@vibgrate/cli 1.0.64 → 1.0.66

package/README.md

@@ -179,6 +179,7 @@ Vibgrate now supports explicit privacy controls:
 
 - `--no-local-artifacts` prevents writing `.vibgrate/*.json` files to disk.
 - `--max-privacy` enables a hardened profile (suppresses local artifact writes and disables high-context scanners such as UI-purpose evidence and architecture/code-quality enrichment).
+- Additional commercial scanner families are available and independently toggleable in `vibgrate.config.*`: `runtimeConfiguration`, `dataStores`, `apiSurface`, `operationalResilience`, `assetBranding`, and `ossGovernance` (see `docs/commercial-grade-scanners.md`).
 - `--offline` disables live registry/network lookups and never uploads scan results.
 - `--package-manifest <file>` accepts a local JSON or ZIP package-version manifest so drift can still be calculated offline. Download the latest bundle at `https://github.com/vibgrate/manifests/latest-packages.zip`.
 

package/dist/{baseline-HGBNL6CN.js → baseline-IEG2JITU.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-GCMUJKM7.js";
-import "./chunk-IQ4T2HLG.js";
+} from "./chunk-IHDUX5MC.js";
+import "./chunk-DMYMJUQP.js";
 import "./chunk-TBE6NQ5Z.js";
 export {
   baselineCommand,

package/dist/{chunk-IQ4T2HLG.js → chunk-DMYMJUQP.js}

@@ -1169,6 +1169,260 @@ import * as crypto3 from "crypto";
 import * as path2 from "path";
 import { Command as Command2 } from "commander";
 import chalk3 from "chalk";
+
+// src/utils/compact-artifact.ts
+import * as zlib from "zlib";
+import { promisify } from "util";
+
+// src/utils/compact-evidence.ts
+var CATEGORY_PATTERNS = [
+  { category: "pricing", pattern: /price|pricing|billing|subscri|trial|credit|plan|tier|upgrade|premium|pro|enterprise/i },
+  { category: "auth", pattern: /sign[- ]?in|sign[- ]?up|log[- ]?in|log[- ]?out|auth|sso|oauth|password|register|invite|onboard/i },
+  { category: "dashboard", pattern: /dashboard|overview|home|main|summary|stats/i },
+  { category: "settings", pattern: /setting|config|preference|option|profile|account/i },
+  { category: "users", pattern: /user|member|team|role|permission|access|admin|owner/i },
+  { category: "integrations", pattern: /integrat|connect|webhook|api[- ]?key|sync|import|export/i },
+  { category: "reports", pattern: /report|analy|metric|chart|graph|insight|track/i },
+  { category: "workflows", pattern: /workflow|automat|schedule|trigger|action|job|task|pipeline/i },
+  { category: "projects", pattern: /project|workspace|organization|folder|repo/i },
+  { category: "navigation", pattern: /menu|nav|sidebar|header|footer|breadcrumb/i }
+];
+function compactUiPurpose(result, maxSamplesPerCategory = 3) {
+  const evidence = result.topEvidence;
+  const dependencies = evidence.filter((e) => e.kind === "dependency").map((e) => e.value).slice(0, 10);
+  const routes = dedupeRoutes(
+    evidence.filter((e) => e.kind === "route").map((e) => e.value)
+  ).slice(0, 15);
+  const textEvidence = evidence.filter(
+    (e) => e.kind !== "dependency" && e.kind !== "route" && e.kind !== "feature_flag"
+  );
+  const byCategory = /* @__PURE__ */ new Map();
+  const categoryCounts = {};
+  for (const item of textEvidence) {
+    const category = categorize(item.value);
+    if (!byCategory.has(category)) {
+      byCategory.set(category, /* @__PURE__ */ new Set());
+    }
+    const normalized = normalizeValue(item.value);
+    if (normalized.length >= 3) {
+      byCategory.get(category).add(normalized);
+    }
+  }
+  const samples = [];
+  for (const [category, values] of byCategory) {
+    const deduped = dedupeStrings([...values]);
+    categoryCounts[category] = deduped.length;
+    for (const value of deduped.slice(0, maxSamplesPerCategory)) {
+      samples.push({ kind: "text", value, category });
+    }
+  }
+  const featureFlags = evidence.filter((e) => e.kind === "feature_flag");
+  if (featureFlags.length > 0) {
+    categoryCounts["feature_flags"] = featureFlags.length;
+    samples.push({ kind: "feature_flag", value: "feature flags detected", category: "feature_flags" });
+  }
+  return {
+    samples,
+    categoryCounts,
+    originalCount: evidence.length,
+    dependencies,
+    routes,
+    detectedFrameworks: result.detectedFrameworks
+  };
+}
+function categorize(value) {
+  for (const { category, pattern } of CATEGORY_PATTERNS) {
+    if (pattern.test(value)) return category;
+  }
+  return "general";
+}
+function normalizeValue(value) {
+  return value.toLowerCase().replace(/[^a-z0-9\s-]/g, " ").replace(/\s+/g, " ").trim().slice(0, 60);
+}
+function dedupeStrings(values) {
+  const sorted = values.sort((a, b) => b.length - a.length);
+  const kept = [];
+  for (const value of sorted) {
+    const isDupe = kept.some((k) => {
+      const stem = value.slice(0, 6);
+      return k.startsWith(stem) || k.includes(value) || value.includes(k);
+    });
+    if (!isDupe) {
+      kept.push(value);
+    }
+  }
+  return kept;
+}
+function dedupeRoutes(routes) {
+  const seen = /* @__PURE__ */ new Set();
+  const result = [];
+  for (const route of routes) {
+    const normalized = route.replace(/:[a-z_]+/gi, ":param").replace(/\[\[*\.*\.*[a-z_]+\]*\]/gi, ":param").replace(/\/+$/, "").toLowerCase();
+    if (!seen.has(normalized)) {
+      seen.add(normalized);
+      result.push(route);
+    }
+  }
+  return result;
+}
+
+// src/utils/compact-artifact.ts
+var gzip2 = promisify(zlib.gzip);
+var MAX_ITEMS = 50;
+function extractName(entry) {
+  const match = entry.match(/^(.+?)\s*\(/);
+  return match ? match[1].trim() : entry.trim();
+}
+function compactDataStores(result) {
+  return {
+    databaseTechnologies: result.databaseTechnologies.slice(0, 10),
+    connectionStrings: [],
+    // Don't include connection strings in upload
+    connectionPoolSettings: result.connectionPoolSettings.slice(0, MAX_ITEMS),
+    replicationSettings: result.replicationSettings.slice(0, 20),
+    readReplicaSettings: result.readReplicaSettings.slice(0, 20),
+    failoverSettings: result.failoverSettings.slice(0, 20),
+    collationAndEncoding: result.collationAndEncoding.slice(0, 20),
+    queryTimeoutDefaults: result.queryTimeoutDefaults.slice(0, 20),
+    manualIndexes: result.manualIndexes.map(extractName).slice(0, MAX_ITEMS),
+    tables: result.tables.map(extractName).slice(0, MAX_ITEMS),
+    views: result.views.map(extractName).slice(0, MAX_ITEMS),
+    storedProcedures: result.storedProcedures.map(extractName).slice(0, MAX_ITEMS),
+    triggers: result.triggers.map(extractName).slice(0, MAX_ITEMS),
+    rowLevelSecurityPolicies: result.rowLevelSecurityPolicies.slice(0, 20),
+    otherServices: result.otherServices.slice(0, 20)
+  };
+}
+function compactApiSurface(result) {
+  const seenProviders = /* @__PURE__ */ new Set();
+  const uniqueIntegrations = result.integrations.filter((i) => {
