@westbayberry/dg 1.0.53 → 1.0.56

package/dist/index.mjs

@@ -46241,9 +46241,10 @@ __export(auth_exports, {
   maskKey: () => maskKey,
   openBrowser: () => openBrowser,
   pollAuthSession: () => pollAuthSession,
-  saveCredentials: () => saveCredentials
+  saveCredentials: () => saveCredentials,
+  scrubAuthToken: () => scrubAuthToken
 });
-import { readFileSync as readFileSync2, writeFileSync, unlinkSync, existsSync as existsSync2, chmodSync } from "node:fs";
+import { readFileSync as readFileSync2, writeFileSync, unlinkSync, existsSync as existsSync2, chmodSync, lstatSync, openSync, fchmodSync, closeSync, constants as fsConstants } from "node:fs";
 import { join as join4 } from "node:path";
 import { homedir } from "node:os";
 import { spawn } from "node:child_process";
@@ -46296,7 +46297,47 @@ async function pollAuthSession(sessionId) {
 function configPath() {
   return join4(homedir(), CONFIG_FILE);
 }
+function ensureConfigPerms(path2) {
+  let st;
+  try {
+    st = lstatSync(path2);
+  } catch {
+    return;
+  }
+  if (!st || typeof st.isSymbolicLink !== "function") return;
+  if (st.isSymbolicLink()) {
+    process.stderr.write(
+      `Warning: ${path2} is a symlink; refusing to chmod (would affect the symlink target). Replace with a regular file to enforce 0o600.
+`
+    );
+    return;
+  }
+  if (typeof st.isFile === "function" && !st.isFile()) return;
+  const mode = (st.mode ?? 384) & 511;
+  if (mode === 384) return;
+  process.stderr.write(
+    `Warning: ${path2} has perms 0o${mode.toString(8)} (expected 0o600); re-tightening.
+`
+  );
+  let fd;
+  try {
+    fd = openSync(path2, fsConstants.O_RDONLY | fsConstants.O_NOFOLLOW);
+    fchmodSync(fd, 384);
+  } catch {
+  } finally {
+    if (fd !== void 0) {
+      try {
+        closeSync(fd);
+      } catch {
+      }
+    }
+  }
+}
+function scrubAuthToken(s) {
+  return s.replace(/\bdgk_[A-Za-z0-9]{16,}\b/g, "dgk_<REDACTED>").replace(/\bBearer\s+[A-Za-z0-9_.-]{24,}\b/g, "Bearer <REDACTED>");
+}
 function readConfig() {
+  ensureConfigPerms(configPath());
   let raw;
   try {
     raw = readFileSync2(configPath(), "utf-8");
@@ -46418,20 +46459,65 @@ var config_exports = {};
 __export(config_exports, {
   USAGE: () => USAGE,
   getVersion: () => getVersion,
-  parseConfig: () => parseConfig
+  parseConfig: () => parseConfig,
+  warnUnknownDgrcKeys: () => warnUnknownDgrcKeys
 });
 import { parseArgs } from "node:util";
 import { readFileSync as readFileSync3, existsSync as existsSync3 } from "node:fs";
 import { join as join5, dirname as dirname3 } from "node:path";
 import { fileURLToPath } from "node:url";
 import { homedir as homedir2 } from "node:os";
+function levenshtein(a, b) {
+  if (a === b) return 0;
+  if (a.length === 0) return b.length;
+  if (b.length === 0) return a.length;
+  const m = a.length;
+  const n = b.length;
+  let prev = Array.from({ length: n + 1 }, (_, i) => i);
+  let curr = new Array(n + 1);
+  for (let i = 1; i <= m; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+    }
+    [prev, curr] = [curr, prev];
+  }
+  return prev[n];
+}
+function warnUnknownDgrcKeys(parsed, source) {
+  for (const key of Object.keys(parsed)) {
+    if (KNOWN_DGRC_KEYS.includes(key)) continue;
+    if (INTERNAL_DGRC_KEYS.includes(key)) continue;
+    let bestKey = null;
+    let bestDistance = Infinity;
+    for (const known of KNOWN_DGRC_KEYS) {
+      const d = levenshtein(key, known);
+      if (d < bestDistance) {
+        bestDistance = d;
+        bestKey = known;
+      }
+    }
+    const suggestion = bestKey && bestDistance <= 2 ? ` (did you mean "${bestKey}"?)` : ` (valid keys: ${KNOWN_DGRC_KEYS.join(", ")})`;
+    process.stderr.write(
+      `Warning: unknown key "${key}" in ${source}${suggestion}; ignored.
