@vibgrate/cli 2026.610.1 → 2026.611.1

package/DOCS.md

@@ -162,7 +162,7 @@ Creates:
 The primary command. Scans your project for upgrade drift.
 
 ```bash
-vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy] [--baseline <file>] [--drift-budget <score>] [--drift-worsening <percent>] [--changed-only] [--concurrency <n>]
+vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy] [--baseline <file>] [--drift-budget <score>] [--drift-worsening <percent>] [--changed-only] [--exclude <glob>...] [--concurrency <n>]
 ```
 
 | Flag | Default | Description |
@@ -172,6 +172,7 @@ vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on war
 | `--fail-on <level>` | — | Exit with code 2 if findings at this level exist |
 | `--baseline <file>` | — | Compare against a previous baseline |
 | `--changed-only` | — | Only scan changed files |
+| `-e, --exclude <glob>` | — | Exclude paths matching a glob pattern. Repeatable, and a single value may list several patterns separated by commas or semicolons. Merged with `exclude` from the config file |
 | `--concurrency <n>` | `8` | Max concurrent npm registry calls |
 | `--drift-budget <score>` | — | Fitness gate: fail if drift score is above this budget |
 | `--drift-worsening <percent>` | — | Fitness gate: fail if drift worsens by more than % vs baseline |
@@ -189,6 +190,32 @@ By default, the scan writes `.vibgrate/scan_result.json`. Use `--no-local-artifa
 
 For offline drift scoring, pass `--package-manifest <file>` with a downloaded manifest bundle such as `https://github.com/vibgrate/manifests/latest-packages.zip`.
 
+#### Excluding paths from a scan
+
+Use `--exclude` (alias `-e`) to skip directories or files from the scan. Values are [glob patterns](#exclude-glob-syntax) matched against repository-relative, forward-slash paths. The flag is **repeatable**, and a single value may carry **several patterns separated by commas or semicolons** — use whichever reads best:
+
+```bash
+# Repeat the flag
+vibgrate scan . --exclude "legacy/**" --exclude "vendor/**"
+
+# Or list multiple patterns in one flag (comma- or semicolon-separated)
+vibgrate scan . --exclude "legacy/**,vendor/**;**/fixtures/**"
+```
+
+CLI excludes are **additive**: they are merged (and de-duplicated) with any `exclude` patterns from your [config file](#configuration), so command-line excludes never replace your committed defaults.
+
+<a id="exclude-glob-syntax"></a>
+Supported glob syntax:
+
+| Pattern | Matches |
+|---------|---------|
+| `*` | Any run of characters within a single path segment (no `/`) |
+| `**` | Any number of path segments, including `/` (recursive) |
+| `?` | Exactly one non-separator character |
+| `{a,b}` | Alternation — either `a` or `b` |
+| `[abc]` | A single character from the set |
+| `legacy` | A bare name is treated as a directory prefix — equivalent to `legacy/**` |
+
 Examples:
 
 ```bash
@@ -198,6 +225,9 @@ vibgrate scan .
 # JSON output for automation
 vibgrate scan . --format json --out scan.json
 
+# Skip vendored and generated code
+vibgrate scan . --exclude "vendor/**,**/*.generated.ts;dist/**"
+
 # CI gate with baseline regression protection
 vibgrate scan . --baseline .vibgrate/baseline.json --drift-budget 40 --drift-worsening 5 --fail-on error
 
@@ -433,6 +463,18 @@ export default config;
 
 Also supports `vibgrate.config.js` and `vibgrate.config.json`.
 
+### Exclude patterns
+
+`exclude` accepts an array of glob patterns describing paths the scan should skip (relative to the repository root, forward-slash separated). See [exclude glob syntax](#exclude-glob-syntax) for the supported patterns.
+
+```typescript
+const config: VibgrateConfig = {
+  exclude: ["legacy/**", "vendor/**", "**/*.generated.ts"],
+};
+```
+
+The same patterns can be supplied per-run on the command line with [`--exclude`](#excluding-paths-from-a-scan). CLI excludes are merged with (not a replacement for) the config `exclude` list, so committed defaults always apply and ad-hoc excludes are additive.
+
 ### Thresholds
 
 Control when findings are raised and when the CLI should fail.

package/README.md

@@ -193,7 +193,7 @@ When offline mode runs without a package manifest, package freshness is marked a
 ## Core commands
 