+    const domain = i.provider.split(":")[0];
+    if (seenProviders.has(domain)) return false;
+    seenProviders.add(domain);
+    return true;
+  }).slice(0, MAX_ITEMS).map((i) => ({
+    provider: i.provider,
+    endpoint: "",
+    // Don't include full endpoints
+    version: i.version,
+    parameters: [],
+    // Don't include params
+    configOptions: [],
+    authHints: []
+  }));
+  return {
+    integrations: uniqueIntegrations,
+    openApiSpecifications: result.openApiSpecifications.slice(0, 10),
+    webhookUrls: result.webhookUrls.slice(0, 20),
+    callbackEndpoints: result.callbackEndpoints.slice(0, 20),
+    apiVersionPins: result.apiVersionPins.slice(0, 20),
+    tokenExpirationPolicies: result.tokenExpirationPolicies.slice(0, 20),
+    rateLimitOverrides: result.rateLimitOverrides.slice(0, 20),
+    customHeaders: result.customHeaders.slice(0, 20),
+    corsPolicies: result.corsPolicies.slice(0, 20),
+    oauthScopes: result.oauthScopes.slice(0, 20),
+    apiTokens: []
+    // Don't include token references
+  };
+}
+function compactAssetBranding(result) {
+  return {
+    faviconFiles: result.faviconFiles.slice(0, 1),
+    productLogos: []
+    // Don't include logos
+  };
+}
+function prepareArtifactForUpload(artifact) {
+  const compacted = { ...artifact };
+  if (compacted.extended) {
+    const ext = { ...compacted.extended };
+    if (ext.dataStores) {
+      ext.dataStores = compactDataStores(ext.dataStores);
+    }
+    if (ext.apiSurface) {
+      ext.apiSurface = compactApiSurface(ext.apiSurface);
+    }
+    if (ext.assetBranding) {
+      ext.assetBranding = compactAssetBranding(ext.assetBranding);
+    }
+    if (ext.uiPurpose) {
+      const compactedUi = compactUiPurpose(ext.uiPurpose);
+      ext.uiPurpose = {
+        enabled: ext.uiPurpose.enabled,
+        detectedFrameworks: compactedUi.detectedFrameworks,
+        evidenceCount: compactedUi.originalCount,
+        capped: ext.uiPurpose.capped,
+        topEvidence: [],
+        // Clear full evidence
+        unknownSignals: [],
+        // Add compacted data under extended properties
+        ...{ compacted: compactedUi }
+      };
+    }
+    if (ext.runtimeConfiguration) {
+      ext.runtimeConfiguration = {
+        ...ext.runtimeConfiguration,
+        environmentVariables: ext.runtimeConfiguration.environmentVariables.slice(0, 100),
+        hiddenConfigFiles: ext.runtimeConfiguration.hiddenConfigFiles.slice(0, MAX_ITEMS),
+        startupArguments: ext.runtimeConfiguration.startupArguments.slice(0, 100)
+      };
+    }
+    if (ext.operationalResilience) {
+      const ops = ext.operationalResilience;
+      ext.operationalResilience = {
+        implicitTimeouts: ops.implicitTimeouts.slice(0, 30),
+        defaultPaginationSize: ops.defaultPaginationSize.slice(0, 30),
+        implicitRetryLogic: ops.implicitRetryLogic.slice(0, 30),
+        defaultLocale: ops.defaultLocale.slice(0, 20),
+        defaultCurrency: ops.defaultCurrency.slice(0, 20),
+        implicitTimezone: ops.implicitTimezone.slice(0, 20),
+        defaultCharacterEncoding: ops.defaultCharacterEncoding.slice(0, 20),
+        sessionStores: ops.sessionStores.slice(0, 20),
+        distributedLocks: ops.distributedLocks.slice(0, 20),
+        jobSchedulers: ops.jobSchedulers.slice(0, 30),
+        idempotencyKeys: ops.idempotencyKeys.slice(0, 20),
+        rateLimitingCounters: ops.rateLimitingCounters.slice(0, 20),
+        circuitBreakerState: ops.circuitBreakerState.slice(0, 20),
+        abTestToggles: ops.abTestToggles.slice(0, 20),
+        regionalEnablementRules: ops.regionalEnablementRules.slice(0, 20),
+        betaAccessGroups: ops.betaAccessGroups.slice(0, 20),
+        licensingEnforcementLogic: ops.licensingEnforcementLogic.slice(0, 20),
+        killSwitches: ops.killSwitches.slice(0, 20),
+        connectorRetryLogic: ops.connectorRetryLogic.slice(0, 20),
+        apiPollingIntervals: ops.apiPollingIntervals.slice(0, 20),
+        fieldMappings: ops.fieldMappings.slice(0, 20),
+        schemaRegistryRules: ops.schemaRegistryRules.slice(0, 20),
+        deadLetterQueueBehavior: ops.deadLetterQueueBehavior.slice(0, 20),
+        dataMaskingRules: ops.dataMaskingRules.slice(0, 20),
+        transformationLogic: ops.transformationLogic.slice(0, 20),
+        timezoneHandling: ops.timezoneHandling.slice(0, 20),
+        encryptionSettings: ops.encryptionSettings.slice(0, 30),
+        hardcodedSecretSignals: ops.hardcodedSecretSignals.slice(0, 20)
+      };
+    }
+    if (ext.dependencyGraph) {
+      ext.dependencyGraph = {
+        ...ext.dependencyGraph,
+        phantomDependencies: ext.dependencyGraph.phantomDependencies.slice(0, MAX_ITEMS),
+        phantomDependencyDetails: ext.dependencyGraph.phantomDependencyDetails?.slice(0, MAX_ITEMS),
+        duplicatedPackages: ext.dependencyGraph.duplicatedPackages.slice(0, MAX_ITEMS)
+      };
+    }
+    compacted.extended = ext;
+  }
+  return compacted;
+}
+async function compressArtifact(artifact) {
+  const json = JSON.stringify(artifact);
+  return gzip2(json, { level: 9 });
+}
+async function prepareCompressedUpload(artifact) {
+  const compacted = prepareArtifactForUpload(artifact);
+  const compressed = await compressArtifact(compacted);
+  return { body: compressed, contentEncoding: "gzip" };
+}
+
+// src/commands/push.ts
 function parseDsn(dsn) {
   const cleaned = dsn.replace(/[\x00-\x1F\x7F\uFEFF\u200B-\u200D\u2060]/g, "").trim();
   const match = cleaned.match(/^vibgrate\+(https?):?\/\/([^:]+):([^@]+)@([^/]+)\/(.+)$/);
@@ -1203,7 +1457,8 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
     if (opts.strict) process.exit(1);
     return;
   }
-  const body = await readTextFile(filePath);
+  const artifact = await readJsonFile(filePath);
+  const { body, contentEncoding } = await prepareCompressedUpload(artifact);
   const timestamp = String(Date.now());
   let host = parsed.host;
   if (opts.region) {
@@ -1216,12 +1471,16 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
     }
   }
   const url = `${parsed.scheme}://${host}/v1/ingest/scan`;
-  console.log(chalk3.dim(`Uploading to ${host}...`));
+  const originalSize = JSON.stringify(artifact).length;
+  const compressedSize = body.length;
+  const ratio = ((1 - compressedSize / originalSize) * 100).toFixed(0);
+  console.log(chalk3.dim(`Uploading to ${host}... (${(compressedSize / 1024).toFixed(0)} KB, ${ratio}% smaller)`));
   try {
     const response = await fetch(url, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
+        "Content-Encoding": contentEncoding,
         "X-Vibgrate-Timestamp": timestamp,
         "Authorization": `VibgrateDSN ${parsed.keyId}:${parsed.secret}`,
         "Connection": "close"
@@ -1251,7 +1510,7 @@ var pushCommand = new Command2("push").description("Push scan results to Vibgrat
 });
 
