@vibgrate/cli 1.0.45 → 1.0.47

package/dist/cli.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 import {
   formatMarkdown
-} from "./chunk-GN3IWKSY.js";
+} from "./chunk-PTMLMDZU.js";
 import {
   baselineCommand
-} from "./chunk-LO66M6OC.js";
+} from "./chunk-NASGRGXK.js";
 import {
   VERSION,
   dsnCommand,
@@ -12,16 +12,17 @@ import {
   pushCommand,
   scanCommand,
   writeDefaultConfig
-} from "./chunk-YFJC5JSQ.js";
+} from "./chunk-UVFIFNYG.js";
 import {
   ensureDir,
   pathExists,
-  readJsonFile
+  readJsonFile,
+  writeTextFile
 } from "./chunk-RNVZIZNL.js";
 
 // src/cli.ts
-import { Command as Command4 } from "commander";
-import chalk4 from "chalk";
+import { Command as Command5 } from "commander";
+import chalk5 from "chalk";
 
 // src/commands/init.ts
 import * as path from "path";
@@ -40,7 +41,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-FDWMBM2O.js");
+    const { runBaseline } = await import("./baseline-K7V6GAP3.js");
     await runBaseline(rootDir);
   }
   console.log("");
@@ -222,8 +223,186 @@ var updateCommand = new Command3("update").description("Update vibgrate to the l
   }
 });
 
