@visulima/vis 1.0.0-alpha.21 → 1.0.0-alpha.23

package/dist/packem_chunks/handler45.js

@@ -1,213 +1,24 @@
-var wt=Object.defineProperty;var x=(e,t)=>wt(e,"name",{value:t,configurable:!0});import{createRequire as St}from"node:module";import{ay as Rt,u as Ee,ax as U,h as Ot,k as Pt,a9 as G,a$ as Lt,E as j,e as fe,q as tt,bu as st,a as Ie,a8 as jt,ab as Et,A as It,p as f,i as Dt,J as Wt,T as Mt,N as Ft,y as Ht,m as Vt,ae as Tt,s as Re,af as Ut}from"./bin.js";import{M as H,i as K,$ as ne,B as Ge,n as nt,O as Gt,C as rt}from"./config.js";import{t as _t,n as De,b as qt}from"../packem_shared/cyclonedx-CiHXuG8M.js";import{s as Bt}from"../packem_shared/scan-progress-CMynp3eA.js";import{r as Jt,A as _e,q as qe}from"../packem_shared/advisories-DsynpacV.js";import{L as ot,l as Yt,f as Xt}from"../packem_shared/dependency-scan-DC3nAFHS.js";import{r as Zt}from"../packem_shared/manifests-B0fMp872.js";import{x as Qt}from"../packem_shared/build-scripts-DsWMSWDs.js";import{F as es}from"../packem_shared/lockfile-C5DYMHVq.js";const xt=St(import.meta.url),ee=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,je=x(e=>{if(typeof ee<"u"&&ee.versions&&ee.versions.node){const[t,s]=ee.versions.node.split(".").map(Number);if(t>22||t===22&&s>=3||t===20&&s>=16)return ee.getBuiltinModule(e)}return xt(e)},"__cjs_getBuiltinModule"),{existsSync:Ze,readFileSync:Qe,writeFileSync:et,renameSync:Ct,unlinkSync:At}=je("node:fs"),{createInterface:Nt}=je("node:readline"),{relative:Kt,join:zt}=je("node:path");var ts=Object.defineProperty,ss=x((e,t)=>ts(e,"name",{value:t,configurable:!0}),"t"),ns=Object.defineProperty,rs=ss((e,t)=>ns(e,"name",{value:t,configurable:!0}),"s"),os=Object.defineProperty,is=rs((e,t)=>os(e,"name",{value:t,configurable:!0}),"n");const Ke=is((e,t={})=>{Array.isArray(t.extensions)||(t.extensions=["js","mjs","cjs","ts"]);const s=[];for(const n of Rt(e,t))s.push(n.path);return s},"collectSync");var as=Object.defineProperty,_=x((e,t)=>as(e,"name",{value:t,configurable:!0}),"o$1");const ge=_(e=>Array.isArray(e)?e.filter(t=>typeof t=="string"):[],"toStringArray"),Oe=_((e,t)=>{for(const s of t)if(s===e||s.endsWith("*")&&e.startsWith(s.slice(0,-1)))return!0;return!1},"matchesGlobList"),it=_(e=>{const t=H(e,"pnpm-workspace.yaml");if(!K(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const s=Ee(t);return{excludedPackages:[],ignoredAdvisories:[...ge(s?.auditConfig?.ignoreCves),...ge(s?.auditConfig?.ignoreGhsas)]}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readPnpmAuditExclusions"),at=_(e=>{const t=H(e,".yarnrc.yml");if(!K(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const s=Ee(t);return{excludedPackages:ge(s?.npmAuditExcludePackages),ignoredAdvisories:ge(s?.npmAuditIgnoreAdvisories)}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readYarnAuditExclusions"),cs=_((e,t)=>{switch(t){case"pnpm":return it(e);case"yarn":return at(e);default:return{excludedPackages:[],ignoredAdvisories:[]}}},"readNativeAuditExclusions"),te=_((e,t,s)=>{if(Oe(e,t.ignoredAdvisories))return!0;if(s){for(const n of s)if(Oe(n,t.ignoredAdvisories))return!0}return!1},"isAdvisoryExcluded"),ls=_((e,t)=>Oe(e,t.excludedPackages),"isPackageExcluded"),ps=_((e,t,s)=>{if(s.length===0)return["No advisory IDs to sync."];const n=[];switch(e){case"bun":{n.push(`bun has no audit config file. Use CLI flags: bun audit ${s.map(r=>`--ignore ${r}`).join(" ")}`);break}case"npm":{n.push("npm has no native audit exclusion config. vis accepted risks are the only layer.");break}case"pnpm":{const r=H(t,"pnpm-workspace.yaml");if(!K(r)){n.push("pnpm-workspace.yaml not found. Cannot sync.");break}const i=it(t),o=new Set(i.ignoredAdvisories.filter($=>$.startsWith("CVE-"))),a=new Set(i.ignoredAdvisories.filter($=>$.startsWith("GHSA-"))),p=s.filter($=>$.startsWith("CVE-")),d=s.filter($=>$.startsWith("GHSA-")),u=[...new Set([...o,...p])],k=[...new Set([...a,...d])],m=p.filter($=>!o.has($)).length,b=d.filter($=>!a.has($)).length;if(m===0&&b===0){n.push("All advisory IDs already present in pnpm-workspace.yaml.");break}let h=ne(r);if(u.length>0){const $=`  ignoreCves:
-${u.map(w=>`    - ${w}`).join(`
-`)}
-`;/auditConfig:/.test(h)?h=/ignoreCves:/.test(h)?h.replace(/ignoreCves:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,$):h.replace(/auditConfig:\s*\n/,`auditConfig:
-${$}`):h=`${h.trimEnd()}
+var Fe=Object.defineProperty;var $=(e,o)=>Fe(e,"name",{value:o,configurable:!0});import{createRequire as Ae}from"node:module";import{M as g,i as S,$ as M}from"../packem_shared/readFileSync-CGmzMUF2-D6rUjGDn.js";import{aV as pe,aW as Z,aX as Ne,aY as Me,aZ as Q,a_ as Be,a$ as He,aO as De,a8 as We,aN as Le,b0 as he,b1 as me,b2 as ke}from"./bin.js";import{b as ye}from"./config.js";import{NATIVE_BINDING_VERSION as ie,allKnownTags as qe,tagsFromPath as Ge,tagsFromPaths as Je,parseShebang as Ke}from"#native";const _e=Ae(import.meta.url),I=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,V=$(e=>{if(typeof I<"u"&&I.versions&&I.versions.node){const[o,t]=I.versions.node.split(".").map(Number);if(o>22||o===22&&t>=3||o===20&&t>=16)return I.getBuiltinModule(e)}return _e(e)},"__cjs_getBuiltinModule"),{readdirSync:de,statSync:z,readFileSync:B,existsSync:H,writeFileSync:x,unlinkSync:Pe,rmSync:Te,chmodSync:Ce}=V("node:fs"),{cwd:N}=I,{createInterface:Ie}=V("node:readline"),{spawnSync:R}=V("node:child_process"),{basename:Ve}=V("node:path");var Ue=Object.defineProperty,q=$((e,o)=>Ue(e,"name",{value:o,configurable:!0}),"c$5");const ze=/^# ([^:\s]\S*)(?::\s+(.+))?$/,Ye=q(e=>{const o=[],t=e.split(`
+`);let r;for(const s of t){if(s.startsWith("#!")||s.startsWith("# Generated by")||s.startsWith("# NOTE:")||s==="set -e"||s==="")continue;const n=ze.exec(s);if(n){r&&o.push(r),r={command:"",id:n[1]??"",...n[2]?{name:n[2]}:{}};continue}r?r.command=r.command.length>0?`${r.command}
+${s}`:s:r={command:s,id:"(custom)"}}return r&&o.push(r),o},"parseStageScript"),Xe=q((e,o)=>{const t=g(e,o),r=[],s=new Set(pe);if(S(t))for(const n of de(t)){if(n.startsWith(".")||n==="_"||!s.has(n))continue;const i=g(t,n);if(!z(i).isFile())continue;const a=M(i),c=Ye(a);r.push({blocks:c,rawLineCount:a.split(`
+`).length,stage:n})}return r.sort((n,i)=>n.stage.localeCompare(i.stage)),{hooksDirectory:o,stages:r}},"listHooks"),Ze=q(e=>{const o=[];if(e.stages.length===0)return o.push(`No hooks installed in ${e.hooksDirectory}/.`),o;o.push(`Hooks in ${e.hooksDirectory}/:`);for(const t of e.stages)if(o.push("",`${t.stage} (${t.rawLineCount} lines)`),t.blocks.length===0)o.push("  (empty)");else for(const r of t.blocks){const s=r.name?`${r.id} — ${r.name}`:r.id;o.push(`  - ${s}`);const n=r.command.split(`
+`).find(i=>i.trim()!=="");if(n){const i=n.length>120?`${n.slice(0,117)}...`:n;o.push(`      ${i}`)}}return o},"formatListResult"),Qe=q((e,o)=>{const t=Xe(N(),e);for(const r of Ze(t))o.info(r)},"runList");var eo=Object.defineProperty,O=$((e,o)=>eo(e,"name",{value:o,configurable:!0}),"o$2");const ae=5;if(ie!==ae)throw new Error(`vis native binding ABI mismatch: expected ${ae}, got ${ie}. Rebuild via \`pnpm --filter @visulima/vis run build:native\` or reinstall the platform binding package.`);const $e={".releaserc":["release-config","vis-config"],".releaserc.json":["release-config","vis-config"],"aube-lock.yaml":["aube-lock","lockfile"],"aube-workspace.yaml":["aube-workspace","vis-config"],"nx.json":["nx-workspace","vis-config"],"packem.config.js":["packem-config","vis-config"],"packem.config.mjs":["packem-config","vis-config"],"packem.config.ts":["packem-config","vis-config"],"pnpm-workspace.yaml":["pnpm-workspace","vis-config"],"project.json":["nx-project","vis-config"],"turbo.json":["turbo-config","vis-config"],"vis.config.js":["vis-config"],"vis.config.ts":["vis-config"]},ve=[[".releaserc.json",["release-config","vis-config"]]],we=O(e=>{const o=new Set,t=Ve(e),r=$e[t];if(r)for(const n of r)o.add(n);const s=t.toLowerCase();for(const[n,i]of ve)if(s.endsWith(n))for(const a of i)o.add(a);return o},"classifyVis"),be=new Set([...Object.values($e).flat(),...ve.flatMap(([,e])=>e)]);let K;const xe=O(()=>(K||(K=new Set(qe())),K),"getPrekUniverse");O(e=>{const o=new Set(Ge(e)),t=we(e);return{all:new Set([...o,...t]),prek:o,vis:t}},"classify");const oo=O(e=>{const o=Je([...e]),t=new Map;for(const[r,s]of e.entries()){const n=new Set(o[r]),i=we(s),a=new Set([...n,...i]);t.set(s,{all:a,prek:n,vis:i})}return t},"classifyMany");O(e=>Ke(e),"parseShebang");const to=O(e=>xe().has(e)||be.has(e),"isKnownTag");O(e=>xe().has(e),"isPrekTag");O(e=>be.has(e),"isVisTag");const ro=O((e,o)=>{const{all:t}=e;if(o.types&&o.types.length>0){for(const r of o.types)if(!t.has(r))return!1}if(o.typesOr&&o.typesOr.length>0){let r=!1;for(const s of o.typesOr)if(t.has(s)){r=!0;break}if(!r)return!1}if(o.excludeTypes&&o.excludeTypes.length>0){for(const r of o.excludeTypes)if(t.has(r))return!1}return!0},"matchesFilter");var no=Object.defineProperty,_=$((e,o)=>no(e,"name",{value:o,configurable:!0}),"i$3");const so=_(e=>{let o=0;const{length:t}=e,r=_(()=>{for(;o<t&&/\s/.test(e[o]);)o+=1},"skipWs"),s=_(()=>{if(e[o]!=='"')throw new Error(`expected string at ${o}`);o+=1;const c=o;for(;o<t&&e[o]!=='"';)o+=e[o]==="\\"?2:1;const l=e.slice(c,o);return o+=1,JSON.parse(`"${l}"`)},"parseString"),n=_(()=>{switch(r(),e[o]){case'"':{s();break}case"[":{i();break}case"{":{a();break}default:for(;o<t&&!",}]".includes(e[o])&&!/\s/.test(e[o]);)o+=1}},"parseValue"),i=_(()=>{if(o+=1,r(),e[o]==="]"){o+=1;return}for(;o<t;)if(n(),r(),e[o]===",")o+=1,r();else if(e[o]==="]"){o+=1;return}},"parseArray"),a=_(()=>{o+=1,r();const c=new Set;if(e[o]==="}"){o+=1;return}for(;o<t;){r();const l=s();if(c.has(l))throw new Error(`Duplicate key: ${l}`);if(c.add(l),r(),e[o]!==":")throw new Error(`expected colon at ${o}`);if(o+=1,n(),r(),e[o]===",")o+=1,r();else if(e[o]==="}"){o+=1;return}}},"parseObject");r(),n()},"detectDuplicateJsonKeys"),io=_((e,o,t)=>{let r=0;for(const s of e){const n=B(g(t.root,s),"utf8");try{JSON.parse(n),so(n)}catch(i){const a=i instanceof Error?i.message:String(i);t.logger.info(`${s}: Failed to json decode (${a})`),r=1}}return r},"runCheckJson");var ao=Object.defineProperty,Ee=$((e,o)=>ao(e,"name",{value:o,configurable:!0}),"c$4");const co=Ee(e=>{const o=R("git",["rev-parse","--git-dir"],{cwd:e,encoding:"utf8"});if(o.status!==0)return!1;const t=o.stdout.trim(),r=t.startsWith("/")?t:g(e,t);return H(g(r,"MERGE_MSG"))?H(g(r,"MERGE_HEAD"))||H(g(r,"rebase-apply"))||H(g(r,"rebase-merge")):!1},"isInMerge"),fo=["<<<<<<< ","======= ",`=======\r
+`,`=======
+`,">>>>>>> "],lo=Ee((e,o,t)=>{if(!o.includes("--assume-in-merge")&&!co(t.root))return 0;let r=0;for(const s of e){const n=B(g(t.root,s),"utf8").split(`
+`);for(let i=0;i<n.length;i+=1){const a=n[i]+(i<n.length-1?`