 // src/commands/scan.ts
-import * as path23 from "path";
+import * as path24 from "path";
 import { Command as Command3 } from "commander";
 import chalk6 from "chalk";
 
@@ -7446,96 +7705,353 @@ function isUsefulString(s) {
   return true;
 }
 
-// src/utils/compact-evidence.ts
-var CATEGORY_PATTERNS = [
-  { category: "pricing", pattern: /price|pricing|billing|subscri|trial|credit|plan|tier|upgrade|premium|pro|enterprise/i },
-  { category: "auth", pattern: /sign[- ]?in|sign[- ]?up|log[- ]?in|log[- ]?out|auth|sso|oauth|password|register|invite|onboard/i },
-  { category: "dashboard", pattern: /dashboard|overview|home|main|summary|stats/i },
-  { category: "settings", pattern: /setting|config|preference|option|profile|account/i },
-  { category: "users", pattern: /user|member|team|role|permission|access|admin|owner/i },
-  { category: "integrations", pattern: /integrat|connect|webhook|api[- ]?key|sync|import|export/i },
-  { category: "reports", pattern: /report|analy|metric|chart|graph|insight|track/i },
-  { category: "workflows", pattern: /workflow|automat|schedule|trigger|action|job|task|pipeline/i },
-  { category: "projects", pattern: /project|workspace|organization|folder|repo/i },
-  { category: "navigation", pattern: /menu|nav|sidebar|header|footer|breadcrumb/i }
-];
-function compactUiPurpose(result, maxSamplesPerCategory = 3) {
-  const evidence = result.topEvidence;
-  const dependencies = evidence.filter((e) => e.kind === "dependency").map((e) => e.value).slice(0, 10);
-  const routes = dedupeRoutes(
-    evidence.filter((e) => e.kind === "route").map((e) => e.value)
-  ).slice(0, 15);
-  const textEvidence = evidence.filter(
-    (e) => e.kind !== "dependency" && e.kind !== "route" && e.kind !== "feature_flag"
-  );
-  const byCategory = /* @__PURE__ */ new Map();
-  const categoryCounts = {};
-  for (const item of textEvidence) {
-    const category = categorize(item.value);
-    if (!byCategory.has(category)) {
-      byCategory.set(category, /* @__PURE__ */ new Set());
-    }
-    const normalized = normalizeValue(item.value);
-    if (normalized.length >= 3) {
-      byCategory.get(category).add(normalized);
-    }
+// src/scanners/requirements-scanners.ts
+import * as path23 from "path";
+var MAX_SCAN_BYTES = 75e4;
+function uniq(values) {
+  return [...new Set(values)].sort((a, b) => a.localeCompare(b));
+}
+function pushMatch(matches, value, sourceFile) {
+  if (!value) return;
+  const normalized = value.trim();
+  if (!normalized) return;
+  matches.push(`${normalized} (${sourceFile})`);
+}
+function extract(content, pattern, sourceFile) {
+  const out = [];
+  let match;
+  while ((match = pattern.exec(content)) !== null) {
+    const captured = match.slice(1).find((v) => typeof v === "string" && v.length > 0);
+    pushMatch(out, captured ?? match[0], sourceFile);
   }
-  const samples = [];
-  for (const [category, values] of byCategory) {
-    const deduped = dedupeStrings([...values]);
-    categoryCounts[category] = deduped.length;
-    for (const value of deduped.slice(0, maxSamplesPerCategory)) {
-      samples.push({ kind: "text", value, category });
+  return out;
+}
+function detectDbBrand(raw) {
+  const value = raw.toLowerCase();
+  if (value.includes("postgres")) return { kind: "sql", brand: "PostgreSQL", version: null, evidence: raw };
+  if (value.includes("mysql") || value.includes("mariadb")) return { kind: "sql", brand: "MySQL/MariaDB", version: null, evidence: raw };
+  if (value.includes("mssql") || value.includes("sqlserver")) return { kind: "sql", brand: "SQL Server", version: null, evidence: raw };
+  if (value.includes("oracle")) return { kind: "sql", brand: "Oracle", version: null, evidence: raw };
+  if (value.includes("sqlite")) return { kind: "sql", brand: "SQLite", version: null, evidence: raw };
+  if (value.includes("mongodb")) return { kind: "nosql", brand: "MongoDB", version: null, evidence: raw };
+  if (value.includes("redis")) return { kind: "nosql", brand: "Redis", version: null, evidence: raw };
+  if (value.includes("cassandra")) return { kind: "nosql", brand: "Cassandra", version: null, evidence: raw };
+  if (value.includes("dynamodb")) return { kind: "nosql", brand: "DynamoDB", version: null, evidence: raw };
+  if (value.includes("neo4j")) return { kind: "nosql", brand: "Neo4j", version: null, evidence: raw };
+  return null;
+}
+async function scanTextFiles(rootDir, fileCache) {
+  const entries = await fileCache.walkDir(rootDir);
+  const files = entries.filter((entry) => entry.isFile).map((entry) => entry.absPath);
+  const out = [];
+  for (const file of files) {
+    try {
+      const relPath = path23.relative(rootDir, file).replace(/\\/g, "/");
+      const content = await fileCache.readTextFile(file);
+      if (!content || content.length > MAX_SCAN_BYTES) continue;
+      out.push({ relPath, content });
+    } catch {
     }
   }
-  const featureFlags = evidence.filter((e) => e.kind === "feature_flag");
-  if (featureFlags.length > 0) {
-    categoryCounts["feature_flags"] = featureFlags.length;
-    samples.push({ kind: "feature_flag", value: "feature flags detected", category: "feature_flags" });
-  }
-  return {
-    samples,
-    categoryCounts,
-    originalCount: evidence.length,
-    dependencies,
-    routes,
-    detectedFrameworks: result.detectedFrameworks
+  return out;
+}
+async function scanRuntimeConfiguration(rootDir, fileCache) {
+  const files = await scanTextFiles(rootDir, fileCache);
+  const result = {
+    environmentVariables: [],
+    featureFlags: [],
+    hiddenConfigFiles: [],
+    dotEnvFiles: [],
+    secretsInjectionPaths: [],
+    containerEntrypoints: [],
+    startupArguments: [],
+    jvmFlags: [],
+    threadPoolSettings: []
   };
+  for (const file of files) {
+    if (file.relPath.split("/").some((segment) => segment.startsWith("."))) {
+      result.hiddenConfigFiles.push(file.relPath);
+    }
+    if (/\.env(\.|$)/i.test(file.relPath)) {
+      result.dotEnvFiles.push(file.relPath);
+    }
+    result.environmentVariables.push(...extract(file.content, /(?:process\.env\.([A-Z0-9_]{3,})|process\.env\[['"]([A-Z0-9_]{3,})['"]\]|System\.getenv\(['"]([A-Z0-9_]{3,})['"]\)|os\.environ\[['"]([A-Z0-9_]{3,})['"]\]|getenv\(['"]([A-Z0-9_]{3,})['"]\))/g, file.relPath));
+    result.featureFlags.push(...extract(file.content, /\b(?:feature[_-]?flag|ff_|is[A-Z][A-Za-z0-9]+Enabled|launchdarkly|unleash)\b/gi, file.relPath));
+    result.secretsInjectionPaths.push(...extract(file.content, /\b(?:vault|secrets?\/(?:mount|inject|path)|aws\/secretsmanager|gcp\/secretmanager)\b/gi, file.relPath));
+    result.containerEntrypoints.push(...extract(file.content, /\b(?:ENTRYPOINT|CMD)\s+([^\n]+)/g, file.relPath));
+    result.startupArguments.push(...extract(file.content, /\b(?:--[a-z0-9-]+=?[\w:/.-]*)/gi, file.relPath));
+    result.jvmFlags.push(...extract(file.content, /\b(-Xmx\S+|-Xms\S+|-XX:[^\s'"\]]+)/g, file.relPath));
+    result.threadPoolSettings.push(...extract(file.content, /\b(?:thread[_-]?pool|max[_-]?threads|min[_-]?threads|worker[_-]?threads)\b[^\n]*/gi, file.relPath));
+  }
+  result.environmentVariables = uniq(result.environmentVariables);
+  result.featureFlags = uniq(result.featureFlags);
+  result.hiddenConfigFiles = uniq(result.hiddenConfigFiles);
+  result.dotEnvFiles = uniq(result.dotEnvFiles);
+  result.secretsInjectionPaths = uniq(result.secretsInjectionPaths);
+  result.containerEntrypoints = uniq(result.containerEntrypoints);
+  result.startupArguments = uniq(result.startupArguments).slice(0, 250);
+  result.jvmFlags = uniq(result.jvmFlags);
+  result.threadPoolSettings = uniq(result.threadPoolSettings);
+  return result;
 }
-function categorize(value) {
-  for (const { category, pattern } of CATEGORY_PATTERNS) {
-    if (pattern.test(value)) return category;
+async function scanDataStores(rootDir, fileCache) {
+  const files = await scanTextFiles(rootDir, fileCache);
+  const dbTechnologies = [];
+  const result = {
+    databaseTechnologies: [],
+    connectionStrings: [],
+    connectionPoolSettings: [],
+    replicationSettings: [],
+    readReplicaSettings: [],
+    failoverSettings: [],
+    collationAndEncoding: [],
+    queryTimeoutDefaults: [],
+    manualIndexes: [],
+    tables: [],
+    views: [],
+    storedProcedures: [],
