@vibgrate/cli 2026.606.2 → 2026.609.1

package/dist/{baseline-MJNJICDN.js → baseline-IGEWCPFI.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-734OP6JR.js";
-import "./chunk-K2D6JXLA.js";
+} from "./chunk-7CIAP6ZD.js";
+import "./chunk-7J3LXQEA.js";
 import "./chunk-74ZJFYEM.js";
 import "./chunk-HAT4W7NZ.js";
 import "./chunk-JSBRDJBE.js";

package/dist/{chunk-734OP6JR.js → chunk-7CIAP6ZD.js}

@@ -1,6 +1,6 @@
 import {
   runScan
-} from "./chunk-K2D6JXLA.js";
+} from "./chunk-7J3LXQEA.js";
 
 // src/commands/baseline.ts
 import * as path3 from "path";

package/dist/{chunk-K2D6JXLA.js → chunk-7J3LXQEA.js}

@@ -1995,6 +1995,44 @@ async function appendExcludePatterns(rootDir, newPatterns) {
     return false;
   }
 }
+var MS_PER_DAY = 864e5;
+var DAYS_PER_YEAR = 365.25;
+function ageDaysBetween(resolvedVersion, latestStable, releaseDates) {
+  if (!resolvedVersion || !latestStable || !releaseDates) return null;
+  const resolvedIso = releaseDates[resolvedVersion];
+  const latestIso = releaseDates[latestStable];
+  if (!resolvedIso || !latestIso) return null;
+  const resolvedMs = Date.parse(resolvedIso);
+  const latestMs = Date.parse(latestIso);
+  if (Number.isNaN(resolvedMs) || Number.isNaN(latestMs)) return null;
+  const days = (latestMs - resolvedMs) / MS_PER_DAY;
+  return days > 0 ? days : 0;
+}
+function daysToLibyears(days) {
+  if (days === null) return null;
+  return days / DAYS_PER_YEAR;
+}
+function aggregateLibyears(values) {
+  let total = 0;
+  let max = 0;
+  let measured = 0;
+  for (const v of values) {
+    if (v === null || v === void 0 || Number.isNaN(v)) continue;
+    total += v;
+    if (v > max) max = v;
+    measured++;
+  }
+  if (measured === 0) return null;
+  return { total, max, measured };
+}
+function freshnessScoreFromLibyears(agg) {
+  if (!agg || agg.measured === 0) return null;
+  const avg = agg.total / agg.measured;
+  const avgPenalty = Math.min(avg * 20, 100);
+  const maxPenalty = Math.min(agg.max * 10, 100);
+  const score = 100 - (avgPenalty * 0.7 + maxPenalty * 0.3);
+  return Math.max(0, Math.min(100, Math.round(score)));
+}
 var DEFAULT_THRESHOLDS = {
   failOnError: {
     eolDays: 180,
@@ -2077,28 +2115,57 @@ function eolScore(projects) {
   }
   return score;
 }
+function freshnessScore(projects) {
+  const aggs = projects.map((p) => p.libyears).filter((a) => !!a);
+  if (aggs.length === 0) return null;
+  const total = aggs.reduce((s, a) => s + a.total, 0);
+  const measured = aggs.reduce((s, a) => s + a.measured, 0);
+  const max = aggs.reduce((m, a) => Math.max(m, a.max), 0);
+  if (measured === 0) return null;
+  return freshnessScoreFromLibyears({ total, max, measured });
+}
+function coverageConfidence(projects) {
+  let known = 0;
+  let unknown = 0;
+  for (const p of projects) {
+    known += p.dependencyAgeBuckets.current + p.dependencyAgeBuckets.oneBehind + p.dependencyAgeBuckets.twoPlusBehind;
+    unknown += p.dependencyAgeBuckets.unknown;
+  }
+  const total = known + unknown;
+  if (total === 0) return null;
+  return Math.round(known / total * 100) / 100;
+}
 function computeDriftScore(projects) {
   const rs = runtimeScore(projects);
   const fs8 = frameworkScore(projects);
   const ds = dependencyScore(projects);
   const es = eolScore(projects);
+  const frs = freshnessScore(projects);
   const components = [
     { score: rs, weight: 0.25 },
     { score: fs8, weight: 0.25 },
     { score: ds, weight: 0.3 },
-    { score: es, weight: 0.2 }
+    { score: es, weight: 0.2 },
+    { score: frs, weight: 0.15 }
   ];
+  const confidence = coverageConfidence(projects) ?? void 0;
+  const buildComponents = () => {
+    const c = {
+      runtimeScore: Math.round(rs ?? 100),
+      frameworkScore: Math.round(fs8 ?? 100),
+      dependencyScore: Math.round(ds ?? 100),
+      eolScore: Math.round(es ?? 100)
+    };
+    if (frs !== null) c.freshnessScore = Math.round(frs);
+    return c;
+  };
   const active = components.filter((c) => c.score !== null);
   if (active.length === 0) {
     return {
       score: 100,
       riskLevel: "low",
-      components: {
-        runtimeScore: Math.round(rs ?? 100),
-        frameworkScore: Math.round(fs8 ?? 100),
-        dependencyScore: Math.round(ds ?? 100),
-        eolScore: Math.round(es ?? 100)
-      }
+      components: buildComponents(),
+      ...confidence !== void 0 ? { confidence } : {}
     };
   }
   const totalActiveWeight = active.reduce((sum, c) => sum + c.weight, 0);
@@ -2116,16 +2183,13 @@ function computeDriftScore(projects) {
   if (fs8 !== null) measured.push("framework");
   if (ds !== null) measured.push("dependency");
   if (es !== null) measured.push("eol");
+  if (frs !== null) measured.push("freshness");
   return {
     score,
     riskLevel,
-    components: {
-      runtimeScore: Math.round(rs ?? 100),
-      frameworkScore: Math.round(fs8 ?? 100),
-      dependencyScore: Math.round(ds ?? 100),
-      eolScore: Math.round(es ?? 100)
-    },
-    measured
+    components: buildComponents(),
+    measured,
+    ...confidence !== void 0 ? { confidence } : {}
   };
 }
 function generateFindings(projects, config) {
@@ -3059,25 +3123,53 @@ function maxStable(versions) {
   if (stable.length === 0) return null;
   return stable.sort(semver.rcompare)[0] ?? null;
 }
+function parseReleaseDates(time) {
+  if (!time || typeof time !== "object") return void 0;
+  const out = {};
+  for (const [key, value] of Object.entries(time)) {
+    if (key === "created" || key === "modified") continue;
+    if (typeof value === "string") out[key] = value;
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
 function parseNpmMetaPayload(data) {
   let latest = null;
   let versions = [];
+  let license = null;
