@vibgrate/cli 1.0.49 → 1.0.51

package/DOCS.md

@@ -162,12 +162,12 @@ Creates:
 The primary command. Scans your project for upgrade drift.
 
 ```bash
-vibgrate scan [path] [--format text|json|sarif] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy] [--baseline <file>] [--drift-budget <score>] [--drift-worsening <percent>] [--changed-only] [--concurrency <n>]
+vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy] [--baseline <file>] [--drift-budget <score>] [--drift-worsening <percent>] [--changed-only] [--concurrency <n>]
 ```
 
 | Flag | Default | Description |
 |------|---------|-------------|
-| `--format` | `text` | Output format: `text`, `json`, or `sarif` |
+| `--format` | `text` | Output format: `text`, `json`, `sarif`, or `md` |
 | `--out <file>` | — | Write output to a file |
 | `--fail-on <level>` | — | Exit with code 2 if findings at this level exist |
 | `--baseline <file>` | — | Compare against a previous baseline |

package/README.md

@@ -176,7 +176,7 @@ When offline mode runs without a package manifest, package freshness is marked a
 ## Core commands
 
 ```bash
-vibgrate scan [path] [--format text|json|sarif] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy]
+vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy]
 vibgrate baseline [path]
 vibgrate report [--in <artifact.json>] [--format md|text|json]
 vibgrate push [--dsn <dsn>] [--file <artifact.json>] [--strict]

package/dist/{baseline-M6HQP4E5.js → baseline-FRBISJ66.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-4M7MNV6G.js";
-import "./chunk-E53FDKZE.js";
+} from "./chunk-TCYJSLL2.js";
+import "./chunk-TYAGUEXG.js";
 import "./chunk-RNVZIZNL.js";
 export {
   baselineCommand,

package/dist/{chunk-4M7MNV6G.js → chunk-TCYJSLL2.js}

@@ -1,6 +1,6 @@
 import {
   runScan
-} from "./chunk-E53FDKZE.js";
+} from "./chunk-TYAGUEXG.js";
 import {
   writeJsonFile
 } from "./chunk-RNVZIZNL.js";

package/dist/{chunk-E53FDKZE.js → chunk-TYAGUEXG.js}

@@ -965,6 +965,98 @@ function toSarifResult(finding) {
   };
 }
 
+// src/formatters/markdown.ts
+function formatMarkdown(artifact) {
+  const lines = [];
+  lines.push("# Vibgrate Drift Report");
+  lines.push("");
+  lines.push(`| Metric | Value |`);
+  lines.push(`|--------|-------|`);
+  lines.push(`| **Drift Score** | ${artifact.drift.score}/100 |`);
+  lines.push(`| **Risk Level** | ${artifact.drift.riskLevel.toUpperCase()} |`);
+  lines.push(`| **Projects** | ${artifact.projects.length} |`);
+  const scannedMeta = [artifact.timestamp];
+  if (artifact.durationMs !== void 0) scannedMeta.push(`${(artifact.durationMs / 1e3).toFixed(1)}s`);
+  if (artifact.filesScanned !== void 0) scannedMeta.push(`${artifact.filesScanned} files`);
+  if (artifact.treeSummary) scannedMeta.push(`${artifact.treeSummary.totalFiles.toLocaleString()} workspace files \xB7 ${artifact.treeSummary.totalDirs.toLocaleString()} dirs`);
+  lines.push(`| **Scanned** | ${scannedMeta.join(" \xB7 ")} |`);
+  if (artifact.vcs) {
+    lines.push(`| **VCS** | ${artifact.vcs.type} |`);
+    if (artifact.vcs.branch) lines.push(`| **Branch** | ${artifact.vcs.branch} |`);
+    if (artifact.vcs.sha) lines.push(`| **Commit** | \`${artifact.vcs.shortSha}\` |`);
+  }
+  lines.push("");
+  lines.push("## Score Breakdown");
+  lines.push("");
+  lines.push(`| Component | Score |`);
+  lines.push(`|-----------|-------|`);
+  lines.push(`| Runtime | ${artifact.drift.components.runtimeScore} |`);
+  lines.push(`| Frameworks | ${artifact.drift.components.frameworkScore} |`);
+  lines.push(`| Dependencies | ${artifact.drift.components.dependencyScore} |`);
+  lines.push(`| EOL Risk | ${artifact.drift.components.eolScore} |`);
