@westbayberry/dg 1.0.52 → 1.0.56

package/dist/index.mjs

@@ -19192,9 +19192,9 @@ function handleContentBlockStart(event, state) {
 function handleContentBlockDelta(event, state, recordOutputs) {
   if (event.type !== "content_block_delta" || !event.delta) return;
   if (typeof event.index === "number" && "partial_json" in event.delta && typeof event.delta.partial_json === "string") {
-    const active = state.activeToolBlocks[event.index];
-    if (active) {
-      active.inputJsonParts.push(event.delta.partial_json);
+    const active2 = state.activeToolBlocks[event.index];
+    if (active2) {
+      active2.inputJsonParts.push(event.delta.partial_json);
     }
   }
   if (recordOutputs && typeof event.delta.text === "string") {
@@ -19203,9 +19203,9 @@ function handleContentBlockDelta(event, state, recordOutputs) {
 }
 function handleContentBlockStop(event, state) {
   if (event.type !== "content_block_stop" || typeof event.index !== "number") return;
-  const active = state.activeToolBlocks[event.index];
-  if (!active) return;
-  const raw = active.inputJsonParts.join("");
+  const active2 = state.activeToolBlocks[event.index];
+  if (!active2) return;
+  const raw = active2.inputJsonParts.join("");
   let parsedInput;
   try {
     parsedInput = raw ? JSON.parse(raw) : {};
@@ -19214,8 +19214,8 @@ function handleContentBlockStop(event, state) {
   }
   state.toolCalls.push({
     type: "tool_use",
-    id: active.id,
-    name: active.name,
+    id: active2.id,
+    name: active2.name,
     input: parsedInput
   });
   delete state.activeToolBlocks[event.index];
@@ -46241,9 +46241,10 @@ __export(auth_exports, {
   maskKey: () => maskKey,
   openBrowser: () => openBrowser,
   pollAuthSession: () => pollAuthSession,
-  saveCredentials: () => saveCredentials
+  saveCredentials: () => saveCredentials,
+  scrubAuthToken: () => scrubAuthToken
 });
-import { readFileSync as readFileSync2, writeFileSync, unlinkSync, existsSync as existsSync2, chmodSync } from "node:fs";
+import { readFileSync as readFileSync2, writeFileSync, unlinkSync, existsSync as existsSync2, chmodSync, lstatSync, openSync, fchmodSync, closeSync, constants as fsConstants } from "node:fs";
 import { join as join4 } from "node:path";
 import { homedir } from "node:os";
 import { spawn } from "node:child_process";
@@ -46296,7 +46297,47 @@ async function pollAuthSession(sessionId) {
 function configPath() {
   return join4(homedir(), CONFIG_FILE);
 }
+function ensureConfigPerms(path2) {
+  let st;
+  try {
+    st = lstatSync(path2);
+  } catch {
+    return;
+  }
+  if (!st || typeof st.isSymbolicLink !== "function") return;
+  if (st.isSymbolicLink()) {
+    process.stderr.write(
+      `Warning: ${path2} is a symlink; refusing to chmod (would affect the symlink target). Replace with a regular file to enforce 0o600.
+`
+    );
+    return;
+  }
+  if (typeof st.isFile === "function" && !st.isFile()) return;
+  const mode = (st.mode ?? 384) & 511;
+  if (mode === 384) return;
+  process.stderr.write(
+    `Warning: ${path2} has perms 0o${mode.toString(8)} (expected 0o600); re-tightening.
+`
+  );
+  let fd;
+  try {
+    fd = openSync(path2, fsConstants.O_RDONLY | fsConstants.O_NOFOLLOW);
+    fchmodSync(fd, 384);
+  } catch {
+  } finally {
+    if (fd !== void 0) {
+      try {
+        closeSync(fd);
+      } catch {
+      }
+    }
+  }
+}
+function scrubAuthToken(s) {
+  return s.replace(/\bdgk_[A-Za-z0-9]{16,}\b/g, "dgk_<REDACTED>").replace(/\bBearer\s+[A-Za-z0-9_.-]{24,}\b/g, "Bearer <REDACTED>");
+}
 function readConfig() {
+  ensureConfigPerms(configPath());
   let raw;
   try {
     raw = readFileSync2(configPath(), "utf-8");
@@ -46418,20 +46459,65 @@ var config_exports = {};
 __export(config_exports, {
   USAGE: () => USAGE,
   getVersion: () => getVersion,
-  parseConfig: () => parseConfig
+  parseConfig: () => parseConfig,
+  warnUnknownDgrcKeys: () => warnUnknownDgrcKeys
 });
 import { parseArgs } from "node:util";
 import { readFileSync as readFileSync3, existsSync as existsSync3 } from "node:fs";
 import { join as join5, dirname as dirname3 } from "node:path";
 import { fileURLToPath } from "node:url";
 import { homedir as homedir2 } from "node:os";
+function levenshtein(a, b) {
+  if (a === b) return 0;
+  if (a.length === 0) return b.length;
+  if (b.length === 0) return a.length;
+  const m = a.length;
+  const n = b.length;
+  let prev = Array.from({ length: n + 1 }, (_, i) => i);
+  let curr = new Array(n + 1);
+  for (let i = 1; i <= m; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+    }
+    [prev, curr] = [curr, prev];
+  }
+  return prev[n];
+}
+function warnUnknownDgrcKeys(parsed, source) {
+  for (const key of Object.keys(parsed)) {
+    if (KNOWN_DGRC_KEYS.includes(key)) continue;
+    if (INTERNAL_DGRC_KEYS.includes(key)) continue;
+    let bestKey = null;
+    let bestDistance = Infinity;
+    for (const known of KNOWN_DGRC_KEYS) {
+      const d = levenshtein(key, known);
+      if (d < bestDistance) {
+        bestDistance = d;
+        bestKey = known;
+      }
+    }
+    const suggestion = bestKey && bestDistance <= 2 ? ` (did you mean "${bestKey}"?)` : ` (valid keys: ${KNOWN_DGRC_KEYS.join(", ")})`;
+    process.stderr.write(
+      `Warning: unknown key "${key}" in ${source}${suggestion}; ignored.