+    triggers: [],
+    rowLevelSecurityPolicies: [],
+    otherServices: []
+  };
+  for (const file of files) {
+    const connStrings = extract(file.content, /\b(?:postgres(?:ql)?:\/\/[^\s'"`]+|mysql:\/\/[^\s'"`]+|mongodb(?:\+srv)?:\/\/[^\s'"`]+|redis:\/\/[^\s'"`]+)\b/gi, file.relPath);
+    result.connectionStrings.push(...connStrings);
+    const dbEvidence = [
+      ...extract(file.content, /\b(?:postgres|postgresql|mysql|mariadb|mssql|sqlserver|oracle|sqlite|mongodb|redis|cassandra|dynamodb|neo4j)\b/gi, file.relPath),
+      ...connStrings
+    ];
+    for (const evidence of dbEvidence) {
+      const detected = detectDbBrand(evidence);
+      if (detected) dbTechnologies.push(detected);
+    }
+    result.connectionPoolSettings.push(...extract(file.content, /\b(?:pool(?:Size|_size)?|maxPoolSize|minPoolSize|connectionLimit)\b[^\n]*/gi, file.relPath));
+    result.replicationSettings.push(...extract(file.content, /\b(?:replication|cluster|replicaSet)\b[^\n]*/gi, file.relPath));
+    result.readReplicaSettings.push(...extract(file.content, /\b(?:read[_-]?replica|reader[_-]?endpoint)\b[^\n]*/gi, file.relPath));
+    result.failoverSettings.push(...extract(file.content, /\b(?:failover|multi[_-]?az|secondary[_-]?host)\b[^\n]*/gi, file.relPath));
+    result.collationAndEncoding.push(...extract(file.content, /\b(?:collation|charset|encoding|utf-?8)\b[^\n]*/gi, file.relPath));
+    result.queryTimeoutDefaults.push(...extract(file.content, /\b(?:statement_timeout|query[_-]?timeout|socketTimeout|commandTimeout)\b[^\n]*/gi, file.relPath));
+    result.manualIndexes.push(...extract(file.content, /\bcreate\s+(?:unique\s+)?index\s+[^;\n]+/gi, file.relPath));
+    result.tables.push(...extract(file.content, /\bcreate\s+table\s+([a-zA-Z0-9_."]+)/gi, file.relPath));
+    result.views.push(...extract(file.content, /\bcreate\s+view\s+([a-zA-Z0-9_."]+)/gi, file.relPath));
+    result.storedProcedures.push(...extract(file.content, /\bcreate\s+(?:or\s+replace\s+)?procedure\s+([a-zA-Z0-9_."]+)/gi, file.relPath));
+    result.triggers.push(...extract(file.content, /\bcreate\s+trigger\s+([a-zA-Z0-9_."]+)/gi, file.relPath));
+    result.rowLevelSecurityPolicies.push(...extract(file.content, /\b(?:row\s+level\s+security|create\s+policy|alter\s+table\s+.*\s+enable\s+row\s+level\s+security)\b[^;\n]*/gi, file.relPath));
+    result.otherServices.push(...extract(file.content, /\b(?:redis:\/\/[^\s'"`]+|amqp:\/\/[^\s'"`]+|kafka:\/\/[^\s'"`]+|elasticsearch:\/\/[^\s'"`]+)\b/gi, file.relPath));
+  }
+  const dedupDb = /* @__PURE__ */ new Map();
+  for (const db of dbTechnologies) dedupDb.set(`${db.kind}:${db.brand}:${db.evidence}`, db);
+  result.databaseTechnologies = [...dedupDb.values()].sort((a, b) => a.brand.localeCompare(b.brand));
+  result.connectionStrings = uniq(result.connectionStrings);
+  result.connectionPoolSettings = uniq(result.connectionPoolSettings);
+  result.replicationSettings = uniq(result.replicationSettings);
+  result.readReplicaSettings = uniq(result.readReplicaSettings);
+  result.failoverSettings = uniq(result.failoverSettings);
+  result.collationAndEncoding = uniq(result.collationAndEncoding);
+  result.queryTimeoutDefaults = uniq(result.queryTimeoutDefaults);
+  result.manualIndexes = uniq(result.manualIndexes);
+  result.tables = uniq(result.tables);
+  result.views = uniq(result.views);
+  result.storedProcedures = uniq(result.storedProcedures);
+  result.triggers = uniq(result.triggers);
+  result.rowLevelSecurityPolicies = uniq(result.rowLevelSecurityPolicies);
+  result.otherServices = uniq(result.otherServices);
+  return result;
+}
+function detectOpenApiSpecification(relPath, content) {
+  const lowerPath = relPath.toLowerCase();
+  const format = lowerPath.endsWith(".json") ? "json" : lowerPath.endsWith(".yaml") ? "yaml" : lowerPath.endsWith(".yml") ? "yml" : null;
+  if (!format) return null;
+  const hasOpenApi = /\bopenapi\s*[:=]\s*['"]?3\./i.test(content) || /\bswagger\s*[:=]\s*['"]?2\.0/i.test(content) || /"openapi"\s*:\s*"3\./i.test(content);
+  const likelyName = /(openapi|swagger).*(\.ya?ml|\.json)$/i.test(lowerPath) || /\/api-docs\b/i.test(lowerPath);
+  if (!hasOpenApi && !likelyName) return null;
+  const version = content.match(/\bopenapi\s*[:=]\s*['"]?([^'"\s,]+)/i)?.[1] ?? content.match(/\bswagger\s*[:=]\s*['"]?([^'"\s,]+)/i)?.[1] ?? null;
+  const title = content.match(/\btitle\s*[:=]\s*['"]([^'"]+)['"]/i)?.[1] ?? content.match(/\btitle\s*[:=]\s*([^\n#]+)/i)?.[1]?.trim() ?? content.match(/"title"\s*:\s*"([^"]+)"/i)?.[1] ?? null;
+  const endpointCount = content.match(/(^|\n)\s*\/[^\n:]+:\s*(get|post|put|patch|delete|options|head)/gim)?.length ?? content.match(/"\/[^"]+"\s*:\s*\{/g)?.length ?? null;
+  return { path: relPath, format, version, title, endpointCount };
+}
+async function scanApiSurface(rootDir, fileCache) {
+  const files = await scanTextFiles(rootDir, fileCache);
+  const integrations = [];
+  const result = {
+    integrations: [],
+    openApiSpecifications: [],
+    webhookUrls: [],
+    callbackEndpoints: [],
+    apiVersionPins: [],
+    tokenExpirationPolicies: [],
+    rateLimitOverrides: [],
+    customHeaders: [],
+    corsPolicies: [],
+    oauthScopes: [],
+    apiTokens: []
+  };
+  for (const file of files) {
+    const openApiSpec = detectOpenApiSpecification(file.relPath, file.content);
+    if (openApiSpec) result.openApiSpecifications.push(openApiSpec);
+    const endpoints = extract(file.content, /\bhttps?:\/\/[^\s'"`]+/gi, file.relPath);
+    for (const endpoint of endpoints) {
+      const provider = endpoint.replace(/^https?:\/\//, "").split("/")[0] ?? "unknown";
+      const versionMatch = endpoint.match(/\/(v\d+(?:\.\d+)?)\b/i);
+      const params = endpoint.match(/[?&]([a-zA-Z0-9_.-]+)=/g)?.map((p) => p.replace(/[?&=]/g, "")) ?? [];
+      integrations.push({
+        provider,
+        endpoint,
+        version: versionMatch ? versionMatch[1] : null,
+        parameters: params,
+        configOptions: extract(file.content, /\b(?:baseUrl|apiUrl|endpoint|timeout|retries|apiVersion)\b[^\n]*/gi, file.relPath),
+        authHints: extract(file.content, /\b(?:api[_-]?key|bearer\s+[a-z0-9_.-]+|client[_-]?secret|oauth)\b[^\n]*/gi, file.relPath)
+      });
+    }
+    result.webhookUrls.push(...extract(file.content, /\bhttps?:\/\/[^\s'"`]*(?:webhook|hooks?)[^\s'"`]*/gi, file.relPath));
+    result.callbackEndpoints.push(...extract(file.content, /\bhttps?:\/\/[^\s'"`]*(?:callback|redirect_uri)[^\s'"`]*/gi, file.relPath));
+    result.apiVersionPins.push(...extract(file.content, /\bapi[_-]?version\b[^\n]*/gi, file.relPath));
+    result.tokenExpirationPolicies.push(...extract(file.content, /\b(?:token[_-]?expiry|expires[_-]?in|refresh[_-]?token[_-]?ttl)\b[^\n]*/gi, file.relPath));
+    result.rateLimitOverrides.push(...extract(file.content, /\b(?:rate[_-]?limit|max[_-]?requests|throttle)\b[^\n]*/gi, file.relPath));
+    result.customHeaders.push(...extract(file.content, /\b(?:x-[a-z0-9-]+|authorization|user-agent)\b[^\n]*/gi, file.relPath));
+    result.corsPolicies.push(...extract(file.content, /\b(?:cors|access-control-allow-origin|allowedOrigins)\b[^\n]*/gi, file.relPath));
+    result.oauthScopes.push(...extract(file.content, /\b(?:scope|scopes)\b[^\n]*(?:openid|profile|email|read|write)/gi, file.relPath));
+    result.apiTokens.push(...extract(file.content, /\b(?:api[_-]?token|access[_-]?token|bearer[_-]?token)\b[^\n]*/gi, file.relPath));
+  }
+  const integrationMap = /* @__PURE__ */ new Map();
+  for (const integration of integrations) {
+    const key = `${integration.provider}:${integration.endpoint}`;
+    integrationMap.set(key, {
+      ...integration,
+      parameters: uniq(integration.parameters),
+      configOptions: uniq(integration.configOptions),
+      authHints: uniq(integration.authHints)
+    });
   }
-  return "general";
+  result.integrations = [...integrationMap.values()].sort((a, b) => a.provider.localeCompare(b.provider));
+  result.openApiSpecifications = [...new Map(result.openApiSpecifications.map((spec) => [spec.path, spec])).values()].sort((a, b) => a.path.localeCompare(b.path));
+  result.webhookUrls = uniq(result.webhookUrls);
+  result.callbackEndpoints = uniq(result.callbackEndpoints);
+  result.apiVersionPins = uniq(result.apiVersionPins);