+  lines.push("");
+  lines.push("## Projects");
+  lines.push("");
+  for (const project of artifact.projects) {
+    lines.push(`### ${project.name} (${project.type})`);
+    lines.push("");
+    if (project.runtime) {
+      const lag = project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind > 0 ? ` \u2014 ${project.runtimeMajorsBehind} major(s) behind` : " \u2014 current";
+      lines.push(`- **Runtime:** ${project.runtime}${lag}`);
+    }
+    if (project.frameworks.length > 0) {
+      lines.push("- **Frameworks:**");
+      for (const fw of project.frameworks) {
+        const lag = fw.majorsBehind !== null ? fw.majorsBehind === 0 ? "current" : `${fw.majorsBehind} behind` : "unknown";
+        lines.push(`  - ${fw.name}: ${fw.currentVersion ?? "?"} \u2192 ${fw.latestVersion ?? "?"} (${lag})`);
+      }
+    }
+    const b = project.dependencyAgeBuckets;
+    const total = b.current + b.oneBehind + b.twoPlusBehind + b.unknown;
+    if (total > 0) {
+      lines.push(`- **Dependencies:** ${b.current} current, ${b.oneBehind} 1-behind, ${b.twoPlusBehind} 2+ behind, ${b.unknown} unknown`);
+    }
+    lines.push("");
+  }
+  if (artifact.extended?.uiPurpose) {
+    const up = artifact.extended.uiPurpose;
+    lines.push("## Product Purpose Signals");
+    lines.push("");
+    lines.push(`- **Frameworks:** ${up.detectedFrameworks.length > 0 ? up.detectedFrameworks.join(", ") : "unknown"}`);
+    lines.push(`- **Evidence Items:** ${up.topEvidence.length}${up.capped ? ` (capped from ${up.evidenceCount})` : ""}`);
+    if (up.topEvidence.length > 0) {
+      lines.push("- **Top Evidence:**");
+      for (const item of up.topEvidence.slice(0, 10)) {
+        lines.push(`  - [${item.kind}] ${item.value} (${item.file})`);
+      }
+    }
+    if (up.unknownSignals.length > 0) {
+      lines.push("- **Unknowns:**");
+      for (const u of up.unknownSignals.slice(0, 5)) {
+        lines.push(`  - ${u}`);
+      }
+    }
+    lines.push("");
+  }
+  if (artifact.findings.length > 0) {
+    lines.push("## Findings");
+    lines.push("");
+    lines.push(`| Level | Rule | Message | Location |`);
+    lines.push(`|-------|------|---------|----------|`);
+    for (const f of artifact.findings) {
+      const emoji = f.level === "error" ? "\u{1F534}" : f.level === "warning" ? "\u{1F7E1}" : "\u{1F535}";
+      lines.push(`| ${emoji} ${f.level} | ${f.ruleId} | ${f.message} | ${f.location} |`);
+    }
+    lines.push("");
+  }
+  if (artifact.delta !== void 0) {
+    const dir = artifact.delta > 0 ? "\u{1F4C8}" : artifact.delta < 0 ? "\u{1F4C9}" : "\u27A1\uFE0F";
+    lines.push(`## Drift Delta: ${dir} ${artifact.delta > 0 ? "+" : ""}${artifact.delta} vs baseline`);
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+
 // src/commands/dsn.ts
 import * as crypto2 from "crypto";
 import * as path from "path";
@@ -1524,6 +1616,22 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
       });
     }
   }
+  for (const s of sections) {
+    if (!s.deps) continue;
+    for (const [pkg2, spec] of Object.entries(s.deps)) {
+      if (!spec.trim().startsWith("workspace:")) continue;
+      dependencies.push({
+        package: pkg2,
+        section: s.name,
+        currentSpec: spec,
+        resolvedVersion: null,
+        latestStable: null,
+        majorsBehind: null,
+        drift: "unknown"
+      });
+      buckets.unknown++;
+    }
+  }
   dependencies.sort((a, b) => {
     const order = { "major-behind": 0, "minor-behind": 1, "current": 2, "unknown": 3 };
     const diff = (order[a.drift] ?? 9) - (order[b.drift] ?? 9);
@@ -7436,7 +7544,30 @@ async function runScan(rootDir, opts) {
   filesScanned += polyglotProjects.length;