 ```bash
-vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy]
+vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on warn|error] [--exclude <glob>...] [--offline] [--package-manifest <file>] [--no-local-artifacts] [--max-privacy]
 vibgrate baseline [path]
 vibgrate report [--in <artifact.json>] [--format md|text|json]
 vibgrate push [--dsn <dsn>] [--file <artifact.json>] [--strict]
@@ -225,7 +225,19 @@ Expected result:
 - Exit code `2` when the configured gate is exceeded
 
 ```bash
-# 3) Offline scan using local package-version bundle
+# 3) Scan while excluding vendored / generated paths
+#    --exclude is repeatable and accepts comma/semicolon-separated globs;
+#    patterns are merged with `exclude` from vibgrate.config.*
+npx @vibgrate/cli scan . --exclude "legacy/**,vendor/**" --exclude "**/*.generated.ts"
+```
+
+Expected result:
+
+- Matching directories and files are skipped before scanning
+- Excludes from the config file still apply (CLI patterns are additive)
+
+```bash
+# 4) Offline scan using local package-version bundle
 npx @vibgrate/cli scan . --offline --package-manifest ./latest-packages.zip --format json --out scan.json
 ```
 
@@ -236,7 +248,7 @@ Expected result:
 - Package freshness may be marked unknown if manifest lacks entries
 
 ```bash
-# 4) Export SBOM and compare two runs
+# 5) Export SBOM and compare two runs
 npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
 npx @vibgrate/cli sbom delta --from .vibgrate/baseline.json --to .vibgrate/scan_result.json --out sbom-delta.txt
 ```

package/dist/{baseline-Q3S7D7RQ.js → baseline-QRGGTCJD.js}

@@ -1,10 +1,10 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-HQCB2BTS.js";
-import "./chunk-X2MPRPZ6.js";
+} from "./chunk-4CDBCG4I.js";
+import "./chunk-EIZZ6VC3.js";
 import "./chunk-74ZJFYEM.js";
-import "./chunk-RAQ76CZO.js";
+import "./chunk-C7LU6YIL.js";
 import "./chunk-JSBRDJBE.js";
 export {
   baselineCommand,

package/dist/{chunk-HQCB2BTS.js → chunk-4CDBCG4I.js}

@@ -1,6 +1,6 @@
 import {
   runScan
-} from "./chunk-X2MPRPZ6.js";
+} from "./chunk-EIZZ6VC3.js";
 
 // src/commands/baseline.ts
 import * as path3 from "path";
@@ -48,9 +48,12 @@ import * as path from "path";
 
 // src/utils/fs.ts
 var execFileAsync = promisify(execFile);
+function stripBom(text) {
+  return text.charCodeAt(0) === 65279 ? text.slice(1) : text;
+}
 async function readJsonFile(filePath) {
   const txt = await fs.readFile(filePath, "utf8");
-  return JSON.parse(txt);
+  return JSON.parse(stripBom(txt));
 }
 async function pathExists(p) {
   try {

