@westbayberry/dg 1.1.2 → 1.1.4

package/dist/index.mjs

@@ -1649,7 +1649,7 @@ function initTelemetry(version) {
   });
 }
 function redact(s) {
-  return s.replace(/dg_(?:live|test)_[A-Za-z0-9_-]{3,}/gi, "[DG_KEY_REDACTED]").replace(/\/Users\/[^\s:]+/g, "[USER_PATH]").replace(/\/home\/[^\s:]+/g, "[USER_PATH]").replace(/C:\\Users\\[^\s:]+/g, "[USER_PATH]").replace(/Bearer [^\s]+/g, "Bearer [REDACTED]");
+  return s.replace(/(--token(?:=|\s+))\S+/gi, "$1[REDACTED]").replace(/dg_(?:live|test)_[A-Za-z0-9_-]{3,}/gi, "[DG_KEY_REDACTED]").replace(/\/Users\/[^\s:]+/g, "[USER_PATH]").replace(/\/home\/[^\s:]+/g, "[USER_PATH]").replace(/C:\\Users\\[^\s:]+/g, "[USER_PATH]").replace(/Bearer [^\s]+/g, "Bearer [REDACTED]");
 }
 function suppressNudge() {
   return !telemetryEnabled();
@@ -1669,7 +1669,7 @@ function trimStack(raw, debug) {
 }
 function buildIssueUrl(error, ctx) {
   const msg = redact(error.message || error.name || "Unknown error").slice(0, 120);
-  const cmd = process.argv.slice(2).join(" ") || "(none)";
+  const cmd = redact(process.argv.slice(2).join(" ")) || "(none)";
   const stack = trimStack(error.stack, false).join("\n");
   const body = [
     "**dg crashed**",
@@ -1730,7 +1730,7 @@ function captureError(error, context) {
       process.exitCode = 1;
       return;
     }
-    const cmd = process.argv.slice(2).join(" ") || "(none)";
+    const cmd = redact(process.argv.slice(2).join(" ")) || "(none)";
     process.stderr.write("\n" + chalk18.dim(SEPARATOR) + "\n\n");
     process.stderr.write(
       "  " + chalk18.red.bold("\u2718 dg crashed: ") + chalk18.red(redact(err.message || err.name)) + "\n\n"
@@ -1801,70 +1801,50 @@ __export(paths_exports, {
   dgCachePath: () => dgCachePath,
   dgConfigDir: () => dgConfigDir,
   dgConfigPath: () => dgConfigPath,
-  dgMigrationBreadcrumb: () => dgMigrationBreadcrumb,
-  dgMigrationLock: () => dgMigrationLock,
   dgPaths: () => dgPaths,
   dgReadme: () => dgReadme,
   dgRoot: () => dgRoot,
   dgStateDir: () => dgStateDir,
-  dgStatePath: () => dgStatePath,
-  legacyPaths: () => legacyPaths
+  dgStatePath: () => dgStatePath
 });
 import { homedir } from "node:os";
-import { join as join2, isAbsolute } from "node:path";
+import { join, isAbsolute } from "node:path";
 function safeAbsolute(p, fallback) {
   if (!p || typeof p !== "string") return fallback;
   if (!isAbsolute(p)) return fallback;
   return p;
 }
 function dgRoot() {
-  return join2(homedir(), `.${ROOT_DIR_NAME}`);
+  return join(homedir(), `.${ROOT_DIR_NAME}`);
 }
 function dgConfigDir() {
   const xdg = safeAbsolute(process.env.XDG_CONFIG_HOME, "");
-  if (xdg) return join2(xdg, ROOT_DIR_NAME);
+  if (xdg) return join(xdg, ROOT_DIR_NAME);
   return dgRoot();
 }
 function dgCacheDir() {
   const explicit = safeAbsolute(process.env.DG_CACHE_DIR, "");
   if (explicit) return explicit;
   const xdg = safeAbsolute(process.env.XDG_CACHE_HOME, "");
-  if (xdg) return join2(xdg, ROOT_DIR_NAME);
-  return join2(dgRoot(), "cache");
+  if (xdg) return join(xdg, ROOT_DIR_NAME);
+  return join(dgRoot(), "cache");
 }
 function dgStateDir() {
   const xdg = safeAbsolute(process.env.XDG_STATE_HOME, "");
-  if (xdg) return join2(xdg, ROOT_DIR_NAME);
-  return join2(dgRoot(), "state");
+  if (xdg) return join(xdg, ROOT_DIR_NAME);
+  return join(dgRoot(), "state");
 }
 function dgConfigPath() {
-  return join2(dgConfigDir(), "config.json");
+  return join(dgConfigDir(), "config.json");
 }
 function dgCachePath(name) {
-  return join2(dgCacheDir(), name);
+  return join(dgCacheDir(), name);
 }
 function dgStatePath(name) {
-  return join2(dgStateDir(), name);
-}
-function dgMigrationBreadcrumb() {
-  return join2(dgRoot(), ".migrated-from-v1");
-}
-function dgMigrationLock() {
-  return join2(dgRoot(), ".migration.lock");
+  return join(dgStateDir(), name);
 }
 function dgReadme() {
-  return join2(dgRoot(), "README.txt");
-}
-function legacyPaths() {
-  const home = homedir();
-  const depGuardianDir = join2(home, ".dependency-guardian");
-  return {
-    dgrc: join2(home, ".dgrc.json"),
-    cacheDir: depGuardianDir,
-    updateCheck: join2(home, ".dg-update-check.json"),
-    aliasesShOld: join2(depGuardianDir, "aliases.sh"),
-    depGuardianDir
-  };
+  return join(dgRoot(), "README.txt");
 }
 function dgPaths() {
   return {
@@ -1876,9 +1856,7 @@ function dgPaths() {
     updateCheck: dgCachePath("update-check.json"),
     aliasesSh: dgStatePath("aliases.sh"),
     hooksRegistry: dgStatePath("hooks-installed.json"),
-    readme: dgReadme(),
-    migrationBreadcrumb: dgMigrationBreadcrumb(),
-    migrationLock: dgMigrationLock()
+    readme: dgReadme()
   };
 }
 var ROOT_DIR_NAME;
@@ -1958,49 +1936,64 @@ function authBase() {
   }
 }
 async function createAuthSession() {
-  let res;
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), 1e4);
   try {
-    res = await globalThis.fetch(`${authBase()}/cli/auth/sessions`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" }
-    });
-  } catch {
-    throw new Error("Could not connect to westbayberry.com");
-  }
-  if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(
-      `Failed to create auth session (HTTP ${res.status})${body ? `: ${body}` : ""}`
-    );
+    let res;
+    try {
+      res = await globalThis.fetch(`${authBase()}/cli/auth/sessions`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        signal: ctrl.signal
+      });
+    } catch {
+      throw new Error("Could not connect to westbayberry.com");
+    }
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      throw new Error(
+        `Failed to create auth session (HTTP ${res.status})${body ? `: ${body}` : ""}`
+      );
+    }
+    const json = await res.json();
+    return {
+      sessionId: json.session_id,
+      verifyUrl: json.verify_url,
+      expiresIn: json.expires_in
+    };
+  } finally {
+    clearTimeout(timer);
   }
-  const json = await res.json();
-  return {
-    sessionId: json.session_id,
-    verifyUrl: json.verify_url,
-    expiresIn: json.expires_in
-  };
 }
 async function pollAuthSession(sessionId) {
-  let res;
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), 8e3);
   try {
-    res = await globalThis.fetch(
-      `${authBase()}/cli/auth/sessions/${sessionId}/token`
-    );
-  } catch {
-    return { status: "expired" };
-  }
-  if (res.status === 404) {
-    return { status: "expired" };
-  }
-  if (!res.ok) {
-    return { status: "expired" };
+    let res;
+    try {
+      res = await globalThis.fetch(
+        `${authBase()}/cli/auth/sessions/${sessionId}/token`,
+        { signal: ctrl.signal }
+      );
+    } catch (e) {
+      if (e instanceof Error && e.name === "AbortError") return { status: "pending" };
+      return { status: "expired" };
+    }
+    if (res.status === 404) {
+      return { status: "expired" };
+    }
+    if (!res.ok) {
+      return { status: "expired" };
+    }
+    const json = await res.json();
+    return {
+      status: json.status,
+      apiKey: json.api_key,
+      email: json.email
+    };
+  } finally {
+    clearTimeout(timer);
   }
-  const json = await res.json();
-  return {
-    status: json.status,
-    apiKey: json.api_key,
-    email: json.email
-  };
 }
 function configPath() {
   return dgConfigPath();
@@ -2297,7 +2290,7 @@ async function preflightAuthCheck(apiUrl) {
   const cached = readCachedAuthStatus();
   if (cached) {
     if (cached.freeTierCapReached) {
-      throw new PreflightFreeCapReachedError(cached.scansUsed, cached.scansLimit ?? cached.scansUsed);
+      throw new PreflightFreeCapReachedError(cached.scansUsed, cached.scansLimit ?? cached.scansUsed, cached.capReason ?? "monthly_limit");
     }
     return cached;
   }
@@ -2331,15 +2324,17 @@ async function preflightAuthCheck(apiUrl) {
     } catch {
     }
     if (body.freeTierCapReached) {
+      const capReason = body.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit";
       const status2 = {
         authenticated: !!apiKey,
         freeTierCapReached: true,
         scansUsed: body.scansUsed ?? 0,
         scansLimit: body.maxScans ?? 0,
+        capReason,
         fetchedAt: Date.now()
       };
       writeCachedAuthStatus(status2);
-      throw new PreflightFreeCapReachedError(status2.scansUsed, status2.scansLimit ?? 0);
+      throw new PreflightFreeCapReachedError(status2.scansUsed, status2.scansLimit ?? 0, capReason);
     }
   }
   if (!resp.ok) {
@@ -2476,10 +2471,13 @@ var init_auth = __esm({
     init_paths();
     DEFAULT_WEB_BASE = "https://westbayberry.com";
     PreflightFreeCapReachedError = class extends Error {
-      constructor(scansUsed, maxScans) {
-        super("Free tier monthly cap reached. Run `dg upgrade` for Pro.");
+      constructor(scansUsed, maxScans, reason = "monthly_limit") {
+        super(
+          reason === "prefix_cap" ? "Too many anonymous devices from your network this month. Sign in with `dg login` to keep scanning." : "Free tier monthly package limit reached. Run `dg upgrade` for Pro."
+        );
         this.scansUsed = scansUsed;
         this.maxScans = maxScans;
+        this.reason = reason;
         this.name = "PreflightFreeCapReachedError";
       }
     };
@@ -2499,7 +2497,7 @@ __export(config_exports, {
 });
 import { parseArgs } from "node:util";
 import { readFileSync as readFileSync2, existsSync as existsSync2 } from "node:fs";
-import { join as join3, dirname as dirname2 } from "node:path";
+import { join as join2, dirname as dirname2 } from "node:path";
 import { fileURLToPath } from "node:url";
 function levenshtein(a, b) {
   if (a === b) return 0;
@@ -2540,28 +2538,24 @@ function warnUnknownDgrcKeys(parsed, source) {
   }
 }
 function loadDgrc() {
-  const cwdPath = join3(process.cwd(), ".dgrc.json");
+  const cwdPath = join2(process.cwd(), ".dgrc.json");
   const homePath = dgConfigPath();
-  const legacyHomePath = legacyPaths().dgrc;
   let config = {};
-  const sources = [homePath, legacyHomePath].filter((p, i, arr) => arr.indexOf(p) === i);
-  for (const src of sources) {
-    if (!existsSync2(src)) continue;
+  if (existsSync2(homePath)) {
     try {
-      const data = JSON.parse(readFileSync2(src, "utf-8"));
-      warnUnknownDgrcKeys(data, src);
+      const data = JSON.parse(readFileSync2(homePath, "utf-8"));
+      warnUnknownDgrcKeys(data, homePath);
       const filtered = {};
       for (const k of KNOWN_DGRC_KEYS) {
         if (k in data) filtered[k] = data[k];
       }
       config = filtered;
-      break;
     } catch {
-      process.stderr.write(`Warning: Failed to parse ${src}, ignoring.
+      process.stderr.write(`Warning: Failed to parse ${homePath}, ignoring.
 `);
     }
   }
-  if (cwdPath !== homePath && cwdPath !== legacyHomePath && existsSync2(cwdPath) && process.env.DG_QUIET !== "1") {
+  if (cwdPath !== homePath && existsSync2(cwdPath) && process.env.DG_QUIET !== "1") {
     process.stderr.write(
       `dg: note: ./.dgrc.json is ignored (repo-controlled config is no longer honored). Use ~/.dg/.dgrc.json, env vars (DG_MODE, DG_API_URL), or CLI flags.
 `
@@ -2599,7 +2593,7 @@ function getVersion() {
   try {
     const thisDir = dirname2(fileURLToPath(import.meta.url));
     const pkg = JSON.parse(
-      readFileSync2(join3(thisDir, "..", "package.json"), "utf-8")
+      readFileSync2(join2(thisDir, "..", "package.json"), "utf-8")
     );
     return pkg.version ?? "1.0.0";
   } catch {
@@ -3047,8 +3041,8 @@ var init_terminal_state = __esm({
 });
 
 // src/shims/safe-fs.ts
-import { existsSync as existsSync5, lstatSync as lstatSync3, mkdirSync as mkdirSync4, renameSync, statSync as statSync2, unlinkSync as unlinkSync4, writeFileSync as writeFileSync4 } from "node:fs";
-import { dirname as dirname5, sep } from "node:path";
+import { existsSync as existsSync4, lstatSync as lstatSync3, mkdirSync as mkdirSync3, renameSync, statSync, unlinkSync as unlinkSync3, writeFileSync as writeFileSync3 } from "node:fs";
+import { dirname as dirname4, sep } from "node:path";
 import { homedir as homedir2 } from "node:os";
 function ensureUnderHome(target) {
   const home = homedir2();
@@ -3077,28 +3071,28 @@ function safeMkdirRecursive(target, mode = 493) {
   for (const segment of rel) {
     cur = cur + sep + segment;
     lstatNoSymlink(cur);
-    if (!existsSync5(cur)) {
-      mkdirSync4(cur, { mode });
+    if (!existsSync4(cur)) {
+      mkdirSync3(cur, { mode });
     }
   }
 }
 function safeWriteFile(target, content, mode = 420) {
   ensureUnderHome(target);
-  lstatNoSymlink(dirname5(target));
+  lstatNoSymlink(dirname4(target));
   lstatNoSymlink(target);
-  writeFileSync4(target, content, { mode });
+  writeFileSync3(target, content, { mode });
 }
 function atomicWriteFile(target, content, mode = 420) {
   ensureUnderHome(target);
-  lstatNoSymlink(dirname5(target));
+  lstatNoSymlink(dirname4(target));
   lstatNoSymlink(target);
   const tmp = `${target}.tmp.${process.pid}.${Date.now()}`;
-  writeFileSync4(tmp, content, { mode });
+  writeFileSync3(tmp, content, { mode });
   renameSync(tmp, target);
 }
 function isExecutable(path2) {
   try {
-    const st = statSync2(path2);
+    const st = statSync(path2);
     return st.isFile() && (st.mode & 73) !== 0;
   } catch {
     return false;
@@ -3112,7 +3106,7 @@ function safeUnlink(target) {
     if (e instanceof UnsafePathError) throw e;
   }
   try {
-    unlinkSync4(target);
+    unlinkSync3(target);
   } catch (e) {
     const code = e.code;
     if (code !== "ENOENT") throw e;
@@ -3241,10 +3235,10 @@ exit /b 127
 
