@visulima/vis 1.0.0-alpha.1 → 1.0.0-alpha.11

package/dist/packem_chunks/handler30.js

@@ -0,0 +1,170 @@
+import { detectAllProviders, runProvider } from '@visulima/find-ai-runner';
+import { renderToString, Table } from '@visulima/tui';
+import React from 'react';
+import { a as resolveProvider, D as DEFAULT_PRIORITY } from '../packem_shared/ai-analysis-CHeB1joD.js';
+import { bold, dim, cyan, green, yellow } from '@visulima/colorize';
+
+const AI_DISCOVERY_META = {
+  command: "ai",
+  description: "AI-assisted commands: provider detection, cache management, and failure-fix proposals."
+};
+const typeName = (type) => {
+  if (typeof type !== "function") {
+    return String(type);
+  }
+  const { name } = type;
+  if (name === "Boolean") {
+    return "boolean";
+  }
+  if (name === "Number") {
+    return "number";
+  }
+  if (name === "String") {
+    return "string";
+  }
+  return name ?? "unknown";
+};
+const buildSubcommand = (command) => {
+  const path = [...command.commandPath ?? [], command.name].join(" ");
+  const examples = (command.examples ?? []).map(([cmd, description]) => {
+    return {
+      command: cmd ?? "",
+      description: description ?? ""
+    };
+  });
+  const options = (command.options ?? []).map((option) => {
+    return {
+      defaultValue: option.defaultValue,
+      description: option.description,
+      name: option.name,
+      type: typeName(option.type)
+    };
+  });
+  return {
+    argument: command.argument ? { description: command.argument.description, name: command.argument.name } : void 0,
+    description: command.description ?? "",
+    examples,
+    name: command.name,
+    options,
+    path
+  };
+};
+const buildDiscoveryPayload = (subcommands, meta = AI_DISCOVERY_META) => {
+  return {
+    command: meta.command,
+    description: meta.description,
+    subcommands: subcommands.map((subcommand) => buildSubcommand(subcommand))
+  };
+};
+const renderDiscoveryJson = (subcommands, meta = AI_DISCOVERY_META) => `${JSON.stringify(buildDiscoveryPayload(subcommands, meta), void 0, 2)}
+`;
+const renderDiscoveryText = (subcommands, meta = AI_DISCOVERY_META) => {
+  const payload = buildDiscoveryPayload(subcommands, meta);
+  const lines = [];
+  lines.push(bold(`vis ${payload.command} — ${payload.description}`));
+  lines.push("");
+  lines.push(dim("Subcommands:"));
+  for (const subcommand of payload.subcommands) {
+    const argumentSegment = subcommand.argument ? ` ${cyan(`<${subcommand.argument.name}>`)}` : "";
+    lines.push("");
+    lines.push(`  ${green(`vis ${subcommand.path}`)}${argumentSegment}`);
+    if (subcommand.description) {
+      lines.push(`    ${subcommand.description}`);
+    }
+    if (subcommand.options.length > 0) {
+      const optionList = subcommand.options.map((option) => `--${option.name}${option.type === "boolean" ? "" : `=<${option.type}>`}`).join(", ");
+      lines.push(dim(`    options: ${optionList}`));
+    }
+    if (subcommand.examples.length > 0) {
+      lines.push(dim("    examples:"));
+      for (const example of subcommand.examples) {
+        const trailing = example.description ? dim(` — ${example.description}`) : "";
+        lines.push(`      ${yellow(example.command)}${trailing}`);
+      }
+    }
+  }
+  lines.push("");
+  lines.push(dim(`Run \`vis ${payload.command} discover-help\` for the machine-readable JSON catalogue (designed for AI agents).`));