+`
+    );
+  }
+}
 function loadDgrc() {
   const cwdPath = join5(process.cwd(), ".dgrc.json");
   const homePath = join5(homedir2(), ".dgrc.json");
   let config3 = {};
   if (existsSync3(homePath)) {
     try {
-      config3 = JSON.parse(readFileSync3(homePath, "utf-8"));
+      const home = JSON.parse(readFileSync3(homePath, "utf-8"));
+      warnUnknownDgrcKeys(home, homePath);
+      const homeFiltered = {};
+      for (const k of KNOWN_DGRC_KEYS) {
+        if (k in home) homeFiltered[k] = home[k];
+      }
+      config3 = homeFiltered;
     } catch {
       process.stderr.write(`Warning: Failed to parse ${homePath}, ignoring.
 `);
@@ -46440,8 +46526,11 @@ function loadDgrc() {
   if (existsSync3(cwdPath) && cwdPath !== homePath) {
     try {
       const cwd2 = JSON.parse(readFileSync3(cwdPath, "utf-8"));
-      const { apiKey: _k, apiUrl: _u, ...safeKeys } = cwd2;
-      Object.assign(config3, safeKeys);
+      warnUnknownDgrcKeys(cwd2, cwdPath);
+      for (const k of KNOWN_DGRC_KEYS) {
+        if (k === "apiKey" || k === "apiUrl") continue;
+        if (k in cwd2) config3[k] = cwd2[k];
+      }
     } catch {
       process.stderr.write(`Warning: Failed to parse ${cwdPath}, ignoring.
 `);
@@ -46454,6 +46543,14 @@ function validateApiUrl(url) {
     const parsed = new URL(url);
     const rawHost = parsed.hostname;
     const host = rawHost.startsWith("[") && rawHost.endsWith("]") ? rawHost.slice(1, -1) : rawHost;
+    const isLinkLocal = /^169\.254\./.test(host) || /^fe[89ab][0-9a-f]:/i.test(host);
+    if (isLinkLocal) {
+      process.stderr.write(
+        `Error: API URL host ${host} is link-local / metadata; refusing (SSRF defense). If you genuinely need this, set DG_API_URL to the explicit hostname of your test target.
+`
+      );
+      process.exit(1);
+    }
     const isLocal = host === "localhost" || // IPv4: loopback, RFC 1918, CGNAT. Proper octet regex — not prefix matching,
     // which would wrongly accept `192.1680.0.1` or `100.1.2.3` (public).