+`:"");for(const c of fo)a.startsWith(c)&&(t.logger.info(`${s}:${i+1}: Merge conflict string ${JSON.stringify(c.trim())} found`),r=1)}}return r},"runCheckMergeConflict");var uo=Object.defineProperty,go=$((e,o)=>uo(e,"name",{value:o,configurable:!0}),"c$3");const po=go((e,o,t)=>{let r=0;for(const s of e){const n=g(t.root,s),i=B(n);if(i.length===0)continue;let a=i.length;const c=i[a-1];if(c!==10&&c!==13){x(n,Buffer.concat([i,Buffer.from([10])])),t.logger.info(`Fixing ${s}`),r=1;continue}for(;a>0&&(i[a-1]===10||i[a-1]===13);)a-=1;if(a===0){x(n,Buffer.alloc(0)),t.logger.info(`Fixing ${s}`),r=1;continue}const l=i.subarray(a);let d;l[0]===13&&l[1]===10?d=Buffer.from([13,10]):l[0]===13?d=Buffer.from([13]):d=Buffer.from([10]),!l.equals(d)&&(x(n,Buffer.concat([i.subarray(0,a),d])),t.logger.info(`Fixing ${s}`),r=1)}return r},"runEndOfFileFixer");var ho=Object.defineProperty,ce=$((e,o)=>ho(e,"name",{value:o,configurable:!0}),"h$2");const mo={cr:Buffer.from([13]),crlf:Buffer.from([13,10]),lf:Buffer.from([10])},ko=new Set(["auto","cr","crlf","lf","no"]),yo=ce((e,o,t)=>{let r="auto";for(let n=0;n<o.length;n+=1){const i=o[n];if(i==="-f"||i==="--fix"){n+=1;const a=o[n];if(a===void 0)return t.logger.error(`mixed-line-ending: ${i} requires a value (auto|no|lf|crlf|cr)`),2;r=a}else i.startsWith("--fix=")&&(r=i.slice(6))}if(!ko.has(r))return t.logger.error(`mixed-line-ending: invalid --fix value ${r}`),2;let s=0;for(const n of e){const i=g(t.root,n),a=B(i),c=[],l=ce(f=>{const p=c.find(b=>b.kind===f);p?p.count+=1:c.push({count:1,kind:f})},"bumpCount"),d=[];let u=0;for(let f=0;f<a.length;f+=1){const p=a[f];p===13&&a[f+1]===10?(d.push({content:a.subarray(u,f),ending:"crlf"}),l("crlf"),f+=1,u=f+1):p===13?(d.push({content:a.subarray(u,f),ending:"cr"}),l("cr"),u=f+1):p===10&&(d.push({content:a.subarray(u,f),ending:"lf"}),l("lf"),u=f+1)}u<a.length&&d.push({content:a.subarray(u),ending:null});const m=c.length>1;if(r==="no"){m&&(t.logger.info(`${n}: mixed line endings`),s=1);continue}let k;if(r==="auto"){if(!m)continue;let f;for(const p of c)(!f||p.count>f.count)&&(f=p);k=f?.kind}else if(k=r,!c.some(f=>f.kind!==k&&f.count>0))continue;const w=mo[k],h=[];for(const f of d)h.push(f.content),f.ending!==null&&h.push(w);x(i,Buffer.concat(h)),t.logger.info(`${n}: fixed mixed line endings`),s=1}return s},"runMixedLineEnding");var $o=Object.defineProperty,vo=$((e,o)=>$o(e,"name",{value:o,configurable:!0}),"g$3");const fe=new Set([9,11,12,13,32]),wo=/\.(?:md|markdown|mdown|mdx)$/i,bo=vo((e,o,t)=>{let r=0;for(const s of e){const n=wo.test(s),i=g(t.root,s),a=B(i),c=[];let l=0;for(;l<=a.length;){let u=l;for(;u<a.length&&a[u]!==10;)u+=1;const m=u<a.length&&a[u]===10;let k=u,w=!1;m&&u>l&&a[u-1]===13&&(w=!0,k=u-1);const h=a.subarray(l,k);let f=h.length;for(;f>0&&fe.has(h[f-1]);)f-=1;const p=h.some(b=>!fe.has(b));if(n&&h.length>=2&&h[h.length-1]===32&&h[h.length-2]===32&&p&&(f=Math.min(f+2,h.length)),c.push(h.subarray(0,f)),w&&c.push(Buffer.from([13])),m&&c.push(Buffer.from([10])),!m)break;l=u+1}const d=Buffer.concat(c);d.equals(a)||(x(i,d),t.logger.info(`Fixing ${s}`),r=1)}return r},"runTrailingWhitespace");var xo=Object.defineProperty,Se=$((e,o)=>xo(e,"name",{value:o,configurable:!0}),"t");const ee={"check-json":io,"check-merge-conflict":lo,"end-of-file-fixer":po,"mixed-line-ending":yo,"trailing-whitespace":bo},Eo=Object.keys(ee).sort();Se(e=>Object.hasOwn(ee,e),"isBuiltin");const So=Se(e=>ee[e],"getBuiltin");var Ro=Object.defineProperty,j=$((e,o)=>Ro(e,"name",{value:o,configurable:!0}),"r");const F="config.json",W=1,Oo=new Set(["alwaysRun","args","builtin","entry","exclude","excludeTypes","fail","files","id","name","passFilenames","types","typesOr","verbose"]),jo=new Set(["failFast","stages","version"]),Fo=["args","exclude","excludeTypes","files","passFilenames","types","typesOr"],Re=j((e,o)=>g(e,o,F),"configPath"),Y=j(e=>e!==null&&typeof e=="object"&&!Array.isArray(e),"isStringRecord"),D=j(e=>{if(!Array.isArray(e))return;const o=[];for(const t of e){if(typeof t!="string")return;o.push(t)}return o},"asStringArray"),L=j(e=>typeof e=="boolean"?e:void 0,"asBoolean"),C=j(e=>typeof e=="string"&&e.length>0?e:void 0,"asNonEmptyString"),Ao=j((e,o,t)=>{if(!Y(e))throw new TypeError("hook entry must be an object");if(typeof e.id!="string"||e.id.length===0)throw new TypeError("hook entry is missing `id`");const r={id:e.id},s=L(e.alwaysRun);s!==void 0&&(r.alwaysRun=s);const n=D(e.args);n&&(r.args=n);const i=C(e.builtin);i&&(r.builtin=i);const a=C(e.entry);a&&(r.entry=a);const c=C(e.exclude);c&&(r.exclude=c);const l=D(e.excludeTypes);l&&(r.excludeTypes=l);const d=C(e.fail);d&&(r.fail=d);const u=C(e.files);u&&(r.files=u);const m=C(e.name);m&&(r.name=m);const k=L(e.passFilenames);k!==void 0&&(r.passFilenames=k);const w=D(e.types);w&&(r.types=w);const h=D(e.typesOr);h&&(r.typesOr=h);const f=L(e.verbose);if(f!==void 0&&(r.verbose=f),[r.builtin,r.entry,r.fail].filter(p=>p!==void 0).length!==1)throw new TypeError(`hook "${r.id}" must set exactly one of \`builtin\`, \`entry\`, \`fail\``);if(r.fail!==void 0){const p=Fo.filter(b=>r[b]!==void 0);if(p.length>0)throw new TypeError(`hook "${r.id}" is a \`fail\` entry — remove ${p.join(", ")} (filters do not apply)`)}for(const p of Object.keys(e))Oo.has(p)||o.push({hookId:r.id,message:`unknown field "${p}" ignored`,stage:t});return r},"parseEntry"),_o=j((e,o)=>{if(!Y(e))throw new TypeError("hook config must be an object");if(e.version!==W)throw new TypeError(`unsupported hook config version: expected ${W}, got ${String(e.version)}`);if(!Y(e.stages))throw new TypeError("hook config is missing `stages` map");const t={};for(const[n,i]of Object.entries(e.stages)){if(!Array.isArray(i))throw new TypeError(`hook config: stage "${n}" must be an array`);t[n]=i.map(a=>Ao(a,o,n))}const r={stages:t,version:W},s=L(e.failFast);s!==void 0&&(r.failFast=s);for(const n of Object.keys(e))jo.has(n)||o.push({message:`unknown top-level field "${n}" ignored`});return r},"parseConfig"),Oe=j((e,o=Z,t)=>{const r=Re(e,o);if(!S(r))return;const s=M(r);let n;try{n=JSON.parse(s)}catch(i){const a=i instanceof Error?i.message:String(i);throw new TypeError(`failed to parse ${r}: ${a}`,{cause:i})}return _o(n,t??[])},"loadHookConfig"),Po=j((e,o,t)=>{const r=Re(e,o);x(r,`${JSON.stringify(t,void 0,4)}
+`,"utf8")},"writeHookConfig");var To=Object.defineProperty,v=$((e,o)=>To(e,"name",{value:o,configurable:!0}),"d");const Co=new Map([["pre-commit/pre-commit-hooks#check-json","check-json"],["pre-commit/pre-commit-hooks#check-merge-conflict","check-merge-conflict"],["pre-commit/pre-commit-hooks#end-of-file-fixer","end-of-file-fixer"],["pre-commit/pre-commit-hooks#mixed-line-ending","mixed-line-ending"],["pre-commit/pre-commit-hooks#trailing-whitespace","trailing-whitespace"]]),Io=/[<>=!~]=/,No=/github\.com[/:]([^/\s]+\/[^/\s.]+)/i,Mo="# Generated by `vis hook migrate` from prek",Bo=v(e=>`#!/usr/bin/env sh
+${Mo}
+exec vis hook run ${e} "$@"
+`,"stageScriptBody"),oe=v(e=>{for(const o of Ne)if(S(g(e,o)))return o},"detectPrekConfig"),Ho=v(e=>Me[e]??e,"mapPrekStage"),Do=v(e=>No.exec(e)?.[1]??e,"normalizeRepoKey"),Wo=v(e=>{if(Io.test(e))return;if(e.startsWith("@")){const r=e.indexOf("@",1);if(r===-1)return{name:e,version:"latest"};const s=e.slice(r+1).trim();return{name:e.slice(0,r),version:s||"latest"}}const o=e.indexOf("@");if(o===-1)return{name:e,version:"latest"};const t=e.slice(o+1).trim();return{name:e.slice(0,o),version:t||"latest"}},"parseAdditionalDep"),Lo=v(e=>{const o=[];for(const t of[e.types,e.types_or,e.exclude_types])for(const r of t??[])to(r)||o.push(r);return o},"unknownTypes"),Vo=v((e,o)=>(e.stages&&e.stages.length>0?e.stages:o??["pre-commit"]).map(t=>Ho(t)),"resolveStages"),qo=v((e,o,t)=>{const r=e.id??"<unknown>",s=Q.has(o),n={id:r};return e.name&&(n.name=e.name),e.language==="fail"?(n.fail=e.entry??e.name??r,n):(t?n.builtin=t:e.entry&&(n.entry=e.entry),Array.isArray(e.args)&&e.args.length>0&&(n.args=[...e.args]),s||(e.files&&(n.files=e.files),e.exclude&&(n.exclude=e.exclude),e.types&&e.types.length>0&&(n.types=[...e.types]),e.types_or&&e.types_or.length>0&&(n.typesOr=[...e.types_or]),e.exclude_types&&e.exclude_types.length>0&&(n.excludeTypes=[...e.exclude_types])),(e.pass_filenames===!1||s)&&(n.passFilenames=!1),(e.always_run||s)&&(n.alwaysRun=!0),e.verbose&&(n.verbose=!0),n)},"buildHookEntry"),Go=v((e,o,t,r)=>{if(Array.isArray(e.additional_dependencies))for(const s of e.additional_dependencies){const n=Wo(s);if(!n){r.push(`"${o}": additional_dependency "${s}" uses a pip-style pin and cannot be added to package.json — install manually.`);continue}t.push({hookId:o,name:n.name,raw:s,version:n.version})}},"collectAdditionalDeps"),Jo=v(e=>{const o={},t=[],r=[],s=[],n=[];(e.files||e.exclude)&&r.push("top-level files/exclude filter dropped — apply it per hook if needed");for(const a of e.repos??[]){const c=a.repo??"<unknown>",l=c==="local",d=l?void 0:Do(c);for(const u of a.hooks??[]){const m=u.id??"<unknown>";let k;if(l){const f=u.language??"system";if(!Be.has(f)){t.push({hookId:m,reason:`language "${f}" needs an isolated toolchain — run via prek or reimplement as a system command`,repo:c});continue}if(f!=="fail"&&!u.entry){t.push({hookId:m,reason:"missing `entry`",repo:c});continue}}else if(d&&(k=Co.get(`${d}#${m}`)),!k){t.push({hookId:m,reason:`remote repo "${c}"@${a.rev??"?"} has no bundled equivalent — run via prek or replace with a system command`,repo:c});continue}Go(u,m,n,s);const w=Lo(u);w.length>0&&r.push(`hook "${m}": unsupported types ${w.join(", ")} — those entries are ignored by the dispatcher`);const h=Vo(u,e.default_stages);for(const f of h){if(f==="manual")continue;if(!He.has(f)){t.push({hookId:m,reason:`unsupported stage "${f}"`,repo:c});continue}const p=qo(u,f,k),b=o[f];b?b.push(p):o[f]=[p]}}}const i={stages:o,version:W};return e.fail_fast&&(i.failFast=!0),{additionalDeps:n,config:i,droppedFilters:r,manualSteps:s,skippedHooks:t}},"convertPrekConfig"),Ko=v(e=>{const o=De(e);if(o&&typeof o=="object")return o},"parsePrekConfig"),Uo=v(e=>{if(e.endsWith(".toml")){const t=We(e);return t&&typeof t=="object"?t:void 0}const o=M(e);return Ko(o)},"loadPrekConfig"),zo=v((e,o,t)=>{const r=g(e,"package.json"),s=[],n=[];if(!S(r)||o.length===0)return{added:s,skipped:n};const i=M(r),a=JSON.parse(i),c=a.devDependencies??{},l=a.dependencies??{};for(const u of o){if(u.name in c||u.name in l){n.push(u.name);continue}c[u.name]=u.version,s.push(u.name)}if(s.length===0)return{added:s,skipped:n};a.devDependencies=c;const d=Le(r,i,{defaultIndent:"    ",useEditorconfig:t});return x(r,`${JSON.stringify(a,void 0,d)}
+`,"utf8"),{added:s,skipped:n}},"mergeAdditionalDependencies"),Yo=v((e,o)=>{const t=g(e,o);ye(t),x(g(t,"README.md"),["# Vis hook config","","`config.json` is the single source of truth for what each stage","script runs. Auto-generated by `vis hook migrate`. Edit by hand","or re-run the migrator after updating your prek config.","",`Bundled builtins: ${Eo.join(", ")}`,""].join(`