+  lines.push(dim(`Run \`vis ${payload.command} <subcommand> --help\` for full usage of a specific subcommand.`));
+  return `${lines.join("\n")}
+`;
+};
+
+const loadDiscoverableSubcommands = async () => {
+  const { default: aiCommands } = await import('./bin.js').then(n => n.ac);
+  return aiCommands.filter((cmd) => cmd.name !== "ai");
+};
+const aiRootExecute = async () => {
+  const subcommands = await loadDiscoverableSubcommands();
+  process.stderr.write(renderDiscoveryText(subcommands));
+};
+const aiDiscoverHelpExecute = async () => {
+  const subcommands = await loadDiscoverableSubcommands();
+  process.stdout.write(renderDiscoveryJson(subcommands));
+};
+const aiTestExecute = async ({ logger, visConfig }) => {
+  const aiConfig = visConfig?.ai;
+  const provider = resolveProvider(aiConfig);
+  if (!provider) {
+    logger.error("No AI provider available to test.");
+    process.exitCode = 1;
+    return;
+  }
+  logger.info(`Testing ${provider.name}...`);
+  try {
+    const result = await runProvider(provider, "Reply with exactly: OK", { timeoutMs: 3e4 });
+    logger.info(`Provider ${provider.name} responded: ${result.stdout.trim().slice(0, 200)}`);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    logger.error(`Provider ${provider.name} failed: ${message}`);
+    process.exitCode = 1;
+  }
+};
+const aiProvidersExecute = ({ logger, options, visConfig }) => {
+  const format = options.format ?? "table";
+  const aiConfig = visConfig?.ai;
+  const allProviders = detectAllProviders();
+  const selected = resolveProvider(aiConfig);
+  if (format === "json") {
+    const output2 = allProviders.map((p) => {
+      return {
+        available: p.available,
+        method: p.detectionMethod,
+        name: p.name,
+        path: p.path,
+        priority: DEFAULT_PRIORITY[p.name] ?? 0,
+        selected: p.name === selected?.name,
+        version: p.version
+      };
+    });
+    process.stdout.write(`${JSON.stringify(output2, void 0, 2)}
+`);
+    return;
+  }
+  const tableData = allProviders.map((provider) => {
+    return {
+      method: provider.detectionMethod ?? "-",
+      path: provider.path ?? "-",
+      priority: String(DEFAULT_PRIORITY[provider.name] ?? 0),
+      provider: provider.name,
+      selected: provider.name === selected?.name ? ">>>" : "",
+      status: provider.available ? "available" : "not found",
+      version: provider.version ?? "-"
+    };
+  });
+  const columns = process.stdout.columns || 80;
+  const output = renderToString(React.createElement(Table, { data: tableData }), { columns });
+  logger.info(output);
+  if (selected) {
+    logger.info(`
+Selected provider: ${selected.name} (priority ${String(DEFAULT_PRIORITY[selected.name] ?? 0)})`);
+  } else {
+    logger.info("\nNo AI provider available. Install one of the supported AI CLI tools.");
+  }
+};
+const aiFixExecute = async (toolbox) => {
+  const { aiFix } = await import('./fix.js');
+  await aiFix(toolbox);
+};
+
+export { aiDiscoverHelpExecute, aiFixExecute, aiProvidersExecute, aiRootExecute, aiTestExecute };

package/dist/packem_chunks/handler31.js

@@ -0,0 +1,530 @@
+import { dim, yellow, cyan, magenta, red } from '@visulima/colorize';
+import { isAccessibleSync, readFileSync, writeFileSync } from '@visulima/fs';
+import { readYamlSync } from '@visulima/fs/yaml';
+import { join } from '@visulima/path';
+import { c as detectPm, p as pail, f as fetchSocketReports, t as findAcceptedRisk, D as DEFAULT_LOW_SCORE_THRESHOLD, a as buildSocketOptions, H as scoreLabel, J as getFullPackageName } from './bin.js';