 // src/shims/rc-syntax.ts
 import { homedir as homedir3 } from "node:os";
-import { join as join4 } from "node:path";
-import { existsSync as existsSync6, readFileSync as readFileSync5, lstatSync as lstatSync4, appendFileSync, writeFileSync as writeFileSync5 } from "node:fs";
+import { join as join3 } from "node:path";
+import { existsSync as existsSync5, readFileSync as readFileSync4, lstatSync as lstatSync4, appendFileSync, writeFileSync as writeFileSync4 } from "node:fs";
 function expandHome(path2) {
-  if (path2.startsWith("~/")) return join4(homedir3(), path2.slice(2));
+  if (path2.startsWith("~/")) return join3(homedir3(), path2.slice(2));
   return path2;
 }
 function detectShellKind(envShell) {
@@ -3258,13 +3252,13 @@ function rcCandidates(kind) {
   const home = homedir3();
   switch (kind) {
     case "zsh":
-      return [join4(home, ".zshrc")];
+      return [join3(home, ".zshrc")];
     case "bash":
-      return [join4(home, ".bashrc"), join4(home, ".bash_profile")];
+      return [join3(home, ".bashrc"), join3(home, ".bash_profile")];
     case "fish":
-      return [join4(home, ".config", "fish", "config.fish")];
+      return [join3(home, ".config", "fish", "config.fish")];
     case "sh":
-      return [join4(home, ".profile")];
+      return [join3(home, ".profile")];
   }
 }
 function pathSnippet(kind) {
@@ -3287,12 +3281,12 @@ function appendSentinelBlock(rcPath, snippet) {
       return { status: "failed", path: resolved, reason: e.message };
     }
   }
-  if (existsSync6(resolved)) {
+  if (existsSync5(resolved)) {
     const st = lstatSync4(resolved);
     if (!st.isFile()) {
       return { status: "failed", path: resolved, reason: "rc path is not a regular file" };
     }
-    const existing = readFileSync5(resolved, "utf-8");
+    const existing = readFileSync4(resolved, "utf-8");
     if (existing.includes(RC_SENTINEL_OPEN)) {
       return { status: "already-present", path: resolved };
     }
@@ -3303,10 +3297,10 @@ ${snippet}
 ${RC_SENTINEL_CLOSE}
 `;
   try {
-    if (existsSync6(resolved)) {
+    if (existsSync5(resolved)) {
       appendFileSync(resolved, block, { encoding: "utf-8" });
     } else {
-      writeFileSync5(resolved, block, { encoding: "utf-8", mode: 420 });
+      writeFileSync4(resolved, block, { encoding: "utf-8", mode: 420 });
     }
     return { status: "appended", path: resolved };
   } catch (e) {
@@ -3320,7 +3314,7 @@ function stripSentinelBlock(rcPath) {
   } catch (e) {
     return { status: "failed", path: resolved, reason: e.message };
   }
-  if (!existsSync6(resolved)) {
+  if (!existsSync5(resolved)) {
     return { status: "already-present", path: resolved };
   }
   try {
@@ -3330,7 +3324,7 @@ function stripSentinelBlock(rcPath) {
       return { status: "failed", path: resolved, reason: e.message };
     }
   }
-  const original = readFileSync5(resolved, "utf-8");
+  const original = readFileSync4(resolved, "utf-8");
   if (!original.includes(RC_SENTINEL_OPEN)) {
     return { status: "already-present", path: resolved };
   }
@@ -3357,7 +3351,7 @@ function stripSentinelBlock(rcPath) {
   if (original.endsWith("\n") && !result.endsWith("\n")) result += "\n";
   if (!original.endsWith("\n") && result.endsWith("\n")) result = result.slice(0, -1);
   try {
-    writeFileSync5(resolved, result, { encoding: "utf-8" });
+    writeFileSync4(resolved, result, { encoding: "utf-8" });
     return { status: "appended", path: resolved };
   } catch (e) {
     return { status: "failed", path: resolved, reason: e.message };
@@ -3381,11 +3375,11 @@ __export(resolve_exports, {
   resolveRealBinary: () => resolveRealBinary,
   walkPathExcludingShimDir: () => walkPathExcludingShimDir
 });
-import { existsSync as existsSync7, readFileSync as readFileSync6 } from "node:fs";
-import { join as join5, delimiter, sep as sep2 } from "node:path";
+import { existsSync as existsSync6, readFileSync as readFileSync5 } from "node:fs";
+import { join as join4, delimiter, sep as sep2 } from "node:path";
 import { homedir as homedir4 } from "node:os";
 function shimDir() {
-  return join5(homedir4(), ".dg", "shims");
+  return join4(homedir4(), ".dg", "shims");
 }
 function walkPathExcludingShimDir(name, extraExtensions = []) {
   const raw = process.env.PATH ?? "/usr/bin:/bin";
@@ -3395,7 +3389,7 @@ function walkPathExcludingShimDir(name, extraExtensions = []) {
   for (const dir of parts) {
     if (dir === shims || dir.startsWith(shims + sep2)) continue;
     for (const ext of ["", ...exts]) {
-      const candidate = join5(dir, name + ext);
+      const candidate = join4(dir, name + ext);
       if (isExecutable(candidate)) return candidate;
     }
   }
@@ -3410,7 +3404,7 @@ function platformExtensions() {
 }
 function readCache2() {
   try {
-    const raw = readFileSync6(CACHE_PATH(), "utf-8");
+    const raw = readFileSync5(CACHE_PATH(), "utf-8");
     const parsed = JSON.parse(raw);
     if (typeof parsed === "object" && parsed !== null) {
       return parsed;
@@ -3432,7 +3426,7 @@ function resolveRealBinary(ecosystem) {
   }
   const cache3 = readCache2();
   const cached = cache3[ecosystem];
-  if (cached && existsSync7(cached) && isExecutable(cached)) {
+  if (cached && existsSync6(cached) && isExecutable(cached)) {
     return cached;
   }
   const resolved = walkPath(ecosystem, exts);
@@ -3479,13 +3473,13 @@ __export(install_exports, {
   uninstallShims: () => uninstallShims
 });
 import { homedir as homedir5 } from "node:os";
-import { join as join6, dirname as dirname6 } from "node:path";
+import { join as join5, dirname as dirname5 } from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
-import { chmodSync as chmodSync4, chownSync, existsSync as existsSync8, readdirSync, readFileSync as readFileSync7, statSync as statSync3, appendFileSync as appendFileSync2, writeFileSync as writeFileSync6 } from "node:fs";
+import { chmodSync as chmodSync3, chownSync, existsSync as existsSync7, readdirSync, readFileSync as readFileSync6, statSync as statSync2, appendFileSync as appendFileSync2, writeFileSync as writeFileSync5 } from "node:fs";
 import { spawnSync } from "node:child_process";
 import { randomBytes } from "node:crypto";
 function dgShimDir() {
-  return join6(homedir5(), ".dg", "shims");
+  return join5(homedir5(), ".dg", "shims");
 }
 function noncePath() {
   return dgStatePath("shim-nonce");
@@ -3497,12 +3491,12 @@ function bypassLogPath() {
   return dgStatePath("bypass.log");
 }
 function dgEntryStatePath(targetHome) {
-  return join6(targetHome, ".dg", "state", "dg-entry");
+  return join5(targetHome, ".dg", "state", "dg-entry");
 }
 function currentDgEntry() {
   try {
-    const entry = join6(dirname6(fileURLToPath2(import.meta.url)), "index.mjs");
-    if (existsSync8(entry)) return entry;
+    const entry = join5(dirname5(fileURLToPath2(import.meta.url)), "index.mjs");
+    if (existsSync7(entry)) return entry;
   } catch {
   }
   try {
@@ -3518,18 +3512,18 @@ function ensureDgEntryRecorded(targetHome = homedir5()) {
     const path2 = dgEntryStatePath(targetHome);
     let existing = null;
     try {
-      existing = readFileSync7(path2, "utf-8").trim();
+      existing = readFileSync6(path2, "utf-8").trim();
     } catch {
     }
     if (existing === entry) return;
-    safeMkdirRecursive(dirname6(path2), 493);
+    safeMkdirRecursive(dirname5(path2), 493);
     safeWriteFile(path2, entry + "\n", 420);
   } catch {
   }
 }
 function readNonce() {
   try {
-    const raw = readFileSync7(noncePath(), "utf-8").trim();
+    const raw = readFileSync6(noncePath(), "utf-8").trim();
     return raw.length > 0 ? raw : null;
   } catch {
     return null;
@@ -3571,13 +3565,13 @@ function persistWindowsPath(shimsDir, outcomes) {
 }
 function updatePowerShellProfile(targetHome, shimsDir, outcomes) {
   if (process.platform !== "win32") return;
-  const profilePath = join6(targetHome, "Documents", "PowerShell", "Microsoft.PowerShell_profile.ps1");
-  if (!existsSync8(profilePath)) {
+  const profilePath = join5(targetHome, "Documents", "PowerShell", "Microsoft.PowerShell_profile.ps1");
+  if (!existsSync7(profilePath)) {
     outcomes.push({ status: "already-present", path: profilePath });
     return;
   }
   try {
-    const existing = readFileSync7(profilePath, "utf-8");
+    const existing = readFileSync6(profilePath, "utf-8");
     if (existing.includes(">>> dg-managed >>>")) {
       outcomes.push({ status: "already-present", path: profilePath });
       return;
@@ -3596,12 +3590,12 @@ $env:Path = "${shimsDir};$env:Path"
 function chownTreeIfNeeded(root, uid, gid) {
   if (uid === void 0 || gid === void 0) return;
   if (process.platform === "win32") return;
-  if (!existsSync8(root)) return;
+  if (!existsSync7(root)) return;
   chownIfNeeded(root, uid, gid);
   try {
     for (const entry of readdirSync(root)) {
-      const child = join6(root, entry);
-      const st = statSync3(child);
+      const child = join5(root, entry);
+      const st = statSync2(child);
       if (st.isDirectory()) {
         chownTreeIfNeeded(child, uid, gid);
       } else {
@@ -3614,18 +3608,18 @@ function chownTreeIfNeeded(root, uid, gid) {
 function installShims(opts = {}) {
   const targetHome = opts.targetHome ?? homedir5();
   const platform3 = opts.platform ?? (process.platform === "win32" ? "windows" : "unix");
-  const dgRoot2 = join6(targetHome, ".dg");
-  const shimsDir = join6(targetHome, ".dg", "shims");
-  const stateDir = join6(targetHome, ".dg", "state");
+  const dgRoot2 = join5(targetHome, ".dg");
+  const shimsDir = join5(targetHome, ".dg", "shims");
+  const stateDir = join5(targetHome, ".dg", "state");
   safeMkdirRecursive(dgRoot2, 493);
   safeMkdirRecursive(stateDir, 493);
   safeMkdirRecursive(shimsDir, 493);
   const nonce = randomBytes(16).toString("hex");
-  const noncePathResolved = join6(stateDir, "shim-nonce");
+  const noncePathResolved = join5(stateDir, "shim-nonce");
   safeWriteFile(noncePathResolved, nonce, 384);
   chownIfNeeded(noncePathResolved, opts.targetUid, opts.targetGid);
   const dgEntry = currentDgEntry();
-  const dgEntryPathResolved = join6(stateDir, "dg-entry");
+  const dgEntryPathResolved = join5(stateDir, "dg-entry");
   if (dgEntry) {
     safeWriteFile(dgEntryPathResolved, dgEntry + "\n", 420);
     chownIfNeeded(dgEntryPathResolved, opts.targetUid, opts.targetGid);
@@ -3633,10 +3627,10 @@ function installShims(opts = {}) {
   const shimsCreated = [];
   for (const eco of ECOSYSTEMS) {
     const filename = shimFilename(eco, platform3);
-    const fullPath = join6(shimsDir, filename);
+    const fullPath = join5(shimsDir, filename);
     const body = renderShim({ ecosystem: eco, platform: platform3 });
     safeWriteFile(fullPath, body, platform3 === "windows" ? 420 : 493);
-    if (platform3 !== "windows") chmodSync4(fullPath, 493);
+    if (platform3 !== "windows") chmodSync3(fullPath, 493);
     chownIfNeeded(fullPath, opts.targetUid, opts.targetGid);
     shimsCreated.push(filename);
   }
@@ -3648,7 +3642,7 @@ function installShims(opts = {}) {
     resolvedRealBinaries[eco] = resolveRealBinary(eco);
   }
   const cachePathResolved = realBinaryCachePath();
-  if (existsSync8(cachePathResolved)) {
+  if (existsSync7(cachePathResolved)) {
     chownIfNeeded(cachePathResolved, opts.targetUid, opts.targetGid);
   }
   const rcOutcomes = [];
@@ -3683,7 +3677,7 @@ function installShims(opts = {}) {
     nodeVersion: process.version,
     dgVersion: process.env.DG_CLI_VERSION ?? "unknown"
   };
-  const receiptResolved = join6(stateDir, "install-receipt.json");
+  const receiptResolved = join5(stateDir, "install-receipt.json");
   safeWriteFile(receiptResolved, JSON.stringify(receipt, null, 2), 420);
   chownIfNeeded(receiptResolved, opts.targetUid, opts.targetGid);
   chownTreeIfNeeded(dgRoot2, opts.targetUid, opts.targetGid);
@@ -3699,31 +3693,31 @@ function installShims(opts = {}) {
 function uninstallShims(opts = {}) {
   const targetHome = opts.targetHome ?? homedir5();
   const platform3 = opts.platform ?? (process.platform === "win32" ? "windows" : "unix");
-  const shimsDir = join6(targetHome, ".dg", "shims");
-  const stateDir = join6(targetHome, ".dg", "state");
+  const shimsDir = join5(targetHome, ".dg", "shims");
+  const stateDir = join5(targetHome, ".dg", "state");
   const shimsRemoved = [];
-  if (existsSync8(shimsDir)) {
+  if (existsSync7(shimsDir)) {
     for (const eco of ECOSYSTEMS) {
       const filename = shimFilename(eco, platform3);
-      const fullPath = join6(shimsDir, filename);
-      if (existsSync8(fullPath)) {
+      const fullPath = join5(shimsDir, filename);
+      if (existsSync7(fullPath)) {
         safeUnlink(fullPath);
         shimsRemoved.push(filename);
       }
     }
   }
   const stateFiles = [
-    join6(stateDir, "shim-nonce"),
-    join6(stateDir, "dg-entry"),
-    join6(stateDir, "install-receipt.json"),
-    join6(stateDir, "real-binaries.json"),
-    join6(stateDir, "bypass.log"),
-    join6(stateDir, "wiring-hint-shown"),
-    join6(stateDir, "first-run-shown")
+    join5(stateDir, "shim-nonce"),
+    join5(stateDir, "dg-entry"),
+    join5(stateDir, "install-receipt.json"),
+    join5(stateDir, "real-binaries.json"),
+    join5(stateDir, "bypass.log"),
+    join5(stateDir, "wiring-hint-shown"),
+    join5(stateDir, "first-run-shown")
   ];
   const stateFilesRemoved = [];
   for (const f of stateFiles) {
-    if (existsSync8(f)) {
+    if (existsSync7(f)) {
       safeUnlink(f);
       stateFilesRemoved.push(f);
     }
@@ -3743,7 +3737,7 @@ function uninstallShims(opts = {}) {
 }
 function revertWindowsPath(targetHome, outcomes) {
   if (process.platform !== "win32") return;
-  const shimsDir = join6(targetHome, ".dg", "shims");
+  const shimsDir = join5(targetHome, ".dg", "shims");
   const currentPath = process.env.PATH ?? "";
   if (!currentPath.toLowerCase().includes(shimsDir.toLowerCase())) {
     outcomes.push({ status: "already-present", path: "user PATH (HKCU\\Environment)" });
@@ -3767,19 +3761,19 @@ function revertWindowsPath(targetHome, outcomes) {
 }
 function revertPowerShellProfile(targetHome, outcomes) {
   if (process.platform !== "win32") return;
-  const profilePath = join6(targetHome, "Documents", "PowerShell", "Microsoft.PowerShell_profile.ps1");
-  if (!existsSync8(profilePath)) {
+  const profilePath = join5(targetHome, "Documents", "PowerShell", "Microsoft.PowerShell_profile.ps1");
+  if (!existsSync7(profilePath)) {
     outcomes.push({ status: "already-present", path: profilePath });
     return;
   }
   try {
-    const existing = readFileSync7(profilePath, "utf-8");
+    const existing = readFileSync6(profilePath, "utf-8");
     if (!existing.includes(">>> dg-managed >>>")) {
       outcomes.push({ status: "already-present", path: profilePath });
       return;
     }
     const stripped = existing.replace(/\n?# >>> dg-managed >>>[\s\S]*?# <<< dg-managed <<<\n?/g, "");
-    writeFileSync6(profilePath, stripped, "utf-8");
+    writeFileSync5(profilePath, stripped, "utf-8");
     outcomes.push({ status: "appended", path: profilePath });
   } catch (e) {
     outcomes.push({ status: "failed", path: profilePath, reason: e.message });
@@ -3945,7 +3939,7 @@ unset it manually if you want fully anonymous behavior.
     UPGRADE = `
 dg upgrade \u2014 start Stripe checkout for Pro
 
-Free tier is 1000 scans/mo per device. Pro is 5000/mo + watchlists +
+Free tier is 50,000 packages/mo per device. Pro is 250,000/mo + watchlists +
 saved reports + Dashboard analytics.
 