+  let releaseDates;
   if (data && typeof data === "object") {
-    const record = data;
-    const dtLatest = record["dist-tags.latest"];
+    const record2 = data;
+    const dtLatest = record2["dist-tags.latest"];
     if (typeof dtLatest === "string") latest = dtLatest;
-    const distTags = record["dist-tags"];
+    const distTags = record2["dist-tags"];
     if (!latest && distTags && typeof distTags === "object" && typeof distTags.latest === "string") {
       latest = distTags.latest;
     }
-    const v = record.versions;
+    const v = record2.versions;
     if (Array.isArray(v)) versions = v.map(String);
     else if (typeof v === "string") versions = [v];
+    license = parseLicenseField(record2.license ?? record2.licenses);
+    releaseDates = parseReleaseDates(record2.time);
   }
   const stable = stableOnly(versions);
   const latestStableOverall = maxStable(stable);
   if (!latest && latestStableOverall) latest = latestStableOverall;
-  return { latest, stableVersions: stable, latestStableOverall };
+  return { latest, stableVersions: stable, latestStableOverall, license, ...releaseDates ? { releaseDates } : {} };
+}
+function parseLicenseField(value) {
+  if (!value) return null;
+  if (typeof value === "string") return value.trim() || null;
+  if (Array.isArray(value)) {
+    const parts = value.map(parseLicenseField).filter((s) => Boolean(s));
+    if (parts.length === 0) return null;
+    return parts.length === 1 ? parts[0] : `(${parts.join(" OR ")})`;
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    if (typeof obj.type === "string") return obj.type.trim() || null;
+    if (typeof obj.spdx === "string") return obj.spdx.trim() || null;
+  }
+  return null;
 }
 var BATCH_SIZE = 24;
 var WINDOWS_MAX_COMMAND_CHARS = 7e3;
@@ -3144,7 +3236,7 @@ var NpmCache = class {
     if (pending.length === 0) return;
     const batchPromise = this.sem.run(() => this.fetchBatch(pending));
     for (const pkg2 of pending) {
-      const promise = batchPromise.then((batch) => batch.get(pkg2) ?? { latest: null, stableVersions: [], latestStableOverall: null });
+      const promise = batchPromise.then((batch) => batch.get(pkg2) ?? { latest: null, stableVersions: [], latestStableOverall: null, license: null });
       this.meta.set(pkg2, promise);
     }
     await batchPromise;
@@ -3167,10 +3259,12 @@ var NpmCache = class {
         out.set(pkg2, {
           latest: manifestEntry.latest ?? latestStableOverall,
           stableVersions: stable,
-          latestStableOverall
+          latestStableOverall,
+          license: manifestEntry.license ?? null,
+          ...manifestEntry.releaseDates ? { releaseDates: manifestEntry.releaseDates } : {}
         });
       } else if (this.offline) {
-        out.set(pkg2, { latest: null, stableVersions: [], latestStableOverall: null });
+        out.set(pkg2, { latest: null, stableVersions: [], latestStableOverall: null, license: null });
       } else {
         remote.push(pkg2);
       }
@@ -3191,22 +3285,22 @@ var NpmCache = class {
       return out;
     }
     try {
-      const data = await npmViewJson([...pkgs, "dist-tags.latest", "versions"], this.cwd);
+      const data = await npmViewJson([...pkgs, "dist-tags.latest", "versions", "license", "licenses", "time"], this.cwd);
       if (Array.isArray(data)) {
         for (let i = 0; i < data.length && i < pkgs.length; i++) {
           out.set(pkgs[i], parseNpmMetaPayload(data[i]));
         }
       } else if (data && typeof data === "object") {
-        const record = data;
+        const record2 = data;
         let keyedByPkg = 0;
         for (const pkg2 of pkgs) {
-          if (pkg2 in record) {
-            out.set(pkg2, parseNpmMetaPayload(record[pkg2]));
+          if (pkg2 in record2) {
+            out.set(pkg2, parseNpmMetaPayload(record2[pkg2]));
             keyedByPkg++;
           }
         }
         if (keyedByPkg === 0 && pkgs.length === 1) {
-          out.set(pkgs[0], parseNpmMetaPayload(record));
+          out.set(pkgs[0], parseNpmMetaPayload(record2));
         }
       }
     } catch {
@@ -3226,17 +3320,19 @@ var NpmCache = class {
       return {
         latest: manifestEntry.latest ?? latestStableOverall,
         stableVersions: stable,
-        latestStableOverall
+        latestStableOverall,
+        license: manifestEntry.license ?? null,
+        ...manifestEntry.releaseDates ? { releaseDates: manifestEntry.releaseDates } : {}
       };
     }
     if (this.offline) {
-      return { latest: null, stableVersions: [], latestStableOverall: null };
+      return { latest: null, stableVersions: [], latestStableOverall: null, license: null };
     }
     return this.fetchOneRemote(pkg2);
   }
   async fetchOneRemote(pkg2) {
     try {
-      const data = await npmViewJson([pkg2, "dist-tags.latest", "versions"], this.cwd);
+      const data = await npmViewJson([pkg2, "dist-tags.latest", "versions", "license", "licenses", "time"], this.cwd);
       return parseNpmMetaPayload(data);
     } catch {
       let latest = null;
@@ -3257,7 +3353,7 @@ var NpmCache = class {
       const stable = stableOnly(versions);
       const latestStableOverall = maxStable(stable);
       if (!latest && latestStableOverall) latest = latestStableOverall;
-      return { latest, stableVersions: stable, latestStableOverall };
+      return { latest, stableVersions: stable, latestStableOverall, license: null };
     }
   }
 };
@@ -3292,6 +3388,449 @@ function isSemverSpec(spec) {
   if (s === "*" || s.toLowerCase() === "latest") return true;
   return semver.validRange(s) !== null;
 }
+function riskForCategory(category) {
+  switch (category) {
+    case "public-domain":
+    case "permissive":
+      return "low";