+import { l as lockedPackages, f as findDuplicateDependencies, s as startScanProgress } from '../packem_shared/dependency-scan-A0KSklpG.js';
+import { a as fetchVulnerabilities } from '../packem_shared/catalog-BJTtyi-O.js';
+
+const toStringArray = (value) => {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  return value.filter((v) => typeof v === "string");
+};
+const matchesGlobList = (value, patterns) => {
+  for (const pattern of patterns) {
+    if (pattern === value) {
+      return true;
+    }
+    if (pattern.endsWith("*") && value.startsWith(pattern.slice(0, -1))) {
+      return true;
+    }
+  }
+  return false;
+};
+const readPnpmAuditExclusions = (workspaceRoot) => {
+  const filePath = join(workspaceRoot, "pnpm-workspace.yaml");
+  if (!isAccessibleSync(filePath)) {
+    return { excludedPackages: [], ignoredAdvisories: [] };
+  }
+  try {
+    const data = readYamlSync(filePath);
+    return {
+      excludedPackages: [],
+      ignoredAdvisories: [...toStringArray(data?.auditConfig?.ignoreCves), ...toStringArray(data?.auditConfig?.ignoreGhsas)]
+    };
+  } catch {
+    return { excludedPackages: [], ignoredAdvisories: [] };
+  }
+};
+const readYarnAuditExclusions = (workspaceRoot) => {
+  const filePath = join(workspaceRoot, ".yarnrc.yml");
+  if (!isAccessibleSync(filePath)) {
+    return { excludedPackages: [], ignoredAdvisories: [] };
+  }
+  try {
+    const data = readYamlSync(filePath);
+    return {
+      excludedPackages: toStringArray(data?.npmAuditExcludePackages),
+      ignoredAdvisories: toStringArray(data?.npmAuditIgnoreAdvisories)
+    };
+  } catch {
+    return { excludedPackages: [], ignoredAdvisories: [] };
+  }
+};
+const readNativeAuditExclusions = (workspaceRoot, pm) => {
+  switch (pm) {
+    case "pnpm": {
+      return readPnpmAuditExclusions(workspaceRoot);
+    }
+    case "yarn": {
+      return readYarnAuditExclusions(workspaceRoot);
+    }
+    default: {
+      return { excludedPackages: [], ignoredAdvisories: [] };
+    }
+  }
+};
+const isAdvisoryExcluded = (vulnId, exclusions, aliases) => {
+  if (matchesGlobList(vulnId, exclusions.ignoredAdvisories)) {
+    return true;
+  }
+  if (aliases) {
+    for (const alias of aliases) {
+      if (matchesGlobList(alias, exclusions.ignoredAdvisories)) {
+        return true;
+      }
+    }
+  }
+  return false;
+};
+const isPackageExcluded = (packageName, exclusions) => matchesGlobList(packageName, exclusions.excludedPackages);
+const syncAcceptedRisksToNativeConfig = (pm, workspaceRoot, advisoryIds) => {
+  if (advisoryIds.length === 0) {
+    return ["No advisory IDs to sync."];
+  }
+  const actions = [];
+  switch (pm) {
+    case "bun": {
+      actions.push(`bun has no audit config file. Use CLI flags: bun audit ${advisoryIds.map((id) => `--ignore ${id}`).join(" ")}`);
+      break;
+    }
+    case "npm": {
+      actions.push("npm has no native audit exclusion config. vis accepted risks are the only layer.");
+      break;
+    }
+    case "pnpm": {
+      const filePath = join(workspaceRoot, "pnpm-workspace.yaml");
+      if (!isAccessibleSync(filePath)) {
+        actions.push("pnpm-workspace.yaml not found. Cannot sync.");
+        break;
+      }
+      const existing = readPnpmAuditExclusions(workspaceRoot);
+      const existingCves = new Set(existing.ignoredAdvisories.filter((id) => id.startsWith("CVE-")));