 Usage:
@@ -4000,8 +3994,8 @@ var first_run_exports = {};
 __export(first_run_exports, {
   maybeShowWelcomePanel: () => maybeShowWelcomePanel
 });
-import { existsSync as existsSync9, writeFileSync as writeFileSync7, mkdirSync as mkdirSync5 } from "node:fs";
-import { dirname as dirname7 } from "node:path";
+import { existsSync as existsSync8, writeFileSync as writeFileSync6, mkdirSync as mkdirSync4 } from "node:fs";
+import { dirname as dirname6 } from "node:path";
 function welcomeShownPath() {
   return dgStatePath("first-run-shown");
 }
@@ -4011,10 +4005,10 @@ function installReceiptPath2() {
 async function maybeShowWelcomePanel(opts) {
   if (SKIP_LIST.has(opts.rawCommand)) return;
   if (!opts.isInteractive) return;
-  if (existsSync9(welcomeShownPath())) return;
-  if (!existsSync9(installReceiptPath2())) return;
+  if (existsSync8(welcomeShownPath())) return;
+  if (!existsSync8(installReceiptPath2())) return;
   try {
-    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
     const lines = [
       "",
       chalk18.bold("  \u2713 Dependency Guardian is active.") + "",
@@ -4029,8 +4023,8 @@ async function maybeShowWelcomePanel(opts) {
     ];
     process.stderr.write(lines.join("\n"));
     try {
-      mkdirSync5(dirname7(welcomeShownPath()), { recursive: true });
-      writeFileSync7(welcomeShownPath(), (/* @__PURE__ */ new Date()).toISOString(), { encoding: "utf-8", mode: 420 });
+      mkdirSync4(dirname6(welcomeShownPath()), { recursive: true });
+      writeFileSync6(welcomeShownPath(), (/* @__PURE__ */ new Date()).toISOString(), { encoding: "utf-8", mode: 420 });
     } catch {
     }
   } catch {
@@ -4065,7 +4059,7 @@ __export(upgrade_exports, {
   handleUpgradeCommand: () => handleUpgradeCommand
 });
 async function handleUpgradeCommand(opts) {
-  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
   const webUrl = opts?.webUrl ?? process.env.DG_WEB_URL ?? "https://westbayberry.com";
   const deviceId = getOrCreateDeviceId();
   const url = `${webUrl}/upgrade?device=${encodeURIComponent(deviceId)}`;
@@ -39038,9 +39032,9 @@ var import_react22, import_jsx_runtime, CHAR_POOL, COLOR_POOL, GRAVITY, DRAG, FR
 var init_Confetti = __esm({
   async "src/ui/components/Confetti.tsx"() {
     "use strict";
-    import_react22 = __toESM(require_react());
+    import_react22 = __toESM(require_react(), 1);
     await init_build2();
-    import_jsx_runtime = __toESM(require_jsx_runtime());
+    import_jsx_runtime = __toESM(require_jsx_runtime(), 1);
     CHAR_POOL = [
       "*",
       "*",
@@ -39155,7 +39149,7 @@ var import_react23;
 var init_useTerminalSize = __esm({
   async "src/ui/hooks/useTerminalSize.ts"() {
     "use strict";
-    import_react23 = __toESM(require_react());
+    import_react23 = __toESM(require_react(), 1);
     await init_build2();
   }
 });
@@ -39169,11 +39163,11 @@ var import_react24, import_jsx_runtime2, LoginCelebrateApp;
 var init_LoginCelebrateApp = __esm({
   async "src/ui/apps/LoginCelebrateApp.tsx"() {
     "use strict";
-    import_react24 = __toESM(require_react());
+    import_react24 = __toESM(require_react(), 1);
     await init_build2();
     await init_Confetti();
     await init_useTerminalSize();
-    import_jsx_runtime2 = __toESM(require_jsx_runtime());
+    import_jsx_runtime2 = __toESM(require_jsx_runtime(), 1);
     LoginCelebrateApp = ({ email, durationMs = 2500 }) => {
       const { exit } = use_app_default();
       const { cols, rows } = useTerminalSize();
@@ -39207,13 +39201,13 @@ var celebrate_exports = {};
 __export(celebrate_exports, {
   celebrateFirstLoginIfNew: () => celebrateFirstLoginIfNew
 });
-import { existsSync as existsSync11, writeFileSync as writeFileSync8, mkdirSync as mkdirSync6 } from "node:fs";
-import { dirname as dirname8 } from "node:path";
+import { existsSync as existsSync10, writeFileSync as writeFileSync7, mkdirSync as mkdirSync5 } from "node:fs";
+import { dirname as dirname7 } from "node:path";
 function celebratedMarker() {
   return dgStatePath("login-celebrated");
 }
 function shouldCelebrate() {
-  if (existsSync11(celebratedMarker())) return false;
+  if (existsSync10(celebratedMarker())) return false;
   if (process.env.CI === "1" || process.env.CI === "true") return false;
   if (process.env.DG_NO_CELEBRATE === "1") return false;
   if (!process.stderr.isTTY) return false;
@@ -39221,8 +39215,8 @@ function shouldCelebrate() {
 }
 function writeCelebratedMarker() {
   try {
-    mkdirSync6(dirname8(celebratedMarker()), { recursive: true });
-    writeFileSync8(celebratedMarker(), (/* @__PURE__ */ new Date()).toISOString(), { encoding: "utf-8", mode: 420 });
+    mkdirSync5(dirname7(celebratedMarker()), { recursive: true });
+    writeFileSync7(celebratedMarker(), (/* @__PURE__ */ new Date()).toISOString(), { encoding: "utf-8", mode: 420 });
   } catch {
   }
 }
@@ -39230,7 +39224,7 @@ async function celebrateFirstLoginIfNew(email) {
   if (!shouldCelebrate()) return;
   try {
     const { render: render2 } = await init_build2().then(() => build_exports);
-    const React22 = await Promise.resolve().then(() => __toESM(require_react()));
+    const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
     const { LoginCelebrateApp: LoginCelebrateApp2 } = await init_LoginCelebrateApp().then(() => LoginCelebrateApp_exports);
     const { enterTui: enterTui2, leaveTui: leaveTui2 } = await Promise.resolve().then(() => (init_terminal_state(), terminal_state_exports));
     enterTui2();
@@ -39284,7 +39278,7 @@ function parseLoginArgs(args) {
   return { kind: "token", value: token, force };
 }
 async function handleLoginWithToken(raw, opts) {
-  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
   const existing = getStoredApiKey();
   if (existing && !opts.force) {
     process.stderr.write(
@@ -39439,7 +39433,7 @@ var import_react25, POLL_INTERVAL_MS, MAX_POLL_ATTEMPTS;
 var init_useLogin = __esm({
   "src/ui/hooks/useLogin.ts"() {
     "use strict";
-    import_react25 = __toESM(require_react());
+    import_react25 = __toESM(require_react(), 1);
     init_auth();
     POLL_INTERVAL_MS = 2e3;
     MAX_POLL_ATTEMPTS = 150;
@@ -41125,7 +41119,7 @@ var init_Spinner = __esm({
     "use strict";
     await init_build2();
     await init_build3();
-    import_jsx_runtime3 = __toESM(require_jsx_runtime());
+    import_jsx_runtime3 = __toESM(require_jsx_runtime(), 1);
     Spinner2 = ({ label }) => /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(Box_default, { children: [
       /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { color: "cyan", children: /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(build_default, { type: "dots" }) }),
       /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(Text, { children: [
@@ -41145,11 +41139,11 @@ var import_react27, import_jsx_runtime4, LoginApp;
 var init_LoginApp = __esm({
   async "src/ui/apps/LoginApp.tsx"() {
     "use strict";
-    import_react27 = __toESM(require_react());
+    import_react27 = __toESM(require_react(), 1);
     await init_build2();
     init_useLogin();
     await init_Spinner();
-    import_jsx_runtime4 = __toESM(require_jsx_runtime());
+    import_jsx_runtime4 = __toESM(require_jsx_runtime(), 1);
     LoginApp = () => {
       const { state, openAndPoll } = useLogin();
       const { exit } = use_app_default();
@@ -41289,7 +41283,8 @@ __export(client_exports, {
   callAnalyzeAPI: () => callAnalyzeAPI,
   callPyPIAnalyzeAPI: () => callPyPIAnalyzeAPI,
   fetchLicenses: () => fetchLicenses,
-  fetchPyPILicenses: () => fetchPyPILicenses
+  fetchPyPILicenses: () => fetchPyPILicenses,
+  mergeResponses: () => mergeResponses
 });
 import { randomUUID as randomUUID2 } from "node:crypto";
 function batchConcurrency() {
@@ -41328,7 +41323,11 @@ async function handleFreeCapReached(response) {
     const body = await response.json().catch(() => ({}));
     if (body && body.freeTierCapReached) {
       const b = body;
-      throw new FreeCapReachedError(b.scansUsed, b.maxScans);
+      throw new FreeCapReachedError(
+        b.scansUsed,
+        b.maxScans,
+        b.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit"
+      );
     }
     throw new APIError("Forbidden", 403, JSON.stringify(body));
   }
@@ -41462,17 +41461,24 @@ function mergeResponses(results) {
   const anyBlock = results.some((r) => r.action === "block");
   const anyWarn = results.some((r) => r.action === "warn");
   const anyIncomplete = results.some((r) => r.action === "analysis_incomplete") || allPackages.some((p) => Array.isArray(p.findings) && p.findings.some((f) => f.id === "analysis_incomplete"));
-  const action = maxScore >= 70 || anyBlock ? "block" : maxScore >= 60 || anyWarn ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
+  const action = anyBlock ? "block" : anyWarn ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
   const safeVersions = {};
   for (const r of results) {
     Object.assign(safeVersions, r.safeVersions);
   }
+  const remaining = results.map((r) => r.freeScansRemaining).filter((v) => typeof v === "number");
+  const usage = results.map((r) => r.usage).filter((u) => !!u).reduce(
+    (best, u) => best === void 0 || u.used > best.used ? u : best,
+    void 0
+  );
   return {
     score: maxScore,
     action,
     packages: allPackages,
     safeVersions,
-    durationMs: results.reduce((s, r) => s + (r.durationMs || 0), 0)
+    durationMs: results.reduce((s, r) => s + (r.durationMs || 0), 0),
+    ...remaining.length > 0 ? { freeScansRemaining: Math.min(...remaining) } : {},
+    ...usage ? { usage } : {}
   };
 }
 function formatApiErrorMessage(status, rawBody, config) {
@@ -41858,10 +41864,13 @@ var init_client = __esm({
       }
     };
     FreeCapReachedError = class extends Error {
-      constructor(scansUsed, maxScans) {
-        super("Free trial scans used up. Run `dg login` to create a free account and continue scanning.");
+      constructor(scansUsed, maxScans, reason = "monthly_limit") {
+        super(
+          reason === "prefix_cap" ? "Too many anonymous devices from your network this month. Sign in with `dg login` to keep scanning." : "Free tier monthly package limit reached. Run `dg upgrade` for Pro."
+        );
         this.scansUsed = scansUsed;
         this.maxScans = maxScans;
+        this.reason = reason;
         this.name = "FreeCapReachedError";
       }
     };
@@ -42255,27 +42264,31 @@ var init_parse_package_json = __esm({
 });
 
 // src/lockfile/index.ts
-import { readFileSync as readFileSync9, existsSync as existsSync12, statSync as statSync4 } from "node:fs";
-import { join as join7 } from "node:path";
+import { readFileSync as readFileSync8, existsSync as existsSync11, statSync as statSync3 } from "node:fs";
+import { join as join6 } from "node:path";
 function readFileSafe(path2) {
-  const size = statSync4(path2).size;
+  const size = statSync3(path2).size;
   if (size > MAX_LOCKFILE_BYTES) {
     throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path2}`);
   }
-  return readFileSync9(path2, "utf-8");
+  return readFileSync8(path2, "utf-8");
 }
 function discoverChanges(cwd2, config) {
   if (config.workspace) {
-    cwd2 = join7(cwd2, config.workspace);
+    cwd2 = join6(cwd2, config.workspace);
   }
   const lockfileInfo = findLockfile(cwd2);
-  const pythonDepFiles = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
+  const pythonDepFiles = ["requirements.txt", "Pipfile.lock", "poetry.lock", "uv.lock"];
   let pythonPackages = [];
+  const pythonSkipped = [];
   for (const pyFile of pythonDepFiles) {
-    if (existsSync12(join7(cwd2, pyFile))) {
+    if (existsSync11(join6(cwd2, pyFile))) {
       const pyPkgs = parsePythonDepFile(cwd2, pyFile);
       for (const p of pyPkgs) {
-        if (p.version === "latest") continue;
+        if (p.version === "latest") {
+          pythonSkipped.push(`${p.name} (unpinned \u2014 pin with == to scan)`);
+          continue;
+        }
         pythonPackages.push({
           name: sanitize(p.name),
           version: sanitize(p.version),
@@ -42287,8 +42300,8 @@ function discoverChanges(cwd2, config) {
     }
   }
   if (!lockfileInfo) {
-    if (pythonPackages.length > 0) {
-      const skipped2 = [];
+    if (pythonPackages.length > 0 || pythonSkipped.length > 0) {
+      const skipped2 = [...pythonSkipped];
       if (pythonPackages.length > config.maxPackages) {
         skipped2.push(...pythonPackages.slice(config.maxPackages).map((p) => `${p.name}@${p.version}`));
         pythonPackages = pythonPackages.slice(0, config.maxPackages);
@@ -42296,14 +42309,14 @@ function discoverChanges(cwd2, config) {
       return { packages: [], pythonPackages, method: "scan-all", skipped: skipped2 };
     }
     throw new Error(
-      "No lockfile found (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Pipfile.lock, or poetry.lock). Run from your project root or use --base-lockfile."
+      "No lockfile found (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Pipfile.lock, poetry.lock, or uv.lock). Run from your project root or use --base-lockfile."
     );
   }
   const headContent = readFileSafe(lockfileInfo.path);
   const headParsed = parseLockfileByType(headContent, lockfileInfo.type);
   const directDeps = getDirectDeps(cwd2);
   if (config.baseLockfile) {
-    if (!existsSync12(config.baseLockfile)) {
+    if (!existsSync11(config.baseLockfile)) {
       throw new Error(`Base lockfile not found: ${config.baseLockfile}`);
     }
     const baseContent = readFileSafe(config.baseLockfile);
@@ -42313,7 +42326,7 @@ function discoverChanges(cwd2, config) {
       packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
       pythonPackages,
       method: "base-lockfile",
-      skipped: diff2.skipped
+      skipped: [...diff2.skipped, ...pythonSkipped]
     };
   }
   if (!config.scanAll) {
@@ -42325,11 +42338,11 @@ function discoverChanges(cwd2, config) {
         packages: diff2.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
         pythonPackages,
         method: "git-diff",
-        skipped: diff2.skipped
+        skipped: [...diff2.skipped, ...pythonSkipped]
       };
     }
-    const pkgJsonPath = join7(cwd2, "package.json");
-    if (existsSync12(pkgJsonPath)) {
+    const pkgJsonPath = join6(cwd2, "package.json");
+    if (existsSync11(pkgJsonPath)) {
       const headPkgJson = readFileSafe(pkgJsonPath);
       const basePkgJson = getGitBaseFile(cwd2, "package.json");
       if (basePkgJson !== null) {
@@ -42346,7 +42359,7 @@ function discoverChanges(cwd2, config) {
           packages: resolved.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
           pythonPackages,
           method: "fallback",
-          skipped: []
+          skipped: [...pythonSkipped]
         };
       }
     }
@@ -42369,7 +42382,7 @@ function discoverChanges(cwd2, config) {
       });
     }
   }
-  return { packages, pythonPackages, method: "scan-all", skipped };
+  return { packages, pythonPackages, method: "scan-all", skipped: [...skipped, ...pythonSkipped] };
 }
 function findLockfile(cwd2) {
   const candidates = [
@@ -42379,8 +42392,8 @@ function findLockfile(cwd2) {
     ["pnpm-lock.yaml", "pnpm"]
   ];
   for (const [name, type] of candidates) {
-    const p = join7(cwd2, name);
-    if (existsSync12(p)) return { path: p, type };
+    const p = join6(cwd2, name);
+    if (existsSync11(p)) return { path: p, type };
   }
   return null;
 }
@@ -42396,7 +42409,7 @@ function parseLockfileByType(content, type) {
 }
 function getDirectDeps(cwd2) {
   try {
-    const content = readFileSafe(join7(cwd2, "package.json"));
+    const content = readFileSafe(join6(cwd2, "package.json"));
     const pkg = JSON.parse(content);
     return /* @__PURE__ */ new Set([
       ...Object.keys(pkg.dependencies ?? {}),
@@ -42457,7 +42470,7 @@ function toPackageInput(change) {
   };
 }
 function parsePythonDepFile(projectDir, depFile) {
-  const content = readFileSafe(join7(projectDir, depFile));
+  const content = readFileSafe(join6(projectDir, depFile));
   if (depFile === "Pipfile.lock") {
     try {
       const parsed = JSON.parse(content);
@@ -42476,10 +42489,11 @@ function parsePythonDepFile(projectDir, depFile) {
       return [];
     }
   }
-  if (depFile === "poetry.lock") {
+  if (depFile === "poetry.lock" || depFile === "uv.lock") {
     const packages2 = [];
     const blocks = content.split(/^\[\[package\]\]/gm);
     for (const block of blocks) {
+      if (/source\s*=\s*\{[^}]*\b(editable|virtual|directory)\b/.test(block)) continue;
       const nameMatch = block.match(/^name\s*=\s*"([^"]+)"/m);
       const versionMatch = block.match(/^version\s*=\s*"([^"]+)"/m);
       if (nameMatch && versionMatch) {
@@ -42594,8 +42608,8 @@ var init_wrapper_shared = __esm({
 
 // src/commands/npm-wrapper.ts
 import { spawn as spawn2 } from "node:child_process";
-import { readFileSync as readFileSync10, existsSync as existsSync13, mkdtempSync, writeFileSync as writeFileSync9, rmSync as rmSync2 } from "node:fs";
-import { join as join8 } from "node:path";
+import { readFileSync as readFileSync9, existsSync as existsSync12, mkdtempSync, writeFileSync as writeFileSync8, rmSync } from "node:fs";
+import { join as join7 } from "node:path";
 import { tmpdir } from "node:os";
 function realNpmBinary() {
   const real = resolveRealBinary("npm");
@@ -42781,9 +42795,9 @@ async function resolveTreeNpm(specs) {
   if (safe.length === 0) {
     return { packages: [], ok: false, errorMessage: "all specs were flag-shaped (refused)" };
   }
-  const dir = mkdtempSync(join8(tmpdir(), "dg-resolve-"));
+  const dir = mkdtempSync(join7(tmpdir(), "dg-resolve-"));
   try {
-    writeFileSync9(join8(dir, "package.json"), '{"name":"_dg_resolve","version":"1.0.0","private":true}');
+    writeFileSync8(join7(dir, "package.json"), '{"name":"_dg_resolve","version":"1.0.0","private":true}');
     const stdout = await new Promise((resolve3) => {
       const child = spawn2(
         realNpmBinary(),
@@ -42842,7 +42856,7 @@ async function resolveTreeNpm(specs) {
     return { packages: [], ok: false, errorMessage: e.message };
   } finally {
     try {
-      rmSync2(dir, { recursive: true, force: true });
+      rmSync(dir, { recursive: true, force: true });
     } catch {
     }
   }
@@ -42863,10 +42877,10 @@ function pinTopLevelArgs(rawArgs, userSpecs, tree) {
   });
 }
 function readLockfilePins(cwd2) {
-  const lockPath = join8(cwd2, "package-lock.json");
-  if (!existsSync13(lockPath)) return null;
+  const lockPath = join7(cwd2, "package-lock.json");
+  if (!existsSync12(lockPath)) return null;
   try {
-    const lock = JSON.parse(readFileSync10(lockPath, "utf-8"));
+    const lock = JSON.parse(readFileSync9(lockPath, "utf-8"));
     const pins = /* @__PURE__ */ new Map();
     const root = lock.packages?.[""] ?? {};
     const directDeps = /* @__PURE__ */ new Set([
@@ -42893,10 +42907,10 @@ function readBareInstallPackages(cwd2) {
   return readBareInstallPackagesTyped(cwd2).map((s) => s.spec);
 }
 function readBareInstallPackagesTyped(cwd2) {
-  const pkgPath = join8(cwd2, "package.json");
-  if (!existsSync13(pkgPath)) return [];
+  const pkgPath = join7(cwd2, "package.json");
+  if (!existsSync12(pkgPath)) return [];
   try {
-    const pkg = JSON.parse(readFileSync10(pkgPath, "utf-8"));
+    const pkg = JSON.parse(readFileSync9(pkgPath, "utf-8"));
     const lockPins = readLockfilePins(cwd2) ?? /* @__PURE__ */ new Map();
     const out = [];
     const addOne = (name, range) => {
@@ -42946,7 +42960,7 @@ var init_npm_wrapper = __esm({
 
 // src/commands/pip-wrapper.ts
 import { spawn as spawn3 } from "node:child_process";
-import { existsSync as existsSync14 } from "node:fs";
+import { existsSync as existsSync13 } from "node:fs";
 function parsePipArgs(args) {
   const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
@@ -43006,7 +43020,7 @@ function parseRequirementsFile(filePath) {
   return parseRequirementsFileInternal(filePath, /* @__PURE__ */ new Set());
 }
 function parseRequirementsFileInternal(filePath, visited) {
-  if (!existsSync14(filePath)) return [];
+  if (!existsSync13(filePath)) return [];
   let absPath;
   try {
     absPath = __require("node:path").resolve(filePath);
@@ -43460,6 +43474,24 @@ var init_artifact_integrity = __esm({
 });
 
 // src/ui/format-helpers.ts
+var format_helpers_exports = {};
+__export(format_helpers_exports, {
+  USAGE_NEAR_LIMIT_RATIO: () => USAGE_NEAR_LIMIT_RATIO,
+  formatUsage: () => formatUsage,
+  groupPackages: () => groupPackages,
+  pad: () => pad,
+  truncate: () => truncate
+});
+function formatUsage(usage) {
+  const used = usage.used.toLocaleString();
+  if (usage.limit === null) {
+    return { text: `${used} packages this month`, nearLimit: false };
+  }
+  return {
+    text: `${used} / ${usage.limit.toLocaleString()} packages this month`,
+    nearLimit: usage.used / usage.limit >= USAGE_NEAR_LIMIT_RATIO
+  };
+}
 function pad(s, len) {
   return s + " ".repeat(Math.max(0, len - s.length));
 }
@@ -43479,9 +43511,11 @@ function groupPackages(packages, keyBy = "name") {
     key: keyBy === "fingerprint" ? fingerprint : pkgs[0].name
   })).sort((a, b) => b.packages[0].score - a.packages[0].score);
 }
+var USAGE_NEAR_LIMIT_RATIO;
 var init_format_helpers = __esm({
   "src/ui/format-helpers.ts"() {
     "use strict";
+    USAGE_NEAR_LIMIT_RATIO = 0.8;
   }
 });
 