+// src/commands/sbom.ts
+import * as path5 from "path";
+import { randomUUID } from "crypto";
+import { Command as Command4 } from "commander";
+import chalk4 from "chalk";
+function flattenDependencies(artifact) {
+  const rows = [];
+  for (const project of artifact.projects) {
+    for (const dep of project.dependencies) {
+      rows.push({
+        project: project.name,
+        package: dep.package,
+        version: dep.resolvedVersion ?? dep.currentSpec,
+        currentSpec: dep.currentSpec,
+        drift: dep.drift,
+        majorsBehind: dep.majorsBehind
+      });
+    }
+  }
+  return rows;
+}
+function toCycloneDx(artifact) {
+  const dependencies = flattenDependencies(artifact);
+  return {
+    bomFormat: "CycloneDX",
+    specVersion: "1.5",
+    serialNumber: `urn:uuid:${randomUUID()}`,
+    version: 1,
+    metadata: {
+      timestamp: artifact.timestamp,
+      tools: [
+        {
+          vendor: "Vibgrate",
+          name: "@vibgrate/cli",
+          version: artifact.vibgrateVersion
+        }
+      ],
+      component: {
+        type: "application",
+        name: artifact.rootPath
+      }
+    },
+    components: dependencies.map((dep) => ({
+      type: "library",
+      name: dep.package,
+      version: dep.version,
+      properties: [
+        { name: "vibgrate:project", value: dep.project },
+        { name: "vibgrate:currentSpec", value: dep.currentSpec },
+        { name: "vibgrate:drift", value: dep.drift },
+        { name: "vibgrate:majorsBehind", value: String(dep.majorsBehind ?? "unknown") }
+      ]
+    }))
+  };
+}
+function toSpdx(artifact) {
+  const dependencies = flattenDependencies(artifact);
+  return {
+    spdxVersion: "SPDX-2.3",
+    dataLicense: "CC0-1.0",
+    SPDXID: "SPDXRef-DOCUMENT",
+    name: `${artifact.rootPath}-sbom`,
+    documentNamespace: `https://vibgrate.com/spdx/${artifact.rootPath}/${randomUUID()}`,
+    creationInfo: {
+      created: artifact.timestamp,
+      creators: [`Tool: @vibgrate/cli-${artifact.vibgrateVersion}`]
+    },
+    packages: dependencies.map((dep, i) => ({
+      name: dep.package,
+      SPDXID: `SPDXRef-Package-${i + 1}`,
+      versionInfo: dep.version,
+      downloadLocation: "NOASSERTION",
+      filesAnalyzed: false,
+      externalRefs: [
+        {
+          referenceCategory: "PACKAGE-MANAGER",
+          referenceType: "purl",
+          referenceLocator: `pkg:npm/${encodeURIComponent(dep.package)}@${encodeURIComponent(dep.version)}`
+        }
+      ],
+      annotations: [
+        {
+          annotationType: "OTHER",
+          annotator: "Tool: @vibgrate/cli",
+          annotationDate: artifact.timestamp,
+          comment: `project=${dep.project}; drift=${dep.drift}; majorsBehind=${dep.majorsBehind ?? "unknown"}`
+        }
+      ]
+    }))
+  };
+}
+function projectDependencyMap(artifact) {
+  const map = /* @__PURE__ */ new Map();
+  for (const project of artifact.projects) {
+    for (const dep of project.dependencies) {
+      map.set(`${project.name}:${dep.package}`, dep);
+    }
+  }
+  return map;
+}
+function formatDeltaText(base, current) {
+  const baseMap = projectDependencyMap(base);
+  const currentMap = projectDependencyMap(current);
+  const added = [];
+  const removed = [];
+  const changed = [];
+  for (const [key, dep] of currentMap.entries()) {
+    if (!baseMap.has(key)) {
+      added.push(`${key} @ ${dep.resolvedVersion ?? dep.currentSpec}`);
+      continue;
+    }
+    const prev = baseMap.get(key);
+    const prevVersion = prev.resolvedVersion ?? prev.currentSpec;
+    const nowVersion = dep.resolvedVersion ?? dep.currentSpec;
+    if (prevVersion !== nowVersion || prev.majorsBehind !== dep.majorsBehind) {
+      changed.push(`${key} ${prevVersion} -> ${nowVersion} (majorsBehind ${prev.majorsBehind ?? "unknown"} -> ${dep.majorsBehind ?? "unknown"})`);