+      const existingGhsas = new Set(existing.ignoredAdvisories.filter((id) => id.startsWith("GHSA-")));
+      const newCves = advisoryIds.filter((id) => id.startsWith("CVE-"));
+      const newGhsas = advisoryIds.filter((id) => id.startsWith("GHSA-"));
+      const mergedCves = [.../* @__PURE__ */ new Set([...existingCves, ...newCves])];
+      const mergedGhsas = [.../* @__PURE__ */ new Set([...existingGhsas, ...newGhsas])];
+      const addedCves = newCves.filter((id) => !existingCves.has(id)).length;
+      const addedGhsas = newGhsas.filter((id) => !existingGhsas.has(id)).length;
+      if (addedCves === 0 && addedGhsas === 0) {
+        actions.push("All advisory IDs already present in pnpm-workspace.yaml.");
+        break;
+      }
+      let content = readFileSync(filePath);
+      if (mergedCves.length > 0) {
+        const cveBlock = `  ignoreCves:
+${mergedCves.map((id) => `    - ${id}`).join("\n")}
+`;
+        if (/auditConfig:/.test(content)) {
+          content = /ignoreCves:/.test(content) ? content.replace(/ignoreCves:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/, cveBlock) : content.replace(/auditConfig:\s*\n/, `auditConfig:
+${cveBlock}`);
+        } else {
+          content = `${content.trimEnd()}
+
+auditConfig:
+${cveBlock}`;
+        }
+        if (addedCves > 0) {
+          actions.push(`Added ${String(addedCves)} new CVE${addedCves === 1 ? "" : "s"} to pnpm-workspace.yaml (${String(mergedCves.length)} total)`);
+        }
+      }
+      if (mergedGhsas.length > 0) {
+        const ghsaBlock = `  ignoreGhsas:
+${mergedGhsas.map((id) => `    - ${id}`).join("\n")}
+`;
+        if (/auditConfig:/.test(content)) {
+          content = /ignoreGhsas:/.test(content) ? content.replace(/ignoreGhsas:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/, ghsaBlock) : content.replace(/(auditConfig:[\s\S]*?)(\n\S|\n?$)/m, `$1${ghsaBlock}$2`);
+        }
+        if (addedGhsas > 0) {
+          actions.push(
+            `Added ${String(addedGhsas)} new GHSA${addedGhsas === 1 ? "" : "s"} to pnpm-workspace.yaml (${String(mergedGhsas.length)} total)`
+          );
+        }
+      }
+      writeFileSync(filePath, content);
+      break;
+    }
+    case "yarn": {
+      const filePath = join(workspaceRoot, ".yarnrc.yml");
+      if (!isAccessibleSync(filePath)) {
+        actions.push(".yarnrc.yml not found. Cannot sync.");
+        break;
+      }
+      const existingYarn = readYarnAuditExclusions(workspaceRoot);
+      const existingSet = new Set(existingYarn.ignoredAdvisories);
+      const merged = [.../* @__PURE__ */ new Set([...existingSet, ...advisoryIds])];
+      const added = advisoryIds.filter((id) => !existingSet.has(id)).length;
+      if (added === 0) {
+        actions.push("All advisory IDs already present in .yarnrc.yml.");
+        break;
+      }
+      let content = readFileSync(filePath);
+      const advisoryBlock = `npmAuditIgnoreAdvisories:
+${merged.map((id) => `  - "${id}"`).join("\n")}
+`;
+      content = /npmAuditIgnoreAdvisories:/.test(content) ? content.replace(
+        /npmAuditIgnoreAdvisories:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,
+        advisoryBlock
+      ) : `${content.trimEnd()}
+
+${advisoryBlock}`;
+      writeFileSync(filePath, content);
+      actions.push(`Synced ${String(added)} advisor${added === 1 ? "y" : "ies"} to .yarnrc.yml (${String(merged.length)} total)`);
+      break;
+    }
+    default: {