package/dist/{chunk-RAQ76CZO.js → chunk-C7LU6YIL.js}

@@ -1,4 +1,4 @@
-// ../vibgrate-core/dist/chunk-6F5NUOIM.js
+// ../vibgrate-core/dist/chunk-R3UFC4G6.js
 import { execFile } from "child_process";
 import * as fs from "fs/promises";
 import * as os from "os";
@@ -32,6 +32,18 @@ var Semaphore = class {
     else this.available++;
   }
 };
+function parseExcludePatterns(input) {
+  if (input === void 0) return [];
+  const raw = Array.isArray(input) ? input : [input];
+  const out = [];
+  for (const entry of raw) {
+    for (const part of entry.split(/[,;]/)) {
+      const trimmed = part.trim();
+      if (trimmed) out.push(trimmed);
+    }
+  }
+  return [...new Set(out)];
+}
 function compileGlobs(patterns) {
   if (patterns.length === 0) return null;
   const matchers = patterns.map((p) => compileOne(normalise(p)));
@@ -112,6 +124,10 @@ function escapeRegex(s) {
 var execFileAsync = promisify(execFile);
 var SKIP_DIRS = /* @__PURE__ */ new Set([
   "node_modules",
+  // Vendored third-party dependency trees (Go vendor/, PHP composer,
+  // Rails vendor/) — their manifests are not the repo's own projects and
+  // their runtimes/dependencies must not produce drift findings.
+  "vendor",
   ".git",
   ".vibgrate",
   ".wrangler",
@@ -550,7 +566,7 @@ var FileCache = class _FileCache {
     if (cached) return cached;
     const promise = this.readTextFile(abs).then((txt) => {
       this.textCache.delete(abs);
-      return JSON.parse(txt);
+      return JSON.parse(stripBom(txt));
     });
     this.jsonCache.set(abs, promise);
     return promise;
@@ -745,9 +761,12 @@ async function findSolutionFiles(rootDir) {
 async function findCsprojFiles(rootDir) {
   return findFiles(rootDir, (name) => name.endsWith(".csproj"));
 }
+function stripBom(text) {
+  return text.charCodeAt(0) === 65279 ? text.slice(1) : text;
+}
 async function readJsonFile(filePath) {
   const txt = await fs.readFile(filePath, "utf8");
-  return JSON.parse(txt);
+  return JSON.parse(stripBom(txt));
 }
 async function readTextFile(filePath) {
   return fs.readFile(filePath, "utf8");
@@ -774,6 +793,7 @@ async function writeTextFile(filePath, content) {
 
 export {
   Semaphore,
+  parseExcludePatterns,
   FileCache,
   quickTreeCount,
   normalizeGlobForRipgrep,
@@ -783,6 +803,7 @@ export {
   findPackageJsonFiles,
   findSolutionFiles,
   findCsprojFiles,
+  stripBom,
   readJsonFile,
   readTextFile,
   pathExists,