+    case "weak-copyleft":
+      return "medium";
+    case "copyleft":
+    case "network-copyleft":
+    case "proprietary":
+      return "high";
+    case "unknown":
+    default:
+      return "medium";
+  }
+}
+var NO_OBLIGATIONS = {
+  attribution: false,
+  copyleft: false,
+  networkCopyleft: false,
+  discloseSource: false,
+  patentGrant: false,
+  commercialRestriction: false
+};
+function record(seed) {
+  return {
+    spdxId: seed.id,
+    name: seed.name,
+    family: seed.family,
+    category: seed.category,
+    osiApproved: seed.osi ?? false,
+    fsfLibre: seed.fsf ?? false,
+    deprecated: seed.deprecated ?? false,
+    referenceUrl: seed.url ?? `https://spdx.org/licenses/${seed.id}.html`,
+    riskLevel: riskForCategory(seed.category),
+    obligations: { ...NO_OBLIGATIONS, ...seed.obligations ?? {} }
+  };
+}
+var ATTRIB = { attribution: true };
+var ATTRIB_PATENT = { attribution: true, patentGrant: true };
+var WEAK = { attribution: true, copyleft: true, discloseSource: true };
+var STRONG = { attribution: true, copyleft: true, discloseSource: true };
+var NETWORK = {
+  attribution: true,
+  copyleft: true,
+  networkCopyleft: true,
+  discloseSource: true
+};
+var SEEDS = [
+  // ── Public domain / unlicensed ──
+  { id: "CC0-1.0", name: "Creative Commons Zero v1.0 Universal", family: "CC", category: "public-domain", fsf: true },
+  { id: "Unlicense", name: "The Unlicense", family: "Public Domain", category: "public-domain", osi: true, fsf: true },
+  { id: "0BSD", name: "BSD Zero Clause License", family: "BSD", category: "permissive", osi: true },
+  { id: "WTFPL", name: "Do What The F*ck You Want To Public License", family: "WTFPL", category: "permissive", fsf: true },
+  // ── Permissive ──
+  { id: "MIT", name: "MIT License", family: "MIT", category: "permissive", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "MIT-0", name: "MIT No Attribution", family: "MIT", category: "permissive", osi: true },
+  { id: "ISC", name: "ISC License", family: "ISC", category: "permissive", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "BSD-2-Clause", name: 'BSD 2-Clause "Simplified" License', family: "BSD", category: "permissive", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "BSD-3-Clause", name: 'BSD 3-Clause "New" or "Revised" License', family: "BSD", category: "permissive", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "BSD-3-Clause-Clear", name: "BSD 3-Clause Clear License", family: "BSD", category: "permissive", osi: true, obligations: ATTRIB },
+  { id: "Apache-2.0", name: "Apache License 2.0", family: "Apache", category: "permissive", osi: true, fsf: true, obligations: ATTRIB_PATENT },
+  { id: "Apache-1.1", name: "Apache Software License 1.1", family: "Apache", category: "permissive", osi: true, obligations: ATTRIB },
+  { id: "Zlib", name: "zlib License", family: "Zlib", category: "permissive", osi: true, fsf: true },
+  { id: "BSL-1.0", name: "Boost Software License 1.0", family: "Boost", category: "permissive", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "PostgreSQL", name: "PostgreSQL License", family: "BSD", category: "permissive", osi: true, obligations: ATTRIB },
+  { id: "Python-2.0", name: "Python License 2.0", family: "Python", category: "permissive", osi: true, obligations: ATTRIB },
+  { id: "PSF-2.0", name: "Python Software Foundation License 2.0", family: "Python", category: "permissive", obligations: ATTRIB },
+  { id: "Artistic-2.0", name: "Artistic License 2.0", family: "Artistic", category: "permissive", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "NCSA", name: "University of Illinois/NCSA Open Source License", family: "NCSA", category: "permissive", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "Unicode-DFS-2016", name: "Unicode License Agreement - Data Files and Software (2016)", family: "Unicode", category: "permissive", osi: true, obligations: ATTRIB },
+  { id: "BlueOak-1.0.0", name: "Blue Oak Model License 1.0.0", family: "BlueOak", category: "permissive", obligations: ATTRIB },
+  // ── Weak / file-level copyleft ──
+  { id: "LGPL-2.0-only", name: "GNU Library General Public License v2 only", family: "LGPL", category: "weak-copyleft", osi: true, fsf: true, obligations: WEAK },
+  { id: "LGPL-2.1-only", name: "GNU Lesser General Public License v2.1 only", family: "LGPL", category: "weak-copyleft", osi: true, fsf: true, obligations: WEAK },
+  { id: "LGPL-2.1-or-later", name: "GNU Lesser General Public License v2.1 or later", family: "LGPL", category: "weak-copyleft", osi: true, fsf: true, obligations: WEAK },
+  { id: "LGPL-3.0-only", name: "GNU Lesser General Public License v3.0 only", family: "LGPL", category: "weak-copyleft", osi: true, fsf: true, obligations: { ...WEAK, patentGrant: true } },
+  { id: "LGPL-3.0-or-later", name: "GNU Lesser General Public License v3.0 or later", family: "LGPL", category: "weak-copyleft", osi: true, fsf: true, obligations: { ...WEAK, patentGrant: true } },
+  { id: "MPL-2.0", name: "Mozilla Public License 2.0", family: "MPL", category: "weak-copyleft", osi: true, fsf: true, obligations: { ...WEAK, patentGrant: true } },
+  { id: "MPL-1.1", name: "Mozilla Public License 1.1", family: "MPL", category: "weak-copyleft", osi: true, fsf: true, obligations: WEAK },
+  { id: "EPL-1.0", name: "Eclipse Public License 1.0", family: "EPL", category: "weak-copyleft", osi: true, fsf: true, obligations: { ...WEAK, patentGrant: true } },
+  { id: "EPL-2.0", name: "Eclipse Public License 2.0", family: "EPL", category: "weak-copyleft", osi: true, fsf: true, obligations: { ...WEAK, patentGrant: true } },
+  { id: "CDDL-1.0", name: "Common Development and Distribution License 1.0", family: "CDDL", category: "weak-copyleft", osi: true, fsf: true, obligations: WEAK },