+`),"utf8")},"writeConfigReadme"),Xo=v((e,o)=>{R("prek",["--version"],{cwd:e,encoding:"utf8"}).status===0?R("prek",["uninstall"],{cwd:e,encoding:"utf8"}).status===0?o.info("Detached prek via `prek uninstall`."):o.info("`prek uninstall` did not exit cleanly — continuing. You may need to run it manually."):o.info("prek binary not found on PATH — skipping `prek uninstall`. Run it manually if prek is installed elsewhere.")},"detachPrek"),je=v((e,o,t,r={})=>{const s=oe(e),n=r.dryRun===!0;if(!s)return{isError:!0,message:"No prek configuration found (.pre-commit-config.yaml, .pre-commit-config.yml, or prek.toml)"};t.info(`Found prek config at ${s}`);const i=g(e,s),a=M(i),c=Uo(i);if(!c)return{isError:!0,message:`Could not parse ${s}`};const{additionalDeps:l,config:d,droppedFilters:u,manualSteps:m,skippedHooks:k}=Jo(c),w=Object.keys(d.stages);if(w.length===0&&k.length===0)return{isError:!0,message:`${s} has no hooks to migrate`};if(!n){const y=R("git",["config","--local","core.hooksPath"],{cwd:e,encoding:"utf8"});if(y.status===0){const J=y.stdout?.toString().trim();J&&(J.includes(".prek")||J.includes("prek-hooks"))&&R("git",["config","--local","--unset","core.hooksPath"],{cwd:e})}const T=he(o);if(T.isError)return T;T.message&&t.info(T.message)}const h=g(e,o);n||ye(h),n?t.info(`  (would write) ${o}/${F}`):(Po(e,o,d),Yo(e,o),t.info(`  Wrote ${o}/${F}`));let f=0;for(const y of w){const T=Bo(y);n?t.info(`  (would write) ${o}/${y}`):(x(g(h,y),T,{mode:493}),t.info(`  Wrote ${o}/${y}`)),f+=1}const{added:p,skipped:b}=n?{added:l.map(y=>y.name),skipped:[]}:zo(e,l,r.useEditorconfig);if(p.length>0){const y=n?"would add":"Added";t.info(`${y} ${p.length} package${p.length===1?"":"s"} to devDependencies: ${p.join(", ")}`),n||t.info("Run your package manager's install (e.g. `pnpm install`) to pick up the new devDependencies.")}b.length>0&&t.info(`Skipped ${b.length} already-declared package${b.length===1?"":"s"}: ${b.join(", ")}`),n||Xo(e,t);const se=`${i}.bak`;if(n?t.info(`  (would remove) ${s} and back it up to ${s}.bak`):(S(se)||x(se,a,"utf8"),Pe(i),t.info(`Removed ${s} (backup at ${s}.bak)`)),k.length>0){t.warn(`Skipped ${k.length} hook${k.length===1?"":"s"} that cannot run without prek:`);for(const y of k)t.warn(`  - ${y.repo}::${y.hookId} — ${y.reason}`)}if(u.length>0){t.warn("Partial filter translations:");for(const y of u)t.warn(`  - ${y}`)}if(m.length>0){t.warn("Manual follow-up required:");for(const y of m)t.warn(`  - ${y}`)}return{isError:!1,message:`${n?"would migrate":"Migration complete:"} ${f} stage script${f===1?"":"s"} ${n?"into":"written to"} ${o}/`}},"migrateFromPrek");var Zo=Object.defineProperty,te=$((e,o)=>Zo(e,"name",{value:o,configurable:!0}),"i$2");const Qo=te(e=>{const o=[];let t=0;for(let r=0;r<e.length;r+=1)e[r]===0&&(r>t&&o.push(e.subarray(t,r).toString("utf8")),t=r+1);return t<e.length&&o.push(e.subarray(t).toString("utf8")),o},"splitNulBuffer"),U=te((e,o,t)=>{const r=R("git",[...e],{cwd:t,encoding:"buffer"});if(r.status!==0){const s=r.stderr?r.stderr.toString():"";throw new Error(`git ${o} failed${s?`: ${s.trim()}`:""}`)}return r.stdout.length===0?[]:Qo(r.stdout)},"gitListFiles"),et=te((e,o)=>{switch(e.kind){case"all":return U(["ls-files","-z"],"ls-files",o);case"range":return U(["diff","--name-only","--diff-filter=ACM","-z",e.fromRef,e.toRef],"diff --from-ref/--to-ref",o);case"staged":return U(["diff","--cached","--name-only","--diff-filter=ACM","-z"],"diff --cached",o);default:{const t=e;throw new Error(`unknown discover mode: ${JSON.stringify(t)}`)}}},"discoverFiles");var ot=Object.defineProperty,re=$((e,o)=>ot(e,"name",{value:o,configurable:!0}),"i$1");const le=re((e,o)=>{try{return new RegExp(e)}catch(t){const r=t instanceof Error?t.message:String(t);throw new Error(`invalid ${o} regex ${JSON.stringify(e)}: ${r}`,{cause:t})}},"compileRegex"),tt=re(e=>e.types&&e.types.length>0||e.typesOr&&e.typesOr.length>0||e.excludeTypes&&e.excludeTypes.length>0||!1,"hasTagFilters"),rt=re((e,o)=>{let t=e;if(o.files){const n=le(o.files,"files");t=t.filter(i=>n.test(i))}if(o.exclude){const n=le(o.exclude,"exclude");t=t.filter(i=>!n.test(i))}if(!tt(o))return[...t];const r=oo(t),s={excludeTypes:o.excludeTypes,types:o.types,typesOr:o.typesOr};return t.filter(n=>{const i=r.get(n);return i?ro(i,s):!1})},"applyHookFilter");var nt=Object.defineProperty,A=$((e,o)=>nt(e,"name",{value:o,configurable:!0}),"u$2");const st=32*1024,it=A((e,o)=>{const t=[],r=Math.max(1024,st-o);let s=[],n=0;for(const i of e){const a=Buffer.byteLength(i,"utf8")+8;n+a>r&&s.length>0&&(t.push(s),s=[],n=0),s.push(i),n+=a}return s.length>0&&t.push(s),t},"chunkFiles"),at=A(e=>({error:A(o=>{e.error(o)},"error"),info:A(o=>{e.info(o)},"info")}),"builtinLoggerFor"),ue=A((e,o,t)=>t?t.message:o?`terminated by signal ${o}`:`exited with status ${String(e)}`,"describeSpawnFailure"),ct=A((e,o,t,r,s)=>{const n=r?s.extraArgs:[];if(!t||o.length===0){const c=R("sh",["-c",e,"sh",...n],{cwd:s.root,stdio:"inherit"});return c.status===null?(s.logger.error(`hook command failed: ${ue(c.status,c.signal,c.error)}`),1):c.status}const i=Buffer.byteLength(e,"utf8")+Buffer.byteLength("sh","utf8")+Buffer.byteLength("-c","utf8")+n.reduce((c,l)=>c+Buffer.byteLength(l,"utf8")+8,0)+64;let a=0;for(const c of it(o,i)){const l=R("sh",["-c",`${e} "$@"`,"sh",...n,...c],{cwd:s.root,stdio:"inherit"});l.status===null?(s.logger.error(`hook command failed: ${ue(l.status,l.signal,l.error)}`),a|=1):a|=l.status}return a},"runShellCommand"),ft=A((e,o,t)=>{if(e.fail!==void 0)return t.logger.info(e.fail),1;const r=Q.has(t.stage);let s;try{s=rt(o,e)}catch(c){const l=c instanceof Error?c.message:String(c);return t.logger.error(`hook "${e.id}": ${l}`),2}if(s.length===0&&e.alwaysRun!==!0&&!r)return 0;const n=e.passFilenames!==!1;if(e.verbose){const c=e.name??e.id;t.logger.info(`+ ${c}`)}if(e.builtin){const c=So(e.builtin);if(!c)return t.logger.error(`unknown builtin "${e.builtin}" referenced by hook "${e.id}"`),2;const l={logger:at(t.logger),root:t.root};try{return c(s,e.args??[],l)}catch(d){const u=d instanceof Error?d.message:String(d);return t.logger.error(`builtin "${e.builtin}" crashed: ${u}`),1}}if(e.entry===void 0)return t.logger.error(`hook "${e.id}" has no \`entry\`, \`builtin\`, or \`fail\` to run`),2;const i=(e.args??[]).map(c=>`'${c.replaceAll("'",String.raw`'\''`)}'`).join(" "),a=i?`${e.entry} ${i}`:e.entry;return ct(a,s,n,r,t)},"runHookEntry"),lt=A((e,o,t,r)=>{const s=e.stages[o];if(!s||s.length===0)return 0;let n=0;for(const i of s){const a=ft(i,t,r);if(a!==0&&(n|=a,e.failFast))return n}return n},"runStage");var ut=Object.defineProperty,ne=$((e,o)=>ut(e,"name",{value:o,configurable:!0}),"s");const gt="pre-commit",dt=ne(e=>{if(e.lastCommit&&(e.fromRef||e.toRef))throw new Error("--last-commit cannot be combined with --from-ref or --to-ref");const o=e.lastCommit?"HEAD~1":e.fromRef,t=e.lastCommit?"HEAD":e.toRef;if(o&&!t||t&&!o)throw new Error("--from-ref and --to-ref must be specified together");return o&&t?{fromRef:o,kind:"range",toRef:t}:e.allFiles?{kind:"all"}:{kind:"staged"}},"resolveDiscoverMode"),pt=ne((e,o,t,r)=>{const s=t.stage??gt,n=Oe(e,o);if(!n)throw new Error(`No hook config found at ${o}/config.json. Install or migrate hooks first.`);const i=n.stages[s];if(!i||i.length===0)return r.info(`No hooks configured for stage "${s}".`),0;const a=Q.has(s)?void 0:dt(t),c=a?.kind==="all"?" (--all-files)":a?.kind==="range"?` (${a.fromRef}..${a.toRef})`:"";r.info(`Running ${s}${c}`);const l=a?et(a,e):[],d={extraArgs:t.extraArgs??[],logger:r,root:e,stage:s};return lt(n,s,l,d)},"runHookStage"),ht=ne((e,o,t)=>{const r=pt(N(),e,o,t);if(r!==0)throw new Error(`Hook stage exited with code ${r}`)},"runRun");var mt=Object.defineProperty,kt=$((e,o)=>mt(e,"name",{value:o,configurable:!0}),"e");const yt=kt((e=Z)=>{if(R("git",["config","--local","core.hooksPath"]).status!==0)return{isError:!1,message:"No custom hooks path configured"};const{status:o,stderr:t}=R("git",["config","--local","--unset","core.hooksPath"]);if(o===null)return{isError:!0,message:"git command not found"};if(o&&o!==5)return{isError:!0,message:String(t)};const r=g(e,"_");return S(r)&&Te(r,{force:!0,recursive:!0}),{isError:!1,message:""}},"uninstallHooks");var $t=Object.defineProperty,G=$((e,o)=>$t(e,"name",{value:o,configurable:!0}),"u");const vt=new Set(pe),wt=G(e=>{const o=R("sh",["-n",e],{encoding:"utf8"});if(o.status===null)return`failed to run "sh -n" (${o.error?.message??"unknown error"})`;if(o.status!==0)return o.stderr.trim()||`sh -n exited with ${o.status}`},"runSyntaxCheck"),bt=G((e,o)=>{const t=[],r=g(e,o),s=R("git",["config","--local","core.hooksPath"],{cwd:e,encoding:"utf8"});if(s.status===0){const i=s.stdout.trim(),a=`${o}/_`;i&&i!==a&&t.push({kind:"warning",message:`core.hooksPath is "${i}" — expected "${a}". Re-run \`vis hook install\` to fix.`})}else t.push({kind:"warning",message:"core.hooksPath is not set — run `vis hook install`."});if(S(g(r,"_"))||t.push({kind:"error",message:`Dispatcher directory ${o}/_ is missing. Run \`vis hook install\`.`}),!S(r))return t.push({kind:"error",message:`Hooks directory ${o}/ is missing.`}),{issues:t,ok:!1};let n=!1;for(const i of de(r)){if(i.startsWith(".")||i==="_"||i===F||i==="README.md")continue;if(!vt.has(i)){t.push({kind:"warning",message:`Unknown hook "${i}" — not a standard git hook.`,path:g(o,i)});continue}const a=g(r,i);if(!z(a).isFile())continue;n=!0;const c=z(a).mode&511;(c&64)===0&&t.push({kind:"warning",message:`Script is not owner-executable (mode ${c.toString(8)}).`,path:g(o,i)});const l=wt(a);l&&t.push({kind:"error",message:`Shell syntax error: ${l}`,path:g(o,i)})}if(n){const i=g(r,F);if(S(i))try{Oe(e,o)}catch(a){t.push({kind:"error",message:`${F} is malformed: ${a instanceof Error?a.message:String(a)}`,path:g(o,F)})}else t.push({kind:"error",message:`Stage scripts are present but ${o}/${F} is missing. Re-run \`vis hook migrate\`.`})}return{issues:t,ok:!t.some(i=>i.kind==="error")}},"validateHooks"),xt=G((e,o)=>{if(e.issues.length===0)return[`Hook directory ${o}/ looks good.`];const t=[];for(const r of e.issues){const s=r.kind==="error"?"ERROR":"WARN ",n=r.path?` (${r.path})`:"";t.push(`${s} ${r.message}${n}`)}return t.push("",e.ok?"No errors — warnings only.":`${e.issues.filter(r=>r.kind==="error").length} error(s).`),t},"formatValidationResult"),Et=G((e,o)=>{const t=bt(N(),e),r=xt(t,e);for(const s of r)s.startsWith("ERROR")||s.startsWith("WARN")?o.warn(s):o.info(s);if(!t.ok)throw new Error("Hook validation failed")},"runValidate");var St=Object.defineProperty,E=$((e,o)=>St(e,"name",{value:o,configurable:!0}),"i");const P=E(e=>e.hooksDir??Z,"resolveHooksDirectory"),ge=E(e=>new Promise(o=>{const t=Ie({input:process.stdin,output:process.stdout});t.question(`${e} (y/N) `,r=>{t.close();const s=r.trim().toLowerCase();o(s==="y"||s==="yes")})}),"confirmPrompt"),Rt=E(async(e,o,t)=>{const r=N(),s=me(r),n=oe(r);if(s&&n)throw new Error(`Found both husky (${s}/) and prek (${n}). Remove or migrate one before running \`vis hook install\`.`);if(s){if(o.info(`Existing husky installation found at ${s}/`),await ge("Would you like to migrate your husky hooks to vis?")){const a=ke(r,e,o,{useEditorconfig:t});if(a.isError)throw new Error(a.message);a.message&&o.info(a.message);return}o.info("Aborting install. Remove husky first or run 'vis hook migrate' to migrate.");return}if(n){if(o.info(`Existing prek configuration found at ${n}`),await ge("Would you like to migrate your prek hooks to vis?")){const a=je(r,e,o,{useEditorconfig:t});if(a.isError)throw new Error(a.message);a.message&&o.info(a.message);return}o.info("Aborting install. Remove the prek config first or run 'vis hook migrate' to migrate.");return}o.info(`Installing git hooks in ${e}/...`);const i=he(e);if(i.message){if(i.isError)throw new Error(i.message);o.info(i.message);return}S(g(r,e,"pre-commit"))||x(g(r,e,"pre-commit"),`#!/usr/bin/env sh
+`,{mode:493}),o.info("Git hooks installed successfully.")},"executeInstall"),Ot=E((e,o,t,r)=>{const s=N(),n=me(s),i=oe(s);if(n&&i)throw new Error(`Found both husky (${n}/) and prek (${i}). Migrate one at a time — rename or remove one before retrying.`);if(!n&&!i)throw new Error("No husky (.husky/) or prek (.pre-commit-config.yaml / prek.toml) configuration found to migrate.");o&&t.info("(dry-run) no files will be written");const a=n?ke(s,e,t,{dryRun:o,useEditorconfig:r}):je(s,e,t,{dryRun:o,useEditorconfig:r});if(a.isError)throw new Error(a.message);a.message&&t.info(a.message)},"executeMigrate"),X="# vis:secrets-hook",jt=`#!/usr/bin/env sh
+${X}
+# Scan staged files for secrets before each commit. Remove this block or the whole file to disable.
