@westbayberry/dg 1.0.59 → 1.0.61

package/dist/index.mjs

@@ -6477,7 +6477,7 @@ var require_has_flag = __commonJS({
 var require_supports_color = __commonJS({
   "node_modules/supports-color/index.js"(exports, module2) {
     "use strict";
-    var os6 = __require("os");
+    var os5 = __require("os");
     var tty2 = __require("tty");
     var hasFlag2 = require_has_flag();
     var { env: env3 } = process;
@@ -6525,7 +6525,7 @@ var require_supports_color = __commonJS({
         return min;
       }
       if (process.platform === "win32") {
-        const osRelease = os6.release().split(".");
+        const osRelease = os5.release().split(".");
         if (Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) {
           return Number(osRelease[2]) >= 14931 ? 3 : 2;
         }
@@ -6827,7 +6827,7 @@ var require_require_in_the_middle = __commonJS({
     } else {
       throw new Error("'require-in-the-middle' requires Node.js >=v9.3.0 or >=v8.10.0");
     }
-    var normalize3 = /([/\\]index)?(\.js)?$/;
+    var normalize4 = /([/\\]index)?(\.js)?$/;
     var ExportsCache = class {
       constructor() {
         this._localCache = /* @__PURE__ */ new Map();
@@ -7024,7 +7024,7 @@ var require_require_in_the_middle = __commonJS({
     };
     function resolveModuleName(stat) {
       const normalizedPath = path3.sep !== "/" ? stat.path.split(path3.sep).join("/") : stat.path;
-      return path3.posix.join(stat.name, normalizedPath).replace(normalize3, "");
+      return path3.posix.join(stat.name, normalizedPath).replace(normalize4, "");
     }
   }
 });
@@ -23527,7 +23527,7 @@ var require_ProcessDetector = __commonJS({
     exports.processDetector = void 0;
     var api_1 = (init_esm(), __toCommonJS(esm_exports));
     var semconv_1 = require_semconv3();
-    var os6 = __require("os");
+    var os5 = __require("os");
     var ProcessDetector = class {
       detect(_config) {
         const attributes = {
@@ -23547,7 +23547,7 @@ var require_ProcessDetector = __commonJS({
           attributes[semconv_1.ATTR_PROCESS_COMMAND] = process.argv[1];
         }
         try {
-          const userInfo = os6.userInfo();
+          const userInfo = os5.userInfo();
           attributes[semconv_1.ATTR_PROCESS_OWNER] = userInfo.username;
         } catch (e) {
           api_1.diag.debug(`error obtaining process owner: ${e}`);
@@ -26807,7 +26807,7 @@ var init_childProcess = __esm({
 import { execFile } from "node:child_process";
 import { readFile, readdir } from "node:fs";
 import * as os from "node:os";
-import { join as join2 } from "node:path";
+import { join as join3 } from "node:path";
 import { promisify } from "node:util";
 function _updateContext(contexts) {
   if (contexts.app?.app_memory) {
@@ -26935,7 +26935,7 @@ async function getLinuxInfo() {
     if (!distroFile) {
       return linuxInfo;
     }
-    const distroPath = join2("/etc", distroFile.name);
+    const distroPath = join3("/etc", distroFile.name);
     const contents = (await readFileAsync(distroPath, { encoding: "utf-8" })).toLowerCase();
     const { distros } = distroFile;
     linuxInfo.name = distros.find((d) => contents.indexOf(getLinuxDistroId(d)) >= 0) || distros[0];
@@ -27847,7 +27847,7 @@ var init_detection = __esm({
 
 // node_modules/@sentry/node-core/build/esm/integrations/modules.js
 import { existsSync, readFileSync } from "node:fs";
-import { dirname as dirname2, join as join3 } from "node:path";
+import { dirname as dirname2, join as join4 } from "node:path";
 function getRequireCachePaths() {
   try {
     return __require.cache ? Object.keys(__require.cache) : [];
@@ -27878,7 +27878,7 @@ function collectRequireModules() {
       if (mainPaths.indexOf(dir) < 0) {
         return updir();
       }
-      const pkgfile = join3(orig, "package.json");
+      const pkgfile = join4(orig, "package.json");
       seen.add(orig);
       if (!existsSync(pkgfile)) {
         return updir();
@@ -27901,7 +27901,7 @@ function _getModules() {
 }
 function getPackageJson() {
   try {
-    const filePath = join3(process.cwd(), "package.json");
+    const filePath = join4(process.cwd(), "package.json");
     const packageJson = JSON.parse(readFileSync(filePath, "utf8"));
     return packageJson;
   } catch {
@@ -29172,6 +29172,8 @@ var init_esm5 = __esm({
     init_logger();
     init_instrument();
     init_sdk();
+    init_onuncaughtexception();
+    init_onunhandledrejection();
     init_addOriginToSpan();
     init_getRequestUrl();
     init_nodeVersion();
@@ -46144,6 +46146,7 @@ var init_esm6 = __esm({
   "node_modules/@sentry/node/build/esm/index.js"() {
     init_sdk2();
     init_esm3();
+    init_esm5();
   }
 });
 
@@ -46155,9 +46158,13 @@ function initTelemetry(version) {
       dsn: CLI_DSN,
       release: `dg-cli@${version}`,
       environment: process.env.CI ? "ci" : "local",
-      // TODO: reduce sample rate when CLI usage exceeds ~10k DAU
       sampleRate: 1,
       sendDefaultPii: false,
+      defaultIntegrations: false,
+      integrations: [
+        onUncaughtExceptionIntegration({ exitEvenIfOtherHandlersAreRegistered: false }),
+        onUnhandledRejectionIntegration()
+      ],
       beforeSend(event) {
         if (event.exception?.values?.some(
           (ex) => ex.value && /\.(invalid|test|example|localhost)\b/i.test(ex.value)
@@ -46229,6 +46236,92 @@ var init_telemetry = __esm({
   }
 });
 
+// src/paths.ts
+import { homedir } from "node:os";
+import { join as join5, isAbsolute as isAbsolute2 } from "node:path";
+function safeAbsolute(p, fallback) {
+  if (!p || typeof p !== "string") return fallback;
+  if (!isAbsolute2(p)) return fallback;
+  return p;
+}
+function dgRoot() {
+  return join5(homedir(), `.${ROOT_DIR_NAME}`);
+}
+function dgConfigDir() {
+  const xdg = safeAbsolute(process.env.XDG_CONFIG_HOME, "");
+  if (xdg) return join5(xdg, ROOT_DIR_NAME);
+  return dgRoot();
+}
+function dgCacheDir() {
+  const explicit = safeAbsolute(process.env.DG_CACHE_DIR, "");
+  if (explicit) return explicit;
+  const xdg = safeAbsolute(process.env.XDG_CACHE_HOME, "");
+  if (xdg) return join5(xdg, ROOT_DIR_NAME);
+  return join5(dgRoot(), "cache");
+}
+function dgStateDir() {
+  const xdg = safeAbsolute(process.env.XDG_STATE_HOME, "");
+  if (xdg) return join5(xdg, ROOT_DIR_NAME);
+  return join5(dgRoot(), "state");
+}
+function dgConfigPath() {
+  return join5(dgConfigDir(), "config.json");
+}
+function dgCachePath(name) {
+  return join5(dgCacheDir(), name);
+}
+function dgStatePath(name) {
+  return join5(dgStateDir(), name);
+}
+function dgMigrationBreadcrumb() {
+  return join5(dgRoot(), ".migrated-from-v1");
+}
+function dgMigrationLock() {
+  return join5(dgRoot(), ".migration.lock");
+}
+function dgReadme() {
+  return join5(dgRoot(), "README.txt");
+}
+function legacyPaths() {
+  const home = homedir();
+  const depGuardianDir = join5(home, ".dependency-guardian");
+  return {
+    dgrc: join5(home, ".dgrc.json"),
+    cacheDir: depGuardianDir,
+    cacheSqlite: join5(home, ".dg", "cache.sqlite"),
+    routingHint: join5(home, ".dg", "scan-routing-hint.json"),
+    updateCheck: join5(home, ".dg-update-check.json"),
+    trialBannerOld: join5(depGuardianDir, "last-trial-banner"),
+    aliasesShOld: join5(depGuardianDir, "aliases.sh"),
+    depGuardianDir
+  };
+}
+function dgPaths() {
+  return {
+    root: dgRoot(),
+    configDir: dgConfigDir(),
+    cacheDir: dgCacheDir(),
+    stateDir: dgStateDir(),
+    config: dgConfigPath(),
+    cacheSqlite: dgCachePath("scans.sqlite"),
+    updateCheck: dgCachePath("update-check.json"),
+    routingHint: dgCachePath("routing-hint.json"),
+    trialBanner: dgStatePath("trial-banner"),
+    aliasesSh: dgStatePath("aliases.sh"),
+    hooksRegistry: dgStatePath("hooks-installed.json"),
+    readme: dgReadme(),
+    migrationBreadcrumb: dgMigrationBreadcrumb(),
+    migrationLock: dgMigrationLock()
+  };
+}
+var ROOT_DIR_NAME;
+var init_paths = __esm({
+  "src/paths.ts"() {
+    "use strict";
+    ROOT_DIR_NAME = "dg";
+  }
+});
+
 // src/auth/auth.ts
 var auth_exports = {};
 __export(auth_exports, {
@@ -46259,9 +46352,8 @@ __export(auth_exports, {
   scrubAuthToken: () => scrubAuthToken,
   setProtectConfig: () => setProtectConfig
 });
-import { readFileSync as readFileSync2, writeFileSync, unlinkSync, existsSync as existsSync2, chmodSync, lstatSync, openSync, fchmodSync, closeSync, constants as fsConstants } from "node:fs";
-import { join as join4 } from "node:path";
-import { homedir } from "node:os";
+import { readFileSync as readFileSync2, writeFileSync, unlinkSync, existsSync as existsSync2, mkdirSync, chmodSync, lstatSync, openSync, fchmodSync, closeSync, constants as fsConstants } from "node:fs";
+import { dirname as dirname3 } from "node:path";
 import { spawn } from "node:child_process";
 import { randomUUID } from "node:crypto";
 function authBase() {
@@ -46339,7 +46431,13 @@ async function pollAuthSession(sessionId) {
   };
 }
 function configPath() {
-  return join4(homedir(), CONFIG_FILE);
+  return dgConfigPath();
+}
+function ensureConfigDir() {
+  const dir = dgConfigDir();
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 448 });
+  }
 }
 function ensureConfigPerms(path3) {
   let st;
@@ -46401,7 +46499,19 @@ function readConfig() {
   }
 }
 function writeDgrc(payload) {
+  ensureConfigDir();
   const p = configPath();
+  const parent = dirname3(p);
+  if (parent !== p) {
+    try {
+      const st = lstatSync(parent);
+      if (st && typeof st.isSymbolicLink === "function" && st.isSymbolicLink()) {
+        throw new Error(`refusing to write ${p}: parent ${parent} is a symlink`);
+      }
+    } catch (e) {
+      if (e instanceof Error && e.message.startsWith("refusing")) throw e;
+    }
+  }
   writeFileSync(p, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
   try {
     chmodSync(p, 384);
@@ -46651,12 +46761,12 @@ function openBrowser(url) {
   } catch {
   }
 }
-var DEFAULT_WEB_BASE, CONFIG_FILE, MAX_QUEUED_EVENTS;
+var DEFAULT_WEB_BASE, MAX_QUEUED_EVENTS;
 var init_auth = __esm({
   "src/auth/auth.ts"() {
     "use strict";
+    init_paths();
     DEFAULT_WEB_BASE = "https://westbayberry.com";
-    CONFIG_FILE = ".dgrc.json";
     MAX_QUEUED_EVENTS = 50;
   }
 });
@@ -46672,9 +46782,8 @@ __export(config_exports, {
 });
 import { parseArgs } from "node:util";
 import { readFileSync as readFileSync3, existsSync as existsSync3 } from "node:fs";
-import { join as join5, dirname as dirname3 } from "node:path";
+import { join as join6, dirname as dirname4 } from "node:path";
 import { fileURLToPath } from "node:url";
-import { homedir as homedir2 } from "node:os";
 function levenshtein(a, b) {
   if (a === b) return 0;
   if (a.length === 0) return b.length;
@@ -46714,24 +46823,28 @@ function warnUnknownDgrcKeys(parsed, source) {
   }
 }
 function loadDgrc() {
-  const cwdPath = join5(process.cwd(), ".dgrc.json");
-  const homePath = join5(homedir2(), ".dgrc.json");
+  const cwdPath = join6(process.cwd(), ".dgrc.json");
+  const homePath = dgConfigPath();
+  const legacyHomePath = legacyPaths().dgrc;
   let config3 = {};
-  if (existsSync3(homePath)) {
+  const sources = [homePath, legacyHomePath].filter((p, i, arr) => arr.indexOf(p) === i);
+  for (const src of sources) {
+    if (!existsSync3(src)) continue;
     try {
-      const home = JSON.parse(readFileSync3(homePath, "utf-8"));
-      warnUnknownDgrcKeys(home, homePath);
-      const homeFiltered = {};
+      const data = JSON.parse(readFileSync3(src, "utf-8"));
+      warnUnknownDgrcKeys(data, src);
+      const filtered = {};
       for (const k of KNOWN_DGRC_KEYS) {
-        if (k in home) homeFiltered[k] = home[k];
+        if (k in data) filtered[k] = data[k];
       }
-      config3 = homeFiltered;
+      config3 = filtered;
+      break;
     } catch {
-      process.stderr.write(`Warning: Failed to parse ${homePath}, ignoring.
+      process.stderr.write(`Warning: Failed to parse ${src}, ignoring.
 `);
     }
   }
-  if (existsSync3(cwdPath) && cwdPath !== homePath) {
+  if (existsSync3(cwdPath) && cwdPath !== homePath && cwdPath !== legacyHomePath) {
     try {
       const cwd2 = JSON.parse(readFileSync3(cwdPath, "utf-8"));
       warnUnknownDgrcKeys(cwd2, cwdPath);
@@ -46759,10 +46872,7 @@ function validateApiUrl(url) {
       );
       process.exit(1);
     }
-    const isLocal = host === "localhost" || // IPv4: loopback, RFC 1918, CGNAT. Proper octet regex — not prefix matching,
-    // which would wrongly accept `192.1680.0.1` or `100.1.2.3` (public).
-    /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/.test(host) || // IPv6: loopback and unique local (fc00::/7 → fc** or fd**)
-    host === "::1" || /^f[cd][0-9a-f]{2}:/i.test(host);
+    const isLocal = host === "localhost" || /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/.test(host) || host === "::1" || /^f[cd][0-9a-f]{2}:/i.test(host);
     if (parsed.protocol !== "https:" && !isLocal) {
       process.stderr.write(`Error: API URL must use HTTPS (got ${parsed.protocol}). Use localhost for local testing.
 `);
@@ -46777,9 +46887,9 @@ function validateApiUrl(url) {
 }
 function getVersion() {
   try {
-    const thisDir = dirname3(fileURLToPath(import.meta.url));
+    const thisDir = dirname4(fileURLToPath(import.meta.url));
     const pkg = JSON.parse(
-      readFileSync3(join5(thisDir, "..", "package.json"), "utf-8")
+      readFileSync3(join6(thisDir, "..", "package.json"), "utf-8")
     );
     return pkg.version ?? "1.0.0";
   } catch {
@@ -46810,7 +46920,6 @@ function parseConfig(argv, strictFlags = true) {
         strict: { type: "boolean", default: false },
         help: { type: "boolean", default: false },
         version: { type: "boolean", default: false },
-        // Recognized but handled server-side via policy dashboard
         "no-config": { type: "boolean", default: false },
         allowlist: { type: "string" },
         "block-threshold": { type: "string" },
@@ -46890,6 +46999,7 @@ var init_config = __esm({
   "src/config.ts"() {
     "use strict";
     init_auth();
+    init_paths();
     KNOWN_DGRC_KEYS = ["apiKey", "apiUrl", "mode", "maxPackages"];
     INTERNAL_DGRC_KEYS = [
       "deviceId",
@@ -46903,26 +47013,27 @@ var init_config = __esm({
     USAGE = `
   Dependency Guardian \u2014 Supply chain security scanner
 
-  Get protected in two steps:
-    dg login                # free account, higher scan limits
-    dg protect              # opt in to auto-scan on \`npm install\` / \`pip install\`
+  Get protected:
+    dg init                 Set up this project (hook + protect + first scan)
+    dg login                Free account, higher scan limits
+    dg protect              Auto-scan on \`npm install\` / \`pip install\`
 
   Common commands:
     dg scan                 Audit this project's dependencies (read-only)
     dg status               Show your coverage at a glance
-    dg protect              Enable opt-in protection (stored in ~/.dgrc.json)
-    dg protect off          Disable protection
     dg npm install <pkg>    One-shot: scan + install a package
     dg pip install <pkg>    Same, for pip
     dg hook install         Block risky lockfile changes at commit time
     dg login / dg logout    Manage authentication
     dg update               Check for and install the latest dg version
+    dg uninstall            Remove everything dg has written locally
 
   Common flags:
     --json                  Machine-readable output (CI/scripts)
     --quiet                 Suppress login + update nudges
     --output, -o <file>     Save scan result to a file (requires \`dg login\`)
 
+  Local state lives in ~/.dg/.
   Need more? Advanced flags + env vars: \`dg --help-all\`.
 `.trimStart();
     USAGE_ALL = `
@@ -46934,22 +47045,24 @@ var init_config = __esm({
     dg pip install <pkg> [pip-flags]
 
   Commands:
+    init            Fast per-project setup (hook + protect + first scan)
     scan            Read-only audit: scans the project's lockfiles + reports
     npm             Protective install wrapper for npm (default mode: BLOCK)
     pip             Protective install wrapper for pip (default mode: BLOCK)
-    protect         Enable opt-in low-friction protection (stored in
-                    ~/.dgrc.json + per-user shell-alias snippet \u2014 opt in
-                    by sourcing it)
+    protect         Enable opt-in low-friction protection (config under
+                    ~/.dg/ + per-user shell-alias snippet
+                    \u2014 opt in by sourcing it)
     protect off     Disable protection in the current project
     hook install    Install git pre-commit hook to scan lockfile changes
     hook uninstall  Remove the pre-commit hook
     login           Authenticate with your WestBayBerry account
     logout          Remove saved credentials
-    cleanup         Wipe local state (creds, shell snippet) before npm uninstall
+    uninstall       Remove every file dg has written locally (config, cache,
+                    hooks across repos, shell-rc lines)
     status          Show coverage overview (auth, protect, hook, npm/pip, update)
     update          Check for and install the latest version
     wrap            Show instructions to alias npm to dg (manual)
-    kitty           Re-run the guided tour
+    kitty           Re-run the first-time intro tour
     help            Show short help (\`dg --help-all\` for this view)
     version         Show version number
 
@@ -47036,7 +47149,7 @@ __export(npm_wrapper_exports, {
 });
 import { spawn as spawn2 } from "node:child_process";
 import { readFileSync as readFileSync4, existsSync as existsSync4, mkdtempSync, writeFileSync as writeFileSync2, rmSync } from "node:fs";
-import { join as join6 } from "node:path";
+import { join as join7 } from "node:path";
 import { tmpdir } from "node:os";
 function parseNpmArgs(args) {
   let dgForce = false;
@@ -47245,9 +47358,9 @@ async function resolveTreeNpm(specs) {
   if (safe.length === 0) {
     return { packages: [], ok: false, errorMessage: "all specs were flag-shaped (refused)" };
   }
-  const dir = mkdtempSync(join6(tmpdir(), "dg-resolve-"));
+  const dir = mkdtempSync(join7(tmpdir(), "dg-resolve-"));
   try {
-    writeFileSync2(join6(dir, "package.json"), '{"name":"_dg_resolve","version":"1.0.0","private":true}');
+    writeFileSync2(join7(dir, "package.json"), '{"name":"_dg_resolve","version":"1.0.0","private":true}');
     const stdout = await new Promise((resolve3) => {
       const child = spawn2(
         "npm",
@@ -47327,7 +47440,7 @@ function pinTopLevelArgs(rawArgs, userSpecs, tree) {
   });
 }
 function readLockfilePins(cwd2) {
-  const lockPath = join6(cwd2, "package-lock.json");
+  const lockPath = join7(cwd2, "package-lock.json");
   if (!existsSync4(lockPath)) return null;
   try {
     const lock = JSON.parse(readFileSync4(lockPath, "utf-8"));
@@ -47357,7 +47470,7 @@ function readBareInstallPackages(cwd2) {
   return readBareInstallPackagesTyped(cwd2).map((s) => s.spec);
 }
 function readBareInstallPackagesTyped(cwd2) {
-  const pkgPath = join6(cwd2, "package.json");
+  const pkgPath = join7(cwd2, "package.json");
   if (!existsSync4(pkgPath)) return [];
   try {
     const pkg = JSON.parse(readFileSync4(pkgPath, "utf-8"));
@@ -48630,14 +48743,14 @@ var require_templates = __commonJS({
       }
       return results;
     }
-    function buildStyle(chalk15, styles8) {
+    function buildStyle(chalk17, styles8) {
       const enabled = {};
       for (const layer of styles8) {
         for (const style of layer.styles) {
           enabled[style[0]] = layer.inverse ? null : style.slice(1);
         }
       }
-      let current = chalk15;
+      let current = chalk17;
       for (const [styleName, styles9] of Object.entries(enabled)) {
         if (!Array.isArray(styles9)) {
           continue;
@@ -48649,7 +48762,7 @@ var require_templates = __commonJS({
       }
       return current;
     }
-    module2.exports = (chalk15, temporary) => {
+    module2.exports = (chalk17, temporary) => {
       const styles8 = [];
       const chunks = [];
       let chunk = [];
@@ -48659,13 +48772,13 @@ var require_templates = __commonJS({
         } else if (style) {
           const string = chunk.join("");
           chunk = [];
-          chunks.push(styles8.length === 0 ? string : buildStyle(chalk15, styles8)(string));
+          chunks.push(styles8.length === 0 ? string : buildStyle(chalk17, styles8)(string));
           styles8.push({ inverse, styles: parseStyle(style) });
         } else if (close2) {
           if (styles8.length === 0) {
             throw new Error("Found extraneous } in Chalk template literal");
           }
-          chunks.push(buildStyle(chalk15, styles8)(chunk.join("")));
+          chunks.push(buildStyle(chalk17, styles8)(chunk.join("")));
           chunk = [];
           styles8.pop();
         } else {
@@ -48713,16 +48826,16 @@ var require_source = __commonJS({
       }
     };
     var chalkFactory2 = (options) => {
-      const chalk16 = {};
-      applyOptions2(chalk16, options);
-      chalk16.template = (...arguments_) => chalkTag(chalk16.template, ...arguments_);
-      Object.setPrototypeOf(chalk16, Chalk.prototype);
-      Object.setPrototypeOf(chalk16.template, chalk16);
-      chalk16.template.constructor = () => {
+      const chalk18 = {};
+      applyOptions2(chalk18, options);
+      chalk18.template = (...arguments_) => chalkTag(chalk18.template, ...arguments_);
+      Object.setPrototypeOf(chalk18, Chalk.prototype);
+      Object.setPrototypeOf(chalk18.template, chalk18);
+      chalk18.template.constructor = () => {
         throw new Error("`chalk.constructor()` is deprecated. Use `new chalk.Instance()` instead.");
       };
-      chalk16.template.Instance = ChalkClass;
-      return chalk16.template;
+      chalk18.template.Instance = ChalkClass;
+      return chalk18.template;
     };
     function Chalk(options) {
       return chalkFactory2(options);
@@ -48833,7 +48946,7 @@ var require_source = __commonJS({
       return openAll + string + closeAll;
     };
     var template;
-    var chalkTag = (chalk16, ...strings) => {
+    var chalkTag = (chalk18, ...strings) => {
       const [firstString] = strings;
       if (!isArray(firstString) || !isArray(firstString.raw)) {
         return strings.join(" ");
@@ -48849,25 +48962,27 @@ var require_source = __commonJS({
       if (template === void 0) {
         template = require_templates();
       }
-      return template(chalk16, parts.join(""));
+      return template(chalk18, parts.join(""));
     };
     Object.defineProperties(Chalk.prototype, styles8);
-    var chalk15 = Chalk();
-    chalk15.supportsColor = stdoutColor2;
-    chalk15.stderr = Chalk({ level: stderrColor2 ? stderrColor2.level : 0 });
-    chalk15.stderr.supportsColor = stderrColor2;
-    module2.exports = chalk15;
+    var chalk17 = Chalk();
+    chalk17.supportsColor = stdoutColor2;
+    chalk17.stderr = Chalk({ level: stderrColor2 ? stderrColor2.level : 0 });
+    chalk17.stderr.supportsColor = stderrColor2;
+    module2.exports = chalk17;
   }
 });
 