   progress.addProjects(polyglotProjects.length);
   progress.completeStep("polyglot", `${polyglotProjects.length} project${polyglotProjects.length !== 1 ? "s" : ""}`, polyglotProjects.length);
-  const allProjects = [...nodeProjects, ...dotnetProjects, ...pythonProjects, ...javaProjects, ...polyglotProjects];
+  const rawProjects = [...nodeProjects, ...dotnetProjects, ...pythonProjects, ...javaProjects, ...polyglotProjects];
+  const deduplicatedMap = /* @__PURE__ */ new Map();
+  for (const project of rawProjects) {
+    const existing = deduplicatedMap.get(project.path);
+    if (!existing) {
+      deduplicatedMap.set(project.path, project);
+    } else {
+      const keepNew = project.dependencies.length > existing.dependencies.length;
+      const winner = keepNew ? project : existing;
+      const loser = keepNew ? existing : project;
+      if (loser.projectReferences?.length) {
+        if (!winner.projectReferences) {
+          winner.projectReferences = loser.projectReferences;
+        } else {
+          const existingPaths = new Set(winner.projectReferences.map((r) => r.path));
+          for (const ref of loser.projectReferences) {
+            if (!existingPaths.has(ref.path)) winner.projectReferences.push(ref);
+          }
+        }
+      }
+      deduplicatedMap.set(project.path, winner);
+    }
+  }
+  const allProjects = [...deduplicatedMap.values()];
   const dsn = opts.dsn || process.env.VIBGRATE_DSN;
   const parsedDsn = dsn ? parseDsn(dsn) : null;
   const workspaceId = parsedDsn?.workspaceId;
@@ -7841,6 +7972,12 @@ async function runScan(rootDir, opts) {
     } else {
       console.log(sarifStr);
     }
+  } else if (opts.format === "md") {
+    const markdown = formatMarkdown(artifact);
+    console.log(markdown);
+    if (opts.out) {
+      await writeTextFile(path22.resolve(opts.out), markdown);
+    }
   } else {
     const text = formatText(artifact);
     console.log(text);
@@ -7943,7 +8080,7 @@ function parseNonNegativeNumber(value, label) {
   }
   return parsed;
 }
-var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
+var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif|md)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
   const rootDir = path22.resolve(targetPath);
   if (!await pathExists(rootDir)) {
     console.error(chalk6.red(`Path does not exist: ${rootDir}`));
@@ -8018,6 +8155,7 @@ export {
   VERSION,
   formatText,
   formatSarif,
+  formatMarkdown,
   dsnCommand,
   pushCommand,
   runScan,

package/dist/cli.js

@@ -1,18 +1,16 @@
 #!/usr/bin/env node
-import {
-  formatMarkdown
-} from "./chunk-PTMLMDZU.js";
 import {
   baselineCommand
-} from "./chunk-4M7MNV6G.js";
+} from "./chunk-TCYJSLL2.js";
 import {
   VERSION,
   dsnCommand,
+  formatMarkdown,
   formatText,
   pushCommand,
   scanCommand,
   writeDefaultConfig
-} from "./chunk-E53FDKZE.js";
+} from "./chunk-TYAGUEXG.js";
 import {
   ensureDir,
   pathExists,
@@ -41,7 +39,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-M6HQP4E5.js");
+    const { runBaseline } = await import("./baseline-FRBISJ66.js");
     await runBaseline(rootDir);
   }
   console.log("");
@@ -104,11 +102,16 @@ async function checkForUpdate() {
     }
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 5e3);
-    const response = await fetch(REGISTRY_URL, {
-      headers: { Accept: "application/json" },
-      signal: controller.signal
-    });
-    clearTimeout(timeout);
+    timeout.unref?.();
+    let response;
+    try {
+      response = await fetch(REGISTRY_URL, {
+        headers: { Accept: "application/json" },
+        signal: controller.signal
+      });
+    } finally {
+      clearTimeout(timeout);