+pnpm exec vis secrets --staged --quiet || exit 1
+`,Ft=E((e,o,t)=>{if(e!=="secrets")throw new Error(`Unknown hook add target "${String(e)}". Currently supported: "secrets".`);const r=N(),s=g(r,o,"pre-commit");if(!S(g(r,o)))throw new Error(`Hooks directory ${o}/ does not exist. Run \`vis hook install\` first.`);if(S(s)){const n=M(s);if(n.includes(X)){t.info(`Secrets hook already present in ${s}.`);return}if(/\bvis secrets\b/.test(n)){t.warn(`Found a \`vis secrets\` invocation in ${s} without the managed marker — leaving it untouched.`);return}const i=`${n.trimEnd()}
 
-auditConfig:
-${$}`,m>0&&n.push(`Added ${String(m)} new CVE${m===1?"":"s"} to pnpm-workspace.yaml (${String(u.length)} total)`)}if(k.length>0){const $=`  ignoreGhsas:
-${k.map(w=>`    - ${w}`).join(`
-`)}
-`;/auditConfig:/.test(h)&&(h=/ignoreGhsas:/.test(h)?h.replace(/ignoreGhsas:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,$):h.replace(/(auditConfig:[\s\S]*?)(\n\S|\n?$)/m,`$1${$}$2`)),b>0&&n.push(`Added ${String(b)} new GHSA${b===1?"":"s"} to pnpm-workspace.yaml (${String(k.length)} total)`)}Ge(r,h);break}case"yarn":{const r=H(t,".yarnrc.yml");if(!K(r)){n.push(".yarnrc.yml not found. Cannot sync.");break}const i=at(t),o=new Set(i.ignoredAdvisories),a=[...new Set([...o,...s])],p=s.filter(k=>!o.has(k)).length;if(p===0){n.push("All advisory IDs already present in .yarnrc.yml.");break}let d=ne(r);const u=`npmAuditIgnoreAdvisories:
-${a.map(k=>`  - "${k}"`).join(`
-`)}
-`;d=/npmAuditIgnoreAdvisories:/.test(d)?d.replace(/npmAuditIgnoreAdvisories:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,u):`${d.trimEnd()}
-
-${u}`,Ge(r,d),n.push(`Synced ${String(p)} advisor${p===1?"y":"ies"} to .yarnrc.yml (${String(a.length)} total)`);break}default:n.push(`Unknown package manager: ${e}`)}return n},"syncAcceptedRisksToNativeConfig");var ds=Object.defineProperty,z=x((e,t)=>ds(e,"name",{value:t,configurable:!0}),"p$2");const us=["CRITICAL","HIGH","MODERATE","LOW","UNKNOWN"],C=z(e=>e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;"),"escapeHtml"),fs=z(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),gs=z((e,t)=>{if(t.length===0)return{kind:"unknown",label:"no fix"};const s=U.coerce(e);if(!s)return{kind:"unknown",label:"non-semver"};let n,r;for(const i of t){const o=U.coerce(i);if(!o)continue;const a=U.diff(s,o);a==="major"||a==="premajor"?n||(n=i):a&&!r&&(r=i)}return r?{kind:"minor-patch",label:`safe to ${r}`}:n?{kind:"major",label:`requires major bump to ${n}`}:{kind:"unknown",label:"no usable fix"}},"breakingMarker"),ze={CRITICAL:0,HIGH:1,LOW:3,MODERATE:2,UNKNOWN:4},ms=z(e=>{const{acknowledged:t,packageName:s,packageVersion:n,remediation:r,vulnerability:i}=e,{severity:o}=i,a=gs(n,i.fixedVersions),p=i.fixedVersions.length>0?i.fixedVersions.join(", "):"—",d=r?`<code class="copyable" data-cmd="${C(r)}">${C(r)}</code>`:'<span class="muted">advisory only</span>';return`<tr data-severity="${o}" data-package="${C(s)}" data-advisory="${C(i.id)}">
-  <td><span class="badge badge-${o.toLowerCase()}">${o}</span></td>
-  <td><span class="marker marker-${a.kind}" title="${C(a.label)}"></span></td>
-  <td><code>${C(s)}</code></td>
-  <td><code>${C(n)}</code></td>
-  <td><a href="${C(fs(i.id))}" rel="noreferrer noopener" target="_blank">${C(i.id)}</a>${t?' <span class="ack">[acknowledged]</span>':""}</td>
-  <td>${C(i.summary)}</td>
-  <td><code>${C(p)}</code></td>
-  <td>${d}</td>
-</tr>`},"renderRow"),vs=z(e=>{const t=e.now??new Date,s=[...e.findings].sort((d,u)=>{const k=ze[d.vulnerability.severity??"UNKNOWN"]??4,m=ze[u.vulnerability.severity??"UNKNOWN"]??4;return k!==m?k-m:d.packageName.localeCompare(u.packageName)||d.packageVersion.localeCompare(u.packageVersion)}),n={CRITICAL:0,HIGH:0,LOW:0,MODERATE:0,UNKNOWN:0};for(const d of s)n[d.vulnerability.severity??"UNKNOWN"]+=1;const r=s.map(d=>ms(d)).join(`
-`),i=us.filter(d=>n[d]>0).map(d=>`<span class="badge badge-${d.toLowerCase()}">${n[d]} ${d}</span>`).join(" "),o=s.length===0,a=(e.policyDecisions??[]).filter(d=>d.policy!=="vulnerability"),p=[...a].sort((d,u)=>{const k=z(m=>m==="block"?0:m==="warn"?1:2,"rank");return k(d.severity)-k(u.severity)||d.policy.localeCompare(u.policy)||d.packageName.localeCompare(u.packageName)}).map(d=>{const u=d.acceptedRisk?' <span class="ack">[acknowledged]</span>':"";return`<tr>
-  <td><span class="policy-badge policy-${d.severity}">${d.severity.toUpperCase()}</span></td>
-  <td><code>${C(d.policy)}</code></td>
-  <td><code>${C(d.packageName)}</code></td>
-  <td><code>${C(d.version)}</code></td>
-  <td>${C(d.reason)}${u}</td>
-</tr>`}).join(`
-`);return`<!doctype html>
-<html lang="en">
-<head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<title>vis audit · ${C(t.toISOString().slice(0,10))}</title>
-<style>
-:root {
-  --bg: #0e1116;
-  --fg: #d6dde6;
-  --muted: #8b95a1;
-  --border: #20262e;
-  --row-hover: #161b22;
-  --critical: #ff4757;
-  --high: #ff8c42;
-  --medium: #fbbf24;
-  --low: #38bdf8;
-  --unknown: #6b7280;
-  --major: #ff4757;
-  --minor: #22c55e;
-}
-@media (prefers-color-scheme: light) {
-  :root {
-    --bg: #ffffff;
-    --fg: #1f2328;
-    --muted: #57606a;
-    --border: #d0d7de;
-    --row-hover: #f6f8fa;
-  }
-}
-* { box-sizing: border-box; }
-body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background: var(--bg); color: var(--fg); margin: 0; padding: 24px; }
-h1 { font-size: 22px; margin: 0 0 8px; }
-.meta { color: var(--muted); font-size: 13px; margin-bottom: 16px; }
-.summary { display: flex; flex-wrap: wrap; gap: 8px; margin-bottom: 20px; }
-.controls { display: flex; gap: 12px; align-items: center; margin-bottom: 12px; }
-.controls input { background: var(--bg); color: var(--fg); border: 1px solid var(--border); padding: 6px 10px; border-radius: 6px; font-size: 13px; min-width: 240px; }
-.controls select { background: var(--bg); color: var(--fg); border: 1px solid var(--border); padding: 6px 10px; border-radius: 6px; font-size: 13px; }
-table { width: 100%; border-collapse: collapse; font-size: 13px; }
-th, td { padding: 8px 10px; border-bottom: 1px solid var(--border); text-align: left; vertical-align: top; }
-th { font-weight: 600; color: var(--muted); cursor: pointer; user-select: none; }
-th:hover { color: var(--fg); }
-tr:hover td { background: var(--row-hover); }
-code { font-family: ui-monospace, "SF Mono", Menlo, monospace; font-size: 12px; }
-code.copyable { cursor: pointer; padding: 2px 4px; border-radius: 4px; }
-code.copyable:hover { background: var(--row-hover); }
-a { color: var(--low); text-decoration: none; }
-a:hover { text-decoration: underline; }
-.muted { color: var(--muted); }
-.ack { color: var(--muted); font-style: italic; font-size: 12px; }
-.badge { display: inline-block; padding: 2px 8px; border-radius: 12px; font-size: 11px; font-weight: 600; text-transform: uppercase; }
-.badge-critical { background: rgba(255, 71, 87, 0.2); color: var(--critical); }
-.badge-high { background: rgba(255, 140, 66, 0.2); color: var(--high); }
-.badge-moderate { background: rgba(251, 191, 36, 0.2); color: var(--medium); }
-.badge-low { background: rgba(56, 189, 248, 0.2); color: var(--low); }
-.badge-unknown { background: rgba(107, 114, 128, 0.2); color: var(--unknown); }
-.marker { display: inline-block; width: 10px; height: 10px; border-radius: 50%; vertical-align: middle; }
-.marker-major { background: var(--major); }
-.marker-minor-patch { background: var(--minor); }
-.marker-unknown { background: var(--unknown); }
-.clean { padding: 32px; text-align: center; color: var(--muted); font-size: 14px; border: 1px dashed var(--border); border-radius: 8px; }
-h2 { font-size: 16px; margin: 24px 0 12px; }
-.policy-badge { display: inline-block; padding: 2px 8px; border-radius: 12px; font-size: 11px; font-weight: 600; }
-.policy-block { background: rgba(255, 71, 87, 0.2); color: var(--critical); }
-.policy-warn { background: rgba(251, 191, 36, 0.2); color: var(--medium); }
-.policy-info { background: rgba(107, 114, 128, 0.2); color: var(--unknown); }
-</style>
-</head>
-<body>
-<h1>vis audit</h1>
-<div class="meta">${C(e.tool.name)} ${C(e.tool.version)} · ${C(t.toISOString())} · ${e.packagesScanned} packages scanned · ${s.length} findings</div>
-<div class="summary">${i||'<span class="badge badge-low">CLEAN</span>'}</div>
-${o?'<div class="clean">No security issues found.</div>':`
-<div class="controls">
-  <input id="filter" type="search" placeholder="Filter by package or advisory…" aria-label="Filter findings" />
-  <select id="severity" aria-label="Filter by severity">
-    <option value="">All severities</option>
-    <option value="CRITICAL">Critical only</option>
-    <option value="HIGH">High and above</option>
-    <option value="MODERATE">Moderate and above</option>
-    <option value="LOW">Low and above</option>
-  </select>
-</div>
-<table id="findings">
-<thead>
-<tr>
-  <th data-sort="severity">Severity</th>
-  <th title="Green = safe upgrade · Red = requires major bump">Δ</th>
-  <th data-sort="package">Package</th>
-  <th>Version</th>
-  <th>Advisory</th>
-  <th>Summary</th>
-  <th>Fix</th>
-  <th>Remediation</th>
-</tr>
-</thead>
-<tbody>
-${r}
-</tbody>
-</table>`}
-${a.length>0?`
-<h2>Policy Decisions (${a.length})</h2>
-<table id="policies">
-<thead>
-<tr>
-  <th>Severity</th>
-  <th>Policy</th>
-  <th>Package</th>
-  <th>Version</th>
-  <th>Reason</th>
-</tr>
-</thead>
-<tbody>
-${p}
-</tbody>
-</table>`:""}
-<script>
-(() => {
-  const rank = { CRITICAL: 0, HIGH: 1, MODERATE: 2, LOW: 3, UNKNOWN: 4 };
-  const filter = document.getElementById('filter');
-  const severity = document.getElementById('severity');
-  const rows = Array.from(document.querySelectorAll('#findings tbody tr'));
-
-  const apply = () => {
-    const q = (filter?.value ?? '').toLowerCase().trim();
-    const minSev = severity?.value ?? '';
-    const sevCap = minSev ? rank[minSev] ?? 4 : 4;
-    for (const row of rows) {
-      const pkg = row.getAttribute('data-package') ?? '';
-      const adv = row.getAttribute('data-advisory') ?? '';
-      const sev = row.getAttribute('data-severity') ?? 'UNKNOWN';
-      const queryHit = !q || pkg.toLowerCase().includes(q) || adv.toLowerCase().includes(q);
-      const sevHit = !minSev || (rank[sev] ?? 4) <= sevCap;
-      row.style.display = queryHit && sevHit ? '' : 'none';
-    }
-  };
-
-  filter?.addEventListener('input', apply);
-  severity?.addEventListener('change', apply);
-
-  // Click-to-copy on remediation cells.
