@vibgrate/cli 2026.610.1 → 2026.610.2

package/DOCS.md

@@ -162,7 +162,7 @@ Creates:
 The primary command. Scans your project for upgrade drift.
 
 ```bash
-vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy] [--baseline <file>] [--drift-budget <score>] [--drift-worsening <percent>] [--changed-only] [--concurrency <n>]
+vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy] [--baseline <file>] [--drift-budget <score>] [--drift-worsening <percent>] [--changed-only] [--exclude <glob>...] [--concurrency <n>]
 ```
 
 | Flag | Default | Description |
@@ -172,6 +172,7 @@ vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on war
 | `--fail-on <level>` | — | Exit with code 2 if findings at this level exist |
 | `--baseline <file>` | — | Compare against a previous baseline |
 | `--changed-only` | — | Only scan changed files |
+| `-e, --exclude <glob>` | — | Exclude paths matching a glob pattern. Repeatable, and a single value may list several patterns separated by commas or semicolons. Merged with `exclude` from the config file |
 | `--concurrency <n>` | `8` | Max concurrent npm registry calls |
 | `--drift-budget <score>` | — | Fitness gate: fail if drift score is above this budget |
 | `--drift-worsening <percent>` | — | Fitness gate: fail if drift worsens by more than % vs baseline |
@@ -189,6 +190,32 @@ By default, the scan writes `.vibgrate/scan_result.json`. Use `--no-local-artifa
 
 For offline drift scoring, pass `--package-manifest <file>` with a downloaded manifest bundle such as `https://github.com/vibgrate/manifests/latest-packages.zip`.
 
+#### Excluding paths from a scan
+
+Use `--exclude` (alias `-e`) to skip directories or files from the scan. Values are [glob patterns](#exclude-glob-syntax) matched against repository-relative, forward-slash paths. The flag is **repeatable**, and a single value may carry **several patterns separated by commas or semicolons** — use whichever reads best:
+
+```bash
+# Repeat the flag
+vibgrate scan . --exclude "legacy/**" --exclude "vendor/**"
+
+# Or list multiple patterns in one flag (comma- or semicolon-separated)
+vibgrate scan . --exclude "legacy/**,vendor/**;**/fixtures/**"
+```
+
+CLI excludes are **additive**: they are merged (and de-duplicated) with any `exclude` patterns from your [config file](#configuration), so command-line excludes never replace your committed defaults.
+
+<a id="exclude-glob-syntax"></a>
+Supported glob syntax:
+
+| Pattern | Matches |
+|---------|---------|
+| `*` | Any run of characters within a single path segment (no `/`) |
+| `**` | Any number of path segments, including `/` (recursive) |
+| `?` | Exactly one non-separator character |
+| `{a,b}` | Alternation — either `a` or `b` |
+| `[abc]` | A single character from the set |
+| `legacy` | A bare name is treated as a directory prefix — equivalent to `legacy/**` |
+
 Examples:
 
 ```bash
@@ -198,6 +225,9 @@ vibgrate scan .
 # JSON output for automation
 vibgrate scan . --format json --out scan.json
 
+# Skip vendored and generated code
+vibgrate scan . --exclude "vendor/**,**/*.generated.ts;dist/**"
+
 # CI gate with baseline regression protection
 vibgrate scan . --baseline .vibgrate/baseline.json --drift-budget 40 --drift-worsening 5 --fail-on error
 
@@ -433,6 +463,18 @@ export default config;
 
 Also supports `vibgrate.config.js` and `vibgrate.config.json`.
 
+### Exclude patterns
+
+`exclude` accepts an array of glob patterns describing paths the scan should skip (relative to the repository root, forward-slash separated). See [exclude glob syntax](#exclude-glob-syntax) for the supported patterns.
+
+```typescript
+const config: VibgrateConfig = {
+  exclude: ["legacy/**", "vendor/**", "**/*.generated.ts"],
+};
+```
+
+The same patterns can be supplied per-run on the command line with [`--exclude`](#excluding-paths-from-a-scan). CLI excludes are merged with (not a replacement for) the config `exclude` list, so committed defaults always apply and ad-hoc excludes are additive.
+
 ### Thresholds
 
 Control when findings are raised and when the CLI should fail.

package/README.md

@@ -193,7 +193,7 @@ When offline mode runs without a package manifest, package freshness is marked a
 ## Core commands
 
