = {
+    presentation: "Presentation",
+    routing: "Routing",
+    middleware: "Middleware",
+    services: "Services",
+    domain: "Domain",
+    "data-access": "Data Access",
+    infrastructure: "Infrastructure",
+    config: "Config",
+    shared: "Shared",
+    testing: "Testing"
+  };
+  if (layers.length === 0) {
+    return 'flowchart TD\n  APP["Project"]';
+  }
+  const ordered = [...layers];
+  const lines = ["flowchart TD"];
+  for (let i = 0; i < ordered.length; i++) {
+    const layer = ordered[i];
+    lines.push(`  L${i}["${labels[layer]}"]`);
+    if (i > 0) lines.push(`  L${i - 1} --> L${i}`);
+  }
+  return lines.join("\n");
+}
+async function buildProjectArchitectureMermaid(rootDir, project, archetype, cache) {
+  const projectRoot = path18.resolve(rootDir, project.path || ".");
+  const allFiles = await walkSourceFiles(projectRoot, cache);
+  const layerSet = /* @__PURE__ */ new Set();
+  for (const rel of allFiles) {
+    const classification = classifyFile(rel, archetype);
+    if (classification) {
+      layerSet.add(classification.layer);
+    }
+  }
+  const layerOrder = [
+    "presentation",
+    "routing",
+    "middleware",
+    "services",
+    "domain",
+    "data-access",
+    "infrastructure",
+    "config",
+    "shared",
+    "testing"
+  ];
+  const orderedLayers = layerOrder.filter((l) => layerSet.has(l));
+  return generateLayerFlowMermaid(orderedLayers);
+}
 async function scanArchitecture(rootDir, projects, tooling, services, cache) {
   const { archetype, confidence: archetypeConfidence } = detectArchetype(projects);
   const sourceFiles = await walkSourceFiles(rootDir, cache);
@@ -6124,7 +6296,7 @@ async function scanArchitecture(rootDir, projects, tooling, services, cache) {
 }
 
 // src/scanners/code-quality.ts
-import * as path18 from "path";
+import * as path19 from "path";
 import * as ts from "typescript";
 var SOURCE_EXTENSIONS2 = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
 var DEFAULT_RESULT = {
@@ -6155,9 +6327,9 @@ async function scanCodeQuality(rootDir, cache) {
       continue;
     }
     if (!raw.trim()) continue;
-    const rel = normalizeModuleId(path18.relative(rootDir, filePath));
+    const rel = normalizeModuleId(path19.relative(rootDir, filePath));
     const source = ts.createSourceFile(filePath, raw, ts.ScriptTarget.Latest, true);
-    const imports = collectLocalImports(source, path18.dirname(filePath), rootDir);
+    const imports = collectLocalImports(source, path19.dirname(filePath), rootDir);
     depGraph.set(rel, imports);
     const fileMetrics = computeFileMetrics(source, raw);
     totalFunctions += fileMetrics.functionsAnalyzed;
@@ -6191,9 +6363,9 @@ async function scanCodeQuality(rootDir, cache) {
 async function findSourceFiles(rootDir, cache) {
   if (cache) {
     const entries = await cache.walkDir(rootDir);
-    return entries.filter((entry) => entry.isFile && SOURCE_EXTENSIONS2.has(path18.extname(entry.name).toLowerCase())).map((entry) => entry.absPath);
+    return entries.filter((entry) => entry.isFile && SOURCE_EXTENSIONS2.has(path19.extname(entry.name).toLowerCase())).map((entry) => entry.absPath);
   }
-  const files = await findFiles(rootDir, (name) => SOURCE_EXTENSIONS2.has(path18.extname(name).toLowerCase()));
+  const files = await findFiles(rootDir, (name) => SOURCE_EXTENSIONS2.has(path19.extname(name).toLowerCase()));
   return files;
 }
 function collectLocalImports(source, fileDir, rootDir) {
@@ -6214,8 +6386,8 @@ function collectLocalImports(source, fileDir, rootDir) {
 }
 function resolveLocalImport(specifier, fileDir, rootDir) {
   if (!specifier.startsWith(".")) return null;
-  const rawTarget = path18.resolve(fileDir, specifier);
-  const normalized = path18.relative(rootDir, rawTarget).replace(/\\/g, "/");
+  const rawTarget = path19.resolve(fileDir, specifier);
+  const normalized = path19.relative(rootDir, rawTarget).replace(/\\/g, "/");
   if (!normalized || normalized.startsWith("..")) return null;
   return normalizeModuleId(normalized);
 }
@@ -6356,8 +6528,8 @@ function visitEach(node, cb) {
 }
 
 // src/scanners/owasp-category-mapping.ts
-import { spawn as spawn3 } from "child_process";
-import * as path19 from "path";
+import { spawn as spawn4 } from "child_process";
+import * as path20 from "path";
 var OWASP_CONFIG = "p/owasp-top-ten";
 var DEFAULT_EXTENSIONS = /* @__PURE__ */ new Set([
   ".js",
@@ -6382,8 +6554,8 @@ var DEFAULT_EXTENSIONS = /* @__PURE__ */ new Set([
   ".env"
 ]);
 async function runSemgrep(args, cwd, stdin) {
-  return new Promise((resolve8, reject) => {
-    const child = spawn3("semgrep", args, {
+  return new Promise((resolve10, reject) => {
+    const child = spawn4("semgrep", args, {
       cwd,
       shell: true,
       stdio: ["pipe", "pipe", "pipe"]
@@ -6398,7 +6570,7 @@ async function runSemgrep(args, cwd, stdin) {
     });
     child.on("error", reject);
     child.on("close", (code) => {
-      resolve8({ code: code ?? 1, stdout, stderr });
+      resolve10({ code: code ?? 1, stdout, stderr });
     });
     if (stdin !== void 0) child.stdin.write(stdin);
     child.stdin.end();
@@ -6436,7 +6608,7 @@ function parseFindings(results, rootDir) {
     const metadata = r.extra?.metadata;
     return {
       ruleId: r.check_id ?? "unknown",
-      path: r.path ? path19.relative(rootDir, path19.resolve(rootDir, r.path)) : "",
+      path: r.path ? path20.relative(rootDir, path20.resolve(rootDir, r.path)) : "",
       line: r.start?.line ?? 1,
       endLine: r.end?.line,
       message: r.extra?.message ?? "Potential security issue",
@@ -6496,7 +6668,7 @@ async function scanOwaspCategoryMapping(rootDir, cache, options = {}, runner = r