-  document.addEventListener('click', (event) => {
-    const target = event.target;
-    if (!(target instanceof HTMLElement) || !target.classList.contains('copyable')) return;
-    const cmd = target.getAttribute('data-cmd') ?? target.textContent ?? '';
-    navigator.clipboard?.writeText(cmd).then(() => {
-      const orig = target.textContent;
-      target.textContent = '✓ copied';
-      setTimeout(() => { target.textContent = orig; }, 900);
-    }).catch(() => {});
-  });
-})();
-<\/script>
-</body>
-</html>
-`},"emitAuditHtml");var ys=Object.defineProperty,me=x((e,t)=>ys(e,"name",{value:t,configurable:!0}),"u$1");const hs={CRITICAL:"CRITICAL",HIGH:"HIGH",LOW:"LOW",MODERATE:"MEDIUM",UNKNOWN:"NONE"},ks={CRITICAL:9.5,HIGH:8,LOW:2.5,MODERATE:5.5,UNKNOWN:0},xe=me((e,t)=>`pkg:npm/${e}@${t}`,"productId"),$s=me(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),Be=me((e,t)=>{const s=new Map;for(const n of e){const r=t(n),i=s.get(r);i?i.push(n):s.set(r,[n])}return s},"groupBy"),bs=me(e=>{const t=e.now??new Date,s=t.toISOString(),n=e.trackingId??`vis-audit-${t.toISOString().slice(0,10)}`,r=[...Be(e.findings,o=>o.packageName).entries()].sort(([o],[a])=>o.localeCompare(a)).map(([o,a])=>({branches:[...new Set(a.map(p=>p.packageVersion))].sort().map(p=>{const d=xe(o,p);return{category:"product_version",name:p,product:{name:`${o}@${p}`,product_id:d,product_identification_helper:{purl:d}}}}),category:"product_name",name:o})),i=[...Be(e.findings,o=>o.vulnerability.id).entries()].sort(([o],[a])=>o.localeCompare(a)).map(([o,a])=>{const p=a[0].vulnerability,d=[...new Set(a.map(w=>xe(w.packageName,w.packageVersion)))].sort(),u=o.startsWith("CVE-"),k=[o,...p.aliases??[]],m=u?o:k.find(w=>w.startsWith("CVE-")),b=k.filter(w=>w!==m).map(w=>({system_name:w.startsWith("GHSA-")?"GitHub Security Advisory":"OSV",text:w})),h=typeof p.cvssScore=="number"&&Number.isFinite(p.cvssScore)?p.cvssScore:ks[p.severity]??0,$=a.filter(w=>w.acknowledged).map(w=>xe(w.packageName,w.packageVersion));return{...m?{cve:m}:{},...b.length>0?{ids:b}:{},notes:[{category:"description",text:p.summary||`Advisory ${o}`,title:"Advisory description"}],product_status:{known_affected:d},references:[{category:"external",summary:`${o} advisory record`,url:$s(o)}],scores:[{cvss_v3:{baseScore:h,baseSeverity:hs[p.severity]??"NONE",vectorString:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",version:"3.1"},products:d}],title:p.summary.split(`
-`)[0]?.slice(0,200)||o,...$.length>0?{flags:[{label:"inline_mitigations_already_exist",product_ids:$}]}:{}}});return{document:{category:"csaf_vex",csaf_version:"2.0",distribution:{tlp:{label:"WHITE"}},publisher:{category:"vendor",name:e.tool.name,namespace:e.tool.informationUri},title:`vis audit · ${n}`,tracking:{current_release_date:s,id:n,initial_release_date:s,revision_history:[{date:s,number:"1",summary:"Initial audit emission"}],status:"final",version:"1"}},...r.length>0?{product_tree:{branches:r}}:{},...i.length>0?{vulnerabilities:i}:{}}},"emitCsaf");var ws=Object.defineProperty,oe=x((e,t)=>ws(e,"name",{value:t,configurable:!0}),"c$3");const Ss={CRITICAL:"critical",HIGH:"high",LOW:"low",MODERATE:"medium",UNKNOWN:"unknown"},xs={CRITICAL:9.5,HIGH:8,LOW:2.5,MODERATE:5.5,UNKNOWN:0},Ce=oe(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),Ae=oe(e=>e.startsWith("CVE-")?"NVD":e.startsWith("GHSA-")?"GitHub Advisory Database":"OSV","advisorySourceName"),Je=oe((e,t)=>{const s=new Map;for(const n of e){const r=t(n),i=s.get(r);i?i.push(n):s.set(r,[n])}return s},"groupBy"),Cs=oe((e,t=new Date)=>{const s=Je(e,r=>r.vulnerability.id),n=t.toISOString();return[...s.entries()].sort(([r],[i])=>r.localeCompare(i)).map(([r,i])=>{const o=i[0].vulnerability,a=Ss[o.severity]??"unknown",p=typeof o.cvssScore=="number"&&Number.isFinite(o.cvssScore)?o.cvssScore:xs[o.severity]??0,d=[...Je(i,h=>h.packageName).entries()].sort(([h],[$])=>h.localeCompare($)).map(([h,$])=>{const w=[...new Set($.map(D=>D.packageVersion))].sort();return{ref:_t(h,w[0]),versions:w.map(D=>({status:"affected",version:D}))}}),u=(o.aliases??[]).filter(h=>h!==r).map(h=>({id:h,source:{name:Ae(h),url:Ce(h)}})),k=i.some(h=>h.acknowledged),m=i.every(h=>h.acknowledged)?{justification:"code_not_reachable",response:["will_not_fix"],state:"not_affected"}:k?{state:"in_triage"}:void 0,b=o.fixedVersions??[];return{"bom-ref":`vuln:${r}`,id:r,source:{name:Ae(r),url:Ce(r)},...u.length>0?{references:u}:{},description:o.summary||`Advisory ${r}`,ratings:[{method:"CVSSv31",score:p,severity:a,source:{name:Ae(r),url:Ce(r)}}],...b.length>0?{recommendation:`Upgrade to one of: ${b.join(", ")}`}:{},affects:d,created:n,published:n,...m?{analysis:m}:{}}})},"buildCycloneDxVulnerabilities"),As=oe(e=>{const t=Cs(e.findings,e.now);return{...e.bom,vulnerabilities:t}},"emitCycloneDxVex");var Ns=Object.defineProperty,We=x((e,t)=>Ns(e,"name",{value:t,configurable:!0}),"a$1");const Rs={CRITICAL:"error",HIGH:"error",LOW:"note",MODERATE:"warning",UNKNOWN:"none"},Os={CRITICAL:"9.5",HIGH:"8.0",LOW:"2.5",MODERATE:"5.5",UNKNOWN:"0.0"},Ps={CRITICAL:"critical",HIGH:"high",LOW:"low",MODERATE:"medium",UNKNOWN:"none"},Ls=We(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),js=We(e=>typeof e.cvssScore=="number"&&Number.isFinite(e.cvssScore)?e.cvssScore.toFixed(1):Os[e.severity]??"0.0","securitySeverity"),Es=We(e=>{const t=new Map,s=[],n=e.artifactUri??(Kt(e.workspaceRoot,zt(e.workspaceRoot,"package.json"))||"package.json");for(const o of e.findings){const{acknowledged:a,packageName:p,packageVersion:d,vulnerability:u}=o,k=Rs[u.severity]??"none",m=Ps[u.severity]??"none";t.has(u.id)||t.set(u.id,{defaultConfiguration:{level:k},fullDescription:{text:u.summary||`Advisory ${u.id}`},helpUri:Ls(u.id),id:u.id,name:u.id,properties:{precision:"very-high","security-severity":js(u),"severity-label":m,tags:["security","vulnerability","supply-chain",`severity:${m}`]},shortDescription:{text:(u.summary.split(`
-`)[0]??u.id).slice(0,200)}}),s.push({level:k,locations:[{logicalLocations:[{kind:"package",name:`${p}@${d}`}],physicalLocation:{artifactLocation:{uri:n}}}],message:{text:`${u.id}: ${p}@${d} — ${u.summary||"no summary"}${u.fixedVersions.length>0?` (fix: ${u.fixedVersions.join(", ")})`:""}`},partialFingerprints:{advisoryId:u.id,package:p,version:d},properties:{...a?{acknowledged:!0}:{},...u.aliases&&u.aliases.length>0?{aliases:u.aliases}:{},...typeof u.cvssScore=="number"?{cvssScore:u.cvssScore}:{},...u.fixedVersions.length>0?{fixedVersions:u.fixedVersions}:{},packageName:p,packageVersion:d,severityLabel:m},ruleId:u.id})}const r={block:"error",info:"note",warn:"warning"},i={block:"high",info:"none",warn:"medium"};for(const o of e.policyDecisions??[]){if(o.policy==="vulnerability")continue;const a=`vis.policy.${o.policy}`,p=r[o.severity],d=i[o.severity];t.has(a)||t.set(a,{defaultConfiguration:{level:p},fullDescription:{text:`vis policy '${o.policy}' (Socket.dev-style supply-chain gate)`},helpUri:`https://visulima.com/packages/vis/commands/audit#policy-${o.policy}`,id:a,name:a,properties:{precision:"high","security-severity":o.severity==="block"?"8.0":o.severity==="warn"?"5.5":"0.0","severity-label":d,tags:["security","supply-chain","policy",`policy:${o.policy}`]},shortDescription:{text:`vis policy: ${o.policy}`}}),s.push({level:p,locations:[{logicalLocations:[{kind:"package",name:`${o.packageName}@${o.version}`}],physicalLocation:{artifactLocation:{uri:n}}}],message:{text:o.reason},partialFingerprints:{package:o.packageName,policy:o.policy,version:o.version},properties:{...o.acceptedRisk?{acknowledged:!0}:{},packageName:o.packageName,packageVersion:o.version,severityLabel:d},ruleId:a})}return{$schema:"https://json.schemastore.org/sarif-2.1.0.json",runs:[{results:s,tool:{driver:{informationUri:e.tool.informationUri,name:e.tool.name,rules:[...t.values()],version:e.tool.version}}}],version:"2.1.0"}},"emitSarif");var Is=Object.defineProperty,B=x((e,t)=>Is(e,"name",{value:t,configurable:!0}),"c$2");const Ds=["dependencies","devDependencies","optionalDependencies","peerDependencies"],Ye=B(e=>{try{return{path:e,pkg:nt(e)}}catch{return}},"readPackageJsonSafe"),Ws=B(e=>{const t=[],s=Ye(H(e,"package.json"));s&&t.push({path:s.path,pkg:s.pkg,workspaceName:s.pkg.name});const n=Ot(e);let r;if(n?r=n:s?.pkg.workspaces&&(Array.isArray(s.pkg.workspaces)?r=s.pkg.workspaces:s.pkg.workspaces.packages&&(r=s.pkg.workspaces.packages)),!r)return t;for(const i of Pt(e,r)){const o=Ye(H(e,i,"package.json"));o&&t.push({path:o.path,pkg:o.pkg,workspaceName:o.pkg.name})}return t},"collectWorkspaceManifests"),Ms=B((e,t)=>{const s=[];for(const n of e)for(const r of Ds){const i=n.pkg[r]?.[t];typeof i=="string"&&s.push({field:r,manifest:n,range:i})}return s},"findDeclarations"),ct=B(e=>{const t=Ws(e.workspaceRoot),s=[],n=[],r=[],i=new Set;for(const o of e.findings){const a=o.vulnerability.fixedVersions[0];if(!a){r.push({packageName:o.packageName,reason:"no-fixed-version"});continue}const p=Ms(t,o.packageName);if(p.length===0){r.push({packageName:o.packageName,reason:"transitive-only"});continue}const d=U.coerce(a),u=d?`^${d.version}`:a,k=d?d.version:a;for(const m of p){const b=`${m.manifest.path}::${m.field}::${o.packageName}::${k}`;if(i.has(b))continue;i.add(b);const h=Hs(k,m.range),$={currentRange:m.range,field:m.field,inRange:h,manifestPath:m.manifest.path,packageName:o.packageName,targetSpec:u,targetVersion:k,workspaceName:m.manifest.workspaceName};h||e.allowMajor===!0?s.push($):n.push($)}}return{apply:s,skippedMajor:n,unmatched:r}},"buildDirectApplyPlan"),Fs=/^(?:workspace|file|link|portal|patch|git\+|git:|github:|npm:|catalog|jsr|http|https):/i,Hs=B((e,t)=>{if(Fs.test(t))return!0;const s=U.coerce(e)?.version??e;try{return U.satisfies(s,t)}catch{return!0}},"satisfiesRange"),Vs=B(e=>{const t=[];if(e.apply.length>0){t.push(`Apply (${String(e.apply.length)}):`);for(const s of e.apply){const n=s.workspaceName?` [${s.workspaceName}]`:"";t.push(`  + ${s.packageName}: ${s.currentRange} → ${s.targetSpec}${n}`)}}if(e.skippedMajor.length>0){t.push(`Skipped — major bump (${String(e.skippedMajor.length)}, requires --allow-major):`);for(const s of e.skippedMajor){const n=s.workspaceName?` [${s.workspaceName}]`:"";t.push(`  ! ${s.packageName}: ${s.currentRange} → ${s.targetSpec}${n}`)}}if(e.unmatched.length>0){const s=e.unmatched.filter(r=>r.reason==="transitive-only"),n=e.unmatched.filter(r=>r.reason==="no-fixed-version");if(s.length>0){t.push(`Transitive only (${String(s.length)}, requires --fix-transitive):`);for(const r of s)t.push(`  · ${r.packageName}`)}if(n.length>0){t.push(`No fixed version available (${String(n.length)}):`);for(const r of n)t.push(`  · ${r.packageName}`)}}return t.length===0?"No direct-dep fixes to apply.":t.join(`