+      actions.push(`Unknown package manager: ${pm}`);
+    }
+  }
+  return actions;
+};
+
+const SEVERITY_ORDER = {
+  CRITICAL: 0,
+  HIGH: 1,
+  LOW: 3,
+  MODERATE: 2,
+  UNKNOWN: 4
+};
+const SOCKET_ALERT_COLORS = {
+  critical: red,
+  high: magenta,
+  low: cyan,
+  medium: yellow
+};
+const severityPassesFilter = (severity, filter) => {
+  const filterLevel = SEVERITY_ORDER[filter.toUpperCase()] ?? SEVERITY_ORDER.MODERATE ?? 2;
+  const vulnLevel = SEVERITY_ORDER[severity.toUpperCase()] ?? 4;
+  return vulnLevel <= filterLevel;
+};
+const SEVERITY_COLOR_FN = {
+  CRITICAL: red,
+  HIGH: magenta,
+  LOW: cyan,
+  MODERATE: yellow,
+  UNKNOWN: dim
+};
+const formatVulnLine = (name, version, vuln, isAccepted) => {
+  const colorFunction = SEVERITY_COLOR_FN[vuln.severity] ?? dim;
+  const badge = isAccepted ? ` ${dim("[acknowledged]")}` : "";
+  const fixedVersions = vuln.fixedVersions ?? [];
+  const fixed = fixedVersions.length > 0 ? ` (fix: ${fixedVersions.join(", ")})` : "";
+  return `  ${colorFunction(vuln.severity)} ${vuln.id} — ${name}@${version}${badge}
+    ${vuln.summary}${fixed}`;
+};
+const formatSocketLine = (report, isAccepted) => {
+  const name = getFullPackageName(report);
+  const pct = `${String(Math.round(report.score.overall * 100))}%`;
+  const badge = isAccepted ? ` ${dim("[acknowledged]")}` : "";
+  const alerts = report.alerts.length > 0 ? `, ${String(report.alerts.length)} alert${report.alerts.length === 1 ? "" : "s"}` : "";
+  return `  ${pct} ${name}@${report.version} (${scoreLabel(report.score.overall)}${alerts})${badge}`;
+};
+const executeAudit = async (workspaceRoot, options, visConfig, _logger) => {
+  const severityFilter = options.severity ?? "low";
+  const isJson = options.format === "json" || Boolean(options.json);
+  const showFixes = Boolean(options.fix);
+  const showAccepted = Boolean(options.showAccepted);
+  const socketConfig = visConfig?.security?.socket;
+  const acceptedRisks = socketConfig?.acceptedRisks;
+  const pm = detectPm(workspaceRoot);
+  const nativeExclusions = readNativeAuditExclusions(workspaceRoot, pm.name);
+  if (nativeExclusions.ignoredAdvisories.length > 0 || nativeExclusions.excludedPackages.length > 0) {
+    pail.info(
+      `Loaded ${String(nativeExclusions.ignoredAdvisories.length)} ignored advisor${nativeExclusions.ignoredAdvisories.length === 1 ? "y" : "ies"} and ${String(nativeExclusions.excludedPackages.length)} excluded package${nativeExclusions.excludedPackages.length === 1 ? "" : "s"} from ${pm.name} config.`
+    );
+  }
+  const installed = lockedPackages(workspaceRoot, pm.name);
+  if (installed.length === 0) {
+    pail.info(`No ${pm.name} lockfile entries found. Run ${pm.name} install first.`);
+    return;
+  }
+  if (!isJson) {
+    pail.info(`Scanning ${String(installed.length)} installed packages…`);
+  }
+  const packagesToScan = installed.map((p) => {
+    return { name: p.name, version: p.version };
+  });
+  const socketOptions = buildSocketOptions(socketConfig);
+  const duplicates = findDuplicateDependencies(workspaceRoot, pm.name);
+  const progressTasks = [
+    { id: "vulnerabilities", label: "Known vulnerabilities (OSV)" },
+    ...socketOptions ? [{ id: "socket", label: "Socket.dev supply-chain reports" }] : []
+  ];
+  const progress = startScanProgress(progressTasks, { live: !isJson });
+  const startedAt = Date.now();
+  const fmtElapsed = (start) => {
+    const ms = Date.now() - start;