     /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/.test(host) || // IPv6: loopback and unique local (fc00::/7 → fc** or fd**)
@@ -46492,7 +46589,8 @@ function parseConfig(argv, strictFlags = true) {
         mode: { type: "string" },
         "max-packages": { type: "string" },
         json: { type: "boolean", default: false },
-        "scan-all": { type: "boolean", default: false },
+        "scan-all": { type: "boolean", default: true },
+        "changed-only": { type: "boolean", default: false },
         "base-lockfile": { type: "string" },
         workspace: { type: "string", short: "w" },
         output: { type: "string", short: "o" },
@@ -46533,8 +46631,7 @@ function parseConfig(argv, strictFlags = true) {
   }
   const command = positionals[0] ?? "scan";
   const dgrc = loadDgrc();
-  const apiKey = dgrc.apiKey && typeof dgrc.apiKey === "string" && dgrc.apiKey.startsWith("dg_live_") ? dgrc.apiKey : null;
-  const deviceId = getOrCreateDeviceId();
+  const apiKey = dgrc.apiKey && typeof dgrc.apiKey === "string" && (dgrc.apiKey.startsWith("dg_live_") || dgrc.apiKey.startsWith("dg_test_")) ? dgrc.apiKey : null;
   const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? "warn";
   if (!["block", "warn", "off"].includes(modeRaw)) {
     process.stderr.write(
@@ -46549,16 +46646,18 @@ function parseConfig(argv, strictFlags = true) {
     process.stderr.write("Error: --max-packages must be a number between 1 and 10000\n");
     process.exit(1);
   }
+  const apiUrl = validateApiUrl(
+    values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com"
+  );
+  const deviceId = getOrCreateDeviceId();
   return {
     apiKey,
     deviceId,
-    apiUrl: validateApiUrl(
-      values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com"
-    ),
+    apiUrl,
     mode: modeRaw,
     maxPackages,
     json: values.json,
-    scanAll: values["scan-all"],
+    scanAll: values["changed-only"] ? false : values["scan-all"],
     baseLockfile: values["base-lockfile"] ?? null,
     workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
     outputFile: values.output ?? null,
@@ -46566,11 +46665,13 @@ function parseConfig(argv, strictFlags = true) {
     debug: debug2
   };
 }
-var USAGE;
+var KNOWN_DGRC_KEYS, INTERNAL_DGRC_KEYS, USAGE;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
     init_auth();
+    KNOWN_DGRC_KEYS = ["apiKey", "apiUrl", "mode", "maxPackages"];
+    INTERNAL_DGRC_KEYS = ["deviceId", "firstRunCompletedAt"];
     USAGE = `
   Dependency Guardian \u2014 Supply chain security scanner
 
@@ -46603,7 +46704,8 @@ var init_config = __esm({
     --mode <mode>            block | warn | off (default: warn)
     --max-packages <n>       Max packages per scan (default: 10000)
     --json                   Output JSON for CI parsing
-    --scan-all               Scan all packages, not just changed
+    --scan-all               Scan all packages (default)
+    --changed-only           Only scan packages changed since base lockfile
     --base-lockfile <path>   Path to base lockfile for explicit diff
     --workspace <dir>        Scan a specific workspace subdirectory
     --output, -o <file>      Save JSON results to file (use with --json)
@@ -46718,7 +46820,13 @@ function parsePackageSpec(spec) {
     versionSpec: spec.slice(atIdx + 1)
   };
 }
+function isFlagLikeSpec(spec) {
+  return spec.startsWith("-");
+}
 async function resolveVersion(spec) {
+  if (isFlagLikeSpec(spec)) {
+    return null;
+  }
   return new Promise((resolve2) => {
     const child = spawn2("npm", ["view", spec, "version"], {