package/dist/{chunk-X2MPRPZ6.js → chunk-EIZZ6VC3.js}

@@ -14,7 +14,7 @@ import {
   readTextFile,
   writeJsonFile,
   writeTextFile
-} from "./chunk-RAQ76CZO.js";
+} from "./chunk-C7LU6YIL.js";
 import {
   __commonJS,
   __toESM
@@ -1802,6 +1802,8 @@ import * as path31 from "path";
 import * as path33 from "path";
 import chalk3 from "chalk";
 import chalk2 from "chalk";
+import { writeFileSync, mkdirSync } from "fs";
+import { dirname as dirname182, basename as basename192 } from "path";
 import * as fs7 from "fs/promises";
 import * as path32 from "path";
 var CONFIG_FILES = [
@@ -4938,7 +4940,7 @@ async function scanPythonProjects(rootDir, pypiCache, cache, projectScanTimeout)
   return results;
 }
 async function findPythonManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => PYTHON_MANIFEST_FILES.has(name) || /^requirements.*\.txt$/.test(name));
 }
 async function scanOnePythonProject(dir, manifestFiles, rootDir, pypiCache, cache) {
@@ -5335,7 +5337,7 @@ async function scanJavaProjects(rootDir, mavenCache, cache, projectScanTimeout)
   return results;
 }
 async function findJavaManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => JAVA_MANIFEST_FILES.has(name));
 }
 async function scanOneJavaProject(dir, manifestFiles, rootDir, mavenCache, cache) {
@@ -5700,7 +5702,7 @@ async function scanRubyProjects(rootDir, rubygemsCache, cache, projectScanTimeou
   return results;
 }
 async function findRubyManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => RUBY_MANIFEST_FILES.has(name) || isGemspec(name));
 }
 async function scanOneRubyProject(dir, manifestFiles, rootDir, rubygemsCache, cache) {
@@ -5924,7 +5926,7 @@ async function scanSwiftProjects(rootDir, swiftCache, cache, projectScanTimeout)
   return results;
 }
 async function findSwiftManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => SWIFT_MANIFEST_FILES.has(name));
 }
 async function scanOneSwiftProject(dir, manifestFile, rootDir, swiftCache, cache) {
@@ -6161,7 +6163,7 @@ async function scanGoProjects(rootDir, goCache, cache, projectScanTimeout) {
   return results;
 }
 async function findGoManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => GO_MANIFEST_FILES.has(name));
 }
 async function scanOneGoProject(dir, manifestFile, rootDir, goCache, cache) {
@@ -6395,7 +6397,7 @@ async function scanRustProjects(rootDir, cargoCache, cache, projectScanTimeout)
   return results;
 }
 async function findRustManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => RUST_MANIFEST_FILES.has(name));
 }
 async function scanOneRustProject(dir, manifestFile, rootDir, cargoCache, cache) {
@@ -6619,7 +6621,7 @@ async function scanPhpProjects(rootDir, composerCache, cache, projectScanTimeout
   return results;
 }
 async function findPhpManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => PHP_MANIFEST_FILES.has(name));
 }
 async function scanOnePhpProject(dir, manifestFile, rootDir, composerCache, cache) {
@@ -6795,7 +6797,7 @@ function parsePubspecYaml(content) {
   for (const line of content.split(/\r?\n/)) {
     const trimmed = line.trim();
     if (trimmed.startsWith("sdk:")) {
-      const match = trimmed.match(/sdk:\s*['"]?>=?([^<'"]+)/);
+      const match = trimmed.match(/sdk:\s*['"]?>?=?\s*(\d[^<'"]*)/);
       if (match) dartVersion = match[1].trim();
       continue;
     }
@@ -6805,7 +6807,7 @@ function parsePubspecYaml(content) {
     } else if (trimmed === "dev_dependencies:") {
       currentSection = "dev_dependencies";
       continue;
-    } else if (/^\w+:/.test(trimmed) && !trimmed.startsWith(" ")) {
+    } else if (/^\w+:/.test(line)) {
       currentSection = null;
       continue;
     }
@@ -6833,7 +6835,7 @@ async function parsePubspecLock(filePath, cache) {
     let currentPackage = null;
     for (const line of content.split(/\r?\n/)) {
       const trimmed = line.trim();
-      const pkgMatch = trimmed.match(/^(\w+):$/);
+      const pkgMatch = line.match(/^ {2}(\w+):$/);
       if (pkgMatch) {
         currentPackage = pkgMatch[1];
         continue;
@@ -6884,7 +6886,7 @@ async function scanDartProjects(rootDir, pubCache, cache, projectScanTimeout) {
   return results;
 }
 async function findDartManifests(rootDir) {
-  const { findFiles: findFiles2 } = await import("./fs-CMSVYM7J-QRLLRZ2J.js");
+  const { findFiles: findFiles2 } = await import("./fs-PXXYZATK-EW5LCUA7.js");