+`
+    );
+  }
+}
 function loadDgrc() {
   const cwdPath = join5(process.cwd(), ".dgrc.json");
   const homePath = join5(homedir2(), ".dgrc.json");
   let config3 = {};
   if (existsSync3(homePath)) {
     try {
-      config3 = JSON.parse(readFileSync3(homePath, "utf-8"));
+      const home = JSON.parse(readFileSync3(homePath, "utf-8"));
+      warnUnknownDgrcKeys(home, homePath);
+      const homeFiltered = {};
+      for (const k of KNOWN_DGRC_KEYS) {
+        if (k in home) homeFiltered[k] = home[k];
+      }
+      config3 = homeFiltered;
     } catch {
       process.stderr.write(`Warning: Failed to parse ${homePath}, ignoring.
 `);
@@ -46440,8 +46526,11 @@ function loadDgrc() {
   if (existsSync3(cwdPath) && cwdPath !== homePath) {
     try {
       const cwd2 = JSON.parse(readFileSync3(cwdPath, "utf-8"));
-      const { apiKey: _k, apiUrl: _u, ...safeKeys } = cwd2;
-      Object.assign(config3, safeKeys);
+      warnUnknownDgrcKeys(cwd2, cwdPath);
+      for (const k of KNOWN_DGRC_KEYS) {
+        if (k === "apiKey" || k === "apiUrl") continue;
+        if (k in cwd2) config3[k] = cwd2[k];
+      }
     } catch {
       process.stderr.write(`Warning: Failed to parse ${cwdPath}, ignoring.
 `);
@@ -46454,6 +46543,14 @@ function validateApiUrl(url) {
     const parsed = new URL(url);
     const rawHost = parsed.hostname;
     const host = rawHost.startsWith("[") && rawHost.endsWith("]") ? rawHost.slice(1, -1) : rawHost;
+    const isLinkLocal = /^169\.254\./.test(host) || /^fe[89ab][0-9a-f]:/i.test(host);
+    if (isLinkLocal) {
+      process.stderr.write(
+        `Error: API URL host ${host} is link-local / metadata; refusing (SSRF defense). If you genuinely need this, set DG_API_URL to the explicit hostname of your test target.
+`
+      );
+      process.exit(1);
+    }
     const isLocal = host === "localhost" || // IPv4: loopback, RFC 1918, CGNAT. Proper octet regex — not prefix matching,
     // which would wrongly accept `192.1680.0.1` or `100.1.2.3` (public).
     /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/.test(host) || // IPv6: loopback and unique local (fc00::/7 → fc** or fd**)
@@ -46492,7 +46589,8 @@ function parseConfig(argv, strictFlags = true) {
         mode: { type: "string" },
         "max-packages": { type: "string" },
         json: { type: "boolean", default: false },
-        "scan-all": { type: "boolean", default: false },
+        "scan-all": { type: "boolean", default: true },
+        "changed-only": { type: "boolean", default: false },
         "base-lockfile": { type: "string" },
         workspace: { type: "string", short: "w" },
         output: { type: "string", short: "o" },
@@ -46533,8 +46631,7 @@ function parseConfig(argv, strictFlags = true) {
   }
   const command = positionals[0] ?? "scan";
   const dgrc = loadDgrc();
-  const apiKey = dgrc.apiKey && typeof dgrc.apiKey === "string" && dgrc.apiKey.startsWith("dg_live_") ? dgrc.apiKey : null;
-  const deviceId = getOrCreateDeviceId();
+  const apiKey = dgrc.apiKey && typeof dgrc.apiKey === "string" && (dgrc.apiKey.startsWith("dg_live_") || dgrc.apiKey.startsWith("dg_test_")) ? dgrc.apiKey : null;
   const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? "warn";
   if (!["block", "warn", "off"].includes(modeRaw)) {
     process.stderr.write(
@@ -46549,16 +46646,18 @@ function parseConfig(argv, strictFlags = true) {
     process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
     process.exit(1);
   }
+  const apiUrl = validateApiUrl(
+    values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com"
+  );
+  const deviceId = getOrCreateDeviceId();
   return {
     apiKey,
     deviceId,
-    apiUrl: validateApiUrl(
-      values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com"
-    ),
+    apiUrl,
     mode: modeRaw,
     maxPackages,
     json: values.json,
-    scanAll: values["scan-all"],
+    scanAll: values["changed-only"] ? false : values["scan-all"],
     baseLockfile: values["base-lockfile"] ?? null,
     workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
     outputFile: values.output ?? null,
@@ -46566,11 +46665,13 @@ function parseConfig(argv, strictFlags = true) {
     debug: debug2
   };
 }
-var USAGE;
+var KNOWN_DGRC_KEYS, INTERNAL_DGRC_KEYS, USAGE;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
     init_auth();
+    KNOWN_DGRC_KEYS = ["apiKey", "apiUrl", "mode", "maxPackages"];
+    INTERNAL_DGRC_KEYS = ["deviceId", "firstRunCompletedAt"];
     USAGE = `
   Dependency Guardian \u2014 Supply chain security scanner
 
@@ -46603,7 +46704,8 @@ var init_config = __esm({
     --mode <mode>            block | warn | off (default: warn)
     --max-packages <n>       Max packages per scan (default: 10000)
     --json                   Output JSON for CI parsing
-    --scan-all               Scan all packages, not just changed
+    --scan-all               Scan all packages (default)
+    --changed-only           Only scan packages changed since base lockfile
     --base-lockfile <path>   Path to base lockfile for explicit diff