       stdio: ["pipe", "pipe", "pipe"]
@@ -82402,18 +82510,26 @@ var discover_exports = {};
 __export(discover_exports, {
   discoverProjects: () => discoverProjects
 });
-import { existsSync as existsSync6, readFileSync as readFileSync7, readdirSync, lstatSync } from "node:fs";
+import { readFileSync as readFileSync7, readdirSync, lstatSync as lstatSync2 } from "node:fs";
 import { join as join8, relative as relative2, basename as basename2 } from "node:path";
 function discoverProjects(root) {
   const projects = [];
   walk(root, root, 0, projects);
   return projects.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
 }
+function isSafeRegularFile(path2) {
+  try {
+    const st = lstatSync2(path2);
+    return st.isFile() && !st.isSymbolicLink();
+  } catch {
+    return false;
+  }
+}
 function walk(dir, root, depth, out) {
   if (depth > MAX_DEPTH) return;
   for (const lockfile of NPM_LOCKFILES) {
     const lockPath = join8(dir, lockfile);
-    if (existsSync6(lockPath)) {
+    if (isSafeRegularFile(lockPath)) {
       const count = countNpmPackages(lockPath);
       if (count > 0) {
         out.push({
@@ -82429,7 +82545,7 @@ function walk(dir, root, depth, out) {
   }
   for (const depFile of PYTHON_DEPFILES) {
     const depPath = join8(dir, depFile);
-    if (existsSync6(depPath)) {
+    if (isSafeRegularFile(depPath)) {
       const count = countPythonPackages(depPath, depFile);
       if (count > 0) {
         out.push({
@@ -82453,7 +82569,7 @@ function walk(dir, root, depth, out) {
     if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
     const full = join8(dir, entry);
     try {
-      const st = lstatSync(full);
+      const st = lstatSync2(full);
       if (st.isDirectory() && !st.isSymbolicLink()) {
         walk(full, root, depth + 1, out);
       }
@@ -82546,7 +82662,8 @@ __export(hook_exports, {
 });
 import { execFileSync as execFileSync2 } from "node:child_process";
 import {
-  existsSync as existsSync7,
+  existsSync as existsSync6,
+  lstatSync as lstatSync3,
   readFileSync as readFileSync8,
   writeFileSync as writeFileSync3,
   mkdirSync,
@@ -82554,9 +82671,40 @@ import {
   unlinkSync as unlinkSync2
 } from "node:fs";
 import { join as join9, dirname as dirname4 } from "node:path";
-function findGitDir() {
+function assertSafeWriteTarget(target) {
+  const parent = dirname4(target);
+  try {
+    const parentStat = lstatSync3(parent);
+    if (parentStat.isSymbolicLink()) {
+      throw new Error(
+        `refusing to write to ${target}: parent dir ${parent} is a symlink (possible path-traversal attack)`
+      );
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.startsWith("refusing")) {
+      throw e;
+    }
+  }
+  try {
+    const targetStat = lstatSync3(target);
+    if (targetStat.isSymbolicLink()) {
+      throw new Error(
+        `refusing to write to ${target}: target is a symlink (possible path-traversal attack)`
+      );
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.startsWith("refusing")) {
+      throw e;
+    }
+  }
+}
+function safeWriteFileSync(target, content) {
+  assertSafeWriteTarget(target);
+  writeFileSync3(target, content);
+}
+function findHooksDir() {
   try {
-    return execFileSync2("git", ["rev-parse", "--git-dir"], {
+    return execFileSync2("git", ["rev-parse", "--git-path", "hooks"], {
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
     }).trim();
@@ -82579,9 +82727,9 @@ function detectHookFramework(repoRoot) {
   const huskyHook = join9(root, ".husky", "pre-commit");
   const lefthookConfig = join9(root, "lefthook.yml");