@@ -43490,8 +43524,8 @@ var FileSavePrompt_exports = {};
 __export(FileSavePrompt_exports, {
   FileSavePrompt: () => FileSavePrompt
 });
-import { existsSync as existsSync15, readdirSync as readdirSync2, writeFileSync as writeFileSync10 } from "node:fs";
-import { dirname as dirname9, join as join9 } from "node:path";
+import { existsSync as existsSync14, readdirSync as readdirSync2, writeFileSync as writeFileSync9 } from "node:fs";
+import { dirname as dirname8, join as join8 } from "node:path";
 function listDirectory(dir) {
   try {
     const raw = readdirSync2(dir, { withFileTypes: true });
@@ -43499,7 +43533,7 @@ function listDirectory(dir) {
       if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;
       return a.name.localeCompare(b.name);
     });
-    if (dirname9(dir) !== dir) {
+    if (dirname8(dir) !== dir) {
       entries.unshift({ name: "..", isDirectory: true });
     }
     return entries;
@@ -43545,11 +43579,11 @@ var import_react28, import_chalk4, import_jsx_runtime5, VISIBLE_ROWS, FileSavePr
 var init_FileSavePrompt = __esm({
   async "src/ui/components/FileSavePrompt.tsx"() {
     "use strict";
-    import_react28 = __toESM(require_react());
+    import_react28 = __toESM(require_react(), 1);
     await init_build2();
-    import_chalk4 = __toESM(require_source());
+    import_chalk4 = __toESM(require_source(), 1);
     await init_useTerminalSize();
-    import_jsx_runtime5 = __toESM(require_jsx_runtime());
+    import_jsx_runtime5 = __toESM(require_jsx_runtime(), 1);
     VISIBLE_ROWS = 15;
     FileSavePrompt = ({
       defaultName,
@@ -43594,13 +43628,13 @@ var init_FileSavePrompt = __esm({
         if (state.focus === "filename") {
           if (key.return) {
             const fullName = ensureJsonExtension(state.filename);
-            const fullPath = join9(state.directory, fullName);
-            if (!state.confirmOverwrite && existsSync15(fullPath)) {
+            const fullPath = join8(state.directory, fullName);
+            if (!state.confirmOverwrite && existsSync14(fullPath)) {
               dispatch({ type: "CONFIRM_OVERWRITE" });
               return;
             }
             try {
-              writeFileSync10(fullPath, json + "\n");
+              writeFileSync9(fullPath, json + "\n");
             } catch (err) {
               const msg = err instanceof Error ? err.message : String(err);
               dispatch({ type: "SET_ERROR", error: `Write failed: ${msg}` });
@@ -43824,7 +43858,7 @@ async function countPythonPackages(depPath, depFile) {
       const parsed = JSON.parse(content);
       return Object.keys(parsed.default || {}).length + Object.keys(parsed.develop || {}).length;
     }
-    if (depFile === "poetry.lock") {
+    if (depFile === "poetry.lock" || depFile === "uv.lock") {
       return (content.match(/^\[\[package\]\]/gm) || []).length;
     }
     return content.split("\n").filter(
@@ -43843,7 +43877,7 @@ var init_count_packages = __esm({
   "src/discover/count-packages.ts"() {
     "use strict";
     NPM_LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"];
-    PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
+    PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock", "uv.lock"];
   }
 });
 
@@ -43854,7 +43888,7 @@ __export(walker_exports, {
   discoverProjectsAsync: () => discoverProjectsAsync
 });
 import { readdir, lstat } from "node:fs/promises";
-import { join as join10, relative } from "node:path";
+import { join as join9, relative } from "node:path";
 async function discoverProjectsAsync(root, opts = {}) {
   const queue = [{ dir: root, depth: 0 }];
   const projects = [];
@@ -43907,7 +43941,7 @@ async function scanDir(dir, depth, _root) {
   for (const lockfile of NPM_LOCKFILES) {
     const e = byName.get(lockfile);
     if (e && e.isFile() && !e.isSymbolicLink()) {
-      const lockPath = join10(dir, lockfile);
+      const lockPath = join9(dir, lockfile);
       if (await isSafeRegularFile(lockPath)) {
         lockfileHits.push({ dir, lockPath, depFile: lockfile, isNpm: true });
       }
@@ -43917,7 +43951,7 @@ async function scanDir(dir, depth, _root) {
   for (const depFile of PYTHON_DEPFILES) {
     const e = byName.get(depFile);
     if (e && e.isFile() && !e.isSymbolicLink()) {
-      const lockPath = join10(dir, depFile);
+      const lockPath = join9(dir, depFile);
       if (await isSafeRegularFile(lockPath)) {
         lockfileHits.push({ dir, lockPath, depFile, isNpm: false });
       }
@@ -43928,7 +43962,7 @@ async function scanDir(dir, depth, _root) {
     for (const e of entries) {
       if (!e.isDirectory() || e.isSymbolicLink()) continue;
       if (SKIP_DIRS.has(e.name) || e.name.startsWith(".")) continue;
-      subdirs.push({ dir: join10(dir, e.name), depth: depth + 1 });
+      subdirs.push({ dir: join9(dir, e.name), depth: depth + 1 });
     }
   }
   return { subdirs, lockfileHits };
@@ -44020,8 +44054,10 @@ async function scanProjectAtPath(cwd2, config, onProgress) {
       };
     }
     const maxScore = allPackages.length > 0 ? Math.max(0, ...allPackages.map((p) => p.score)) : 0;
+    const anyBlock = responses.some((r) => r.action === "block") || allPackages.some((p) => p.action === "block");
+    const anyWarn = responses.some((r) => r.action === "warn") || allPackages.some((p) => p.action === "warn");
     const anyIncomplete = responses.some((r) => r.action === "analysis_incomplete") || allPackages.some((p) => Array.isArray(p.findings) && p.findings.some((f) => f?.id === "analysis_incomplete"));
-    const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
+    const action = anyBlock ? "block" : anyWarn ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
     const safeVersions = {};
     for (const r of responses) Object.assign(safeVersions, r.safeVersions);
     const totalDuration = elapsedMs();
@@ -44147,8 +44183,10 @@ async function scanConsolidated(projectPaths, config, onProgress) {
       };
     }
     const maxScore = allPackages.length > 0 ? Math.max(0, ...allPackages.map((p) => p.score)) : 0;
+    const anyBlock = responses.some((r) => r.action === "block") || allPackages.some((p) => p.action === "block");
+    const anyWarn = responses.some((r) => r.action === "warn") || allPackages.some((p) => p.action === "warn");
     const anyIncomplete = responses.some((r) => r.action === "analysis_incomplete") || allPackages.some((p) => Array.isArray(p.findings) && p.findings.some((f) => f?.id === "analysis_incomplete"));
-    const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
+    const action = anyBlock ? "block" : anyWarn ? "warn" : anyIncomplete ? "analysis_incomplete" : "pass";
     const safeVersions = {};
     for (const r of responses) Object.assign(safeVersions, r.safeVersions);
     const totalDuration = elapsedMs();
@@ -44215,8 +44253,8 @@ __export(allowlist_exports, {
   loadAllowlist: () => loadAllowlist,
   validateAllowlist: () => validateAllowlist
 });
-import { existsSync as existsSync16, readFileSync as readFileSync11 } from "node:fs";
-import { join as join11, dirname as dirname10 } from "node:path";
+import { existsSync as existsSync15, readFileSync as readFileSync10 } from "node:fs";
+import { join as join10, dirname as dirname9 } from "node:path";
 function isExpired(expires) {
   if (!expires) return false;
   const date = new Date(expires);
@@ -44226,9 +44264,9 @@ function isExpired(expires) {
 function findAllowlistFile(startDir) {
   let dir = startDir;
   for (let i = 0; i < 32; i++) {
-    const candidate = join11(dir, ALLOWLIST_FILENAME);
-    if (existsSync16(candidate)) return candidate;
-    const parent = dirname10(dir);
+    const candidate = join10(dir, ALLOWLIST_FILENAME);
+    if (existsSync15(candidate)) return candidate;
+    const parent = dirname9(dir);
     if (parent === dir) return null;
     dir = parent;
   }
@@ -44337,7 +44375,7 @@ function loadAllowlist(cwd2) {
   if (!path2) return null;
   let raw;
   try {
-    raw = JSON.parse(readFileSync11(path2, "utf-8"));
+    raw = JSON.parse(readFileSync10(path2, "utf-8"));
   } catch (e) {
     process.stderr.write(
       `dg: .dg-allowlist.json at ${path2} is not valid JSON (${e.message}). Ignoring.
@@ -44368,30 +44406,23 @@ function packageMatches(entry, pkg, apiKind) {
   if (entry.version && entry.version !== pkg.version) return false;
   return true;
 }
-function derivePackageActionFromFindings(pkg) {
-  const findings = pkg.findings ?? [];
-  if (findings.length === 0) return "pass";
-  const maxSev = findings.reduce((m, f) => Math.max(m, f.severity ?? 0), 0);
-  if (maxSev >= 4) return "block";
-  if (maxSev >= 2) return "warn";
-  return "pass";
-}
 function derivePackageAction(pkg) {
-  if (pkg.action === "block" || pkg.action === "warn" || pkg.action === "pass") return pkg.action;
-  if (pkg.score >= 70) return "block";
-  if (pkg.score >= 60) return "warn";
+  if (pkg.action === "block" || pkg.action === "warn") return pkg.action;
   return "pass";
 }
 function overallAction(packages) {
   let hasBlock = false;
   let hasWarn = false;
+  let hasIncomplete = false;
   for (const p of packages) {
-    const a = derivePackageActionFromFindings(p);
+    const a = derivePackageAction(p);
     if (a === "block") hasBlock = true;
     else if (a === "warn") hasWarn = true;
+    if (p.action === "analysis_incomplete") hasIncomplete = true;
   }
   if (hasBlock) return "block";
   if (hasWarn) return "warn";
+  if (hasIncomplete) return "analysis_incomplete";
   return "pass";
 }
 function applyAllowlist(allowlist, result, apiKind) {
@@ -44423,6 +44454,7 @@ function applyAllowlist(allowlist, result, apiKind) {
   let suppressedCount = 0;
   const filteredPackages = result.packages.map((pkg) => {
     const matchingEntry = activePackages.find((e) => packageMatches(e, pkg, apiKind));
+    const originalCount = (pkg.findings ?? []).length;
     let findings = pkg.findings ?? [];
     if (matchingEntry) {
       if (!matchingEntry.rules) {
@@ -44437,8 +44469,9 @@ function applyAllowlist(allowlist, result, apiKind) {
     const globallySupressed = findings.filter((f) => activeGlobalRules[findingRuleId(f)] !== void 0);
     suppressedCount += globallySupressed.length;
     findings = findings.filter((f) => activeGlobalRules[findingRuleId(f)] === void 0);
-    const newPkg = { ...pkg, findings };
-    return newPkg;
+    const fullyAllowlisted = originalCount > 0 && findings.length === 0;
+    const action = fullyAllowlisted ? "pass" : pkg.action ?? "pass";
+    return { ...pkg, findings, action };
   });
   const newAction = overallAction(filteredPackages);
   return {
@@ -44622,8 +44655,8 @@ __export(audit_dispatcher_exports, {
   recordBypassLocally: () => recordBypassLocally,
   shouldFireAudit: () => shouldFireAudit
 });
-import { appendFileSync as appendFileSync3, mkdirSync as mkdirSync7, existsSync as existsSync17 } from "node:fs";
-import { dirname as dirname11 } from "node:path";
+import { appendFileSync as appendFileSync3, mkdirSync as mkdirSync6, existsSync as existsSync16 } from "node:fs";
+import { dirname as dirname10 } from "node:path";
 function _setPolicyFetcherForTests(fn) {
   _policyOverride = fn;
 }
@@ -44672,8 +44705,8 @@ function bypassLogPath2() {
 function recordBypassLocally(record) {
   try {
     const path2 = bypassLogPath2();
-    const dir = dirname11(path2);
-    if (!existsSync17(dir)) mkdirSync7(dir, { recursive: true, mode: 448 });
+    const dir = dirname10(path2);
+    if (!existsSync16(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
     const full = {
       ts: (/* @__PURE__ */ new Date()).toISOString(),
       cwd: record.cwd ?? process.cwd(),
@@ -44733,10 +44766,11 @@ __export(static_output_exports, {
   runStatic: () => runStatic,
   runStaticLogin: () => runStaticLogin,
   runStaticNpm: () => runStaticNpm,
-  runStaticPip: () => runStaticPip
+  runStaticPip: () => runStaticPip,
+  scanExitCode: () => scanExitCode
 });
-import { writeFileSync as writeFileSync11, readFileSync as readFileSync12, existsSync as existsSync18, mkdirSync as mkdirSync8, lstatSync as lstatSync5 } from "node:fs";
-import { resolve as resolvePath, dirname as dirname12 } from "node:path";
+import { writeFileSync as writeFileSync10, readFileSync as readFileSync11, existsSync as existsSync17, mkdirSync as mkdirSync7, lstatSync as lstatSync5 } from "node:fs";
+import { resolve as resolvePath, dirname as dirname11 } from "node:path";
 function note(config, text) {
   if (config.quiet) return;
   process.stderr.write(text);
@@ -44756,12 +44790,12 @@ function wrapperPackagesFromResult(result, topLevelNames) {
 }
 function loadPackageLockJson(cwd2 = process.cwd()) {
   const path2 = resolvePath(cwd2, "package-lock.json");
-  if (!existsSync18(path2)) return null;
+  if (!existsSync17(path2)) return null;
   try {
     const st = lstatSync5(path2);
     if (!st.isFile()) return null;
     if (st.size > MAX_PACKAGE_LOCK_BYTES) return null;
-    return JSON.parse(readFileSync12(path2, "utf8"));
+    return JSON.parse(readFileSync11(path2, "utf8"));
   } catch {
     return null;
   }
@@ -44769,7 +44803,7 @@ function loadPackageLockJson(cwd2 = process.cwd()) {
 function writeJsonFile(filepath, json) {
   const resolved = resolvePath(filepath);
   try {
-    writeFileSync11(resolved, json + "\n");
+    writeFileSync10(resolved, json + "\n");
     process.stderr.write(import_chalk5.default.green(`  \u2713 Saved to ${resolved}
 
 `));
@@ -44806,7 +44840,7 @@ async function handleJsonOutput(result, config) {
   const localDate = (/* @__PURE__ */ new Date()).toLocaleDateString("sv-SE");
   const defaultName = `dg-scan-${localDate}`;
   const { render: render2 } = await init_build2().then(() => build_exports);
-  const React22 = await Promise.resolve().then(() => __toESM(require_react()));
+  const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
   const { FileSavePrompt: FileSavePrompt2 } = await init_FileSavePrompt().then(() => FileSavePrompt_exports);
   await new Promise((resolve3) => {
     const inkInstance = render2(
@@ -44854,11 +44888,11 @@ function printTrialBanner(result, config) {
   if (process.env.CI === "1" || process.env.CI === "true") return;
   try {
     const stampPath = dgStatePath("trial-banner");
-    const lastMs = existsSync18(stampPath) ? Number(readFileSync12(stampPath, "utf-8").trim()) || 0 : 0;
+    const lastMs = existsSync17(stampPath) ? Number(readFileSync11(stampPath, "utf-8").trim()) || 0 : 0;
     const now = Date.now();
     if (now - lastMs < NUDGE_INTERVAL_MS) return;
-    mkdirSync8(dirname12(stampPath), { recursive: true, mode: 448 });
-    writeFileSync11(stampPath, String(now) + "\n", { mode: 384 });
+    mkdirSync7(dirname11(stampPath), { recursive: true, mode: 448 });
+    writeFileSync10(stampPath, String(now) + "\n", { mode: 384 });
   } catch {
     return;
   }
@@ -44874,7 +44908,7 @@ function handleFreeCapReached2(error, jsonMode = false) {
       hasKey = !!getStoredApiKey();
     } catch {
     }
-    const message = hasKey ? "Your API key may be invalid or expired. Run `dg logout` then `dg login` to re-authenticate." : `Free tier monthly cap reached (${error.scansUsed}/${error.maxScans}). Run \`dg upgrade\` for Pro (5000/mo) or wait until next month.`;
+    const message = hasKey ? "Your API key may be invalid or expired. Run `dg logout` then `dg login` to re-authenticate." : `Free tier monthly package limit reached (${error.scansUsed.toLocaleString()}/${error.maxScans.toLocaleString()}). Run \`dg upgrade\` for Pro or wait until next month.`;
     if (jsonMode) {
       process.stdout.write(JSON.stringify({
         error: true,
@@ -44892,8 +44926,8 @@ function handleFreeCapReached2(error, jsonMode = false) {
       } else {
         process.stderr.write(
           import_chalk5.default.yellow(`
-  Free tier monthly cap reached (${error.scansUsed}/${error.maxScans}).
-`) + import_chalk5.default.white(`  Run \`dg upgrade\` for Pro (5000/mo) or wait until next month.
+  Free tier monthly package limit reached (${error.scansUsed.toLocaleString()}/${error.maxScans.toLocaleString()}).
+`) + import_chalk5.default.white(`  Run \`dg upgrade\` for Pro or wait until next month.
 