     }
   }
   const entries = cache ? await cache.walkDir(rootDir) : [];
-  const files = entries.filter((e) => e.isFile && DEFAULT_EXTENSIONS.has(path19.extname(e.name).toLowerCase()));
+  const files = entries.filter((e) => e.isFile && DEFAULT_EXTENSIONS.has(path20.extname(e.name).toLowerCase()));
   const findings = [];
   const errors = [];
   let scannedFiles = 0;
@@ -6528,8 +6700,223 @@ async function scanOwaspCategoryMapping(rootDir, cache, options = {}, runner = r
   };
 }
 
+// src/scanners/ui-purpose.ts
+var UI_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".tsx",
+  ".jsx",
+  ".ts",
+  ".js",
+  ".vue",
+  ".svelte",
+  ".html",
+  ".mdx",
+  ".json",
+  ".yml",
+  ".yaml"
+]);
+var HIGH_SIGNAL_DEPENDENCIES = /* @__PURE__ */ new Set([
+  "stripe",
+  "posthog-js",
+  "posthog-node",
+  "@sentry/node",
+  "@sentry/browser",
+  "@sentry/react",
+  "next-auth",
+  "firebase",
+  "auth0",
+  "@auth0/auth0-react",
+  "@supabase/supabase-js",
+  "supabase",
+  "clerk",
+  "@clerk/clerk-js"
+]);
+var GENERIC_LOW_SIGNAL = /* @__PURE__ */ new Set(["welcome", "home", "click here", "learn more", "submit", "cancel"]);
+async function scanUiPurpose(rootDir, fileCache, maxItems = 300) {
+  const entries = await fileCache.walkDir(rootDir);
+  const files = entries.filter((e) => e.isFile);
+  const packageJsonEntry = files.find((e) => e.relPath === "package.json");
+  let packageJson = {};
+  if (packageJsonEntry) {
+    try {
+      packageJson = JSON.parse(await fileCache.readTextFile(packageJsonEntry.absPath));
+    } catch {
+      packageJson = {};
+    }
+  }
+  const frameworks = detectFrameworks(packageJson);
+  const items = [];
+  for (const entry of files) {
+    const ext = extension(entry.relPath);
+    if (!UI_EXTENSIONS.has(ext)) continue;
+    if (!isLikelyUiPath(entry.relPath)) {
+      const routeHints2 = extractRouteHints(entry.relPath, frameworks);
+      if (routeHints2.length > 0) {
+        items.push(...routeHints2.map((r) => ({ ...r, file: entry.relPath })));
+      }
+      continue;
+    }
+    const routeHints = extractRouteHints(entry.relPath, frameworks);
+    if (routeHints.length > 0) {
+      items.push(...routeHints.map((r) => ({ ...r, file: entry.relPath })));
+    }
+    const src = await fileCache.readTextFile(entry.absPath);
+    if (!src || src.length > 512e3) continue;
+    const strings = extractUiStrings(src);
+    for (const text of strings) {
+      const kind = classifyString(text);
+      const weight = scoreString(kind, text);
+      items.push({ kind, value: text, file: entry.relPath, weight });
+    }
+    if (/(featureFlag|FEATURE_FLAG|launchDarkly|isFeatureEnabled|flags\.)/.test(src)) {
+      items.push({ kind: "feature_flag", value: `flags in ${entry.relPath}`, file: entry.relPath, weight: 2 });
+    }
+  }
+  const deps = getDependencies(packageJson);
+  for (const [name, version] of deps) {
+    if (HIGH_SIGNAL_DEPENDENCIES.has(name)) {
+      items.push({ kind: "dependency", value: `${name}@${version}`, file: "package.json", weight: 4 });
+    }
+  }
+  const deduped = dedupeByKindValue(items).sort((a, b) => b.weight - a.weight || a.value.localeCompare(b.value));
+  const cappedItems = deduped.slice(0, maxItems);
+  const unknownSignals = buildUnknowns(cappedItems);
+  return {
+    enabled: true,
+    detectedFrameworks: frameworks,
+    evidenceCount: deduped.length,
+    capped: deduped.length > cappedItems.length,
+    topEvidence: cappedItems,
+    unknownSignals
+  };
+}
+function extension(relPath) {
+  const i = relPath.lastIndexOf(".");
+  return i === -1 ? "" : relPath.slice(i).toLowerCase();
+}
+function isLikelyUiPath(relPath) {
+  const lower = relPath.toLowerCase();
+  return lower.startsWith("pages/") || lower.includes("/pages/") || lower.startsWith("app/") || lower.includes("/app/") || lower.startsWith("components/") || lower.includes("/components/") || lower.startsWith("ui/") || lower.includes("/ui/") || lower.startsWith("views/") || lower.includes("/views/") || lower.includes("/routes") || lower.startsWith("routes") || lower.includes("/router") || lower.startsWith("router") || lower.startsWith("locales/") || lower.includes("/locales/") || lower.startsWith("i18n/") || lower.includes("/i18n/") || lower.endsWith(".html") || lower.endsWith(".mdx");
+}
+function detectFrameworks(pkgJson) {
+  const deps = {
+    ...asRecord(pkgJson.dependencies),
+    ...asRecord(pkgJson.devDependencies)
+  };
+  const hits = [];
+  if (deps.next) hits.push("nextjs");
+  if (deps.nuxt || deps.nuxt3) hits.push("nuxt");
+  if (deps.react) hits.push("react");
+  if (deps.vue) hits.push("vue");
+  if (deps.svelte) hits.push("svelte");
+  if (deps["@angular/core"]) hits.push("angular");
+  return Array.from(new Set(hits));
+}
+function extractRouteHints(relPath, frameworks) {
+  const items = [];
+  if (frameworks.includes("nextjs")) {
+    const m = relPath.match(/^(?:src\/)?(pages|app)\/(.+)\.(tsx|jsx|ts|js)$/);
+    if (m) {
+      let route = "/" + m[2].replace(/(^|\/)page$/i, "").replace(/(^|\/)route$/i, "").replace(/index$/i, "").replace(/\[(?:\.\.\.)?(.+?)\]/g, ":$1").replace(/\/+/g, "/");
+      if (route !== "/" && route.endsWith("/")) route = route.slice(0, -1);
+      items.push({ kind: "route", value: route || "/", weight: 5 });
+    }
+  }
+  if (/(^|\/)(routes?|router)\.(ts|js|json)$/.test(relPath) || relPath.includes("/router/")) {
+    items.push({ kind: "route", value: `route config: ${relPath}`, weight: 3 });
+  }
+  return items;
+}
+function extractUiStrings(src) {
+  const out = [];
+  const textNodeRegex = />\s*([A-Za-z0-9][^<>]{2,120}?)\s*</g;
+  for (const m of src.matchAll(textNodeRegex)) {