   const lefthookConfigYaml = join9(root, "lefthook.yaml");
-  const gitDir = findGitDir();
-  const bareHook = join9(gitDir, "hooks", "pre-commit");
-  if (existsSync7(huskyHook)) {
+  const hooksDir = findHooksDir();
+  const bareHook = join9(hooksDir, "pre-commit");
+  if (existsSync6(huskyHook)) {
     const content = readFileSync8(huskyHook, "utf-8");
     return {
       framework: "husky",
@@ -82590,7 +82738,7 @@ function detectHookFramework(repoRoot) {
     };
   }
   for (const cfg of [lefthookConfig, lefthookConfigYaml]) {
-    if (existsSync7(cfg)) {
+    if (existsSync6(cfg)) {
       const content = readFileSync8(cfg, "utf-8");
       const installed2 = /^\s+dependency-guardian\s*:/m.test(content);
       return {
@@ -82601,7 +82749,7 @@ function detectHookFramework(repoRoot) {
     }
   }
   let installed = false;
-  if (existsSync7(bareHook)) {
+  if (existsSync6(bareHook)) {
     installed = readFileSync8(bareHook, "utf-8").includes(HOOK_MARKER);
   }
   return {
@@ -82623,7 +82771,7 @@ ${HUSKY_SNIPPET}`;
 
 ${LEFTHOOK_ENTRY}`;
     case "bare":
-      if (existsSync7(info.targetFile)) {
+      if (existsSync6(info.targetFile)) {
         return `Will append to existing hook at ${info.targetFile}:
 ${HOOK_SECTION}`;
       }
@@ -82637,7 +82785,7 @@ function installHuskyHook(targetFile) {
     process.stderr.write("  Hook already installed in Husky.\n");
     return;
   }
-  writeFileSync3(targetFile, existing.trimEnd() + "\n" + HUSKY_SNIPPET);
+  safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HUSKY_SNIPPET);
   try {
     chmodSync2(targetFile, 493);
   } catch {
@@ -82659,7 +82807,7 @@ function installLefthookHook(targetFile) {
         /^(\s{2}commands\s*:\s*)$/m,
         `$1
     ${LEFTHOOK_MARKER}:
-      glob: "{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json}"
+      glob: "**/{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json,requirements.txt,requirements-*.txt,Pipfile.lock,poetry.lock}"
       run: dg scan --mode block`
       );
     } else {
@@ -82673,20 +82821,20 @@ function installLefthookHook(targetFile) {
   } else {
     updated = existing.trimEnd() + "\n\n" + LEFTHOOK_ENTRY;
   }
-  writeFileSync3(targetFile, updated);
+  safeWriteFileSync(targetFile, updated);
   process.stderr.write(`  Added Dependency Guardian to ${targetFile}
 `);
 }
 function installBareHook(targetFile) {
   const hooksDir = dirname4(targetFile);
   mkdirSync(hooksDir, { recursive: true });
-  if (existsSync7(targetFile)) {
+  if (existsSync6(targetFile)) {
     const existing = readFileSync8(targetFile, "utf-8");
     if (existing.includes(HOOK_MARKER)) {
       process.stderr.write("  Hook already installed.\n");
       return;
     }
-    writeFileSync3(targetFile, existing.trimEnd() + "\n" + HOOK_SECTION);
+    safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HOOK_SECTION);
     chmodSync2(targetFile, 493);
     process.stderr.write(
       `  Appended Dependency Guardian hook to existing ${targetFile}
@@ -82694,7 +82842,7 @@ function installBareHook(targetFile) {
     );
     return;
   }
-  writeFileSync3(targetFile, HOOK_SCRIPT);
+  safeWriteFileSync(targetFile, HOOK_SCRIPT);
   chmodSync2(targetFile, 493);
   process.stderr.write(`  Installed git pre-commit hook at ${targetFile}
 `);
@@ -82717,12 +82865,12 @@ function installHook() {
   installHookForFramework(info);
 }
 function uninstallHook() {
-  const gitDir = findGitDir();
-  const hookPath = join9(gitDir, "hooks", "pre-commit");
+  const hooksDir = findHooksDir();
+  const hookPath = join9(hooksDir, "pre-commit");
   try {
     const root = findRepoRoot();