     --workspace <dir>        Scan a specific workspace subdirectory
     --output, -o <file>      Save JSON results to file (use with --json)
@@ -46718,7 +46820,13 @@ function parsePackageSpec(spec) {
     versionSpec: spec.slice(atIdx + 1)
   };
 }
+function isFlagLikeSpec(spec) {
+  return spec.startsWith("-");
+}
 async function resolveVersion(spec) {
+  if (isFlagLikeSpec(spec)) {
+    return null;
+  }
   return new Promise((resolve2) => {
     const child = spawn2("npm", ["view", spec, "version"], {
       stdio: ["pipe", "pipe", "pipe"]
@@ -48378,6 +48486,34 @@ var init_update_check = __esm({
   }
 });
 
+// src/alt-screen.ts
+var alt_screen_exports = {};
+__export(alt_screen_exports, {
+  altScreenActive: () => altScreenActive,
+  enterAltScreen: () => enterAltScreen,
+  leaveAltScreen: () => leaveAltScreen
+});
+function enterAltScreen() {
+  if (!process.stdout.isTTY || active) return;
+  process.stdout.write("\x1B[?1049h\x1B[2J\x1B[H");
+  active = true;
+}
+function leaveAltScreen() {
+  if (!active) return;
+  process.stdout.write("\x1B[?1049l\x1B[?25h");
+  active = false;
+}
+function altScreenActive() {
+  return active;
+}
+var active;
+var init_alt_screen = __esm({
+  "src/alt-screen.ts"() {
+    "use strict";
+    active = false;
+  }
+});
+
 // node_modules/react/cjs/react.production.min.js
 var require_react_production_min = __commonJS({
   "node_modules/react/cjs/react.production.min.js"(exports) {
@@ -82374,18 +82510,26 @@ var discover_exports = {};
 __export(discover_exports, {
   discoverProjects: () => discoverProjects
 });
-import { existsSync as existsSync6, readFileSync as readFileSync7, readdirSync, lstatSync } from "node:fs";
+import { readFileSync as readFileSync7, readdirSync, lstatSync as lstatSync2 } from "node:fs";
 import { join as join8, relative as relative2, basename as basename2 } from "node:path";
 function discoverProjects(root) {
   const projects = [];
   walk(root, root, 0, projects);
   return projects.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
 }
+function isSafeRegularFile(path2) {
+  try {
+    const st = lstatSync2(path2);
+    return st.isFile() && !st.isSymbolicLink();
+  } catch {
+    return false;
+  }
+}
 function walk(dir, root, depth, out) {
   if (depth > MAX_DEPTH) return;
   for (const lockfile of NPM_LOCKFILES) {
     const lockPath = join8(dir, lockfile);
-    if (existsSync6(lockPath)) {
+    if (isSafeRegularFile(lockPath)) {
       const count = countNpmPackages(lockPath);
       if (count > 0) {
         out.push({
@@ -82401,7 +82545,7 @@ function walk(dir, root, depth, out) {
   }
   for (const depFile of PYTHON_DEPFILES) {
     const depPath = join8(dir, depFile);
-    if (existsSync6(depPath)) {
+    if (isSafeRegularFile(depPath)) {
       const count = countPythonPackages(depPath, depFile);
       if (count > 0) {
         out.push({
@@ -82425,7 +82569,7 @@ function walk(dir, root, depth, out) {
     if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
     const full = join8(dir, entry);
     try {
-      const st = lstatSync(full);
+      const st = lstatSync2(full);
       if (st.isDirectory() && !st.isSymbolicLink()) {
         walk(full, root, depth + 1, out);
       }
@@ -82518,7 +82662,8 @@ __export(hook_exports, {
 });
 import { execFileSync as execFileSync2 } from "node:child_process";
 import {
-  existsSync as existsSync7,
+  existsSync as existsSync6,
+  lstatSync as lstatSync3,
   readFileSync as readFileSync8,
   writeFileSync as writeFileSync3,
   mkdirSync,
@@ -82526,9 +82671,40 @@ import {
   unlinkSync as unlinkSync2
 } from "node:fs";
 import { join as join9, dirname as dirname4 } from "node:path";
-function findGitDir() {
+function assertSafeWriteTarget(target) {
+  const parent = dirname4(target);
   try {
-    return execFileSync2("git", ["rev-parse", "--git-dir"], {
+    const parentStat = lstatSync3(parent);
+    if (parentStat.isSymbolicLink()) {
+      throw new Error(
+        `refusing to write to ${target}: parent dir ${parent} is a symlink (possible path-traversal attack)`
+      );
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.startsWith("refusing")) {
+      throw e;
+    }
+  }
+  try {
+    const targetStat = lstatSync3(target);
+    if (targetStat.isSymbolicLink()) {
+      throw new Error(
+        `refusing to write to ${target}: target is a symlink (possible path-traversal attack)`
+      );
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.startsWith("refusing")) {
+      throw e;
+    }
+  }
+}
+function safeWriteFileSync(target, content) {
+  assertSafeWriteTarget(target);
+  writeFileSync3(target, content);
+}
+function findHooksDir() {
+  try {
+    return execFileSync2("git", ["rev-parse", "--git-path", "hooks"], {
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
     }).trim();
@@ -82551,9 +82727,9 @@ function detectHookFramework(repoRoot) {
   const huskyHook = join9(root, ".husky", "pre-commit");
   const lefthookConfig = join9(root, "lefthook.yml");
   const lefthookConfigYaml = join9(root, "lefthook.yaml");