   return findFiles2(rootDir, (name) => DART_MANIFEST_FILES.has(name));
 }
 async function scanOneDartProject(dir, manifestFile, rootDir, pubCache, cache) {
@@ -7254,6 +7256,7 @@ async function scanElixirProjects(rootDir, manifest, cache, projectScanTimeout,
     try {
       const scan = await scanElixir(dir, cache, manifest, offline);
       if (scan) {
+        scan.path = path13.relative(rootDir, dir) || ".";
         results.push(scan);
       }
     } catch (error) {
@@ -7511,6 +7514,7 @@ async function scanDockerProjects(rootDir, manifest, cache, projectScanTimeout,
     try {
       const scan = await scanDocker(dir, cache, manifest, offline);
       if (scan) {
+        scan.path = path14.relative(rootDir, dir) || ".";
         results.push(scan);
       }
     } catch (error) {
@@ -7747,6 +7751,7 @@ async function scanHelmProjects(rootDir, manifest, cache, projectScanTimeout, of
     try {
       const scan = await scanHelm(dir, cache, manifest, offline);
       if (scan) {
+        scan.path = path15.relative(rootDir, dir) || ".";
         results.push(scan);
       }
     } catch (error) {
@@ -8123,6 +8128,7 @@ async function scanTerraformProjects(rootDir, manifest, cache, projectScanTimeou
     try {
       const scan = await scanTerraform(dir, cache, manifest, offline);
       if (scan) {
+        scan.path = path16.relative(rootDir, dir) || ".";
         results.push(scan);
       }
     } catch (error) {
@@ -8184,6 +8190,9 @@ function parseLineDependencies(content, regex, capture = 1) {
 function getProjectName(projectPath, rootDir) {
   return path17.basename(projectPath) || path17.basename(rootDir);
 }
+function makefileHasCSignals(content) {
+  return /^\s*(CC|CFLAGS|LDFLAGS)\s*[:?+]?=/m.test(content) || /\b(gcc|clang)\b/.test(content) || /\.(c|o)\b/.test(content);
+}
 function addProject(projects, seen, type, projectPath, rootDir, dependencies = []) {
   const normalizedPath = projectPath || ".";
   const key = `${type}:${normalizedPath}`;
@@ -8254,6 +8263,10 @@ async function scanPolyglotProjects(rootDir, cache) {
   for (const file of candidateFiles) {
     const mapping = MANIFEST_TO_LANGUAGE.find((m) => m.name === file.name || m.name.startsWith("*.") && file.name.endsWith(m.name.slice(1)));
     if (!mapping) continue;
+    if (file.name === "Makefile") {
+      const text = cache ? await cache.readTextFile(file.absPath) : await readTextFile(file.absPath);
+      if (!makefileHasCSignals(text)) continue;
+    }
     const projectPath = path17.dirname(file.relPath) || ".";
     const dependencies = await parseDepsByManifest(file.absPath, cache);
     addProject(projects, seen, mapping.type, projectPath, rootDir, dependencies);
@@ -13406,6 +13419,54 @@ async function computeTreeMetadataHash(rootDir, options) {
   }
   return digest.digest("hex");
 }
+var ProgressTrace = class _ProgressTrace {
+  constructor(outPath) {
+    this.outPath = outPath;
+  }
+  events = [];
+  start = Date.now();
+  lastThrottled = /* @__PURE__ */ new Map();
+  flushed = false;
+  /** Returns a trace when VIBGRATE_TRACE_EVENTS is set, else null. */
+  static fromEnv() {
+    const path34 = process.env.VIBGRATE_TRACE_EVENTS;
+    return path34 ? new _ProgressTrace(path34) : null;
+  }
+  record(op, data = {}) {
+    if (this.flushed) return;
+    this.events.push({ t: Date.now() - this.start, op, ...data });
+  }
+  /**
+   * Record at most one event per key per interval. Used for high-frequency
+   * updates (sub-step progress, live stats) so traces stay compact.
+   */
+  recordThrottled(key, op, data = {}, intervalMs = 120) {
+    if (this.flushed) return;
+    const now = Date.now();
+    const last = this.lastThrottled.get(key) ?? 0;
+    if (now - last < intervalMs) return;
+    this.lastThrottled.set(key, now);
+    this.record(op, data);
+  }
+  /** Write the trace document. Safe to call once; later calls are no-ops. */
+  flush(meta) {
+    if (this.flushed) return;
+    this.flushed = true;
+    const doc = {
+      traceVersion: 1,
+      cliVersion: meta.cliVersion,
+      workspace: basename192(meta.rootDir) || meta.rootDir,
+      recordedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      durationMs: Date.now() - this.start,
+      events: this.events
+    };
+    try {
+      mkdirSync(dirname182(this.outPath), { recursive: true });