     const huskyPath = join9(root, ".husky", "pre-commit");
-    if (existsSync7(huskyPath)) {
+    if (existsSync6(huskyPath)) {
       const content2 = readFileSync8(huskyPath, "utf-8");
       if (content2.includes(HOOK_MARKER)) {
         const startIdx2 = content2.indexOf(MARKER_START);
@@ -82731,7 +82879,7 @@ function uninstallHook() {
           const before = content2.slice(0, startIdx2).trimEnd();
           const after = content2.slice(endIdx2 + MARKER_END.length).trimStart();
           const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
-          writeFileSync3(huskyPath, remaining);
+          safeWriteFileSync(huskyPath, remaining);
           process.stderr.write(
             `  Removed Dependency Guardian section from ${huskyPath}
 `
@@ -82741,14 +82889,14 @@ function uninstallHook() {
       }
     }
     for (const cfg of [join9(root, "lefthook.yml"), join9(root, "lefthook.yaml")]) {
-      if (existsSync7(cfg)) {
+      if (existsSync6(cfg)) {
         const content2 = readFileSync8(cfg, "utf-8");
         if (/^\s+dependency-guardian\s*:/m.test(content2)) {
           const stripped = content2.replace(
             /^\s+dependency-guardian\s*:\s*\n(?:\s{6,}.*\n)+/gm,
             ""
           );
-          writeFileSync3(cfg, stripped);
+          safeWriteFileSync(cfg, stripped);
           process.stderr.write(
             `  Removed Dependency Guardian section from ${cfg}
 `
@@ -82759,7 +82907,7 @@ function uninstallHook() {
     }
   } catch {
   }
-  if (!existsSync7(hookPath)) {
+  if (!existsSync6(hookPath)) {
     process.stderr.write("  No hook to remove.\n");
     return;
   }
@@ -82782,7 +82930,7 @@ function uninstallHook() {
     const before = content.slice(0, startIdx).trimEnd();
     const after = content.slice(endIdx + MARKER_END.length).trimStart();
     const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
-    writeFileSync3(hookPath, remaining);
+    safeWriteFileSync(hookPath, remaining);
     process.stderr.write(
       `  Removed Dependency Guardian section from ${hookPath}
 `
@@ -82828,16 +82976,12 @@ var init_hook = __esm({
     HOOK_SCRIPT = `#!/bin/sh
 ${HOOK_MARKER} \u2014 installed by \`dg hook install\`
 
-# Check if any lockfiles are staged
-STAGED=""
-for f in package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
-  if git diff --cached --name-only | grep -q "^\${f}$"; then
-    STAGED="yes"
-    break
-  fi
-done
-
-if [ -z "$STAGED" ]; then
+# Match any of the watched lockfiles, including in subdirectories
+# (monorepos) \u2014 the regex anchors at start-of-path OR after a slash.
+# Mirrors the GitHub-App side which is monorepo-aware via basename
+# matching against NPM_DEPENDENCY_FILES + isPythonDepFile.
+if ! git diff --cached --name-only | grep -qE \\
+  '(^|/)(package-lock\\.json|npm-shrinkwrap\\.json|yarn\\.lock|pnpm-lock\\.yaml|requirements(-[^/]+)?\\.txt|Pipfile\\.lock|poetry\\.lock)$'; then
   exit 0
 fi
 
@@ -82874,7 +83018,7 @@ ${MARKER_START}
 ${HOOK_MARKER} \u2014 installed by \`dg hook install\`
 DG_BIN=$(command -v dg 2>/dev/null || command -v dependency-guardian 2>/dev/null)
 if [ -n "$DG_BIN" ]; then
-  if git diff --cached --name-only | grep -qE '^(package-lock\\.json|npm-shrinkwrap\\.json|yarn\\.lock|pnpm-lock\\.yaml)$'; then
+  if git diff --cached --name-only | grep -qE '(^|/)(package-lock\\.json|npm-shrinkwrap\\.json|yarn\\.lock|pnpm-lock\\.yaml|requirements(-[^/]+)?\\.txt|Pipfile\\.lock|poetry\\.lock)$'; then
     echo "Dependency Guardian: lockfile change detected, scanning..." >&2
     NO_COLOR=1 "$DG_BIN" scan --mode block
     DG_EXIT=$?