+  result.tokenExpirationPolicies = uniq(result.tokenExpirationPolicies);
+  result.rateLimitOverrides = uniq(result.rateLimitOverrides);
+  result.customHeaders = uniq(result.customHeaders);
+  result.corsPolicies = uniq(result.corsPolicies);
+  result.oauthScopes = uniq(result.oauthScopes);
+  result.apiTokens = uniq(result.apiTokens);
+  return result;
 }
-function normalizeValue(value) {
-  return value.toLowerCase().replace(/[^a-z0-9\s-]/g, " ").replace(/\s+/g, " ").trim().slice(0, 60);
+async function scanOperationalResilience(rootDir, fileCache) {
+  const files = await scanTextFiles(rootDir, fileCache);
+  const result = {
+    implicitTimeouts: [],
+    defaultPaginationSize: [],
+    implicitRetryLogic: [],
+    defaultLocale: [],
+    defaultCurrency: [],
+    implicitTimezone: [],
+    defaultCharacterEncoding: [],
+    sessionStores: [],
+    distributedLocks: [],
+    jobSchedulers: [],
+    idempotencyKeys: [],
+    rateLimitingCounters: [],
+    circuitBreakerState: [],
+    abTestToggles: [],
+    regionalEnablementRules: [],
+    betaAccessGroups: [],
+    licensingEnforcementLogic: [],
+    killSwitches: [],
+    connectorRetryLogic: [],
+    apiPollingIntervals: [],
+    fieldMappings: [],
+    schemaRegistryRules: [],
+    deadLetterQueueBehavior: [],
+    dataMaskingRules: [],
+    transformationLogic: [],
+    timezoneHandling: [],
+    encryptionSettings: [],
+    hardcodedSecretSignals: []
+  };
+  for (const file of files) {
+    result.implicitTimeouts.push(...extract(file.content, /\b(?:timeout|requestTimeout|connectTimeout|readTimeout)\b[^\n]*/gi, file.relPath));
+    result.defaultPaginationSize.push(...extract(file.content, /\b(?:pageSize|limit|perPage|defaultPageSize)\b[^\n]*/gi, file.relPath));
+    result.implicitRetryLogic.push(...extract(file.content, /\b(?:retry|backoff|maxRetries)\b[^\n]*/gi, file.relPath));
+    result.defaultLocale.push(...extract(file.content, /\b(?:defaultLocale|locale\s*[:=]|en-US|en_GB)\b[^\n]*/gi, file.relPath));
+    result.defaultCurrency.push(...extract(file.content, /\b(?:defaultCurrency|currency\s*[:=]|USD|EUR|GBP)\b[^\n]*/gi, file.relPath));
+    result.implicitTimezone.push(...extract(file.content, /\b(?:timezone|timeZone|UTC|GMT)\b[^\n]*/gi, file.relPath));
+    result.defaultCharacterEncoding.push(...extract(file.content, /\b(?:charset|encoding|UTF-?8|ISO-8859-1)\b[^\n]*/gi, file.relPath));
+    result.sessionStores.push(...extract(file.content, /\b(?:sessionStore|redisStore|memoryStore)\b[^\n]*/gi, file.relPath));
+    result.distributedLocks.push(...extract(file.content, /\b(?:distributed[_-]?lock|redlock|mutex)\b[^\n]*/gi, file.relPath));
+    result.jobSchedulers.push(...extract(file.content, /\b(?:cron|schedule|bullmq|agenda|job[_-]?scheduler)\b[^\n]*/gi, file.relPath));
+    result.idempotencyKeys.push(...extract(file.content, /\b(?:idempotency[_-]?key|Idempotency-Key)\b[^\n]*/gi, file.relPath));
+    result.rateLimitingCounters.push(...extract(file.content, /\b(?:rate[_-]?limit|throttle|quota)\b[^\n]*/gi, file.relPath));
+    result.circuitBreakerState.push(...extract(file.content, /\b(?:circuit[_-]?breaker|half[_-]?open|open[_-]?state)\b[^\n]*/gi, file.relPath));
+    result.abTestToggles.push(...extract(file.content, /\b(?:a\/b|ab[_-]?test|experiment[_-]?flag)\b[^\n]*/gi, file.relPath));
+    result.regionalEnablementRules.push(...extract(file.content, /\b(?:region[_-]?enabled|geo[_-]?fence|country[_-]?allow)\b[^\n]*/gi, file.relPath));
+    result.betaAccessGroups.push(...extract(file.content, /\b(?:beta[_-]?users?|early[_-]?access|allowlist)\b[^\n]*/gi, file.relPath));
+    result.licensingEnforcementLogic.push(...extract(file.content, /\b(?:license[_-]?key|entitlement|plan[_-]?check)\b[^\n]*/gi, file.relPath));
+    result.killSwitches.push(...extract(file.content, /\b(?:kill[_-]?switch|disable[_-]?all|emergency[_-]?stop)\b[^\n]*/gi, file.relPath));
+    result.connectorRetryLogic.push(...extract(file.content, /\b(?:connector|integration)\b[^\n]*(?:retry|backoff)/gi, file.relPath));
+    result.apiPollingIntervals.push(...extract(file.content, /\b(?:poll(?:ing)?[_-]?interval|sync[_-]?interval)\b[^\n]*/gi, file.relPath));
+    result.fieldMappings.push(...extract(file.content, /\b(?:field[_-]?mapping|mapFields?|column[_-]?map)\b[^\n]*/gi, file.relPath));
+    result.schemaRegistryRules.push(...extract(file.content, /\b(?:schema[_-]?registry|avro|protobuf)\b[^\n]*/gi, file.relPath));
+    result.deadLetterQueueBehavior.push(...extract(file.content, /\b(?:dead[_-]?letter|dlq)\b[^\n]*/gi, file.relPath));
+    result.dataMaskingRules.push(...extract(file.content, /\b(?:data[_-]?mask|redact|pii[_-]?mask)\b[^\n]*/gi, file.relPath));
+    result.transformationLogic.push(...extract(file.content, /\b(?:transform|mapper|normaliz(?:e|ation))\b[^\n]*/gi, file.relPath));
+    result.timezoneHandling.push(...extract(file.content, /\b(?:convertTimezone|tz\(|moment\.tz|DateTimeZone)\b[^\n]*/gi, file.relPath));
+    result.encryptionSettings.push(...extract(file.content, /\b(?:kms|encrypt(?:ion)?|cipher|tls|minTlsVersion)\b[^\n]*/gi, file.relPath));
+    result.hardcodedSecretSignals.push(...extract(file.content, /\b(?:password|passwd|connectionString|api[_-]?key|secret)\b\s*[:=]\s*['"][^'"]{4,}['"]/gi, file.relPath));
+  }
+  Object.keys(result).forEach((key) => {
+    result[key] = uniq(result[key]);
+  });
+  return result;
 }
-function dedupeStrings(values) {
-  const sorted = values.sort((a, b) => b.length - a.length);
-  const kept = [];
-  for (const value of sorted) {
-    const isDupe = kept.some((k) => {
-      const stem = value.slice(0, 6);
-      return k.startsWith(stem) || k.includes(value) || value.includes(k);
-    });
-    if (!isDupe) {
-      kept.push(value);
+async function scanAssetBranding(rootDir, fileCache) {
+  const entries = await fileCache.walkDir(rootDir);
+  const faviconCandidates = entries.filter((entry) => entry.isFile && /favicon/i.test(entry.name));
+  const logoCandidates = entries.filter((entry) => entry.isFile && /logo/i.test(entry.name));
+  const faviconFiles = [];
+  for (const entry of faviconCandidates.slice(0, 10)) {
+    try {
+      const content = await fileCache.readTextFile(entry.absPath);
+      if (!content) continue;
+      const encoded = Buffer.from(content).toString("base64");
+      faviconFiles.push({
+        path: entry.relPath,
+        base64: encoded.slice(0, 1e4)
+      });
+    } catch {
     }
   }
-  return kept;
+  return {
+    faviconFiles,
+    productLogos: uniq(logoCandidates.map((entry) => entry.relPath))
+  };
 }
-function dedupeRoutes(routes) {
-  const seen = /* @__PURE__ */ new Set();
-  const result = [];
-  for (const route of routes) {
-    const normalized = route.replace(/:[a-z_]+/gi, ":param").replace(/\[\[*\.*\.*[a-z_]+\]*\]/gi, ":param").replace(/\/+$/, "").toLowerCase();
-    if (!seen.has(normalized)) {
-      seen.add(normalized);
-      result.push(route);
+async function scanOssGovernance(rootDir, fileCache) {
+  const files = await scanTextFiles(rootDir, fileCache);
+  const directDeps = /* @__PURE__ */ new Set();
+  const transitiveDeps = /* @__PURE__ */ new Set();
+  const vulns = [];
+  const licenseRisks = [];
+  for (const file of files) {
+    if (/package(-lock)?\.json$|pnpm-lock\.yaml$|poetry\.lock$|pom\.xml$/i.test(file.relPath)) {
+      const depMatches = file.content.match(/"([@a-zA-Z0-9_.\/-]+)"\s*:/g) ?? [];
+      depMatches.forEach((match) => transitiveDeps.add(match.replace(/["\s:]/g, "")));
+    }
+    if (/package\.json$/i.test(file.relPath)) {
+      const depMatches = file.content.match(/"([@a-zA-Z0-9_.\/-]+)"\s*:\s*"[~^0-9*><=.-]+"/g) ?? [];
+      depMatches.forEach((match) => {
+        const pkg2 = match.split(":")[0]?.replace(/"/g, "").trim();
+        if (pkg2) directDeps.add(pkg2);
+      });
     }
+    vulns.push(...extract(file.content, /\b(?:CVE-\d{4}-\d{4,}|critical vulnerability|high severity)\b[^\n]*/gi, file.relPath));
+    licenseRisks.push(...extract(file.content, /\b(?:GPL-3\.0|AGPL|SSPL|BUSL|source[- ]available)\b[^\n]*/gi, file.relPath));
   }
-  return result;
+  return {
+    directDependencies: directDeps.size,
+    transitiveDependencies: Math.max(transitiveDeps.size, directDeps.size),
+    knownVulnerabilities: uniq(vulns),
+    licenseRisks: uniq(licenseRisks)
+  };
 }
 