 ```bash
-vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy]
+vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--exclude <glob>...] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy]
 vibgrate baseline [path]
 vibgrate report [--in <artifact.json>] [--format md|text|json]
 vibgrate push [--dsn <dsn>] [--file <artifact.json>] [--strict]
@@ -225,7 +225,19 @@ Expected result:
 - Exit code `2` when the configured gate is exceeded
 
 ```bash
-# 3) Offline scan using local package-version bundle
+# 3) Scan while excluding vendored / generated paths
+#    --exclude is repeatable and accepts comma/semicolon-separated globs;
+#    patterns are merged with `exclude` from vibgrate.config.*
+npx @vibgrate/cli scan . --exclude "legacy/**,vendor/**" --exclude "**/*.generated.ts"
+```
+
+Expected result:
+
+- Matching directories and files are skipped before scanning
+- Excludes from the config file still apply (CLI patterns are additive)
+
+```bash
+# 4) Offline scan using local package-version bundle
 npx @vibgrate/cli scan . --offline --package-manifest ./latest-packages.zip --format json --out scan.json
 ```
 
@@ -236,7 +248,7 @@ Expected result:
 - Package freshness may be marked unknown if manifest lacks entries
 
 ```bash
-# 4) Export SBOM and compare two runs
+# 5) Export SBOM and compare two runs
 npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
 npx @vibgrate/cli sbom delta --from .vibgrate/baseline.json --to .vibgrate/scan_result.json --out sbom-delta.txt
 ```

package/dist/{baseline-Q3S7D7RQ.js → baseline-FYQ2HRTZ.js}

@@ -1,10 +1,10 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-HQCB2BTS.js";
-import "./chunk-X2MPRPZ6.js";
+} from "./chunk-GH53OHBI.js";
+import "./chunk-5HKSJI57.js";
 import "./chunk-74ZJFYEM.js";
-import "./chunk-RAQ76CZO.js";
+import "./chunk-W6LGNQSJ.js";
 import "./chunk-JSBRDJBE.js";
 export {
   baselineCommand,