 // src/update-check.ts
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "node:fs";
-import { homedir as homedir3 } from "node:os";
-import { join as join7 } from "node:path";
+import { existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "node:fs";
+import { dirname as dirname5 } from "node:path";
 import { execFileSync } from "node:child_process";
+function cacheFile() {
+  return dgCachePath("update-check.json");
+}
 function readCache() {
   try {
-    const raw = readFileSync5(CACHE_FILE, "utf-8");
+    const raw = readFileSync5(cacheFile(), "utf-8");
     const data = JSON.parse(raw);
     if (typeof data.latest === "string" && typeof data.checkedAt === "number") {
       return data;
@@ -48878,7 +48993,10 @@ function readCache() {
 }
 function writeCache(entry) {
   try {
-    writeFileSync3(CACHE_FILE, JSON.stringify(entry), "utf-8");
+    const path3 = cacheFile();
+    const parent = dirname5(path3);
+    if (!existsSync5(parent)) mkdirSync2(parent, { recursive: true, mode: 448 });
+    writeFileSync3(path3, JSON.stringify(entry), "utf-8");
   } catch {
   }
 }
@@ -48939,45 +49057,45 @@ async function checkForUpdate(currentVersion) {
   return null;
 }
 async function runUpdate(currentVersion) {
-  const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-  process.stderr.write(chalk15.dim("  Checking for updates...\n"));
+  const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+  process.stderr.write(chalk17.dim("  Checking for updates...\n"));
   const latest = await fetchLatestVersion();
   if (!latest) {
-    process.stderr.write(chalk15.red("  Could not reach npm registry.\n"));
+    process.stderr.write(chalk17.red("  Could not reach npm registry.\n"));
     process.exit(1);
   }
   if (!isNewer(latest, currentVersion)) {
     process.stderr.write(
-      chalk15.green(`  Already on latest version (${currentVersion}).
+      chalk17.green(`  Already on latest version (${currentVersion}).
 `)
     );
     return;
   }
-  process.stderr.write(chalk15.dim(`  Installing ${PKG_NAME}@${latest}...
+  process.stderr.write(chalk17.dim(`  Installing ${PKG_NAME}@${latest}...
 `));
   try {
     execFileSync("npm", ["install", "-g", `${PKG_NAME}@${latest}`], { stdio: "inherit" });
     writeCache({ latest, checkedAt: Date.now() });
     process.stderr.write(
-      chalk15.green(`
+      chalk17.green(`
   Updated ${currentVersion} \u2192 ${latest}
 `)
     );
   } catch {
     process.stderr.write(
-      chalk15.red(`
+      chalk17.red(`
   Update failed. Try manually: npm i -g ${PKG_NAME}@${latest}
 `)
     );
     process.exit(1);
   }
 }
-var PKG_NAME, CACHE_FILE, CHECK_INTERVAL_MS;
+var PKG_NAME, CHECK_INTERVAL_MS;
 var init_update_check = __esm({
   "src/update-check.ts"() {
     "use strict";
+    init_paths();
     PKG_NAME = "@westbayberry/dg";
-    CACHE_FILE = join7(homedir3(), ".dg-update-check.json");
     CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
   }
 });
@@ -49946,12 +50064,12 @@ var require_react_development = __commonJS({
         var SEPARATOR = ".";
         var SUBSEPARATOR = ":";
         function escape2(key) {
-          var escapeRegex = /[=:]/g;
+          var escapeRegex2 = /[=:]/g;
           var escaperLookup = {
             "=": "=0",
             ":": "=2"
           };
-          var escapedString = key.replace(escapeRegex, function(match) {
+          var escapedString = key.replace(escapeRegex2, function(match) {
             return escaperLookup[match];
           });
           return "$" + escapedString;
@@ -79974,10 +80092,10 @@ var init_source = __esm({
       object.level = options.level === void 0 ? colorLevel : options.level;
     };
     chalkFactory = (options) => {
-      const chalk15 = (...strings) => strings.join(" ");
-      applyOptions(chalk15, options);
-      Object.setPrototypeOf(chalk15, createChalk.prototype);
-      return chalk15;
+      const chalk17 = (...strings) => strings.join(" ");
+      applyOptions(chalk17, options);
+      Object.setPrototypeOf(chalk17, createChalk.prototype);
+      return chalk17;
     };
     Object.setPrototypeOf(createChalk.prototype, Function.prototype);
     for (const [styleName, style] of Object.entries(ansi_styles_default3)) {
@@ -83063,22 +83181,18 @@ var init_skip_list = __esm({
   "src/discover/skip-list.ts"() {
     "use strict";
     SKIP_DIRS = /* @__PURE__ */ new Set([
-      // Package caches
       "node_modules",
       ".venv",
       "venv",
       "__pycache__",
       "vendor",
       "bower_components",
-      // VCS + tooling
       ".git",
       ".tox",
       ".eggs",
-      // Build outputs
       "dist",
       "build",
       "target",
-      // target: Rust + Java
       ".next",
       ".nuxt",
       ".turbo",
@@ -83087,24 +83201,17 @@ var init_skip_list = __esm({
       ".parcel-cache",
       ".gradle",
       ".terraform",
-      // Test caches
       "coverage",
       ".cache",
       ".pytest_cache",
       ".mypy_cache",
-      // Project-local: validation outputs, fixture sandboxes, archives,
-      // and temp scratch (no project lives inside a tmp dir; corpus dumps
-      // for validation runs frequently land in tmp subtrees with 100k+
-      // entries that lock the walker on their readdir).
       "validation-results",
       "test-fixtures",
       "fixtures",
       "archive",
       "tmp",
       "temp",
-      // Vendored Ansible collections (WBB monorepo specific; harmless on others)
       "ansible_collections",
-      // IDE / editor
       ".idea",
       ".vscode"
     ]);
@@ -83205,7 +83312,7 @@ async function discoverProjectsAsync(root, opts = {}) {
   const nonEmpty = projects.filter((p) => p.packageCount > 0);
   return nonEmpty.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
 }
-function discoverProjects(root) {
+function discoverProjects(_root) {
   throw new Error(
     "discoverProjects (sync) is no longer implemented. Use `await discoverProjectsAsync(root)` instead. See dependency-guardian/cli/src/discover/walker.ts."
   );
@@ -83268,27 +83375,137 @@ var init_walker = __esm({
   }
 });
 
+// src/state/hooks_registry.ts
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync8, writeFileSync as writeFileSync5, chmodSync as chmodSync3 } from "node:fs";
+import { dirname as dirname7, isAbsolute as isAbsolute3, normalize as normalize2 } from "node:path";
+import { homedir as homedir2 } from "node:os";
+function registryPath() {
+  return dgStatePath("hooks-installed.json");
+}
+function isSafeAbsolute(p) {
+  if (typeof p !== "string" || p.length === 0) return false;
+  if (!isAbsolute3(p)) return false;
+  if (p.includes("\0")) return false;
+  if (p.split("/").some((seg) => seg === "..")) return false;
+  if (normalize2(p) !== p) return false;
+  return true;
+}
+function isWithinHomeOrTmp(p) {
+  const home = homedir2();
+  if (p === home || p.startsWith(home + "/")) return true;
+  const rawTmp = process.env.TMPDIR || "/tmp";
+  const tmpdir2 = rawTmp.endsWith("/") ? rawTmp.slice(0, -1) : rawTmp;
+  if (p === tmpdir2 || p.startsWith(tmpdir2 + "/")) return true;
+  if (p === "/tmp" || p.startsWith("/tmp/")) return true;
+  if (p === "/private/tmp" || p.startsWith("/private/tmp/")) return true;
+  if (p.startsWith("/private/var/")) return true;
+  return false;
+}
+function validateEntry(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const o = raw;
+  if (!isSafeAbsolute(o.repoPath)) return null;
+  if (!isSafeAbsolute(o.hookPath)) return null;
+  if (!isWithinHomeOrTmp(o.repoPath)) return null;
+  if (!isWithinHomeOrTmp(o.hookPath)) return null;
+  if (o.framework !== "husky" && o.framework !== "lefthook" && o.framework !== "bare") return null;
+  if (typeof o.installedAt !== "string" || o.installedAt.length === 0) return null;
+  return {
+    repoPath: o.repoPath,
+    framework: o.framework,
+    hookPath: o.hookPath,
+    installedAt: o.installedAt
+  };
+}
+function readRegistry() {
+  const path3 = registryPath();
+  if (!existsSync8(path3)) return [];
+  let raw;
+  try {
+    raw = readFileSync8(path3, "utf-8");
+  } catch {
+    return [];
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return [];
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return [];
+  const file = parsed;
+  if (file.version !== 1 || !Array.isArray(file.entries)) return [];
+  const out = [];
+  for (const e of file.entries) {
+    const v = validateEntry(e);
+    if (v) out.push(v);
+  }
+  return out;
+}
+function writeRegistry(entries) {
+  const path3 = registryPath();
+  const parent = dirname7(path3);
+  if (!existsSync8(parent)) mkdirSync4(parent, { recursive: true, mode: 448 });
+  const payload = { version: 1, entries };
+  writeFileSync5(path3, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
+  try {
+    chmodSync3(path3, 384);
+  } catch {
+  }
+}
+function sameEntry(a, b) {
+  return a.repoPath === b.repoPath && a.hookPath === b.hookPath;
+}
+function addEntry(entry) {
+  if (!isSafeAbsolute(entry.repoPath) || !isWithinHomeOrTmp(entry.repoPath)) return;
+  if (!isSafeAbsolute(entry.hookPath) || !isWithinHomeOrTmp(entry.hookPath)) return;
+  const next = { ...entry, installedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  const existing = readRegistry();
+  const filtered = existing.filter((e) => !sameEntry(e, next));
+  filtered.push(next);
+  writeRegistry(filtered);
+}
+function removeEntry(repoPath, hookPath) {
+  const existing = readRegistry();
+  const filtered = existing.filter((e) => !(e.repoPath === repoPath && e.hookPath === hookPath));
+  if (filtered.length === existing.length) return false;
+  writeRegistry(filtered);
+  return true;
+}
+function listEntries() {
+  return readRegistry();
+}
+var init_hooks_registry = __esm({
+  "src/state/hooks_registry.ts"() {
+    "use strict";
+    init_paths();
+  }
+});
+
 // src/commands/hook.ts
 var hook_exports = {};
 __export(hook_exports, {
   detectHookFramework: () => detectHookFramework,
   handleHookCommand: () => handleHookCommand,
   installHookForFramework: () => installHookForFramework,
-  previewHookInstall: () => previewHookInstall
+  previewHookInstall: () => previewHookInstall,
+  stripDgFromHookFile: () => stripDgFromHookFile,
+  uninstallHookFromRepo: () => uninstallHookFromRepo,
+  verifyHookInstalled: () => verifyHookInstalled
 });
 import { execFileSync as execFileSync2 } from "node:child_process";
 import {
-  existsSync as existsSync6,
+  existsSync as existsSync9,
   lstatSync as lstatSync2,
-  readFileSync as readFileSync7,
-  writeFileSync as writeFileSync4,
-  mkdirSync,
-  chmodSync as chmodSync2,
-  unlinkSync as unlinkSync2
+  readFileSync as readFileSync9,
+  writeFileSync as writeFileSync6,
+  mkdirSync as mkdirSync5,
+  chmodSync as chmodSync4,
+  unlinkSync as unlinkSync3
 } from "node:fs";
-import { join as join9, dirname as dirname4 } from "node:path";
+import { join as join9, dirname as dirname8, resolve as resolvePath, isAbsolute as isAbsolute4 } from "node:path";
 function assertSafeWriteTarget(target) {
-  const parent = dirname4(target);
+  const parent = dirname8(target);
   try {
     const parentStat = lstatSync2(parent);
     if (parentStat.isSymbolicLink()) {
@@ -83316,7 +83533,7 @@ function assertSafeWriteTarget(target) {
 }
 function safeWriteFileSync(target, content) {
   assertSafeWriteTarget(target);
-  writeFileSync4(target, content);
+  writeFileSync6(target, content);
 }
 function findHooksDir() {
   try {
@@ -83345,8 +83562,8 @@ function detectHookFramework(repoRoot) {
   const lefthookConfigYaml = join9(root, "lefthook.yaml");
   const hooksDir = findHooksDir();
   const bareHook = join9(hooksDir, "pre-commit");
-  if (existsSync6(huskyHook)) {
-    const content = readFileSync7(huskyHook, "utf-8");
+  if (existsSync9(huskyHook)) {
+    const content = readFileSync9(huskyHook, "utf-8");
     return {
       framework: "husky",
       targetFile: huskyHook,
@@ -83354,8 +83571,8 @@ function detectHookFramework(repoRoot) {
     };
   }
   for (const cfg of [lefthookConfig, lefthookConfigYaml]) {
-    if (existsSync6(cfg)) {
-      const content = readFileSync7(cfg, "utf-8");
+    if (existsSync9(cfg)) {
+      const content = readFileSync9(cfg, "utf-8");
       const installed2 = /^\s+dependency-guardian\s*:/m.test(content);
       return {
         framework: "lefthook",
@@ -83365,8 +83582,8 @@ function detectHookFramework(repoRoot) {
     }
   }
   let installed = false;
-  if (existsSync6(bareHook)) {
-    installed = readFileSync7(bareHook, "utf-8").includes(HOOK_MARKER);
+  if (existsSync9(bareHook)) {
+    installed = readFileSync9(bareHook, "utf-8").includes(HOOK_MARKER);
   }
   return {
     framework: "bare",
@@ -83374,6 +83591,37 @@ function detectHookFramework(repoRoot) {
     alreadyInstalled: installed
   };
 }
+function verifyHookInstalled(info) {
+  if (!existsSync9(info.targetFile)) {
+    return { ok: false, reason: `hook file missing: ${info.targetFile}` };
+  }
+  let content;
+  try {
+    content = readFileSync9(info.targetFile, "utf-8");
+  } catch (e) {
+    return { ok: false, reason: `cannot read ${info.targetFile}: ${e.message}` };
+  }
+  if (info.framework === "lefthook") {
+    if (!/^\s+dependency-guardian\s*:/m.test(content)) {
+      return { ok: false, reason: `lefthook entry missing in ${info.targetFile}` };
+    }
+    return { ok: true };
+  }
+  if (!content.includes(HOOK_MARKER)) {
+    return { ok: false, reason: `hook marker missing in ${info.targetFile}` };
+  }
+  if (info.framework === "bare" || info.framework === "husky") {
+    try {
+      const mode = lstatSync2(info.targetFile).mode & 511;
+      if ((mode & 73) === 0) {
+        return { ok: false, reason: `hook is not executable (mode ${mode.toString(8)})` };
+      }
+    } catch (e) {
+      return { ok: false, reason: `cannot stat ${info.targetFile}: ${e.message}` };
+    }
+  }
+  return { ok: true };
+}
 function previewHookInstall(info) {
   if (info.alreadyInstalled) {
     return `(already installed in ${info.targetFile} \u2014 no changes needed)`;
@@ -83387,7 +83635,7 @@ ${HUSKY_SNIPPET}`;
 
 ${LEFTHOOK_ENTRY}`;
     case "bare":
-      if (existsSync6(info.targetFile)) {
+      if (existsSync9(info.targetFile)) {
         return `Will append to existing hook at ${info.targetFile}:
 ${HOOK_SECTION}`;
       }
@@ -83396,21 +83644,21 @@ ${HOOK_SCRIPT}`;
   }
 }
 function installHuskyHook(targetFile) {
-  const existing = readFileSync7(targetFile, "utf-8");
+  const existing = readFileSync9(targetFile, "utf-8");
   if (existing.includes(HOOK_MARKER)) {
     process.stderr.write("  Hook already installed in Husky.\n");
     return;
   }
   safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HUSKY_SNIPPET);
   try {
-    chmodSync2(targetFile, 493);
+    chmodSync4(targetFile, 493);
   } catch {
   }
   process.stderr.write(`  Appended Dependency Guardian to ${targetFile}
 `);
 }
 function installLefthookHook(targetFile) {
-  const existing = readFileSync7(targetFile, "utf-8");
+  const existing = readFileSync9(targetFile, "utf-8");
   if (/^\s+dependency-guardian\s*:/m.test(existing)) {
     process.stderr.write("  Hook already installed in lefthook.\n");
     return;
@@ -83442,16 +83690,16 @@ function installLefthookHook(targetFile) {
 `);
 }
 function installBareHook(targetFile) {
-  const hooksDir = dirname4(targetFile);
-  mkdirSync(hooksDir, { recursive: true });
-  if (existsSync6(targetFile)) {
-    const existing = readFileSync7(targetFile, "utf-8");
+  const hooksDir = dirname8(targetFile);
+  mkdirSync5(hooksDir, { recursive: true });
+  if (existsSync9(targetFile)) {
+    const existing = readFileSync9(targetFile, "utf-8");
     if (existing.includes(HOOK_MARKER)) {
       process.stderr.write("  Hook already installed.\n");
       return;
     }
     safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HOOK_SECTION);
-    chmodSync2(targetFile, 493);
+    chmodSync4(targetFile, 493);
     process.stderr.write(
       `  Appended Dependency Guardian hook to existing ${targetFile}
 `
@@ -83459,7 +83707,7 @@ function installBareHook(targetFile) {
     return;
   }
   safeWriteFileSync(targetFile, HOOK_SCRIPT);
-  chmodSync2(targetFile, 493);
+  chmodSync4(targetFile, 493);
   process.stderr.write(`  Installed git pre-commit hook at ${targetFile}
 `);
 }
@@ -83479,71 +83727,107 @@ function installHookForFramework(info) {
 async function installHook() {
   const info = detectHookFramework();
   installHookForFramework(info);
+  try {
+    const repoPath = findRepoRoot();
+    const hookPath = isAbsolute4(info.targetFile) ? info.targetFile : resolvePath(repoPath, info.targetFile);
+    addEntry({
+      repoPath,
+      framework: info.framework,
+      hookPath
+    });
+  } catch {
+  }
   try {
     const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
     await pingSetupEvent2("hook_installed");
   } catch {
   }
 }
-async function uninstallHook() {
+function stripDgFromHookFile(hookPath, framework, repoPath) {
+  if (!existsSync9(hookPath)) {
+    return { status: "not-found", hookPath, repoPath };
+  }
+  const content = readFileSync9(hookPath, "utf-8");
+  if (framework === "lefthook") {
+    if (!/^\s+dependency-guardian\s*:/m.test(content)) {
+      return { status: "not-found", hookPath, repoPath };
+    }
+    const stripped = content.replace(
+      /^\s+dependency-guardian\s*:\s*\n(?:\s{6,}.*\n)+/gm,
+      ""
+    );
+    safeWriteFileSync(hookPath, stripped);
+    removeEntry(repoPath, hookPath);
+    return { status: "removed", hookPath, repoPath };
+  }
+  if (!content.includes(HOOK_MARKER)) {
+    return { status: "not-found", hookPath, repoPath };
+  }
+  if (framework === "bare" && content.trimStart().startsWith("#!/bin/sh\n" + HOOK_MARKER)) {
+    unlinkSync3(hookPath);
+    removeEntry(repoPath, hookPath);
+    return { status: "removed", hookPath, repoPath };
+  }
+  const startIdx = content.indexOf(MARKER_START);
+  const endIdx = content.indexOf(MARKER_END);
+  if (startIdx === -1 || endIdx === -1) {
+    return { status: "not-found", hookPath, repoPath };
+  }
+  const before = content.slice(0, startIdx).trimEnd();
+  const after = content.slice(endIdx + MARKER_END.length).trimStart();
+  const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
+  if (remaining.trim() === "" || remaining.trim() === "#!/bin/sh") {
+    unlinkSync3(hookPath);
+  } else {
+    safeWriteFileSync(hookPath, remaining);
+  }
+  removeEntry(repoPath, hookPath);
+  return { status: "removed", hookPath, repoPath };
+}
+function uninstallHookFromRepo(repoRootOverride) {
+  const root = repoRootOverride ?? findRepoRoot();
   const hooksDir = findHooksDir();
   const hookPath = join9(hooksDir, "pre-commit");
-  try {
-    const root = findRepoRoot();
-    const huskyPath = join9(root, ".husky", "pre-commit");
-    if (existsSync6(huskyPath)) {
-      const content2 = readFileSync7(huskyPath, "utf-8");
-      if (content2.includes(HOOK_MARKER)) {
-        const startIdx2 = content2.indexOf(MARKER_START);
-        const endIdx2 = content2.indexOf(MARKER_END);
-        if (startIdx2 !== -1 && endIdx2 !== -1) {
-          const before = content2.slice(0, startIdx2).trimEnd();
-          const after = content2.slice(endIdx2 + MARKER_END.length).trimStart();
-          const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
-          safeWriteFileSync(huskyPath, remaining);
-          process.stderr.write(
-            `  Removed Dependency Guardian section from ${huskyPath}
-`
-          );
-          return;
-        }
-      }
-    }
-    for (const cfg of [join9(root, "lefthook.yml"), join9(root, "lefthook.yaml")]) {
-      if (existsSync6(cfg)) {
-        const content2 = readFileSync7(cfg, "utf-8");
-        if (/^\s+dependency-guardian\s*:/m.test(content2)) {
-          const stripped = content2.replace(
-            /^\s+dependency-guardian\s*:\s*\n(?:\s{6,}.*\n)+/gm,
-            ""
-          );
-          safeWriteFileSync(cfg, stripped);
-          process.stderr.write(
-            `  Removed Dependency Guardian section from ${cfg}
-`
-          );
-          return;
-        }
-      }
+  const huskyPath = join9(root, ".husky", "pre-commit");
+  if (existsSync9(huskyPath)) {
+    const content2 = readFileSync9(huskyPath, "utf-8");
+    if (content2.includes(HOOK_MARKER)) {
+      const startIdx2 = content2.indexOf(MARKER_START);
+      const endIdx2 = content2.indexOf(MARKER_END);
+      if (startIdx2 !== -1 && endIdx2 !== -1) {
+        const before = content2.slice(0, startIdx2).trimEnd();
+        const after = content2.slice(endIdx2 + MARKER_END.length).trimStart();
+        const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
+        safeWriteFileSync(huskyPath, remaining);
+        removeEntry(root, huskyPath);
+        return { status: "removed", hookPath: huskyPath, repoPath: root };
+      }
+    }
+  }
+  for (const cfg of [join9(root, "lefthook.yml"), join9(root, "lefthook.yaml")]) {
+    if (!existsSync9(cfg)) continue;
+    const content2 = readFileSync9(cfg, "utf-8");
+    if (/^\s+dependency-guardian\s*:/m.test(content2)) {
+      const stripped = content2.replace(
+        /^\s+dependency-guardian\s*:\s*\n(?:\s{6,}.*\n)+/gm,
+        ""
+      );
+      safeWriteFileSync(cfg, stripped);
+      removeEntry(root, cfg);
+      return { status: "removed", hookPath: cfg, repoPath: root };
     }
-  } catch {
   }
-  if (!existsSync6(hookPath)) {
-    process.stderr.write("  No hook to remove.\n");
-    return;
+  if (!existsSync9(hookPath)) {
+    return { status: "not-found", hookPath, repoPath: root };
   }
-  const content = readFileSync7(hookPath, "utf-8");
+  const content = readFileSync9(hookPath, "utf-8");
   if (!content.includes(HOOK_MARKER)) {
-    process.stderr.write(
-      "  No Dependency Guardian hook found in pre-commit.\n"
-    );
-    return;
+    return { status: "not-found", hookPath, repoPath: root };
   }
   if (content.trimStart().startsWith("#!/bin/sh\n" + HOOK_MARKER)) {
-    unlinkSync2(hookPath);
-    process.stderr.write(`  Removed pre-commit hook at ${hookPath}
-`);
-    return;
+    unlinkSync3(hookPath);
+    removeEntry(root, hookPath);
+    return { status: "removed", hookPath, repoPath: root };
   }
   const startIdx = content.indexOf(MARKER_START);
   const endIdx = content.indexOf(MARKER_END);
@@ -83552,19 +83836,32 @@ async function uninstallHook() {
     const after = content.slice(endIdx + MARKER_END.length).trimStart();
     const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
     safeWriteFileSync(hookPath, remaining);
-    process.stderr.write(
-      `  Removed Dependency Guardian section from ${hookPath}
-`
-    );
+    removeEntry(root, hookPath);
+    return { status: "removed", hookPath, repoPath: root };
+  }
+  unlinkSync3(hookPath);
+  removeEntry(root, hookPath);
+  return { status: "removed", hookPath, repoPath: root };
+}
+async function uninstallHook() {
+  let result;
+  try {
+    result = uninstallHookFromRepo();
+  } catch (e) {
+    process.stderr.write(`  Error: ${e.message}
+`);
     return;
   }
-  unlinkSync2(hookPath);
-  process.stderr.write(`  Removed pre-commit hook at ${hookPath}
+  if (result.status === "removed") {
+    process.stderr.write(`  Removed Dependency Guardian section from ${result.hookPath}
 `);
-  try {
-    const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
-    await pingSetupEvent2("hook_uninstalled");
-  } catch {
+    try {
+      const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
+      await pingSetupEvent2("hook_uninstalled");
+    } catch {
+    }
+  } else {
+    process.stderr.write("  No Dependency Guardian hook found in this repo.\n");
   }
 }
 async function handleHookCommand(args) {
@@ -83578,11 +83875,6 @@ async function handleHookCommand(args) {
       await installHook();
     } else if (subcommand === "uninstall") {
       await uninstallHook();
-      try {
-        const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
-        await pingSetupEvent2("hook_uninstalled");
-      } catch {
-      }
     } else {
       process.stderr.write(`  Unknown hook command: ${subcommand}
 `);
@@ -83600,6 +83892,7 @@ var HOOK_MARKER, MARKER_START, MARKER_END, LEFTHOOK_MARKER, HOOK_SCRIPT, HOOK_SE
 var init_hook = __esm({
   "src/commands/hook.ts"() {
     "use strict";
+    init_hooks_registry();
     HOOK_MARKER = "# dependency-guardian-hook";
     MARKER_START = "# dependency-guardian-hook-start";
     MARKER_END = "# dependency-guardian-hook-end";
@@ -83968,14 +84261,14 @@ var init_parse_package_json = __esm({
 