 `)
         );
@@ -44915,15 +44949,13 @@ function actionBadge(pkg) {
   if (a === "warn") return { label: "Warn", color: import_chalk5.default.yellow };
   if (a === "pass") return { label: "Pass", color: import_chalk5.default.green };
   if (a === "analysis_incomplete") return { label: "Unknown", color: import_chalk5.default.cyan };
-  if (pkg.score >= 70) return { label: "Block", color: import_chalk5.default.red };
-  if (pkg.score >= 60) return { label: "Warn", color: import_chalk5.default.yellow };
   return { label: "Pass", color: import_chalk5.default.green };
 }
 function isBlocked(p) {
-  return p.action === "block" || p.action === void 0 && p.score >= 70;
+  return p.action === "block";
 }
 function isWarned(p) {
-  return p.action === "warn" || p.action === void 0 && p.score >= 60 && p.score < 70;
+  return p.action === "warn";
 }
 function renderResultClean(result, _config) {
   const lines = [];
@@ -45045,6 +45077,12 @@ function renderResultDetails(result, _config) {
 function renderResultStatic(result, config) {
   return config.details ? renderResultDetails(result, config) : renderResultClean(result, config);
 }
+function scanExitCode(action, mode) {
+  if (action === "block" && mode === "block") return 2;
+  if (action === "block" || action === "warn") return 1;
+  if (action === "analysis_incomplete") return 4;
+  return 0;
+}
 async function runStatic(config) {
   const dbg = (msg) => {
     if (config.debug)
@@ -45107,7 +45145,7 @@ async function runStatic(config) {
 `
     )
   );
-  if (discovery.skipped.length > 0 && config.maxPackages < 1e4) {
+  if (discovery.skipped.length > 0) {
     note(
       config,
       import_chalk5.default.dim(
@@ -45183,34 +45221,31 @@ async function runStatic(config) {
     const sarif = emitSarif2(result, {});
     const outputPath = config.outputFile;
     if (outputPath) {
-      const { writeFileSync: writeFileSync16 } = await import("node:fs");
-      writeFileSync16(outputPath, sarif);
+      const { writeFileSync: writeFileSync15 } = await import("node:fs");
+      writeFileSync15(outputPath, sarif);
       process.stderr.write(import_chalk5.default.green(`  \u2713 Wrote SARIF to ${outputPath}
 `));
     } else {
       process.stdout.write(sarif + "\n");
     }
     printTrialBanner(result, config);
-    if (result.action === "block" && config.mode === "block") process.exit(2);
-    else if (result.action === "block" || result.action === "warn") process.exit(1);
-    process.exit(0);
+    process.exit(scanExitCode(result.action, config.mode));
   }
   const jsonHandled = await handleJsonOutput(result, config);
   if (jsonHandled) {
     printTrialBanner(result, config);
-    if (result.action === "block" && config.mode === "block") process.exit(2);
-    else if (result.action === "block" || result.action === "warn") process.exit(1);
-    process.exit(0);
+    process.exit(scanExitCode(result.action, config.mode));
   }
   const output = renderResultStatic(result, config);
   process.stdout.write(output + "\n");
-  printTrialBanner(result, config);
-  if (result.action === "block" && config.mode === "block") {
-    process.exit(2);
-  } else if (result.action === "block" || result.action === "warn") {
-    process.exit(1);
+  if (result.usage) {
+    const u = formatUsage(result.usage);
+    process.stdout.write(
+      (u.nearLimit ? import_chalk5.default.yellow(`  ${u.text}  \u2191 dg upgrade for Pro`) : import_chalk5.default.dim(`  ${u.text}`)) + "\n"
+    );
   }
-  process.exit(0);
+  printTrialBanner(result, config);
+  process.exit(scanExitCode(result.action, config.mode));
 }
 function mergeProjectConfig(config, _argv) {
   return config;
@@ -45927,7 +45962,7 @@ var import_chalk5, MAX_PACKAGE_LOCK_BYTES, NUDGE_INTERVAL_MS;
 var init_static_output = __esm({
   "src/formatters/static-output.ts"() {
     "use strict";
-    import_chalk5 = __toESM(require_source());
+    import_chalk5 = __toESM(require_source(), 1);
     init_paths();
     init_client();
     init_auth();
@@ -45948,13 +45983,13 @@ __export(status_exports, {
   collectStatusSnapshot: () => collectStatusSnapshot,
   handleStatusCommand: () => handleStatusCommand
 });
-import { existsSync as existsSync19, readFileSync as readFileSync13 } from "node:fs";
-import { join as join12 } from "node:path";
+import { existsSync as existsSync18, readFileSync as readFileSync12 } from "node:fs";
+import { join as join11 } from "node:path";
 import { homedir as homedir6 } from "node:os";
 function readPythonReceipt() {
   try {
-    const { readFileSync: readFileSync18 } = __require("node:fs");
-    const receipt = JSON.parse(readFileSync18(dgStatePath("python-hook-receipt.json"), "utf-8"));
+    const { readFileSync: readFileSync17 } = __require("node:fs");
+    const receipt = JSON.parse(readFileSync17(dgStatePath("python-hook-receipt.json"), "utf-8"));
     const rows = receipt?.results ?? [];
     return rows.map((r) => ({ pythonVersion: r.pythonVersion, status: r.status, reason: r.reason }));
   } catch {
@@ -45997,12 +46032,12 @@ async function collectStatusSnapshot(cliVersion2) {
       authPart.reachable = false;
     }
   }
-  const shimDir2 = join12(homedir6(), ".dg", "shims");
+  const shimDir2 = join11(homedir6(), ".dg", "shims");
   const shimRows = ECOSYSTEMS.map((eco) => {
     const filename = process.platform === "win32" ? `${eco}.cmd` : eco;
     return {
       ecosystem: eco,
-      shimPresent: existsSync19(join12(shimDir2, filename))
+      shimPresent: existsSync18(join11(shimDir2, filename))
     };
   });
   const engineResolvable = isEngineResolvable();
@@ -46010,11 +46045,11 @@ async function collectStatusSnapshot(cliVersion2) {
   const cwd2 = process.cwd();
   const hookPart = { installed: false };
   try {
-    const { existsSync: ex, readFileSync: readFileSync18 } = await import("node:fs");
-    const candidates = [join12(cwd2, ".husky", "pre-commit"), join12(cwd2, ".git", "hooks", "pre-commit")];
+    const { existsSync: ex, readFileSync: readFileSync17 } = await import("node:fs");
+    const candidates = [join11(cwd2, ".husky", "pre-commit"), join11(cwd2, ".git", "hooks", "pre-commit")];
     for (const p of candidates) {
       if (ex(p)) {
-        const content = readFileSync18(p, "utf-8");
+        const content = readFileSync17(p, "utf-8");
         if (content.includes("dependency-guardian")) {
           hookPart.installed = true;
           break;
@@ -46045,8 +46080,8 @@ async function collectStatusSnapshot(cliVersion2) {
 }
 function isEngineResolvable() {
   try {
-    const recorded = readFileSync13(join12(homedir6(), ".dg", "state", "dg-entry"), "utf-8").trim();
-    if (recorded && existsSync19(recorded)) return true;
+    const recorded = readFileSync12(join11(homedir6(), ".dg", "state", "dg-entry"), "utf-8").trim();
+    if (recorded && existsSync18(recorded)) return true;
   } catch {
   }
   try {
@@ -46056,7 +46091,7 @@ function isEngineResolvable() {
   }
 }
 async function renderStatusHuman(s) {
-  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
   const out = [];
   out.push("\n");
   out.push(`  ${chalk18.bold("Dependency Guardian")} ${chalk18.dim(s.update.current)}
@@ -46074,7 +46109,7 @@ async function renderStatusHuman(s) {
     authGlyph = chalk18.green("\u2713");
     authLine = "signed in";
   } else {
-    const usage = s.auth.scansLimit === null ? "unlimited scans" : `${s.auth.scansUsed ?? 0}/${s.auth.scansLimit} scans this month`;
+    const usage = s.auth.scansLimit === null ? "unlimited packages" : `${(s.auth.scansUsed ?? 0).toLocaleString()}/${s.auth.scansLimit.toLocaleString()} packages this month`;
     authGlyph = chalk18.green("\u2713");
     authLine = `${s.auth.tier ?? "free"} tier \xB7 ${usage}`;
   }
@@ -46198,7 +46233,7 @@ var import_chalk6, USAGE2;
 var init_config2 = __esm({
   "src/commands/config.ts"() {
     "use strict";
-    import_chalk6 = __toESM(require_source());
+    import_chalk6 = __toESM(require_source(), 1);
     init_auth();
     USAGE2 = `
   dg config \u2014 view or set persisted CLI preferences
@@ -46304,7 +46339,7 @@ var import_chalk7, SINK_RANKS, CSV_FORMULA_PREFIXES;
 var init_license_export = __esm({
   "src/formatters/license-export.ts"() {
     "use strict";
-    import_chalk7 = __toESM(require_source());
+    import_chalk7 = __toESM(require_source(), 1);
     SINK_RANKS = { "no-license": 2, unknown: 1 };
     CSV_FORMULA_PREFIXES = /* @__PURE__ */ new Set(["=", "+", "-", "@", "	", "\r"]);
   }
@@ -46367,9 +46402,9 @@ var init_ScoreHeader = __esm({
   async "src/ui/components/ScoreHeader.tsx"() {
     "use strict";
     await init_build2();
-    import_chalk8 = __toESM(require_source());
+    import_chalk8 = __toESM(require_source(), 1);
     await init_useTerminalSize();
-    import_jsx_runtime6 = __toESM(require_jsx_runtime());
+    import_jsx_runtime6 = __toESM(require_jsx_runtime(), 1);
     LOGO_DATA = (() => {
       const W = 22, H = 28;
       const grid = Array.from({ length: H }, () => Array(W).fill(0));
@@ -46417,7 +46452,8 @@ var init_ScoreHeader = __esm({
       flagged,
       clean,
       userStatus,
-      scanUsage
+      scanUsage,
+      usageNearLimit
     }) => {
       const logo = renderLogo(action);
       const { cols } = useTerminalSize();
@@ -46457,7 +46493,10 @@ var init_ScoreHeader = __esm({
                     import_chalk8.default.green("all clean")
                   ] })
                 ] }),
-                scanUsage && /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { dimColor: true, children: scanUsage })
+                scanUsage && (usageNearLimit ? /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(Text, { color: "yellow", children: [
+                  scanUsage,
+                  "  \u2191 dg upgrade for Pro"
+                ] }) : /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { dimColor: true, children: scanUsage }))
               ] })
             ] }),
             showLogo && /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Box_default, { flexDirection: "column", marginLeft: 2, children: logo.map((line, i) => /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(Text, { children: line }, i)) })
@@ -46510,7 +46549,7 @@ var import_react29;
 var init_useExpandAnimation = __esm({
   "src/ui/hooks/useExpandAnimation.ts"() {
     "use strict";
-    import_react29 = __toESM(require_react());
+    import_react29 = __toESM(require_react(), 1);
   }
 });
 
@@ -46519,16 +46558,15 @@ var InteractiveResultsView_exports = {};
 __export(InteractiveResultsView_exports, {
   InteractiveResultsView: () => InteractiveResultsView
 });
-import { writeFileSync as writeFileSync12 } from "node:fs";
+import { writeFileSync as writeFileSync11 } from "node:fs";
 import { resolve as resolvePath2 } from "node:path";
 function groupPackages2(packages) {
   return groupPackages(packages, "fingerprint");
 }
-function actionBadge2(score) {
-  if (score >= 70)
-    return { label: "Block", color: import_chalk9.default.red };
-  if (score >= 60)
-    return { label: "Warn", color: import_chalk9.default.yellow };
+function actionBadge2(action) {
+  if (action === "block") return { label: "Block", color: import_chalk9.default.red };
+  if (action === "warn") return { label: "Warn", color: import_chalk9.default.yellow };
+  if (action === "analysis_incomplete") return { label: "Unknown", color: import_chalk9.default.cyan };
   return { label: "Pass", color: import_chalk9.default.green };
 }
 function findingsSummaryHeight(group) {
@@ -46683,16 +46721,16 @@ var import_react30, import_chalk9, import_jsx_runtime7, SEVERITY_LABELS, SEVERIT
 var init_InteractiveResultsView = __esm({
   async "src/ui/components/InteractiveResultsView.tsx"() {
     "use strict";
-    import_react30 = __toESM(require_react());
+    import_react30 = __toESM(require_react(), 1);
     await init_build2();
-    import_chalk9 = __toESM(require_source());
+    import_chalk9 = __toESM(require_source(), 1);
     init_auth();
     await init_ScoreHeader();
     init_useExpandAnimation();
     await init_useTerminalSize();
     init_terminal_state();
     init_format_helpers();
-    import_jsx_runtime7 = __toESM(require_jsx_runtime());
+    import_jsx_runtime7 = __toESM(require_jsx_runtime(), 1);
     SEVERITY_LABELS = {
       5: "CRIT",
       4: "HIGH",
@@ -46721,7 +46759,9 @@ var init_InteractiveResultsView = __esm({
       scanUsage: scanUsageProp,
       initialView
     }) => {
-      const scanUsage = result.freeScansRemaining !== void 0 ? `${result.freeScansRemaining} scans left` : scanUsageProp;
+      const usageDisplay = result.usage ? formatUsage(result.usage) : null;
+      const scanUsage = usageDisplay ? usageDisplay.text : result.freeScansRemaining !== void 0 ? `${result.freeScansRemaining.toLocaleString()} packages left` : scanUsageProp;
+      const usageNearLimit = usageDisplay?.nearLimit ?? false;
       const flagged = (0, import_react30.useMemo)(
         () => result.packages.filter((p) => p.score > 0),
         [result.packages]
@@ -46785,8 +46825,8 @@ var init_InteractiveResultsView = __esm({
         setExportMenu({ scope: defaultScope, format: "json", activeRow: "scope" });
       };
       const buildExportPayload = (scope, currentLicenseIdx) => {
-        const blocked = result.packages.filter((p) => p.score >= 70);
-        const warned = result.packages.filter((p) => p.score >= 60 && p.score < 70);
+        const blocked = result.packages.filter((p) => p.action === "block");
+        const warned = result.packages.filter((p) => p.action === "warn");
         const cleanPkgs = result.packages.filter((p) => p.score === 0);
         const passWithScore = result.packages.filter((p) => p.score > 0 && p.score < 60);
         const summary = {
@@ -46833,7 +46873,7 @@ var init_InteractiveResultsView = __esm({
             name: p.name,
             version: p.version,
             score: p.score,
-            action: p.score >= 70 ? "block" : "warn",
+            action: p.action,
             findings: p.findings.map((f) => ({
               severity: f.severity,
               category: f.category ?? null,
@@ -47024,7 +47064,7 @@ var init_InteractiveResultsView = __esm({
           const scopeTag = scope === "current-license" && currentLicenseIdx !== null ? `${(licenseGroups[currentLicenseIdx]?.spdx ?? "license").replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 32)}` : scope;
           const filename = `dg-scan-${ts}-${scopeTag}.${ext}`;
           const path2 = resolvePath2(process.cwd(), filename);
-          writeFileSync12(path2, body, "utf-8");
+          writeFileSync11(path2, body, "utf-8");
           showExportMsg(`\u2713 Exported to ${filename}`);
         } catch (e) {
           showExportMsg(`Export failed: ${e.message}`);
@@ -47422,7 +47462,8 @@ var init_InteractiveResultsView = __esm({
               flagged: flagged.length,
               clean: clean.length,
               userStatus,
-              scanUsage
+              scanUsage,
+              usageNearLimit
             }
           ),
           /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(Box_default, { flexDirection: "column", borderStyle: "round", borderColor: "cyan", paddingLeft: 2, paddingRight: 2, children: [
@@ -47466,7 +47507,8 @@ var init_InteractiveResultsView = __esm({
               flagged: flagged.length,
               clean: clean.length,
               userStatus,
-              scanUsage
+              scanUsage,
+              usageNearLimit
             }
           ),
           /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(
@@ -47613,7 +47655,8 @@ var init_InteractiveResultsView = __esm({
                 flagged: flagged.length,
                 clean: clean.length,
                 userStatus,
-                scanUsage
+                scanUsage,
+                usageNearLimit
               }
             ),
             /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(Box_default, { flexDirection: "column", borderStyle: "round", borderColor: "cyan", paddingLeft: 2, paddingRight: 2, width: "100%", children: [
@@ -47714,7 +47757,8 @@ var init_InteractiveResultsView = __esm({
               flagged: flagged.length,
               clean: clean.length,
               userStatus,
-              scanUsage
+              scanUsage,
+              usageNearLimit
             }
           ),
           /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(Text, { dimColor: true, children: import_chalk9.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
@@ -47805,7 +47849,7 @@ var init_InteractiveResultsView = __esm({
           setDetailPane(null);
         } else {
           const dpRep = dpGroup.packages[0];
-          const { color: dpColor } = actionBadge2(dpRep.score);
+          const { color: dpColor } = actionBadge2(dpRep.action);
           const dpScroll = detailPane.scroll;
           const dpAbove = dpScroll;
           const dpBelow = Math.max(0, detailLines.length - dpScroll - detailContentRows);
@@ -47820,7 +47864,8 @@ var init_InteractiveResultsView = __esm({
                 flagged: flagged.length,
                 clean: clean.length,
                 userStatus,
-                scanUsage
+                scanUsage,
+                usageNearLimit
               }
             ),
             /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(Text, { dimColor: true, children: import_chalk9.default.dim("\u2500".repeat(Math.max(20, termCols - 4))) }),
@@ -47908,7 +47953,8 @@ var init_InteractiveResultsView = __esm({
             flagged: flagged.length,
             clean: clean.length,
             userStatus,
-            scanUsage
+            scanUsage,
+            usageNearLimit
           }
         ),
         groups.length > 0 && /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(import_jsx_runtime7.Fragment, { children: [
@@ -47936,7 +47982,7 @@ var init_InteractiveResultsView = __esm({
                   const isCursor = globalIdx === clampedCursor;
                   const level = getLevel(globalIdx);
                   const rep = group.packages[0];
-                  const { label, color } = actionBadge2(rep.score);
+                  const { label, color } = actionBadge2(rep.action);
                   const names = groupNames(group);
                   const scoreStr = String(rep.score);
                   const lcInfo = rep.license;
@@ -48260,7 +48306,7 @@ function toAPIResponse(results) {
   };
 }
 async function renderTui(results) {
-  const React22 = (await Promise.resolve().then(() => __toESM(require_react()))).default;
+  const React22 = (await Promise.resolve().then(() => __toESM(require_react(), 1))).default;
   const { render: render2, Box: Box2 } = await init_build2().then(() => build_exports);
   const { InteractiveResultsView: InteractiveResultsView2 } = await init_InteractiveResultsView().then(() => InteractiveResultsView_exports);
   const { enterTui: enterTui2, leaveTui: leaveTui2 } = await Promise.resolve().then(() => (init_terminal_state(), terminal_state_exports));
@@ -48302,7 +48348,7 @@ async function handleLicensesCommand() {
     return;
   }
   const config = parseConfig(process.argv, false);
-  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+  const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
   let discovery;
   try {
     discovery = await discoverLicenseTargets(process.cwd(), config);
@@ -48422,8 +48468,8 @@ __export(publish_check_exports, {
   summarize: () => summarize
 });
 import { spawn as spawn4 } from "node:child_process";
-import { readFileSync as readFileSync14, existsSync as existsSync20, readdirSync as readdirSync3 } from "node:fs";
-import { join as join13, basename as basename2 } from "node:path";
+import { readFileSync as readFileSync13, existsSync as existsSync19, readdirSync as readdirSync3 } from "node:fs";
+import { join as join12, basename as basename2 } from "node:path";
 import { createGunzip } from "node:zlib";
 import { createReadStream } from "node:fs";
 function sanitizeSnippet(s, max = 40) {
@@ -48470,7 +48516,7 @@ async function npmPackDryRun(cwd2 = process.cwd()) {
         }));
         let packageJson;
         try {
-          const raw = readFileSync14(join13(cwd2, "package.json"), "utf-8");
+          const raw = readFileSync13(join12(cwd2, "package.json"), "utf-8");
           packageJson = JSON.parse(raw);
         } catch {
         }
@@ -48482,9 +48528,9 @@ async function npmPackDryRun(cwd2 = process.cwd()) {
   });
 }
 function findPypiArtifacts(cwd2 = process.cwd()) {
-  const dist = join13(cwd2, "dist");
-  if (!existsSync20(dist)) return [];
-  return readdirSync3(dist).filter((f) => f.endsWith(".tar.gz") || f.endsWith(".whl")).map((f) => join13(dist, f));
+  const dist = join12(cwd2, "dist");
+  if (!existsSync19(dist)) return [];
+  return readdirSync3(dist).filter((f) => f.endsWith(".tar.gz") || f.endsWith(".whl")).map((f) => join12(dist, f));
 }
 function scanPayload(files) {
   const findings = [];
@@ -48558,7 +48604,7 @@ async function runNpmPublishCheck(cwd2 = process.cwd()) {
   const payload = pack.files.map((f) => ({
     path: f.path,
     size: f.size,
-    read: () => readFileSync14(join13(cwd2, f.path))
+    read: () => readFileSync13(join12(cwd2, f.path))
   }));
   const findings = scanPayload(payload);
   const scripts = pack.packageJson?.scripts ?? {};
@@ -48806,8 +48852,8 @@ var init_publish_check = __esm({
 });
 