+    }
+  }
+  for (const [key, dep] of baseMap.entries()) {
+    if (!currentMap.has(key)) {
+      removed.push(`${key} @ ${dep.resolvedVersion ?? dep.currentSpec}`);
+    }
+  }
+  const lines = [
+    "Vibgrate SBOM Delta",
+    "===================",
+    `Baseline: ${base.timestamp}`,
+    `Current:  ${current.timestamp}`,
+    `Drift score delta: ${(current.drift.score - base.drift.score).toFixed(2)} points`,
+    "",
+    `Added dependencies (${added.length})`,
+    ...added.map((d) => `  + ${d}`),
+    "",
+    `Removed dependencies (${removed.length})`,
+    ...removed.map((d) => `  - ${d}`),
+    "",
+    `Changed dependencies (${changed.length})`,
+    ...changed.map((d) => `  * ${d}`)
+  ];
+  return lines.join("\n");
+}
+async function readArtifactOrExit(filePath) {
+  const absolutePath = path5.resolve(filePath);
+  if (!await pathExists(absolutePath)) {
+    console.error(chalk4.red(`Artifact not found: ${absolutePath}`));
+    process.exit(1);
+  }
+  return readJsonFile(absolutePath);
+}
+var exportCommand = new Command4("export").description("Export scan artifact as SBOM").option("--in <file>", "Input artifact file", ".vibgrate/scan_result.json").option("--out <file>", "Output SBOM file").option("--format <format>", "SBOM format (cyclonedx|spdx)", "cyclonedx").action(async (opts) => {
+  const artifact = await readArtifactOrExit(opts.in);
+  const format = opts.format.toLowerCase();
+  if (format !== "cyclonedx" && format !== "spdx") {
+    console.error(chalk4.red("Invalid SBOM format. Use cyclonedx or spdx."));
+    process.exit(1);
+  }
+  const sbom = format === "cyclonedx" ? toCycloneDx(artifact) : toSpdx(artifact);
+  const body = JSON.stringify(sbom, null, 2);
+  if (opts.out) {
+    await writeTextFile(path5.resolve(opts.out), body);
+    console.log(chalk4.green("\u2714") + ` SBOM written to ${opts.out}`);
+  } else {
+    console.log(body);
+  }
+});
+var deltaCommand = new Command4("delta").description("Show SBOM delta between two scan artifacts").requiredOption("--from <file>", "Baseline scan artifact path").requiredOption("--to <file>", "Current scan artifact path").option("--out <file>", "Write report to file").action(async (opts) => {
+  const base = await readArtifactOrExit(opts.from);
+  const current = await readArtifactOrExit(opts.to);
+  const report = formatDeltaText(base, current);
+  if (opts.out) {
+    await writeTextFile(path5.resolve(opts.out), report);
+    console.log(chalk4.green("\u2714") + ` SBOM delta report written to ${opts.out}`);
+  } else {
+    console.log(report);
+  }
+});
+var sbomCommand = new Command4("sbom").description("SBOM export and delta reports for dependency drift tracking").addCommand(exportCommand).addCommand(deltaCommand);
+
 // src/cli.ts
-var program = new Command4();
+var program = new Command5();
 program.name("vibgrate").description("Continuous Drift Intelligence for Node & .NET").version(VERSION);
 program.addCommand(initCommand);
 program.addCommand(scanCommand);
@@ -232,12 +411,13 @@ program.addCommand(reportCommand);
 program.addCommand(dsnCommand);
 program.addCommand(pushCommand);
 program.addCommand(updateCommand);
+program.addCommand(sbomCommand);
 program.parseAsync().then(async () => {
   const update = await checkForUpdate();
   if (update?.updateAvailable) {
     console.error("");
-    console.error(chalk4.yellow(`  Update available: ${update.current} \u2192 ${update.latest}`));
-    console.error(chalk4.dim('  Run "vibgrate update" to install the latest version.'));
+    console.error(chalk5.yellow(`  Update available: ${update.current} \u2192 ${update.latest}`));
+    console.error(chalk5.dim('  Run "vibgrate update" to install the latest version.'));
     console.error("");
   }
 }).catch((err) => {