 // src/lockfile/index.ts
 import { execFileSync as execFileSync3 } from "node:child_process";
-import { readFileSync as readFileSync8, existsSync as existsSync7, statSync } from "node:fs";
+import { readFileSync as readFileSync10, existsSync as existsSync10, statSync as statSync2 } from "node:fs";
 import { join as join10 } from "node:path";
 function readFileSafe(path3) {
-  const size = statSync(path3).size;
+  const size = statSync2(path3).size;
   if (size > MAX_LOCKFILE_BYTES) {
     throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path3}`);
   }
-  return readFileSync8(path3, "utf-8");
+  return readFileSync10(path3, "utf-8");
 }
 function discoverChanges(cwd2, config3) {
   if (config3.workspace) {
@@ -83985,7 +84278,7 @@ function discoverChanges(cwd2, config3) {
   const pythonDepFiles = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
   let pythonPackages = [];
   for (const pyFile of pythonDepFiles) {
-    if (existsSync7(join10(cwd2, pyFile))) {
+    if (existsSync10(join10(cwd2, pyFile))) {
       const pyPkgs = parsePythonDepFile(cwd2, pyFile);
       for (const p of pyPkgs) {
         if (p.version === "latest") continue;
@@ -84011,7 +84304,7 @@ function discoverChanges(cwd2, config3) {
   const headParsed = parseLockfileByType(headContent, lockfileInfo.type);
   const directDeps = getDirectDeps(cwd2);
   if (config3.baseLockfile) {
-    if (!existsSync7(config3.baseLockfile)) {
+    if (!existsSync10(config3.baseLockfile)) {
       throw new Error(`Base lockfile not found: ${config3.baseLockfile}`);
     }
     const baseContent = readFileSafe(config3.baseLockfile);
@@ -84037,7 +84330,7 @@ function discoverChanges(cwd2, config3) {
       };
     }
     const pkgJsonPath = join10(cwd2, "package.json");
-    if (existsSync7(pkgJsonPath)) {
+    if (existsSync10(pkgJsonPath)) {
       const headPkgJson = readFileSafe(pkgJsonPath);
       const basePkgJson = getGitBaseFile(cwd2, "package.json");
       if (basePkgJson !== null) {
@@ -84081,7 +84374,7 @@ function findLockfile(cwd2) {
   ];
   for (const [name, type] of candidates) {
     const p = join10(cwd2, name);
-    if (existsSync7(p)) return { path: p, type };
+    if (existsSync10(p)) return { path: p, type };
   }
   return null;
 }
@@ -84285,16 +84578,20 @@ var init_sanitize = __esm({
 // src/cache/local_cache.ts
 import * as path2 from "node:path";
 import * as fs2 from "node:fs";
-import * as os5 from "node:os";
 import { createRequire } from "node:module";
 function defaultDbPath() {
-  const baseDir = process.env.DG_CACHE_DIR ?? path2.join(os5.homedir(), ".dg");
-  return path2.join(baseDir, "cache.sqlite");
+  return dgCachePath("scans.sqlite");
 }
 function tryLoadDriver() {
   try {
     const mod = moduleRequire("node-sqlite3-wasm");
     const Ctor = mod.Database;
+    if (typeof Ctor !== "function") {
+      if (process.env.DG_PERF) {
+        console.warn(`[CLI-CACHE] node-sqlite3-wasm did not export Database (got ${typeof Ctor})`);
+      }
+      return null;
+    }
     return (p) => new Ctor(p);
   } catch (err) {
     if (process.env.DG_PERF) {
@@ -84311,6 +84608,7 @@ var moduleRequire, DEFAULT_MAX_ROWS, DEFAULT_TTL_SECONDS, LocalScanCache, _share
 var init_local_cache = __esm({
   "src/cache/local_cache.ts"() {
     "use strict";
+    init_paths();
     moduleRequire = createRequire(import.meta.url);
     DEFAULT_MAX_ROWS = 1e5;
     DEFAULT_TTL_SECONDS = 24 * 60 * 60;
@@ -84338,6 +84636,15 @@ var init_local_cache = __esm({
           this.db.exec("PRAGMA busy_timeout = 5000");
           this.initSchema();
           this.vacuumExpired();
+          if (!fs2.existsSync(dbPath)) {
+            if (process.env.DG_PERF) {
+              console.warn(`[CLI-CACHE] cache file ${dbPath} did not materialize after init \u2014 disabling`);
+            }
+            this.disabled = true;
+            this.db = null;
+            return;
+          }
+          this.mergeLegacyIfPresent();
         } catch (err) {
           this.disabled = true;
           if (process.env.DG_PERF) {
@@ -84346,6 +84653,61 @@ var init_local_cache = __esm({
           this.db = null;
         }
       }
+      mergeLegacyIfPresent() {
+        if (!this.db || !this.insertStmt) return;
+        const legacy = legacyPaths().cacheSqlite;
+        if (!fs2.existsSync(legacy)) return;
+        const driver = tryLoadDriver();
+        if (!driver) return;
+        let legacyDb = null;
+        try {
+          legacyDb = driver(legacy);
+          const rows = legacyDb.all(
+            "SELECT name, version, score, payload, fetched_at, expires_at FROM scan_cache_v2 WHERE expires_at > ?",
+            [Date.now()]
+          );
+          if (rows.length === 0) {
+            try {
+              legacyDb.close();
+            } catch {
+            }
+            try {
+              fs2.unlinkSync(legacy);
+            } catch {
+            }
+            return;
+          }
+          const stmt = this.insertStmt;
+          this.db.exec("BEGIN");
+          for (const r of rows) {
+            stmt.run([r.name, r.version, r.score, r.payload, r.fetched_at, r.expires_at]);
+          }
+          this.db.exec("COMMIT");
+          if (process.env.DG_PERF) {
+            console.warn(`[CLI-CACHE] merged ${rows.length} rows from legacy ${legacy}`);
+          }
+          try {
+            legacyDb.close();
+          } catch {
+          }
+          try {
+            fs2.unlinkSync(legacy);
+          } catch {
+          }
+        } catch (err) {
+          try {
+            legacyDb?.close();
+          } catch {
+          }
+          try {
+            this.db.exec("ROLLBACK");
+          } catch {
+          }
+          if (process.env.DG_PERF) {
+            console.warn(`[CLI-CACHE] legacy cache merge failed: ${err instanceof Error ? err.message : err}`);
+          }
+        }
+      }
       initSchema() {
         if (!this.db) return;
         this.db.exec(`
@@ -84372,21 +84734,9 @@ var init_local_cache = __esm({
         expires_at = excluded.expires_at
     `);
       }
-      /**
-       * Collision-free key for the in-memory Map returned by `lookup()`. Uses
-       * a NUL separator (illegal in npm + PyPI package names — JS strings
-       * handle NUL fine; the v1 `${name}@${version}` form was string-collidable
-       * when names contained "@"). Callers must use this same helper to look
-       * entries up — never reconstruct by hand.
-       */
       static cacheKey(name, version) {
         return `${name}\0${version}`;
       }
-      /**
-       * Batch lookup. Returns a Map keyed by the v2 key (`name\0version`). Expired
-       * rows are excluded by the WHERE clause; the caller can treat absence as
-       * "go ask the server."
-       */
       lookup(packages) {
         const out = /* @__PURE__ */ new Map();
         if (this.disabled || !this.db || packages.length === 0) return out;
@@ -84427,11 +84777,6 @@ var init_local_cache = __esm({
         }
         return out;
       }
-      /**
-       * Persist fresh scan results. Uses a single transaction so all rows commit
-       * together (fast + crash-safe). Inserts past maxRows trigger LRU eviction
-       * on the oldest fetched_at.
-       */
       insert(rows) {
         if (this.disabled || !this.db || !this.insertStmt || rows.length === 0) return;
         const now = Date.now();
@@ -84516,7 +84861,10 @@ var init_local_cache = __esm({
 // src/api/client.ts
 var client_exports = {};
 __export(client_exports, {
+  ANON_BATCH_SIZE: () => ANON_BATCH_SIZE,
   APIError: () => APIError,
+  BATCH_SIZE: () => BATCH_SIZE,
+  BatchPoolPartialError: () => BatchPoolPartialError,
   ClientOutdatedError: () => ClientOutdatedError,
   TrialExhaustedError: () => TrialExhaustedError,
   callAnalyzeAPI: () => callAnalyzeAPI,
@@ -84594,23 +84942,32 @@ async function callAnalyzeAPI(packages, config3, onProgress) {
       batches.push(uncached.slice(i, i + batchSize));
     }
     const tTotal = Date.now();
-    const results = await runBatchPool(
-      batches,
-      (batch, onRateLimit, onPackageProgress) => callBatchWithRetry(batch, config3, onRateLimit, onPackageProgress),
-      {
-        onBatchDone: (_batchIndex, batch, completed) => {
-          if (adjustedOnProgress) {
-            adjustedOnProgress(completed, uncached.length, batch.map((p) => p.name));
-          }
-        },
-        onPackageProgress: (completed, latestName) => {
-          if (adjustedOnProgress) {
-            adjustedOnProgress(completed, uncached.length, latestName ? [latestName] : []);
-          }
-        },
-        totalBatches: batches.length
+    let results;
+    try {
+      results = await runBatchPool(
+        batches,
+        (batch, onRateLimit, onPackageProgress) => callBatchWithRetry(batch, config3, onRateLimit, onPackageProgress),
+        {
+          onBatchDone: (_batchIndex, batch, completed) => {
+            if (adjustedOnProgress) {
+              adjustedOnProgress(completed, uncached.length, batch.map((p) => p.name));
+            }
+          },
+          onPackageProgress: (completed, latestName) => {
+            if (adjustedOnProgress) {
+              adjustedOnProgress(completed, uncached.length, latestName ? [latestName] : []);
+            }
+          },
+          totalBatches: batches.length
+        }
+      );
+    } catch (e) {
+      if (e instanceof BatchPoolPartialError && e.partialResults.length > 0) {
+        const partial = mergeResponses(e.partialResults);
+        persistServerResponse(cache3, partial);
       }
-    );
+      throw e instanceof BatchPoolPartialError ? e.cause : e;
+    }
     if (process.env.DG_PERF) console.error(`[CLI-PERF] total: ${uncached.length} uncached packages \u2192 ${Date.now() - tTotal}ms`);
     serverResponse = mergeResponses(results);
   }
@@ -84755,8 +85112,8 @@ async function runBatchPool(batches, fn, opts) {
         if (catchup > 0) completedPackages += catchup;
         if (opts.onBatchDone) opts.onBatchDone(i, batch, completedPackages);
       } catch (e) {
-        firstError = e;
-        throw e;
+        if (firstError === null) firstError = e;
+        return;
       }
     }
   }
@@ -84764,7 +85121,10 @@ async function runBatchPool(batches, fn, opts) {
   const workers = [];
   for (let s = 0; s < workerCount; s++) workers.push(worker(s));
   await Promise.allSettled(workers);
-  if (firstError !== null) throw firstError;
+  if (firstError !== null) {
+    const partials = results.filter((r) => r !== void 0);
+    throw new BatchPoolPartialError(firstError, partials);
+  }
   return results;
 }
 async function callBatchWithRetry(packages, config3, onRateLimit, onPackageProgress) {
@@ -84818,7 +85178,6 @@ function mergeResponses(results) {
     action,
     packages: allPackages,
     safeVersions,
-    // Sum, not max — batches run sequentially, total wall-clock is the sum
     durationMs: results.reduce((s, r) => s + (r.durationMs || 0), 0)
   };
 }
@@ -84970,26 +85329,52 @@ async function readNdjsonAnalyzeResponse(response, onPackageProgress) {
 async function callPyPIAnalyzeAPI(packages, config3, onProgress) {
   const batchSize = config3.apiKey ? BATCH_SIZE : ANON_BATCH_SIZE;
   _currentScanId = randomUUID2();
-  if (packages.length <= batchSize) {
-    return callPyPIBatch(packages, config3);
+  const cache3 = getSharedLocalCache();
+  const tLocalLookup = Date.now();
+  const localHits = cache3.lookup(packages.map((p) => ({ name: p.name, version: p.version })));
+  if (process.env.DG_PERF && !cache3.isDisabled) {
+    console.error(`[CLI-PERF] pypi local cache: ${localHits.size}/${packages.length} hits \u2192 ${Date.now() - tLocalLookup}ms`);
   }
-  const batches = [];
-  for (let i = 0; i < packages.length; i += batchSize) {
-    batches.push(packages.slice(i, i + batchSize));
+  const uncached = packages.filter((p) => !localHits.has(LocalScanCache.cacheKey(p.name, p.version)));
+  if (uncached.length === 0) {
+    if (onProgress) onProgress(packages.length, packages.length);
+    return localHitsToResponse(packages, localHits);
   }
-  const tTotal = Date.now();
-  const results = await runBatchPool(
-    batches,
-    (batch) => callPyPIBatch(batch, config3),
-    {
-      onBatchDone: (_i, _batch, completed) => {
-        if (onProgress) onProgress(completed, packages.length);
-      },
-      totalBatches: batches.length
+  let serverResponse;
+  if (uncached.length <= batchSize) {
+    serverResponse = await callPyPIBatch(uncached, config3);
+    if (onProgress) onProgress(localHits.size + uncached.length, packages.length);
+  } else {
+    const batches = [];
+    for (let i = 0; i < uncached.length; i += batchSize) {
+      batches.push(uncached.slice(i, i + batchSize));
     }
-  );
-  if (process.env.DG_PERF) console.error(`[CLI-PERF] pypi total: ${packages.length} packages \u2192 ${Date.now() - tTotal}ms`);
-  return mergeResponses(results);
+    const tTotal = Date.now();
+    let results;
+    try {
+      results = await runBatchPool(
+        batches,
+        (batch) => callPyPIBatch(batch, config3),
+        {
+          onBatchDone: (_i, _batch, completed) => {
+            if (onProgress) onProgress(localHits.size + completed, packages.length);
+          },
+          totalBatches: batches.length
+        }
+      );
+    } catch (e) {
+      if (e instanceof BatchPoolPartialError && e.partialResults.length > 0) {
+        const partial = mergeResponses(e.partialResults);
+        persistServerResponse(cache3, partial);
+      }
+      throw e instanceof BatchPoolPartialError ? e.cause : e;
+    }
+    if (process.env.DG_PERF) console.error(`[CLI-PERF] pypi total: ${uncached.length} uncached \u2192 ${Date.now() - tTotal}ms`);
+    serverResponse = mergeResponses(results);
+  }
+  persistServerResponse(cache3, serverResponse);
+  if (localHits.size === 0) return serverResponse;
+  return mergeLocalHitsWithServer(packages, localHits, serverResponse);
 }
 async function callPyPIBatch(packages, config3) {
   const url = `${config3.apiUrl}/v1/pypi/analyze`;
@@ -85052,7 +85437,7 @@ async function callPyPIBatch(packages, config3) {
   checkVersionFloor(raw);
   return sanitizeResponse(raw);
 }
-var APIError, TrialExhaustedError, ClientOutdatedError, BATCH_SIZE, ANON_BATCH_SIZE, MAX_RETRIES, RETRY_DELAY_MS, DEFAULT_BATCH_CONCURRENCY, _currentScanId;
+var APIError, TrialExhaustedError, ClientOutdatedError, BATCH_SIZE, ANON_BATCH_SIZE, MAX_RETRIES, RETRY_DELAY_MS, DEFAULT_BATCH_CONCURRENCY, _currentScanId, BatchPoolPartialError;
 var init_client3 = __esm({
   "src/api/client.ts"() {
     "use strict";
@@ -85087,12 +85472,20 @@ var init_client3 = __esm({
         this.name = "ClientOutdatedError";
       }
     };
-    BATCH_SIZE = 200;
-    ANON_BATCH_SIZE = 200;
+    BATCH_SIZE = 50;
+    ANON_BATCH_SIZE = 50;
     MAX_RETRIES = 2;
     RETRY_DELAY_MS = 5e3;
     DEFAULT_BATCH_CONCURRENCY = 4;
     _currentScanId = "";
+    BatchPoolPartialError = class extends Error {
+      constructor(cause, partialResults) {
+        super(cause instanceof Error ? cause.message : String(cause));
+        this.cause = cause;
+        this.partialResults = partialResults;
+        this.name = "BatchPoolPartialError";
+      }
+    };
   }
 });
 
@@ -85143,6 +85536,19 @@ async function scanProjectAtPath(cwd2, config3, onProgress) {
       cumulativeDone += pyPackages.length;
     }
     const allPackages = responses.flatMap((r) => r.packages);
+    if (allPackages.length === 0) {
+      const elapsed = elapsedMs();
+      return {
+        status: "api_returned_empty",
+        result: {
+          result: { score: 0, action: "pass", packages: [], safeVersions: {}, durationMs: elapsed },
+          durationMs: elapsed,
+          scannedCount: 0,
+          skippedCount: discovery.skipped?.length ?? 0
+        },
+        message: `Analyze API returned 0 results for ${totalDiscovered} discovered packages (npm: ${npmPackages.length}, pypi: ${pyPackages.length}). This is not a 'nothing to scan' state \u2014 the API call succeeded but returned an empty packages list. Check API status and re-run.`
+      };
+    }
     const maxScore = allPackages.length > 0 ? Math.max(0, ...allPackages.map((p) => p.score)) : 0;
     const anyIncomplete = responses.some((r) => r.action === "analysis_incomplete") || allPackages.some((p) => Array.isArray(p.findings) && p.findings.some((f) => f?.id === "analysis_incomplete"));
     const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
@@ -85216,11 +85622,11 @@ __export(protect_exports, {
   stripAliasSourceFromRc: () => stripAliasSourceFromRc,
   suggestedShellRc: () => suggestedShellRc
 });
-import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync5, unlinkSync as unlinkSync3, mkdirSync as mkdirSync3, lstatSync as lstatSync3, appendFileSync } from "node:fs";
-import { join as join12, dirname as dirname6 } from "node:path";
-import { homedir as homedir5 } from "node:os";
+import { existsSync as existsSync12, readFileSync as readFileSync11, writeFileSync as writeFileSync7, unlinkSync as unlinkSync5, mkdirSync as mkdirSync7, lstatSync as lstatSync3, appendFileSync } from "node:fs";
+import { join as join11, dirname as dirname10 } from "node:path";
+import { homedir as homedir3 } from "node:os";
 function aliasFile() {
-  return join12(homedir5(), ".dependency-guardian", "aliases.sh");
+  return dgStatePath("aliases.sh");
 }
 function safeIsRegularFile(path3) {
   try {
@@ -85231,7 +85637,7 @@ function safeIsRegularFile(path3) {
   }
 }
 function safeWriteFileSync2(target, content, mode = 420) {
-  const parent = dirname6(target);
+  const parent = dirname10(target);
   try {
     const parentStat = lstatSync3(parent);
     if (parentStat.isSymbolicLink()) {
@@ -85248,34 +85654,23 @@ function safeWriteFileSync2(target, content, mode = 420) {
   } catch (e) {
     if (e instanceof Error && e.message.startsWith("refusing")) throw e;
   }
-  writeFileSync5(target, content, { encoding: "utf-8", mode });
+  writeFileSync7(target, content, { encoding: "utf-8", mode });
 }
-function readProtectConfig(cwd2) {
-  const stored = getProtectConfig();
-  if (stored) return stored;
-  const legacyPath = join12(cwd2, LEGACY_PROJECT_FILE);
-  if (safeIsRegularFile(legacyPath)) {
-    try {
-      const data = JSON.parse(readFileSync9(legacyPath, "utf-8"));
-      if (typeof data === "object" && data !== null) {
-        const cfg = data;
-        setProtectConfig(cfg);
-        return cfg;
-      }
-    } catch {
-    }
-  }
-  return null;
+function readProtectConfig(_cwd) {
+  return getProtectConfig() ?? null;
 }
 function writeProtectConfig(_cwd, cfg) {
   setProtectConfig(cfg);
 }
 function writeAliasSnippet() {
-  const dir = dirname6(aliasFile());
-  mkdirSync3(dir, { recursive: true });
+  const dir = dirname10(aliasFile());
+  mkdirSync7(dir, { recursive: true, mode: 448 });
   safeWriteFileSync2(aliasFile(), ALIAS_SNIPPET);
   return aliasFile();
 }
+function legacyAliasPath() {
+  return legacyPaths().aliasesShOld;
+}
 function suggestedShellRc() {
   const shell = (process.env.SHELL ?? "").toLowerCase();
   if (shell.includes("zsh")) return { rc: "~/.zshrc", shellName: "zsh" };
@@ -85284,19 +85679,19 @@ function suggestedShellRc() {
   return { rc: "~/.zshrc", shellName: "your shell rc" };
 }
 function expandHome(path3) {
-  if (path3.startsWith("~/")) return join12(homedir5(), path3.slice(2));
-  if (path3 === "~") return homedir5();
+  if (path3.startsWith("~/")) return join11(homedir3(), path3.slice(2));
+  if (path3 === "~") return homedir3();
   return path3;
 }
 function appendAliasSourceToRc(rcPathRaw, sourceLine) {
   const rcPath = expandHome(rcPathRaw);
-  const home = homedir5();
+  const home = homedir3();
   if (!rcPath.startsWith(home + "/") && rcPath !== home) {
     return { status: "failed", rcPath, reason: "rc path is outside the home directory" };
   }
   try {
-    const parent = dirname6(rcPath);
-    if (existsSync9(parent)) {
+    const parent = dirname10(rcPath);
+    if (existsSync12(parent)) {
       const parentStat = lstatSync3(parent);
       if (parentStat.isSymbolicLink()) {
         return { status: "failed", rcPath, reason: "parent directory is a symlink" };
@@ -85305,7 +85700,7 @@ function appendAliasSourceToRc(rcPathRaw, sourceLine) {
   } catch (e) {
     return { status: "failed", rcPath, reason: e.message };
   }
-  if (existsSync9(rcPath)) {
+  if (existsSync12(rcPath)) {
     let st;
     try {
       st = lstatSync3(rcPath);
@@ -85319,8 +85714,8 @@ function appendAliasSourceToRc(rcPathRaw, sourceLine) {
       return { status: "failed", rcPath, reason: "rc path is not a regular file" };
     }
     try {
-      const existing = readFileSync9(rcPath, "utf-8");
-      if (existing.includes(aliasFile()) || existing.includes(".dependency-guardian/aliases.sh") || existing.includes(sourceLine.trim())) {
+      const existing = readFileSync11(rcPath, "utf-8");
+      if (existing.includes(RC_SENTINEL_OPEN) || existing.includes(aliasFile()) || existing.includes(legacyAliasPath()) || existing.includes(sourceLine.trim())) {
         return { status: "already-present", rcPath };
       }
     } catch (e) {
@@ -85329,8 +85724,9 @@ function appendAliasSourceToRc(rcPathRaw, sourceLine) {
   }
   try {
     const block = `
-# Added by dg kitty \u2014 auto-scan via Dependency Guardian.
+${RC_SENTINEL_OPEN}
 ${sourceLine}
+${RC_SENTINEL_CLOSE}
 `;
     appendFileSync(rcPath, block, { encoding: "utf-8" });
     return { status: "appended", rcPath };
@@ -85363,12 +85759,14 @@ function aliasSnippetExists() {
 }
 function aliasSnippetSourced() {
   const candidates = [".zshrc", ".bashrc", ".bash_profile", ".profile"];
+  const aliasFilePath = aliasFile();
+  const legacyAlias = legacyAliasPath();
   for (const rc of candidates) {
-    const path3 = join12(homedir5(), rc);
+    const path3 = join11(homedir3(), rc);
     if (!safeIsRegularFile(path3)) continue;
     try {
-      const content = readFileSync9(path3, "utf-8");
-      if (content.includes(aliasFile()) || content.includes(".dependency-guardian/aliases.sh")) {
+      const content = readFileSync11(path3, "utf-8");
+      if (content.includes(RC_SENTINEL_OPEN) || content.includes(aliasFilePath) || content.includes(legacyAlias) || content.includes(".dependency-guardian/aliases.sh")) {
         return { sourced: true, rcFile: path3 };
       }
     } catch {
@@ -85379,33 +85777,51 @@ function aliasSnippetSourced() {
 function stripAliasSourceFromRc() {
   const candidates = [".zshrc", ".bashrc", ".bash_profile", ".profile"];
   const modified = [];
+  const manualReviewNeeded = [];
   const aliasFilePath = aliasFile();
+  const legacyAlias = legacyAliasPath();
   for (const rc of candidates) {
-    const path3 = join12(homedir5(), rc);
+    const path3 = join11(homedir3(), rc);
     if (!safeIsRegularFile(path3)) continue;
     let content;
     try {
-      content = readFileSync9(path3, "utf-8");
+      content = readFileSync11(path3, "utf-8");
     } catch {
       continue;
     }
-    if (!content.includes(aliasFilePath) && !content.includes(".dependency-guardian/aliases.sh")) {
+    const hasOpen = content.includes(RC_SENTINEL_OPEN);
+    const hasClose = content.includes(RC_SENTINEL_CLOSE);
+    const hasPath = content.includes(aliasFilePath) || content.includes(legacyAlias) || content.includes(".dependency-guardian/aliases.sh");
+    if (!hasOpen && !hasPath) continue;
+    if (hasOpen && !hasClose) {
+      manualReviewNeeded.push(path3);
       continue;
     }
-    const lines = content.split("\n");
-    const out = [];
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      const isSourceLine = line.includes(aliasFilePath) || line.includes(".dependency-guardian/aliases.sh");
-      if (isSourceLine && (line.trimStart().startsWith("source ") || line.trimStart().startsWith(". "))) {
-        if (out.length > 0 && out[out.length - 1].trim().startsWith("# Added by dg kitty")) {
-          out.pop();
+    let next = content;
+    if (hasOpen && hasClose) {
+      const pattern = new RegExp(
+        `\\n?${escapeRegex(RC_SENTINEL_OPEN)}[\\s\\S]*?${escapeRegex(RC_SENTINEL_CLOSE)}\\n?`,
+        "g"
+      );
+      next = next.replace(pattern, "\n");
+    }
+    if (hasPath) {
+      const lines = next.split("\n");
+      const out = [];
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const isSourceLine = line.includes(aliasFilePath) || line.includes(legacyAlias) || line.includes(".dependency-guardian/aliases.sh");
+        if (isSourceLine && (line.trimStart().startsWith("source ") || line.trimStart().startsWith(". "))) {
+          if (out.length > 0 && out[out.length - 1].trim().startsWith("# Added by dg kitty")) {
+            out.pop();
+          }
+          continue;
         }
-        continue;
+        out.push(line);
       }
-      out.push(line);
+      next = out.join("\n");
     }
-    const next = out.join("\n");
+    next = next.replace(/\n{3,}/g, "\n\n");
     if (next === content) continue;
     try {
       safeWriteFileSync2(path3, next, 420);
@@ -85413,7 +85829,10 @@ function stripAliasSourceFromRc() {
     } catch {
     }
   }
-  return modified;
+  return { modified, manualReviewNeeded };
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 async function runProtectInit(cwd2, opts = {}) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -85441,7 +85860,7 @@ async function runProtectInit(cwd2, opts = {}) {
   }
   process.stderr.write("\n");
   process.stderr.write(import_chalk4.default.green("  \u2713 ") + import_chalk4.default.bold("Dependency Guardian protection: ENABLED") + "\n");
-  process.stderr.write(import_chalk4.default.dim("    Stored in ~/.dgrc.json.\n"));
+  process.stderr.write(import_chalk4.default.dim("    Stored under ~/.dg/.\n"));
   process.stderr.write(import_chalk4.default.dim(`    Mode: ${cfg.mode}${cfg.strict ? " \xB7 strict" : ""}
 `));
   process.stderr.write("\n");
@@ -85475,7 +85894,7 @@ async function runProtectOff(cwd2, opts = {}) {
   if (getProtectConfig()) {
     try {
       clearProtectConfig();
-      process.stderr.write(import_chalk4.default.green("  \u2713 ") + "Cleared protect config in ~/.dgrc.json\n");
+      process.stderr.write(import_chalk4.default.green("  \u2713 ") + "Cleared protect config\n");
       removed += 1;
       try {
         const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
@@ -85489,21 +85908,10 @@ async function runProtectOff(cwd2, opts = {}) {
   } else {
     process.stderr.write(import_chalk4.default.dim("  Protect config already cleared.\n"));
   }
-  const legacyPath = join12(cwd2, LEGACY_PROJECT_FILE);
-  if (safeIsRegularFile(legacyPath)) {
-    try {
-      unlinkSync3(legacyPath);
-      process.stderr.write(import_chalk4.default.green("  \u2713 ") + `Removed legacy ${legacyPath}
-`);
-      removed += 1;
-    } catch (e) {
-      process.stderr.write(import_chalk4.default.red(`  Could not remove ${legacyPath}: ${e.message}
-`));
-    }
-  }
+  void cwd2;
   if (opts.removeShell && aliasSnippetExists()) {
     try {
-      unlinkSync3(aliasFile());
+      unlinkSync5(aliasFile());
       process.stderr.write(import_chalk4.default.green("  \u2713 ") + `Removed ${aliasFile()}
 `);
       removed += 1;
@@ -85511,12 +85919,18 @@ async function runProtectOff(cwd2, opts = {}) {
       process.stderr.write(import_chalk4.default.red(`  Could not remove ${aliasFile()}: ${e.message}
 `));
     }
-    const stripped = stripAliasSourceFromRc();
-    for (const p of stripped) {
+    const stripResult = stripAliasSourceFromRc();
+    for (const p of stripResult.modified) {
       process.stderr.write(import_chalk4.default.green("  \u2713 ") + `Removed source line from ${p}
 `);
       removed += 1;
     }
+    for (const p of stripResult.manualReviewNeeded) {
+      process.stderr.write(
+        import_chalk4.default.yellow("  \u26A0 ") + `Could not safely strip ${p}: opening sentinel without matching close. Remove the dg block by hand.
+`
+      );
+    }
   } else if (aliasSnippetExists()) {
     process.stderr.write(
       import_chalk4.default.dim(`  Shell snippet at ${aliasFile()} kept (other projects may use it).
@@ -85574,13 +85988,15 @@ function runInit(flags, cwd2) {
   }
   return runProtectInit(cwd2, opts);
 }
-var import_chalk4, LEGACY_PROJECT_FILE, DEFAULT_CONFIG, ALIAS_SNIPPET, USAGE3;
+var import_chalk4, RC_SENTINEL_OPEN, RC_SENTINEL_CLOSE, DEFAULT_CONFIG, ALIAS_SNIPPET, USAGE3;
 var init_protect = __esm({
   "src/commands/protect.ts"() {
     "use strict";
     import_chalk4 = __toESM(require_source());
     init_auth();
-    LEGACY_PROJECT_FILE = ".dgprotect.json";
+    init_paths();
+    RC_SENTINEL_OPEN = "# >>> dependency-guardian (managed) >>>";
+    RC_SENTINEL_CLOSE = "# <<< dependency-guardian (managed) <<<";
     DEFAULT_CONFIG = {
       version: 1,
       enabled: true,
@@ -85589,7 +86005,7 @@ var init_protect = __esm({
     };
     ALIAS_SNIPPET = `# Dependency Guardian \u2014 opt-in shell aliases
 # Source this from your shell rc to route npm/pip through dg:
-#   echo 'source ~/.dependency-guardian/aliases.sh' >> ~/.zshrc   # or ~/.bashrc
+#   echo 'source ~/.dg/aliases.sh' >> ~/.zshrc   # or ~/.bashrc
 # To turn it off, remove that line.
 