-  const gitDir = findGitDir();
-  const bareHook = join9(gitDir, "hooks", "pre-commit");
-  if (existsSync7(huskyHook)) {
+  const hooksDir = findHooksDir();
+  const bareHook = join9(hooksDir, "pre-commit");
+  if (existsSync6(huskyHook)) {
     const content = readFileSync8(huskyHook, "utf-8");
     return {
       framework: "husky",
@@ -82562,7 +82738,7 @@ function detectHookFramework(repoRoot) {
     };
   }
   for (const cfg of [lefthookConfig, lefthookConfigYaml]) {
-    if (existsSync7(cfg)) {
+    if (existsSync6(cfg)) {
       const content = readFileSync8(cfg, "utf-8");
       const installed2 = /^\s+dependency-guardian\s*:/m.test(content);
       return {
@@ -82573,7 +82749,7 @@ function detectHookFramework(repoRoot) {
     }
   }
   let installed = false;
-  if (existsSync7(bareHook)) {
+  if (existsSync6(bareHook)) {
     installed = readFileSync8(bareHook, "utf-8").includes(HOOK_MARKER);
   }
   return {
@@ -82595,7 +82771,7 @@ ${HUSKY_SNIPPET}`;
 
 ${LEFTHOOK_ENTRY}`;
     case "bare":
-      if (existsSync7(info.targetFile)) {
+      if (existsSync6(info.targetFile)) {
         return `Will append to existing hook at ${info.targetFile}:
 ${HOOK_SECTION}`;
       }
@@ -82609,7 +82785,7 @@ function installHuskyHook(targetFile) {
     process.stderr.write("  Hook already installed in Husky.\n");
     return;
   }
-  writeFileSync3(targetFile, existing.trimEnd() + "\n" + HUSKY_SNIPPET);
+  safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HUSKY_SNIPPET);
   try {
     chmodSync2(targetFile, 493);
   } catch {
@@ -82631,7 +82807,7 @@ function installLefthookHook(targetFile) {
         /^(\s{2}commands\s*:\s*)$/m,
         `$1
     ${LEFTHOOK_MARKER}:
-      glob: "{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json}"
+      glob: "**/{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json,requirements.txt,requirements-*.txt,Pipfile.lock,poetry.lock}"
       run: dg scan --mode block`
       );
     } else {
@@ -82645,20 +82821,20 @@ function installLefthookHook(targetFile) {
   } else {
     updated = existing.trimEnd() + "\n\n" + LEFTHOOK_ENTRY;
   }
-  writeFileSync3(targetFile, updated);
+  safeWriteFileSync(targetFile, updated);
   process.stderr.write(`  Added Dependency Guardian to ${targetFile}
 `);
 }
 function installBareHook(targetFile) {
   const hooksDir = dirname4(targetFile);
   mkdirSync(hooksDir, { recursive: true });
-  if (existsSync7(targetFile)) {
+  if (existsSync6(targetFile)) {
     const existing = readFileSync8(targetFile, "utf-8");
     if (existing.includes(HOOK_MARKER)) {
       process.stderr.write("  Hook already installed.\n");
       return;
     }
-    writeFileSync3(targetFile, existing.trimEnd() + "\n" + HOOK_SECTION);
+    safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HOOK_SECTION);
     chmodSync2(targetFile, 493);
     process.stderr.write(
       `  Appended Dependency Guardian hook to existing ${targetFile}
@@ -82666,7 +82842,7 @@ function installBareHook(targetFile) {
     );
     return;
   }
-  writeFileSync3(targetFile, HOOK_SCRIPT);
+  safeWriteFileSync(targetFile, HOOK_SCRIPT);
   chmodSync2(targetFile, 493);
   process.stderr.write(`  Installed git pre-commit hook at ${targetFile}
 `);
@@ -82689,12 +82865,12 @@ function installHook() {
   installHookForFramework(info);
 }
 function uninstallHook() {
-  const gitDir = findGitDir();
-  const hookPath = join9(gitDir, "hooks", "pre-commit");
+  const hooksDir = findHooksDir();
+  const hookPath = join9(hooksDir, "pre-commit");
   try {
     const root = findRepoRoot();
     const huskyPath = join9(root, ".husky", "pre-commit");
-    if (existsSync7(huskyPath)) {
+    if (existsSync6(huskyPath)) {
       const content2 = readFileSync8(huskyPath, "utf-8");
       if (content2.includes(HOOK_MARKER)) {
         const startIdx2 = content2.indexOf(MARKER_START);
@@ -82703,7 +82879,7 @@ function uninstallHook() {
           const before = content2.slice(0, startIdx2).trimEnd();
           const after = content2.slice(endIdx2 + MARKER_END.length).trimStart();
           const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
-          writeFileSync3(huskyPath, remaining);
+          safeWriteFileSync(huskyPath, remaining);
           process.stderr.write(
             `  Removed Dependency Guardian section from ${huskyPath}
 `
@@ -82713,14 +82889,14 @@ function uninstallHook() {
       }
     }
     for (const cfg of [join9(root, "lefthook.yml"), join9(root, "lefthook.yaml")]) {
-      if (existsSync7(cfg)) {
+      if (existsSync6(cfg)) {
         const content2 = readFileSync8(cfg, "utf-8");
         if (/^\s+dependency-guardian\s*:/m.test(content2)) {
           const stripped = content2.replace(
             /^\s+dependency-guardian\s*:\s*\n(?:\s{6,}.*\n)+/gm,
             ""
           );
-          writeFileSync3(cfg, stripped);
+          safeWriteFileSync(cfg, stripped);
           process.stderr.write(
             `  Removed Dependency Guardian section from ${cfg}
 `