+    return ms >= 1e3 ? `${(ms / 1e3).toFixed(1)}s` : `${String(Math.round(ms))}ms`;
+  };
+  let vulnMap;
+  let socketReports;
+  try {
+    const vulnStart = Date.now();
+    const socketStart = Date.now();
+    progress.start("vulnerabilities");
+    if (socketOptions) {
+      progress.start("socket");
+    }
+    [vulnMap, socketReports] = await Promise.all([
+      fetchVulnerabilities(packagesToScan).then((map) => {
+        let count = 0;
+        for (const list of map.values()) {
+          count += list.length;
+        }
+        progress.finish(
+          "vulnerabilities",
+          count > 0 ? "warn" : "ok",
+          count > 0 ? `${String(count)} found · ${fmtElapsed(vulnStart)}` : `none found · ${fmtElapsed(vulnStart)}`
+        );
+        return map;
+      }).catch((error) => {
+        const message = error instanceof Error ? error.message : String(error);
+        progress.finish("vulnerabilities", "error", message);
+        return /* @__PURE__ */ new Map();
+      }),
+      socketOptions ? fetchSocketReports(packagesToScan, socketOptions).then((reports) => {
+        let alerts = 0;
+        let low = 0;
+        for (const report of reports.values()) {
+          alerts += report.alerts.length;
+          if (report.score.overall < DEFAULT_LOW_SCORE_THRESHOLD) {
+            low += 1;
+          }
+        }
+        const total = alerts + low;
+        progress.finish(
+          "socket",
+          total > 0 ? "warn" : "ok",
+          total > 0 ? `${String(alerts)} alert${alerts === 1 ? "" : "s"}, ${String(low)} low-score · ${fmtElapsed(socketStart)}` : `clean · ${fmtElapsed(socketStart)}`
+        );
+        return reports;
+      }).catch((error) => {
+        const message = error instanceof Error ? error.message : String(error);
+        progress.finish("socket", "error", message);
+        return /* @__PURE__ */ new Map();
+      }) : Promise.resolve(/* @__PURE__ */ new Map())
+    ]);
+  } finally {
+    progress.stop();
+  }
+  if (!isJson) {
+    pail.info(dim(`Scan completed in ${fmtElapsed(startedAt)}`));
+  }
+  const entries = [];
+  for (const pkg of installed) {
+    if (isPackageExcluded(pkg.name, nativeExclusions)) {
+      continue;
+    }
+    const vulns = vulnMap.get(pkg.name) ?? [];
+    const report = socketReports.get(`${pkg.name}@${pkg.version}`);
+    const accepted = findAcceptedRisk(pkg.name, pkg.version, acceptedRisks);
+    const hasVulns = vulns.length > 0;
+    const hasLowScore = report ? report.score.overall < DEFAULT_LOW_SCORE_THRESHOLD : false;
+    const hasAlerts = report ? report.alerts.length > 0 : false;
+    if (hasVulns || hasLowScore || hasAlerts) {
+      entries.push({
+        acceptedRisk: accepted,
+        name: pkg.name,
+        socketReport: report,
+        version: pkg.version,
+        vulnerabilities: vulns
+      });
+    }
+  }
+  const filtered = entries.filter((entry) => {
+    const vulnPasses = entry.vulnerabilities.some((v) => severityPassesFilter(v.severity, severityFilter));
+    const socketPasses = entry.socketReport?.alerts.some(
+      (a) => severityPassesFilter(a.severity === "medium" ? "MODERATE" : a.severity.toUpperCase(), severityFilter)
+    );
+    const lowScorePasses = entry.socketReport && entry.socketReport.score.overall < DEFAULT_LOW_SCORE_THRESHOLD;
+    return vulnPasses || socketPasses || lowScorePasses;
+  });
+  if (isJson) {
+    const jsonResult = {
+      duplicates: duplicates.map((d) => {