+    const s = normaliseText(m[1] ?? "");
+    if (isUsefulString(s)) out.push(s);
+  }
+  const titleRegex = /<title>\s*([^<]{2,120})\s*<\/title>|title\s*[:=]\s*["'`](.{2,120}?)["'`]/g;
+  for (const m of src.matchAll(titleRegex)) {
+    const s = normaliseText((m[1] ?? m[2] ?? "").trim());
+    if (isUsefulString(s)) out.push(s);
+  }
+  const attrRegex = /(?:aria-label|label|placeholder|alt)\s*=\s*["'`](.{2,120}?)["'`]/g;
+  for (const m of src.matchAll(attrRegex)) {
+    const s = normaliseText(m[1] ?? "");
+    if (isUsefulString(s)) out.push(s);
+  }
+  const jsonValueRegex = /:\s*["'`](.{2,140}?)["'`]\s*[,\n]/g;
+  for (const m of src.matchAll(jsonValueRegex)) {
+    const s = normaliseText(m[1] ?? "");
+    if (isUsefulString(s)) out.push(s);
+  }
+  return out;
+}
+function classifyString(s) {
+  const lower = s.toLowerCase();
+  if (/(pricing|plan|billing|subscription|trial|credit)/.test(lower)) return "copy";
+  if (/(sign in|sign up|log in|register|invite|workspace|organization|sso|oauth)/.test(lower)) return "copy";
+  if (/(dashboard|reports|settings|integrations|users|roles|permissions)/.test(lower)) return "heading";
+  if (/(get started|start|scan|generate|export|run|deploy|upgrade|analy[sz]e)/.test(lower)) return "cta";
+  if (/(overview|features|about|documentation|docs)/.test(lower)) return "title";
+  if (/(menu|navigation|sidebar|breadcrumb)/.test(lower)) return "nav";
+  return "copy";
+}
+function scoreString(kind, value) {
+  const lower = value.toLowerCase();
+  if (GENERIC_LOW_SIGNAL.has(lower)) return 0;
+  let score = 1;
+  if (kind === "route") score += 4;
+  if (kind === "nav") score += 3;
+  if (kind === "title") score += 2;
+  if (kind === "heading") score += 2;
+  if (kind === "cta") score += 2;
+  if (/(pricing|billing|subscription|auth|security|integration)/.test(lower)) score += 2;
+  if (/(dashboard|report|scan|workspace|project|repository)/.test(lower)) score += 1;
+  return score;
+}
+function dedupeByKindValue(items) {
+  const seen = /* @__PURE__ */ new Map();
+  for (const item of items) {
+    const key = `${item.kind}::${item.value.toLowerCase()}`;
+    const prev = seen.get(key);
+    if (!prev || item.weight > prev.weight) {
+      seen.set(key, item);
+    }
+  }
+  return Array.from(seen.values()).filter((i) => i.weight > 0);
+}
+function buildUnknowns(items) {
+  const unknowns = [];
+  const hasPricing = items.some((i) => /pricing|billing|subscription|trial|credit/i.test(i.value));
+  const hasAuth = items.some((i) => /sign in|sign up|login|auth|sso|oauth|invite/i.test(i.value));
+  const hasIntegrations = items.some((i) => /integration|webhook|api key|connector/i.test(i.value));
+  const hasRoutes = items.some((i) => i.kind === "route");
+  if (!hasPricing) unknowns.push("No pricing or billing evidence found.");
+  if (!hasAuth) unknowns.push("No authentication or user access flow evidence found.");
+  if (!hasIntegrations) unknowns.push("No integrations/connectors evidence found.");
+  if (!hasRoutes) unknowns.push("No route structure evidence found.");
+  return unknowns;
+}
+function asRecord(value) {
+  if (!value || typeof value !== "object") return {};
+  return value;
+}
+function getDependencies(pkgJson) {
+  return Object.entries(asRecord(pkgJson.dependencies));
+}
+function normaliseText(s) {
+  return s.replace(/\s+/g, " ").trim();
+}
+function isUsefulString(s) {
+  if (!s || s.length < 3 || s.length > 160) return false;
+  if (/^[0-9_./-]+$/.test(s)) return false;
+  if (/^(true|false|null|undefined)$/i.test(s)) return false;
+  if (/[<>{}]/.test(s)) return false;
+  if (/function\s*\(|=>|console\.|import\s+|export\s+/.test(s)) return false;
+  return true;
+}
+
 // src/utils/tool-installer.ts
-import { spawn as spawn4 } from "child_process";
+import { spawn as spawn5 } from "child_process";
 import chalk5 from "chalk";
 var SECURITY_TOOLS = [
   { name: "semgrep", command: "semgrep", brew: "semgrep", winget: null, scoop: null, pip: "semgrep" },
@@ -6537,9 +6924,9 @@ var SECURITY_TOOLS = [
   { name: "trufflehog", command: "trufflehog", brew: "trufflehog", winget: null, scoop: "trufflehog", pip: null }
 ];
 var IS_WIN = process.platform === "win32";
-function runCommand(cmd, args) {
-  return new Promise((resolve8) => {
-    const child = spawn4(cmd, args, {
+function runCommand2(cmd, args) {
+  return new Promise((resolve10) => {
+    const child = spawn5(cmd, args, {
       stdio: ["ignore", "pipe", "pipe"],
       shell: IS_WIN
       // required for .cmd/.ps1 wrappers on Windows
@@ -6552,19 +6939,19 @@ function runCommand(cmd, args) {
     child.stderr.on("data", (d) => {
       stderr += d.toString();
     });
-    child.on("error", () => resolve8({ exitCode: 127, stdout, stderr }));
-    child.on("close", (code) => resolve8({ exitCode: code ?? 1, stdout, stderr }));
+    child.on("error", () => resolve10({ exitCode: 127, stdout, stderr }));
+    child.on("close", (code) => resolve10({ exitCode: code ?? 1, stdout, stderr }));
   });
 }
 async function commandExists(command) {
   const checker = IS_WIN ? "where" : "which";
-  const { exitCode } = await runCommand(checker, [command]);
+  const { exitCode } = await runCommand2(checker, [command]);
   return exitCode === 0;
 }
 async function tryInstall(tool, strategies, log) {
   for (const { pm, args } of strategies) {
     log(chalk5.dim(`    ${pm} ${args.join(" ")}\u2026`));
-    const { exitCode, stderr } = await runCommand(pm, args);
+    const { exitCode, stderr } = await runCommand2(pm, args);
     if (exitCode === 0) {
       log(`    ${chalk5.green("\u2714")} ${tool.name} installed via ${pm}`);
       return { ok: true, pm };