@@ -82731,7 +82907,7 @@ function uninstallHook() {
     }
   } catch {
   }
-  if (!existsSync7(hookPath)) {
+  if (!existsSync6(hookPath)) {
     process.stderr.write("  No hook to remove.\n");
     return;
   }
@@ -82754,7 +82930,7 @@ function uninstallHook() {
     const before = content.slice(0, startIdx).trimEnd();
     const after = content.slice(endIdx + MARKER_END.length).trimStart();
     const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
-    writeFileSync3(hookPath, remaining);
+    safeWriteFileSync(hookPath, remaining);
     process.stderr.write(
       `  Removed Dependency Guardian section from ${hookPath}
 `
@@ -82800,16 +82976,12 @@ var init_hook = __esm({
     HOOK_SCRIPT = `#!/bin/sh
 ${HOOK_MARKER} \u2014 installed by \`dg hook install\`
 
-# Check if any lockfiles are staged
-STAGED=""
-for f in package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
-  if git diff --cached --name-only | grep -q "^\${f}$"; then
-    STAGED="yes"
-    break
-  fi
-done
-
-if [ -z "$STAGED" ]; then
+# Match any of the watched lockfiles, including in subdirectories
+# (monorepos) \u2014 the regex anchors at start-of-path OR after a slash.
+# Mirrors the GitHub-App side which is monorepo-aware via basename
+# matching against NPM_DEPENDENCY_FILES + isPythonDepFile.
+if ! git diff --cached --name-only | grep -qE \\
+  '(^|/)(package-lock\\.json|npm-shrinkwrap\\.json|yarn\\.lock|pnpm-lock\\.yaml|requirements(-[^/]+)?\\.txt|Pipfile\\.lock|poetry\\.lock)$'; then
   exit 0
 fi
 
@@ -82846,7 +83018,7 @@ ${MARKER_START}
 ${HOOK_MARKER} \u2014 installed by \`dg hook install\`
 DG_BIN=$(command -v dg 2>/dev/null || command -v dependency-guardian 2>/dev/null)
 if [ -n "$DG_BIN" ]; then
-  if git diff --cached --name-only | grep -qE '^(package-lock\\.json|npm-shrinkwrap\\.json|yarn\\.lock|pnpm-lock\\.yaml)$'; then
+  if git diff --cached --name-only | grep -qE '(^|/)(package-lock\\.json|npm-shrinkwrap\\.json|yarn\\.lock|pnpm-lock\\.yaml|requirements(-[^/]+)?\\.txt|Pipfile\\.lock|poetry\\.lock)$'; then
     echo "Dependency Guardian: lockfile change detected, scanning..." >&2
     NO_COLOR=1 "$DG_BIN" scan --mode block
     DG_EXIT=$?
@@ -82861,7 +83033,7 @@ ${MARKER_END}
     LEFTHOOK_ENTRY = `  pre-commit:
     commands:
       ${LEFTHOOK_MARKER}:
-        glob: "{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json}"
+        glob: "**/{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json,requirements.txt,requirements-*.txt,Pipfile.lock,poetry.lock}"
         run: dg scan --mode block
 `;
     USAGE2 = `
@@ -83126,7 +83298,7 @@ var init_parse_package_json = __esm({
 
 // src/lockfile.ts
 import { execFileSync as execFileSync3 } from "node:child_process";
-import { readFileSync as readFileSync9, existsSync as existsSync8, statSync } from "node:fs";
+import { readFileSync as readFileSync9, existsSync as existsSync7, statSync } from "node:fs";
 import { join as join10 } from "node:path";
 function readFileSafe(path2) {
   const size = statSync(path2).size;
@@ -83143,7 +83315,7 @@ function discoverChanges(cwd2, config3) {
   const pythonDepFiles = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
   let pythonPackages = [];
   for (const pyFile of pythonDepFiles) {
-    if (existsSync8(join10(cwd2, pyFile))) {
+    if (existsSync7(join10(cwd2, pyFile))) {
       const pyPkgs = parsePythonDepFile(cwd2, pyFile);
       for (const p of pyPkgs) {
         if (p.version === "latest") continue;
@@ -83168,66 +83340,53 @@ function discoverChanges(cwd2, config3) {
   const headContent = readFileSafe(lockfileInfo.path);
   const headParsed = parseLockfileByType(headContent, lockfileInfo.type);
   const directDeps = getDirectDeps(cwd2);
-  if (config3.scanAll) {
-    const packages2 = [];
-    for (const [name, entry] of headParsed.packages) {
-      if (packages2.length >= config3.maxPackages) break;
-      if (entry.optional && entry.hasPlatformRestriction) continue;
-      if (name === SELF_PACKAGE) continue;
-      packages2.push({
-        name,
-        version: entry.version,
-        previousVersion: null,
-        isNew: true
-      });
-    }
-    return { packages: packages2, pythonPackages, method: "scan-all", skipped: [] };
-  }
   if (config3.baseLockfile) {
-    if (!existsSync8(config3.baseLockfile)) {
+    if (!existsSync7(config3.baseLockfile)) {
       throw new Error(`Base lockfile not found: ${config3.baseLockfile}`);
     }
-    const baseContent2 = readFileSafe(config3.baseLockfile);
-    const baseParsed = parseLockfile(baseContent2);
-    const diff2 = diffLockfiles(baseParsed, headParsed, config3.maxPackages, directDeps);
-    return {
-      packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
-      pythonPackages,
-      method: "base-lockfile",
-      skipped: diff2.skipped
-    };
-  }
-  const baseContent = getGitBaseLockfile(cwd2);
-  if (baseContent !== null) {
+    const baseContent = readFileSafe(config3.baseLockfile);
     const baseParsed = parseLockfile(baseContent);
     const diff2 = diffLockfiles(baseParsed, headParsed, config3.maxPackages, directDeps);