 // src/state/hooks_registry.ts
-import { existsSync as existsSync21, mkdirSync as mkdirSync9, readFileSync as readFileSync15, writeFileSync as writeFileSync13, chmodSync as chmodSync5 } from "node:fs";
-import { dirname as dirname13, isAbsolute as isAbsolute2, normalize as normalize2 } from "node:path";
+import { existsSync as existsSync20, mkdirSync as mkdirSync8, readFileSync as readFileSync14, writeFileSync as writeFileSync12, chmodSync as chmodSync4 } from "node:fs";
+import { dirname as dirname12, isAbsolute as isAbsolute2, normalize as normalize2 } from "node:path";
 import { homedir as homedir7 } from "node:os";
 function registryPath() {
   return dgStatePath("hooks-installed.json");
@@ -48849,10 +48895,10 @@ function validateEntry(raw) {
 }
 function readRegistry() {
   const path2 = registryPath();
-  if (!existsSync21(path2)) return [];
+  if (!existsSync20(path2)) return [];
   let raw;
   try {
-    raw = readFileSync15(path2, "utf-8");
+    raw = readFileSync14(path2, "utf-8");
   } catch {
     return [];
   }
@@ -48874,12 +48920,12 @@ function readRegistry() {
 }
 function writeRegistry(entries) {
   const path2 = registryPath();
-  const parent = dirname13(path2);
-  if (!existsSync21(parent)) mkdirSync9(parent, { recursive: true, mode: 448 });
+  const parent = dirname12(path2);
+  if (!existsSync20(parent)) mkdirSync8(parent, { recursive: true, mode: 448 });
   const payload = { version: 1, entries };
-  writeFileSync13(path2, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
+  writeFileSync12(path2, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
   try {
-    chmodSync5(path2, 384);
+    chmodSync4(path2, 384);
   } catch {
   }
 }
@@ -48925,20 +48971,20 @@ __export(hook_exports, {
 });
 import { createHash } from "node:crypto";
 import {
-  existsSync as existsSync22,
+  existsSync as existsSync21,
   lstatSync as lstatSync6,
-  readFileSync as readFileSync16,
-  writeFileSync as writeFileSync14,
-  mkdirSync as mkdirSync10,
-  chmodSync as chmodSync6,
-  unlinkSync as unlinkSync5
+  readFileSync as readFileSync15,
+  writeFileSync as writeFileSync13,
+  mkdirSync as mkdirSync9,
+  chmodSync as chmodSync5,
+  unlinkSync as unlinkSync4
 } from "node:fs";
-import { join as join14, dirname as dirname14, resolve as resolvePath3, isAbsolute as isAbsolute3 } from "node:path";
+import { join as join13, dirname as dirname13, resolve as resolvePath3, isAbsolute as isAbsolute3 } from "node:path";
 function hashRepoPath(repoPath) {
   return createHash("sha256").update(repoPath).digest("hex");
 }
 function assertSafeWriteTarget(target) {
-  const parent = dirname14(target);
+  const parent = dirname13(target);
   try {
     const parentStat = lstatSync6(parent);
     if (parentStat.isSymbolicLink()) {
@@ -48966,7 +49012,7 @@ function assertSafeWriteTarget(target) {
 }
 function safeWriteFileSync(target, content) {
   assertSafeWriteTarget(target);
-  writeFileSync14(target, content);
+  writeFileSync13(target, content);
 }
 function findHooksDir() {
   try {
@@ -48984,13 +49030,13 @@ function findRepoRoot() {
 }
 function detectHookFramework(repoRoot) {
   const root = repoRoot ?? findRepoRoot();
-  const huskyHook = join14(root, ".husky", "pre-commit");
-  const lefthookConfig = join14(root, "lefthook.yml");
-  const lefthookConfigYaml = join14(root, "lefthook.yaml");
+  const huskyHook = join13(root, ".husky", "pre-commit");
+  const lefthookConfig = join13(root, "lefthook.yml");
+  const lefthookConfigYaml = join13(root, "lefthook.yaml");
   const hooksDir = findHooksDir();
-  const bareHook = join14(hooksDir, "pre-commit");
-  if (existsSync22(huskyHook)) {
-    const content = readFileSync16(huskyHook, "utf-8");
+  const bareHook = join13(hooksDir, "pre-commit");
+  if (existsSync21(huskyHook)) {
+    const content = readFileSync15(huskyHook, "utf-8");
     return {
       framework: "husky",
       targetFile: huskyHook,
@@ -48998,8 +49044,8 @@ function detectHookFramework(repoRoot) {
     };
   }
   for (const cfg of [lefthookConfig, lefthookConfigYaml]) {
-    if (existsSync22(cfg)) {
-      const content = readFileSync16(cfg, "utf-8");
+    if (existsSync21(cfg)) {
+      const content = readFileSync15(cfg, "utf-8");
       const installed2 = /^\s+dependency-guardian\s*:/m.test(content);
       return {
         framework: "lefthook",
@@ -49009,8 +49055,8 @@ function detectHookFramework(repoRoot) {
     }
   }
   let installed = false;
-  if (existsSync22(bareHook)) {
-    installed = readFileSync16(bareHook, "utf-8").includes(HOOK_MARKER);
+  if (existsSync21(bareHook)) {
+    installed = readFileSync15(bareHook, "utf-8").includes(HOOK_MARKER);
   }
   return {
     framework: "bare",
@@ -49019,12 +49065,12 @@ function detectHookFramework(repoRoot) {
   };
 }
 function verifyHookInstalled(info) {
-  if (!existsSync22(info.targetFile)) {
+  if (!existsSync21(info.targetFile)) {
     return { ok: false, reason: `hook file missing: ${info.targetFile}` };
   }
   let content;
   try {
-    content = readFileSync16(info.targetFile, "utf-8");
+    content = readFileSync15(info.targetFile, "utf-8");
   } catch (e) {
     return { ok: false, reason: `cannot read ${info.targetFile}: ${e.message}` };
   }
@@ -49062,7 +49108,7 @@ ${HUSKY_SNIPPET}`;
 
 ${LEFTHOOK_ENTRY}`;
     case "bare":
-      if (existsSync22(info.targetFile)) {
+      if (existsSync21(info.targetFile)) {
         return `Will append to existing hook at ${info.targetFile}:
 ${HOOK_SECTION}`;
       }
@@ -49071,21 +49117,21 @@ ${HOOK_SCRIPT}`;
   }
 }
 function installHuskyHook(targetFile) {
-  const existing = readFileSync16(targetFile, "utf-8");
+  const existing = readFileSync15(targetFile, "utf-8");
   if (existing.includes(HOOK_MARKER)) {
     process.stderr.write("  Hook already installed in Husky.\n");
     return;
   }
   safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HUSKY_SNIPPET);
   try {
-    chmodSync6(targetFile, 493);
+    chmodSync5(targetFile, 493);
   } catch {
   }
   process.stderr.write(`  Appended Dependency Guardian to ${targetFile}
 `);
 }
 function installLefthookHook(targetFile) {
-  const existing = readFileSync16(targetFile, "utf-8");
+  const existing = readFileSync15(targetFile, "utf-8");
   if (/^\s+dependency-guardian\s*:/m.test(existing)) {
     process.stderr.write("  Hook already installed in lefthook.\n");
     return;
@@ -49117,16 +49163,16 @@ function installLefthookHook(targetFile) {
 `);
 }
 function installBareHook(targetFile) {
-  const hooksDir = dirname14(targetFile);
-  mkdirSync10(hooksDir, { recursive: true });
-  if (existsSync22(targetFile)) {
-    const existing = readFileSync16(targetFile, "utf-8");
+  const hooksDir = dirname13(targetFile);
+  mkdirSync9(hooksDir, { recursive: true });
+  if (existsSync21(targetFile)) {
+    const existing = readFileSync15(targetFile, "utf-8");
     if (existing.includes(HOOK_MARKER)) {
       process.stderr.write("  Hook already installed.\n");
       return;
     }
     safeWriteFileSync(targetFile, existing.trimEnd() + "\n" + HOOK_SECTION);
-    chmodSync6(targetFile, 493);
+    chmodSync5(targetFile, 493);
     process.stderr.write(
       `  Appended Dependency Guardian hook to existing ${targetFile}
 `
@@ -49134,7 +49180,7 @@ function installBareHook(targetFile) {
     return;
   }
   safeWriteFileSync(targetFile, HOOK_SCRIPT);
-  chmodSync6(targetFile, 493);
+  chmodSync5(targetFile, 493);
   process.stderr.write(`  Installed git pre-commit hook at ${targetFile}
 `);
 }
@@ -49177,10 +49223,10 @@ async function installHook() {
   }
 }
 function stripDgFromHookFile(hookPath, framework, repoPath) {
-  if (!existsSync22(hookPath)) {
+  if (!existsSync21(hookPath)) {
     return { status: "not-found", hookPath, repoPath };
   }
-  const content = readFileSync16(hookPath, "utf-8");
+  const content = readFileSync15(hookPath, "utf-8");
   if (framework === "lefthook") {
     if (!/^\s+dependency-guardian\s*:/m.test(content)) {
       return { status: "not-found", hookPath, repoPath };
@@ -49197,7 +49243,7 @@ function stripDgFromHookFile(hookPath, framework, repoPath) {
     return { status: "not-found", hookPath, repoPath };
   }
   if (framework === "bare" && content.trimStart().startsWith("#!/bin/sh\n" + HOOK_MARKER)) {
-    unlinkSync5(hookPath);
+    unlinkSync4(hookPath);
     removeEntry(repoPath, hookPath);
     return { status: "removed", hookPath, repoPath };
   }
@@ -49210,7 +49256,7 @@ function stripDgFromHookFile(hookPath, framework, repoPath) {
   const after = content.slice(endIdx + MARKER_END.length).trimStart();
   const remaining = (before + (after ? "\n" + after : "")).trimEnd() + "\n";
   if (remaining.trim() === "" || remaining.trim() === "#!/bin/sh") {
-    unlinkSync5(hookPath);
+    unlinkSync4(hookPath);
   } else {
     safeWriteFileSync(hookPath, remaining);
   }
@@ -49220,10 +49266,10 @@ function stripDgFromHookFile(hookPath, framework, repoPath) {
 function uninstallHookFromRepo(repoRootOverride) {
   const root = repoRootOverride ?? findRepoRoot();
   const hooksDir = findHooksDir();
-  const hookPath = join14(hooksDir, "pre-commit");
-  const huskyPath = join14(root, ".husky", "pre-commit");
-  if (existsSync22(huskyPath)) {
-    const content2 = readFileSync16(huskyPath, "utf-8");
+  const hookPath = join13(hooksDir, "pre-commit");
+  const huskyPath = join13(root, ".husky", "pre-commit");
+  if (existsSync21(huskyPath)) {
+    const content2 = readFileSync15(huskyPath, "utf-8");
     if (content2.includes(HOOK_MARKER)) {
       const startIdx2 = content2.indexOf(MARKER_START);
       const endIdx2 = content2.indexOf(MARKER_END);
@@ -49237,9 +49283,9 @@ function uninstallHookFromRepo(repoRootOverride) {
       }
     }
   }
-  for (const cfg of [join14(root, "lefthook.yml"), join14(root, "lefthook.yaml")]) {
-    if (!existsSync22(cfg)) continue;
-    const content2 = readFileSync16(cfg, "utf-8");
+  for (const cfg of [join13(root, "lefthook.yml"), join13(root, "lefthook.yaml")]) {
+    if (!existsSync21(cfg)) continue;
+    const content2 = readFileSync15(cfg, "utf-8");
     if (/^\s+dependency-guardian\s*:/m.test(content2)) {
       const stripped = content2.replace(
         /^\s+dependency-guardian\s*:\s*\n(?:\s{6,}.*\n)+/gm,
@@ -49250,15 +49296,15 @@ function uninstallHookFromRepo(repoRootOverride) {
       return { status: "removed", hookPath: cfg, repoPath: root };
     }
   }
-  if (!existsSync22(hookPath)) {
+  if (!existsSync21(hookPath)) {
     return { status: "not-found", hookPath, repoPath: root };
   }
-  const content = readFileSync16(hookPath, "utf-8");
+  const content = readFileSync15(hookPath, "utf-8");
   if (!content.includes(HOOK_MARKER)) {
     return { status: "not-found", hookPath, repoPath: root };
   }
   if (content.trimStart().startsWith("#!/bin/sh\n" + HOOK_MARKER)) {
-    unlinkSync5(hookPath);
+    unlinkSync4(hookPath);
     removeEntry(root, hookPath);
     return { status: "removed", hookPath, repoPath: root };
   }
@@ -49272,7 +49318,7 @@ function uninstallHookFromRepo(repoRootOverride) {
     removeEntry(root, hookPath);
     return { status: "removed", hookPath, repoPath: root };
   }
-  unlinkSync5(hookPath);
+  unlinkSync4(hookPath);
   removeEntry(root, hookPath);
   return { status: "removed", hookPath, repoPath: root };
 }
@@ -49426,7 +49472,7 @@ __export(update_exports, {
   runUpdate: () => runUpdate
 });
 import { spawnSync as spawnSync2 } from "node:child_process";
-import { accessSync, constants as constants2, realpathSync, unlinkSync as unlinkSync6 } from "node:fs";
+import { accessSync, constants as constants2, realpathSync, unlinkSync as unlinkSync5 } from "node:fs";
 import { sep as sep3 } from "node:path";
 function parseUpdateArgs(args) {
   return {
@@ -49537,7 +49583,7 @@ function printUpgradeCommand(latest, kind) {
 }
 function invalidateUpdateCache() {
   try {
-    unlinkSync6(dgCachePath("update-check.json"));
+    unlinkSync5(dgCachePath("update-check.json"));
   } catch {
   }
 }
@@ -49661,7 +49707,7 @@ var import_chalk10, PKG_NAME2, FETCH_TIMEOUT_MS, USAGE4;
 var init_update = __esm({
   "src/commands/update.ts"() {
     "use strict";
-    import_chalk10 = __toESM(require_source());
+    import_chalk10 = __toESM(require_source(), 1);
     init_paths();
     init_update_check();
     PKG_NAME2 = "@westbayberry/dg";
@@ -49687,8 +49733,8 @@ var init_update = __esm({
 });
 