-`)},"formatDirectApplyPlan");var Ts=Object.defineProperty,E=x((e,t)=>Ts(e,"name",{value:t,configurable:!0}),"i");const Us={"crates.io":["Cargo.lock"],Go:["go.sum"],Maven:["gradle.lockfile","pom.xml"],PyPI:["uv.lock","poetry.lock","Pipfile.lock"],RubyGems:["Gemfile.lock"]},Gs={cargo:"crates.io","crates.io":"crates.io",go:"Go",maven:"Maven",npm:"npm",pypi:"PyPI",rubygems:"RubyGems"},lt=E(e=>Gs[e.toLowerCase()]??e,"canonicalEcosystem"),_s=E((e,t)=>{const s=lt(t),n=Us[s]??[];for(const r of n){const i=H(e,r);if(Ze(i))return i}},"findEcosystemLockfile"),qs=E(e=>{const t=new Set,s=[];for(const n of e){const r=`${n.name}@${n.version}`;t.has(r)||(t.add(r),s.push(n))}return s},"dedupe"),Ks=/\[\[package\]\]([\s\S]*?)(?=\[\[|$)/g,zs=/^\s*name\s*=\s*"([^"]+)"\s*$/m,Bs=/^\s*version\s*=\s*"([^"]+)"\s*$/m,Js=E(e=>{const t=[];for(const s of e.matchAll(Ks)){const n=s[1]??"",r=zs.exec(n)?.[1],i=Bs.exec(n)?.[1];r&&i&&t.push({isDev:!1,name:r,version:i})}return t},"parseTomlPackages"),Ys=E(e=>{let t;try{t=JSON.parse(e)}catch{return[]}if(typeof t!="object"||t===null)return[];const s=[];for(const n of["default","develop"]){const r=t[n];if(!(typeof r!="object"||r===null))for(const[i,o]of Object.entries(r)){if(typeof o!="object"||o===null)continue;const a=o.version;if(typeof a!="string")continue;const p=a.replace(/^==/,"").trim();p.length>0&&s.push({isDev:!1,name:i,version:p})}}return s},"parsePipfileLock"),Xs=/<dependency>([\s\S]*?)<\/dependency>/g,Zs=/<groupId>\s*([^<\s]+)\s*<\/groupId>/,Qs=/<artifactId>\s*([^<\s]+)\s*<\/artifactId>/,en=/<version>\s*([^<\s]+)\s*<\/version>/,tn=E(e=>{const t=[];for(const s of e.matchAll(Xs)){const n=s[1]??"",r=Zs.exec(n)?.[1],i=Qs.exec(n)?.[1],o=en.exec(n)?.[1];!r||!i||!o||o.startsWith("${")||t.push({isDev:!1,name:`${r}:${i}`,version:o})}return t},"parsePomXml"),sn=E(e=>{const t=[];for(const s of e.split(/\r?\n/)){const n=s.trim();if(n.length===0||n.startsWith("#"))continue;const r=n.indexOf("="),i=(r===-1?n:n.slice(0,r)).split(":");if(i.length<3)continue;const[o,a,p]=i;!o||!a||!p||t.push({isDev:!1,name:`${o}:${a}`,version:p})}return t},"parseGradleLockfile"),nn=E(e=>{const t=[];for(const s of e.split(/\r?\n/)){const n=s.trim();if(n.length===0)continue;const r=n.split(/\s+/);if(r.length<3)continue;const[i,o]=r;if(!i||!o?.endsWith("/go.mod"))continue;const a=o.slice(0,-7);a.length!==0&&t.push({isDev:!1,name:i,version:a})}return t},"parseGoSum"),rn=/^ {4}([^ ()]+) \(([^()]+)\)\s*$/,on=E(e=>{const t=[];let s=!1,n=!1;for(const r of e.split(/\r?\n/)){if(r.startsWith("GEM")){s=!0,n=!1;continue}if(s&&/^[A-Z]/.test(r)){s=!1,n=!1;continue}if(s&&r.trim()==="specs:"){n=!0;continue}if(n){const i=rn.exec(r);if(i){const[,o,a]=i;o&&a&&t.push({isDev:!1,name:o,version:a})}}}return t},"parseGemfileLock"),an=E((e,t)=>{const s=_s(e,t);if(!s)return[];let n;try{n=Qe(s,"utf8")}catch{return[]}const r=s.split(/[/\\]/).pop()??"";let i;switch(r){case"Cargo.lock":case"poetry.lock":case"uv.lock":{i=Js(n);break}case"Gemfile.lock":{i=on(n);break}case"go.sum":{i=nn(n);break}case"gradle.lockfile":{i=sn(n);break}case"Pipfile.lock":{i=Ys(n);break}case"pom.xml":{i=tn(n);break}default:return[]}return qs(i)},"lockedPackagesForEcosystem"),pt=["firstSeen","installScripts","license","malware","publisherChange","score","unexpectedDeps","vulnerability"];var cn=Object.defineProperty,ln=x((e,t)=>cn(e,"name",{value:t,configurable:!0}),"n$1");const pn=ln((e,t)=>{const s=t.security?.policies?.installScripts;if(!s)return[];const n=s.allow??{},r=s.strict===!0;if(!r&&Object.keys(n).length===0)return[];const i=Qt(e.workspaceRoot,n,{pinVersions:t.security?.pinVersions===!0});if(i.unapproved.length===0)return[];const o=t.security?.acceptedRisks,a=r?"block":"warn";return i.unapproved.map(p=>({acceptedRisk:G(p.name,p.version??"*",o,"installScripts"),data:{hooks:p.hooks},packageName:p.name,policy:"installScripts",reason:`${p.name}${p.version?`@${p.version}`:""} declares unapproved build script(s): ${p.hooks.join(", ")}`,severity:a,version:p.version??"*"}))},"evaluateInstallScriptsPolicy");var dn=Object.defineProperty,ie=x((e,t)=>dn(e,"name",{value:t,configurable:!0}),"a");const un=new Set(["AND","OR"]),fn=ie(e=>{const t=e.replaceAll("("," ").replaceAll(")"," ").split(/\s+/).map(r=>r.trim()).filter(r=>r.length>0),s=[];let n=!1;for(const r of t){const i=r.toUpperCase();if(n){n=!1;continue}if(i==="WITH"){n=!0;continue}if(un.has(i))continue;const o=r.endsWith("+"),a=o?r.slice(0,-1):r,p=De(a)??a;s.push(p),o&&s.push(`${p}-or-later`)}return s},"extractSpdxLeaves"),gn=ie(e=>{if(typeof e.license=="string"){const t=e.license.trim();return t.length>0?t:void 0}if(e.license&&typeof e.license=="object"&&typeof e.license.type=="string"){const t=e.license.type.trim();if(t.length>0)return t}if(Array.isArray(e.licenses)&&e.licenses.length>0){const t=e.licenses.map(s=>s&&typeof s.type=="string"?s.type.trim():"").filter(s=>s.length>0);if(t.length>0)return t.length===1?t[0]:`(${t.join(" OR ")})`}},"declaredLicense"),mn=ie((e,t)=>{if(t.length===0)return;const s=new Set(t.map(n=>De(n)??n).map(n=>n.toLowerCase()));for(const n of e)if(s.has(n.toLowerCase()))return n},"findDeniedLeaf"),vn=ie((e,t)=>{if(t.length===0)return;const s=new Set(t.map(n=>De(n)??n).map(n=>n.toLowerCase()));for(const n of e)if(!s.has(n.toLowerCase()))return n},"findUnallowedLeaf"),yn=ie((e,t)=>{const s=t.security?.policies?.license;if(!s)return[];const n=s.allow??[],r=s.deny??[];if(n.length===0&&r.length===0)return[];const i=t.security?.acceptedRisks,o=[];for(const a of e.packages){const p=e.manifestData?.get(`${a.name}@${a.version}`),d=p?gn(p):void 0;if(!d){n.length>0&&o.push({acceptedRisk:G(a.name,a.version,i,"license"),data:{declaredLicense:null},packageName:a.name,policy:"license",reason:`${a.name}@${a.version} declares no license; allow-list mode requires one of: ${n.join(", ")}`,severity:"block",version:a.version});continue}const u=fn(d),k=mn(u,r);if(k){o.push({acceptedRisk:G(a.name,a.version,i,"license"),data:{declaredLicense:d,deniedLicense:k},packageName:a.name,policy:"license",reason:`${a.name}@${a.version} uses denied license '${k}' (declared: ${d})`,severity:"block",version:a.version});continue}const m=vn(u,n);m&&o.push({acceptedRisk:G(a.name,a.version,i,"license"),data:{allowList:n,declaredLicense:d,unallowedLicense:m},packageName:a.name,policy:"license",reason:`${a.name}@${a.version} uses license '${m}' which is not on the allow-list (declared: ${d})`,severity:"block",version:a.version})}return o},"evaluateLicensePolicy");var hn=Object.defineProperty,ve=x((e,t)=>hn(e,"name",{value:t,configurable:!0}),"l$1");const kn=ve(e=>{for(const t of Object.values(ot))if(e===t.file||e.endsWith(`/${t.file}`)||e.endsWith(`.${t.file}`))return t.type},"detectLockfileType"),$n=ve((e,t,s)=>{const n=Gt(t)?t:rt(e,t);let r;try{r=ne(n)}catch{return}const i=kn(n)??ot[s]?.type;if(!i)return;const o=es(r,i);if(o.length===0)return;const a=new Set;for(const p of o)a.add(`${p.name}@${p.version}`);return a},"loadBaselineKeys"),bn=ve((e,t)=>{for(const s of t)if(s===e||s.endsWith("*")&&e.startsWith(s.slice(0,-1)))return!0;return!1},"matchesAllowList"),wn=ve((e,t)=>{const s=t.security?.policies?.unexpectedDeps;if(!s)return[];const n=s.allow??[],r=s.baselineLockfile;if(n.length===0&&!r)return[];const i=r?$n(e.workspaceRoot,r,e.packageManager):void 0,o=t.security?.acceptedRisks,a=[];for(const p of e.packages){const d=n.length===0||bn(p.name,n),u=i?i.has(`${p.name}@${p.version}`):!0;if(d&&u)continue;const k=[],m={};d||(k.push(`not on allow-list (${n.length} entr${n.length===1?"y":"ies"})`),m.allowList=n),!u&&i&&(k.push(`not present in baseline lockfile (${r})`),m.baselineLockfile=r),a.push({acceptedRisk:G(p.name,p.version,o,"unexpectedDeps"),data:m,packageName:p.name,policy:"unexpectedDeps",reason:`${p.name}@${p.version} is unexpected: ${k.join("; ")}`,severity:"block",version:p.version})}return a},"evaluateUnexpectedDepsPolicy");var Sn=Object.defineProperty,xn=x((e,t)=>Sn(e,"name",{value:t,configurable:!0}),"E$2");const Xe={CRITICAL:0,HIGH:1,LOW:3,MODERATE:2,UNKNOWN:4},se=xn((e,t)=>{const s=Xe[t.toUpperCase()]??2;return(Xe[e.toUpperCase()]??4)<=s},"severityPassesFilter");var Cn=Object.defineProperty,An=x((e,t)=>Cn(e,"name",{value:t,configurable:!0}),"c$1");const Nn=An((e,t)=>{if(!e.osvFindings||e.osvFindings.size===0)return[];const s=t.security?.policies?.vulnerability?.failOn,n=t.security?.acceptedRisks,r=[];for(const i of e.packages){const o=e.osvFindings.get(i.name);if(!(!o||o.length===0))for(const a of o){const p=s?se(a.severity,s)?"block":"warn":"info";r.push({acceptedRisk:G(i.name,i.version,n,"vulnerability"),data:{advisoryId:a.id,aliases:a.aliases??[],cvssScore:a.cvssScore,fixedVersions:a.fixedVersions,severity:a.severity,summary:a.summary},packageName:i.name,policy:"vulnerability",reason:`${a.severity} ${a.id} affects ${i.name}@${i.version}: ${a.summary}`,severity:p,version:i.version})}}return r},"evaluateVulnerabilityPolicy");var Rn=Object.defineProperty,T=x((e,t)=>Rn(e,"name",{value:t,configurable:!0}),"n");const dt=[{evaluate:Nn,isConfigured:T(e=>e.security?.policies?.vulnerability!==void 0,"isConfigured"),name:"vulnerability",offlineSupported:!0,surfaces:["audit","doctor"]},{evaluate:yn,isConfigured:T(e=>{const t=e.security?.policies?.license;return!!(t&&(t.allow&&t.allow.length>0||t.deny&&t.deny.length>0))},"isConfigured"),name:"license",offlineSupported:!0,surfaces:["audit","doctor","install"]},{evaluate:pn,isConfigured:T(e=>{const t=e.security?.policies?.installScripts;return!!(t&&(t.allow&&Object.keys(t.allow).length>0||t.strict===!0))},"isConfigured"),name:"installScripts",offlineSupported:!0,surfaces:["audit","doctor","install"]},{evaluate:wn,isConfigured:T(e=>{const t=e.security?.policies?.unexpectedDeps;return!!(t&&(t.allow&&t.allow.length>0||typeof t.baselineLockfile=="string"))},"isConfigured"),name:"unexpectedDeps",offlineSupported:!0,surfaces:["audit","doctor","install"]}],On=T((e,t,s)=>dt.filter(n=>n.surfaces.includes(e)?s!==void 0?s.has(n.name):n.isConfigured(t):!1),"selectModules"),Pn=T(async(e,t,s)=>{const n=On(t,s.visConfig,s.enabledPolicies),r=[];for(const i of n){if(e.offline&&!i.offlineSupported){r.push({packageName:"*",policy:i.name,reason:`policy.${i.name} skipped: requires network (--offline)`,severity:"info",version:"*"});continue}try{const o=await i.evaluate(e,s.visConfig);r.push(...o)}catch(o){const a=o instanceof Error?o.message:String(o);r.push({packageName:"*",policy:i.name,reason:`policy.${i.name} failed: ${a}`,severity:"info",version:"*"})}}return r},"evaluatePolicies"),Ln=(()=>{const e=new Map;for(const t of pt)e.set(t.toLowerCase(),t);return e})(),jn=T(()=>dt.map(e=>e.name),"getRegisteredPolicyNames"),En=T((e,t)=>{if(e===void 0)return;const s=e.trim().toLowerCase();if(s===""||s==="none")return new Set;if(s==="all")return new Set(pt);const n=new Set;for(const r of e.split(",").map(i=>i.trim()).filter(i=>i.length>0)){const i=r.replace(/^_+/,"").replaceAll(/_+([a-z])/g,(a,p)=>p.toUpperCase()),o=Ln.get(i.toLowerCase());o===void 0?t?.(r):n.add(o)}return n},"parsePoliciesFlag");var In=Object.defineProperty,re=x((e,t)=>In(e,"name",{value:t,configurable:!0}),"c");const Dn=["ts","tsx","js","jsx","mjs","cjs","mts","cts"],Wn=[/node_modules/,/\.git/,/\.next/,/\.cache/,/dist/,/build/,/coverage/,/\.turbo/,/\.nx/,/\.parcel-cache/],Mn=["dependencies","devDependencies","peerDependencies","optionalDependencies"],Fn=/(?:import|export)\s+(?:[\s\S]*?from\s+)?