package/dist/index.d.ts

@@ -31,6 +31,10 @@ interface ProjectScan {
     name: string;
     /** Deterministic project ID: SHA-256 hash of `${path}:${name}:${workspaceId}` */
     projectId?: string;
+    /** Optional solution identifier when project belongs to a solution/workspace file */
+    solutionId?: string;
+    /** Optional solution name resolved from solution/workspace metadata */
+    solutionName?: string;
     runtime?: string;
     runtimeLatest?: string;
     runtimeMajorsBehind?: number;
@@ -49,6 +53,30 @@ interface ProjectScan {
     projectReferences?: ProjectReference[];
     /** Number of source files in the project directory */
     fileCount?: number;
+    /** Project-level architecture layer diagram (Mermaid flowchart) */
+    architectureMermaid?: string;
+    /** Project-level relationship diagram (first-level parents + children) */
+    relationshipDiagram?: MermaidDiagram;
+}
+interface SolutionScan {
+    /** Deterministic solution ID: SHA-256 hash of `${path}:${name}:${workspaceId}` */
+    solutionId: string;
+    /** Relative path to solution file */
+    path: string;
+    /** Solution display name */
+    name: string;
+    /** Solution file type */
+    type: 'dotnet-sln';
+    /** Projects resolved as belonging to this solution (by relative project path) */
+    projectPaths: string[];
+    /** Aggregate drift score for all resolved projects in this solution */
+    drift?: DriftScore;
+    /** Solution relationship diagram with top-level solution node and project links */
+    relationshipDiagram?: MermaidDiagram;
+}
+interface MermaidDiagram {
+    mermaid: string;
+    svg?: string;
 }
 interface DriftScore {
     score: number;
@@ -75,6 +103,13 @@ interface VcsInfo {
     sha?: string;
     shortSha?: string;
     branch?: string;
+    remoteUrl?: string;
+}
+interface RepositoryInfo {
+    name: string;
+    version?: string;
+    pipeline?: string;
+    remoteUrl?: string;
 }
 interface TreeCount {
     /** Total files discovered (excluding skipped dirs like node_modules, .git, dist) */
@@ -88,7 +123,9 @@ interface ScanArtifact {
     vibgrateVersion: string;
     rootPath: string;
     vcs?: VcsInfo;
+    repository?: RepositoryInfo;
     projects: ProjectScan[];
+    solutions?: SolutionScan[];
     drift: DriftScore;
     findings: Finding[];
     baseline?: string;
@@ -100,6 +137,8 @@ interface ScanArtifact {
     filesScanned?: number;
     /** Workspace tree summary (file & directory counts from discovery) */
     treeSummary?: TreeCount;
+    /** Workspace-level relationship diagram */
+    relationshipDiagram?: MermaidDiagram;
 }
 interface ScanOptions {
     out?: string;
@@ -117,6 +156,20 @@ interface ScanOptions {
     strict?: boolean;
     /** Auto-install missing security tools via Homebrew */
     installTools?: boolean;
+    /** Enable optional UI-purpose evidence extraction (slower, richer context for dashboard) */
+    uiPurpose?: boolean;
+    /** Prevent writing .vibgrate JSON artifacts to disk */
+    noLocalArtifacts?: boolean;
+    /** Enable strongest privacy profile: minimize scanners and suppress local artifacts */
+    maxPrivacy?: boolean;
+    /** Run without any network calls; drift may be partial without a package manifest */
+    offline?: boolean;
+    /** Path to package-version manifest JSON or ZIP used in offline/privacy workflows */
+    packageManifest?: string;
+    /** Fail the run if drift score is above this absolute budget */
+    driftBudget?: number;
+    /** Fail when drift worsens by more than this percentage vs baseline */
+    driftWorseningPercent?: number;
 }
 interface ScannerToggle {
     enabled: boolean;
@@ -140,6 +193,7 @@ interface ScannersConfig {
     architecture?: ScannerToggle;
     codeQuality?: ScannerToggle;
     owaspCategoryMapping?: OwaspScannerConfig;
+    uiPurpose?: ScannerToggle;
 }
 interface VibgrateConfig {
     include?: string[];
@@ -363,6 +417,20 @@ interface CodeQualityResult {
     circularDependencies: number;
     deadCodePercent: number;
 }
+interface UiPurposeEvidenceItem {
+    kind: 'route' | 'nav' | 'title' | 'heading' | 'cta' | 'copy' | 'dependency' | 'feature_flag';
+    value: string;
+    file: string;
+    weight: number;
+}
+interface UiPurposeResult {
+    enabled: boolean;
+    detectedFrameworks: string[];
+    evidenceCount: number;
+    capped: boolean;
+    topEvidence: UiPurposeEvidenceItem[];
+    unknownSignals: string[];
+}
 interface ExtendedScanResults {
     platformMatrix?: PlatformMatrixResult;
     dependencyRisk?: DependencyRiskResult;
@@ -378,6 +446,7 @@ interface ExtendedScanResults {
     architecture?: ArchitectureResult;
     codeQuality?: CodeQualityResult;
     owaspCategoryMapping?: OwaspCategoryMappingResult;
+    uiPurpose?: UiPurposeResult;
 }
 interface OwaspFinding {
     ruleId: string;

package/dist/index.js

@@ -1,13 +1,13 @@
 import {
   formatMarkdown
-} from "./chunk-GN3IWKSY.js";
+} from "./chunk-PTMLMDZU.js";
 import {
   computeDriftScore,
   formatSarif,
   formatText,
   generateFindings,
   runScan
-} from "./chunk-YFJC5JSQ.js";
+} from "./chunk-UVFIFNYG.js";
 import "./chunk-RNVZIZNL.js";
 export {
   computeDriftScore,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "1.0.45",
+  "version": "1.0.47",
   "description": "CLI for measuring upgrade drift across Node, .NET, Python & Java projects",
   "type": "module",
   "bin": {