 # Only alias if a real dg binary is on PATH.
@@ -85616,7 +86032,7 @@ unset __dg_bin
 
   Usage:
     dg protect            Enable protection (same as \`dg protect init\`)
-    dg protect off        Disable protection in this project
+    dg protect off        Disable protection
 
   Flags (for init):
     --no-shell            Skip generating the shell-alias snippet
@@ -85624,10 +86040,10 @@ unset __dg_bin
     --strict              Refuse partial-coverage scans + suppress scripts
 
   What \`dg protect\` does:
-    1. Writes \`.dgprotect.json\` in the project (commit it).
-    2. Generates an opt-in alias snippet at
-       \`~/.dependency-guardian/aliases.sh\` that you can \`source\` from your
-       shell rc. We do NOT touch your rc ourselves.
+    1. Stores protection settings under ~/.dg/.
+    2. Generates a shell-alias snippet at
+       \`~/.dg/state/aliases.sh\` that you can \`source\`
+       from your shell rc. We do NOT touch your rc ourselves.
     3. Tells you exactly what line to add (and how to undo it).
 
   After protection is on, \`npm install\` and \`pip install\` route through
@@ -85635,7 +86051,7 @@ unset __dg_bin
 
   To see current coverage status, run \`dg status\`.
   To disable, run \`dg protect off\`. (Pass --remove-shell to also delete
-  the per-user alias snippet.)
+  the alias snippet and strip the source line from your shell rc.)
 
   Why this is opt-in:
     DG never silently hijacks global npm/pip. Every change is explicit
@@ -85645,8 +86061,8 @@ unset __dg_bin
 });
 
 // src/ui/hooks/useInit.ts
-import { statSync as statSync2 } from "node:fs";
-import { join as join13 } from "node:path";
+import { statSync as statSync3 } from "node:fs";
+import { join as join12 } from "node:path";
 function initialState(dryRun, firstRun) {
   return {
     phase: firstRun ? "greet" : "detect",
@@ -85677,7 +86093,7 @@ function initialState(dryRun, firstRun) {
 function detectCwdIsProject(cwd2) {
   for (const marker of PROJECT_MARKERS) {
     try {
-      const stat = statSync2(join13(cwd2, marker));
+      const stat = statSync3(join12(cwd2, marker));
       if (stat.isFile()) return true;
     } catch {
     }
@@ -85690,7 +86106,6 @@ function reducer(state, action) {
 `);
   }
   switch (action.type) {
-    // ── First-run guided tour transitions ──────────────────────────────────
     case "welcome_yes":
       return { ...state, phase: "value_prop", engaged: true };
     case "welcome_no": {
@@ -85770,6 +86185,9 @@ function reducer(state, action) {
       if (!state.protectInfo) {
         return { ...state, phase: "pitch_app" };
       }
+      if (state.protectInfo.alreadySourced) {
+        return { ...state, phase: "pitch_app" };
+      }
       return { ...state, phase: "optional_protection" };
     case "optional_protection_yes":
       return { ...state, phase: "optional_protection_result" };
@@ -85784,7 +86202,6 @@ function reducer(state, action) {
       return { ...state, phase: "pitch_app" };
     case "pitch_acked":
       return { ...state, phase: "done" };
-    // ── Existing Phase 1b transitions (unchanged) ──────────────────────────
     case "detected":
       return {
         ...state,
@@ -85872,9 +86289,7 @@ function goBack(state) {
     value_prop: "greet",
     demo_result: "value_prop",
     confirm_wrap: "verify_hook",
-    // legacy only
     show_app_link: "confirm_scan"
-    // legacy only
   };
   if (state.phase === "confirm_hook") {
     return { ...state, phase: state.firstRun ? "scenario" : "detect" };
@@ -85929,7 +86344,7 @@ function useInit(opts = {}) {
       dispatch({
         type: "hook_installed",
         protectInfo: {
-          rcLine: "source ~/.dependency-guardian/aliases.sh",
+          rcLine: "source ~/.dg/state/aliases.sh",
           rcFile: "~/.zshrc",
           shellName: "zsh",
           alreadySourced: false
@@ -85943,8 +86358,15 @@ function useInit(opts = {}) {
       let protectInfo;
       try {
         const { rcLine, rcFile, shellName, alreadySourced } = setupProtectQuietly(cwd2);
+        let sourced = alreadySourced;
+        if (!alreadySourced) {
+          const out = appendAliasSourceToRc(rcFile, rcLine);
+          if (out.status === "appended" || out.status === "already-present") {
+            sourced = true;
+          }
+        }
         void Promise.resolve().then(() => (init_auth(), auth_exports)).then((m) => m.enqueueSetupEvent("protect_enabled"));
-        protectInfo = { rcLine, rcFile, shellName, alreadySourced };
+        protectInfo = { rcLine, rcFile, shellName, alreadySourced: sourced };
       } catch {
       }
       dispatch({ type: "hook_installed", protectInfo });
@@ -85960,26 +86382,25 @@ function useInit(opts = {}) {
       dispatch({ type: "hook_verified", durationMs: 0 });
       return;
     }
+    if (!state.hookInfo) {
+      dispatch({ type: "hook_verify_failed", error: "hook framework not detected" });
+      return;
+    }
+    const t0 = Date.now();
     try {
-      const cwd3 = opts.cwd ?? process.cwd();
-      const config3 = parseConfig([process.argv[0] ?? "node", "init"], false);
-      const outcome = await scanFn(cwd3, config3);
-      if (outcome.status === "error" && outcome.error) {
-        dispatch({
-          type: "hook_verify_failed",
-          error: outcome.message ?? outcome.error.message
-        });
+      const result = verifyHookInstalled(state.hookInfo);
+      if (!result.ok) {
+        dispatch({ type: "hook_verify_failed", error: result.reason ?? "verification failed" });
         return;
       }
-      const ms = outcome.result?.durationMs ?? 0;
-      dispatch({ type: "hook_verified", durationMs: ms });
+      dispatch({ type: "hook_verified", durationMs: Date.now() - t0 });
     } catch (e) {
       dispatch({
         type: "hook_verify_failed",
         error: e instanceof Error ? e.message : String(e)
       });
     }
-  }, [state.dryRun, opts.cwd, scanFn]);
+  }, [state.dryRun, state.hookInfo]);
   const runScan = (0, import_react22.useCallback)(async () => {
     if (state.dryRun) {
       dispatch({
@@ -86001,11 +86422,23 @@ function useInit(opts = {}) {
       const config3 = parseConfig([process.argv[0] ?? "node", "init", "--scan-all"], false);
       const projects = state.projects.length > 0 ? state.projects : [{ path: opts.cwd ?? process.cwd() }];
       const allOutcomes = [];
-      for (const proj of projects) {
+      const perProject = /* @__PURE__ */ new Map();
+      const aggregate = (current) => {
+        let done = 0;
+        let total = 0;
+        for (const v of perProject.values()) {
+          done += v.done;
+          total += v.total;
+        }
+        return { done, total, current };
+      };
+      for (let i = 0; i < projects.length; i++) {
+        const proj = projects[i];
         if (process.env.DG_DEBUG_WIZARD) process.stderr.write(`[wizard] scanning ${proj.path}
 `);
         const outcome = await scanFn(proj.path, config3, (p) => {
-          dispatch({ type: "scan_progress", progress: p });
+          perProject.set(i, { done: p.done, total: p.total });
+          dispatch({ type: "scan_progress", progress: aggregate(p.current) });
         });
         if (process.env.DG_DEBUG_WIZARD) process.stderr.write(`[wizard] scan done ${proj.path} status=${outcome.status}
 `);
@@ -86029,18 +86462,26 @@ function useInit(opts = {}) {
       const maxScore = allPackages.length > 0 ? Math.max(0, ...allPackages.map((p) => p.score)) : 0;
       const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : "pass";
       if (totalScanned === 0) {
-        dispatch({
-          type: "scan_done",
-          outcome: {
-            status: "no_packages",
-            result: {
-              result: { score: 0, action: "pass", packages: [], safeVersions: {}, durationMs: totalDuration },
-              durationMs: totalDuration,
-              scannedCount: 0,
-              skippedCount: 0
+        const errOutcome = allOutcomes.find((o) => o.status === "error");
+        const emptyApiOutcome = allOutcomes.find((o) => o.status === "api_returned_empty");
+        const trialOutcome = allOutcomes.find((o) => o.status === "trial_exhausted");
+        const meaningful = errOutcome ?? emptyApiOutcome ?? trialOutcome;
+        if (meaningful) {
+          dispatch({ type: "scan_done", outcome: meaningful });
+        } else {
+          dispatch({
+            type: "scan_done",
+            outcome: {
+              status: "no_packages",
+              result: {
+                result: { score: 0, action: "pass", packages: [], safeVersions: {}, durationMs: totalDuration },
+                durationMs: totalDuration,
+                scannedCount: 0,
+                skippedCount: 0
+              }
             }
-          }
-        });
+          });
+        }
       } else {
         dispatch({
           type: "scan_done",
@@ -86248,8 +86689,8 @@ __export(ink_controls_exports, {
   setInkClear: () => setInkClear,
   setInkInstance: () => setInkInstance
 });
-import { resolve as resolve2, dirname as dirname7 } from "node:path";
-import { existsSync as existsSync10 } from "node:fs";
+import { resolve as resolve2, dirname as dirname11 } from "node:path";
+import { existsSync as existsSync13 } from "node:fs";
 function locateInkInstancesPath() {
   let cur;
   try {
@@ -86259,13 +86700,13 @@ function locateInkInstancesPath() {
   }
   while (cur && cur !== "/" && cur !== ".") {
     const candidate = resolve2(cur, "node_modules", "ink", "build", "instances.js");
-    if (existsSync10(candidate)) return candidate;
-    const parent = dirname7(cur);
+    if (existsSync13(candidate)) return candidate;
+    const parent = dirname11(cur);
     if (parent === cur) break;
     cur = parent;
   }
   const cwdCandidate = resolve2(process.cwd(), "node_modules", "ink", "build", "instances.js");
-  if (existsSync10(cwdCandidate)) return cwdCandidate;
+  if (existsSync13(cwdCandidate)) return cwdCandidate;
   return null;
 }
 async function initInkInstances() {
@@ -89084,7 +89525,16 @@ var init_demo_data = __esm({
       "Postinstall Curl Pipe": "Downloads code and runs it",
       "Suspicious Network": "Talks to suspicious servers",
       "Typosquatting": "Pretending to be a popular package",
-      "Sandbox Escape": "Tries to break out of safety checks"
+      "Sandbox Escape": "Tries to break out of safety checks",
+      "cross-signal-correlation": "Multiple detector signals correlated",
+      "lifecycle-risk": "Install-time script risk",
+      "runtime-behavior": "Suspicious runtime behavior",
+      "data-exfiltration": "Sends data off-machine",
+      "code-quality": "Obfuscated or low-quality code",
+      "supply-chain-metadata": "Suspicious package metadata",
+      "filesystem-risk": "Reads sensitive paths",
+      "behavioral-anomaly": "Unusual behavior shape",
+      "license-compliance": "License risk"
     };
   }
 });
@@ -89122,6 +89572,12 @@ var init_ScanResultCard = __esm({
           score = 0;
           packages = [];
           extraNote = "Nothing to scan yet. I'll catch new packages as you add them.";
+        } else if (o.status === "api_returned_empty") {
+          verdict = "EMPTY";
+          verdictColor = "yellow";
+          score = 0;
+          packages = [];
+          extraNote = o.message ?? "Analyze API returned no results for discovered packages.";
         } else if (o.status === "trial_exhausted") {
           verdict = "EMPTY";
           verdictColor = "yellow";
@@ -89160,15 +89616,17 @@ var init_ScanResultCard = __esm({
         packages.length === 1 ? packages[0].findings.slice(0, 3).map((f, i) => /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(Text, { dimColor: true, children: [
           "  \u2022 ",
           friendlyCategory(f.category),
-          f.title ? ` \u2014 ${f.title}` : ""
-        ] }, `f-${i}`)) : packages.slice(0, 3).map((pkg) => /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(Text, { dimColor: true, children: [
+          f.title && f.title !== f.category ? ` \u2014 ${f.title}` : ""
+        ] }, `f-${i}`)) : [...packages].sort((a, b) => b.score - a.score).slice(0, 3).map((pkg) => /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(Text, { dimColor: true, children: [
           "  \u2022 ",
           /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { bold: true, children: pkg.name }),
           " ",
           pkg.score,
-          "/100"
+          "/100",
+          pkg.findings && pkg.findings[0] ? ` \xB7 ${friendlyCategory(pkg.findings[0].category)}` : ""
         ] }, pkg.name)),
-        packages.length > 3 ? /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { dimColor: true, children: "  + " + (packages.length - 3) + " more" }) : null
+        packages.length > 3 ? /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { dimColor: true, children: "  + " + (packages.length - 3) + " more" }) : null,
+        packages.length >= 1 && packages.some((p) => p.findings && p.findings.length > 0 && !p.findings[0].title) ? /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { dimColor: true, children: "  Sign in with `dg login` for full finding details." }) : null
       ] }) : verdict !== "EMPTY" ? /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(Text, { children: [
         /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { color: verdictColor, bold: true, children: verdict }),
         /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { dimColor: true, children: "  \xB7  " }),
@@ -89388,7 +89846,7 @@ var init_InitApp = __esm({
           return /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Spinner2, { label: "Creating login session..." });
         case "ready":
           return /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Box_default, { flexDirection: "column", children: [
-            /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, children: "Sign in to Dependency Guardian" }),
+            /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, children: "Sign in to WestBayBerry Dependency Guardian" }),
             /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }),
             /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: "Authenticate your account at:" }),
             /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { color: "cyan", children: state.verifyUrl }),
@@ -89397,7 +89855,7 @@ var init_InitApp = __esm({
           ] });
         case "waiting":
           return /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Box_default, { flexDirection: "column", children: [
-            /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, children: "Sign in to Dependency Guardian" }),
+            /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, children: "Sign in to WestBayBerry Dependency Guardian" }),
             /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }),
             /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { dimColor: true, children: state.verifyUrl }),
             /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }),
@@ -89409,7 +89867,7 @@ var init_InitApp = __esm({
               "\u2713 Signed in as ",
               state.email
             ] }),
-            /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { dimColor: true, children: "Credentials saved to ~/.dgrc.json" })
+            /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { dimColor: true, children: "Credentials saved to ~/.dg/config.json" })
           ] });
         case "already_logged_in":
           return /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Box_default, { flexDirection: "column", children: [
@@ -89874,6 +90332,7 @@ var init_InitApp = __esm({
           return "happy";
         }
         if (r.status === "no_packages") return "happy";
+        if (r.status === "api_returned_empty") return "alert";
         return "idle";
       })();
       const content = (() => {
@@ -90078,7 +90537,7 @@ var init_InitApp = __esm({
                   ] }, "p1a"),
                   /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Text, { children: [
                     installCmd,
-                    " them. That's where most attacks land."
+                    " them. That's where most attacks happen."
                   ] }, "p1b"),
                   /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }, "sp2"),
                   /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(FlowDiagram, {}, "diagram"),
@@ -90206,7 +90665,7 @@ var init_InitApp = __esm({
                 mood: "scanning",
                 color: "cyan",
                 scrollable: false,
-                body: /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Spinner2, { label: "Testing it..." })
+                body: /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Spinner2, { label: "Verifying the hook..." })
               }
             );
           case "confirm_wrap": {
@@ -90284,6 +90743,7 @@ var init_InitApp = __esm({
             const r = state.scanResult;
             const okScan = r?.status === "ok" && r.result;
             const empty = r?.status === "no_packages";
+            const apiEmpty = r?.status === "api_returned_empty";
             const resultBody = [
               /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, children: "Scan complete." }, "hdr"),
               /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }, "sp1"),
@@ -90291,6 +90751,10 @@ var init_InitApp = __esm({
                 "I scanned ",
                 /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, color: "cyan", children: projectName }),
                 "."
+              ] }, "line") : apiEmpty ? /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Text, { children: [
+                "I found packages in ",
+                /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, color: "cyan", children: projectName }),
+                " but the analyze API returned nothing back. This is a server-side problem, not your project."
               ] }, "line") : empty ? /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Text, { children: [
                 "I didn't find any packages to scan in ",
                 /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { bold: true, color: "cyan", children: projectName }),
@@ -90302,6 +90766,13 @@ var init_InitApp = __esm({
               ] }, "line"),
               /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }, "sp2")
             ];
+            if (apiEmpty && r?.message) {
+              resultBody.push(
+                /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { color: "yellow", children: r.message }, "api-empty-detail")
+              );
+              resultBody.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { dimColor: true, children: "Check westbayberry.com/status and re-run." }, "api-empty-hint"));
+              resultBody.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: " " }, "api-empty-sp"));
+            }
             if (state.scanResult) {
               resultBody.push(
                 /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(ScanResultCard, { maxWidth: cardMaxWidth, outcome: { kind: "real", outcome: state.scanResult } }, "card")
@@ -90415,7 +90886,7 @@ var init_InitApp = __esm({
             );
           case "optional_protection": {
             const p = state.protectInfo;
-            const rcLine = p?.rcLine ?? "source ~/.dependency-guardian/aliases.sh";
+            const rcLine = p?.rcLine ?? "source ~/.dg/state/aliases.sh";
             const rcFile = p?.rcFile ?? "~/.zshrc";
             const shellLabel = p?.shellName && p.shellName !== "your shell rc" ? p.shellName : null;
             const stackBoth = state.stackNpm && state.stackPypi;
@@ -90554,7 +91025,7 @@ var init_InitApp = __esm({
               );
             }
             if (r.kind === "failed") {
-              const rcLine = state.protectInfo?.rcLine ?? "source ~/.dependency-guardian/aliases.sh";
+              const rcLine = state.protectInfo?.rcLine ?? "source ~/.dg/state/aliases.sh";
               const rcFile = state.protectInfo?.rcFile ?? "~/.zshrc";
               return /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
                 Scene,
@@ -90644,6 +91115,8 @@ var init_InitApp = __esm({
                   scan.result?.durationMs ?? 0,
                   "ms)"
                 ] }, "scan-empty"));
+              } else if (scan.status === "api_returned_empty") {
+                scanLine.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { color: "yellow", children: "\u26A0 Analyze API returned no results \u2014 try again or check status" }, "scan-api-empty"));
               } else if (scan.status === "trial_exhausted") {
                 scanLine.push(/* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { color: "yellow", children: "\u26A0 Free trial scans used up \u2014 `dg login` to continue" }, "scan-trial"));
               } else if (scan.status === "error") {
@@ -90887,7 +91360,14 @@ var init_first_run = __esm({
       "status",
       "protect",
       "login",
-      "cleanup"
+      "cleanup",
+      "uninstall",
+      "init",
+      "scan",
+      "npm",
+      "pip",
+      "wrap",
+      "publish-check"
     ]);
   }
 });
@@ -91089,7 +91569,7 @@ __export(pip_wrapper_exports, {
   runPip: () => runPip
 });
 import { spawn as spawn3 } from "node:child_process";
-import { existsSync as existsSync11 } from "node:fs";
+import { existsSync as existsSync14 } from "node:fs";
 function parsePipArgs(args) {
   let dgForce = false;
   let dgForceReason;
@@ -91188,7 +91668,7 @@ function parseRequirementsFile(filePath) {
   return parseRequirementsFileInternal(filePath, /* @__PURE__ */ new Set());
 }
 function parseRequirementsFileInternal(filePath, visited) {
-  if (!existsSync11(filePath)) return [];
+  if (!existsSync14(filePath)) return [];
   let absPath;
   try {
     absPath = __require("node:path").resolve(filePath);
@@ -91506,7 +91986,7 @@ var init_pip_wrapper = __esm({
 });
 
 // src/security/artifact_integrity.ts
-function normalize2(h, algo) {
+function normalize3(h, algo) {
   if (!h) return void 0;
   const trimmed = h.trim();
   const re2 = algo === "sha512" ? SHA512_HEX : SHA256_HEX;
@@ -91523,8 +92003,8 @@ function compareArtifactHashes(pairs) {
   };
   for (const p of pairs) {
     const key = `${p.name}@${p.version}`;
-    const api = normalize2(p.apiHash, p.algorithm);
-    const local = normalize2(p.localHash, p.algorithm);
+    const api = normalize3(p.apiHash, p.algorithm);
+    const local = normalize3(p.localHash, p.algorithm);
     const apiRaw = (p.apiHash ?? "").toString();
     const localRaw = (p.localHash ?? "").toString();
     const apiPresent = apiRaw.length > 0;
@@ -91650,8 +92130,8 @@ var FileSavePrompt_exports = {};
 __export(FileSavePrompt_exports, {
   FileSavePrompt: () => FileSavePrompt
 });
-import { existsSync as existsSync12, readdirSync, writeFileSync as writeFileSync6 } from "node:fs";
-import { dirname as dirname8, join as join14 } from "node:path";
+import { existsSync as existsSync15, readdirSync, writeFileSync as writeFileSync8 } from "node:fs";
+import { dirname as dirname12, join as join13 } from "node:path";
 function listDirectory(dir) {
   try {
     const raw = readdirSync(dir, { withFileTypes: true });
@@ -91659,7 +92139,7 @@ function listDirectory(dir) {
       if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;
       return a.name.localeCompare(b.name);
     });
-    if (dirname8(dir) !== dir) {
+    if (dirname12(dir) !== dir) {
       entries.unshift({ name: "..", isDirectory: true });
     }
     return entries;
@@ -91751,13 +92231,13 @@ var init_FileSavePrompt = __esm({
         if (state.focus === "filename") {
           if (key.return) {
             const fullName = ensureJsonExtension(state.filename);
-            const fullPath = join14(state.directory, fullName);
-            if (!state.confirmOverwrite && existsSync12(fullPath)) {
+            const fullPath = join13(state.directory, fullName);
+            if (!state.confirmOverwrite && existsSync15(fullPath)) {
               dispatch({ type: "CONFIRM_OVERWRITE" });
               return;
             }
             try {
-              writeFileSync6(fullPath, json + "\n");
+              writeFileSync8(fullPath, json + "\n");
             } catch (err) {
               const msg = err instanceof Error ? err.message : String(err);
               dispatch({ type: "SET_ERROR", error: `Write failed: ${msg}` });
@@ -92009,25 +92489,24 @@ __export(static_output_exports, {
   runStaticNpm: () => runStaticNpm,
   runStaticPip: () => runStaticPip
 });
-import { writeFileSync as writeFileSync7, readFileSync as readFileSync10, existsSync as existsSync13, mkdirSync as mkdirSync4, lstatSync as lstatSync4 } from "node:fs";
-import { resolve as resolvePath, join as join15, dirname as dirname9 } from "node:path";
-import { homedir as homedir6 } from "node:os";
+import { writeFileSync as writeFileSync9, readFileSync as readFileSync12, existsSync as existsSync16, mkdirSync as mkdirSync8, lstatSync as lstatSync4 } from "node:fs";
+import { resolve as resolvePath2, dirname as dirname13 } from "node:path";
 function loadPackageLockJson(cwd2 = process.cwd()) {
-  const path3 = resolvePath(cwd2, "package-lock.json");
-  if (!existsSync13(path3)) return null;
+  const path3 = resolvePath2(cwd2, "package-lock.json");
+  if (!existsSync16(path3)) return null;
   try {
     const st = lstatSync4(path3);
     if (!st.isFile()) return null;
     if (st.size > MAX_PACKAGE_LOCK_BYTES) return null;
-    return JSON.parse(readFileSync10(path3, "utf8"));
+    return JSON.parse(readFileSync12(path3, "utf8"));
   } catch {
     return null;
   }
 }
 function writeJsonFile(filepath, json) {
-  const resolved = resolvePath(filepath);
+  const resolved = resolvePath2(filepath);
   try {
-    writeFileSync7(resolved, json + "\n");
+    writeFileSync9(resolved, json + "\n");
     process.stderr.write(import_chalk8.default.green(`  \u2713 Saved to ${resolved}
 