+  { id: "CDDL-1.1", name: "Common Development and Distribution License 1.1", family: "CDDL", category: "weak-copyleft", obligations: WEAK },
+  { id: "CPL-1.0", name: "Common Public License 1.0", family: "CPL", category: "weak-copyleft", osi: true, fsf: true, obligations: WEAK },
+  { id: "MS-PL", name: "Microsoft Public License", family: "Microsoft", category: "weak-copyleft", osi: true, fsf: true, obligations: ATTRIB },
+  { id: "MS-RL", name: "Microsoft Reciprocal License", family: "Microsoft", category: "weak-copyleft", osi: true, fsf: true, obligations: WEAK },
+  // ── Strong copyleft ──
+  { id: "GPL-2.0-only", name: "GNU General Public License v2.0 only", family: "GPL", category: "copyleft", osi: true, fsf: true, obligations: STRONG },
+  { id: "GPL-2.0-or-later", name: "GNU General Public License v2.0 or later", family: "GPL", category: "copyleft", osi: true, fsf: true, obligations: STRONG },
+  { id: "GPL-3.0-only", name: "GNU General Public License v3.0 only", family: "GPL", category: "copyleft", osi: true, fsf: true, obligations: { ...STRONG, patentGrant: true } },
+  { id: "GPL-3.0-or-later", name: "GNU General Public License v3.0 or later", family: "GPL", category: "copyleft", osi: true, fsf: true, obligations: { ...STRONG, patentGrant: true } },
+  { id: "EUPL-1.1", name: "European Union Public License 1.1", family: "EUPL", category: "copyleft", osi: true, fsf: true, obligations: STRONG },
+  { id: "EUPL-1.2", name: "European Union Public License 1.2", family: "EUPL", category: "copyleft", osi: true, fsf: true, obligations: STRONG },
+  { id: "OSL-3.0", name: "Open Software License 3.0", family: "OSL", category: "copyleft", osi: true, fsf: true, obligations: { ...STRONG, patentGrant: true } },
+  { id: "CECILL-2.1", name: "CeCILL Free Software License Agreement v2.1", family: "CeCILL", category: "copyleft", osi: true, fsf: true, obligations: STRONG },
+  { id: "CC-BY-SA-4.0", name: "Creative Commons Attribution Share Alike 4.0 International", family: "CC", category: "copyleft", obligations: { attribution: true, copyleft: true } },
+  // ── Network copyleft ──
+  { id: "AGPL-3.0-only", name: "GNU Affero General Public License v3.0 only", family: "AGPL", category: "network-copyleft", osi: true, fsf: true, obligations: { ...NETWORK, patentGrant: true } },
+  { id: "AGPL-3.0-or-later", name: "GNU Affero General Public License v3.0 or later", family: "AGPL", category: "network-copyleft", osi: true, fsf: true, obligations: { ...NETWORK, patentGrant: true } },
+  // ── Source-available / proprietary (non-OSI) ──
+  { id: "SSPL-1.0", name: "Server Side Public License 1.0", family: "SSPL", category: "network-copyleft", obligations: NETWORK },
+  { id: "BUSL-1.1", name: "Business Source License 1.1", family: "BUSL", category: "proprietary", obligations: { commercialRestriction: true, discloseSource: true } },
+  { id: "Elastic-2.0", name: "Elastic License 2.0", family: "Elastic", category: "proprietary", obligations: { commercialRestriction: true } },
+  { id: "RPL-1.5", name: "Reciprocal Public License 1.5", family: "RPL", category: "network-copyleft", osi: true, obligations: NETWORK },
+  { id: "Commons-Clause", name: "Commons Clause License Condition v1.0", family: "Commons-Clause", category: "proprietary", obligations: { commercialRestriction: true } },
+  { id: "LicenseRef-Proprietary", name: "Proprietary / Commercial", family: "Proprietary", category: "proprietary", obligations: { commercialRestriction: true } },
+  // ── Non-commercial Creative Commons (restrictive) ──
+  { id: "CC-BY-NC-4.0", name: "Creative Commons Attribution Non Commercial 4.0 International", family: "CC", category: "proprietary", obligations: { attribution: true, commercialRestriction: true } },
+  { id: "CC-BY-4.0", name: "Creative Commons Attribution 4.0 International", family: "CC", category: "permissive", obligations: ATTRIB }
+];
+var RECORDS = SEEDS.map(record);
+var BY_ID = /* @__PURE__ */ new Map();
+for (const rec of RECORDS) {
+  BY_ID.set(rec.spdxId.toLowerCase(), rec);
+}
+function getLicenseRecord(spdxId) {
+  return BY_ID.get(spdxId.trim().toLowerCase());
+}
+function unknownLicenseRecord(name = "Unknown") {
+  return {
+    spdxId: "NOASSERTION",
+    name,
+    family: "Unknown",
+    category: "unknown",
+    osiApproved: false,
+    fsfLibre: false,
+    deprecated: false,
+    referenceUrl: "",
+    riskLevel: "medium",
+    obligations: { ...NO_OBLIGATIONS }
+  };
+}
+function normalizeAliasKey(raw) {
+  return raw.trim().toLowerCase().replace(/^\(+|\)+$/g, "").replace(/[._]/g, "-").replace(/\s+/g, " ").replace(/\s*-\s*/g, "-").replace(/\bversion\b/g, "v").replace(/\blicen[sc]e\b/g, "").replace(/\s+/g, " ").trim();
+}
+var RAW_ALIASES = {
+  // MIT
+  "mit": "MIT",
+  "mit license": "MIT",
+  "the mit license": "MIT",
+  "expat": "MIT",
+  // ISC
+  "isc": "ISC",
+  // Apache
+  "apache": "Apache-2.0",
+  "apache 2": "Apache-2.0",
+  "apache2": "Apache-2.0",
+  "apache 2.0": "Apache-2.0",
+  "apache-2": "Apache-2.0",
+  "apache license 2.0": "Apache-2.0",
+  "apache license version 2.0": "Apache-2.0",
+  "asl 2.0": "Apache-2.0",
+  "al2": "Apache-2.0",
+  // BSD
+  "bsd": "BSD-3-Clause",
+  "bsd license": "BSD-3-Clause",
+  "bsd-2": "BSD-2-Clause",
+  "bsd 2-clause": "BSD-2-Clause",
+  "simplified bsd": "BSD-2-Clause",
+  "freebsd": "BSD-2-Clause",
+  "bsd-3": "BSD-3-Clause",
+  "bsd 3-clause": "BSD-3-Clause",
+  "new bsd": "BSD-3-Clause",
+  "modified bsd": "BSD-3-Clause",
+  "revised bsd": "BSD-3-Clause",
+  // GPL
+  "gpl": "GPL-3.0-or-later",
+  "gplv2": "GPL-2.0-only",
+  "gpl2": "GPL-2.0-only",
+  "gpl-2": "GPL-2.0-only",
+  "gpl 2.0": "GPL-2.0-only",
+  "gpl-2.0": "GPL-2.0-only",