 // src/utils/tool-installer.ts
@@ -7639,21 +8155,27 @@ function escapeLabel(input) {
 }
 function scoreClass(score) {
   if (score === void 0 || Number.isNaN(score)) return "scoreUnknown";
-  if (score >= 70) return "scoreHigh";
-  if (score >= 40) return "scoreModerate";
+  if (score >= 80) return "scoreHigh";
+  if (score >= 50) return "scoreModerate";
   return "scoreLow";
 }
 function nodeLabel(project) {
   const score = project.drift?.score;
-  const scoreText = typeof score === "number" ? ` (${score})` : " (n/a)";
-  return `${project.name}${scoreText}`;
+  if (typeof score === "number") {
+    return `${project.name} (${score})`;
+  }
+  return project.name;
 }
 function buildDefs() {
   return [
-    "classDef scoreHigh fill:#064e3b,stroke:#10b981,color:#d1fae5,stroke-width:2px",
-    "classDef scoreModerate fill:#78350f,stroke:#f59e0b,color:#fef3c7,stroke-width:2px",
-    "classDef scoreLow fill:#7f1d1d,stroke:#ef4444,color:#fee2e2,stroke-width:2px",
-    "classDef scoreUnknown fill:#334155,stroke:#94a3b8,color:#e2e8f0,stroke-width:2px"
+    // Emerald border for high scores (>= 80) - border-emerald-500
+    "classDef scoreHigh fill:#1e293b,stroke:#10b981,color:#f1f5f9,stroke-width:2px",
+    // Amber border for moderate scores (50-79) - border-amber-500
+    "classDef scoreModerate fill:#1e293b,stroke:#f59e0b,color:#f1f5f9,stroke-width:2px",
+    // Red border for low scores (< 50) - border-red-500
+    "classDef scoreLow fill:#1e293b,stroke:#ef4444,color:#f1f5f9,stroke-width:2px",
+    // Slate border for unknown scores
+    "classDef scoreUnknown fill:#1e293b,stroke:#64748b,color:#94a3b8,stroke-width:2px"
   ];
 }
 function generateWorkspaceRelationshipMermaid(projects) {
@@ -7739,17 +8261,17 @@ async function discoverSolutions(rootDir, fileCache) {
   for (const solutionFile of solutionFiles) {
     try {
       const content = await fileCache.readTextFile(solutionFile);
-      const dir = path23.dirname(solutionFile);
-      const relSolutionPath = path23.relative(rootDir, solutionFile).replace(/\\/g, "/");
+      const dir = path24.dirname(solutionFile);
+      const relSolutionPath = path24.relative(rootDir, solutionFile).replace(/\\/g, "/");
       const projectPaths = /* @__PURE__ */ new Set();
       const projectRegex = /Project\("[^"]*"\)\s*=\s*"([^"]*)",\s*"([^"]+\.csproj)"/g;
       let match;
       while ((match = projectRegex.exec(content)) !== null) {
         const projectRelative = match[2];
-        const absProjectPath = path23.resolve(dir, projectRelative.replace(/\\/g, "/"));
-        projectPaths.add(path23.relative(rootDir, absProjectPath).replace(/\\/g, "/"));
+        const absProjectPath = path24.resolve(dir, projectRelative.replace(/\\/g, "/"));
+        projectPaths.add(path24.relative(rootDir, absProjectPath).replace(/\\/g, "/"));
       }
-      const solutionName = path23.basename(solutionFile, path23.extname(solutionFile));
+      const solutionName = path24.basename(solutionFile, path24.extname(solutionFile));
       parsed.push({
         path: relSolutionPath,
         name: solutionName,
@@ -7792,7 +8314,13 @@ async function runScan(rootDir, opts) {
     architecture: !maxPrivacyMode,
     codeQuality: !maxPrivacyMode,
     owaspCategoryMapping: !maxPrivacyMode,
-    uiPurpose: !maxPrivacyMode
+    uiPurpose: !maxPrivacyMode,
+    runtimeConfiguration: !maxPrivacyMode,
+    dataStores: true,
+    apiSurface: !maxPrivacyMode,
+    operationalResilience: !maxPrivacyMode,
+    assetBranding: true,
+    ossGovernance: true
   };
   let filesScanned = 0;
   const progress = new ScanProgress(rootDir);
@@ -7821,7 +8349,13 @@ async function runScan(rootDir, opts) {
       ...scannerPolicy.architecture && scanners?.architecture?.enabled !== false ? [{ id: "architecture", label: "Architecture layers" }] : [],
       ...scannerPolicy.codeQuality && scanners?.codeQuality?.enabled !== false ? [{ id: "codequality", label: "Code quality metrics" }] : [],
       ...scannerPolicy.owaspCategoryMapping && scanners?.owaspCategoryMapping?.enabled !== false ? [{ id: "owasp", label: "OWASP category mapping" }] : [],
-      ...!maxPrivacyMode && (opts.uiPurpose || scanners?.uiPurpose?.enabled === true) ? [{ id: "uipurpose", label: "UI purpose evidence" }] : []
+      ...!maxPrivacyMode && (opts.uiPurpose || scanners?.uiPurpose?.enabled === true) ? [{ id: "uipurpose", label: "UI purpose evidence" }] : [],
+      ...scannerPolicy.runtimeConfiguration && scanners?.runtimeConfiguration?.enabled !== false ? [{ id: "runtimecfg", label: "Runtime configuration" }] : [],
+      ...scannerPolicy.dataStores && scanners?.dataStores?.enabled !== false ? [{ id: "datastores", label: "Data stores & schema" }] : [],
+      ...scannerPolicy.apiSurface && scanners?.apiSurface?.enabled !== false ? [{ id: "apisurface", label: "API integrations" }] : [],
+      ...scannerPolicy.operationalResilience && scanners?.operationalResilience?.enabled !== false ? [{ id: "resilience", label: "Operational resilience" }] : [],
+      ...scannerPolicy.assetBranding && scanners?.assetBranding?.enabled !== false ? [{ id: "branding", label: "Branding assets" }] : [],
+      ...scannerPolicy.ossGovernance && scanners?.ossGovernance?.enabled !== false ? [{ id: "ossgov", label: "OSS governance" }] : []
     ] : [],
     { id: "drift", label: "Computing drift score" },
     { id: "findings", label: "Generating findings" }
@@ -7947,7 +8481,7 @@ async function runScan(rootDir, opts) {
     project.drift = computeDriftScore([project]);
     project.projectId = computeProjectId(project.path, project.name, workspaceId);
   }
-  const solutionsManifestPath = path23.join(rootDir, ".vibgrate", "solutions.json");
+  const solutionsManifestPath = path24.join(rootDir, ".vibgrate", "solutions.json");
   const persistedSolutionIds = /* @__PURE__ */ new Map();
   if (await pathExists(solutionsManifestPath)) {
     try {
@@ -8124,6 +8658,66 @@ async function runScan(rootDir, opts) {
         })
       );
     }
+    if (scannerPolicy.runtimeConfiguration && scanners?.runtimeConfiguration?.enabled !== false) {
+      progress.startStep("runtimecfg");
+      scannerTasks.push(
+        scanRuntimeConfiguration(rootDir, fileCache).then((result) => {
+          extended.runtimeConfiguration = result;
+          const count = result.environmentVariables.length + result.featureFlags.length + result.dotEnvFiles.length;
+          progress.completeStep("runtimecfg", `${count} runtime signals`, count);
+        })
+      );
+    }
+    if (scannerPolicy.dataStores && scanners?.dataStores?.enabled !== false) {
+      progress.startStep("datastores");
+      scannerTasks.push(
+        scanDataStores(rootDir, fileCache).then((result) => {
+          extended.dataStores = result;
+          const count = result.databaseTechnologies.length + result.tables.length + result.views.length;
+          progress.completeStep("datastores", `${result.databaseTechnologies.length} engines \xB7 ${result.tables.length} tables`, count);
+        })
+      );
+    }
+    if (scannerPolicy.apiSurface && scanners?.apiSurface?.enabled !== false) {
+      progress.startStep("apisurface");
+      scannerTasks.push(
+        scanApiSurface(rootDir, fileCache).then((result) => {
+          extended.apiSurface = result;
+          const count = result.integrations.length + result.webhookUrls.length;
+          progress.completeStep("apisurface", `${result.integrations.length} integrations`, count);
+        })
+      );
+    }
+    if (scannerPolicy.operationalResilience && scanners?.operationalResilience?.enabled !== false) {
+      progress.startStep("resilience");
+      scannerTasks.push(
+        scanOperationalResilience(rootDir, fileCache).then((result) => {
+          extended.operationalResilience = result;
+          const count = result.implicitTimeouts.length + result.implicitRetryLogic.length + result.killSwitches.length;
+          progress.completeStep("resilience", `${count} resilience signals`, count);
+        })
+      );
+    }
+    if (scannerPolicy.assetBranding && scanners?.assetBranding?.enabled !== false) {
+      progress.startStep("branding");
+      scannerTasks.push(
+        scanAssetBranding(rootDir, fileCache).then((result) => {
+          extended.assetBranding = result;