+        return {
+          name: d.name,
+          versionCount: d.versions.length,
+          versions: d.versions
+        };
+      }),
+      packages: installed.length,
+      results: filtered.map((e) => {
+        return {
+          acceptedRisk: e.acceptedRisk ?? null,
+          name: e.name,
+          socketAlerts: e.socketReport?.alerts ?? [],
+          socketScore: e.socketReport?.score.overall ?? null,
+          version: e.version,
+          vulnerabilities: e.vulnerabilities
+        };
+      }),
+      summary: {
+        accepted: filtered.filter((e) => e.acceptedRisk).length,
+        duplicatePackages: duplicates.length,
+        issues: filtered.filter((e) => !e.acceptedRisk).length,
+        total: filtered.length
+      }
+    };
+    process.stdout.write(`${JSON.stringify(jsonResult, void 0, 2)}
+`);
+    if (options.exitCode && jsonResult.summary.issues > 0) {
+      process.exitCode = 1;
+    }
+    return;
+  }
+  if (filtered.length === 0) {
+    pail.success(`No security issues found across ${String(installed.length)} packages.`);
+    return;
+  }
+  const vulnsBySeverity = {
+    CRITICAL: [],
+    HIGH: [],
+    LOW: [],
+    MODERATE: []
+  };
+  for (const entry of filtered) {
+    for (const vuln of entry.vulnerabilities) {
+      if (severityPassesFilter(vuln.severity, severityFilter)) {
+        const key = vuln.severity === "UNKNOWN" ? "LOW" : vuln.severity;
+        vulnsBySeverity[key]?.push({ entry, vuln });
+      }
+    }
+  }
+  let totalVulns = 0;
+  let acknowledgedVulns = 0;
+  for (const severity of ["CRITICAL", "HIGH", "MODERATE", "LOW"]) {
+    const items = vulnsBySeverity[severity];
+    if (!items || items.length === 0) {
+      continue;
+    }
+    pail.info(`
+── ${severity} (${String(items.length)}) ──`);
+    for (const { entry, vuln } of items) {
+      const isExcluded = Boolean(entry.acceptedRisk) || isAdvisoryExcluded(vuln.id, nativeExclusions, vuln.aliases);
+      if (isExcluded) {
+        acknowledgedVulns++;
+        if (!showAccepted) {
+          continue;
+        }
+      }
+      totalVulns++;
+      pail.info(formatVulnLine(entry.name, entry.version, vuln, isExcluded));
+      if (showFixes && (vuln.fixedVersions ?? []).length > 0) {
+        pail.notice(`    Fix: update to ${vuln.fixedVersions.at(-1)}`);
+      }
+    }
+  }
+  const socketIssues = filtered.filter(
+    (e) => e.socketReport && (e.socketReport.score.overall < DEFAULT_LOW_SCORE_THRESHOLD || e.socketReport.alerts.length > 0)
+  );
+  if (socketIssues.length > 0) {
+    pail.info(`
+── Socket.dev Supply Chain (${String(socketIssues.length)}) ──`);
+    for (const entry of socketIssues) {
+      if (!entry.socketReport) {
+        continue;
+      }
+      const isExcluded = Boolean(entry.acceptedRisk);
+      if (isExcluded && !showAccepted) {
+        continue;
+      }
+      pail.info(formatSocketLine(entry.socketReport, isExcluded));
+      for (const alert of entry.socketReport.alerts) {
+        const alertColorFunction = SOCKET_ALERT_COLORS[alert.severity] ?? dim;
+        pail.info(`    ${alertColorFunction(`[${alert.severity.toUpperCase()}]`)} ${alert.type} — ${alert.category}`);
+      }
+    }
+  }
+  if (duplicates.length > 0) {
+    pail.info(`
+── Duplicate Dependencies (${String(duplicates.length)}) ──`);
+    for (const dup of duplicates) {
+      const versionList = dup.versions.join(", ");