@@ -6620,20 +7007,163 @@ async function installMissingTools(log = (m) => process.stderr.write(m + "\n"))
   return result;
 }
 
+// src/utils/mermaid.ts
+function sanitizeId(input) {
+  return input.replace(/[^a-zA-Z0-9_]/g, "_");
+}
+function escapeLabel(input) {
+  return input.replace(/"/g, '\\"');
+}
+function scoreClass(score) {
+  if (score === void 0 || Number.isNaN(score)) return "scoreUnknown";
+  if (score >= 70) return "scoreHigh";
+  if (score >= 40) return "scoreModerate";
+  return "scoreLow";
+}
+function nodeLabel(project) {
+  const score = project.drift?.score;
+  const scoreText = typeof score === "number" ? ` (${score})` : " (n/a)";
+  return `${project.name}${scoreText}`;
+}
+function buildDefs() {
+  return [
+    "classDef scoreHigh fill:#064e3b,stroke:#10b981,color:#d1fae5,stroke-width:2px",
+    "classDef scoreModerate fill:#78350f,stroke:#f59e0b,color:#fef3c7,stroke-width:2px",
+    "classDef scoreLow fill:#7f1d1d,stroke:#ef4444,color:#fee2e2,stroke-width:2px",
+    "classDef scoreUnknown fill:#334155,stroke:#94a3b8,color:#e2e8f0,stroke-width:2px"
+  ];
+}
+function generateWorkspaceRelationshipMermaid(projects) {
+  const lines = ["flowchart LR"];
+  const byPath = new Map(projects.map((p) => [p.path, p]));
+  for (const project of projects) {
+    const id = sanitizeId(project.projectId || project.path || project.name);
+    lines.push(`${id}["${escapeLabel(nodeLabel(project))}"]`);
+    lines.push(`class ${id} ${scoreClass(project.drift?.score)}`);
+  }
+  for (const project of projects) {
+    const fromId = sanitizeId(project.projectId || project.path || project.name);
+    for (const ref of project.projectReferences ?? []) {
+      const target = byPath.get(ref.path);
+      if (!target) continue;
+      const toId = sanitizeId(target.projectId || target.path || target.name);
+      lines.push(`${fromId} --> ${toId}`);
+    }
+  }
+  lines.push(...buildDefs());
+  return { mermaid: lines.join("\n") };
+}
+function generateProjectRelationshipMermaid(project, projects) {
+  const lines = ["flowchart LR"];
+  const byPath = new Map(projects.map((p) => [p.path, p]));
+  const parents = projects.filter((p) => p.projectReferences?.some((r) => r.path === project.path));
+  const children = (project.projectReferences ?? []).map((r) => byPath.get(r.path)).filter((p) => Boolean(p));
+  const centerId = sanitizeId(project.projectId || project.path || project.name);
+  lines.push(`${centerId}["${escapeLabel(nodeLabel(project))}"]`);
+  lines.push(`class ${centerId} ${scoreClass(project.drift?.score)}`);
+  for (const parent of parents) {
+    const id = sanitizeId(parent.projectId || parent.path || parent.name);
+    lines.push(`${id}["${escapeLabel(nodeLabel(parent))}"]`);
+    lines.push(`class ${id} ${scoreClass(parent.drift?.score)}`);
+    lines.push(`${id} --> ${centerId}`);
+  }
+  for (const child of children) {
+    const id = sanitizeId(child.projectId || child.path || child.name);
+    lines.push(`${id}["${escapeLabel(nodeLabel(child))}"]`);
+    lines.push(`class ${id} ${scoreClass(child.drift?.score)}`);
+    lines.push(`${centerId} --> ${id}`);
+  }
+  lines.push(...buildDefs());
+  return { mermaid: lines.join("\n") };
+}
+function generateSolutionRelationshipMermaid(solution, projects) {
+  const lines = ["flowchart TB"];
+  const solutionNodeId = sanitizeId(solution.solutionId || solution.path || solution.name);
+  const solutionScore = solution.drift?.score;
+  const solutionScoreText = typeof solutionScore === "number" ? ` (${solutionScore})` : " (n/a)";
+  lines.push(`${solutionNodeId}["${escapeLabel(`${solution.name}${solutionScoreText}`)}"]`);
+  lines.push(`class ${solutionNodeId} ${scoreClass(solutionScore)}`);
+  const projectByPath = new Map(projects.map((p) => [p.path, p]));
+  for (const projectPath of solution.projectPaths) {
+    const project = projectByPath.get(projectPath);
+    if (!project) continue;
+    const projectNodeId = sanitizeId(project.projectId || project.path || project.name);
+    lines.push(`${projectNodeId}["${escapeLabel(nodeLabel(project))}"]`);
+    lines.push(`class ${projectNodeId} ${scoreClass(project.drift?.score)}`);
+    lines.push(`${solutionNodeId} --> ${projectNodeId}`);
+    for (const ref of project.projectReferences ?? []) {
+      const target = projectByPath.get(ref.path);
+      if (!target) continue;
+      const toId = sanitizeId(target.projectId || target.path || target.name);
+      lines.push(`${projectNodeId} --> ${toId}`);
+    }
+  }
+  lines.push(...buildDefs());
+  return { mermaid: lines.join("\n") };
+}
+
 // src/commands/scan.ts
+async function discoverSolutions(rootDir, fileCache) {
+  const solutionFiles = await fileCache.findSolutionFiles(rootDir);
+  const parsed = [];
+  for (const solutionFile of solutionFiles) {
+    try {
+      const content = await fileCache.readTextFile(solutionFile);
+      const dir = path21.dirname(solutionFile);
+      const relSolutionPath = path21.relative(rootDir, solutionFile).replace(/\\/g, "/");
+      const projectPaths = /* @__PURE__ */ new Set();
+      const projectRegex = /Project\("[^"]*"\)\s*=\s*"([^"]*)",\s*"([^"]+\.csproj)"/g;
+      let match;
+      while ((match = projectRegex.exec(content)) !== null) {
+        const projectRelative = match[2];
+        const absProjectPath = path21.resolve(dir, projectRelative.replace(/\\/g, "/"));
+        projectPaths.add(path21.relative(rootDir, absProjectPath).replace(/\\/g, "/"));
+      }
+      const solutionName = path21.basename(solutionFile, path21.extname(solutionFile));
+      parsed.push({
+        path: relSolutionPath,
+        name: solutionName,
+        type: "dotnet-sln",