+  "gpl-2.0+": "GPL-2.0-or-later",
+  "gnu gpl v2": "GPL-2.0-only",
+  "gplv3": "GPL-3.0-only",
+  "gpl3": "GPL-3.0-only",
+  "gpl-3": "GPL-3.0-only",
+  "gpl 3.0": "GPL-3.0-only",
+  "gpl-3.0": "GPL-3.0-only",
+  "gpl-3.0+": "GPL-3.0-or-later",
+  "gnu gpl v3": "GPL-3.0-only",
+  "gnu general public v3": "GPL-3.0-only",
+  // LGPL
+  "lgpl": "LGPL-3.0-or-later",
+  "lgplv2.1": "LGPL-2.1-only",
+  "lgpl-2.1": "LGPL-2.1-only",
+  "lgpl 2.1": "LGPL-2.1-only",
+  "lgplv3": "LGPL-3.0-only",
+  "lgpl-3": "LGPL-3.0-only",
+  "lgpl-3.0": "LGPL-3.0-only",
+  "lgpl 3.0": "LGPL-3.0-only",
+  // AGPL
+  "agpl": "AGPL-3.0-or-later",
+  "agplv3": "AGPL-3.0-only",
+  "agpl-3": "AGPL-3.0-only",
+  "agpl-3.0": "AGPL-3.0-only",
+  "agpl 3.0": "AGPL-3.0-only",
+  "gnu agpl v3": "AGPL-3.0-only",
+  // MPL
+  "mpl": "MPL-2.0",
+  "mpl 2.0": "MPL-2.0",
+  "mpl-2": "MPL-2.0",
+  "mozilla public 2.0": "MPL-2.0",
+  // EPL
+  "epl": "EPL-2.0",
+  "eclipse public 2.0": "EPL-2.0",
+  "epl-2": "EPL-2.0",
+  // Source-available / proprietary
+  "sspl": "SSPL-1.0",
+  "server side public": "SSPL-1.0",
+  "busl": "BUSL-1.1",
+  "business source": "BUSL-1.1",
+  "elastic": "Elastic-2.0",
+  "elastic-2": "Elastic-2.0",
+  "commons clause": "Commons-Clause",
+  "proprietary": "LicenseRef-Proprietary",
+  "commercial": "LicenseRef-Proprietary",
+  "see license in license": "LicenseRef-Proprietary",
+  "unlicensed": "LicenseRef-Proprietary",
+  "all rights reserved": "LicenseRef-Proprietary",
+  // Public domain
+  "cc0": "CC0-1.0",
+  "cc0 1.0": "CC0-1.0",
+  "public domain": "CC0-1.0",
+  "the unlicense": "Unlicense",
+  "wtfpl": "WTFPL",
+  // Boost / zlib / others
+  "boost": "BSL-1.0",
+  "bsl": "BSL-1.0",
+  "zlib/libpng": "Zlib",
+  "python": "Python-2.0",
+  "psf": "PSF-2.0",
+  "artistic": "Artistic-2.0"
+};
+var ALIASES = /* @__PURE__ */ new Map();
+for (const [raw, spdx] of Object.entries(RAW_ALIASES)) {
+  ALIASES.set(normalizeAliasKey(raw), spdx);
+}
+function resolveAlias(raw) {
+  return ALIASES.get(normalizeAliasKey(raw));
+}
+var TOKEN_RE = /\(|\)|\bWITH\b|\bAND\b|\bOR\b|[^\s()]+/gi;
+function parseLicenseExpression(raw) {
+  const input = (raw ?? "").trim();
+  const licenseIds = [];
+  const exceptions = [];
+  let hasOr = false;
+  let hasAnd = false;
+  let orLater = false;
+  let expectException = false;
+  const tokens = input.match(TOKEN_RE) ?? [];
+  for (const token of tokens) {
+    const upper = token.toUpperCase();
+    if (token === "(" || token === ")") continue;
+    if (upper === "OR") {
+      hasOr = true;
+      expectException = false;
+      continue;
+    }
+    if (upper === "AND") {
+      hasAnd = true;
+      expectException = false;
+      continue;
+    }
+    if (upper === "WITH") {
+      expectException = true;
+      continue;
+    }
+    if (expectException) {
+      if (!exceptions.includes(token)) exceptions.push(token);
+      expectException = false;
+      continue;
+    }
+    let id = token;
+    if (id.endsWith("+")) {
+      orLater = true;
+      id = id.slice(0, -1);
+    }
+    if (id && !licenseIds.includes(id)) licenseIds.push(id);
+  }
+  const operator = hasOr ? "OR" : hasAnd ? "AND" : "SINGLE";
+  return {
+    licenseIds,
+    exceptions,
+    operator,
+    orLater,
+    normalized: serialise(licenseIds, exceptions, operator, orLater, input)
+  };
+}
+function serialise(ids, exceptions, operator, orLater, original) {
+  if (ids.length === 0) return original.trim();
+  if (ids.length === 1) {
+    let out = ids[0];
+    if (orLater && !out.endsWith("+")) out += "+";
+    if (exceptions.length > 0) out += ` WITH ${exceptions.join(" WITH ")}`;
+    return out;
+  }
+  const joiner = operator === "AND" ? " AND " : " OR ";
+  return ids.join(joiner);
+}
+function isCompoundExpression(raw) {
+  return /\b(?:AND|OR|WITH)\b|\+\s*$|\(/i.test(raw);
+}
+var CATEGORY_RESTRICTIVENESS = {
+  "public-domain": 0,
+  permissive: 1,
+  "weak-copyleft": 2,
+  copyleft: 3,
+  "network-copyleft": 4,
+  proprietary: 5,
+  unknown: 2
+};
+function verdictFromRecord(rec, matchStatus, confidence, expression, components) {
+  return {
+    spdxId: rec.spdxId,
+    name: rec.name,
+    expression: expression ?? rec.spdxId,
+    family: rec.family,
+    category: rec.category,
+    riskLevel: rec.riskLevel,
+    osiApproved: rec.osiApproved,
+    fsfLibre: rec.fsfLibre,
+    obligations: rec.obligations,
+    matchStatus,
+    confidence,
+    components: components ?? [rec.spdxId]
+  };
+}
+function fuzzyMatch(raw) {
+  const s = raw.toLowerCase();
+  if (/\bagpl/.test(s)) return getLicenseRecord("AGPL-3.0-or-later");
+  if (/\bsspl/.test(s)) return getLicenseRecord("SSPL-1.0");
+  if (/\bbusl|business source/.test(s)) return getLicenseRecord("BUSL-1.1");
+  if (/\blgpl/.test(s)) return getLicenseRecord("LGPL-3.0-or-later");
+  if (/\bgpl/.test(s)) return getLicenseRecord("GPL-3.0-or-later");
+  if (/\bmpl|mozilla/.test(s)) return getLicenseRecord("MPL-2.0");
+  if (/\bepl|eclipse/.test(s)) return getLicenseRecord("EPL-2.0");
+  if (/\bapache/.test(s)) return getLicenseRecord("Apache-2.0");
+  if (/\bbsd/.test(s)) return getLicenseRecord("BSD-3-Clause");
+  if (/\bmit\b/.test(s)) return getLicenseRecord("MIT");
+  if (/\bisc\b/.test(s)) return getLicenseRecord("ISC");
+  if (/commons clause/.test(s)) return getLicenseRecord("Commons-Clause");
+  if (/proprietary|commercial|all rights reserved/.test(s)) return getLicenseRecord("LicenseRef-Proprietary");
+  if (/public domain|cc0/.test(s)) return getLicenseRecord("CC0-1.0");
+  return void 0;
+}
+function normalizeLicense(raw) {
+  const input = (raw ?? "").trim();
+  if (!input || /^(unknown|noassertion|none|n\/a)$/i.test(input)) {
+    return verdictFromRecord(unknownLicenseRecord(), "unknown", 0);