+      pail.info(`  ${dup.name} — ${String(dup.versions.length)} versions: ${yellow(versionList)}`);
+    }
+  }
+  const isEntryExcluded = (e) => Boolean(e.acceptedRisk) || e.vulnerabilities.length > 0 && e.vulnerabilities.every((v) => isAdvisoryExcluded(v.id, nativeExclusions, v.aliases));
+  const unacknowledgedCount = filtered.filter((e) => !isEntryExcluded(e)).length;
+  pail.info("");
+  pail.info(`─ Audit Summary`);
+  pail.info(`  ${String(installed.length)} packages scanned`);
+  if (nativeExclusions.ignoredAdvisories.length > 0) {
+    pail.info(
+      `  ${String(nativeExclusions.ignoredAdvisories.length)} ${pm.name} audit exclusion${nativeExclusions.ignoredAdvisories.length === 1 ? "" : "s"} applied`
+    );
+  }
+  if (totalVulns > 0) {
+    const critCount = vulnsBySeverity.CRITICAL?.filter((i) => !isEntryExcluded(i.entry)).length ?? 0;
+    const highCount = vulnsBySeverity.HIGH?.filter((i) => !isEntryExcluded(i.entry)).length ?? 0;
+    pail.error(`  ${String(totalVulns)} vulnerabilit${totalVulns === 1 ? "y" : "ies"} found`);
+    if (critCount > 0) {
+      pail.error(`    ${String(critCount)} critical`);
+    }
+    if (highCount > 0) {
+      pail.warn(`    ${String(highCount)} high`);
+    }
+  } else {
+    pail.success("  No vulnerabilities found");
+  }
+  if (socketIssues.length > 0) {
+    const unacknowledgedSocket = socketIssues.filter((e) => !isEntryExcluded(e)).length;
+    pail.warn(`  ${String(unacknowledgedSocket)} package${unacknowledgedSocket === 1 ? "" : "s"} with Socket.dev supply chain issues`);
+  }
+  if (duplicates.length > 0) {
+    pail.warn(`  ${String(duplicates.length)} package${duplicates.length === 1 ? "" : "s"} with duplicate versions`);
+    pail.notice("  Run 'vis dedupe' or your package manager's dedupe command to reduce duplicates.");
+  }
+  if (acknowledgedVulns > 0) {
+    pail.info(`  ${String(acknowledgedVulns)} acknowledged (accepted risks)`);
+    if (!showAccepted) {
+      pail.notice("  Use --show-accepted to see acknowledged issues.");
+    }
+  }
+  if (unacknowledgedCount === 0) {
+    pail.success("\n  All issues are acknowledged. No action required.");
+  }
+  if (options.sync && acceptedRisks) {
+    const idSet = /* @__PURE__ */ new Set();
+    for (const entry of entries) {
+      if (entry.acceptedRisk) {
+        for (const vuln of entry.vulnerabilities) {
+          if (vuln.id.startsWith("CVE-") || vuln.id.startsWith("GHSA-")) {
+            idSet.add(vuln.id);
+          }
+          if (vuln.aliases) {
+            for (const alias of vuln.aliases) {
+              if (alias.startsWith("CVE-") || alias.startsWith("GHSA-")) {
+                idSet.add(alias);
+              }
+            }
+          }
+        }
+      }
+    }
+    const advisoryIds = [...idSet];
+    if (advisoryIds.length > 0) {
+      pail.info("");
+      const actions = syncAcceptedRisksToNativeConfig(pm.name, workspaceRoot, advisoryIds);
+      for (const action of actions) {
+        pail.success(`  ${action}`);
+      }
+    } else {
+      pail.info("\nNo advisory IDs to sync to native PM config.");
+    }
+  }
+  if (options.exitCode && unacknowledgedCount > 0) {
+    process.exitCode = 1;
+  }
+};
+const execute = async ({ logger, options, visConfig, workspaceRoot: wsRoot }) => {
+  if (!wsRoot) {
+    throw new Error("Could not determine workspace root. Run this command inside a monorepo.");
+  }
+  await executeAudit(wsRoot, options, visConfig);
+};
+
+export { execute as default };