["']([^"'\n]+)["']/g,Hn=/(?:^|[^.\w$])require\s*\(\s*["']([^"'\n]+)["']\s*\)/g,Vn=/\bimport\s*\(\s*["']([^"'\n]+)["']\s*\)/g,Tn=re(e=>{if(e.startsWith(".")||e.startsWith("/")||/^[a-z][a-z0-9+.-]*:/i.test(e))return;const t=e.trim();if(t.length!==0){if(t.startsWith("@")){const s=t.split("/");return s.length<2?void 0:`${s[0]}/${s[1]}`}return t.split("/")[0]}},"normalizePackageName"),Un=re(e=>{const t=new Set,s=e.replaceAll(/\/\*[\s\S]*?\*\//g,"").replaceAll(/(^|[^:])\/\/.*$/gm,"$1"),n=re(r=>{r.lastIndex=0;let i;for(;(i=r.exec(s))!==null;){const o=Tn(i[1]);o&&t.add(o)}},"collect");return n(Fn),n(Hn),n(Vn),t},"extractImportedNames"),Gn=re(e=>{const t=new Set;try{const s=nt(e);for(const n of Mn){const r=s[n];if(r&&typeof r=="object"&&!Array.isArray(r))for(const i of Object.keys(r))t.add(i)}}catch{}return t},"extractPackageJsonNames"),_n=re(e=>{const t=e.skip??Wn,s=e.extensions??Dn,n=new Set;let r=0;const i=Ke(e.workspaceRoot,{extensions:s,includeDirs:!1,skip:t});for(const p of i){r+=1;try{const d=Qe(p,"utf8");for(const u of Un(d))n.add(u)}catch{}}const o=Ke(e.workspaceRoot,{extensions:["json"],includeDirs:!1,skip:t}).filter(p=>p.endsWith("/package.json")||p.endsWith(String.raw`\package.json`)||p.endsWith("package.json"));for(const p of o)for(const d of Gn(p))n.add(d);if(e.alwaysAssumeUsed)for(const p of e.alwaysAssumeUsed)n.add(p);const a=new Set;for(const p of e.vulnerablePackages)n.has(p)&&a.add(p);return{filesScanned:r,importedTotal:n,reachable:a}},"computeReachableVulnerablePackages");var qn=Object.defineProperty,I=x((e,t)=>qn(e,"name",{value:t,configurable:!0}),"o");const Kn=I(e=>{const t=U.coerce(e)?.major;return t!==void 0&&t>=10},"PNPM_V10_PLUS"),zn=I(e=>Object.fromEntries(Object.entries(e).sort(([t],[s])=>t.localeCompare(s))),"sortByKey"),Bn=I((e,t)=>`${JSON.stringify(e,void 0,t)}
-`,"stringifyJson"),ut=I((e,t)=>{if(t.name==="pnpm"&&Kn(t.version))return{filePath:H(e,"pnpm-workspace.yaml"),surface:"pnpm-workspace.yaml"};const s=H(e,"package.json");return t.name==="pnpm"?{filePath:s,surface:"package.json#pnpm.overrides"}:t.name==="yarn"?{filePath:s,surface:"package.json#resolutions"}:{filePath:s,surface:"package.json#overrides"}},"resolveOverrideSurface"),Jn=I((e,t)=>{const{filePath:s,surface:n}=ut(e,t);if(!K(s))return{};if(n==="pnpm-workspace.yaml")try{return Ee(s)?.overrides??{}}catch{return{}}try{const r=JSON.parse(ne(s));return n==="package.json#pnpm.overrides"?(r.pnpm??{}).overrides??{}:n==="package.json#resolutions"?r.resolutions??{}:r.overrides??{}}catch{return{}}},"readExistingOverrides"),Yn=I((e,t)=>{const s=Object.keys(t).sort();if(s.length===0&&!/^overrides\s*:/m.test(e))return e;const n=`overrides:
-${s.map(r=>`  '${r}': '${t[r]}'`).join(`
-`)}
-`;if(e.length===0)return n;if(/^overrides\s*:/m.test(e)){const r=e.replace(/^overrides\s*:[^\n]*\n(?:[ \t][^\n]*\n)*/m,n);return r.endsWith(`
-`)?r:`${r}
-`}return`${e.endsWith(`
-`)?e:`${e}
-`}
-${n}`},"renderPnpmWorkspaceOverrides"),Xn=I((e,t,s,n)=>{const r=Lt(e,t.length>0?t:void 0),i=t.length>0?JSON.parse(t):{};if(s==="package.json#pnpm.overrides"){const o=i.pnpm??{};o.overrides=n,i.pnpm=o}else s==="package.json#resolutions"?i.resolutions=n:i.overrides=n;return Bn(i,r)},"renderPackageJsonWithOverrides"),Zn=I((e,t,s)=>{const{filePath:n,surface:r}=ut(e,s),i=Jn(e,s),o=K(n)?ne(n):"",a=[],p={...i};for(const m of t.entries){const b=i[m.packageName];if(b===m.spec){a.push({...m,previousSpec:b,status:"unchanged"});continue}b===void 0?a.push({...m,status:"added"}):a.push({...m,previousSpec:b,status:"updated"}),p[m.packageName]=m.spec}const d=zn(p),u=a.some(m=>m.status!=="unchanged"),k=r==="pnpm-workspace.yaml"?Yn(o,d):Xn(n,o,r,d);return{changed:u,entries:a,filePath:n,nextContent:k,previousContent:o,surface:r}},"planOverrideWrite"),Qn=I(e=>{if(!e.changed)return e;if(e.surface==="pnpm-workspace.yaml"&&e.previousContent.length===0)throw new Error(`${e.filePath} not found. Run \`pnpm init\` or create pnpm-workspace.yaml before applying overrides for pnpm v10+.`);const t=`${e.filePath}.tmp`;try{et(t,e.nextContent),Ct(t,e.filePath)}catch(s){try{At(t)}catch{}throw s}return e},"applyOverridePlan"),er=I(e=>{const t=new Map;for(const s of e){const n=s.vulnerability.fixedVersions[0];if(!n)continue;const r=U.coerce(n),i=r?`^${r.version}`:n;t.set(s.packageName,i)}return{entries:[...t.entries()].sort(([s],[n])=>s.localeCompare(n)).map(([s,n])=>({packageName:s,spec:n}))}},"buildOverridePlanFromFindings");var tr=Object.defineProperty,R=x((e,t)=>tr(e,"name",{value:t,configurable:!0}),"y");const sr={critical:Ie,high:st,low:tt,medium:fe},Pe=new Set(["cargo","crates.io","go","maven","npm","pypi","rubygems"]),nr=R(e=>{const t=(e??"npm").split(",").map(r=>r.trim()).filter(r=>r.length>0),s=t.length>0?t:["npm"],n=s.filter(r=>!Pe.has(r.toLowerCase()));return{all:s,unsupported:n}},"parseEcosystems"),rr={CRITICAL:Ie,HIGH:st,LOW:tt,MODERATE:fe,UNKNOWN:j},or=R((e,t,s,n)=>{const r=rr[s.severity]??j,i=n?` ${j("[acknowledged]")}`:"",o=s.fixedVersions??[],a=o.length>0?` (fix: ${o.join(", ")})`:"";return`  ${r(s.severity)} ${s.id} — ${e}@${t}${i}
-    ${s.summary}${a}`},"formatVulnLine"),ir=R((e,t)=>{const s=jt(e),n=`${String(Math.round(e.score.overall*100))}%`,r=t?` ${j("[acknowledged]")}`:"",i=e.alerts.length>0?`, ${String(e.alerts.length)} alert${e.alerts.length===1?"":"s"}`:"";return`  ${n} ${s}@${e.version} (${Et(e.score.overall)}${i})${r}`},"formatSocketLine"),ar=R(async(e,t,s,n)=>{const r=t.severity??"low",i=t.format??"table",o=i==="sarif",a=i==="csaf",p=i==="cyclonedx-vex"||i==="cyclonedx",d=i==="json"||!!t.json,u=t.report,k=s?.security?.audit,m=s?.security?.policies,b=t.offline===void 0?!!k?.offlineByDefault:!!t.offline,h=t.db,$=nr(t.ecosystem),w=!!t.prodOnly,D=t.failOn??m?.vulnerability?.failOn,mt=!!t.showFixes,ae=!!t.showAccepted,vt=s?.security?.socket,ye=s?.security?.acceptedRisks,Me=m?.vulnerability?.usage,yt=t.noUsage?!1:t.usage===void 0?!!Me?.enabled:!!t.usage,W=d||o||a||p,L=It(e),A=cs(e,L.name);if(b){const c=h??Jt(e);if(!Ze(c)){const l=new _e(c);W?process.stderr.write(`${l.message}
-`):f.error(l.message),process.exitCode=1;return}}!W&&(A.ignoredAdvisories.length>0||A.excludedPackages.length>0)&&f.info(`Loaded ${String(A.ignoredAdvisories.length)} ignored advisor${A.ignoredAdvisories.length===1?"y":"ies"} and ${String(A.excludedPackages.length)} excluded package${A.excludedPackages.length===1?"":"s"} from ${L.name} config.`),!W&&$.unsupported.length>0&&f.warn(`Ecosystems ${$.unsupported.map(c=>`'${c}'`).join(", ")} are not yet supported by the audit matcher. Supported: npm, pypi, crates.io, cargo, maven, go, rubygems.`);const M=Yt(e,L.name,{includeDev:!w});if(M.length===0){f.info(`No ${L.name} lockfile entries found. Run ${L.name} install first.`);return}if(!W){const c=w?"production-only packages":"installed packages";f.info(`Scanning ${String(M.length)} ${c}${b?" (offline)":""}…`)}const he=M.map(c=>({name:c.name,version:c.version})),J=b||Dt("socket")?void 0:Wt(vt,m?.score?.minimum),ce=J?.minimumScore??m?.score?.minimum??Tt,V=Xt(e,L.name),ht=[{id:"vulnerabilities",label:b?"Known vulnerabilities (offline OSV cache)":"Known vulnerabilities (OSV)"},...J?[{id:"socket",label:"Socket.dev supply-chain reports"}]:[]],F=Bt(ht,{live:!W}),kt=Date.now(),q=R(c=>{const l=Date.now()-c;return l>=1e3?`${(l/1e3).toFixed(1)}s`:`${String(Math.round(l))}ms`},"fmtElapsed");let ke,$e;try{const c=Date.now(),l=Date.now();F.start("vulnerabilities"),J&&F.start("socket");const v=b?Promise.resolve().then(()=>qe(he,{dbPath:h,ecosystem:$.all.find(g=>Pe.has(g.toLowerCase()))??"npm",workspaceRoot:e})).then(g=>{let y=0;for(const S of g.values())y+=S.length;return F.finish("vulnerabilities",y>0?"warn":"ok",y>0?`${String(y)} found · ${q(c)}`:`none found · ${q(c)}`),g}).catch(g=>{const y=g instanceof Error?g.message:String(g);if(F.finish("vulnerabilities","error",y),g instanceof _e)throw g;return new Map}):Mt(he).then(g=>{let y=0;for(const S of g.values())y+=S.length;return F.finish("vulnerabilities",y>0?"warn":"ok",y>0?`${String(y)} found · ${q(c)}`:`none found · ${q(c)}`),g}).catch(g=>{const y=g instanceof Error?g.message:String(g);return F.finish("vulnerabilities","error",y),new Map});[ke,$e]=await Promise.all([v,J?Ft(he,J).then(g=>{let y=0,S=0;for(const Q of g.values())y+=Q.alerts.length,Q.score.overall<ce&&(S+=1);const P=y+S;return F.finish("socket",P>0?"warn":"ok",P>0?`${String(y)} alert${y===1?"":"s"}, ${String(S)} low-score · ${q(l)}`:`clean · ${q(l)}`),g}).catch(g=>{const y=g instanceof Error?g.message:String(g);return F.finish("socket","error",y),new Map}):Promise.resolve(new Map)])}finally{F.stop()}d||f.info(j(`Scan completed in ${q(kt)}`));const le=[];for(const c of M){if(ls(c.name,A))continue;const l=ke.get(c.name)??[],v=$e.get(`${c.name}@${c.version}`),g=G(c.name,c.version,ye),y=l.length>0,S=v?v.score.overall<ce:!1,P=v?v.alerts.length>0:!1;(y||S||P)&&le.push({acceptedRisk:g,name:c.name,socketReport:v,version:c.version,vulnerabilities:l})}if(b){const c=$.all.filter(l=>Pe.has(l.toLowerCase())&&l.toLowerCase()!=="npm");for(const l of c){const v=lt(l),g=an(e,v);if(g.length!==0){W||f.info(j(`Scanning ${String(g.length)} ${v} packages…`));try{const y=qe(g.map(S=>({name:S.name,version:S.version})),{dbPath:h,ecosystem:v,workspaceRoot:e});for(const S of g){const P=y.get(S.name)??[];P.length!==0&&le.push({acceptedRisk:G(S.name,S.version,ye),name:S.name,version:S.version,vulnerabilities:P})}}catch(y){const S=y instanceof Error?y.message:String(y);f.warn(`Failed to scan ${v}: ${S}`)}}}}let N=le.filter(c=>{const l=c.vulnerabilities.some(y=>se(y.severity,r)),v=c.socketReport?.alerts.some(y=>se(y.severity==="medium"?"MODERATE":y.severity.toUpperCase(),r)),g=c.socketReport&&c.socketReport.score.overall<ce;return l||v||g});const $t=t.policies,be=[],O=await(async()=>{const c=jn().map(P=>`'${P}'`).join(", "),l=En($t,P=>{be.push(P);const Q=`Unknown policy '${P}' — ignoring. Available: ${c}.`;W?process.stderr.write(`vis audit: ${Q}
-`):f.warn(Q)});if(l?.size===0)return[];const v=s?.security?.policies?.license,g=!!(v&&((v.allow?.length??0)>0||(v.deny?.length??0)>0)),y=l===void 0||l.has("license"),S=g&&y?Zt(e):void 0;return Pn({manifestData:S,offline:b,osvFindings:ke,packageManager:L.name,packages:M,socketReports:$e,workspaceRoot:e},"audit",{enabledPolicies:l,visConfig:s??{}})})();if(yt){const c=new Set(N.filter(v=>v.vulnerabilities.length>0).map(v=>v.name)),l=_n({alwaysAssumeUsed:Me?.alwaysAssumeUsed,vulnerablePackages:c,workspaceRoot:e});N=N.filter(v=>v.vulnerabilities.length===0?!0:l.reachable.has(v.name)),W||f.info(j(`Reachability filter: ${String(l.reachable.size)}/${String(c.size)} vulnerable packages reachable (${String(l.filesScanned)} files scanned).`))}const Y=R(()=>N.flatMap(c=>c.vulnerabilities.map(l=>({acknowledged:!!c.acceptedRisk||te(l.id,A,l.aliases),packageName:c.name,packageVersion:c.version,vulnerability:l}))),"findingsForReport"),Fe=!!t.fix,He=!!t.fixTransitive,Ve=!!t.yes,bt=!!t.allowMajor;if(Fe||He){const c=Y().filter(l=>!l.acknowledged);if(Fe){const l=await lr({actionableFindings:c,allowMajor:bt,pm:L,visConfig:s,workspaceRoot:e,yes:Ve});if(l!==void 0){process.exitCode=l;return}}if(He){const l=await pr({actionableFindings:c,pm:L,visConfig:s,workspaceRoot:e,yes:Ve});if(l!==void 0){process.exitCode=l;return}}}if(o){const c=Es({findings:Y(),policyDecisions:O,tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:e});process.stdout.write(`${JSON.stringify(c,void 0,2)}