 `));
@@ -92097,12 +92576,12 @@ function printTrialBanner(result, config3) {
   if (config3?.json || config3?.ci || config3?.quiet) return;
   if (process.env.CI === "1" || process.env.CI === "true") return;
   try {
-    const stampPath = join15(homedir6(), ".dependency-guardian", "last-trial-banner");
-    const lastMs = existsSync13(stampPath) ? Number(readFileSync10(stampPath, "utf-8").trim()) || 0 : 0;
+    const stampPath = dgStatePath("trial-banner");
+    const lastMs = existsSync16(stampPath) ? Number(readFileSync12(stampPath, "utf-8").trim()) || 0 : 0;
     const now = Date.now();
     if (now - lastMs < NUDGE_INTERVAL_MS) return;
-    mkdirSync4(dirname9(stampPath), { recursive: true });
-    writeFileSync7(stampPath, String(now) + "\n");
+    mkdirSync8(dirname13(stampPath), { recursive: true, mode: 448 });
+    writeFileSync9(stampPath, String(now) + "\n");
   } catch {
     return;
   }
@@ -93041,6 +93520,7 @@ var init_static_output = __esm({
   "src/formatters/static-output.ts"() {
     "use strict";
     import_chalk8 = __toESM(require_source());
+    init_paths();
     init_client3();
     init_auth();
     init_lockfile();
@@ -93058,13 +93538,13 @@ __export(status_exports, {
   handleStatusCommand: () => handleStatusCommand
 });
 async function handleStatusCommand(cliVersion) {
-  const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+  const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
   const apiKey = getStoredApiKey();
   process.stderr.write("\n");
-  process.stderr.write(chalk15.bold("  Dependency Guardian \u2014 coverage status\n\n"));
+  process.stderr.write(chalk17.bold("  Dependency Guardian \u2014 coverage status\n\n"));
   if (!apiKey) {
     process.stderr.write(
-      `  ${chalk15.yellow("\xB7")} ${chalk15.bold("Auth")}     ` + chalk15.dim("anonymous \u2014 `dg login` (free) for saved scan history, dashboard, and finding titles\n")
+      `  ${chalk17.yellow("\xB7")} ${chalk17.bold("Auth")}     ` + chalk17.dim("anonymous \u2014 `dg login` (free) for saved scan history, dashboard, and finding titles\n")
     );
   } else {
     let tierLine = "signed in";
@@ -93090,29 +93570,29 @@ async function handleStatusCommand(cliVersion) {
     } catch {
       tierLine = "signed in (could not reach API)";
     }
-    process.stderr.write(`  ${chalk15.green("\u2713")} ${chalk15.bold("Auth")}     ` + chalk15.dim(tierLine + "\n"));
+    process.stderr.write(`  ${chalk17.green("\u2713")} ${chalk17.bold("Auth")}     ` + chalk17.dim(tierLine + "\n"));
   }
   const cwd2 = process.cwd();
   const protect = readProtectConfig(cwd2);
   if (protect && protect.enabled) {
     process.stderr.write(
-      `  ${chalk15.green("\u2713")} ${chalk15.bold("Protect")}  ` + chalk15.dim(`enabled in this project (mode=${protect.mode}${protect.strict ? ", strict" : ""})
+      `  ${chalk17.green("\u2713")} ${chalk17.bold("Protect")}  ` + chalk17.dim(`enabled in this project (mode=${protect.mode}${protect.strict ? ", strict" : ""})
 `)
     );
   } else {
     process.stderr.write(
-      `  ${chalk15.yellow("\xB7")} ${chalk15.bold("Protect")}  ` + chalk15.dim("not enabled in this project \u2014 run `dg protect init` for opt-in protection\n")
+      `  ${chalk17.yellow("\xB7")} ${chalk17.bold("Protect")}  ` + chalk17.dim("not enabled in this project \u2014 run `dg protect init` for opt-in protection\n")
     );
   }
   let hookLine = "no pre-commit hook \u2014 `dg hook install` to gate commits";
   let hookOk = false;
   try {
-    const { existsSync: existsSync16, readFileSync: readFileSync12 } = await import("node:fs");
-    const { join: join18 } = await import("node:path");
-    const candidates = [join18(cwd2, ".husky", "pre-commit"), join18(cwd2, ".git", "hooks", "pre-commit")];
+    const { existsSync: existsSync21, readFileSync: readFileSync14 } = await import("node:fs");
+    const { join: join16 } = await import("node:path");
+    const candidates = [join16(cwd2, ".husky", "pre-commit"), join16(cwd2, ".git", "hooks", "pre-commit")];
     for (const path3 of candidates) {
-      if (existsSync16(path3)) {
-        const content = readFileSync12(path3, "utf-8");
+      if (existsSync21(path3)) {
+        const content = readFileSync14(path3, "utf-8");
         if (content.includes("dependency-guardian")) {
           hookLine = `installed in ${path3}`;
           hookOk = true;
@@ -93123,7 +93603,7 @@ async function handleStatusCommand(cliVersion) {
   } catch {
   }
   process.stderr.write(
-    `  ${hookOk ? chalk15.green("\u2713") : chalk15.yellow("\xB7")} ${chalk15.bold("Hook")}     ` + chalk15.dim(hookLine + "\n")
+    `  ${hookOk ? chalk17.green("\u2713") : chalk17.yellow("\xB7")} ${chalk17.bold("Hook")}     ` + chalk17.dim(hookLine + "\n")
   );
   try {
     const banner = await checkForUpdate(cliVersion).catch(() => null);
@@ -93131,20 +93611,20 @@ async function handleStatusCommand(cliVersion) {
       const m = banner.match(/(\d+\.\d+\.\d+)\s+→\s+(\d+\.\d+\.\d+)/);
       const latest = m ? m[2] : "newer";
       process.stderr.write(
-        `  ${chalk15.yellow("!")} ${chalk15.bold("Update")}   ` + chalk15.dim(`available \u2014 ${cliVersion} \u2192 ${latest} (run \`dg update\`)
+        `  ${chalk17.yellow("!")} ${chalk17.bold("Update")}   ` + chalk17.dim(`available \u2014 ${cliVersion} \u2192 ${latest} (run \`dg update\`)
 `)
       );
     } else {
-      process.stderr.write(`  ${chalk15.green("\u2713")} ${chalk15.bold("Update")}   ` + chalk15.dim(`on latest (${cliVersion})
+      process.stderr.write(`  ${chalk17.green("\u2713")} ${chalk17.bold("Update")}   ` + chalk17.dim(`on latest (${cliVersion})
 `));
     }
   } catch {
   }
   try {
-    const { execFileSync: execFileSync4 } = await import("node:child_process");
+    const { execFileSync: execFileSync5 } = await import("node:child_process");
     const npmV = (() => {
       try {
-        return execFileSync4("npm", ["--version"], { encoding: "utf-8", timeout: 5e3 }).trim();
+        return execFileSync5("npm", ["--version"], { encoding: "utf-8", timeout: 5e3 }).trim();
       } catch {
         return null;
       }
@@ -93153,21 +93633,21 @@ async function handleStatusCommand(cliVersion) {
     const pipV = await pipVersion2();
     const pipProbe = pipV ? await pipSupportsDryRunReport2() : null;
     const npmLine = npmV ? `npm ${npmV} (transitive scan supported)` : "npm not found on PATH";
-    const npmGlyph = npmV ? chalk15.green("\u2713") : chalk15.yellow("\xB7");
-    process.stderr.write(`  ${npmGlyph} ${chalk15.bold("npm")}      ` + chalk15.dim(npmLine + "\n"));
+    const npmGlyph = npmV ? chalk17.green("\u2713") : chalk17.yellow("\xB7");
+    process.stderr.write(`  ${npmGlyph} ${chalk17.bold("npm")}      ` + chalk17.dim(npmLine + "\n"));
     let pipLine;
     let pipGlyph;
     if (!pipV) {
       pipLine = "pip not found on PATH (Python projects won't scan)";
-      pipGlyph = chalk15.yellow("\xB7");
+      pipGlyph = chalk17.yellow("\xB7");
     } else if (pipProbe?.ok) {
       pipLine = `pip ${pipV} (transitive scan supported)`;
-      pipGlyph = chalk15.green("\u2713");
+      pipGlyph = chalk17.green("\u2713");
     } else {
       pipLine = `pip ${pipV} \u2014 transitive scan unavailable (${pipProbe?.reason ?? "old pip"}; \`pip install -U pip\`)`;
-      pipGlyph = chalk15.yellow("!");
+      pipGlyph = chalk17.yellow("!");
     }
-    process.stderr.write(`  ${pipGlyph} ${chalk15.bold("pip")}      ` + chalk15.dim(pipLine + "\n"));
+    process.stderr.write(`  ${pipGlyph} ${chalk17.bold("pip")}      ` + chalk17.dim(pipLine + "\n"));
   } catch {
   }
   process.stderr.write("\n");
@@ -93193,8 +93673,8 @@ __export(publish_check_exports, {
   summarize: () => summarize
 });
 import { spawn as spawn4 } from "node:child_process";
-import { readFileSync as readFileSync11, existsSync as existsSync14, readdirSync as readdirSync2 } from "node:fs";
-import { join as join16, basename as basename4 } from "node:path";
+import { readFileSync as readFileSync13, existsSync as existsSync17, readdirSync as readdirSync2 } from "node:fs";
+import { join as join14, basename as basename4 } from "node:path";
 import { createGunzip } from "node:zlib";
 import { createReadStream as createReadStream2 } from "node:fs";
 function sanitizeSnippet(s, max = 40) {
@@ -93241,7 +93721,7 @@ async function npmPackDryRun(cwd2 = process.cwd()) {
         }));
         let packageJson;
         try {
-          const raw = readFileSync11(join16(cwd2, "package.json"), "utf-8");
+          const raw = readFileSync13(join14(cwd2, "package.json"), "utf-8");
           packageJson = JSON.parse(raw);
         } catch {
         }
@@ -93253,9 +93733,9 @@ async function npmPackDryRun(cwd2 = process.cwd()) {
   });
 }
 function findPypiArtifacts(cwd2 = process.cwd()) {
-  const dist = join16(cwd2, "dist");
-  if (!existsSync14(dist)) return [];
-  return readdirSync2(dist).filter((f) => f.endsWith(".tar.gz") || f.endsWith(".whl")).map((f) => join16(dist, f));
+  const dist = join14(cwd2, "dist");
+  if (!existsSync17(dist)) return [];
+  return readdirSync2(dist).filter((f) => f.endsWith(".tar.gz") || f.endsWith(".whl")).map((f) => join14(dist, f));
 }
 function scanPayload(files) {
   const findings = [];
@@ -93329,7 +93809,7 @@ async function runNpmPublishCheck(cwd2 = process.cwd()) {
   const payload = pack.files.map((f) => ({
     path: f.path,
     size: f.size,
-    read: () => readFileSync11(join16(cwd2, f.path))
+    read: () => readFileSync13(join14(cwd2, f.path))
   }));
   const findings = scanPayload(payload);
   const scripts = pack.packageJson?.scripts ?? {};
@@ -93550,11 +94030,6 @@ var init_publish_check = __esm({
         recommendation: "Revoke the token at github.com/settings/tokens and remove the file from the payload."
       },
       {
-        // Slack tokens come in several real shapes:
-        //   xoxb-{teamId}-{botId}-{secret}                 (legacy 3-seg)
-        //   xoxa-2-{teamId}-{userId}-{secret}              (4-seg)
-        //   xoxp-{N}-{N}-{N}-{hex}                         (4-seg user)
-        // Accept ≥2 numeric segments + an alphanumeric tail of length ≥10.
         re: /xox[abp]-[0-9]+-[0-9]+(-[0-9]+)?-[A-Za-z0-9]{10,}/,
         category: "bundled-secret",
         severity: 5,
@@ -93587,9 +94062,7 @@ __export(cleanup_exports, {
   handleCleanupCommand: () => handleCleanupCommand,
   runCleanup: () => runCleanup
 });
-import { existsSync as existsSync15, unlinkSync as unlinkSync4 } from "node:fs";
-import { join as join17 } from "node:path";
-import { homedir as homedir7 } from "node:os";
+import { existsSync as existsSync18, unlinkSync as unlinkSync6 } from "node:fs";
 async function confirm(prompt) {
   process.stderr.write(prompt);
   return new Promise((resolve3) => {
@@ -93620,16 +94093,19 @@ async function revokeKey(apiKey) {
   }
 }
 async function runCleanup(opts = {}) {
+  const configPath2 = dgConfigPath();
+  const legacyDgrc = legacyPaths().dgrc;
   process.stderr.write(import_chalk9.default.bold("\n  Dependency Guardian cleanup\n\n"));
+  process.stderr.write(import_chalk9.default.dim("  Note: `dg cleanup` is deprecated. Use `dg uninstall` for a full removal\n"));
+  process.stderr.write(import_chalk9.default.dim("  that also strips per-repo git hooks and shell-rc lines.\n\n"));
   process.stderr.write("  This will:\n");
   process.stderr.write("    1. Revoke this device's API key on the server\n");
-  process.stderr.write(`    2. Remove ${DGRC_PATH}
+  process.stderr.write(`    2. Remove ${configPath2}
 `);
-  process.stderr.write("    3. Remove the shell-alias snippet (~/.dependency-guardian/aliases.sh)\n");
-  process.stderr.write("    4. Remove any legacy .dgprotect.json in the current directory\n\n");
+  process.stderr.write("    3. Remove the shell-alias snippet\n\n");
   process.stderr.write(import_chalk9.default.dim("  Git pre-commit hooks in your projects are NOT removed.\n"));
-  process.stderr.write(import_chalk9.default.dim("  Run `dg hook uninstall` in each repo separately, or delete\n"));
-  process.stderr.write(import_chalk9.default.dim("  the dg lines from `.git/hooks/pre-commit` by hand.\n\n"));
+  process.stderr.write(import_chalk9.default.dim("  Run `dg uninstall` to remove every dg artifact, or `dg hook uninstall`\n"));
+  process.stderr.write(import_chalk9.default.dim("  per repo to remove just the pre-commit hooks.\n\n"));
   if (!opts.assumeYes) {
     if (!process.stdin.isTTY) {
       process.stderr.write(import_chalk9.default.yellow("  Non-interactive shell \u2014 pass --yes to confirm without prompting.\n\n"));
@@ -93653,18 +94129,17 @@ async function runCleanup(opts = {}) {
   } else {
     process.stderr.write(import_chalk9.default.dim("  \xB7 No saved API key found\n"));
   }
-  if (existsSync15(DGRC_PATH)) {
-    try {
-      unlinkSync4(DGRC_PATH);
-      process.stderr.write(import_chalk9.default.green("  \u2713 ") + `Removed ${DGRC_PATH}
+  for (const p of [configPath2, legacyDgrc]) {
+    if (existsSync18(p)) {
+      try {
+        unlinkSync6(p);
+        process.stderr.write(import_chalk9.default.green("  \u2713 ") + `Removed ${p}
 `);
-    } catch (e) {
-      process.stderr.write(import_chalk9.default.red("  \u2718 ") + `Couldn't remove ${DGRC_PATH}: ${e.message}
+      } catch (e) {
+        process.stderr.write(import_chalk9.default.red("  \u2718 ") + `Couldn't remove ${p}: ${e.message}
 `);
+      }
     }
-  } else {
-    process.stderr.write(import_chalk9.default.dim(`  \xB7 ${DGRC_PATH} already absent
-`));
   }
   process.stderr.write("\n");
   await runProtectOff(process.cwd(), { removeShell: true });
@@ -93676,7 +94151,7 @@ async function handleCleanupCommand(args) {
   const assumeYes = args.includes("--yes") || args.includes("-y");
   return runCleanup({ assumeYes });
 }
-var import_chalk9, DGRC_PATH;
+var import_chalk9;
 var init_cleanup = __esm({
   "src/commands/cleanup.ts"() {
     "use strict";
@@ -93684,7 +94159,572 @@ var init_cleanup = __esm({
     init_protect();
     init_auth();
     init_config();
-    DGRC_PATH = join17(homedir7(), ".dgrc.json");
+    init_paths();
+  }
+});
+
+// src/commands/uninstall.ts
+var uninstall_exports = {};
+__export(uninstall_exports, {
+  handleUninstallCommand: () => handleUninstallCommand,
+  parseUninstallArgs: () => parseUninstallArgs,
+  runUninstall: () => runUninstall
+});
+import { existsSync as existsSync19, rmSync as rmSync3, unlinkSync as unlinkSync7, statSync as statSync5 } from "node:fs";
+function parseUninstallArgs(args) {
+  return {
+    assumeYes: args.includes("--yes") || args.includes("-y"),
+    dryRun: args.includes("--dry-run"),
+    soft: args.includes("--soft"),
+    keepHooks: args.includes("--keep-hooks")
+  };
+}
+function safeExists(p) {
+  try {
+    return existsSync19(p);
+  } catch {
+    return false;
+  }
+}
+function buildPlan(opts) {
+  const p = dgPaths();
+  const legacy = legacyPaths();
+  const plan = {
+    configFiles: [],
+    cacheDir: null,
+    stateDir: null,
+    rootDir: null,
+    legacyFiles: [],
+    legacyDirs: [],
+    hooks: [],
+    rcCleanup: false
+  };
+  if (safeExists(p.config)) plan.configFiles.push(p.config);
+  if (!opts.soft) {
+    if (safeExists(p.cacheDir)) plan.cacheDir = p.cacheDir;
+    if (safeExists(p.stateDir)) plan.stateDir = p.stateDir;
+    if (safeExists(p.root)) plan.rootDir = p.root;
+    for (const f of [legacy.dgrc, legacy.updateCheck]) {
+      if (safeExists(f)) plan.legacyFiles.push(f);
+    }
+    if (safeExists(legacy.cacheDir)) plan.legacyDirs.push(legacy.cacheDir);
+    if (!opts.keepHooks) {
+      plan.hooks = listEntries();
+    }
+    plan.rcCleanup = true;
+  }
+  return plan;
+}
+function printPlan(plan, opts) {
+  process.stderr.write(import_chalk10.default.bold("\n  Dependency Guardian uninstall\n\n"));
+  if (opts.soft) {
+    process.stderr.write(import_chalk10.default.dim("  Soft mode: removing config + api key only.\n\n"));
+  } else if (opts.dryRun) {
+    process.stderr.write(import_chalk10.default.yellow("  Dry run \u2014 no files will be touched.\n\n"));
+  }
+  process.stderr.write("  Will remove:\n");
+  if (plan.configFiles.length > 0) {
+    for (const f of plan.configFiles) process.stderr.write(`    ${f}
+`);
+  }
+  if (plan.rootDir && !opts.soft) {
+    process.stderr.write(`    ${plan.rootDir}/ (entire tree)
+`);
+  }
+  for (const f of plan.legacyFiles) process.stderr.write(`    ${f}  (legacy)
+`);
+  for (const d of plan.legacyDirs) process.stderr.write(`    ${d}/  (legacy)
+`);
+  if (plan.hooks.length > 0) {
+    process.stderr.write(`    pre-commit hooks in ${plan.hooks.length} repo(s):
+`);
+    for (const h of plan.hooks) {
+      process.stderr.write(import_chalk10.default.dim(`      - ${h.repoPath} (${h.framework})
+`));
+    }
+  } else if (!opts.keepHooks && !opts.soft) {
+    process.stderr.write(import_chalk10.default.dim(`    pre-commit hooks: none registered
+`));
+  }
+  if (plan.rcCleanup) {
+    process.stderr.write(`    sentinel block in your shell rc files (~/.zshrc, ~/.bashrc, ~/.bash_profile, ~/.profile)
+`);
+  }
+  process.stderr.write("  Will also:\n");
+  process.stderr.write("    revoke this device's API key on the server (best-effort, 5s timeout)\n\n");
+  if (!opts.soft) {
+    process.stderr.write(import_chalk10.default.dim(
+      "  Note: this does NOT run `npm uninstall -g @westbayberry/dg`.\n  After confirming, run that separately to remove the binary itself.\n\n"
+    ));
+  }
+}
+async function confirm2(prompt) {
+  if (!process.stdin.isTTY) return false;
+  process.stderr.write(prompt);
+  return new Promise((resolve3) => {
+    let buf = "";
+    const onData = (chunk) => {
+      buf += chunk.toString("utf8");
+      const idx = buf.indexOf("\n");
+      if (idx < 0) return;
+      process.stdin.off("data", onData);
+      const ans = buf.slice(0, idx).trim().toLowerCase();
+      resolve3(ans === "y" || ans === "yes");
+    };
+    process.stdin.on("data", onData);
+  });
+}
+async function revokeApiKey(apiKey) {
+  try {
+    const config3 = parseConfig(["node", "dg", "uninstall"], false);
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), REVOKE_TIMEOUT_MS);
+    let resp;
+    try {
+      resp = await fetch(`${config3.apiUrl}/v1/auth/revoke`, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${apiKey}` },
+        signal: ctrl.signal
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+    if (resp.ok || resp.status === 401) return { ok: true };
+    return { ok: false, reason: `HTTP ${resp.status}` };
+  } catch (e) {
+    return { ok: false, reason: e.message };
+  }
+}
+function rmFile(path3) {
+  try {
+    unlinkSync7(path3);
+    return { ok: true };
+  } catch (e) {
+    const code = e.code;
+    if (code === "ENOENT") return { ok: true };
+    return { ok: false, reason: e.message };
+  }
+}
+function rmTree(path3) {
+  try {
+    rmSync3(path3, { recursive: true, force: true });
+    return { ok: true };
+  } catch (e) {
+    return { ok: false, reason: e.message };
+  }
+}
+function isWritableTarget(path3) {
+  try {
+    const st = statSync5(path3);
+    return st.isDirectory() || st.isFile();
+  } catch {
+    return false;
+  }
+}
+async function runUninstall(args) {
+  if (args.includes("--help") || args.includes("-h")) {
+    process.stdout.write(USAGE4);
+    return 0;
+  }
+  const opts = parseUninstallArgs(args);
+  const plan = buildPlan(opts);
+  printPlan(plan, opts);
+  if (opts.dryRun) {
+    process.stderr.write(import_chalk10.default.dim("  Dry run: nothing was changed.\n\n"));
+    return 0;
+  }
+  if (!opts.assumeYes) {
+    if (!process.stdin.isTTY) {
+      process.stderr.write(import_chalk10.default.yellow("  Non-interactive shell \u2014 pass --yes to proceed.\n\n"));
+      return 1;
+    }
+    const ok = await confirm2("  Proceed? [y/N] ");
+    if (!ok) {
+      process.stderr.write(import_chalk10.default.dim("\n  Cancelled. Nothing changed.\n\n"));
+      return 0;
+    }
+    process.stderr.write("\n");
+  }
+  const apiKey = getStoredApiKey();
+  if (apiKey) {
+    const r = await revokeApiKey(apiKey);
+    if (r.ok) {
+      process.stderr.write(import_chalk10.default.green("  \u2713 ") + "Revoked API key server-side\n");
+    } else {
+      process.stderr.write(
+        import_chalk10.default.yellow("  \u26A0 ") + `Could not revoke API key (${r.reason ?? "unknown"}); local removal continues
+`
+      );
+    }
+  } else {
+    process.stderr.write(import_chalk10.default.dim("  \xB7 No stored API key\n"));
+  }
+  if (!opts.keepHooks && !opts.soft) {
+    for (const h of plan.hooks) {
+      if (!existsSync19(h.repoPath)) {
+        process.stderr.write(import_chalk10.default.dim(`  \xB7 ${h.repoPath} no longer exists \u2014 skipping registered hook
+`));
+        continue;
+      }
+      try {
+        const r = stripDgFromHookFile(h.hookPath, h.framework, h.repoPath);
+        if (r.status === "removed") {
+          process.stderr.write(import_chalk10.default.green("  \u2713 ") + `Removed hook ${h.hookPath}
+`);
+        } else {
+          process.stderr.write(import_chalk10.default.dim(`  \xB7 No dg hook found at ${h.hookPath}
+`));
+        }
+      } catch (e) {
+        process.stderr.write(
+          import_chalk10.default.yellow("  \u26A0 ") + `Could not remove hook ${h.hookPath}: ${e.message}
+`
+        );
+      }
+    }
+  }
+  if (plan.rcCleanup) {
+    try {
+      const r = stripAliasSourceFromRc();
+      for (const f of r.modified) {
+        process.stderr.write(import_chalk10.default.green("  \u2713 ") + `Stripped sentinel block from ${f}
+`);
+      }
+      for (const f of r.manualReviewNeeded) {
+        process.stderr.write(
+          import_chalk10.default.yellow("  \u26A0 ") + `${f} has an open sentinel but no close \u2014 leaving it; remove the block by hand
+`
+        );
+      }
+    } catch (e) {
+      process.stderr.write(import_chalk10.default.yellow(`  \u26A0 Shell-rc cleanup failed: ${e.message}
+`));
+    }
+  }
+  if (opts.soft) {
+    for (const f of plan.configFiles) {
+      const r = rmFile(f);
+      if (r.ok) process.stderr.write(import_chalk10.default.green("  \u2713 ") + `Removed ${f}
+`);
+      else process.stderr.write(import_chalk10.default.red("  \u2718 ") + `${f}: ${r.reason}
+`);
+    }
+  } else {
+    for (const f of plan.legacyFiles) {
+      if (!isWritableTarget(f)) continue;
+      const r = rmFile(f);
+      if (r.ok) process.stderr.write(import_chalk10.default.green("  \u2713 ") + `Removed ${f}
+`);
+      else process.stderr.write(import_chalk10.default.red("  \u2718 ") + `${f}: ${r.reason}
+`);
+    }
+    for (const d of plan.legacyDirs) {
+      if (!isWritableTarget(d)) continue;
+      const r = rmTree(d);
+      if (r.ok) process.stderr.write(import_chalk10.default.green("  \u2713 ") + `Removed ${d}
+`);
+      else process.stderr.write(import_chalk10.default.red("  \u2718 ") + `${d}: ${r.reason}
+`);
+    }
+    if (plan.rootDir) {
+      const r = rmTree(plan.rootDir);
+      if (r.ok) process.stderr.write(import_chalk10.default.green("  \u2713 ") + `Removed ${plan.rootDir}
+`);
+      else process.stderr.write(import_chalk10.default.red("  \u2718 ") + `${plan.rootDir}: ${r.reason}
+`);
+    }
+  }
+  process.stderr.write("\n");
+  if (opts.soft) {
+    process.stderr.write(import_chalk10.default.bold("  Soft cleanup complete.\n"));
+  } else {
+    process.stderr.write(import_chalk10.default.bold.green("  Uninstall complete.\n\n"));
+    process.stderr.write("  To remove the binary itself, run:\n");
+    process.stderr.write(import_chalk10.default.cyan("    npm uninstall -g @westbayberry/dg\n\n"));
+  }
+  return 0;
+}
+function handleUninstallCommand(args) {
+  return runUninstall(args);
+}
+var import_chalk10, REVOKE_TIMEOUT_MS, USAGE4;
+var init_uninstall = __esm({
+  "src/commands/uninstall.ts"() {
+    "use strict";
+    import_chalk10 = __toESM(require_source());
+    init_paths();
+    init_hooks_registry();
+    init_hook();
+    init_protect();
+    init_auth();
+    init_config();
+    REVOKE_TIMEOUT_MS = 5e3;
+    USAGE4 = `
+  dg uninstall \u2014 remove every file dg has written locally
+
+  Usage:
+    dg uninstall [flags]
+
+  Flags:
+    --yes, -y         Skip the confirmation prompt
+    --dry-run         Show what would be removed; make no changes
+    --soft            Only revoke API key + remove the config file
+                      (leaves cache, hooks, and rc-source-line in place)
+    --keep-hooks      Leave per-repo pre-commit hooks installed
+
+  Removes:
+    ~/.dg/        (config + cache + state + hooks registry)
+    ~/.dgrc.json                   (legacy, if still present)
+    ~/.dg/                         (legacy, if still present)
+    ~/.dg-update-check.json        (legacy, if still present)
+    every per-repo pre-commit hook installed via 'dg hook install'
+    the dg sentinel block in your shell rc files
+
+  Also revokes this device's API key server-side (5s timeout; offline is OK,
+  local cleanup proceeds either way).
+
+  Does NOT run 'npm uninstall -g @westbayberry/dg' \u2014 run that separately.
+`.trimStart();
+  }
+});
+
+// src/commands/init.ts
+var init_exports3 = {};
+__export(init_exports3, {
+  handleInitCommand: () => handleInitCommand,
+  parseInitArgs: () => parseInitArgs,
+  runInit: () => runInit2
+});
+import { existsSync as existsSync20 } from "node:fs";
+import { join as join15 } from "node:path";
+import * as readline2 from "node:readline";
+import { execFileSync as execFileSync4 } from "node:child_process";
+function parseInitArgs(args) {
+  const opts = {
+    assumeYes: false,
+    installHook: true,
+    enableProtect: true,
+    appendRc: false,
+    runScan: true
+  };
+  for (const a of args) {
+    if (a === "--yes" || a === "-y") opts.assumeYes = true;
+    else if (a === "--no-hook") opts.installHook = false;
+    else if (a === "--no-protect") opts.enableProtect = false;
+    else if (a === "--no-scan") opts.runScan = false;
+    else if (a === "--append-rc") opts.appendRc = true;
+  }
+  return opts;
+}
+async function confirm3(prompt, defaultYes, assumeYes) {
+  if (assumeYes) {
+    process.stderr.write(prompt + (defaultYes ? "yes" : "no") + " (--yes)\n");
+    return defaultYes;
+  }
+  if (!process.stdin.isTTY) {
+    process.stderr.write(prompt + (defaultYes ? "yes" : "no") + " (non-interactive default)\n");
+    return defaultYes;
+  }
+  process.stderr.write(prompt);
+  return new Promise((resolve3) => {
+    const rl = readline2.createInterface({ input: process.stdin });
+    rl.once("line", (line) => {
+      rl.close();
+      const ans = line.trim().toLowerCase();
+      if (ans === "") resolve3(defaultYes);
+      else if (ans === "y" || ans === "yes") resolve3(true);
+      else resolve3(false);
+    });
+  });
+}
+function detectEcosystem(cwd2) {
+  const npm = existsSync20(join15(cwd2, "package.json")) || existsSync20(join15(cwd2, "package-lock.json")) || existsSync20(join15(cwd2, "pnpm-lock.yaml")) || existsSync20(join15(cwd2, "yarn.lock"));
+  const pypi = existsSync20(join15(cwd2, "pyproject.toml")) || existsSync20(join15(cwd2, "setup.py")) || existsSync20(join15(cwd2, "requirements.txt")) || existsSync20(join15(cwd2, "Pipfile")) || existsSync20(join15(cwd2, "poetry.lock"));
+  return { npm, pypi };
+}
+function findRepoRootOrNull(cwd2) {
+  try {
+    return execFileSync4("git", ["-C", cwd2, "rev-parse", "--show-toplevel"], {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+async function runInit2(args) {
+  if (args.includes("--help") || args.includes("-h")) {
+    process.stdout.write(USAGE5);
+    return 0;
+  }
+  const opts = parseInitArgs(args);
+  const cwd2 = process.cwd();
+  if (getFirstRunCompletedAt() === null) {
+    process.stderr.write(
+      import_chalk11.default.yellow("  This looks like your first time using dg.\n") + import_chalk11.default.dim("  Run ") + import_chalk11.default.cyan("dg kitty") + import_chalk11.default.dim(" first for the guided intro,\n") + import_chalk11.default.dim("  then come back to ") + import_chalk11.default.cyan("dg init") + import_chalk11.default.dim(" to set up this project.\n\n")
+    );
+    return 1;
+  }
+  process.stderr.write(import_chalk11.default.bold("\n  Setting up Dependency Guardian for this project.\n\n"));
+  const eco = detectEcosystem(cwd2);
+  if (!eco.npm && !eco.pypi) {
+    process.stderr.write(
+      import_chalk11.default.yellow("  No lockfile or manifest found in this directory.\n") + import_chalk11.default.dim("  Expected one of: package.json, pnpm-lock.yaml, yarn.lock,\n") + import_chalk11.default.dim("                   pyproject.toml, requirements.txt, Pipfile.\n") + import_chalk11.default.dim("  cd into your project root and re-run dg init.\n\n")
+    );
+    return 1;
+  }
+  const stacks = [];
+  if (eco.npm) stacks.push("npm");
+  if (eco.pypi) stacks.push("pypi");
+  process.stderr.write(import_chalk11.default.green("  \u2713 ") + `Detected: ${stacks.join(" + ")}
+
+`);
+  if (opts.installHook) {
+    const repoRoot = findRepoRootOrNull(cwd2);
+    if (repoRoot === null) {
+      process.stderr.write(import_chalk11.default.dim("  \xB7 Not a git repo \u2014 skipping pre-commit hook.\n"));
+    } else {
+      let info;
+      try {
+        info = detectHookFramework(repoRoot);
+      } catch (e) {
+        process.stderr.write(import_chalk11.default.yellow(`  \u26A0 Hook detection failed: ${e.message}
+`));
+        info = { framework: "bare", targetFile: join15(repoRoot, ".git", "hooks", "pre-commit"), alreadyInstalled: false };
+      }
+      if (info.alreadyInstalled) {
+        process.stderr.write(import_chalk11.default.dim(`  \xB7 Pre-commit hook already installed at ${info.targetFile}.
+`));
+      } else {
+        const prompt = `  Install git pre-commit hook? (${info.framework} \u2192 ${info.targetFile})
+    Blocks commits that add high-risk lockfile changes. [Y/n] `;
+        const yes = await confirm3(prompt, true, opts.assumeYes);
+        if (yes) {
+          try {
+            installHookForFramework(info);
+            addEntry({
+              repoPath: repoRoot,
+              framework: info.framework,
+              hookPath: info.targetFile
+            });
+          } catch (e) {
+            process.stderr.write(import_chalk11.default.red(`  \u2718 Hook install failed: ${e.message}
+`));
+          }
+        } else {
+          process.stderr.write(import_chalk11.default.dim("  \xB7 Skipped hook install.\n"));
+        }
+      }
+      process.stderr.write("\n");
+    }
+  }
+  if (opts.enableProtect) {
+    const prompt = "  Enable 'dg protect' so 'npm install' / 'pip install' route\n    through dg automatically? [Y/n] ";
+    const yes = await confirm3(prompt, true, opts.assumeYes);
+    if (yes) {
+      try {
+        await runProtectInit(cwd2, { noShell: true });
+        const { rc } = suggestedShellRc();
+        const rcLine = `source ${dgStatePath("aliases.sh")}`;
+        if (opts.appendRc) {
+          const out = appendAliasSourceToRc(rc, rcLine);
+          if (out.status === "appended") {
+            process.stderr.write(import_chalk11.default.green("  \u2713 ") + `Added source line to ${out.rcPath}
+`);
+          } else if (out.status === "already-present") {
+            process.stderr.write(import_chalk11.default.dim(`  \xB7 Source line already present in ${out.rcPath}
+`));
+          } else {
+            process.stderr.write(
+              import_chalk11.default.yellow("  \u26A0 ") + `Could not append to ${out.rcPath}: ${out.reason}. Add this line by hand:
+` + import_chalk11.default.cyan(`    ${rcLine}
+`)
+            );
+          }
+        } else {
+          process.stderr.write(
+            import_chalk11.default.dim(`  Add this line to ${rc} to activate the wrapper:
+`) + import_chalk11.default.cyan(`    ${rcLine}
+`) + import_chalk11.default.dim(`  (re-run with --append-rc to have dg add it for you)
+`)
+          );
+        }
+      } catch (e) {
+        process.stderr.write(import_chalk11.default.red(`  \u2718 Protect setup failed: ${e.message}
+`));
+      }
+    } else {
+      process.stderr.write(import_chalk11.default.dim("  \xB7 Skipped protect setup.\n"));
+    }
+    process.stderr.write("\n");
+  }
+  if (opts.runScan) {
+    const prompt = `  Run an initial scan now? [Y/n] `;
+    const yes = await confirm3(prompt, true, opts.assumeYes);
+    if (yes) {
+      process.stderr.write(import_chalk11.default.dim("  Running 'dg scan'...\n\n"));
+      try {
+        const { runStatic: runStatic2 } = await Promise.resolve().then(() => (init_static_output(), static_output_exports));
+        const { parseConfig: parseConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+        const cfg = parseConfig2(["node", "dg", "scan"], false);
+        await runStatic2(cfg);
+      } catch (e) {
+        process.stderr.write(import_chalk11.default.yellow(`  \u26A0 Initial scan failed: ${e.message}
+`));
+        process.stderr.write(import_chalk11.default.dim(`    Run 'dg scan' manually when ready.
+`));
+      }
+    } else {
+      process.stderr.write(import_chalk11.default.dim("  \xB7 Skipped initial scan.\n"));
+    }
+    process.stderr.write("\n");
+  }
+  process.stderr.write(import_chalk11.default.bold.green("  \u2713 Setup complete.\n"));
+  process.stderr.write(import_chalk11.default.dim("    Run 'dg status' anytime to check this project's coverage.\n"));
+  if (!isLoggedIn()) {
+    process.stderr.write(import_chalk11.default.dim("    Run 'dg login' for a free account + higher scan limits.\n"));
+  }
+  process.stderr.write("\n");
+  return 0;
+}
+function handleInitCommand(args) {
+  return runInit2(args);
+}
+var import_chalk11, USAGE5;
+var init_init = __esm({
+  "src/commands/init.ts"() {
+    "use strict";
+    import_chalk11 = __toESM(require_source());
+    init_auth();
+    init_hook();
+    init_hooks_registry();
+    init_protect();
+    init_paths();
+    USAGE5 = `
+  dg init \u2014 fast per-project setup
+
+  Usage:
+    dg init [flags]
+
+  Flags:
+    --yes, -y         Accept all default answers without prompting (CI-safe)
+    --no-hook         Skip git pre-commit hook installation
+    --no-protect      Skip enabling 'dg protect' (npm/pip wrapper)
+    --no-scan         Skip the initial scan
+    --append-rc       Auto-append the alias source-line to your shell rc
+                      (default: print the line for you to paste)
+
+  What it does (each step asks first):
+    1. Detect ecosystem (npm / pypi) in this directory
+    2. Install a git pre-commit hook that blocks risky lockfile changes
+    3. Enable 'dg protect' so 'npm install' and 'pip install' route
+       through dg
+    4. Run a first scan of your current dependencies
+
+  This is the per-project equivalent of 'dg kitty' \u2014 the one-time intro
+  wizard that auto-runs on your very first dg invocation. Re-run
+  'dg kitty' if you want the full tour again.
+`.trimStart();
   }
 });
 