+    }
     if (!response.ok) return null;
     const data = await response.json();
     const latest = data.version;
@@ -127,11 +130,16 @@ async function fetchLatestVersion() {
   try {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 1e4);
-    const response = await fetch(REGISTRY_URL, {
-      headers: { Accept: "application/json" },
-      signal: controller.signal
-    });
-    clearTimeout(timeout);
+    timeout.unref?.();
+    let response;
+    try {
+      response = await fetch(REGISTRY_URL, {
+        headers: { Accept: "application/json" },
+        signal: controller.signal
+      });
+    } finally {
+      clearTimeout(timeout);
+    }
     if (!response.ok) return null;
     const data = await response.json();
     const latest = data.version;
@@ -412,14 +420,18 @@ program.addCommand(dsnCommand);
 program.addCommand(pushCommand);
 program.addCommand(updateCommand);
 program.addCommand(sbomCommand);
-program.parseAsync().then(async () => {
-  const update = await checkForUpdate();
-  if (update?.updateAvailable) {
+function notifyIfUpdateAvailable() {
+  void checkForUpdate().then((update) => {
+    if (!update?.updateAvailable) return;
     console.error("");
     console.error(chalk5.yellow(`  Update available: ${update.current} \u2192 ${update.latest}`));
     console.error(chalk5.dim('  Run "vibgrate update" to install the latest version.'));
     console.error("");
-  }
+  }).catch(() => {
+  });
+}
+program.parseAsync().then(() => {
+  notifyIfUpdateAvailable();
 }).catch((err) => {
   console.error(err);
   process.exit(1);

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 type DepSection = 'dependencies' | 'devDependencies' | 'peerDependencies' | 'optionalDependencies';
 type RiskLevel = 'low' | 'moderate' | 'high';
 type ProjectType = 'node' | 'dotnet' | 'python' | 'java' | 'go' | 'rust' | 'php' | 'typescript' | 'ruby' | 'swift' | 'kotlin' | 'dart' | 'scala' | 'r' | 'objective-c' | 'elixir' | 'haskell' | 'lua' | 'perl' | 'julia' | 'shell' | 'clojure' | 'groovy' | 'c' | 'cpp' | 'cobol' | 'fortran' | 'visual-basic' | 'pascal' | 'ada' | 'assembly' | 'rpg';
-type OutputFormat = 'text' | 'json' | 'sarif';
+type OutputFormat = 'text' | 'json' | 'sarif' | 'md';
 interface DependencyRow {
     package: string;
     section: DepSection;

package/dist/index.js

@@ -1,13 +1,11 @@
-import {
-  formatMarkdown
-} from "./chunk-PTMLMDZU.js";
 import {
   computeDriftScore,
+  formatMarkdown,
   formatSarif,
   formatText,
   generateFindings,
   runScan
-} from "./chunk-E53FDKZE.js";
+} from "./chunk-TYAGUEXG.js";
 import "./chunk-RNVZIZNL.js";
 export {
   computeDriftScore,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "1.0.49",
+  "version": "1.0.51",
   "description": "CLI for measuring upgrade drift across Node, .NET, Python & Java projects",
   "type": "module",
   "bin": {

package/dist/chunk-PTMLMDZU.js

@@ -1,95 +0,0 @@
-// src/formatters/markdown.ts
-function formatMarkdown(artifact) {
-  const lines = [];
-  lines.push("# Vibgrate Drift Report");
-  lines.push("");
-  lines.push(`| Metric | Value |`);
-  lines.push(`|--------|-------|`);
-  lines.push(`| **Drift Score** | ${artifact.drift.score}/100 |`);
-  lines.push(`| **Risk Level** | ${artifact.drift.riskLevel.toUpperCase()} |`);
-  lines.push(`| **Projects** | ${artifact.projects.length} |`);
-  const scannedMeta = [artifact.timestamp];
-  if (artifact.durationMs !== void 0) scannedMeta.push(`${(artifact.durationMs / 1e3).toFixed(1)}s`);
-  if (artifact.filesScanned !== void 0) scannedMeta.push(`${artifact.filesScanned} files`);