-`),Ne(N,A,t.exitCode,D,O);return}if(a){const c=bs({findings:Y(),tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:e});process.stdout.write(`${JSON.stringify(c,void 0,2)}
-`),Ne(N,A,t.exitCode,D,O);return}if(p){const{packageJsons:c,workspace:l}=Ht(e,s),v=Vt(e,l,c),g=qt({includeDev:!w,projectGraph:v,workspace:l,workspaceRoot:e}),y=As({bom:g,findings:Y()});process.stdout.write(`${JSON.stringify(y,void 0,2)}
-`),Ne(N,A,t.exitCode,D,O);return}if(u){const c=vs({findings:Y(),packagesScanned:M.length,policyDecisions:O,tool:{name:"vis-audit",version:"alpha"},workspaceRoot:e}),l=rt(e,u);et(l,c,"utf8"),W||f.success(`HTML report written to ${l}`)}if(d){const c={duplicates:V.map(l=>({name:l.name,versionCount:l.versions.length,versions:l.versions})),packages:M.length,policies:O.map(l=>({acceptedRisk:l.acceptedRisk??null,data:l.data??null,packageName:l.packageName,policy:l.policy,reason:l.reason,severity:l.severity,version:l.version})),results:N.map(l=>({acceptedRisk:l.acceptedRisk??null,name:l.name,socketAlerts:l.socketReport?.alerts??[],socketScore:l.socketReport?.score.overall??null,version:l.version,vulnerabilities:l.vulnerabilities})),summary:{accepted:N.filter(l=>l.acceptedRisk).length,duplicatePackages:V.length,issues:N.filter(l=>!l.acceptedRisk).length,policyBlocks:O.filter(l=>l.severity==="block"&&!l.acceptedRisk).length,policyDecisions:O.length,total:N.length},warnings:be.length>0?be.map(l=>({kind:"unknown-policy",token:l})):[]};process.stdout.write(`${JSON.stringify(c,void 0,2)}
-`),t.exitCode&&(c.summary.issues>0||c.summary.policyBlocks>0)&&(process.exitCode=1),Le(N,A,D,O);return}if(N.length===0){f.success(`No security issues found across ${String(M.length)} packages.`);return}const X={CRITICAL:[],HIGH:[],LOW:[],MODERATE:[]};for(const c of N)for(const l of c.vulnerabilities)if(se(l.severity,r)){const v=l.severity==="UNKNOWN"?"LOW":l.severity;X[v]?.push({entry:c,vuln:l})}let pe=0,we=0;for(const c of["CRITICAL","HIGH","MODERATE","LOW"]){const l=X[c];if(!(!l||l.length===0)){f.info(`
-── ${c} (${String(l.length)}) ──`);for(const{entry:v,vuln:g}of l){const y=!!v.acceptedRisk||te(g.id,A,g.aliases);y&&(we++,!ae)||(pe++,f.info(or(v.name,v.version,g,y)),mt&&(g.fixedVersions??[]).length>0&&f.notice(`    Fix: update to ${g.fixedVersions.at(-1)}`))}}}const Z=N.filter(c=>c.socketReport&&(c.socketReport.score.overall<ce||c.socketReport.alerts.length>0));if(Z.length>0){f.info(`
-── Socket.dev Supply Chain (${String(Z.length)}) ──`);for(const c of Z){if(!c.socketReport)continue;const l=!!c.acceptedRisk;if(!(l&&!ae)){f.info(ir(c.socketReport,l));for(const v of c.socketReport.alerts){const g=sr[v.severity]??j;f.info(`    ${g(`[${v.severity.toUpperCase()}]`)} ${v.type} — ${v.category}`)}}}}if(V.length>0){f.info(`
-── Duplicate Dependencies (${String(V.length)}) ──`);for(const c of V){const l=c.versions.join(", ");f.info(`  ${c.name} — ${String(c.versions.length)} versions: ${fe(l)}`)}}const Te=new Set;for(const c of["CRITICAL","HIGH","MODERATE","LOW"]){const l=X[c];if(l)for(const{vuln:v}of l)Te.add(v.id)}const Se=O.filter(c=>{if(c.policy!=="vulnerability")return!0;const l=typeof c.data?.advisoryId=="string"?c.data.advisoryId:void 0;return c.severity==="block"&&l!==void 0&&!Te.has(l)});if(Se.length>0){f.info(`
-── Policy Decisions (${String(Se.length)}) ──`);for(const c of Se){const l=!!c.acceptedRisk;if(l&&!ae)continue;const v=c.severity==="block"?Ie:c.severity==="warn"?fe:j,g=l?` ${j("[acknowledged]")}`:"";f.info(`  ${v(`[${c.severity}]`)} ${c.policy} — ${c.reason}${g}`)}}const de=R(c=>!!c.acceptedRisk||c.vulnerabilities.length>0&&c.vulnerabilities.every(l=>te(l.id,A,l.aliases)),"isEntryExcluded"),Ue=N.filter(c=>!de(c)).length;if(f.info(""),f.info("─ Audit Summary"),f.info(`  ${String(M.length)} packages scanned`),A.ignoredAdvisories.length>0&&f.info(`  ${String(A.ignoredAdvisories.length)} ${L.name} audit exclusion${A.ignoredAdvisories.length===1?"":"s"} applied`),pe>0){const c=X.CRITICAL?.filter(v=>!de(v.entry)).length??0,l=X.HIGH?.filter(v=>!de(v.entry)).length??0;f.error(`  ${String(pe)} vulnerabilit${pe===1?"y":"ies"} found`),c>0&&f.error(`    ${String(c)} critical`),l>0&&f.warn(`    ${String(l)} high`)}else f.success("  No vulnerabilities found");if(Z.length>0){const c=Z.filter(l=>!de(l)).length;f.warn(`  ${String(c)} package${c===1?"":"s"} with Socket.dev supply chain issues`)}V.length>0&&(f.warn(`  ${String(V.length)} package${V.length===1?"":"s"} with duplicate versions`),f.notice("  Run 'vis dedupe' or your package manager's dedupe command to reduce duplicates."));const ue=O.filter(c=>c.severity==="block"&&!c.acceptedRisk);if(ue.length>0&&f.error(`  ${String(ue.length)} policy block${ue.length===1?"":"s"}`),we>0&&(f.info(`  ${String(we)} acknowledged (accepted risks)`),ae||f.notice("  Use --show-accepted to see acknowledged issues.")),Ue===0&&f.success(`
-  All issues are acknowledged. No action required.`),t.sync&&ye){const c=new Set;for(const v of le)if(v.acceptedRisk){for(const g of v.vulnerabilities)if((g.id.startsWith("CVE-")||g.id.startsWith("GHSA-"))&&c.add(g.id),g.aliases)for(const y of g.aliases)(y.startsWith("CVE-")||y.startsWith("GHSA-"))&&c.add(y)}const l=[...c];if(l.length>0){f.info("");const v=ps(L.name,e,l);for(const g of v)f.success(`  ${g}`)}else f.info(`
-No advisory IDs to sync to native PM config.`)}t.exitCode&&(Ue>0||ue.length>0)&&(process.exitCode=1),Le(N,A,D,O)},"executeAudit"),ft=R(e=>!e||e.length===0?!1:e.some(t=>t.severity==="block"&&!t.acceptedRisk),"hasBlockingPolicy"),Le=R((e,t,s,n)=>{ft(n)&&(process.exitCode=1),s&&e.some(r=>r.vulnerabilities.some(i=>r.acceptedRisk||te(i.id,t,i.aliases)?!1:se(i.severity,s)))&&(process.exitCode=1)},"applyFailOnGate"),Ne=R((e,t,s,n,r)=>{s&&(e.filter(i=>!i.acceptedRisk&&i.vulnerabilities.some(o=>!te(o.id,t,o.aliases))).length>0||ft(r))&&(process.exitCode=1),Le(e,t,n,r)},"applyExitGate"),gt=R(async(e,t)=>{if(!process.stdin.isTTY)return t;const s=Nt({input:process.stdin,output:process.stderr});try{const n=t?"[Y/n]":"[y/N]",r=await new Promise(i=>{s.question(`${e} ${j(n)} `,o=>{i(o.trim())})});return r.length===0?t:r.toLowerCase().startsWith("y")}finally{s.close()}},"promptYesNo"),cr=R(e=>e==="pnpm"||e==="npm"||e==="yarn"||e==="bun","isTransitiveOnlyPm"),lr=R(async e=>{const t=ct({allowMajor:e.allowMajor,findings:e.actionableFindings,workspaceRoot:e.workspaceRoot});if(f.info(""),f.info("─ Apply (direct deps)"),f.info(Vs(t)),t.apply.length===0){f.info("Nothing to apply for direct deps.");return}if(Re&&!e.yes)return f.error("Refusing to run --fix in CI without --yes. Re-run with --yes once the plan above looks right."),1;if(!e.yes&&!await gt("Apply these direct-dep upgrades?",!1))return f.info("Aborted — no changes made."),0;const s=new Map;for(const n of t.apply){const r=n.workspaceName??"",i=s.get(r);i?i.push(n):s.set(r,[n])}for(const[n,r]of s){const i=r.map(p=>`${p.packageName}@${p.targetSpec}`),o=n.length>0?[n]:[];f.info(`Running ${e.pm.name} add ${i.join(" ")}${n.length>0?` --filter ${n}`:""}`);const a=Ut(e.pm,{exact:!1,filter:o,global:!1,optional:!1,packages:i,peer:!1,saveDev:!1,workspace:!1,workspaceRoot:!1},e.workspaceRoot,console);if(a!==0)return f.error(`${e.pm.name} add exited ${String(a)} — aborting before rescan.`),a}return f.success("Direct-dep upgrades applied. Re-run `vis audit` to confirm the fixes landed."),0},"runApplyDirect"),pr=R(async e=>{if(!cr(e.pm.name))return f.error(`--fix-transitive is not supported for package manager "${e.pm.name}". Use pnpm, npm, yarn, or bun.`),1;const t=!!e.visConfig?.security?.audit?.apply?.transitive?.enabled;if(Re&&(!e.yes||!t))return f.error("Refusing to run --fix-transitive in CI without both --yes and security.audit.apply.transitive.enabled = true. Overrides have a higher blast radius than direct bumps — gate on config."),1;const s=new Set(ct({findings:e.actionableFindings,workspaceRoot:e.workspaceRoot}).apply.map(o=>o.packageName)),n=e.actionableFindings.filter(o=>!s.has(o.packageName)),r=er(n);if(r.entries.length===0){f.info(""),f.info("─ Apply transitive (overrides)"),f.info("Nothing to override — all vulnerable packages are direct deps or have no fixed version.");return}const i=Zn(e.workspaceRoot,r,{name:e.pm.name,version:e.pm.version});f.info(""),f.info("─ Apply transitive (overrides)"),f.info(`Target: ${i.filePath} (${i.surface})`);for(const o of i.entries){const a=o.status==="added"?"+":o.status==="updated"?"~":"·",p=o.previousSpec?` (was ${o.previousSpec})`:"";f.info(`  ${a} ${o.packageName}: ${o.spec}${p}`)}if(!i.changed){f.info("No changes — overrides already match the plan.");return}if(!e.yes){if(Re)return 1;if(!await gt("Write these overrides?",!1))return f.info("Aborted — no changes made."),0}try{Qn(i)}catch(o){const a=o instanceof Error?o.message:String(o);return f.error(`Failed to write overrides: ${a}`),1}return f.success(`Wrote ${String(i.entries.filter(o=>o.status!=="unchanged").length)} override${i.entries.length===1?"":"s"}. Run \`${e.pm.name} install\` then re-run \`vis audit\` to confirm the fixes landed.`),0},"runApplyTransitive"),wr=R(async({logger:e,options:t,visConfig:s,workspaceRoot:n})=>{if(!n)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");await ar(n,t,s,e)},"execute");export{wr as default};
+${X}
+pnpm exec vis secrets --staged --quiet || exit 1
+`;x(s,i),Ce(s,493),t.info(`Appended secrets scan to ${s}.`);return}x(s,jt,{mode:493}),t.info(`Created ${s} with a secrets-scan pre-commit check.`)},"executeAdd"),At=E((e,o)=>{o.info("Removing git hooks...");const t=yt(e);if(t.message){if(t.isError)throw new Error(t.message);o.info(t.message);return}o.info("Git hooks removed successfully.")},"executeUninstall"),_t=E(async({logger:e,options:o,visConfig:t})=>{await Rt(P(o),e,t?.editorconfig??!0)},"hookInstallImpl"),Pt=E(({logger:e,options:o})=>{At(P(o),e)},"hookUninstallImpl"),Tt=E(({logger:e,options:o,visConfig:t})=>{Ot(P(o),!!o.dryRun,e,t?.editorconfig??!0)},"hookMigrateImpl"),Ct=E(({logger:e,options:o})=>{Qe(P(o),e)},"hookListImpl"),It=E(({logger:e,options:o})=>{Et(P(o),e)},"hookValidateImpl"),Nt=E(({argument:e,logger:o,options:t})=>{ht(P(t),{allFiles:!!t.allFiles,extraArgs:e.slice(1),fromRef:t.fromRef,lastCommit:!!t.lastCommit,stage:e[0],toRef:t.toRef},o)},"hookRunImpl"),Mt=E(({argument:e,logger:o,options:t})=>{Ft(e[0],P(t),o)},"hookAddImpl"),qt=_t,Gt=Pt,Jt=Tt,Kt=Ct,Ut=It,zt=Nt,Yt=Mt;export{Yt as hookAddExecute,qt as hookInstallExecute,Kt as hookListExecute,Jt as hookMigrateExecute,zt as hookRunExecute,Gt as hookUninstallExecute,Ut as hookValidateExecute};