+      writeFileSync(this.outPath, JSON.stringify(doc));
+    } catch {
+    }
+  }
+};
 var ROBOT = [
   chalk2.cyan("    \u256D\u2500\u2500\u2500\u256E") + chalk2.greenBright("\u279C"),
   chalk2.cyan("   \u256D\u2524") + chalk2.greenBright("\u25C9 \u25C9") + chalk2.cyan("\u251C\u256E"),
@@ -13449,8 +13510,11 @@ var ScanProgress = class {
   /** Last emitted step snapshot for append-only output modes */
   lastLoggedStates = /* @__PURE__ */ new Map();
   version;
+  /** Optional semantic event recorder (VIBGRATE_TRACE_EVENTS) for the web simulator */
+  trace;
   constructor(rootDir, version = "unknown") {
     this.version = version;
+    this.trace = ProgressTrace.fromEnv();
     this.isTTY = process.stderr.isTTY ?? false;
     this.useLiveUpdates = this.isTTY && process.env.VIBGRATE_PROGRESS_MODE !== "plain";
     this.rootDir = rootDir;
@@ -13475,6 +13539,7 @@ var ScanProgress = class {
   /** Set the estimated total duration from scan history */
   setEstimatedTotal(estimatedMs) {
     this.estimatedTotalMs = estimatedMs;
+    this.trace?.record("setEstimatedTotal", { estimatedMs });
   }
   /** Set per-step estimated durations from scan history */
   setStepEstimates(estimates) {
@@ -13487,6 +13552,7 @@ var ScanProgress = class {
   /** Register all steps up front, optionally with weights */
   setSteps(steps) {
     this.steps = steps.map((s) => ({ ...s, status: "pending", weight: s.weight ?? 1 }));
+    this.trace?.record("setSteps", { steps: steps.map((s) => ({ id: s.id, label: s.label, weight: s.weight ?? 1 })) });
     if (this.isTTY) {
       const header = [
         "",
@@ -13512,6 +13578,7 @@ var ScanProgress = class {
     } else {
       this.steps.push(newStep);
     }
+    this.trace?.record("insertStepBefore", { beforeId, step: { id: step.id, label: step.label, weight: step.weight ?? 1 } });
   }
   /** Mark a step as active (currently running), optionally with expected total */
   startStep(id, subTotal) {
@@ -13524,6 +13591,7 @@ var ScanProgress = class {
       step.subTotal = subTotal;
     }
     this.stepStartTimes.set(id, Date.now());
+    this.trace?.record("startStep", { id, subTotal });
     this.render();
   }
   /** Mark a step as completed */
@@ -13538,6 +13606,7 @@ var ScanProgress = class {
     if (started) {
       this.stepTimings.push({ id, durationMs: Date.now() - started });
     }
+    this.trace?.record("completeStep", { id, detail, count });
     this.render();
   }
   /** Mark a step as skipped */
@@ -13547,6 +13616,7 @@ var ScanProgress = class {
       step.status = "skipped";
       step.detail = "disabled";
     }
+    this.trace?.record("skipStep", { id });
     this.render();
   }
   /** Update sub-step progress for the active step (files processed, etc.) */
@@ -13557,32 +13627,51 @@ var ScanProgress = class {
       if (total !== void 0) step.subTotal = total;
       if (label !== void 0) step.subLabel = label;
     }
+    this.trace?.recordThrottled(`sub:${id}`, "updateStepProgress", { id, current, total, label });
     this.render();
   }
   /** Update live stats */
   updateStats(partial) {
     Object.assign(this.stats, partial);
+    this.traceStats(true);
     this.render();
   }
   /** Increment stats */
   addProjects(n) {
     this.stats.projects += n;
+    this.traceStats();
     this.render();
   }
   addDependencies(n) {
     this.stats.dependencies += n;
+    this.traceStats();
     this.render();
   }
   addFrameworks(n) {
     this.stats.frameworks += n;
+    this.traceStats();
     this.render();
   }
   addFindings(warnings, errors, notes) {
     this.stats.findings.warnings += warnings;
     this.stats.findings.errors += errors;
     this.stats.findings.notes += notes;
+    this.traceStats();
     this.render();
   }
+  /** Record a (throttled) snapshot of live stats into the trace */
+  traceStats(force = false) {
+    if (!this.trace) return;
+    const snapshot = {
+      stats: {
+        ...this.stats,
+        findings: { ...this.stats.findings },
+        treeSummary: this.stats.treeSummary ? { ...this.stats.treeSummary } : void 0
+      }
+    };
+    if (force) this.trace.record("stats", snapshot);
+    else this.trace.recordThrottled("stats", "stats", snapshot);
+  }
   /** Stop the progress display and clear it */
   finish() {
     if (this.timer) {
@@ -13607,6 +13696,8 @@ var ScanProgress = class {
 