 // src/python-hook/install.ts
-import { existsSync as existsSync23, readFileSync as readFileSync17, unlinkSync as unlinkSync7, readdirSync as readdirSync4, statSync as statSync5 } from "node:fs";
-import { dirname as dirname15, join as join15, resolve } from "node:path";
+import { existsSync as existsSync22, readFileSync as readFileSync16, unlinkSync as unlinkSync6, readdirSync as readdirSync4, statSync as statSync4 } from "node:fs";
+import { dirname as dirname14, join as join14, resolve } from "node:path";
 import { spawnSync as spawnSync3 } from "node:child_process";
 import { homedir as homedir8 } from "node:os";
 function probeUserSite(pythonName) {
@@ -49712,8 +49758,8 @@ function uninstallPythonHooks(_opts = {}) {
   const removed = [];
   let receipt = null;
   try {
-    if (existsSync23(receiptPath)) {
-      receipt = JSON.parse(readFileSync17(receiptPath, "utf-8"));
+    if (existsSync22(receiptPath)) {
+      receipt = JSON.parse(readFileSync16(receiptPath, "utf-8"));
     }
   } catch {
     receipt = null;
@@ -49731,9 +49777,9 @@ function uninstallPythonHooks(_opts = {}) {
   }
   for (const site of sites) {
     for (const filename of ["dg_pip_hook.py", "dg_pip_hook.pth"]) {
-      const full = join15(site, filename);
+      const full = join14(site, filename);
       try {
-        if (existsSync23(full)) {
+        if (existsSync22(full)) {
           safeUnlink(full);
           removed.push(full);
         }
@@ -49741,13 +49787,13 @@ function uninstallPythonHooks(_opts = {}) {
       }
     }
     try {
-      const pyCache = join15(site, "__pycache__");
-      if (existsSync23(pyCache) && statSync5(pyCache).isDirectory()) {
+      const pyCache = join14(site, "__pycache__");
+      if (existsSync22(pyCache) && statSync4(pyCache).isDirectory()) {
         for (const f of readdirSync4(pyCache)) {
           if (f.startsWith("dg_pip_hook.")) {
             try {
-              safeUnlink(join15(pyCache, f));
-              removed.push(join15(pyCache, f));
+              safeUnlink(join14(pyCache, f));
+              removed.push(join14(pyCache, f));
             } catch {
             }
           }
@@ -49757,8 +49803,8 @@ function uninstallPythonHooks(_opts = {}) {
     }
   }
   try {
-    if (existsSync23(receiptPath)) {
-      unlinkSync7(receiptPath);
+    if (existsSync22(receiptPath)) {
+      unlinkSync6(receiptPath);
     }
   } catch {
   }
@@ -49789,7 +49835,7 @@ __export(uninstall_exports, {
   parseUninstallArgs: () => parseUninstallArgs,
   runUninstall: () => runUninstall
 });
-import { existsSync as existsSync24, rmSync as rmSync3, unlinkSync as unlinkSync8, statSync as statSync6 } from "node:fs";
+import { existsSync as existsSync23, rmSync as rmSync2, unlinkSync as unlinkSync7 } from "node:fs";
 function parseUninstallArgs(args) {
   return {
     assumeYes: args.includes("--yes") || args.includes("-y"),
@@ -49800,21 +49846,18 @@ function parseUninstallArgs(args) {
 }
 function safeExists(p) {
   try {
-    return existsSync24(p);
+    return existsSync23(p);
   } catch {
     return false;
   }
 }
 function buildPlan(opts) {
   const p = dgPaths();
-  const legacy = legacyPaths();
   const plan = {
     configFiles: [],
     cacheDir: null,
     stateDir: null,
     rootDir: null,
-    legacyFiles: [],
-    legacyDirs: [],
     hooks: [],
     rcCleanup: false
   };
@@ -49823,10 +49866,6 @@ function buildPlan(opts) {
     if (safeExists(p.cacheDir)) plan.cacheDir = p.cacheDir;
     if (safeExists(p.stateDir)) plan.stateDir = p.stateDir;
     if (safeExists(p.root)) plan.rootDir = p.root;
-    for (const f of [legacy.dgrc, legacy.updateCheck]) {
-      if (safeExists(f)) plan.legacyFiles.push(f);
-    }
-    if (safeExists(legacy.cacheDir)) plan.legacyDirs.push(legacy.cacheDir);
     if (!opts.keepHooks) {
       plan.hooks = listEntries();
     }
@@ -49850,10 +49889,6 @@ function printPlan(plan, opts) {
     process.stderr.write(`    ${plan.rootDir}/ (entire tree)
 `);
   }
-  for (const f of plan.legacyFiles) process.stderr.write(`    ${f}  (legacy)
-`);
-  for (const d of plan.legacyDirs) process.stderr.write(`    ${d}/  (legacy)
-`);
   if (plan.hooks.length > 0) {
     process.stderr.write(`    pre-commit hooks in ${plan.hooks.length} repo(s):
 `);
@@ -49916,7 +49951,7 @@ async function revokeApiKey(apiKey) {
 }
 function rmFile(path2) {
   try {
-    unlinkSync8(path2);
+    unlinkSync7(path2);
     return { ok: true };
   } catch (e) {
     const code = e.code;
@@ -49926,20 +49961,12 @@ function rmFile(path2) {
 }
 function rmTree(path2) {
   try {
-    rmSync3(path2, { recursive: true, force: true });
+    rmSync2(path2, { recursive: true, force: true });
     return { ok: true };
   } catch (e) {
     return { ok: false, reason: e.message };
   }
 }
-function isWritableTarget(path2) {
-  try {
-    const st = statSync6(path2);
-    return st.isDirectory() || st.isFile();
-  } catch {
-    return false;
-  }
-}
 async function runUninstall(args) {
   if (args.includes("--help") || args.includes("-h")) {
     process.stdout.write(USAGE5);
@@ -49985,7 +50012,7 @@ async function runUninstall(args) {
   }
   if (!opts.keepHooks && !opts.soft) {
     for (const h of plan.hooks) {
-      if (!existsSync24(h.repoPath)) {
+      if (!existsSync23(h.repoPath)) {
         process.stderr.write(import_chalk11.default.dim(`  \xB7 ${h.repoPath} no longer exists \u2014 skipping registered hook
 `));
         continue;
@@ -50051,22 +50078,6 @@ async function runUninstall(args) {
 `);
     }
   } else {
-    for (const f of plan.legacyFiles) {
-      if (!isWritableTarget(f)) continue;
-      const r = rmFile(f);
-      if (r.ok) process.stderr.write(import_chalk11.default.green("  \u2713 ") + `Removed ${f}
-`);
-      else process.stderr.write(import_chalk11.default.red("  \u2718 ") + `${f}: ${r.reason}
-`);
-    }
-    for (const d of plan.legacyDirs) {
-      if (!isWritableTarget(d)) continue;
-      const r = rmTree(d);
-      if (r.ok) process.stderr.write(import_chalk11.default.green("  \u2713 ") + `Removed ${d}
-`);
-      else process.stderr.write(import_chalk11.default.red("  \u2718 ") + `${d}: ${r.reason}
-`);
-    }
     if (plan.rootDir) {
       const r = rmTree(plan.rootDir);
       if (r.ok) process.stderr.write(import_chalk11.default.green("  \u2713 ") + `Removed ${plan.rootDir}
@@ -50092,7 +50103,7 @@ var import_chalk11, REVOKE_TIMEOUT_MS, USAGE5;
 var init_uninstall = __esm({
   "src/commands/uninstall.ts"() {
     "use strict";
-    import_chalk11 = __toESM(require_source());
+    import_chalk11 = __toESM(require_source(), 1);
     init_paths();
     init_hooks_registry();
     init_hook();
@@ -50116,9 +50127,6 @@ var init_uninstall = __esm({
 
   Removes:
     ~/.dg/        (config + cache + state + hooks registry)
-    ~/.dgrc.json                   (legacy, if still present)
-    ~/.dg/                         (legacy, if still present)
-    ~/.dg-update-check.json        (legacy, if still present)
     every per-repo pre-commit hook installed via 'dg hook install'
     the dg sentinel block in your shell rc files
 
@@ -50135,7 +50143,7 @@ var verify_exports = {};
 __export(verify_exports, {
   handleVerifyCommand: () => handleVerifyCommand
 });
-import { writeFileSync as writeFileSync15 } from "node:fs";
+import { writeFileSync as writeFileSync14 } from "node:fs";
 function detectEcosystem(spec) {
   if (/[<>=!~]=?|~=/.test(spec)) return "pypi";
   if (spec.startsWith("@")) return "npm";
@@ -50250,7 +50258,7 @@ async function callApi(packages, ecosystem, config) {
 }
 function writeOutput(content, outputPath) {
   if (outputPath) {
-    writeFileSync15(outputPath, content);
+    writeFileSync14(outputPath, content);
     process.stderr.write(import_chalk12.default.green(`  \u2713 Wrote ${content.length} bytes to ${outputPath}
 `));
   } else {
@@ -50375,7 +50383,7 @@ var import_chalk12, USAGE6;
 var init_verify = __esm({
   "src/commands/verify.ts"() {
     "use strict";
-    import_chalk12 = __toESM(require_source());
+    import_chalk12 = __toESM(require_source(), 1);
     init_config();
     init_client();
     init_npm_wrapper();
@@ -50434,11 +50442,11 @@ var import_react31, import_jsx_runtime8, ConfettiDemoApp;
 var init_ConfettiDemoApp = __esm({
   async "src/ui/apps/ConfettiDemoApp.tsx"() {
     "use strict";
-    import_react31 = __toESM(require_react());
+    import_react31 = __toESM(require_react(), 1);
     await init_build2();
     await init_Confetti();
     await init_useTerminalSize();
-    import_jsx_runtime8 = __toESM(require_jsx_runtime());
+    import_jsx_runtime8 = __toESM(require_jsx_runtime(), 1);
     ConfettiDemoApp = () => {
       const { exit } = use_app_default();
       const { cols, rows } = useTerminalSize();
@@ -50490,7 +50498,7 @@ var import_react32, USAGE7;
 var init_confetti = __esm({
   "src/commands/confetti.ts"() {
     "use strict";
-    import_react32 = __toESM(require_react());
+    import_react32 = __toESM(require_react(), 1);
     USAGE7 = `
   dg confetti \u2014 preview the terminal confetti effect (dev)
 
@@ -50559,7 +50567,7 @@ function reducer3(_state, action) {
     case "ERROR":
       return { phase: "error", error: action.error };
     case "FREE_CAP_REACHED":
-      return { phase: "free_cap_reached", scansUsed: action.scansUsed, maxScans: action.maxScans };
+      return { phase: "free_cap_reached", scansUsed: action.scansUsed, maxScans: action.maxScans, capReason: action.capReason };
   }
 }
 function useScan(config) {
@@ -50620,7 +50628,7 @@ async function runNpmScan(packages, skippedCount, config, dispatch) {
     dispatch({ type: "SCAN_COMPLETE", result, durationMs: Date.now() - startMs, skippedCount });
   } catch (error) {
     if (error instanceof FreeCapReachedError) {
-      dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans });
+      dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans, capReason: error.reason });
       return;
     }
     const err = error instanceof Error ? error : new Error(String(error));
@@ -50669,7 +50677,6 @@ async function scanProjects(projects, config, dispatch) {
       dispatch({ type: "DISCOVERY_EMPTY", message: "No packages to scan." });
       return;
     }
-    const startMs = Date.now();
     const results = [];
     let completed = 0;
     if (npmPackages.length > 0) {
@@ -50696,22 +50703,11 @@ async function scanProjects(projects, config, dispatch) {
       });
       results.push(pypiResult);
     }
-    const allPackages = results.flatMap((r) => r.packages);
-    const maxScore = Math.max(0, ...allPackages.map((p) => p.score));
-    const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : "pass";
-    const safeVersions = {};
-    for (const r of results) Object.assign(safeVersions, r.safeVersions);
-    const merged = {
-      score: maxScore,
-      action,
-      packages: allPackages,
-      safeVersions,
-      durationMs: Date.now() - startMs
-    };
+    const merged = mergeResponses(results);
     dispatch({ type: "SCAN_COMPLETE", result: merged, durationMs: merged.durationMs, skippedCount: 0, discoveredTotal });
   } catch (error) {
     if (error instanceof FreeCapReachedError) {
-      dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans });
+      dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans, capReason: error.reason });
       return;
     }
     const err = error instanceof Error ? error : new Error(String(error));
@@ -50723,7 +50719,7 @@ var import_react33;
 var init_useScan = __esm({
   "src/ui/hooks/useScan.ts"() {
     "use strict";
-    import_react33 = __toESM(require_react());
+    import_react33 = __toESM(require_react(), 1);
     init_lockfile();
     init_client();
     init_walker();
@@ -50761,12 +50757,12 @@ var import_react34, import_chalk13, import_jsx_runtime9, ProgressBar;
 var init_ProgressBar = __esm({
   async "src/ui/components/ProgressBar.tsx"() {
     "use strict";
-    import_react34 = __toESM(require_react());
+    import_react34 = __toESM(require_react(), 1);
     await init_build2();
     await init_build3();
-    import_chalk13 = __toESM(require_source());
+    import_chalk13 = __toESM(require_source(), 1);
     await init_useTerminalSize();
-    import_jsx_runtime9 = __toESM(require_jsx_runtime());
+    import_jsx_runtime9 = __toESM(require_jsx_runtime(), 1);
     ProgressBar = ({
       value,
       total,
@@ -50863,9 +50859,9 @@ var init_ErrorView = __esm({
   async "src/ui/components/ErrorView.tsx"() {
     "use strict";
     await init_build2();
-    import_chalk14 = __toESM(require_source());
+    import_chalk14 = __toESM(require_source(), 1);
     init_sanitize();
-    import_jsx_runtime10 = __toESM(require_jsx_runtime());
+    import_jsx_runtime10 = __toESM(require_jsx_runtime(), 1);
     ErrorView = ({ error }) => {
       const hint = getHint(error);
       return /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(
@@ -50896,12 +50892,12 @@ var import_react35, import_chalk15, import_jsx_runtime11, ProjectSelector;
 var init_ProjectSelector = __esm({
   async "src/ui/components/ProjectSelector.tsx"() {
     "use strict";
-    import_react35 = __toESM(require_react());
+    import_react35 = __toESM(require_react(), 1);
     await init_build2();
-    import_chalk15 = __toESM(require_source());
+    import_chalk15 = __toESM(require_source(), 1);
     init_sanitize();
     await init_useTerminalSize();
-    import_jsx_runtime11 = __toESM(require_jsx_runtime());
+    import_jsx_runtime11 = __toESM(require_jsx_runtime(), 1);
     ProjectSelector = ({ projects, onConfirm, onCancel, userStatus }) => {
       const [cursor, setCursor] = (0, import_react35.useState)(0);
       const [selected, setSelected] = (0, import_react35.useState)(() => new Set(projects.map((_, i) => i)));
@@ -50996,7 +50992,7 @@ var init_SetupBanner = __esm({
   async "src/ui/components/SetupBanner.tsx"() {
     "use strict";
     await init_build2();
-    import_jsx_runtime12 = __toESM(require_jsx_runtime());
+    import_jsx_runtime12 = __toESM(require_jsx_runtime(), 1);
     SetupBanner = ({ issues }) => {
       if (issues.length === 0) return null;
       return /* @__PURE__ */ (0, import_jsx_runtime12.jsxs)(
@@ -51039,7 +51035,7 @@ var import_react36, import_jsx_runtime13, App2;
 var init_App2 = __esm({
   async "src/ui/App.tsx"() {
     "use strict";
-    import_react36 = __toESM(require_react());
+    import_react36 = __toESM(require_react(), 1);
     await init_build2();
     init_auth();
     init_useScan();
@@ -51051,7 +51047,7 @@ var init_App2 = __esm({
     await init_SetupBanner();
     await init_useTerminalSize();
     init_terminal_state();
-    import_jsx_runtime13 = __toESM(require_jsx_runtime());
+    import_jsx_runtime13 = __toESM(require_jsx_runtime(), 1);
     App2 = ({ config, userStatus, scanUsage, setupIssues = [] }) => {
       const { state, scanSelectedProjects, restartSelection } = useScan(config);
       const { exit } = use_app_default();
@@ -51135,7 +51131,7 @@ var init_App2 = __esm({
             exit();
           }
         }
-        if (state.phase === "trial_exhausted") {
+        if (state.phase === "free_cap_reached") {
           if (input === "q" || key.escape || key.return) {
             process.exitCode = 1;
             leaveAltScreen();
@@ -51188,7 +51184,7 @@ var init_App2 = __esm({
             return /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { dimColor: true, children: state.message });
           case "error":
             return /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(ErrorView, { error: state.error });
-          case "trial_exhausted": {
+          case "free_cap_reached": {
             let hasKey = false;
             try {
               hasKey = !!getStoredApiKey();
@@ -51205,12 +51201,25 @@ var init_App2 = __esm({
                   /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { color: "cyan", bold: true, children: "dg login" }),
                   " to re-authenticate."
                 ] })
-              ] }) : /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(import_jsx_runtime13.Fragment, { children: [
-                /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { color: "yellow", bold: true, children: "You've used your 5 free anonymous scans." }),
+              ] }) : state.capReason === "prefix_cap" ? /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(import_jsx_runtime13.Fragment, { children: [
+                /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { color: "yellow", bold: true, children: "Too many anonymous devices from your network this month." }),
                 /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(Text, { children: [
-                  "Run ",
+                  "Sign in with ",
                   /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { color: "cyan", bold: true, children: "dg login" }),
-                  " to access Dependency Guardian for free."
+                  " to keep scanning."
+                ] })
+              ] }) : /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(import_jsx_runtime13.Fragment, { children: [
+                /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(Text, { color: "yellow", bold: true, children: [
+                  "Free monthly limit reached (",
+                  state.scansUsed.toLocaleString(),
+                  "/",
+                  state.maxScans.toLocaleString(),
+                  " packages)."
+                ] }),
+                /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(Text, { children: [
+                  "Upgrade to Pro with ",
+                  /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { color: "cyan", bold: true, children: "dg upgrade" }),
+                  " for 250k packages/month."
                 ] })
               ] }),
               /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(Text, { children: " " }),
@@ -51240,8 +51249,8 @@ __export(ink_controls_exports, {
   setInkClear: () => setInkClear,
   setInkInstance: () => setInkInstance
 });
-import { resolve as resolve2, dirname as dirname16 } from "node:path";
-import { existsSync as existsSync25 } from "node:fs";
+import { resolve as resolve2, dirname as dirname15 } from "node:path";
+import { existsSync as existsSync24 } from "node:fs";
 function locateInkInstancesPath() {
   let cur;
   try {
@@ -51251,13 +51260,13 @@ function locateInkInstancesPath() {
   }
   while (cur && cur !== "/" && cur !== ".") {
     const candidate = resolve2(cur, "node_modules", "ink", "build", "instances.js");
-    if (existsSync25(candidate)) return candidate;
-    const parent = dirname16(cur);
+    if (existsSync24(candidate)) return candidate;
+    const parent = dirname15(cur);
     if (parent === cur) break;
     cur = parent;
   }
   const cwdCandidate = resolve2(process.cwd(), "node_modules", "ink", "build", "instances.js");
-  if (existsSync25(cwdCandidate)) return cwdCandidate;
+  if (existsSync24(cwdCandidate)) return cwdCandidate;
   return null;
 }
 async function initInkInstances() {
@@ -51581,7 +51590,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
         const result = await opts.callAnalyze(resolved, config);
         if (result.action === "pass") {
           if (exit) exit();
-          const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+          const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
           const line = formatPassLine(result, chalk18);
           process.stderr.write("  " + line + "\n\n");
           const code = await opts.runInstall(parsed.rawArgs);
@@ -51700,7 +51709,7 @@ var import_react37, NPM_OPTIONS, PIP_OPTIONS;
 var init_useWrapperBase = __esm({
   "src/ui/hooks/useWrapperBase.ts"() {
     "use strict";
-    import_react37 = __toESM(require_react());
+    import_react37 = __toESM(require_react(), 1);
     init_client();
     init_npm_wrapper();
     init_pip_wrapper();
@@ -51732,7 +51741,7 @@ var init_DurationLine = __esm({
   async "src/ui/components/DurationLine.tsx"() {
     "use strict";
     await init_build2();
-    import_jsx_runtime14 = __toESM(require_jsx_runtime());
+    import_jsx_runtime14 = __toESM(require_jsx_runtime(), 1);
     DurationLine = ({ ms }) => /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(Text, { dimColor: true, children: [
       "Completed in ",
       (ms / 1e3).toFixed(1),
@@ -51749,9 +51758,10 @@ function severityColor(sev) {
   if (sev >= 2) return import_chalk16.default.dim;
   return import_chalk16.default.dim;
 }
-function actionBadge3(score) {
-  if (score >= 70) return { label: "BLOCK", color: import_chalk16.default.red };
-  if (score >= 60) return { label: "WARN", color: import_chalk16.default.yellow };
+function actionBadge3(action) {
+  if (action === "block") return { label: "BLOCK", color: import_chalk16.default.red };
+  if (action === "warn") return { label: "WARN", color: import_chalk16.default.yellow };
+  if (action === "analysis_incomplete") return { label: "UNKNOWN", color: import_chalk16.default.cyan };
   return { label: "PASS", color: import_chalk16.default.green };
 }
 var import_chalk16, import_jsx_runtime15, SEVERITY_LABELS2, EVIDENCE_LIMIT2, ResultsView;
@@ -51759,11 +51769,11 @@ var init_ResultsView = __esm({
   async "src/ui/components/ResultsView.tsx"() {
     "use strict";
     await init_build2();
-    import_chalk16 = __toESM(require_source());
+    import_chalk16 = __toESM(require_source(), 1);
     await init_ScoreHeader();
     await init_DurationLine();
     init_format_helpers();
-    import_jsx_runtime15 = __toESM(require_jsx_runtime());
+    import_jsx_runtime15 = __toESM(require_jsx_runtime(), 1);
     SEVERITY_LABELS2 = {
       5: "CRITICAL",
       4: "HIGH",
@@ -51803,7 +51813,7 @@ var init_ResultsView = __esm({
           /* @__PURE__ */ (0, import_jsx_runtime15.jsx)(Text, { dimColor: true, children: "\u2500".repeat(60) }),
           groups.map((group) => {
             const rep = group.packages[0];
-            const { label, color } = actionBadge3(rep.score);
+            const { label, color } = actionBadge3(rep.action);
             const names = group.packages.length === 1 ? rep.name : group.packages.length <= 3 ? group.packages.map((p) => p.name).join(", ") : `${group.packages[0].name} + ${group.packages.length - 1} similar`;
             return /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Text, { children: [
               "  ",
@@ -51883,8 +51893,8 @@ var init_ConfirmPrompt = __esm({
     "use strict";
     await init_build2();
     await init_build2();
-    import_chalk17 = __toESM(require_source());
-    import_jsx_runtime16 = __toESM(require_jsx_runtime());
+    import_chalk17 = __toESM(require_source(), 1);
+    import_jsx_runtime16 = __toESM(require_jsx_runtime(), 1);
     ConfirmPrompt = ({
       message,
       onConfirm,
@@ -51935,8 +51945,8 @@ function countSummary(result) {
   let warn = 0;
   let clean = 0;
   for (const p of result.packages) {
-    if (p.score >= 70) block++;
-    else if (p.score >= 60) warn++;
+    if (p.action === "block") block++;
+    else if (p.action === "warn") warn++;
     else clean++;
   }
   return { block, warn, clean };
@@ -51946,7 +51956,7 @@ var init_WrapperVerdictLine = __esm({
   async "src/ui/components/WrapperVerdictLine.tsx"() {
     "use strict";
     await init_build2();
-    import_jsx_runtime17 = __toESM(require_jsx_runtime());
+    import_jsx_runtime17 = __toESM(require_jsx_runtime(), 1);
     WrapperVerdictLine = ({
       result,
       verdict,
@@ -52043,7 +52053,7 @@ var import_react38, import_jsx_runtime18, LABELS, WrapperApp;
 var init_WrapperApp = __esm({
   async "src/ui/apps/WrapperApp.tsx"() {
     "use strict";
-    import_react38 = __toESM(require_react());
+    import_react38 = __toESM(require_react(), 1);
     await init_build2();
     init_auth();
     init_useWrapperBase();
@@ -52052,7 +52062,7 @@ var init_WrapperApp = __esm({
     await init_ConfirmPrompt();
     await init_ErrorView();
     await init_WrapperVerdictLine();
-    import_jsx_runtime18 = __toESM(require_jsx_runtime());
+    import_jsx_runtime18 = __toESM(require_jsx_runtime(), 1);
     LABELS = {
       npm: {
         resolving: (n, s) => `Resolving ${n} package${s}...`,
@@ -52080,7 +52090,7 @@ var init_WrapperApp = __esm({
           const timer = setTimeout(() => exit(), 0);
           return () => clearTimeout(timer);
         }
-        if (state.phase === "trial_exhausted") {
+        if (state.phase === "free_cap_reached") {
           process.exitCode = 1;
           const timer = setTimeout(() => exit(), 0);
           return () => clearTimeout(timer);
@@ -52123,7 +52133,7 @@ var init_WrapperApp = __esm({
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
         case "passthrough":
           return null;
-        case "trial_exhausted": {
+        case "free_cap_reached": {
           let hasKey = false;
           try {
             hasKey = !!getStoredApiKey();
@@ -52215,7 +52225,7 @@ var import_chalk18, INSTALL_COMMANDS3, adapter;
 var init_conda_wrapper = __esm({
   "src/commands/conda-wrapper.ts"() {
     "use strict";
-    import_chalk18 = __toESM(require_source());
+    import_chalk18 = __toESM(require_source(), 1);
     init_wrapper_shared();
     init_resolve();
     init_install();
@@ -53028,7 +53038,7 @@ var import_chalk19;
 var init_wrapper_factory = __esm({
   "src/commands/wrapper-factory.ts"() {
     "use strict";
-    import_chalk19 = __toESM(require_source());
+    import_chalk19 = __toESM(require_source(), 1);
     init_client();
     init_resolve();
     init_install();
@@ -53065,253 +53075,10 @@ function closestCommand(input, commands) {
   return bestDist <= 3 ? best : null;
 }
 