+  }
+  const exact = getLicenseRecord(input);
+  if (exact) return verdictFromRecord(exact, "exact", 1);
+  if (isCompoundExpression(input)) {
+    return resolveExpression(input);
+  }
+  const aliasId = resolveAlias(input);
+  if (aliasId) {
+    const rec = getLicenseRecord(aliasId);
+    if (rec) return verdictFromRecord(rec, "alias", 0.95);
+  }
+  const fuzzy = fuzzyMatch(input);
+  if (fuzzy) {
+    return { ...verdictFromRecord(fuzzy, "fuzzy", 0.6), name: input.slice(0, 120) };
+  }
+  return verdictFromRecord(unknownLicenseRecord(input.slice(0, 120)), "unknown", 0);
+}
+function resolveExpression(input) {
+  const parsed = parseLicenseExpression(input);
+  if (parsed.licenseIds.length === 0) {
+    return verdictFromRecord(unknownLicenseRecord(input.slice(0, 120)), "unknown", 0);
+  }
+  const componentVerdicts = parsed.licenseIds.map((id) => {
+    const exact = getLicenseRecord(id);
+    if (exact) return verdictFromRecord(exact, "exact", 1);
+    const aliasId = resolveAlias(id);
+    if (aliasId) {
+      const rec = getLicenseRecord(aliasId);
+      if (rec) return verdictFromRecord(rec, "alias", 0.95);
+    }
+    const fuzzy = fuzzyMatch(id);
+    if (fuzzy) return verdictFromRecord(fuzzy, "fuzzy", 0.6);
+    return verdictFromRecord(unknownLicenseRecord(id), "unknown", 0);
+  });
+  const pickMostRestrictive = parsed.operator !== "OR";
+  let chosen = componentVerdicts[0];
+  for (const v of componentVerdicts) {
+    const more = CATEGORY_RESTRICTIVENESS[v.category] > CATEGORY_RESTRICTIVENESS[chosen.category];
+    if (pickMostRestrictive ? more : !more) chosen = v;
+  }
+  const obligations = unionObligations(
+    pickMostRestrictive ? componentVerdicts : [chosen]
+  );
+  const components = componentVerdicts.map((v) => v.spdxId);
+  const category = chosen.category;
+  return {
+    spdxId: chosen.spdxId,
+    name: parsed.normalized,
+    expression: parsed.normalized,
+    family: chosen.family,
+    category,
+    riskLevel: riskForCategory(category),
+    osiApproved: componentVerdicts.every((v) => v.osiApproved),
+    fsfLibre: componentVerdicts.every((v) => v.fsfLibre),
+    obligations,
+    matchStatus: "expression",
+    confidence: Math.min(...componentVerdicts.map((v) => v.confidence)) || 0.5,
+    components
+  };
+}
+function unionObligations(verdicts) {
+  const out = {
+    attribution: false,
+    copyleft: false,
+    networkCopyleft: false,
+    discloseSource: false,
+    patentGrant: false,
+    commercialRestriction: false
+  };
+  for (const v of verdicts) {
+    out.attribution ||= v.obligations.attribution;
+    out.copyleft ||= v.obligations.copyleft;
+    out.networkCopyleft ||= v.obligations.networkCopyleft;
+    out.discloseSource ||= v.obligations.discloseSource;
+    out.patentGrant ||= v.obligations.patentGrant;
+    out.commercialRestriction ||= v.obligations.commercialRestriction;
+  }
+  return out;
+}
+function buildDependencyLicense(raw, source) {
+  const trimmed = (raw ?? "").trim();
+  if (!trimmed) {
+    return { raw: null, spdxId: null, source: "none", confidence: 0 };
+  }
+  const verdict = normalizeLicense(trimmed);
+  return {
+    raw: trimmed.slice(0, 200),
+    spdxId: verdict.matchStatus === "unknown" ? null : verdict.spdxId,
+    source,
+    confidence: verdict.confidence
+  };
+}
 var KNOWN_FRAMEWORKS = {
   // ── Frontend ──
   "react": "React",
@@ -3544,6 +4083,8 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
     } else {
       buckets.unknown++;
     }
+    const ageDays = ageDaysBetween(resolvedVersion, latestStable, meta.releaseDates);
+    const libyears = daysToLibyears(ageDays);
     dependencies.push({
       package: pkg2,
       section,
@@ -3551,7 +4092,10 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
       resolvedVersion,
       latestStable,
       majorsBehind,
-      drift
+      drift,
+      license: buildDependencyLicense(meta.license, "registry"),
+      ageDays,
+      libyears
     });
     if (pkg2 in KNOWN_FRAMEWORKS) {
       frameworks.push({
@@ -3573,7 +4117,8 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
         resolvedVersion: null,
         latestStable: null,
         majorsBehind: null,
-        drift: "unknown"
+        drift: "unknown",
+        license: { raw: null, spdxId: null, source: "none", confidence: 0 }
       });
       buckets.unknown++;
     }
@@ -3599,6 +4144,7 @@ async function scanOnePackageJson(packageJsonPath, rootDir, npmCache, cache) {
     frameworks,
     dependencies,
     dependencyAgeBuckets: buckets,
+    libyears: aggregateLibyears(dependencies.map((d) => d.libyears)) ?? void 0,
     fileCount
   };
 }
@@ -11139,6 +11685,19 @@ function detectDbBrand(raw) {
   if (value.includes("cosmosdb") || value.includes("@azure/cosmos") || value.includes("cosmos")) return { kind: "nosql", brand: "CosmosDB", version: null, evidence: raw };
   if (value.includes("dynamodb")) return { kind: "nosql", brand: "DynamoDB", version: null, evidence: raw };
   if (value.includes("neo4j")) return { kind: "nosql", brand: "Neo4j", version: null, evidence: raw };
+  if (value.includes("clickhouse")) return { kind: "sql", brand: "ClickHouse", version: null, evidence: raw };
+  if (value.includes("snowflake")) return { kind: "sql", brand: "Snowflake", version: null, evidence: raw };
+  if (value.includes("bigquery")) return { kind: "sql", brand: "BigQuery", version: null, evidence: raw };
+  if (value.includes("firestore")) return { kind: "nosql", brand: "Firestore", version: null, evidence: raw };
+  if (value.includes("cockroach")) return { kind: "sql", brand: "CockroachDB", version: null, evidence: raw };
+  if (value.includes("planetscale")) return { kind: "sql", brand: "PlanetScale", version: null, evidence: raw };