-  if (artifact.treeSummary) scannedMeta.push(`${artifact.treeSummary.totalFiles.toLocaleString()} workspace files \xB7 ${artifact.treeSummary.totalDirs.toLocaleString()} dirs`);
-  lines.push(`| **Scanned** | ${scannedMeta.join(" \xB7 ")} |`);
-  if (artifact.vcs) {
-    lines.push(`| **VCS** | ${artifact.vcs.type} |`);
-    if (artifact.vcs.branch) lines.push(`| **Branch** | ${artifact.vcs.branch} |`);
-    if (artifact.vcs.sha) lines.push(`| **Commit** | \`${artifact.vcs.shortSha}\` |`);
-  }
-  lines.push("");
-  lines.push("## Score Breakdown");
-  lines.push("");
-  lines.push(`| Component | Score |`);
-  lines.push(`|-----------|-------|`);
-  lines.push(`| Runtime | ${artifact.drift.components.runtimeScore} |`);
-  lines.push(`| Frameworks | ${artifact.drift.components.frameworkScore} |`);
-  lines.push(`| Dependencies | ${artifact.drift.components.dependencyScore} |`);
-  lines.push(`| EOL Risk | ${artifact.drift.components.eolScore} |`);
-  lines.push("");
-  lines.push("## Projects");
-  lines.push("");
-  for (const project of artifact.projects) {
-    lines.push(`### ${project.name} (${project.type})`);
-    lines.push("");
-    if (project.runtime) {
-      const lag = project.runtimeMajorsBehind !== void 0 && project.runtimeMajorsBehind > 0 ? ` \u2014 ${project.runtimeMajorsBehind} major(s) behind` : " \u2014 current";
-      lines.push(`- **Runtime:** ${project.runtime}${lag}`);
-    }
-    if (project.frameworks.length > 0) {
-      lines.push("- **Frameworks:**");
-      for (const fw of project.frameworks) {
-        const lag = fw.majorsBehind !== null ? fw.majorsBehind === 0 ? "current" : `${fw.majorsBehind} behind` : "unknown";
-        lines.push(`  - ${fw.name}: ${fw.currentVersion ?? "?"} \u2192 ${fw.latestVersion ?? "?"} (${lag})`);
-      }
-    }
-    const b = project.dependencyAgeBuckets;
-    const total = b.current + b.oneBehind + b.twoPlusBehind + b.unknown;
-    if (total > 0) {
-      lines.push(`- **Dependencies:** ${b.current} current, ${b.oneBehind} 1-behind, ${b.twoPlusBehind} 2+ behind, ${b.unknown} unknown`);
-    }
-    lines.push("");
-  }
-  if (artifact.extended?.uiPurpose) {
-    const up = artifact.extended.uiPurpose;
-    lines.push("## Product Purpose Signals");
-    lines.push("");
-    lines.push(`- **Frameworks:** ${up.detectedFrameworks.length > 0 ? up.detectedFrameworks.join(", ") : "unknown"}`);
-    lines.push(`- **Evidence Items:** ${up.topEvidence.length}${up.capped ? ` (capped from ${up.evidenceCount})` : ""}`);
-    if (up.topEvidence.length > 0) {
-      lines.push("- **Top Evidence:**");
-      for (const item of up.topEvidence.slice(0, 10)) {
-        lines.push(`  - [${item.kind}] ${item.value} (${item.file})`);
-      }
-    }
-    if (up.unknownSignals.length > 0) {
-      lines.push("- **Unknowns:**");
-      for (const u of up.unknownSignals.slice(0, 5)) {
-        lines.push(`  - ${u}`);
-      }
-    }
-    lines.push("");
-  }
-  if (artifact.findings.length > 0) {
-    lines.push("## Findings");
-    lines.push("");
-    lines.push(`| Level | Rule | Message | Location |`);
-    lines.push(`|-------|------|---------|----------|`);
-    for (const f of artifact.findings) {
-      const emoji = f.level === "error" ? "\u{1F534}" : f.level === "warning" ? "\u{1F7E1}" : "\u{1F535}";
-      lines.push(`| ${emoji} ${f.level} | ${f.ruleId} | ${f.message} | ${f.location} |`);
-    }
-    lines.push("");
-  }
-  if (artifact.delta !== void 0) {
-    const dir = artifact.delta > 0 ? "\u{1F4C8}" : artifact.delta < 0 ? "\u{1F4C9}" : "\u27A1\uFE0F";
-    lines.push(`## Drift Delta: ${dir} ${artifact.delta > 0 ? "+" : ""}${artifact.delta} vs baseline`);
-    lines.push("");
-  }
-  return lines.join("\n");
-}
-
-export {
-  formatMarkdown
-};