@@ -93944,14 +94984,14 @@ function formatRate(ratePerSec) {
   if (ratePerSec >= 1) return `${Math.round(ratePerSec)} pkg/s`;
   return `${ratePerSec.toFixed(1)} pkg/s`;
 }
-var import_react32, import_chalk10, import_jsx_runtime9, ProgressBar;
+var import_react32, import_chalk12, import_jsx_runtime9, ProgressBar;
 var init_ProgressBar = __esm({
   async "src/ui/components/ProgressBar.tsx"() {
     "use strict";
     import_react32 = __toESM(require_react());
     await init_build2();
     await init_build3();
-    import_chalk10 = __toESM(require_source());
+    import_chalk12 = __toESM(require_source());
     await init_useTerminalSize();
     import_jsx_runtime9 = __toESM(require_jsx_runtime());
     ProgressBar = ({
@@ -93992,7 +95032,7 @@ var init_ProgressBar = __esm({
       const filledBar = "\u2501".repeat(filled);
       const emptyBar = "\u2501".repeat(empty);
       return /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)(Box_default, { flexDirection: "column", paddingLeft: 2, children: [
-        /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(Text, { children: import_chalk10.default.bold("Dependency Guardian") }),
+        /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(Text, { children: import_chalk12.default.bold("Dependency Guardian") }),
         /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(Text, { children: "" }),
         /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)(Box_default, { children: [
           done ? /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(Text, { color: "green", children: "\u2713" }) : /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(Text, { color: "cyan", children: /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(build_default, { type: "dots" }) }),
@@ -94021,7 +95061,7 @@ var init_ProgressBar = __esm({
         ] }),
         label && !compact && /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(Box_default, { children: /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)(Text, { dimColor: true, children: [
           "  ",
-          import_chalk10.default.dim("\u203A"),
+          import_chalk12.default.dim("\u203A"),
           " ",
           label
         ] }) })
@@ -94032,7 +95072,7 @@ var init_ProgressBar = __esm({
 
 // src/ui/components/ScoreHeader.tsx
 function scoreColor(score, action) {
-  const colorFn = action === "block" ? import_chalk11.default.red.bold : action === "warn" ? import_chalk11.default.yellow.bold : action === "analysis_incomplete" ? import_chalk11.default.cyan.bold : import_chalk11.default.green.bold;
+  const colorFn = action === "block" ? import_chalk13.default.red.bold : action === "warn" ? import_chalk13.default.yellow.bold : action === "analysis_incomplete" ? import_chalk13.default.cyan.bold : import_chalk13.default.green.bold;
   return colorFn(String(score));
 }
 function plot(grid, x, y, type) {
@@ -94064,10 +95104,10 @@ function fillCircle(grid, cx, cy, r, type) {
 }
 function renderLogo(action) {
   const colors = {
-    1: import_chalk11.default.dim,
-    2: import_chalk11.default.white,
-    3: (s) => import_chalk11.default.bold.white(s),
-    4: action === "block" ? import_chalk11.default.red : action === "warn" ? import_chalk11.default.yellow : action === "analysis_incomplete" ? import_chalk11.default.cyan : import_chalk11.default.green
+    1: import_chalk13.default.dim,
+    2: import_chalk13.default.white,
+    3: (s) => import_chalk13.default.bold.white(s),
+    4: action === "block" ? import_chalk13.default.red : action === "warn" ? import_chalk13.default.yellow : action === "analysis_incomplete" ? import_chalk13.default.cyan : import_chalk13.default.green
   };
   const result = [];
   const { chars, types, cols } = LOGO_DATA;
@@ -94076,18 +95116,18 @@ function renderLogo(action) {
     for (let j = 0; j < cols; j++) {
       const ch = chars[i + j];
       const t = types[i + j];
-      row += t > 0 ? (colors[t] ?? import_chalk11.default.dim)(ch) : ch;
+      row += t > 0 ? (colors[t] ?? import_chalk13.default.dim)(ch) : ch;
     }
     result.push(row);
   }
   return result;
 }
-var import_chalk11, import_jsx_runtime10, LOGO_DATA, ScoreHeader;
+var import_chalk13, import_jsx_runtime10, LOGO_DATA, ScoreHeader;
 var init_ScoreHeader = __esm({
   async "src/ui/components/ScoreHeader.tsx"() {
     "use strict";
     await init_build2();
-    import_chalk11 = __toESM(require_source());
+    import_chalk13 = __toESM(require_source());
     import_jsx_runtime10 = __toESM(require_jsx_runtime());
     LOGO_DATA = (() => {
       const W = 22, H = 28;
@@ -94152,28 +95192,28 @@ var init_ScoreHeader = __esm({
           children: /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Box_default, { flexDirection: "row", children: [
             /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Box_default, { flexDirection: "column", flexGrow: 1, children: [
               /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Text, { bold: true, children: [
-                import_chalk11.default.cyan("\u25C6"),
+                import_chalk13.default.cyan("\u25C6"),
                 " Dependency Guardian  ",
-                userStatus ? import_chalk11.default.dim(userStatus) : ""
+                userStatus ? import_chalk13.default.dim(userStatus) : ""
               ] }),
               /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Text, { children: " " }),
               /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Text, { children: [
-                import_chalk11.default.dim("Score"),
+                import_chalk13.default.dim("Score"),
                 "  ",
                 scoreColor(score, action)
               ] }),
               total !== void 0 && /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
                 /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Text, { children: " " }),
                 /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Text, { children: [
-                  import_chalk11.default.dim(`${total} package${total !== 1 ? "s" : ""} scanned`),
+                  import_chalk13.default.dim(`${total} package${total !== 1 ? "s" : ""} scanned`),
                   flagged !== void 0 && flagged > 0 ? /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
                     "    ",
-                    import_chalk11.default.yellow(`${flagged} flagged`),
+                    import_chalk13.default.yellow(`${flagged} flagged`),
                     "    ",
-                    import_chalk11.default.green(`${clean ?? 0} clean`)
+                    import_chalk13.default.green(`${clean ?? 0} clean`)
                   ] }) : /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(import_jsx_runtime10.Fragment, { children: [
                     "    ",
-                    import_chalk11.default.green("all clean")
+                    import_chalk13.default.green("all clean")
                   ] })
                 ] }),
                 scanUsage && /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Text, { dimColor: true, children: scanUsage })
@@ -94234,8 +95274,8 @@ var init_useExpandAnimation = __esm({
 });
 