+        projectPaths: [...projectPaths]
+      });
+    } catch {
+    }
+  }
+  return parsed;
+}
 async function runScan(rootDir, opts) {
   const scanStart = Date.now();
   const config = await loadConfig(rootDir);
   const sem = new Semaphore(opts.concurrency);
-  const npmCache = new NpmCache(rootDir, sem);
-  const nugetCache = new NuGetCache(sem);
-  const pypiCache = new PyPICache(sem);
-  const mavenCache = new MavenCache(sem);
+  const packageManifest = opts.packageManifest ? await loadPackageVersionManifest(opts.packageManifest) : void 0;
+  const offlineMode = opts.offline === true;
+  const maxPrivacyMode = opts.maxPrivacy === true;
+  const npmCache = new NpmCache(rootDir, sem, packageManifest, offlineMode);
+  const nugetCache = new NuGetCache(sem, packageManifest, offlineMode);
+  const pypiCache = new PyPICache(sem, packageManifest, offlineMode);
+  const mavenCache = new MavenCache(sem, packageManifest, offlineMode);
   const fileCache = new FileCache();
   const excludePatterns = config.exclude ?? [];
   fileCache.setExcludePatterns(excludePatterns);
   fileCache.setMaxFileSize(config.maxFileSizeToScan ?? 5242880);
   const scanners = config.scanners;
+  const scannerPolicy = {
+    platformMatrix: !maxPrivacyMode,
+    toolingInventory: true,
+    serviceDependencies: !maxPrivacyMode,
+    breakingChangeExposure: !maxPrivacyMode,
+    securityPosture: true,
+    securityScanners: !maxPrivacyMode,
+    buildDeploy: !maxPrivacyMode,
+    tsModernity: !maxPrivacyMode,
+    fileHotspots: !maxPrivacyMode,
+    dependencyGraph: true,
+    dependencyRisk: true,
+    architecture: !maxPrivacyMode,
+    codeQuality: !maxPrivacyMode,
+    owaspCategoryMapping: !maxPrivacyMode,
+    uiPurpose: !maxPrivacyMode
+  };
   let filesScanned = 0;
   const progress = new ScanProgress(rootDir);
   const steps = [
@@ -6646,27 +7176,28 @@ async function runScan(rootDir, opts) {
     { id: "python", label: "Scanning Python projects", weight: 3 },
     { id: "java", label: "Scanning Java projects", weight: 3 },
     ...scanners !== false ? [
-      ...scanners?.platformMatrix?.enabled !== false ? [{ id: "platform", label: "Platform matrix" }] : [],
-      ...scanners?.toolingInventory?.enabled !== false ? [{ id: "tooling", label: "Tooling inventory" }] : [],
-      ...scanners?.serviceDependencies?.enabled !== false ? [{ id: "services", label: "Service dependencies" }] : [],
-      ...scanners?.breakingChangeExposure?.enabled !== false ? [{ id: "breaking", label: "Breaking change exposure" }] : [],
-      ...scanners?.securityPosture?.enabled !== false ? [{ id: "security", label: "Security posture" }] : [],
-      ...scanners?.securityScanners?.enabled !== false ? [{ id: "secscan", label: "Security scanners" }] : [],
-      ...scanners?.buildDeploy?.enabled !== false ? [{ id: "build", label: "Build & deploy analysis" }] : [],
-      ...scanners?.tsModernity?.enabled !== false ? [{ id: "ts", label: "TypeScript modernity" }] : [],
-      ...scanners?.fileHotspots?.enabled !== false ? [{ id: "hotspots", label: "File hotspots" }] : [],
-      ...scanners?.dependencyGraph?.enabled !== false ? [{ id: "depgraph", label: "Dependency graph" }] : [],
-      ...scanners?.dependencyRisk?.enabled !== false ? [{ id: "deprisk", label: "Dependency risk" }] : [],
-      ...scanners?.architecture?.enabled !== false ? [{ id: "architecture", label: "Architecture layers" }] : [],
-      ...scanners?.codeQuality?.enabled !== false ? [{ id: "codequality", label: "Code quality metrics" }] : [],
-      ...scanners?.owaspCategoryMapping?.enabled !== false ? [{ id: "owasp", label: "OWASP category mapping" }] : []
+      ...scannerPolicy.platformMatrix && scanners?.platformMatrix?.enabled !== false ? [{ id: "platform", label: "Platform matrix" }] : [],
+      ...scannerPolicy.toolingInventory && scanners?.toolingInventory?.enabled !== false ? [{ id: "tooling", label: "Tooling inventory" }] : [],
+      ...scannerPolicy.serviceDependencies && scanners?.serviceDependencies?.enabled !== false ? [{ id: "services", label: "Service dependencies" }] : [],
+      ...scannerPolicy.breakingChangeExposure && scanners?.breakingChangeExposure?.enabled !== false ? [{ id: "breaking", label: "Breaking change exposure" }] : [],
+      ...scannerPolicy.securityPosture && scanners?.securityPosture?.enabled !== false ? [{ id: "security", label: "Security posture" }] : [],
+      ...scannerPolicy.securityScanners && scanners?.securityScanners?.enabled !== false ? [{ id: "secscan", label: "Security scanners" }] : [],
+      ...scannerPolicy.buildDeploy && scanners?.buildDeploy?.enabled !== false ? [{ id: "build", label: "Build & deploy analysis" }] : [],
+      ...scannerPolicy.tsModernity && scanners?.tsModernity?.enabled !== false ? [{ id: "ts", label: "TypeScript modernity" }] : [],
+      ...scannerPolicy.fileHotspots && scanners?.fileHotspots?.enabled !== false ? [{ id: "hotspots", label: "File hotspots" }] : [],
+      ...scannerPolicy.dependencyGraph && scanners?.dependencyGraph?.enabled !== false ? [{ id: "depgraph", label: "Dependency graph" }] : [],
+      ...scannerPolicy.dependencyRisk && scanners?.dependencyRisk?.enabled !== false ? [{ id: "deprisk", label: "Dependency risk" }] : [],
+      ...scannerPolicy.architecture && scanners?.architecture?.enabled !== false ? [{ id: "architecture", label: "Architecture layers" }] : [],
+      ...scannerPolicy.codeQuality && scanners?.codeQuality?.enabled !== false ? [{ id: "codequality", label: "Code quality metrics" }] : [],
+      ...scannerPolicy.owaspCategoryMapping && scanners?.owaspCategoryMapping?.enabled !== false ? [{ id: "owasp", label: "OWASP category mapping" }] : [],