     return {
       packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
       pythonPackages,
-      method: "git-diff",
+      method: "base-lockfile",
       skipped: diff2.skipped
     };
   }
-  const pkgJsonPath = join10(cwd2, "package.json");
-  if (existsSync8(pkgJsonPath)) {
-    const headPkgJson = readFileSafe(pkgJsonPath);
-    const basePkgJson = getGitBaseFile(cwd2, "package.json");
-    if (basePkgJson !== null) {
-      const diff2 = diffPackageJsons(basePkgJson, headPkgJson, config3.maxPackages);
-      const resolved = diff2.changes.map((change) => {
-        const lockEntry = headParsed.packages.get(change.name);
-        return {
-          ...change,
-          newVersion: lockEntry?.version ?? change.newVersion
-        };
-      });
+  if (!config3.scanAll) {
+    const baseContent = getGitBaseLockfile(cwd2);
+    if (baseContent !== null) {
+      const baseParsed = parseLockfile(baseContent);
+      const diff2 = diffLockfiles(baseParsed, headParsed, config3.maxPackages, directDeps);
       return {
-        packages: resolved.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
+        packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
         pythonPackages,
-        method: "fallback",
-        skipped: []
+        method: "git-diff",
+        skipped: diff2.skipped
       };
     }
+    const pkgJsonPath = join10(cwd2, "package.json");
+    if (existsSync7(pkgJsonPath)) {
+      const headPkgJson = readFileSafe(pkgJsonPath);
+      const basePkgJson = getGitBaseFile(cwd2, "package.json");
+      if (basePkgJson !== null) {
+        const diff2 = diffPackageJsons(basePkgJson, headPkgJson, config3.maxPackages);
+        const resolved = diff2.changes.map((change) => {
+          const lockEntry = headParsed.packages.get(change.name);
+          return {
+            ...change,
+            newVersion: lockEntry?.version ?? change.newVersion
+          };
+        });
+        return {
+          packages: resolved.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
+          pythonPackages,
+          method: "fallback",
+          skipped: []
+        };
+      }
+    }
   }
   const packages = [];
   for (const [name, entry] of headParsed.packages) {
@@ -83241,7 +83400,7 @@ function discoverChanges(cwd2, config3) {
       isNew: true
     });
   }
-  return { packages, pythonPackages, method: "fallback", skipped: [] };
+  return { packages, pythonPackages, method: "scan-all", skipped: [] };
 }
 function findLockfile(cwd2) {
   const candidates = [
@@ -83252,7 +83411,7 @@ function findLockfile(cwd2) {
   ];
   for (const [name, type] of candidates) {
     const p = join10(cwd2, name);
-    if (existsSync8(p)) return { path: p, type };
+    if (existsSync7(p)) return { path: p, type };
   }
   return null;
 }
@@ -83514,7 +83673,7 @@ async function callAnalyzeAPI(packages, config3, onProgress) {
   const results = [];
   let completed = 0;
   const tTotal = Date.now();
-  if (onProgress) onProgress(0, packages.length, batches[0]?.map((p) => p.name) ?? []);
+  if (onProgress) onProgress(0, packages.length, []);
   for (let i = 0; i < batches.length; i++) {
     const batch = batches[i];
     const tBatch = Date.now();
@@ -83522,7 +83681,7 @@ async function callAnalyzeAPI(packages, config3, onProgress) {
     if (process.env.DG_PERF) console.error(`[CLI-PERF] batch ${i + 1}/${batches.length}: ${batch.length} packages \u2192 ${Date.now() - tBatch}ms`);
     completed += batch.length;
     if (onProgress) {
-      onProgress(completed, packages.length, batches[i + 1]?.map((p) => p.name) ?? batch.map((p) => p.name));
+      onProgress(completed, packages.length, batch.map((p) => p.name));
     }
     results.push(result);
   }
@@ -83901,6 +84060,10 @@ function initialState(dryRun, firstRun) {
   };
 }
 function reducer(state, action) {
+  if (process.env.DG_DEBUG_WIZARD && action.type !== "scan_progress") {
+    process.stderr.write(`[wizard] action=${action.type} phase=${state.phase}
+`);
+  }
   switch (action.type) {
     // ── First-run guided tour transitions ──────────────────────────────────
     case "welcome_yes":
@@ -84119,18 +84282,26 @@ function useInit(opts = {}) {
       const projects = state.projects.length > 0 ? state.projects : [{ path: opts.cwd ?? process.cwd() }];
       const allOutcomes = [];
       for (const proj of projects) {
+        if (process.env.DG_DEBUG_WIZARD) process.stderr.write(`[wizard] scanning ${proj.path}
+`);
         const outcome = await scanFn(proj.path, config3, (p) => {
           dispatch({ type: "scan_progress", progress: p });
         });
+        if (process.env.DG_DEBUG_WIZARD) process.stderr.write(`[wizard] scan done ${proj.path} status=${outcome.status}
+`);
         allOutcomes.push(outcome);
       }
-      const allPackages = allOutcomes.flatMap(
-        (o) => o.result?.result.packages ?? []
-      );
-      const totalScanned = allOutcomes.reduce(
-        (sum, o) => sum + (o.result?.scannedCount ?? 0),
-        0
-      );