 // src/ui/components/InteractiveResultsView.tsx
-import { writeFileSync as writeFileSync8 } from "node:fs";
-import { resolve as resolvePath2 } from "node:path";
+import { writeFileSync as writeFileSync10 } from "node:fs";
+import { resolve as resolvePath3 } from "node:path";
 function groupPackages2(packages) {
   const map = /* @__PURE__ */ new Map();
   for (const pkg of packages) {
@@ -94248,10 +95288,10 @@ function groupPackages2(packages) {
 }
 function actionBadge2(score) {
   if (score >= 70)
-    return { label: "Block", color: import_chalk12.default.red };
+    return { label: "Block", color: import_chalk14.default.red };
   if (score >= 60)
-    return { label: "Warn", color: import_chalk12.default.yellow };
-  return { label: "Pass", color: import_chalk12.default.green };
+    return { label: "Warn", color: import_chalk14.default.yellow };
+  return { label: "Pass", color: import_chalk14.default.green };
 }
 function truncate3(s, max) {
   return s.length <= max ? s : s.slice(0, max - 1) + "\u2026";
@@ -94348,7 +95388,7 @@ function buildDetailLines(group, safeVersion, maxWidth) {
           connector,
           " ",
           sevColor(pad2(sevLabel, 8)),
-          import_chalk12.default.dim(f.category ?? "")
+          import_chalk14.default.dim(f.category ?? "")
         ] }, `finding-${i}`)
       );
     }
@@ -94356,7 +95396,7 @@ function buildDetailLines(group, safeVersion, maxWidth) {
   } else if (rep.score > 0) {
     lines.push(
       /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { color: "yellow", children: [
-        import_chalk12.default.yellow("\u2192"),
+        import_chalk14.default.yellow("\u2192"),
         " Upgrade to Pro to see risk categories"
       ] }, "upgrade")
     );
@@ -94365,15 +95405,15 @@ function buildDetailLines(group, safeVersion, maxWidth) {
   if (rep.recommendation) {
     lines.push(
       /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
-        import_chalk12.default.dim("Recommendation:"),
+        import_chalk14.default.dim("Recommendation:"),
         " ",
-        import_chalk12.default.cyan(truncate3(rep.recommendation, maxWidth - 18))
+        import_chalk14.default.cyan(truncate3(rep.recommendation, maxWidth - 18))
       ] }, "recommendation")
     );
   }
   if (safeVersion) {
     lines.push(
-      /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: import_chalk12.default.green(`Safe version: ${rep.name}@${safeVersion}`) }, "safe")
+      /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: import_chalk14.default.green(`Safe version: ${rep.name}@${safeVersion}`) }, "safe")
     );
   }
   return lines;
@@ -94393,24 +95433,24 @@ function licenseLine(rep) {
   if (!lc) return null;
   const spdx = lc.spdx ?? lc.raw ?? "";
   const desc = LICENSE_DESCRIPTIONS[lc.riskCategory] ?? "";
-  const lcColor = lc.riskCategory === "permissive" ? import_chalk12.default.green : lc.riskCategory === "no-license" || lc.riskCategory === "unlicensed" || lc.riskCategory === "network-copyleft" ? import_chalk12.default.red : import_chalk12.default.yellow;
+  const lcColor = lc.riskCategory === "permissive" ? import_chalk14.default.green : lc.riskCategory === "no-license" || lc.riskCategory === "unlicensed" || lc.riskCategory === "network-copyleft" ? import_chalk14.default.red : import_chalk14.default.yellow;
   return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
     T.branch,
     " ",
     lcColor(spdx),
     " ",
-    import_chalk12.default.dim("\u2014"),
+    import_chalk14.default.dim("\u2014"),
     " ",
-    import_chalk12.default.dim(desc)
+    import_chalk14.default.dim(desc)
   ] }, "license-info");
 }
-var import_react34, import_chalk12, import_jsx_runtime11, SEVERITY_LABELS, SEVERITY_COLORS, EVIDENCE_LIMIT, FIXED_CHROME, DETAIL_PANE_CHROME, InteractiveResultsView, T, LICENSE_DESCRIPTIONS, FindingsSummary;
+var import_react34, import_chalk14, import_jsx_runtime11, SEVERITY_LABELS, SEVERITY_COLORS, EVIDENCE_LIMIT, FIXED_CHROME, DETAIL_PANE_CHROME, InteractiveResultsView, T, LICENSE_DESCRIPTIONS, FindingsSummary;
 var init_InteractiveResultsView = __esm({
   async "src/ui/components/InteractiveResultsView.tsx"() {
     "use strict";
     import_react34 = __toESM(require_react());
     await init_build2();
-    import_chalk12 = __toESM(require_source());
+    import_chalk14 = __toESM(require_source());
     init_auth();
     await init_ScoreHeader();
     init_useExpandAnimation();
@@ -94425,11 +95465,11 @@ var init_InteractiveResultsView = __esm({
       1: "INFO"
     };
     SEVERITY_COLORS = {
-      5: (s) => import_chalk12.default.red.bold(s),
-      4: (s) => import_chalk12.default.red(s),
-      3: (s) => import_chalk12.default.yellow(s),
-      2: (s) => import_chalk12.default.cyan(s),
-      1: (s) => import_chalk12.default.gray(s)
+      5: (s) => import_chalk14.default.red.bold(s),
+      4: (s) => import_chalk14.default.red(s),
+      3: (s) => import_chalk14.default.yellow(s),
+      2: (s) => import_chalk14.default.cyan(s),
+      1: (s) => import_chalk14.default.gray(s)
     };
     EVIDENCE_LIMIT = 2;
     FIXED_CHROME = 21;
@@ -94746,8 +95786,8 @@ var init_InteractiveResultsView = __esm({
           const { body, ext } = formatExport(payload, scope, format);
           const scopeTag = scope === "current-license" && currentLicenseIdx !== null ? `${(licenseGroups[currentLicenseIdx]?.spdx ?? "license").replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 32)}` : scope;
           const filename = `dg-scan-${ts}-${scopeTag}.${ext}`;
-          const path3 = resolvePath2(process.cwd(), filename);
-          writeFileSync8(path3, body, "utf-8");
+          const path3 = resolvePath3(process.cwd(), filename);
+          writeFileSync10(path3, body, "utf-8");
           showExportMsg(`\u2713 Exported to ${filename}`);
         } catch (e) {
           showExportMsg(`Export failed: ${e.message}`);
@@ -95119,13 +96159,13 @@ var init_InteractiveResultsView = __esm({
         ];
         const renderRow = (title, rows, current, isActive) => /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { flexDirection: "column", marginBottom: 1, children: [
           /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
-            isActive ? import_chalk12.default.cyan("\u258C ") : "  ",
-            isActive ? import_chalk12.default.bold(title) : import_chalk12.default.dim(title)
+            isActive ? import_chalk14.default.cyan("\u258C ") : "  ",
+            isActive ? import_chalk14.default.bold(title) : import_chalk14.default.dim(title)
           ] }),
           rows.map((r) => {
             const selected = r.value === current;
-            const bullet = selected ? isActive ? import_chalk12.default.cyan("\u25CF") : import_chalk12.default.green("\u25CF") : import_chalk12.default.dim("\u25CB");
-            const text = selected ? import_chalk12.default.bold(r.label) : r.label;
+            const bullet = selected ? isActive ? import_chalk14.default.cyan("\u25CF") : import_chalk14.default.green("\u25CF") : import_chalk14.default.dim("\u25CB");
+            const text = selected ? import_chalk14.default.bold(r.label) : r.label;
             return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { children: [
               /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: 5, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                 "   ",
@@ -95151,32 +96191,32 @@ var init_InteractiveResultsView = __esm({
           ),
           /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { flexDirection: "column", borderStyle: "round", borderColor: "cyan", paddingLeft: 2, paddingRight: 2, width: "100%", children: [
             /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { bold: true, children: [
-              import_chalk12.default.cyan("\u25C6"),
+              import_chalk14.default.cyan("\u25C6"),
               " Export ",
-              import_chalk12.default.dim("(pick what to export and which format)")
+              import_chalk14.default.dim("(pick what to export and which format)")
             ] }),
             /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
             renderRow("What", SCOPES_RENDER, exportMenu.scope, exportMenu.activeRow === "scope"),
             renderRow("Format", FORMATS_RENDER, exportMenu.format, exportMenu.activeRow === "format")
           ] }),
-          /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk12.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk14.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
           /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
             " ",
-            import_chalk12.default.bold.cyan("\u2191\u2193"),
+            import_chalk14.default.bold.cyan("\u2191\u2193"),
             " ",
-            import_chalk12.default.dim("scroll"),
+            import_chalk14.default.dim("scroll"),
             "   ",
-            import_chalk12.default.bold.cyan("\u2190\u2192/Tab"),
+            import_chalk14.default.bold.cyan("\u2190\u2192/Tab"),
             " ",
-            import_chalk12.default.dim("switch row"),
+            import_chalk14.default.dim("switch row"),
             "   ",
-            import_chalk12.default.bold.cyan("\u23CE"),
+            import_chalk14.default.bold.cyan("\u23CE"),
             " ",
-            import_chalk12.default.dim("export"),
+            import_chalk14.default.dim("export"),
             "   ",
-            import_chalk12.default.bold.cyan("Esc"),
+            import_chalk14.default.bold.cyan("Esc"),
             " ",
-            import_chalk12.default.dim("cancel")
+            import_chalk14.default.dim("cancel")
           ] })
         ] });
       }
@@ -95206,97 +96246,97 @@ var init_InteractiveResultsView = __esm({
               width: "100%",
               children: [
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { bold: true, children: [
-                  import_chalk12.default.cyan("\u25C6"),
+                  import_chalk14.default.cyan("\u25C6"),
                   " Keyboard Shortcuts"
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { bold: true, children: " Navigation" }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("\u2191 k"),
+                  import_chalk14.default.cyan("\u2191 k"),
                   "     ",
-                  import_chalk12.default.dim("Move up")
+                  import_chalk14.default.dim("Move up")
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("\u2193 j"),
+                  import_chalk14.default.cyan("\u2193 j"),
                   "     ",
-                  import_chalk12.default.dim("Move down")
+                  import_chalk14.default.dim("Move down")
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("g"),
+                  import_chalk14.default.cyan("g"),
                   "       ",
-                  import_chalk12.default.dim("Jump to top")
+                  import_chalk14.default.dim("Jump to top")
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("G"),
+                  import_chalk14.default.cyan("G"),
                   "       ",
-                  import_chalk12.default.dim("Jump to bottom")
+                  import_chalk14.default.dim("Jump to bottom")
                 ] }),
                 !isDetail && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("PgUp"),
+                  import_chalk14.default.cyan("PgUp"),
                   "    ",
-                  import_chalk12.default.dim("Page up")
+                  import_chalk14.default.dim("Page up")
                 ] }),
                 !isDetail && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("PgDn"),
+                  import_chalk14.default.cyan("PgDn"),
                   "    ",
-                  import_chalk12.default.dim("Page down")
+                  import_chalk14.default.dim("Page down")
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { bold: true, children: " Actions" }),
                 !isDetail && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("\u23CE"),
+                  import_chalk14.default.cyan("\u23CE"),
                   "       ",
-                  import_chalk12.default.dim("Expand findings")
+                  import_chalk14.default.dim("Expand findings")
                 ] }),
                 isDetail && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("Esc"),
+                  import_chalk14.default.cyan("Esc"),
                   "     ",
-                  import_chalk12.default.dim("Back to list")
+                  import_chalk14.default.dim("Back to list")
                 ] }),
                 !isDetail && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("/"),
+                  import_chalk14.default.cyan("/"),
                   "       ",
-                  import_chalk12.default.dim("Search packages")
+                  import_chalk14.default.dim("Search packages")
                 ] }),
                 !isDetail && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("l"),
+                  import_chalk14.default.cyan("l"),
                   "       ",
-                  import_chalk12.default.dim("License breakdown (browse + drill-in)")
+                  import_chalk14.default.dim("License breakdown (browse + drill-in)")
                 ] }),
                 !isDetail && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("e"),
+                  import_chalk14.default.cyan("e"),
                   "       ",
-                  import_chalk12.default.dim("Export menu \u2014 pick scope (all / summary / packages / licenses / findings) and format (JSON / CSV / Markdown / text)")
+                  import_chalk14.default.dim("Export menu \u2014 pick scope (all / summary / packages / licenses / findings) and format (JSON / CSV / Markdown / text)")
                 ] }),
                 !isDetail && onBack && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("b"),
+                  import_chalk14.default.cyan("b"),
                   "       ",
-                  import_chalk12.default.dim("Back to project selector")
+                  import_chalk14.default.dim("Back to project selector")
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                   "   ",
-                  import_chalk12.default.cyan("q"),
+                  import_chalk14.default.cyan("q"),
                   "       ",
-                  import_chalk12.default.dim("Quit")
+                  import_chalk14.default.dim("Quit")
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
                   " Press ",
-                  import_chalk12.default.bold.cyan("?"),
+                  import_chalk14.default.bold.cyan("?"),
                   " or ",
-                  import_chalk12.default.bold.cyan("Esc"),
+                  import_chalk14.default.bold.cyan("Esc"),
                   " to close"
                 ] })
               ]
@@ -95306,11 +96346,11 @@ var init_InteractiveResultsView = __esm({
       }
       if (showLicenses) {
         const lcColor = (risk) => {
-          if (risk === "permissive") return import_chalk12.default.green;
-          if (risk === "weak-copyleft") return import_chalk12.default.yellow;
-          if (risk === "strong-copyleft") return import_chalk12.default.yellow.bold;
-          if (risk === "no-license" || risk === "network-copyleft" || risk === "unlicensed") return import_chalk12.default.red;
-          return import_chalk12.default.dim;
+          if (risk === "permissive") return import_chalk14.default.green;
+          if (risk === "weak-copyleft") return import_chalk14.default.yellow;
+          if (risk === "strong-copyleft") return import_chalk14.default.yellow.bold;
+          if (risk === "no-license" || risk === "network-copyleft" || risk === "unlicensed") return import_chalk14.default.red;
+          return import_chalk14.default.dim;
         };
         const totalCount = result.packages.length;
         const maxCount = licenseGroups[0]?.count ?? 1;
@@ -95342,7 +96382,7 @@ var init_InteractiveResultsView = __esm({
             /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { flexDirection: "column", borderStyle: "round", borderColor: "cyan", paddingLeft: 2, paddingRight: 2, width: "100%", children: [
               /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { children: [
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { bold: true, children: [
-                  import_chalk12.default.cyan("\u25C6"),
+                  import_chalk14.default.cyan("\u25C6"),
                   " ",
                   color(g.spdx)
                 ] }),
@@ -95358,16 +96398,16 @@ var init_InteractiveResultsView = __esm({
               ] }),
               licenseSearchMode || q ? /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { children: /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
                 " ",
-                import_chalk12.default.bold.cyan("/"),
+                import_chalk14.default.bold.cyan("/"),
                 " ",
-                q || import_chalk12.default.dim("(type to filter; Esc clears, Enter confirms)"),
-                licenseSearchMode ? import_chalk12.default.cyan("\u2588") : ""
+                q || import_chalk14.default.dim("(type to filter; Esc clears, Enter confirms)"),
+                licenseSearchMode ? import_chalk14.default.cyan("\u2588") : ""
               ] }) }) : /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
               _above > 0 && /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: `  \u2191 ${_above} more above` }),
               _slice.length === 0 && /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: `  (no packages match "${q}")` }),
               _slice.map((p) => {
                 const score = p.score;
-                const scoreColor2 = score >= 70 ? import_chalk12.default.red : score >= 60 ? import_chalk12.default.yellow : score === 0 ? import_chalk12.default.dim : import_chalk12.default.green;
+                const scoreColor2 = score >= 70 ? import_chalk14.default.red : score >= 60 ? import_chalk14.default.yellow : score === 0 ? import_chalk14.default.dim : import_chalk14.default.green;
                 return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { children: [
                   /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: Math.max(28, Math.floor(termCols * 0.45)), children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: p.name }) }),
                   /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: 16, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: p.version }) }),
@@ -95376,35 +96416,35 @@ var init_InteractiveResultsView = __esm({
               }),
               _below > 0 && /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: `  \u2193 ${_below} more below` })
             ] }),
-            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk12.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk14.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
             /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
               " ",
-              import_chalk12.default.bold.cyan("\u2191\u2193"),
+              import_chalk14.default.bold.cyan("\u2191\u2193"),
               " ",
-              import_chalk12.default.dim("scroll"),
+              import_chalk14.default.dim("scroll"),
               "   ",
-              import_chalk12.default.bold.cyan("/"),
+              import_chalk14.default.bold.cyan("/"),
               " ",
-              import_chalk12.default.dim("search"),
+              import_chalk14.default.dim("search"),
               "   ",
-              import_chalk12.default.bold.cyan("e"),
+              import_chalk14.default.bold.cyan("e"),
               " ",
-              import_chalk12.default.dim("export"),
+              import_chalk14.default.dim("export"),
               "   ",
-              import_chalk12.default.bold.cyan("Esc"),
+              import_chalk14.default.bold.cyan("Esc"),
               " ",
-              import_chalk12.default.dim("back"),
+              import_chalk14.default.dim("back"),
               "   ",
-              import_chalk12.default.bold.cyan("l"),
+              import_chalk14.default.bold.cyan("l"),
               " ",
-              import_chalk12.default.dim("close"),
+              import_chalk14.default.dim("close"),
               "   ",
-              import_chalk12.default.bold.cyan("q"),
+              import_chalk14.default.bold.cyan("q"),
               " ",
-              import_chalk12.default.dim("quit"),
+              import_chalk14.default.dim("quit"),
               exportMsg && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(import_jsx_runtime11.Fragment, { children: [
                 "   ",
-                import_chalk12.default.green(exportMsg)
+                import_chalk14.default.green(exportMsg)
               ] })
             ] })
           ] });
@@ -95450,9 +96490,9 @@ var init_InteractiveResultsView = __esm({
               width: "100%",
               children: [
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { bold: true, children: [
-                  import_chalk12.default.cyan("\u25C6"),
+                  import_chalk14.default.cyan("\u25C6"),
                   " Licenses ",
-                  import_chalk12.default.dim(`(${licenseGroups.length} unique across ${totalCount} packages)`)
+                  import_chalk14.default.dim(`(${licenseGroups.length} unique across ${totalCount} packages)`)
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: "" }),
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { children: [
@@ -95472,10 +96512,10 @@ var init_InteractiveResultsView = __esm({
                   const spdxText = truncate3(g.spdx, spdxCol - 1);
                   const riskText = g.risk === "unknown" ? "\u2014" : g.risk;
                   return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { children: [
-                    /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: 2, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: isSelected ? import_chalk12.default.cyan("\u258C") : " " }) }),
-                    /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: spdxCol, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: isSelected ? import_chalk12.default.bold(color(spdxText)) : color(spdxText) }) }),
+                    /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: 2, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: isSelected ? import_chalk14.default.cyan("\u258C") : " " }) }),
+                    /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: spdxCol, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: isSelected ? import_chalk14.default.bold(color(spdxText)) : color(spdxText) }) }),
                     /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: riskCol, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: riskText }) }),
-                    /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: countCol, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: import_chalk12.default.bold(String(g.count)) }) }),
+                    /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: countCol, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: import_chalk14.default.bold(String(g.count)) }) }),
                     /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { width: barCol, children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: color(bar) }) })
                   ] }, `${g.risk}::${g.spdx}::${absIdx}`);
                 }),
@@ -95483,31 +96523,31 @@ var init_InteractiveResultsView = __esm({
               ]
             }
           ),
-          /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk12.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk14.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
           /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
             " ",
-            import_chalk12.default.bold.cyan("\u2191\u2193"),
+            import_chalk14.default.bold.cyan("\u2191\u2193"),
             " ",
-            import_chalk12.default.dim("navigate"),
+            import_chalk14.default.dim("navigate"),
             "   ",
-            import_chalk12.default.bold.cyan("\u23CE"),
+            import_chalk14.default.bold.cyan("\u23CE"),
             " ",
-            import_chalk12.default.dim("view packages"),
+            import_chalk14.default.dim("view packages"),
             "   ",
-            import_chalk12.default.bold.cyan("e"),
+            import_chalk14.default.bold.cyan("e"),
             " ",
-            import_chalk12.default.dim("export"),
+            import_chalk14.default.dim("export"),
             "   ",
-            import_chalk12.default.bold.cyan("l/Esc"),
+            import_chalk14.default.bold.cyan("l/Esc"),
             " ",
-            import_chalk12.default.dim("close"),
+            import_chalk14.default.dim("close"),
             "   ",
-            import_chalk12.default.bold.cyan("q"),
+            import_chalk14.default.bold.cyan("q"),
             " ",
-            import_chalk12.default.dim("quit"),
+            import_chalk14.default.dim("quit"),
             exportMsg && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(import_jsx_runtime11.Fragment, { children: [
               "   ",
-              import_chalk12.default.green(exportMsg)
+              import_chalk14.default.green(exportMsg)
             ] })
           ] })
         ] });
@@ -95549,19 +96589,19 @@ var init_InteractiveResultsView = __esm({
                   /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { justifyContent: "space-between", children: [
                     /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { bold: true, children: [
                       groupNames(dpGroup),
-                      dpRep.license ? import_chalk12.default.dim(" \xB7 ") + (dpRep.license.riskCategory === "permissive" ? import_chalk12.default.green(dpRep.license.spdx ?? dpRep.license.raw ?? "") : dpRep.license.riskCategory === "no-license" || dpRep.license.riskCategory === "network-copyleft" ? import_chalk12.default.red(dpRep.license.spdx ?? dpRep.license.raw ?? "No license") : import_chalk12.default.yellow(dpRep.license.spdx ?? dpRep.license.raw ?? "")) : ""
+                      dpRep.license ? import_chalk14.default.dim(" \xB7 ") + (dpRep.license.riskCategory === "permissive" ? import_chalk14.default.green(dpRep.license.spdx ?? dpRep.license.raw ?? "") : dpRep.license.riskCategory === "no-license" || dpRep.license.riskCategory === "network-copyleft" ? import_chalk14.default.red(dpRep.license.spdx ?? dpRep.license.raw ?? "No license") : import_chalk14.default.yellow(dpRep.license.spdx ?? dpRep.license.raw ?? "")) : ""
                     ] }),
                     /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { children: dpColor(`score ${dpRep.score}`) })
                   ] }),
                   dpAbove > 0 && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
-                    import_chalk12.default.cyan(" \u2191"),
+                    import_chalk14.default.cyan(" \u2191"),
                     " ",
                     dpAbove,
                     " more above"
                   ] }),
                   /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Box_default, { flexDirection: "column", marginLeft: 2, children: dpVisible }),
                   dpBelow > 0 && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
-                    import_chalk12.default.cyan(" \u2193"),
+                    import_chalk14.default.cyan(" \u2193"),
                     " ",
                     dpBelow,
                     " more below"
@@ -95580,13 +96620,13 @@ var init_InteractiveResultsView = __esm({
                 width: "100%",
                 children: /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { justifyContent: "space-between", children: [
                   clean.length > 0 ? /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
-                    import_chalk12.default.green("\u2713"),
+                    import_chalk14.default.green("\u2713"),
                     " ",
-                    import_chalk12.default.green.bold(String(clean.length)),
+                    import_chalk14.default.green.bold(String(clean.length)),
                     " ",
-                    import_chalk12.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`),
+                    import_chalk14.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`),
                     " ",
-                    import_chalk12.default.dim(`\xB7 ${(durationMs / 1e3).toFixed(1)}s`)
+                    import_chalk14.default.dim(`\xB7 ${(durationMs / 1e3).toFixed(1)}s`)
                   ] }) : /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
                     (durationMs / 1e3).toFixed(1),
                     "s"
@@ -95595,20 +96635,20 @@ var init_InteractiveResultsView = __esm({
                 ] })
               }
             ),
-            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk12.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk14.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
             /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
               " ",
-              import_chalk12.default.bold.cyan("\u2191\u2193"),
+              import_chalk14.default.bold.cyan("\u2191\u2193"),
               " ",
-              import_chalk12.default.dim("scroll"),
+              import_chalk14.default.dim("scroll"),
               "   ",
-              import_chalk12.default.bold.cyan("Esc"),
+              import_chalk14.default.bold.cyan("Esc"),
               " ",
-              import_chalk12.default.dim("back"),
+              import_chalk14.default.dim("back"),
               "   ",
-              import_chalk12.default.bold.cyan("q"),
+              import_chalk14.default.bold.cyan("q"),
               " ",
-              import_chalk12.default.dim("quit")
+              import_chalk14.default.dim("quit")
             ] })
           ] });
         }
@@ -95641,7 +96681,7 @@ var init_InteractiveResultsView = __esm({
                 /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: searchQuery ? `${groups.length} of ${allGroupCount}` : `${clampedCursor + 1}/${groups.length}` })
               ] }),
               aboveCount > 0 && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
-                import_chalk12.default.cyan(" \u2191"),
+                import_chalk14.default.cyan(" \u2191"),
                 " ",
                 aboveCount,
                 " more above"
@@ -95656,22 +96696,22 @@ var init_InteractiveResultsView = __esm({
                 const scoreStr = String(rep.score);
                 const lcInfo = rep.license;
                 const lcStr = lcInfo ? truncate3(lcInfo.spdx ?? lcInfo.raw ?? "", lcCol - 2) : "";
-                const lcColor = !lcInfo ? import_chalk12.default.dim : lcInfo.riskCategory === "permissive" ? import_chalk12.default.green : lcInfo.riskCategory === "no-license" || lcInfo.riskCategory === "unlicensed" || lcInfo.riskCategory === "network-copyleft" ? import_chalk12.default.red : import_chalk12.default.yellow;
+                const lcColor = !lcInfo ? import_chalk14.default.dim : lcInfo.riskCategory === "permissive" ? import_chalk14.default.green : lcInfo.riskCategory === "no-license" || lcInfo.riskCategory === "unlicensed" || lcInfo.riskCategory === "network-copyleft" ? import_chalk14.default.red : import_chalk14.default.yellow;
                 const arrow = level === "summary" ? "\u25BE" : "\u25B8";
                 return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { flexDirection: "column", children: [
                   isCursor ? /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { backgroundColor: "#1a1a2e", children: [
-                    import_chalk12.default.cyan("\u258C"),
+                    import_chalk14.default.cyan("\u258C"),
                     " ",
-                    import_chalk12.default.cyan(arrow),
+                    import_chalk14.default.cyan(arrow),
                     " ",
                     ` `,
                     color(pad2(label, 6)),
-                    import_chalk12.default.bold(pad2(truncate3(names, nameCol - 2), nameCol)),
+                    import_chalk14.default.bold(pad2(truncate3(names, nameCol - 2), nameCol)),
                     lcColor(pad2(lcStr, lcCol)),
                     color(scoreStr.padStart(3)),
                     "  "
                   ] }) : /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
-                    `  ${import_chalk12.default.dim(arrow)}  `,
+                    `  ${import_chalk14.default.dim(arrow)}  `,
                     color(pad2(label, 6)),
                     pad2(truncate3(names, nameCol - 2), nameCol),
                     lcColor(pad2(lcStr, lcCol)),
@@ -95688,7 +96728,7 @@ var init_InteractiveResultsView = __esm({
                 ] }, group.key);
               }),
               belowCount > 0 && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
-                import_chalk12.default.cyan(" \u2193"),
+                import_chalk14.default.cyan(" \u2193"),
                 " ",
                 belowCount,
                 " more below"
@@ -95715,13 +96755,13 @@ var init_InteractiveResultsView = __esm({
               ] }),
               /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Box_default, { justifyContent: "space-between", children: [
                 clean.length > 0 ? /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
-                  import_chalk12.default.green("\u2713"),
+                  import_chalk14.default.green("\u2713"),
                   " ",
-                  import_chalk12.default.green.bold(String(clean.length)),
+                  import_chalk14.default.green.bold(String(clean.length)),
                   " ",
-                  import_chalk12.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`),
+                  import_chalk14.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`),
                   " ",
-                  import_chalk12.default.dim(`\xB7 ${(durationMs / 1e3).toFixed(1)}s`)
+                  import_chalk14.default.dim(`\xB7 ${(durationMs / 1e3).toFixed(1)}s`)
                 ] }) : /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
                   (durationMs / 1e3).toFixed(1),
                   "s"
@@ -95731,66 +96771,66 @@ var init_InteractiveResultsView = __esm({
             ]
           }
         ),
-        /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk12.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
+        /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(Text, { dimColor: true, children: import_chalk14.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
         searchMode ? /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
           " ",
-          import_chalk12.default.bold.cyan("/"),
+          import_chalk14.default.bold.cyan("/"),
           " ",
           searchQuery,
-          import_chalk12.default.cyan("\u2588"),
+          import_chalk14.default.cyan("\u2588"),
           "   ",
-          import_chalk12.default.dim("Esc clear")
+          import_chalk14.default.dim("Esc clear")
         ] }) : /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { children: [
           " ",
           groups.length > 0 ? /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(import_jsx_runtime11.Fragment, { children: [
-            import_chalk12.default.bold.cyan("\u2191\u2193"),
+            import_chalk14.default.bold.cyan("\u2191\u2193"),
             " ",
-            import_chalk12.default.dim("navigate"),
+            import_chalk14.default.dim("navigate"),
             "   ",
-            import_chalk12.default.bold.cyan("\u23CE"),
+            import_chalk14.default.bold.cyan("\u23CE"),
             " ",
-            import_chalk12.default.dim("expand"),
+            import_chalk14.default.dim("expand"),
             "   ",
-            import_chalk12.default.bold.cyan("/"),
+            import_chalk14.default.bold.cyan("/"),
             " ",
-            import_chalk12.default.dim("search"),
+            import_chalk14.default.dim("search"),
             "   ",
-            import_chalk12.default.bold.cyan("l"),
+            import_chalk14.default.bold.cyan("l"),
             " ",
-            import_chalk12.default.dim("licenses"),
+            import_chalk14.default.dim("licenses"),
             "   ",
-            import_chalk12.default.bold.cyan("e"),
+            import_chalk14.default.bold.cyan("e"),
             " ",
-            import_chalk12.default.dim("export"),
+            import_chalk14.default.dim("export"),
             "   ",
             onBack && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(import_jsx_runtime11.Fragment, { children: [
-              import_chalk12.default.bold.cyan("b"),
+              import_chalk14.default.bold.cyan("b"),
               " ",
-              import_chalk12.default.dim("back"),
+              import_chalk14.default.dim("back"),
               "   "
             ] }),
-            import_chalk12.default.bold.cyan("q"),
+            import_chalk14.default.bold.cyan("q"),
             " ",
-            import_chalk12.default.dim("quit"),
+            import_chalk14.default.dim("quit"),
             exportMsg && /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(import_jsx_runtime11.Fragment, { children: [
               "   ",
-              import_chalk12.default.green(exportMsg)
+              import_chalk14.default.green(exportMsg)
             ] })
           ] }) : /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(import_jsx_runtime11.Fragment, { children: [
             "Press ",
-            import_chalk12.default.bold.cyan("q"),
+            import_chalk14.default.bold.cyan("q"),
             " or ",
-            import_chalk12.default.bold.cyan("Enter"),
+            import_chalk14.default.bold.cyan("Enter"),
             " ",
-            import_chalk12.default.dim("to exit")
+            import_chalk14.default.dim("to exit")
           ] })
         ] })
       ] });
     };
     T = {
-      branch: import_chalk12.default.dim("\u251C\u2500\u2500"),
-      last: import_chalk12.default.dim("\u2514\u2500\u2500"),
-      pipe: import_chalk12.default.dim("\u2502"),
+      branch: import_chalk14.default.dim("\u251C\u2500\u2500"),
+      last: import_chalk14.default.dim("\u2514\u2500\u2500"),
+      pipe: import_chalk14.default.dim("\u2502"),
       blank: " "
     };
     LICENSE_DESCRIPTIONS = {
@@ -95816,9 +96856,9 @@ var init_InteractiveResultsView = __esm({
           /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { dimColor: true, children: [
             hasAffects ? T.branch : T.last,
             " ",
-            import_chalk12.default.yellow("\u2192"),
+            import_chalk14.default.yellow("\u2192"),
             " ",
-            import_chalk12.default.yellow("Upgrade to Pro"),
+            import_chalk14.default.yellow("Upgrade to Pro"),
             " for finding details"
           ] }, "upgrade")
         );
@@ -95836,7 +96876,7 @@ var init_InteractiveResultsView = __esm({
               " ",
               sevColor(pad2(sevLabel, 5)),
               " ",
-              import_chalk12.default.dim(f.category ?? ""),
+              import_chalk14.default.dim(f.category ?? ""),
               title
             ] }, `finding-${idx}`)
           );
@@ -95882,12 +96922,12 @@ function getHint(error2) {
       return null;
   }
 }
-var import_chalk13, import_jsx_runtime12, ErrorView;
+var import_chalk15, import_jsx_runtime12, ErrorView;
 var init_ErrorView = __esm({
   async "src/ui/components/ErrorView.tsx"() {
     "use strict";
     await init_build2();
-    import_chalk13 = __toESM(require_source());
+    import_chalk15 = __toESM(require_source());
     init_sanitize();
     import_jsx_runtime12 = __toESM(require_jsx_runtime());
     ErrorView = ({ error: error2 }) => {
@@ -95901,10 +96941,10 @@ var init_ErrorView = __esm({
           paddingLeft: 1,
           paddingRight: 1,
           children: [
-            /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Text, { children: import_chalk13.default.red.bold("\u2718 Error") }),
+            /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Text, { children: import_chalk15.default.red.bold("\u2718 Error") }),
             /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(Text, { children: sanitize(error2.message) }),
             hint && /* @__PURE__ */ (0, import_jsx_runtime12.jsxs)(Text, { children: [
-              import_chalk13.default.yellow("\u2192"),
+              import_chalk15.default.yellow("\u2192"),
               " ",
               hint
             ] })
@@ -95916,13 +96956,13 @@ var init_ErrorView = __esm({
 });
 