+          const count = result.faviconFiles.length + result.productLogos.length;
+          progress.completeStep("branding", `${result.faviconFiles.length} favicons \xB7 ${result.productLogos.length} logos`, count);
+        })
+      );
+    }
+    if (scannerPolicy.ossGovernance && scanners?.ossGovernance?.enabled !== false) {
+      progress.startStep("ossgov");
+      scannerTasks.push(
+        scanOssGovernance(rootDir, fileCache).then((result) => {
+          extended.ossGovernance = result;
+          const count = result.directDependencies + result.knownVulnerabilities.length + result.licenseRisks.length;
+          progress.completeStep("ossgov", `${result.directDependencies} direct deps`, count);
+        })
+      );
+    }
     if (scannerPolicy.dependencyRisk && scanners?.dependencyRisk?.enabled !== false) {
       progress.startStep("deprisk");
       scannerTasks.push(
@@ -8164,7 +8758,7 @@ async function runScan(rootDir, opts) {
       const summary = [`${up.topEvidence.length} evidence`, ...up.capped ? ["capped"] : []].join(" \xB7 ");
       progress.completeStep("uipurpose", summary, up.topEvidence.length);
       await Promise.all(allProjects.map(async (project) => {
-        const projectDir = path23.join(rootDir, project.path);
+        const projectDir = path24.join(rootDir, project.path);
         const projectResult = await scanUiPurpose(projectDir, fileCache, 150);
         if (projectResult.topEvidence.length > 0) {
           project.uiPurpose = compactUiPurpose(projectResult);
@@ -8258,13 +8852,19 @@ async function runScan(rootDir, opts) {
   if (extended.codeQuality) filesScanned += extended.codeQuality.filesAnalyzed;
   if (extended.owaspCategoryMapping) filesScanned += extended.owaspCategoryMapping.scannedFiles;
   if (extended.uiPurpose) filesScanned += extended.uiPurpose.topEvidence.length;
+  if (extended.runtimeConfiguration) filesScanned += extended.runtimeConfiguration.hiddenConfigFiles.length;
+  if (extended.dataStores) filesScanned += extended.dataStores.databaseTechnologies.length + extended.dataStores.tables.length;
+  if (extended.apiSurface) filesScanned += extended.apiSurface.integrations.length;
+  if (extended.operationalResilience) filesScanned += extended.operationalResilience.implicitTimeouts.length;
+  if (extended.assetBranding) filesScanned += extended.assetBranding.faviconFiles.length + extended.assetBranding.productLogos.length;
+  if (extended.ossGovernance) filesScanned += extended.ossGovernance.directDependencies;
   const durationMs = Date.now() - scanStart;
   const repository = await buildRepositoryInfo(rootDir, vcs.remoteUrl, extended.buildDeploy?.ci);
   const artifact = {
     schemaVersion: "1.0",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     vibgrateVersion: VERSION,
-    rootPath: path23.basename(rootDir),
+    rootPath: path24.basename(rootDir),
     ...vcs.type !== "unknown" ? { vcs } : {},
     repository,
     projects: allProjects,
@@ -8278,7 +8878,7 @@ async function runScan(rootDir, opts) {
     relationshipDiagram
   };
   if (opts.baseline) {
-    const baselinePath = path23.resolve(opts.baseline);
+    const baselinePath = path24.resolve(opts.baseline);
     if (await pathExists(baselinePath)) {
       try {
         const baseline = await readJsonFile(baselinePath);
@@ -8290,10 +8890,10 @@ async function runScan(rootDir, opts) {
     }
   }
   if (!opts.noLocalArtifacts && !maxPrivacyMode) {
-    const vibgrateDir = path23.join(rootDir, ".vibgrate");
+    const vibgrateDir = path24.join(rootDir, ".vibgrate");
     await ensureDir(vibgrateDir);
-    await writeJsonFile(path23.join(vibgrateDir, "scan_result.json"), artifact);
-    await writeJsonFile(path23.join(vibgrateDir, "solutions.json"), {
+    await writeJsonFile(path24.join(vibgrateDir, "scan_result.json"), artifact);
+    await writeJsonFile(path24.join(vibgrateDir, "solutions.json"), {
       scannedAt: artifact.timestamp,
       solutions: solutions.map((solution) => ({
         solutionId: solution.solutionId,
@@ -8314,10 +8914,10 @@ async function runScan(rootDir, opts) {
   if (!opts.noLocalArtifacts && !maxPrivacyMode) {
     for (const project of allProjects) {
       if (project.drift && project.path) {
-        const projectDir = path23.resolve(rootDir, project.path);
-        const projectVibgrateDir = path23.join(projectDir, ".vibgrate");
+        const projectDir = path24.resolve(rootDir, project.path);
+        const projectVibgrateDir = path24.join(projectDir, ".vibgrate");
         await ensureDir(projectVibgrateDir);
-        await writeJsonFile(path23.join(projectVibgrateDir, "project_score.json"), {
+        await writeJsonFile(path24.join(projectVibgrateDir, "project_score.json"), {
           projectId: project.projectId,
           name: project.name,
           type: project.type,
@@ -8337,7 +8937,7 @@ async function runScan(rootDir, opts) {
   if (opts.format === "json") {
     const jsonStr = JSON.stringify(artifact, null, 2);
     if (opts.out) {
-      await writeTextFile(path23.resolve(opts.out), jsonStr);
+      await writeTextFile(path24.resolve(opts.out), jsonStr);
       console.log(chalk6.green("\u2714") + ` JSON written to ${opts.out}`);
     } else {
       console.log(jsonStr);
@@ -8346,7 +8946,7 @@ async function runScan(rootDir, opts) {
     const sarif = formatSarif(artifact);
     const sarifStr = JSON.stringify(sarif, null, 2);
     if (opts.out) {
-      await writeTextFile(path23.resolve(opts.out), sarifStr);
+      await writeTextFile(path24.resolve(opts.out), sarifStr);
       console.log(chalk6.green("\u2714") + ` SARIF written to ${opts.out}`);
     } else {
       console.log(sarifStr);
@@ -8355,20 +8955,20 @@ async function runScan(rootDir, opts) {
     const markdown = formatMarkdown(artifact);
     console.log(markdown);
     if (opts.out) {
-      await writeTextFile(path23.resolve(opts.out), markdown);
+      await writeTextFile(path24.resolve(opts.out), markdown);
     }
   } else {
     const text = formatText(artifact);
     console.log(text);
     if (opts.out) {
-      await writeTextFile(path23.resolve(opts.out), text);
+      await writeTextFile(path24.resolve(opts.out), text);
     }
   }
   return artifact;
 }
 async function buildRepositoryInfo(rootDir, remoteUrl, ciSystems) {
-  const packageJsonPath = path23.join(rootDir, "package.json");
-  let name = path23.basename(rootDir);
+  const packageJsonPath = path24.join(rootDir, "package.json");
+  let name = path24.basename(rootDir);
   let version;
   if (await pathExists(packageJsonPath)) {
     try {
@@ -8403,7 +9003,7 @@ async function autoPush(artifact, rootDir, opts) {
     if (opts.strict) process.exit(1);
     return;
   }
-  const body = JSON.stringify(artifact);
+  const { body, contentEncoding } = await prepareCompressedUpload(artifact);
   const timestamp = String(Date.now());
   let host = parsed.host;
   if (opts.region) {
@@ -8416,12 +9016,16 @@ async function autoPush(artifact, rootDir, opts) {
     }
   }
   const url = `${parsed.scheme}://${host}/v1/ingest/scan`;
-  console.log(chalk6.dim(`Uploading to ${host}...`));
+  const originalSize = JSON.stringify(artifact).length;
+  const compressedSize = body.length;
+  const ratio = ((1 - compressedSize / originalSize) * 100).toFixed(0);
+  console.log(chalk6.dim(`Uploading to ${host}... (${(compressedSize / 1024).toFixed(0)} KB, ${ratio}% smaller)`));
   try {
     const response = await fetch(url, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
+        "Content-Encoding": contentEncoding,
         "X-Vibgrate-Timestamp": timestamp,
         "Authorization": `VibgrateDSN ${parsed.keyId}:${parsed.secret}`,
         "Connection": "close"
@@ -8463,7 +9067,7 @@ function parseNonNegativeNumber(value, label) {
   return parsed;
 }
 var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif|md)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--install-tools", "Auto-install missing security scanners via Homebrew").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
-  const rootDir = path23.resolve(targetPath);
+  const rootDir = path24.resolve(targetPath);
   if (!await pathExists(rootDir)) {
     console.error(chalk6.red(`Path does not exist: ${rootDir}`));
     process.exit(1);