+      const allPackages = [];
+      const seen = /* @__PURE__ */ new Set();
+      for (const outcome of allOutcomes) {
+        for (const pkg of outcome.result?.result.packages ?? []) {
+          const key = `${pkg.name}@${pkg.version}`;
+          if (seen.has(key)) continue;
+          seen.add(key);
+          allPackages.push(pkg);
+        }
+      }
+      const totalScanned = seen.size;
       const totalDuration = allOutcomes.reduce(
         (sum, o) => sum + (o.result?.durationMs ?? 0),
         0
@@ -87239,20 +87410,14 @@ var init_InitApp = __esm({
       const { exit } = use_app_default();
       useTerminalSize();
       const [yesNoCursor, setYesNoCursor] = (0, import_react27.useState)(defaultYesNoCursor(state.phase));
-      const altScreenActiveRef = (0, import_react27.useRef)(false);
+      const prevPhaseRef = (0, import_react27.useRef)(state.phase);
+      const [, forceTick] = (0, import_react27.useState)(0);
       (0, import_react27.useEffect)(() => {
-        if (!process.stdout.isTTY) return;
-        process.stdout.write("\x1B[?1049h");
-        process.stdout.write("\x1B[2J\x1B[H");
-        altScreenActiveRef.current = true;
-        return () => {
-          if (altScreenActiveRef.current) {
-            process.stdout.write("\x1B[?1049l");
-            altScreenActiveRef.current = false;
-          }
-          process.stdout.write("\x1B[?25h");
-        };
-      }, []);
+        if (prevPhaseRef.current === "run_scan" && state.phase === "result_first_scan") {
+          Promise.resolve().then(() => forceTick((n) => n + 1));
+        }
+        prevPhaseRef.current = state.phase;
+      }, [state.phase]);
       (0, import_react27.useEffect)(() => {
         if (YES_NO_PHASES.has(state.phase)) {
           setYesNoCursor(defaultYesNoCursor(state.phase));
@@ -87654,8 +87819,7 @@ var init_InitApp = __esm({
         case "run_scan": {
           const p = state.scanProgress;
           if (p && p.total > 0) {
-            const currentLabel = p.current.length > 0 ? p.current[0] : void 0;
-            return /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(ProgressBar, { value: p.done, total: p.total, label: currentLabel });
+            return /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(ProgressBar, { value: p.done, total: p.total });
           }
           return /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(Scene, { mood: "scanning", color: "cyan", children: /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(Spinner2, { label: "Scanning..." }) });
         }
@@ -87907,19 +88071,25 @@ async function maybeOfferFirstRunWizard(opts) {
     const { render: render2 } = await init_build2().then(() => build_exports);
     const React21 = await Promise.resolve().then(() => __toESM(require_react()));
     const { InitApp: InitApp2 } = await init_InitApp().then(() => InitApp_exports);
-    const { waitUntilExit } = render2(
-      React21.createElement(InitApp2, {
-        firstRun: true,
-        onReachedDone: () => {
-          reachedDone = true;
-        },
-        onScanRan: () => {
-          scanRanInWizard = true;
-        }
-      })
-    );
-    mounted = true;
-    await waitUntilExit();
+    const { enterAltScreen: enterAltScreen2, leaveAltScreen: leaveAltScreen2 } = await Promise.resolve().then(() => (init_alt_screen(), alt_screen_exports));
+    enterAltScreen2();
+    try {
+      const { waitUntilExit } = render2(
+        React21.createElement(InitApp2, {
+          firstRun: true,
+          onReachedDone: () => {
+            reachedDone = true;
+          },
+          onScanRan: () => {
+            scanRanInWizard = true;
+          }
+        })
+      );
+      mounted = true;
+      await waitUntilExit();
+    } finally {
+      leaveAltScreen2();
+    }
   } catch {
     return;
   }
@@ -88169,7 +88339,7 @@ var init_LoginApp = __esm({
 
 // src/pip-wrapper.ts
 import { spawn as spawn3 } from "node:child_process";
-import { readFileSync as readFileSync10, existsSync as existsSync9 } from "node:fs";
+import { readFileSync as readFileSync10, existsSync as existsSync8 } from "node:fs";
 function parsePipArgs(args) {
   let dgForce = false;
   const filtered = [];
@@ -88232,7 +88402,7 @@ function pipFlagTakesValue(flag) {
   return false;
 }
 function parseRequirementsFile(filePath) {
-  if (!existsSync9(filePath)) return [];
+  if (!existsSync8(filePath)) return [];
   try {
     const content = readFileSync10(filePath, "utf-8");
     const specs = [];
@@ -88372,7 +88542,7 @@ var FileSavePrompt_exports = {};
 __export(FileSavePrompt_exports, {
   FileSavePrompt: () => FileSavePrompt
 });
-import { existsSync as existsSync10, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "node:fs";
+import { existsSync as existsSync9, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "node:fs";
 import { dirname as dirname5, join as join11 } from "node:path";
 function listDirectory(dir) {
   try {
@@ -88474,7 +88644,7 @@ var init_FileSavePrompt = __esm({
           if (key.return) {