 // src/ui/components/ProjectSelector.tsx
-var import_react35, import_chalk14, import_jsx_runtime13, ProjectSelector;
+var import_react35, import_chalk16, import_jsx_runtime13, ProjectSelector;
 var init_ProjectSelector = __esm({
   async "src/ui/components/ProjectSelector.tsx"() {
     "use strict";
     import_react35 = __toESM(require_react());
     await init_build2();
-    import_chalk14 = __toESM(require_source());
+    import_chalk16 = __toESM(require_source());
     init_sanitize();
     import_jsx_runtime13 = __toESM(require_jsx_runtime());
     ProjectSelector = ({ projects, onConfirm, onCancel, userStatus }) => {
@@ -95952,14 +96992,14 @@ var init_ProjectSelector = __esm({
           onCancel();
         }
       });
-      const ecosystemLabel = (eco) => eco === "npm" ? import_chalk14.default.magenta("npm") : import_chalk14.default.blue("pip");
+      const ecosystemLabel = (eco) => eco === "npm" ? import_chalk16.default.magenta("npm") : import_chalk16.default.blue("pip");
       return /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(Box_default, { flexDirection: "column", paddingLeft: 1, children: [
         /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(Text, { children: [
-          import_chalk14.default.cyan("\u25C6"),
+          import_chalk16.default.cyan("\u25C6"),
           " ",
-          import_chalk14.default.bold("Dependency Guardian"),
+          import_chalk16.default.bold("Dependency Guardian"),
           "  ",
-          userStatus ? import_chalk14.default.dim(userStatus) : ""
+          userStatus ? import_chalk16.default.dim(userStatus) : ""
         ] }),
         /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { children: "" }),
         /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(Text, { bold: true, children: [
@@ -95972,30 +97012,30 @@ var init_ProjectSelector = __esm({
         projects.map((proj, i) => {
           const isCursor = i === cursor;
           const isSelected = selected.has(i);
-          const prefix = isCursor ? import_chalk14.default.cyan("\u258C") : " ";
-          const check = isSelected ? import_chalk14.default.green("\u25C9") : import_chalk14.default.dim("\u25CB");
+          const prefix = isCursor ? import_chalk16.default.cyan("\u258C") : " ";
+          const check = isSelected ? import_chalk16.default.green("\u25C9") : import_chalk16.default.dim("\u25CB");
           const line = `${prefix}${check}  ${sanitize(proj.relativePath).padEnd(40)} ${ecosystemLabel(proj.ecosystem).padEnd(5)} ${proj.packageCount} packages`;
           return /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { backgroundColor: isCursor ? "#1a1a2e" : void 0, children: line }, i);
         }),
         /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { children: "" }),
-        /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { dimColor: true, children: selected.size === 0 ? import_chalk14.default.yellow("Select at least 1 project to scan") : `${selected.size} of ${projects.length} selected` }),
+        /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { dimColor: true, children: selected.size === 0 ? import_chalk16.default.yellow("Select at least 1 project to scan") : `${selected.size} of ${projects.length} selected` }),
         /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { children: "" }),
         /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(Text, { children: [
-          import_chalk14.default.bold.cyan("space"),
+          import_chalk16.default.bold.cyan("space"),
           " ",
-          import_chalk14.default.dim("toggle"),
+          import_chalk16.default.dim("toggle"),
           "   ",
-          import_chalk14.default.bold.cyan("a"),
+          import_chalk16.default.bold.cyan("a"),
           " ",
-          import_chalk14.default.dim("all"),
+          import_chalk16.default.dim("all"),
           "   ",
-          import_chalk14.default.bold.hex("#FFD700")("\u23CE"),
+          import_chalk16.default.bold.hex("#FFD700")("\u23CE"),
           " ",
-          import_chalk14.default.bold.hex("#FFD700")("scan"),
+          import_chalk16.default.bold.hex("#FFD700")("scan"),
           "   ",
-          import_chalk14.default.bold.cyan("q"),
+          import_chalk16.default.bold.cyan("q"),
           " ",
-          import_chalk14.default.dim("quit")
+          import_chalk16.default.dim("quit")
         ] })
       ] });
     };
@@ -96339,9 +97379,9 @@ function useInstallWrapper(rawArgs, config3, opts, exit) {
         const result = await opts.callAnalyze(resolved, config3);
         if (result.action === "pass") {
           if (exit) exit();
-          const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+          const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
           process.stderr.write(
-            chalk15.green(`  \u2713 ${resolved.length} package${resolved.length !== 1 ? "s" : ""} scanned \u2014 all clear
+            chalk17.green(`  \u2713 ${resolved.length} package${resolved.length !== 1 ? "s" : ""} scanned \u2014 all clear
 `)
           );
           process.stderr.write("\n");
@@ -96352,8 +97392,8 @@ function useInstallWrapper(rawArgs, config3, opts, exit) {
         if (result.action === "warn") {
           if (exit) exit();
           process.stdout.write(renderResultStatic(result, config3) + "\n");
-          const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-          process.stderr.write(chalk15.yellow("  Warnings detected. Proceeding with install.\n\n"));
+          const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+          process.stderr.write(chalk17.yellow("  Warnings detected. Proceeding with install.\n\n"));
           const code = await opts.runInstall(parsed.rawArgs);
           process.exit(code);
           return;
@@ -96466,16 +97506,16 @@ function groupPackages3(packages) {
   return [...map.values()].map((pkgs) => ({ packages: pkgs, key: pkgs[0].name })).sort((a, b) => b.packages[0].score - a.packages[0].score);
 }
 function severityColor(sev) {
-  if (sev >= 5) return (s) => import_chalk15.default.bold.red(s);
-  if (sev >= 4) return import_chalk15.default.magenta;
-  if (sev >= 3) return import_chalk15.default.yellow;
-  if (sev >= 2) return import_chalk15.default.dim;
-  return import_chalk15.default.dim;
+  if (sev >= 5) return (s) => import_chalk17.default.bold.red(s);
+  if (sev >= 4) return import_chalk17.default.magenta;
+  if (sev >= 3) return import_chalk17.default.yellow;
+  if (sev >= 2) return import_chalk17.default.dim;
+  return import_chalk17.default.dim;
 }
 function actionBadge3(score) {
-  if (score >= 70) return { label: "BLOCK", color: import_chalk15.default.red };
-  if (score >= 60) return { label: "WARN", color: import_chalk15.default.yellow };
-  return { label: "PASS", color: import_chalk15.default.green };
+  if (score >= 70) return { label: "BLOCK", color: import_chalk17.default.red };
+  if (score >= 60) return { label: "WARN", color: import_chalk17.default.yellow };
+  return { label: "PASS", color: import_chalk17.default.green };
 }
 function truncate4(s, max) {
   return s.length <= max ? s : s.slice(0, max - 1) + "\u2026";
@@ -96483,12 +97523,12 @@ function truncate4(s, max) {
 function pad3(s, len) {
   return s + " ".repeat(Math.max(0, len - s.length));
 }
-var import_chalk15, import_jsx_runtime17, SEVERITY_LABELS2, EVIDENCE_LIMIT2, ResultsView;
+var import_chalk17, import_jsx_runtime17, SEVERITY_LABELS2, EVIDENCE_LIMIT2, ResultsView;
 var init_ResultsView = __esm({
   async "src/ui/components/ResultsView.tsx"() {
     "use strict";
     await init_build2();
-    import_chalk15 = __toESM(require_source());
+    import_chalk17 = __toESM(require_source());
     await init_ScoreHeader();
     await init_DurationLine();
     import_jsx_runtime17 = __toESM(require_jsx_runtime());
@@ -96514,15 +97554,15 @@ var init_ResultsView = __esm({
         /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(ScoreHeader, { score: result.score, action: result.action }),
         /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Newline, {}),
         /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { children: [
-          import_chalk15.default.dim(`${total} package${total !== 1 ? "s" : ""} scanned`),
+          import_chalk17.default.dim(`${total} package${total !== 1 ? "s" : ""} scanned`),
           flagged.length > 0 ? /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(import_jsx_runtime17.Fragment, { children: [
             "    ",
-            import_chalk15.default.yellow(`${flagged.length} flagged`),
+            import_chalk17.default.yellow(`${flagged.length} flagged`),
             "    ",
-            import_chalk15.default.green(`${clean.length} clean`)
+            import_chalk17.default.green(`${clean.length} clean`)
           ] }) : /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(import_jsx_runtime17.Fragment, { children: [
             "    ",
-            import_chalk15.default.green("all clean")
+            import_chalk17.default.green("all clean")
           ] })
         ] }),
         /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Newline, {}),
@@ -96536,18 +97576,18 @@ var init_ResultsView = __esm({
             return /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { children: [
               "  ",
               color(pad3(label, 7)),
-              import_chalk15.default.bold(pad3(truncate4(names, 50), 52)),
-              import_chalk15.default.dim(`score ${rep.score}`)
+              import_chalk17.default.bold(pad3(truncate4(names, 50), 52)),
+              import_chalk17.default.dim(`score ${rep.score}`)
             ] }, group.key);
           }),
           /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Newline, {})
         ] }),
         clean.length > 0 && /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { children: [
-          import_chalk15.default.green("\u2713"),
+          import_chalk17.default.green("\u2713"),
           " ",
-          import_chalk15.default.green.bold(String(clean.length)),
+          import_chalk17.default.green.bold(String(clean.length)),
           " ",
-          import_chalk15.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`)
+          import_chalk17.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`)
         ] }),
         /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Newline, {}),
         groups.filter((g) => g.packages[0].score > 0).map((group) => {
@@ -96557,9 +97597,9 @@ var init_ResultsView = __esm({
           const safeVersion = result.safeVersions[rep.name];
           return /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Box_default, { flexDirection: "column", children: [
             /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { children: [
-              import_chalk15.default.dim("\u2500\u2500"),
+              import_chalk17.default.dim("\u2500\u2500"),
               " ",
-              import_chalk15.default.bold(`${names} (score: ${rep.score})`)
+              import_chalk17.default.bold(`${names} (score: ${rep.score})`)
             ] }),
             group.packages.length > 3 && /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { dimColor: true, children: [
               "   Affects: ",
@@ -96581,18 +97621,18 @@ var init_ResultsView = __esm({
                 ] }),
                 evidenceSlice.map((ev, i) => /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { children: [
                   "              ",
-                  import_chalk15.default.dim(truncate4(ev, 76))
+                  import_chalk17.default.dim(truncate4(ev, 76))
                 ] }, i)),
                 overflow > 0 && /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { children: [
                   "              ",
-                  import_chalk15.default.dim(`... and ${overflow} more`)
+                  import_chalk17.default.dim(`... and ${overflow} more`)
                 ] }),
                 /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { children: " " })
               ] }, idx);
             }),
             safeVersion && /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { children: [
               "  ",
-              import_chalk15.default.green(`Safe version: ${rep.name}@${safeVersion}`)
+              import_chalk17.default.green(`Safe version: ${rep.name}@${safeVersion}`)
             ] }),
             /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Newline, {})
           ] }, group.key);
@@ -96605,13 +97645,13 @@ var init_ResultsView = __esm({
 });
 
 // src/ui/components/ConfirmPrompt.tsx
-var import_chalk16, import_jsx_runtime18, ConfirmPrompt;
+var import_chalk18, import_jsx_runtime18, ConfirmPrompt;
 var init_ConfirmPrompt = __esm({
   async "src/ui/components/ConfirmPrompt.tsx"() {
     "use strict";
     await init_build2();
     await init_build2();
-    import_chalk16 = __toESM(require_source());
+    import_chalk18 = __toESM(require_source());
     import_jsx_runtime18 = __toESM(require_jsx_runtime());
     ConfirmPrompt = ({
       message,
@@ -96627,15 +97667,15 @@ var init_ConfirmPrompt = __esm({
       });
       return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Box_default, { flexDirection: "column", children: [
         /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { children: [
-          import_chalk16.default.red.bold("\u26A0"),
+          import_chalk18.default.red.bold("\u26A0"),
           " ",
-          import_chalk16.default.bold(message)
+          import_chalk18.default.bold(message)
         ] }),
         /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { children: [
           "Install anyway? [",
-          import_chalk16.default.bold.green("y"),
+          import_chalk18.default.bold.green("y"),
           "es / ",
-          import_chalk16.default.bold.red("N"),
+          import_chalk18.default.bold.red("N"),
           "o]"
         ] })
       ] });
@@ -97022,10 +98062,272 @@ function closestCommand(input, commands) {
   return bestDist <= 3 ? best : null;
 }
 
+// src/migrate.ts
+init_paths();
+import {
+  existsSync as existsSync6,
+  mkdirSync as mkdirSync3,
+  readFileSync as readFileSync6,
+  writeFileSync as writeFileSync4,
+  copyFileSync,
+  unlinkSync as unlinkSync2,
+  rmSync as rmSync2,
+  chmodSync as chmodSync2,
+  statSync,
+  openSync as openSync2,
+  closeSync as closeSync2,
+  constants as fsConstants2
+} from "node:fs";
+import { dirname as dirname6 } from "node:path";
+var README = `dependency-guardian \u2014 local state for the dg CLI.
+
+  config.json          your account + preferences (mode 0600)
+  cache/scans.sqlite   24h package-scan cache
+  cache/update-check.json  latest-version probe (24h TTL)
+  cache/routing-hint.json  scan-routing hint
+  state/aliases.sh         optional shell aliases (npm/pip wrappers)
+  state/trial-banner       throttle stamp for the trial nudge
+  state/hooks-installed.json  registry of git hooks dg installed
+
+To remove everything dg has written to your machine, run:
+  dg uninstall
+
+This directory is created and managed by the dg CLI. Safe to delete.
+`;
+function ensureDir(path3, mode) {
+  if (!existsSync6(path3)) {
+    mkdirSync3(path3, { recursive: true, mode });
+  }
+  try {
+    chmodSync2(path3, mode);
+  } catch {
+  }
+}
+function moveFile(from, to, mode) {
+  const parent = dirname6(to);
+  ensureDir(parent, 448);
+  copyFileSync(from, to);
+  try {
+    chmodSync2(to, mode);
+  } catch {
+  }
+  if (statSync(to).size !== statSync(from).size) {
+    throw new Error(`size mismatch after copy: ${from} -> ${to}`);
+  }
+  unlinkSync2(from);
+}
+function isPidAlive(pid) {
+  if (!Number.isInteger(pid) || pid <= 0) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (e) {
+    const code = e.code;
+    return code === "EPERM";
+  }
+}
+var LOCK_STALE_MS = 6e4;
+function acquireLock(lockPath) {
+  ensureDir(dirname6(lockPath), 448);
+  if (existsSync6(lockPath)) {
+    let stale = false;
+    try {
+      const raw = readFileSync6(lockPath, "utf-8").trim();
+      const data = JSON.parse(raw);
+      const age = Date.now() - (data.at ?? 0);
+      const dead = !isPidAlive(data.pid ?? 0);
+      stale = dead || age > LOCK_STALE_MS;
+    } catch {
+      stale = true;
+    }
+    if (!stale) return "held";
+    try {
+      unlinkSync2(lockPath);
+    } catch {
+    }
+  }
+  let fd;
+  try {
+    fd = openSync2(lockPath, fsConstants2.O_CREAT | fsConstants2.O_EXCL | fsConstants2.O_WRONLY, 384);
+  } catch {
+    return "stale-held";
+  }
+  try {
+    writeFileSync4(lockPath, JSON.stringify({ pid: process.pid, at: Date.now() }) + "\n");
+  } catch {
+  }
+  return { fd, lockPath };
+}
+function releaseLock(state) {
+  if (state.fd !== null) {
+    try {
+      closeSync2(state.fd);
+    } catch {
+    }
+  }
+  try {
+    unlinkSync2(state.lockPath);
+  } catch {
+  }
+}
+function rollback(moves) {
+  for (const m of moves) {
+    try {
+      if (existsSync6(m.to) && !existsSync6(m.from)) {
+        copyFileSync(m.to, m.from);
+        unlinkSync2(m.to);
+      }
+    } catch {
+    }
+  }
+}
+function detectLegacy() {
+  const legacy = legacyPaths();
+  return existsSync6(legacy.dgrc) || existsSync6(legacy.cacheSqlite) || existsSync6(legacy.routingHint) || existsSync6(legacy.updateCheck) || existsSync6(legacy.trialBannerOld) || existsSync6(legacy.aliasesShOld) || existsSync6(legacy.depGuardianDir);
+}
+function validateLegacyConfig(path3) {
+  let raw;
+  try {
+    const st = statSync(path3);
+    if (!st.isFile()) return { ok: false, reason: "not a regular file" };
+    if (st.size > 1e6) return { ok: false, reason: `file too large (${st.size} bytes)` };
+    raw = readFileSync6(path3, "utf-8");
+  } catch (e) {
+    return { ok: false, reason: e.message };
+  }
+  let parsed;
+  try {
+    const stripped = raw.charCodeAt(0) === 65279 ? raw.slice(1) : raw;
+    parsed = JSON.parse(stripped);
+  } catch (e) {
+    return { ok: false, reason: `invalid JSON: ${e.message}` };
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    return { ok: false, reason: "config root is not an object" };
+  }
+  return { ok: true, data: parsed };
+}
+function runMigrationIfNeeded() {
+  const p = dgPaths();
+  if (existsSync6(p.migrationBreadcrumb)) {
+    return { status: "no-op" };
+  }
+  if (!detectLegacy()) {
+    return { status: "no-op" };
+  }
+  ensureDir(p.root, 448);
+  const lock = acquireLock(p.migrationLock);
+  if (lock === "held" || lock === "stale-held") {
+    return { status: "skipped", reason: "another dg process is migrating" };
+  }
+  const legacy = legacyPaths();
+  const moves = [];
+  let movedCount = 0;
+  try {
+    if (existsSync6(legacy.dgrc)) {
+      const validation = validateLegacyConfig(legacy.dgrc);
+      if (!validation.ok) {
+        releaseLock(lock);
+        return {
+          status: "failed",
+          reason: `~/.dgrc.json could not be read (${validation.reason}). Fix or remove the file and re-run dg.`
+        };
+      }
+      ensureDir(p.configDir, 448);
+      writeFileSync4(p.config, JSON.stringify(validation.data, null, 2) + "\n", { mode: 384 });
+      try {
+        chmodSync2(p.config, 384);
+      } catch {
+      }
+      try {
+        unlinkSync2(legacy.dgrc);
+      } catch {
+      }
+      moves.push({ from: legacy.dgrc, to: p.config });
+      movedCount++;
+    }
+    ensureDir(p.cacheDir, 448);
+    if (existsSync6(legacy.cacheSqlite)) {
+      moveFile(legacy.cacheSqlite, p.cacheSqlite, 384);
+      moves.push({ from: legacy.cacheSqlite, to: p.cacheSqlite });
+      movedCount++;
+    }
+    if (existsSync6(legacy.routingHint)) {
+      moveFile(legacy.routingHint, p.routingHint, 384);
+      moves.push({ from: legacy.routingHint, to: p.routingHint });
+      movedCount++;
+    }
+    if (existsSync6(legacy.updateCheck)) {
+      moveFile(legacy.updateCheck, p.updateCheck, 384);
+      moves.push({ from: legacy.updateCheck, to: p.updateCheck });
+      movedCount++;
+    }
+    ensureDir(p.stateDir, 448);
+    if (existsSync6(legacy.trialBannerOld)) {
+      moveFile(legacy.trialBannerOld, p.trialBanner, 384);
+      moves.push({ from: legacy.trialBannerOld, to: p.trialBanner });
+      movedCount++;
+    }
+    if (existsSync6(legacy.aliasesShOld)) {
+      moveFile(legacy.aliasesShOld, p.aliasesSh, 420);
+      moves.push({ from: legacy.aliasesShOld, to: p.aliasesSh });
+      movedCount++;
+    }
+    if (existsSync6(legacy.depGuardianDir) && legacy.depGuardianDir !== p.root) {
+      const candidates = [
+        { from: join(legacy.depGuardianDir, "config.json"), to: p.config, mode: 384 },
+        { from: join(legacy.depGuardianDir, "cache", "scans.sqlite"), to: p.cacheSqlite, mode: 384 },
+        { from: join(legacy.depGuardianDir, "cache", "update-check.json"), to: p.updateCheck, mode: 384 },
+        { from: join(legacy.depGuardianDir, "cache", "routing-hint.json"), to: p.routingHint, mode: 384 },
+        { from: join(legacy.depGuardianDir, "state", "aliases.sh"), to: p.aliasesSh, mode: 420 },
+        { from: join(legacy.depGuardianDir, "state", "trial-banner"), to: p.trialBanner, mode: 384 },
+        { from: join(legacy.depGuardianDir, "state", "hooks-installed.json"), to: p.hooksRegistry, mode: 384 },
+        { from: join(legacy.depGuardianDir, "last-trial-banner"), to: p.trialBanner, mode: 384 },
+        { from: join(legacy.depGuardianDir, "aliases.sh"), to: p.aliasesSh, mode: 420 }
+      ];
+      for (const c of candidates) {
+        if (existsSync6(c.from) && !existsSync6(c.to)) {
+          moveFile(c.from, c.to, c.mode);
+          moves.push({ from: c.from, to: c.to });
+          movedCount++;
+        }
+      }
+      try {
+        rmSync2(legacy.depGuardianDir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+    try {
+      if (existsSync6(legacy.cacheDir) && legacy.cacheDir !== p.root) {
+        rmSync2(legacy.cacheDir, { recursive: true, force: true });
+      }
+    } catch {
+    }
+    try {
+      writeFileSync4(p.readme, README, { mode: 420 });
+    } catch {
+    }
+    writeFileSync4(p.migrationBreadcrumb, (/* @__PURE__ */ new Date()).toISOString() + "\n", { mode: 384 });
+    releaseLock(lock);
+    if (process.stderr.isTTY) {
+      process.stderr.write(
+        `dg: reorganized local state into ${p.root} (one-time, ${movedCount} file${movedCount === 1 ? "" : "s"}; see README inside).
+`
+      );
+    }
+    return { status: "migrated", movedCount };
+  } catch (e) {
+    rollback(moves);
+    releaseLock(lock);
+    return { status: "failed", reason: e.message };
+  }
+}
+
 // src/bin.ts
 init_alt_screen();
 var CLI_VERSION = getVersion();
 initTelemetry(CLI_VERSION);
+runMigrationIfNeeded();
 function setProcessTitle(title) {
   try {
     process.title = title;
@@ -97053,8 +98355,8 @@ var isInteractive = process.stdout.isTTY === true && !process.env.CI && !process
 async function main() {
   const rawCommand = process.argv[2];
   if (!rawCommand || rawCommand === "help" || rawCommand === "--help" || rawCommand === "-h") {
-    const { USAGE: USAGE4 } = await Promise.resolve().then(() => (init_config(), config_exports));
-    process.stdout.write(USAGE4);
+    const { USAGE: USAGE6 } = await Promise.resolve().then(() => (init_config(), config_exports));
+    process.stdout.write(USAGE6);
     return;
   }
   if (rawCommand === "--help-all" || rawCommand === "help-all") {
@@ -97067,15 +98369,15 @@ async function main() {
 `);
     return;
   }
-  const KNOWN_COMMANDS = ["scan", "npm", "pip", "wrap", "login", "logout", "status", "hook", "update", "kitty", "help", "version", "protect", "publish-check", "cleanup"];
+  const KNOWN_COMMANDS = ["init", "scan", "npm", "pip", "wrap", "login", "logout", "status", "hook", "update", "kitty", "help", "version", "protect", "publish-check", "cleanup", "uninstall"];
   if (rawCommand && !rawCommand.startsWith("-") && !KNOWN_COMMANDS.includes(rawCommand)) {
-    const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
     const best = closestCommand(rawCommand, KNOWN_COMMANDS);
     const hint = best ? ` Did you mean '${best}'?` : "";
     process.stderr.write(`
-  ${chalk15.bold.red("Error:")} Unknown command '${rawCommand}'.${hint}
+  ${chalk17.bold.red("Error:")} Unknown command '${rawCommand}'.${hint}
 `);
-    process.stderr.write(chalk15.dim(`  Run 'dg --help' for available commands.
+    process.stderr.write(chalk17.dim(`  Run 'dg --help' for available commands.
 
 `));
     process.exit(1);
@@ -97111,16 +98413,16 @@ async function main() {
         } catch {
         }
       } else {
-        const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+        const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
         process.stderr.write(
-          chalk15.dim(
+          chalk17.dim(
             "  note: --fresh skipped marking the first-run sentinel.\n  The next dg command will re-trigger the wizard.\n\n"
           )
         );
       }
     } else {
-      const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-      process.stderr.write(chalk15.yellow("  dg kitty needs an interactive terminal.\n"));
+      const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      process.stderr.write(chalk17.yellow("  dg kitty needs an interactive terminal.\n"));
     }
     return;
   }
@@ -97168,11 +98470,11 @@ async function main() {
       if (v === "npm" || v === "pypi") ecosystem = v;
     }
     const { runNpmPublishCheck: runNpmPublishCheck2, runPypiPublishCheck: runPypiPublishCheck2, renderPublishCheckResult: renderPublishCheckResult2 } = await Promise.resolve().then(() => (init_publish_check(), publish_check_exports));
-    const { existsSync: existsSync16 } = await import("node:fs");
-    const { join: join18 } = await import("node:path");
+    const { existsSync: existsSync21 } = await import("node:fs");
+    const { join: join16 } = await import("node:path");
     if (ecosystem === "auto") {
-      if (existsSync16(join18(process.cwd(), "package.json"))) ecosystem = "npm";
-      else if (existsSync16(join18(process.cwd(), "pyproject.toml")) || existsSync16(join18(process.cwd(), "setup.py"))) ecosystem = "pypi";
+      if (existsSync21(join16(process.cwd(), "package.json"))) ecosystem = "npm";
+      else if (existsSync21(join16(process.cwd(), "pyproject.toml")) || existsSync21(join16(process.cwd(), "setup.py"))) ecosystem = "pypi";
       else {
         process.stderr.write("\n  publish-check: no package.json, pyproject.toml, or setup.py in current directory.\n  Pass --ecosystem npm|pypi explicitly if your project layout differs.\n\n");
         process.exit(3);
@@ -97183,9 +98485,9 @@ async function main() {
       if (wantJson) {
         process.stdout.write(JSON.stringify({ ok: false, error: out.errorMessage }) + "\n");
       } else {
-        const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+        const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
         process.stderr.write(`
-  ${chalk15.red("publish-check error:")} ${out.errorMessage}
+  ${chalk17.red("publish-check error:")} ${out.errorMessage}
 
 `);
       }
@@ -97227,8 +98529,8 @@ async function main() {
     await handleHookCommand2(process.argv.slice(3));
     const updateMsg2 = await updatePromise2;
     if (updateMsg2) {
-      const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-      process.stderr.write(chalk15.dim(updateMsg2));
+      const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      process.stderr.write(chalk17.dim(updateMsg2));
     }
     return;
   }
@@ -97241,9 +98543,21 @@ async function main() {
     const code = await handleCleanupCommand2(process.argv.slice(3));
     process.exit(code);
   }
+  if (rawCommand === "uninstall") {
+    const { handleUninstallCommand: handleUninstallCommand2 } = await Promise.resolve().then(() => (init_uninstall(), uninstall_exports));
+    const code = await handleUninstallCommand2(process.argv.slice(3));
+    process.exit(code);
+  }
+  if (rawCommand === "init") {
+    const { gateOrExit: gateOrExit2 } = await Promise.resolve().then(() => (init_terms_gate(), terms_gate_exports));
+    await gateOrExit2();
+    const { handleInitCommand: handleInitCommand2 } = await Promise.resolve().then(() => (init_init(), init_exports3));
+    const code = await handleInitCommand2(process.argv.slice(3));
+    process.exit(code);
+  }
   if (rawCommand === "logout") {
     const { getStoredApiKey: getStoredApiKey2, clearCredentials: clearCredentials2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
-    const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
     const apiKey = getStoredApiKey2();
     if (apiKey) {
       const { parseConfig: parseConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
@@ -97258,7 +98572,7 @@ async function main() {
       }
     }
     clearCredentials2();
-    process.stderr.write(chalk15.green("  Logged out.\n"));
+    process.stderr.write(chalk17.green("  Logged out.\n"));
     return;
   }
   const strictFlags = rawCommand !== "npm" && rawCommand !== "pip";
@@ -97282,8 +98596,8 @@ async function main() {
       await runStatic2(config3);
     } else {
       if (config3.mode === "off") {
-        const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-        process.stderr.write(chalk15.dim("  Dependency Guardian: mode is off \u2014 skipping.\n"));
+        const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+        process.stderr.write(chalk17.dim("  Dependency Guardian: mode is off \u2014 skipping.\n"));
         process.exit(0);
       }
       const { getStoredApiKey: getStoredApiKey2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
@@ -97297,11 +98611,11 @@ async function main() {
             signal: AbortSignal.timeout(3e3)
           });
           if (resp.ok) {
-            const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+            const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
             const data = await resp.json();
             const name = data.name || "authenticated";
             const tier = data.tier || "free";
-            const tierColor = tier === "free" ? chalk15.yellow(tier) : chalk15.green(tier);
+            const tierColor = tier === "free" ? chalk17.yellow(tier) : chalk17.green(tier);
             userStatus = `${name} \xB7 ${tierColor}`;
             if (data.scansLimit === null || data.scansLimit === void 0) {
               scanUsage = "unlimited scans";
@@ -97337,8 +98651,8 @@ async function main() {
     }
     const updateMsg2 = await updatePromise;
     if (updateMsg2) {
-      const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-      process.stderr.write(chalk15.dim(updateMsg2));
+      const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      process.stderr.write(chalk17.dim(updateMsg2));
     }
     try {
       const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
@@ -97357,8 +98671,8 @@ async function main() {
     }
     const updateMsg2 = await updatePromise;
     if (updateMsg2) {
-      const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-      process.stderr.write(chalk15.dim(updateMsg2));
+      const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      process.stderr.write(chalk17.dim(updateMsg2));
     }
     try {
       const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
@@ -97384,8 +98698,8 @@ async function main() {
   }
   const updateMsg = await updatePromise;
   if (updateMsg) {
-    const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-    process.stderr.write(chalk15.dim(updateMsg));
+    const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    process.stderr.write(chalk17.dim(updateMsg));
   }
   try {
     const { pingSetupEvent: pingSetupEvent2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
@@ -97409,8 +98723,8 @@ main().catch(async (err) => {
       authenticated: isAuthed
     });
     await flush2();
-    const chalk15 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
-    const color = err.securityRelease ? chalk15.bold.red : chalk15.yellow;
+    const chalk17 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    const color = err.securityRelease ? chalk17.bold.red : chalk17.yellow;
     if (process.argv.includes("--json")) {
       process.stdout.write(JSON.stringify({
         error: true,