@@ -82889,7 +83033,7 @@ ${MARKER_END}
     LEFTHOOK_ENTRY = `  pre-commit:
     commands:
       ${LEFTHOOK_MARKER}:
-        glob: "{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json}"
+        glob: "**/{package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json,requirements.txt,requirements-*.txt,Pipfile.lock,poetry.lock}"
         run: dg scan --mode block
 `;
     USAGE2 = `
@@ -83154,7 +83298,7 @@ var init_parse_package_json = __esm({
 
 // src/lockfile.ts
 import { execFileSync as execFileSync3 } from "node:child_process";
-import { readFileSync as readFileSync9, existsSync as existsSync8, statSync } from "node:fs";
+import { readFileSync as readFileSync9, existsSync as existsSync7, statSync } from "node:fs";
 import { join as join10 } from "node:path";
 function readFileSafe(path2) {
   const size = statSync(path2).size;
@@ -83171,7 +83315,7 @@ function discoverChanges(cwd2, config3) {
   const pythonDepFiles = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
   let pythonPackages = [];
   for (const pyFile of pythonDepFiles) {
-    if (existsSync8(join10(cwd2, pyFile))) {
+    if (existsSync7(join10(cwd2, pyFile))) {
       const pyPkgs = parsePythonDepFile(cwd2, pyFile);
       for (const p of pyPkgs) {
         if (p.version === "latest") continue;
@@ -83196,66 +83340,53 @@ function discoverChanges(cwd2, config3) {
   const headContent = readFileSafe(lockfileInfo.path);
   const headParsed = parseLockfileByType(headContent, lockfileInfo.type);
   const directDeps = getDirectDeps(cwd2);
-  if (config3.scanAll) {
-    const packages2 = [];
-    for (const [name, entry] of headParsed.packages) {
-      if (packages2.length >= config3.maxPackages) break;
-      if (entry.optional && entry.hasPlatformRestriction) continue;
-      if (name === SELF_PACKAGE) continue;
-      packages2.push({
-        name,
-        version: entry.version,
-        previousVersion: null,
-        isNew: true
-      });
-    }
-    return { packages: packages2, pythonPackages, method: "scan-all", skipped: [] };
-  }
   if (config3.baseLockfile) {
-    if (!existsSync8(config3.baseLockfile)) {
+    if (!existsSync7(config3.baseLockfile)) {
       throw new Error(`Base lockfile not found: ${config3.baseLockfile}`);
     }
-    const baseContent2 = readFileSafe(config3.baseLockfile);
-    const baseParsed = parseLockfile(baseContent2);
-    const diff2 = diffLockfiles(baseParsed, headParsed, config3.maxPackages, directDeps);
-    return {
-      packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
-      pythonPackages,
-      method: "base-lockfile",
-      skipped: diff2.skipped
-    };
-  }
-  const baseContent = getGitBaseLockfile(cwd2);
-  if (baseContent !== null) {
+    const baseContent = readFileSafe(config3.baseLockfile);
     const baseParsed = parseLockfile(baseContent);
     const diff2 = diffLockfiles(baseParsed, headParsed, config3.maxPackages, directDeps);
     return {
       packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
       pythonPackages,
-      method: "git-diff",
+      method: "base-lockfile",
       skipped: diff2.skipped
     };
   }
-  const pkgJsonPath = join10(cwd2, "package.json");
-  if (existsSync8(pkgJsonPath)) {
-    const headPkgJson = readFileSafe(pkgJsonPath);
-    const basePkgJson = getGitBaseFile(cwd2, "package.json");
-    if (basePkgJson !== null) {
-      const diff2 = diffPackageJsons(basePkgJson, headPkgJson, config3.maxPackages);
-      const resolved = diff2.changes.map((change) => {
-        const lockEntry = headParsed.packages.get(change.name);
-        return {
-          ...change,
-          newVersion: lockEntry?.version ?? change.newVersion
-        };
-      });
+  if (!config3.scanAll) {
+    const baseContent = getGitBaseLockfile(cwd2);
+    if (baseContent !== null) {
+      const baseParsed = parseLockfile(baseContent);
+      const diff2 = diffLockfiles(baseParsed, headParsed, config3.maxPackages, directDeps);
       return {
-        packages: resolved.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