 `)
     );
+    this.trace?.record("finish", { doneCount, elapsedMs: Date.now() - this.startTime, summary: `${doneCount} scanners completed in ${elapsed}` });
+    this.trace?.flush({ cliVersion: this.version, rootDir: this.rootDir });
     if (this.isTTY && process.platform === "win32") {
       process.stdout.write("\x1B[0G\x1B[K");
     }
@@ -13980,7 +14071,7 @@ async function runScan(rootDir, opts) {
   const composerCache = new ComposerCache(sem, packageManifest, offlineMode);
   const pubCache = new PubCache(sem, packageManifest, offlineMode);
   const fileCache = new FileCache();
-  const excludePatterns = config.exclude ?? [];
+  const excludePatterns = [.../* @__PURE__ */ new Set([...config.exclude ?? [], ...opts.exclude ?? []])];
   fileCache.setExcludePatterns(excludePatterns);
   const projectScanTimeoutMs = (opts.projectScanTimeout ?? config.projectScanTimeout ?? 180) * 1e3;
   fileCache.setMaxFileSize(config.maxFileSizeToScan ?? 5242880);
@@ -14260,14 +14351,17 @@ async function runScan(rootDir, opts) {
     progress.addProjects(polyglotProjects.length);
     progress.completeStep("polyglot", `${polyglotProjects.length} project${polyglotProjects.length !== 1 ? "s" : ""}`, polyglotProjects.length);
   }
+  const OVERLAY_PROJECT_TYPES = /* @__PURE__ */ new Set(["docker", "helm", "terraform"]);
+  const dedupeKey = (p) => OVERLAY_PROJECT_TYPES.has(p.type) ? `${p.type}:${p.path}` : p.path;
   const rawProjects = [...nodeProjects, ...dotnetProjects, ...pythonProjects, ...javaProjects, ...rubyProjects, ...swiftProjects, ...goProjects, ...rustProjects, ...phpProjects, ...dartProjects, ...elixirProjects, ...dockerProjects, ...helmProjects, ...terraformProjects, ...polyglotProjects];
   const deduplicatedMap = /* @__PURE__ */ new Map();
   for (const project of rawProjects) {
-    const existing = deduplicatedMap.get(project.path);
+    const existing = deduplicatedMap.get(dedupeKey(project));
     if (!existing) {
-      deduplicatedMap.set(project.path, project);
+      deduplicatedMap.set(dedupeKey(project), project);
     } else {
-      const keepNew = project.dependencies.length > existing.dependencies.length;
+      const resolvedCount = (p) => p.dependencies.filter((d) => d.resolvedVersion || d.latestStable).length;
+      const keepNew = resolvedCount(project) > resolvedCount(existing) || resolvedCount(project) === resolvedCount(existing) && project.dependencies.length > existing.dependencies.length;
       const winner = keepNew ? project : existing;
       const loser = keepNew ? existing : project;
       if (loser.projectReferences?.length) {
@@ -14280,7 +14374,7 @@ async function runScan(rootDir, opts) {
           }
         }
       }
-      deduplicatedMap.set(project.path, winner);
+      deduplicatedMap.set(dedupeKey(project), winner);
     }
   }
   const allProjects = [...deduplicatedMap.values()];