+  if (value.includes("supabase")) return { kind: "sql", brand: "Supabase", version: null, evidence: raw };
+  if (value.includes("tidb")) return { kind: "sql", brand: "TiDB", version: null, evidence: raw };
+  if (value.includes("couchdb")) return { kind: "nosql", brand: "CouchDB", version: null, evidence: raw };
+  if (value.includes("elasticsearch") || value.includes("opensearch")) return { kind: "nosql", brand: "Elasticsearch", version: null, evidence: raw };
+  if (value.includes("influxdb")) return { kind: "nosql", brand: "InfluxDB", version: null, evidence: raw };
+  if (value.includes("memcached")) return { kind: "nosql", brand: "Memcached", version: null, evidence: raw };
+  if (value.includes("cockroachdb")) return { kind: "sql", brand: "CockroachDB", version: null, evidence: raw };
   return null;
 }
 async function scanTextFiles(rootDir, fileCache) {
@@ -11215,12 +11774,12 @@ async function scanDataStores(rootDir, fileCache) {
     otherServices: []
   };
   for (const file of files) {
-    const connStrings = extract(file.content, /\b(?:postgres(?:ql)?:\/\/[^\s'"`]+|mysql:\/\/[^\s'"`]+|mongodb(?:\+srv)?:\/\/[^\s'"`]+|redis:\/\/[^\s'"`]+)\b/gi, file.relPath);
+    const connStrings = extract(file.content, /\b(?:postgres(?:ql)?:\/\/[^\s'"`]+|mysql:\/\/[^\s'"`]+|mongodb(?:\+srv)?:\/\/[^\s'"`]+|redis:\/\/[^\s'"`]+|clickhouse:\/\/[^\s'"`]+|cockroachdb:\/\/[^\s'"`]+|snowflake:\/\/[^\s'"`]+)\b/gi, file.relPath);
     result.connectionStrings.push(...connStrings);
     const isLockFile = LOCKFILE_NAMES.has(path27.basename(file.relPath));
     if (!isLockFile) {
       const dbEvidence = [
-        ...extract(file.content, /\b(?:postgres|postgresql|mysql|mariadb|mssql|sqlserver|oracle|sqlite|mongodb|redis|cassandra|cosmosdb|cosmos|dynamodb|neo4j)\b/gi, file.relPath),
+        ...extract(file.content, /\b(?:postgres|postgresql|mysql|mariadb|mssql|sqlserver|oracle|sqlite|mongodb|redis|cassandra|cosmosdb|cosmos|dynamodb|neo4j|clickhouse|snowflake|bigquery|firestore|cockroach|cockroachdb|planetscale|supabase|tidb|couchdb|elasticsearch|opensearch|influxdb|memcached)\b/gi, file.relPath),
         ...connStrings
       ];
       for (const evidence of dbEvidence) {
@@ -11506,7 +12065,9 @@ async function scanOssGovernance(rootDir, fileCache) {
       });
     }
     vulns.push(...extract(file.content, /\b(?:CVE-\d{4}-\d{4,}|critical vulnerability|high severity)\b[^\n]*/gi, file.relPath));
-    licenseRisks.push(...extract(file.content, /\b(?:GPL-3\.0|AGPL|SSPL|BUSL|source[- ]available)\b[^\n]*/gi, file.relPath));
+    if (/package(-lock)?\.json$|pnpm-lock\.yaml$|yarn\.lock$|poetry\.lock$|pom\.xml$|build\.gradle(\.kts)?$|Cargo\.(toml|lock)$|composer\.(json|lock)$|requirements\.txt$|\.csproj$|\.nuspec$/i.test(file.relPath)) {
+      licenseRisks.push(...extract(file.content, /\b(?:GPL-3\.0|AGPL|SSPL|BUSL|source[- ]available)\b[^\n]*/gi, file.relPath));
+    }
   }
   return {
     directDependencies: directDeps.size,
@@ -13227,19 +13788,19 @@ async function loadScanHistory(rootDir) {
     return null;
   }
 }
-async function saveScanHistory(rootDir, record) {
+async function saveScanHistory(rootDir, record2) {
   const dir = path32.join(rootDir, ".vibgrate");
   const filePath = path32.join(dir, HISTORY_FILENAME);
   let history;
   const existing = await loadScanHistory(rootDir);
   if (existing) {
     history = existing;
-    history.records.push(record);
+    history.records.push(record2);
     if (history.records.length > MAX_RECORDS) {
       history.records = history.records.slice(-MAX_RECORDS);
     }
   } else {
-    history = { version: 1, records: [record] };
+    history = { version: 1, records: [record2] };
   }
   try {
     await fs7.mkdir(dir, { recursive: true });

package/dist/cli.js

@@ -6,7 +6,7 @@ import {
   pathExists,
   readJsonFile,
   writeTextFile
-} from "./chunk-734OP6JR.js";
+} from "./chunk-7CIAP6ZD.js";
 import {
   computeRepoFingerprint,
   detectVcs,
@@ -16,7 +16,7 @@ import {
   resolveRepositoryName,
   runScan,
   writeDefaultConfig
-} from "./chunk-K2D6JXLA.js";
+} from "./chunk-7J3LXQEA.js";
 import {
   require_semver
 } from "./chunk-74ZJFYEM.js";
@@ -48,7 +48,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-MJNJICDN.js");
+    const { runBaseline } = await import("./baseline-IGEWCPFI.js");
     await runBaseline(rootDir);
   }
   console.log("");
@@ -74,10 +74,38 @@ import * as crypto from "crypto";
 import * as path2 from "path";
 import { Command as Command2 } from "commander";
 import chalk2 from "chalk";
-var REGION_HOSTS = {
-  us: "us.ingest.vibgrate.com",
-  eu: "eu.ingest.vibgrate.com"
-};
+
+// src/regions.ts
+var REGIONS = [
+  {
+    id: "us",
+    label: "United States",
+    ingestHost: "us.ingest.vibgrate.com",
+    dashHost: "dash.vibgrate.com",
+    available: true
+  },
+  {
+    id: "eu",
+    label: "European Union",
+    ingestHost: "eu.ingest.vibgrate.com",
+    dashHost: "dash.vibgrate.eu",
+    available: true
+  },
+  {
+    id: "apac",
+    label: "Asia-Pacific (coming soon)",
+    ingestHost: "apac.ingest.vibgrate.com",
+    dashHost: "dash.vibgrate.com",
+    available: false
+  }
+];
+var DEFAULT_REGION = "us";
+function availableRegionIds() {
+  return REGIONS.filter((r) => r.available).map((r) => r.id);
+}
+function findRegion(id) {
+  return REGIONS.find((r) => r.id === id);
+}
 function resolveIngestHost(region, ingest) {
   if (ingest) {
     try {
@@ -86,14 +114,23 @@ function resolveIngestHost(region, ingest) {
       throw new Error(`Invalid ingest URL: ${ingest}`);
     }
   }
-  const r = (region ?? "us").toLowerCase();
-  const host = REGION_HOSTS[r];
-  if (!host) {