+      ...!maxPrivacyMode && (opts.uiPurpose || scanners?.uiPurpose?.enabled === true) ? [{ id: "uipurpose", label: "UI purpose evidence" }] : []
     ] : [],
     { id: "drift", label: "Computing drift score" },
     { id: "findings", label: "Generating findings" }
   ];
   progress.setSteps(steps);
   progress.completeStep("config", "loaded");
-  const registryOk = await checkRegistryAccess(rootDir);
+  const registryOk = offlineMode ? true : await checkRegistryAccess(rootDir);
   if (!registryOk) {
     progress.finish();
     const msg = [
@@ -6748,10 +7279,45 @@ async function runScan(rootDir, opts) {
     project.drift = computeDriftScore([project]);
     project.projectId = computeProjectId(project.path, project.name, workspaceId);
   }
+  const solutionsManifestPath = path21.join(rootDir, ".vibgrate", "solutions.json");
+  const persistedSolutionIds = /* @__PURE__ */ new Map();
+  if (await pathExists(solutionsManifestPath)) {
+    try {
+      const persisted = await readJsonFile(solutionsManifestPath);
+      for (const solution of persisted.solutions ?? []) {
+        if (solution.path && solution.solutionId) persistedSolutionIds.set(solution.path, solution.solutionId);
+      }
+    } catch {
+    }
+  }
+  const discoveredSolutions = await discoverSolutions(rootDir, fileCache);
+  const solutions = discoveredSolutions.map((solution) => ({
+    solutionId: persistedSolutionIds.get(solution.path) ?? computeSolutionId(solution.path, solution.name, workspaceId),
+    path: solution.path,
+    name: solution.name,
+    type: solution.type,
+    projectPaths: solution.projectPaths
+  }));
+  const projectsByPath = new Map(allProjects.map((project) => [project.path, project]));
+  for (const solution of solutions) {
+    const includedProjects = solution.projectPaths.map((projectPath) => projectsByPath.get(projectPath)).filter((project) => Boolean(project));
+    solution.drift = includedProjects.length > 0 ? computeDriftScore(includedProjects) : void 0;
+    for (const project of includedProjects) {
+      project.solutionId = solution.solutionId;
+      project.solutionName = solution.name;
+    }
+  }
+  for (const project of allProjects) {
+    project.relationshipDiagram = generateProjectRelationshipMermaid(project, allProjects);
+  }
+  for (const solution of solutions) {
+    solution.relationshipDiagram = generateSolutionRelationshipMermaid(solution, allProjects);
+  }
+  const relationshipDiagram = generateWorkspaceRelationshipMermaid(allProjects);
   const extended = {};
   if (scanners !== false) {
     const scannerTasks = [];
-    if (scanners?.platformMatrix?.enabled !== false) {
+    if (scannerPolicy.platformMatrix && scanners?.platformMatrix?.enabled !== false) {
       progress.startStep("platform");
       scannerTasks.push(
         scanPlatformMatrix(rootDir, fileCache).then((result) => {
@@ -6765,7 +7331,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.toolingInventory?.enabled !== false) {
+    if (scannerPolicy.toolingInventory && scanners?.toolingInventory?.enabled !== false) {
       progress.startStep("tooling");
       scannerTasks.push(
         Promise.resolve().then(() => {
@@ -6775,7 +7341,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.serviceDependencies?.enabled !== false) {
+    if (scannerPolicy.serviceDependencies && scanners?.serviceDependencies?.enabled !== false) {
       progress.startStep("services");
       scannerTasks.push(
         Promise.resolve().then(() => {
@@ -6785,7 +7351,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.breakingChangeExposure?.enabled !== false) {
+    if (scannerPolicy.breakingChangeExposure && scanners?.breakingChangeExposure?.enabled !== false) {
       progress.startStep("breaking");
       scannerTasks.push(
         Promise.resolve().then(() => {
@@ -6800,7 +7366,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.securityPosture?.enabled !== false) {
+    if (scannerPolicy.securityPosture && scanners?.securityPosture?.enabled !== false) {
       progress.startStep("security");
       scannerTasks.push(
         scanSecurityPosture(rootDir, fileCache).then((result) => {
@@ -6810,7 +7376,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.securityScanners?.enabled !== false) {
+    if (scannerPolicy.securityScanners && scanners?.securityScanners?.enabled !== false) {
       if (opts.installTools) {
         const installResult = await installMissingTools();
         if (installResult.installed.length > 0) {
@@ -6833,7 +7399,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.buildDeploy?.enabled !== false) {
+    if (scannerPolicy.buildDeploy && scanners?.buildDeploy?.enabled !== false) {
       progress.startStep("build");
       scannerTasks.push(
         scanBuildDeploy(rootDir, fileCache).then((result) => {
@@ -6845,7 +7411,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.tsModernity?.enabled !== false) {
+    if (scannerPolicy.tsModernity && scanners?.tsModernity?.enabled !== false) {
       progress.startStep("ts");
       scannerTasks.push(
         scanTsModernity(rootDir, fileCache).then((result) => {
@@ -6858,7 +7424,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.fileHotspots?.enabled !== false) {
+    if (scannerPolicy.fileHotspots && scanners?.fileHotspots?.enabled !== false) {
       progress.startStep("hotspots");
       scannerTasks.push(
         scanFileHotspots(rootDir, fileCache).then((result) => {
@@ -6867,7 +7433,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.dependencyGraph?.enabled !== false) {
+    if (scannerPolicy.dependencyGraph && scanners?.dependencyGraph?.enabled !== false) {
       progress.startStep("depgraph");
       scannerTasks.push(