package/dist/{chunk-X2MPRPZ6.js → chunk-5HKSJI57.js}

@@ -14,7 +14,7 @@ import {
   readTextFile,
   writeJsonFile,
   writeTextFile
-} from "./chunk-RAQ76CZO.js";
+} from "./chunk-W6LGNQSJ.js";
 import {
   __commonJS,
   __toESM
@@ -4938,7 +4938,7 @@ async function scanPythonProjects(rootDir, pypiCache, cache, projectScanTimeout)
   return results;
 }
 async function findPythonManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => PYTHON_MANIFEST_FILES.has(name) || /^requirements.*\.txt$/.test(name));
 }
 async function scanOnePythonProject(dir, manifestFiles, rootDir, pypiCache, cache) {
@@ -5335,7 +5335,7 @@ async function scanJavaProjects(rootDir, mavenCache, cache, projectScanTimeout)
   return results;
 }
 async function findJavaManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => JAVA_MANIFEST_FILES.has(name));
 }
 async function scanOneJavaProject(dir, manifestFiles, rootDir, mavenCache, cache) {
@@ -5700,7 +5700,7 @@ async function scanRubyProjects(rootDir, rubygemsCache, cache, projectScanTimeou
   return results;
 }
 async function findRubyManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => RUBY_MANIFEST_FILES.has(name) || isGemspec(name));
 }
 async function scanOneRubyProject(dir, manifestFiles, rootDir, rubygemsCache, cache) {
@@ -5924,7 +5924,7 @@ async function scanSwiftProjects(rootDir, swiftCache, cache, projectScanTimeout)
   return results;
 }
 async function findSwiftManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => SWIFT_MANIFEST_FILES.has(name));
 }
 async function scanOneSwiftProject(dir, manifestFile, rootDir, swiftCache, cache) {
@@ -6161,7 +6161,7 @@ async function scanGoProjects(rootDir, goCache, cache, projectScanTimeout) {
   return results;
 }
 async function findGoManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => GO_MANIFEST_FILES.has(name));
 }
 async function scanOneGoProject(dir, manifestFile, rootDir, goCache, cache) {
@@ -6395,7 +6395,7 @@ async function scanRustProjects(rootDir, cargoCache, cache, projectScanTimeout)
   return results;
 }
 async function findRustManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => RUST_MANIFEST_FILES.has(name));
 }
 async function scanOneRustProject(dir, manifestFile, rootDir, cargoCache, cache) {
@@ -6619,7 +6619,7 @@ async function scanPhpProjects(rootDir, composerCache, cache, projectScanTimeout
   return results;
 }
 async function findPhpManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => PHP_MANIFEST_FILES.has(name));
 }
 async function scanOnePhpProject(dir, manifestFile, rootDir, composerCache, cache) {
@@ -6884,7 +6884,7 @@ async function scanDartProjects(rootDir, pubCache, cache, projectScanTimeout) {
   return results;
 }
 async function findDartManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-IJIQMW3G-NJTQJLB6.js");
   return findFiles2(rootDir, (name) => DART_MANIFEST_FILES.has(name));
 }
 async function scanOneDartProject(dir, manifestFile, rootDir, pubCache, cache) {
@@ -13980,7 +13980,7 @@ async function runScan(rootDir, opts) {
   const composerCache = new ComposerCache(sem, packageManifest, offlineMode);
   const pubCache = new PubCache(sem, packageManifest, offlineMode);
   const fileCache = new FileCache();
-  const excludePatterns = config.exclude ?? [];
+  const excludePatterns = [.../* @__PURE__ */ new Set([...config.exclude ?? [], ...opts.exclude ?? []])];
   fileCache.setExcludePatterns(excludePatterns);
   const projectScanTimeoutMs = (opts.projectScanTimeout ?? config.projectScanTimeout ?? 180) * 1e3;
   fileCache.setMaxFileSize(config.maxFileSizeToScan ?? 5242880);

package/dist/{chunk-HQCB2BTS.js → chunk-GH53OHBI.js}

@@ -1,6 +1,6 @@
 import {
   runScan
-} from "./chunk-X2MPRPZ6.js";
+} from "./chunk-5HKSJI57.js";
 
 // src/commands/baseline.ts
 import * as path3 from "path";

package/dist/{chunk-RAQ76CZO.js → chunk-W6LGNQSJ.js}

@@ -1,4 +1,4 @@
-// ../vibgrate-core/dist/chunk-6F5NUOIM.js
+// ../vibgrate-core/dist/chunk-IDJRKJOC.js
 import { execFile } from "child_process";
 import * as fs from "fs/promises";
 import * as os from "os";
@@ -32,6 +32,18 @@ var Semaphore = class {
     else this.available++;
   }
 };
+function parseExcludePatterns(input) {
+  if (input === void 0) return [];
+  const raw = Array.isArray(input) ? input : [input];
+  const out = [];
+  for (const entry of raw) {
+    for (const part of entry.split(/[,;]/)) {
+      const trimmed = part.trim();
+      if (trimmed) out.push(trimmed);
+    }
+  }
+  return [...new Set(out)];
+}
 function compileGlobs(patterns) {
   if (patterns.length === 0) return null;
   const matchers = patterns.map((p) => compileOne(normalise(p)));
@@ -774,6 +786,7 @@ async function writeTextFile(filePath, content) {
 