package/dist/{chunk-GCMUJKM7.js → chunk-IHDUX5MC.js}

@@ -1,6 +1,6 @@
 import {
   runScan
-} from "./chunk-IQ4T2HLG.js";
+} from "./chunk-DMYMJUQP.js";
 import {
   writeJsonFile
 } from "./chunk-TBE6NQ5Z.js";

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   baselineCommand
-} from "./chunk-GCMUJKM7.js";
+} from "./chunk-IHDUX5MC.js";
 import {
   VERSION,
   dsnCommand,
@@ -10,7 +10,7 @@ import {
   pushCommand,
   scanCommand,
   writeDefaultConfig
-} from "./chunk-IQ4T2HLG.js";
+} from "./chunk-DMYMJUQP.js";
 import {
   ensureDir,
   pathExists,
@@ -39,7 +39,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-HGBNL6CN.js");
+    const { runBaseline } = await import("./baseline-IEG2JITU.js");
     await runBaseline(rootDir);
   }
   console.log("");

package/dist/index.d.ts

@@ -196,6 +196,12 @@ interface ScannersConfig {
     codeQuality?: ScannerToggle;
     owaspCategoryMapping?: OwaspScannerConfig;
     uiPurpose?: ScannerToggle;
+    runtimeConfiguration?: ScannerToggle;
+    dataStores?: ScannerToggle;
+    apiSurface?: ScannerToggle;
+    operationalResilience?: ScannerToggle;
+    assetBranding?: ScannerToggle;
+    ossGovernance?: ScannerToggle;
 }
 interface VibgrateConfig {
     include?: string[];
@@ -487,6 +493,111 @@ interface UiPurposeResult {
     topEvidence: UiPurposeEvidenceItem[];
     unknownSignals: string[];
 }
+interface RuntimeConfigurationResult {
+    environmentVariables: string[];
+    featureFlags: string[];
+    hiddenConfigFiles: string[];
+    dotEnvFiles: string[];
+    secretsInjectionPaths: string[];
+    containerEntrypoints: string[];
+    startupArguments: string[];
+    jvmFlags: string[];
+    threadPoolSettings: string[];
+}
+interface DatabaseTechnology {
+    kind: 'sql' | 'nosql';
+    brand: string;
+    version: string | null;
+    evidence: string;
+}
+interface DataStoresResult {
+    databaseTechnologies: DatabaseTechnology[];
+    connectionStrings: string[];
+    connectionPoolSettings: string[];
+    replicationSettings: string[];
+    readReplicaSettings: string[];
+    failoverSettings: string[];
+    collationAndEncoding: string[];
+    queryTimeoutDefaults: string[];
+    manualIndexes: string[];
+    tables: string[];
+    views: string[];
+    storedProcedures: string[];
+    triggers: string[];
+    rowLevelSecurityPolicies: string[];
+    otherServices: string[];
+}
+interface OpenApiSpecification {
+    path: string;
+    format: 'json' | 'yaml' | 'yml';
+    version: string | null;
+    title: string | null;
+    endpointCount: number | null;
+}
+interface ApiIntegration {
+    provider: string;
+    endpoint: string;
+    version: string | null;
+    parameters: string[];
+    configOptions: string[];
+    authHints: string[];
+}
+interface ApiSurfaceResult {
+    integrations: ApiIntegration[];
+    openApiSpecifications: OpenApiSpecification[];
+    webhookUrls: string[];
+    callbackEndpoints: string[];
+    apiVersionPins: string[];
+    tokenExpirationPolicies: string[];
+    rateLimitOverrides: string[];
+    customHeaders: string[];
+    corsPolicies: string[];
+    oauthScopes: string[];
+    apiTokens: string[];
+}
+interface OperationalResilienceResult {
+    implicitTimeouts: string[];
+    defaultPaginationSize: string[];
+    implicitRetryLogic: string[];
+    defaultLocale: string[];
+    defaultCurrency: string[];
+    implicitTimezone: string[];
+    defaultCharacterEncoding: string[];
+    sessionStores: string[];
+    distributedLocks: string[];
+    jobSchedulers: string[];
+    idempotencyKeys: string[];
+    rateLimitingCounters: string[];
+    circuitBreakerState: string[];
+    abTestToggles: string[];
+    regionalEnablementRules: string[];
+    betaAccessGroups: string[];
+    licensingEnforcementLogic: string[];
+    killSwitches: string[];
+    connectorRetryLogic: string[];
+    apiPollingIntervals: string[];
+    fieldMappings: string[];
+    schemaRegistryRules: string[];
+    deadLetterQueueBehavior: string[];
+    dataMaskingRules: string[];
+    transformationLogic: string[];
+    timezoneHandling: string[];
+    encryptionSettings: string[];
+    hardcodedSecretSignals: string[];
+}
+interface AssetBrandingResult {
+    faviconFiles: Array<{
+        path: string;
+        base64: string;
+    }>;
+    productLogos: string[];
+}
+interface OssGovernanceResult {
+    directDependencies: number;
+    transitiveDependencies: number;
+    knownVulnerabilities: string[];
+    licenseRisks: string[];
+}
 interface ExtendedScanResults {
     platformMatrix?: PlatformMatrixResult;
     dependencyRisk?: DependencyRiskResult;
@@ -503,6 +614,12 @@ interface ExtendedScanResults {
     codeQuality?: CodeQualityResult;
     owaspCategoryMapping?: OwaspCategoryMappingResult;
     uiPurpose?: UiPurposeResult;
+    runtimeConfiguration?: RuntimeConfigurationResult;
+    dataStores?: DataStoresResult;
+    apiSurface?: ApiSurfaceResult;
+    operationalResilience?: OperationalResilienceResult;
+    assetBranding?: AssetBrandingResult;
+    ossGovernance?: OssGovernanceResult;
 }
 interface OwaspFinding {
     ruleId: string;

package/dist/index.js

@@ -5,7 +5,7 @@ import {
   formatText,
   generateFindings,
   runScan
-} from "./chunk-IQ4T2HLG.js";
+} from "./chunk-DMYMJUQP.js";
 import "./chunk-TBE6NQ5Z.js";
 export {
   computeDriftScore,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "1.0.64",
+  "version": "1.0.66",
   "description": "CLI for measuring upgrade drift across Node, .NET, Python & Java projects",
   "type": "module",
   "bin": {