         scanDependencyGraph(rootDir, fileCache).then((result) => {
@@ -6877,7 +7443,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.codeQuality?.enabled !== false) {
+    if (scannerPolicy.codeQuality && scanners?.codeQuality?.enabled !== false) {
       progress.startStep("codequality");
       scannerTasks.push(
         scanCodeQuality(rootDir, fileCache).then((result) => {
@@ -6890,7 +7456,7 @@ async function runScan(rootDir, opts) {
         })
       );
     }
-    if (scanners?.dependencyRisk?.enabled !== false) {
+    if (scannerPolicy.dependencyRisk && scanners?.dependencyRisk?.enabled !== false) {
       progress.startStep("deprisk");
       scannerTasks.push(
         Promise.resolve().then(() => {
@@ -6904,7 +7470,7 @@ async function runScan(rootDir, opts) {
       );
     }
     await Promise.all(scannerTasks);
-    if (scanners?.owaspCategoryMapping?.enabled !== false) {
+    if (scannerPolicy.owaspCategoryMapping && scanners?.owaspCategoryMapping?.enabled !== false) {
       progress.startStep("owasp");
       extended.owaspCategoryMapping = await scanOwaspCategoryMapping(
         rootDir,
@@ -6923,7 +7489,14 @@ async function runScan(rootDir, opts) {
         );
       }
     }
-    if (scanners?.architecture?.enabled !== false) {
+    if (!maxPrivacyMode && (opts.uiPurpose || scanners?.uiPurpose?.enabled === true)) {
+      progress.startStep("uipurpose");
+      extended.uiPurpose = await scanUiPurpose(rootDir, fileCache);
+      const up = extended.uiPurpose;
+      const summary = [`${up.topEvidence.length} evidence`, ...up.capped ? ["capped"] : []].join(" \xB7 ");
+      progress.completeStep("uipurpose", summary, up.topEvidence.length);
+    }
+    if (scannerPolicy.architecture && scanners?.architecture?.enabled !== false) {
       progress.startStep("architecture");
       extended.architecture = await scanArchitecture(
         rootDir,
@@ -6934,6 +7507,14 @@ async function runScan(rootDir, opts) {
       );
       const arch = extended.architecture;
       const layerCount = arch.layers.filter((l) => l.fileCount > 0).length;
+      await Promise.all(allProjects.map(async (project) => {
+        project.architectureMermaid = await buildProjectArchitectureMermaid(
+          rootDir,
+          project,
+          arch.archetype,
+          fileCache
+        );
+      }));
       progress.completeStep(
         "architecture",
         `${arch.archetype} \xB7 ${layerCount} layer${layerCount !== 1 ? "s" : ""} \xB7 ${arch.totalClassified} files`,
@@ -7001,23 +7582,28 @@ async function runScan(rootDir, opts) {
   }
   if (extended.codeQuality) filesScanned += extended.codeQuality.filesAnalyzed;
   if (extended.owaspCategoryMapping) filesScanned += extended.owaspCategoryMapping.scannedFiles;
+  if (extended.uiPurpose) filesScanned += extended.uiPurpose.topEvidence.length;
   const durationMs = Date.now() - scanStart;
+  const repository = await buildRepositoryInfo(rootDir, vcs.remoteUrl, extended.buildDeploy?.ci);
   const artifact = {
     schemaVersion: "1.0",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     vibgrateVersion: VERSION,
-    rootPath: path20.basename(rootDir),
+    rootPath: path21.basename(rootDir),
     ...vcs.type !== "unknown" ? { vcs } : {},
+    repository,
     projects: allProjects,
+    ...solutions.length > 0 ? { solutions } : {},
     drift,
     findings,
     ...Object.keys(extended).length > 0 ? { extended } : {},
     durationMs,
     filesScanned,
-    treeSummary: treeCount
+    treeSummary: treeCount,
+    relationshipDiagram
   };
   if (opts.baseline) {
-    const baselinePath = path20.resolve(opts.baseline);
+    const baselinePath = path21.resolve(opts.baseline);
     if (await pathExists(baselinePath)) {
       try {
         const baseline = await readJsonFile(baselinePath);
@@ -7028,9 +7614,21 @@ async function runScan(rootDir, opts) {
       }
     }
   }
-  const vibgrateDir = path20.join(rootDir, ".vibgrate");
-  await ensureDir(vibgrateDir);
-  await writeJsonFile(path20.join(vibgrateDir, "scan_result.json"), artifact);
+  if (!opts.noLocalArtifacts && !maxPrivacyMode) {
+    const vibgrateDir = path21.join(rootDir, ".vibgrate");
+    await ensureDir(vibgrateDir);
+    await writeJsonFile(path21.join(vibgrateDir, "scan_result.json"), artifact);
+    await writeJsonFile(path21.join(vibgrateDir, "solutions.json"), {
+      scannedAt: artifact.timestamp,
+      solutions: solutions.map((solution) => ({
+        solutionId: solution.solutionId,
+        name: solution.name,
+        path: solution.path,
+        type: solution.type,
+        projectPaths: solution.projectPaths
+      }))
+    });
+  }
   await saveScanHistory(rootDir, {
     timestamp: artifact.timestamp,
     totalDurationMs: durationMs,
@@ -7038,29 +7636,33 @@ async function runScan(rootDir, opts) {
     totalDirs: treeCount.totalDirs,
     steps: progress.getStepTimings()
   });
-  for (const project of allProjects) {
-    if (project.drift && project.path) {
-      const projectDir = path20.resolve(rootDir, project.path);
-      const projectVibgrateDir = path20.join(projectDir, ".vibgrate");
-      await ensureDir(projectVibgrateDir);
-      await writeJsonFile(path20.join(projectVibgrateDir, "project_score.json"), {
-        projectId: project.projectId,
-        name: project.name,
-        type: project.type,
-        path: project.path,
-        score: project.drift.score,
-        riskLevel: project.drift.riskLevel,
-        components: project.drift.components,
-        measured: project.drift.measured,
-        scannedAt: artifact.timestamp,
-        vibgrateVersion: VERSION
-      });