-    throw new Error(`Unknown region "${r}". Supported: ${Object.keys(REGION_HOSTS).join(", ")}`);
+  const id = (region ?? DEFAULT_REGION).toLowerCase();
+  const match = findRegion(id);
+  if (!match) {
+    throw new Error(`Unknown region "${id}". Supported: ${availableRegionIds().join(", ")}`);
+  }
+  if (!match.available) {
+    throw new Error(`Region "${id}" (${match.label}) is not yet available. Supported: ${availableRegionIds().join(", ")}`);
   }
-  return host;
+  return match.ingestHost;
+}
+function dashHostForIngestHost(ingestHost) {
+  const match = REGIONS.find((r) => r.ingestHost === ingestHost);
+  return match?.dashHost ?? "dash.vibgrate.com";
 }
-async function provisionDsn(keyId, secret, workspaceId, ingestHost) {
+
+// src/commands/dsn.ts
+async function provisionDsn(keyId, secret, workspaceId, ingestHost, region) {
   const url = `https://${ingestHost}/v1/provision`;
   try {
     const response = await fetch(url, {
@@ -103,7 +140,10 @@ async function provisionDsn(keyId, secret, workspaceId, ingestHost) {
         "Connection": "close"
         // Prevent keep-alive delays on exit
       },
-      body: JSON.stringify({ keyId, secret, workspaceId })
+      // Pin the workspace to the selected region. The API rejects the request
+      // if `region` doesn't match the endpoint host (residency guard). For a
+      // custom --ingest host we omit it and let the API derive it from the host.
+      body: JSON.stringify(region ? { keyId, secret, workspaceId, region } : { keyId, secret, workspaceId })
     });
     if (!response.ok) {
       const result = await response.json();
@@ -115,7 +155,7 @@ async function provisionDsn(keyId, secret, workspaceId, ingestHost) {
   }
 }
 var dsnCommand = new Command2("dsn").description("Manage DSN tokens");
-dsnCommand.command("create").description("Create a new DSN token").option("--ingest <url>", "Ingest API URL (overrides --region)").option("--region <region>", "Data residency region (us, eu)", "us").requiredOption("--workspace <id>", 'Workspace ID (use "new" to auto-generate)').option("--write <path>", "Write DSN to file").action(async (opts) => {
+dsnCommand.command("create").description("Create a new DSN token").option("--ingest <url>", "Ingest API URL (overrides --region)").option("--region <region>", `Data residency region (${availableRegionIds().join(", ")})`, "us").requiredOption("--workspace <id>", 'Workspace ID (use "new" to auto-generate)').option("--write <path>", "Write DSN to file").action(async (opts) => {
   const keyId = crypto.randomBytes(12).toString("hex");
   const secret = crypto.randomBytes(32).toString("hex");
   let ingestHost;
@@ -131,8 +171,9 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
     workspaceId = crypto.randomBytes(8).toString("hex");
     console.log(chalk2.dim(`Provisioning new workspace ${workspaceId}...`));
   }
+  const region = opts.ingest ? void 0 : opts.region.toLowerCase();
   if (isNewWorkspace) {
-    const result = await provisionDsn(keyId, secret, workspaceId, ingestHost);
+    const result = await provisionDsn(keyId, secret, workspaceId, ingestHost, region);
     if (!result.success) {
       console.error(chalk2.red(`Failed to provision DSN: ${result.error}`));
       process.exit(1);
@@ -141,6 +182,9 @@ dsnCommand.command("create").description("Create a new DSN token").option("--ing
   const dsn = `vibgrate+https://${keyId}:${secret}@${ingestHost}/${workspaceId}`;
   console.log(chalk2.green("\u2714") + " DSN created");
   console.log("");
+  console.log(chalk2.bold("Region:"));
+  console.log(`  ${region ?? "custom"} (${ingestHost})`);
+  console.log("");
   console.log(chalk2.bold("DSN:"));
   console.log(`  ${dsn}`);
   console.log("");
@@ -1379,7 +1423,7 @@ function parseDsn2(dsn) {
 function computeHmac(body, secret) {
   return crypto2.createHmac("sha256", secret).update(body).digest("base64");
 }
-var pushCommand = new Command5("push").description("Push scan results to Vibgrate API").option("--dsn <dsn>", "DSN token (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region (us, eu)").option("--file <file>", "Scan artifact file", ".vibgrate/scan_result.json").option("--strict", "Fail on upload errors").action(async (opts) => {
+var pushCommand = new Command5("push").description("Push scan results to Vibgrate API").option("--dsn <dsn>", "DSN token (or use VIBGRATE_DSN env)").option("--region <region>", `Override data residency region (${availableRegionIds().join(", ")})`).option("--file <file>", "Scan artifact file", ".vibgrate/scan_result.json").option("--strict", "Fail on upload errors").action(async (opts) => {
   const dsn = opts.dsn || process.env.VIBGRATE_DSN;
   if (!dsn) {
     console.error(chalk6.red("No DSN provided."));
@@ -1442,7 +1486,7 @@ var pushCommand = new Command5("push").description("Push scan results to Vibgrat
     console.log(chalk6.dim("Processing continues in the background. Results available shortly."));
     console.log();
     if (result.ingestId) {
-      const dashHost = host.includes("eu.") ? "dash.vibgrate.eu" : "dash.vibgrate.com";
+      const dashHost = dashHostForIngestHost(host);
       const reportUrl = `https://${dashHost}/${parsed.workspaceId}/scan/${result.ingestId}`;
       console.log(chalk6.dim("View report: ") + chalk6.underline(reportUrl));
     }

package/dist/index.js

@@ -5,7 +5,7 @@ import {
   formatText,
   generateFindings,
   runScan
-} from "./chunk-K2D6JXLA.js";
+} from "./chunk-7J3LXQEA.js";
 import "./chunk-74ZJFYEM.js";
 import "./chunk-HAT4W7NZ.js";
 import "./chunk-JSBRDJBE.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "2026.606.2",
+  "version": "2026.609.1",
   "description": "CLI for measuring upgrade drift across Node, .NET, Python & Java projects",
   "type": "module",
   "bin": {