             const fullName = ensureJsonExtension(state.filename);
             const fullPath = join11(state.directory, fullName);
-            if (!state.confirmOverwrite && existsSync10(fullPath)) {
+            if (!state.confirmOverwrite && existsSync9(fullPath)) {
               dispatch({ type: "CONFIRM_OVERWRITE" });
               return;
             }
@@ -89735,7 +89905,7 @@ var init_ScoreHeader = __esm({
 });
 
 // src/ui/hooks/useExpandAnimation.ts
-function useExpandAnimation(targetHeight, active, durationMs = 180) {
+function useExpandAnimation(targetHeight, active2, durationMs = 180) {
   const [visibleLines, setVisibleLines] = (0, import_react32.useState)(0);
   const timerRef = (0, import_react32.useRef)(null);
   (0, import_react32.useEffect)(() => {
@@ -89743,7 +89913,7 @@ function useExpandAnimation(targetHeight, active, durationMs = 180) {
       clearInterval(timerRef.current);
       timerRef.current = null;
     }
-    if (!active || targetHeight <= 0) {
+    if (!active2 || targetHeight <= 0) {
       setVisibleLines(0);
       return;
     }
@@ -89766,10 +89936,10 @@ function useExpandAnimation(targetHeight, active, durationMs = 180) {
         timerRef.current = null;
       }
     };
-  }, [active, targetHeight, durationMs]);
+  }, [active2, targetHeight, durationMs]);
   return {
-    visibleLines: active ? visibleLines : 0,
-    isAnimating: active && visibleLines > 0 && visibleLines < targetHeight
+    visibleLines: active2 ? visibleLines : 0,
+    isAnimating: active2 && visibleLines > 0 && visibleLines < targetHeight
   };
 }
 var import_react32;
@@ -90882,7 +91052,7 @@ var init_App2 = __esm({
       (0, import_react35.useEffect)(() => {
         prevPhaseRef.current = state.phase;
       }, [state.phase]);
-      const leaveAltScreen = (0, import_react35.useCallback)(() => {
+      const leaveAltScreen2 = (0, import_react35.useCallback)(() => {
         if (altScreenActiveRef.current && process.stdout.isTTY) {
           process.stdout.write("\x1B[?1049l");
           altScreenActiveRef.current = false;
@@ -90900,15 +91070,15 @@ var init_App2 = __esm({
             process.exitCode = 0;
           }
         }
-        leaveAltScreen();
+        leaveAltScreen2();
         exit();
-      }, [state, config3, exit, leaveAltScreen]);
+      }, [state, config3, exit, leaveAltScreen2]);
       const exitWithMessage = (0, import_react35.useCallback)((message, exitCode) => {
         process.exitCode = exitCode;
-        leaveAltScreen();
+        leaveAltScreen2();
         process.stderr.write(message);
         return setTimeout(() => exit(), 0);
-      }, [exit, leaveAltScreen]);
+      }, [exit, leaveAltScreen2]);
       (0, import_react35.useEffect)(() => {
         if (state.phase === "empty") {
           const timer = exitWithMessage(`${state.message}
@@ -90936,7 +91106,7 @@ var init_App2 = __esm({
         if (state.phase === "discovering" || state.phase === "scanning") {
           if (input === "q" || key.escape) {
             process.exitCode = 0;
-            leaveAltScreen();
+            leaveAltScreen2();
             exit();
           }
         }
@@ -90953,7 +91123,7 @@ var init_App2 = __esm({
                 onConfirm: scanSelectedProjects,
                 onCancel: () => {
                   process.exitCode = 0;
-                  leaveAltScreen();
+                  leaveAltScreen2();
                   exit();
                 },
                 userStatus
@@ -91859,6 +92029,7 @@ init_telemetry();
 init_config();
 init_npm_wrapper();
 init_update_check();
+init_alt_screen();
 var CLI_VERSION = getVersion();
 initTelemetry(CLI_VERSION);
 function closestCommand(input, commands) {
@@ -91879,9 +92050,14 @@ function closestCommand(input, commands) {
   return bestDist <= 3 ? best : null;
 }
 process.on("SIGINT", () => {
+  leaveAltScreen();
   process.stderr.write("\n");
   process.exit(130);
 });
+process.on("SIGTERM", () => {
+  leaveAltScreen();
+  process.exit(143);
+});
 var isInteractive = process.stdout.isTTY === true && !process.env.CI && !process.env.NO_COLOR;
 async function main() {
   const rawCommand = process.argv[2];
@@ -91913,10 +92089,15 @@ async function main() {
       const { render: render3 } = await init_build2().then(() => build_exports);
       const React22 = await Promise.resolve().then(() => __toESM(require_react()));
       const { InitApp: InitApp2 } = await init_InitApp().then(() => InitApp_exports);
-      const { waitUntilExit } = render3(
-        React22.createElement(InitApp2, { firstRun: true, returning: true })
-      );
-      await waitUntilExit();
+      enterAltScreen();
+      try {
+        const { waitUntilExit } = render3(
+          React22.createElement(InitApp2, { firstRun: true, returning: true })
+        );
+        await waitUntilExit();
+      } finally {
+        leaveAltScreen();
+      }
       try {
         const { markFirstRunComplete: markFirstRunComplete2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
         markFirstRunComplete2();