+  if (!opts.noLocalArtifacts && !maxPrivacyMode) {
+    for (const project of allProjects) {
+      if (project.drift && project.path) {
+        const projectDir = path21.resolve(rootDir, project.path);
+        const projectVibgrateDir = path21.join(projectDir, ".vibgrate");
+        await ensureDir(projectVibgrateDir);
+        await writeJsonFile(path21.join(projectVibgrateDir, "project_score.json"), {
+          projectId: project.projectId,
+          name: project.name,
+          type: project.type,
+          path: project.path,
+          score: project.drift.score,
+          riskLevel: project.drift.riskLevel,
+          components: project.drift.components,
+          measured: project.drift.measured,
+          scannedAt: artifact.timestamp,
+          vibgrateVersion: VERSION,
+          solutionId: project.solutionId,
+          solutionName: project.solutionName
+        });
+      }
     }
   }
   if (opts.format === "json") {
     const jsonStr = JSON.stringify(artifact, null, 2);
     if (opts.out) {
-      await writeTextFile(path20.resolve(opts.out), jsonStr);
+      await writeTextFile(path21.resolve(opts.out), jsonStr);
       console.log(chalk6.green("\u2714") + ` JSON written to ${opts.out}`);
     } else {
       console.log(jsonStr);
@@ -7069,7 +7671,7 @@ async function runScan(rootDir, opts) {
     const sarif = formatSarif(artifact);
     const sarifStr = JSON.stringify(sarif, null, 2);
     if (opts.out) {
-      await writeTextFile(path20.resolve(opts.out), sarifStr);
+      await writeTextFile(path21.resolve(opts.out), sarifStr);
       console.log(chalk6.green("\u2714") + ` SARIF written to ${opts.out}`);
     } else {
       console.log(sarifStr);
@@ -7078,11 +7680,34 @@ async function runScan(rootDir, opts) {
     const text = formatText(artifact);
     console.log(text);
     if (opts.out) {
-      await writeTextFile(path20.resolve(opts.out), text);
+      await writeTextFile(path21.resolve(opts.out), text);
     }
   }
   return artifact;
 }
+async function buildRepositoryInfo(rootDir, remoteUrl, ciSystems) {
+  const packageJsonPath = path21.join(rootDir, "package.json");
+  let name = path21.basename(rootDir);
+  let version;
+  if (await pathExists(packageJsonPath)) {
+    try {
+      const packageJson = await readJsonFile(packageJsonPath);
+      if (typeof packageJson.name === "string" && packageJson.name.trim()) {
+        name = packageJson.name.trim();
+      }
+      if (typeof packageJson.version === "string" && packageJson.version.trim()) {
+        version = packageJson.version.trim();
+      }
+    } catch {
+    }
+  }
+  return {
+    name,
+    ...version ? { version } : {},
+    ...ciSystems && ciSystems.length > 0 ? { pipeline: ciSystems.join(",") } : {},
+    ...remoteUrl ? { remoteUrl } : {}
+  };
+}
 async function autoPush(artifact, rootDir, opts) {
   const dsn = opts.dsn || process.env.VIBGRATE_DSN;
   if (!dsn) {
@@ -7145,8 +7770,16 @@ async function autoPush(artifact, rootDir, opts) {
     if (opts.strict) process.exit(1);
   }
 }
-var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").action(async (targetPath, opts) => {
-  const rootDir = path20.resolve(targetPath);
+function parseNonNegativeNumber(value, label) {
+  if (value === void 0) return void 0;
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed < 0) {
+    throw new Error(`${label} must be a non-negative number.`);
+  }
+  return parsed;
+}
+var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
+  const rootDir = path21.resolve(targetPath);
   if (!await pathExists(rootDir)) {
     console.error(chalk6.red(`Path does not exist: ${rootDir}`));
     process.exit(1);
@@ -7162,7 +7795,14 @@ var scanCommand = new Command3("scan").description("Scan a project for upgrade d
     dsn: opts.dsn,
     region: opts.region,
     strict: opts.strict,
-    installTools: opts.installTools
+    installTools: opts.installTools,
+    uiPurpose: opts.uiPurpose,
+    noLocalArtifacts: opts.noLocalArtifacts,
+    maxPrivacy: opts.maxPrivacy,
+    offline: opts.offline,
+    packageManifest: opts.packageManifest,
+    driftBudget: parseNonNegativeNumber(opts.driftBudget, "--drift-budget"),
+    driftWorseningPercent: parseNonNegativeNumber(opts.driftWorsening, "--drift-worsening")
   };
   const artifact = await runScan(rootDir, scanOpts);
   if (opts.failOn) {
@@ -7179,8 +7819,29 @@ Failing: findings detected at warn level or above.`));
       process.exit(2);
     }
   }
+  if (scanOpts.driftBudget !== void 0 && artifact.drift.score > scanOpts.driftBudget) {
+    console.error(chalk6.red(`
+Failing fitness function: drift score ${artifact.drift.score}/100 exceeds budget ${scanOpts.driftBudget}.`));
+    process.exit(2);
+  }
+  if (scanOpts.driftWorseningPercent !== void 0) {
+    if (artifact.delta === void 0) {
+      console.error(chalk6.red("\nFailing fitness function: --drift-worsening requires --baseline to compare against previous drift."));
+      process.exit(2);
+    }
+    if (artifact.delta > 0) {
+      const baselineScore = artifact.drift.score - artifact.delta;
+      const denominator = Math.max(Math.abs(baselineScore), 1e-4);
+      const worseningPercent = artifact.delta / denominator * 100;
+      if (worseningPercent > scanOpts.driftWorseningPercent) {
+        console.error(chalk6.red(`
+Failing fitness function: drift worsened by ${worseningPercent.toFixed(2)}% (threshold ${scanOpts.driftWorseningPercent}%).`));
+        process.exit(2);
+      }
+    }
+  }
   const hasDsn = !!(opts.dsn || process.env.VIBGRATE_DSN);
-  if (opts.push || hasDsn) {
+  if (!scanOpts.offline && (opts.push || hasDsn)) {
     await autoPush(artifact, rootDir, scanOpts);
   }
 });