package/dist/cli.js

@@ -6,7 +6,7 @@ import {
   pathExists,
   readJsonFile,
   writeTextFile
-} from "./chunk-HQCB2BTS.js";
+} from "./chunk-4CDBCG4I.js";
 import {
   computeRepoFingerprint,
   detectVcs,
@@ -16,13 +16,14 @@ import {
   resolveRepositoryName,
   runScan,
   writeDefaultConfig
-} from "./chunk-X2MPRPZ6.js";
+} from "./chunk-EIZZ6VC3.js";
 import {
   require_semver
 } from "./chunk-74ZJFYEM.js";
 import {
+  parseExcludePatterns,
   pathExists as pathExists2
-} from "./chunk-RAQ76CZO.js";
+} from "./chunk-C7LU6YIL.js";
 import {
   __toESM
 } from "./chunk-JSBRDJBE.js";
@@ -48,7 +49,7 @@ var initCommand = new Command("init").description("Initialize vibgrate in a proj
     console.log(chalk.green("\u2714") + ` Created ${chalk.bold("vibgrate.config.ts")}`);
   }
   if (opts.baseline) {
-    const { runBaseline } = await import("./baseline-Q3S7D7RQ.js");
+    const { runBaseline } = await import("./baseline-QRGGTCJD.js");
     await runBaseline(rootDir);
   }
   console.log("");
@@ -302,6 +303,9 @@ async function autoPush(artifact, rootDir, opts) {
     if (opts.strict) process.exit(1);
   }
 }
+function collectExcludes(value, previous) {
+  return [...previous, ...parseExcludePatterns(value)];
+}
 function parseNonNegativeNumber(value, label) {
   if (value === void 0) return void 0;
   const parsed = Number(value);
@@ -310,7 +314,12 @@ function parseNonNegativeNumber(value, label) {
   }
   return parsed;
 }
-var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif|md)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--project-scan-timeout <seconds>", "Per-project scan timeout in seconds (default: 180)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
+var scanCommand = new Command3("scan").description("Scan a project for upgrade drift").argument("[path]", "Path to scan", ".").option("--out <file>", "Output file path").option("--format <format>", "Output format (text|json|sarif|md)", "text").option("--fail-on <level>", "Fail on warn or error").option("--baseline <file>", "Compare against baseline").option("--changed-only", "Only scan changed files").option(
+  "-e, --exclude <glob>",
+  'Exclude paths matching a glob pattern. Repeatable, and a single value may list several patterns separated by commas or semicolons (e.g. --exclude "legacy/**,vendor/**"). Merged with excludes from the config file.',
+  collectExcludes,
+  []
+).option("--concurrency <n>", "Max concurrent npm calls", "8").option("--push", "Auto-push results to Vibgrate API after scan").option("--dsn <dsn>", "DSN token for push (or use VIBGRATE_DSN env)").option("--region <region>", "Override data residency region for push (us, eu)").option("--strict", "Fail on push errors").option("--ui-purpose", "Enable optional UI purpose evidence extraction (slower)").option("--no-local-artifacts", "Do not write .vibgrate JSON artifacts to disk").option("--max-privacy", "Enable strongest privacy mode (minimal scanners, no local artifacts)").option("--offline", "Run without network calls; do not upload results").option("--package-manifest <file>", "Use local package-version manifest JSON/ZIP (for offline mode)").option("--project-scan-timeout <seconds>", "Per-project scan timeout in seconds (default: 180)").option("--drift-budget <score>", "Fail if drift score is above budget (0-100)").option("--drift-worsening <percent>", "Fail if drift worsens by more than % since baseline").action(async (targetPath, opts) => {
   const rootDir = path3.resolve(targetPath);
   if (!await pathExists2(rootDir)) {
     console.error(chalk3.red(`Path does not exist: ${rootDir}`));
@@ -374,6 +383,7 @@ var scanCommand = new Command3("scan").description("Scan a project for upgrade d
     failOn: opts.failOn,
     baseline: opts.baseline,
     changedOnly: opts.changedOnly,
+    exclude: opts.exclude,
     concurrency: parseInt(opts.concurrency, 10) || 8,
     push: opts.push,
     dsn: opts.dsn,