 export {
   Semaphore,
+  parseExcludePatterns,
   FileCache,
   quickTreeCount,
   normalizeGlobForRipgrep,

package/dist/cli.js

@@ -6,7 +6,7 @@ import {
   pathExists,
   readJsonFile,
   writeTextFile
-} from "./chunk-HQCB2BTS.js";
+} from "./chunk-GH53OHBI.js";
 import {
   computeRepoFingerprint,
   detectVcs,
@@ -16,13 +16,14 @@ import {
   resolveRepositoryName,
   runScan,
   writeDefaultConfig
-} from "./chunk-X2MPRPZ6.js";
+} from "./chunk-5HKSJI57.js";
 import {
   require_semver
 } from "./chunk-74ZJFYEM.js";
 import {
+  parseExcludePatterns,
   pathExists as pathExists2
-} from "./chunk-RAQ76CZO.js";
+} from "./chunk-W6LGNQSJ.js";
 import {
   __toESM
 } from "./chunk-JSBRDJBE.js";
@@ -48,7 +49,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-Q3S7D7RQ.js");
+    const { runBaseline } = await import("./baseline-FYQ2HRTZ.js");
     await runBaseline(rootDir);
   }
   console.log("");
@@ -302,6 +303,9 @@ async function autoPush(artifact, rootDir, opts) {
     if (opts.strict) process.exit(1);
   }
 }
+function collectExcludes(value, previous) {
+  return [...previous, ...parseExcludePatterns(value)];
+}
 function parseNonNegativeNumber(value, label) {
   if (value === void 0) return void 0;
   const parsed = Number(value);
@@ -310,7 +314,12 @@ function parseNonNegativeNumber(value, label) {
   }
   return parsed;
 }
-var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif|md)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--project-scan-timeout <seconds>", "Per-project scan timeout in seconds (default: 180)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
+var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif|md)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option(
+  "-e, --exclude <glob>",
+  'Exclude paths matching a glob pattern. Repeatable, and a single value may list several patterns separated by commas or semicolons (e.g. --exclude "legacy/**,vendor/**"). Merged with excludes from the config file.',
+  collectExcludes,
+  []
+).option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--project-scan-timeout <seconds>", "Per-project scan timeout in seconds (default: 180)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
   const rootDir = path3.resolve(targetPath);
   if (!await pathExists2(rootDir)) {
     console.error(chalk3.red(`Path does not exist: ${rootDir}`));
@@ -374,6 +383,7 @@ var scanCommand = new Command3("scan").description("Scan a project for upgrade d
     failOn: opts.failOn,
     baseline: opts.baseline,
     changedOnly: opts.changedOnly,
+    exclude: opts.exclude,
     concurrency: parseInt(opts.concurrency, 10) || 8,
     push: opts.push,
     dsn: opts.dsn,

package/dist/{fs-CMSVYM7J-QRLLRZ2J.js → fs-IJIQMW3G-NJTQJLB6.js}

@@ -14,7 +14,7 @@ import {
   readTextFile,
   writeJsonFile,
   writeTextFile
-} from "./chunk-RAQ76CZO.js";
+} from "./chunk-W6LGNQSJ.js";
 import "./chunk-JSBRDJBE.js";
 export {
   FileCache,

package/dist/index.js

@@ -5,9 +5,9 @@ import {
   formatText,
   generateFindings,
   runScan
-} from "./chunk-X2MPRPZ6.js";
+} from "./chunk-5HKSJI57.js";
 import "./chunk-74ZJFYEM.js";
-import "./chunk-RAQ76CZO.js";
+import "./chunk-W6LGNQSJ.js";
 import "./chunk-JSBRDJBE.js";
 export {
   computeDriftScore,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibgrate/cli",
-  "version": "2026.610.1",
+  "version": "2026.610.2",
   "description": "CLI for measuring upgrade drift across Node, .NET, Python & Java projects",
   "type": "module",
   "bin": {