+        packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
         pythonPackages,
-        method: "fallback",
-        skipped: []
+        method: "git-diff",
+        skipped: diff2.skipped
       };
     }
+    const pkgJsonPath = join10(cwd2, "package.json");
+    if (existsSync7(pkgJsonPath)) {
+      const headPkgJson = readFileSafe(pkgJsonPath);
+      const basePkgJson = getGitBaseFile(cwd2, "package.json");
+      if (basePkgJson !== null) {
+        const diff2 = diffPackageJsons(basePkgJson, headPkgJson, config3.maxPackages);
+        const resolved = diff2.changes.map((change) => {
+          const lockEntry = headParsed.packages.get(change.name);
+          return {
+            ...change,
+            newVersion: lockEntry?.version ?? change.newVersion
+          };
+        });
+        return {
+          packages: resolved.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
+          pythonPackages,
+          method: "fallback",
+          skipped: []
+        };
+      }
+    }
   }
   const packages = [];
   for (const [name, entry] of headParsed.packages) {
@@ -83269,7 +83400,7 @@ function discoverChanges(cwd2, config3) {
       isNew: true
     });
   }
-  return { packages, pythonPackages, method: "fallback", skipped: [] };
+  return { packages, pythonPackages, method: "scan-all", skipped: [] };
 }
 function findLockfile(cwd2) {
   const candidates = [
@@ -83280,7 +83411,7 @@ function findLockfile(cwd2) {
   ];
   for (const [name, type] of candidates) {
     const p = join10(cwd2, name);
-    if (existsSync8(p)) return { path: p, type };
+    if (existsSync7(p)) return { path: p, type };
   }
   return null;
 }
@@ -84160,13 +84291,17 @@ function useInit(opts = {}) {
 `);
         allOutcomes.push(outcome);
       }
-      const allPackages = allOutcomes.flatMap(
-        (o) => o.result?.result.packages ?? []
-      );
-      const totalScanned = allOutcomes.reduce(
-        (sum, o) => sum + (o.result?.scannedCount ?? 0),
-        0
-      );
+      const allPackages = [];
+      const seen = /* @__PURE__ */ new Set();
+      for (const outcome of allOutcomes) {
+        for (const pkg of outcome.result?.result.packages ?? []) {
+          const key = `${pkg.name}@${pkg.version}`;
+          if (seen.has(key)) continue;
+          seen.add(key);
+          allPackages.push(pkg);
+        }
+      }
+      const totalScanned = seen.size;
       const totalDuration = allOutcomes.reduce(
         (sum, o) => sum + (o.result?.durationMs ?? 0),
         0
@@ -88204,7 +88339,7 @@ var init_LoginApp = __esm({
 
 // src/pip-wrapper.ts
 import { spawn as spawn3 } from "node:child_process";
-import { readFileSync as readFileSync10, existsSync as existsSync9 } from "node:fs";
+import { readFileSync as readFileSync10, existsSync as existsSync8 } from "node:fs";
 function parsePipArgs(args) {
   let dgForce = false;
   const filtered = [];
@@ -88267,7 +88402,7 @@ function pipFlagTakesValue(flag) {
   return false;
 }
 function parseRequirementsFile(filePath) {
-  if (!existsSync9(filePath)) return [];
+  if (!existsSync8(filePath)) return [];
   try {
     const content = readFileSync10(filePath, "utf-8");
     const specs = [];
@@ -88407,7 +88542,7 @@ var FileSavePrompt_exports = {};
 __export(FileSavePrompt_exports, {
   FileSavePrompt: () => FileSavePrompt
 });
-import { existsSync as existsSync10, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "node:fs";
+import { existsSync as existsSync9, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "node:fs";
 import { dirname as dirname5, join as join11 } from "node:path";
 function listDirectory(dir) {
   try {
@@ -88509,7 +88644,7 @@ var init_FileSavePrompt = __esm({
           if (key.return) {
             const fullName = ensureJsonExtension(state.filename);
             const fullPath = join11(state.directory, fullName);
-            if (!state.confirmOverwrite && existsSync10(fullPath)) {
+            if (!state.confirmOverwrite && existsSync9(fullPath)) {
               dispatch({ type: "CONFIRM_OVERWRITE" });
               return;
             }