-// src/migrate.ts
-init_paths();
-import {
-  existsSync as existsSync4,
-  mkdirSync as mkdirSync3,
-  readFileSync as readFileSync4,
-  writeFileSync as writeFileSync3,
-  copyFileSync,
-  unlinkSync as unlinkSync3,
-  rmSync,
-  chmodSync as chmodSync3,
-  statSync,
-  openSync as openSync2,
-  closeSync as closeSync2,
-  constants as fsConstants2
-} from "node:fs";
-import { dirname as dirname4 } from "node:path";
-var README = `dependency-guardian \u2014 local state for the dg CLI.
-
-  config.json                 your account + preferences (mode 0600)
-  cache/update-check.json     latest-version probe (24h TTL)
-  state/aliases.sh            optional shell aliases (npm/pip wrappers)
-  state/auth-status.json      60s cache of /v1/auth/status
-  state/trial-banner          throttle stamp for the trial nudge
-  state/bypass-log.jsonl      append-only log of install-wrapper bypasses
-  state/hooks-installed.json  registry of git hooks dg installed
-
-To remove everything dg has written to your machine, run:
-  dg uninstall
-
-This directory is created and managed by the dg CLI. Safe to delete.
-`;
-function ensureDir(path2, mode) {
-  if (!existsSync4(path2)) {
-    mkdirSync3(path2, { recursive: true, mode });
-  }
-  try {
-    chmodSync3(path2, mode);
-  } catch {
-  }
-}
-function moveFile(from, to, mode) {
-  const parent = dirname4(to);
-  ensureDir(parent, 448);
-  copyFileSync(from, to);
-  try {
-    chmodSync3(to, mode);
-  } catch {
-  }
-  if (statSync(to).size !== statSync(from).size) {
-    throw new Error(`size mismatch after copy: ${from} -> ${to}`);
-  }
-  unlinkSync3(from);
-}
-function isPidAlive(pid) {
-  if (!Number.isInteger(pid) || pid <= 0) return false;
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch (e) {
-    const code = e.code;
-    return code === "EPERM";
-  }
-}
-var LOCK_STALE_MS = 6e4;
-function acquireLock(lockPath) {
-  ensureDir(dirname4(lockPath), 448);
-  if (existsSync4(lockPath)) {
-    let stale = false;
-    try {
-      const raw = readFileSync4(lockPath, "utf-8").trim();
-      const data = JSON.parse(raw);
-      const age = Date.now() - (data.at ?? 0);
-      const dead = !isPidAlive(data.pid ?? 0);
-      stale = dead || age > LOCK_STALE_MS;
-    } catch {
-      stale = true;
-    }
-    if (!stale) return "held";
-    try {
-      unlinkSync3(lockPath);
-    } catch {
-    }
-  }
-  let fd;
-  try {
-    fd = openSync2(lockPath, fsConstants2.O_CREAT | fsConstants2.O_EXCL | fsConstants2.O_WRONLY, 384);
-  } catch {
-    return "stale-held";
-  }
-  try {
-    writeFileSync3(lockPath, JSON.stringify({ pid: process.pid, at: Date.now() }) + "\n");
-  } catch {
-  }
-  return { fd, lockPath };
-}
-function releaseLock(state) {
-  if (state.fd !== null) {
-    try {
-      closeSync2(state.fd);
-    } catch {
-    }
-  }
-  try {
-    unlinkSync3(state.lockPath);
-  } catch {
-  }
-}
-function rollback(moves) {
-  for (const m of moves) {
-    try {
-      if (existsSync4(m.to) && !existsSync4(m.from)) {
-        copyFileSync(m.to, m.from);
-        unlinkSync3(m.to);
-      }
-    } catch {
-    }
-  }
-}
-function detectLegacy() {
-  const legacy = legacyPaths();
-  return existsSync4(legacy.dgrc) || existsSync4(legacy.updateCheck) || existsSync4(legacy.aliasesShOld) || existsSync4(legacy.depGuardianDir);
-}
-function validateLegacyConfig(path2) {
-  let raw;
-  try {
-    const st = statSync(path2);
-    if (!st.isFile()) return { ok: false, reason: "not a regular file" };
-    if (st.size > 1e6) return { ok: false, reason: `file too large (${st.size} bytes)` };
-    raw = readFileSync4(path2, "utf-8");
-  } catch (e) {
-    return { ok: false, reason: e.message };
-  }
-  let parsed;
-  try {
-    const stripped = raw.charCodeAt(0) === 65279 ? raw.slice(1) : raw;
-    parsed = JSON.parse(stripped);
-  } catch (e) {
-    return { ok: false, reason: `invalid JSON: ${e.message}` };
-  }
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    return { ok: false, reason: "config root is not an object" };
-  }
-  return { ok: true, data: parsed };
-}
-function runMigrationIfNeeded() {
-  const p = dgPaths();
-  if (existsSync4(p.migrationBreadcrumb)) {
-    return { status: "no-op" };
-  }
-  if (!detectLegacy()) {
-    return { status: "no-op" };
-  }
-  ensureDir(p.root, 448);
-  const lock = acquireLock(p.migrationLock);
-  if (lock === "held" || lock === "stale-held") {
-    return { status: "skipped", reason: "another dg process is migrating" };
-  }
-  const legacy = legacyPaths();
-  const moves = [];
-  let movedCount = 0;
-  try {
-    if (existsSync4(legacy.dgrc)) {
-      const validation = validateLegacyConfig(legacy.dgrc);
-      if (!validation.ok) {
-        releaseLock(lock);
-        return {
-          status: "failed",
-          reason: `~/.dgrc.json could not be read (${validation.reason}). Fix or remove the file and re-run dg.`
-        };
-      }
-      ensureDir(p.configDir, 448);
-      writeFileSync3(p.config, JSON.stringify(validation.data, null, 2) + "\n", { mode: 384 });
-      try {
-        chmodSync3(p.config, 384);
-      } catch {
-      }
-      try {
-        unlinkSync3(legacy.dgrc);
-      } catch {
-      }
-      moves.push({ from: legacy.dgrc, to: p.config });
-      movedCount++;
-    }
-    ensureDir(p.cacheDir, 448);
-    if (existsSync4(legacy.updateCheck)) {
-      moveFile(legacy.updateCheck, p.updateCheck, 384);
-      moves.push({ from: legacy.updateCheck, to: p.updateCheck });
-      movedCount++;
-    }
-    ensureDir(p.stateDir, 448);
-    if (existsSync4(legacy.aliasesShOld)) {
-      moveFile(legacy.aliasesShOld, p.aliasesSh, 420);
-      moves.push({ from: legacy.aliasesShOld, to: p.aliasesSh });
-      movedCount++;
-    }
-    if (existsSync4(legacy.depGuardianDir) && legacy.depGuardianDir !== p.root) {
-      const candidates = [
-        { from: join(legacy.depGuardianDir, "config.json"), to: p.config, mode: 384 },
-        { from: join(legacy.depGuardianDir, "cache", "update-check.json"), to: p.updateCheck, mode: 384 },
-        { from: join(legacy.depGuardianDir, "state", "aliases.sh"), to: p.aliasesSh, mode: 420 },
-        { from: join(legacy.depGuardianDir, "state", "hooks-installed.json"), to: p.hooksRegistry, mode: 384 },
-        { from: join(legacy.depGuardianDir, "aliases.sh"), to: p.aliasesSh, mode: 420 }
-      ];
-      for (const c of candidates) {
-        if (existsSync4(c.from) && !existsSync4(c.to)) {
-          moveFile(c.from, c.to, c.mode);
-          moves.push({ from: c.from, to: c.to });
-          movedCount++;
-        }
-      }
-      try {
-        rmSync(legacy.depGuardianDir, { recursive: true, force: true });
-      } catch {
-      }
-    }
-    try {
-      if (existsSync4(legacy.cacheDir) && legacy.cacheDir !== p.root) {
-        rmSync(legacy.cacheDir, { recursive: true, force: true });
-      }
-    } catch {
-    }
-    try {
-      writeFileSync3(p.readme, README, { mode: 420 });
-    } catch {
-    }
-    writeFileSync3(p.migrationBreadcrumb, (/* @__PURE__ */ new Date()).toISOString() + "\n", { mode: 384 });
-    releaseLock(lock);
-    if (process.stderr.isTTY) {
-      process.stderr.write(
-        `dg: reorganized local state into ${p.root} (one-time, ${movedCount} file${movedCount === 1 ? "" : "s"}; see README inside).
-`
-      );
-    }
-    return { status: "migrated", movedCount };
-  } catch (e) {
-    rollback(moves);
-    releaseLock(lock);
-    return { status: "failed", reason: e.message };
-  }
-}
-
 // src/bin.ts
 init_terminal_state();
 var CLI_VERSION = getVersion();
 initTelemetry(CLI_VERSION);
-runMigrationIfNeeded();
 function setProcessTitle(title) {
   try {
     process.title = title;
@@ -53343,16 +53110,16 @@ async function maybeShowWiringHint(rawCommand) {
   const SKIP = /* @__PURE__ */ new Set(["uninstall", "__wrap", "version", "--version", "-v", "help", "--help", "-h"]);
   if (SKIP.has(rawCommand)) return;
   try {
-    const { existsSync: existsSync26 } = await import("node:fs");
-    const { join: join16 } = await import("node:path");
+    const { existsSync: existsSync25 } = await import("node:fs");
+    const { join: join15 } = await import("node:path");
     const { homedir: homedir9 } = await import("node:os");
     const { dgStatePath: dgStatePath2 } = await Promise.resolve().then(() => (init_paths(), paths_exports));
-    const receiptPath = join16(homedir9(), ".dg", "state", "install-receipt.json");
-    const shimPath = join16(homedir9(), ".dg", "shims", "npm");
+    const receiptPath = join15(homedir9(), ".dg", "state", "install-receipt.json");
+    const shimPath = join15(homedir9(), ".dg", "shims", "npm");
     const hintMarker = dgStatePath2("wiring-hint-shown");
-    if (existsSync26(receiptPath) || existsSync26(shimPath)) return;
-    if (existsSync26(hintMarker)) return;
-    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    if (existsSync25(receiptPath) || existsSync25(shimPath)) return;
+    if (existsSync25(hintMarker)) return;
+    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
     process.stderr.write(
       `
   ${chalk18.yellow("\u2139 Shell wiring not detected.")} Reinstall with ${chalk18.cyan("npm install -g @westbayberry/dg")}
@@ -53361,10 +53128,10 @@ async function maybeShowWiringHint(rawCommand) {
 `
     );
     try {
-      const { writeFileSync: writeFileSync16, mkdirSync: mkdirSync11 } = await import("node:fs");
-      const { dirname: dirname17 } = await import("node:path");
-      mkdirSync11(dirname17(hintMarker), { recursive: true });
-      writeFileSync16(hintMarker, (/* @__PURE__ */ new Date()).toISOString());
+      const { writeFileSync: writeFileSync15, mkdirSync: mkdirSync10 } = await import("node:fs");
+      const { dirname: dirname16 } = await import("node:path");
+      mkdirSync10(dirname16(hintMarker), { recursive: true });
+      writeFileSync15(hintMarker, (/* @__PURE__ */ new Date()).toISOString());
     } catch {
     }
   } catch {
@@ -53395,7 +53162,7 @@ async function main() {
   }
   const KNOWN_COMMANDS = ["scan", "licenses", "login", "logout", "upgrade", "status", "hook", "config", "update", "help", "version", "publish-check", "uninstall", "verify", "gallery", "confetti", "__wrap"];
   if (rawCommand && !rawCommand.startsWith("-") && !KNOWN_COMMANDS.includes(rawCommand)) {
-    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
     const best = closestCommand(rawCommand, KNOWN_COMMANDS);
     const hint = best ? ` Did you mean '${best}'?` : "";
     process.stderr.write(`
@@ -53431,7 +53198,7 @@ async function main() {
     const loginArgs = process.argv.slice(3);
     const parsed = parseLoginArgs2(loginArgs);
     if (parsed.kind === "unknown-flag") {
-      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
       process.stderr.write(`
   ${chalk18.red("Error:")} Unknown option '${parsed.flag}'.
 `);
@@ -53441,7 +53208,7 @@ async function main() {
       process.exit(1);
     }
     if (parsed.kind === "missing-value") {
-      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
       process.stderr.write(`
   ${chalk18.red("Error:")} ${parsed.flag} requires a value.
 
@@ -53454,7 +53221,7 @@ async function main() {
     }
     if (isInteractive) {
       const { render: render2 } = await init_build2().then(() => build_exports);
-      const React22 = await Promise.resolve().then(() => __toESM(require_react()));
+      const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
       const { LoginApp: LoginApp2 } = await init_LoginApp().then(() => LoginApp_exports);
       const { waitUntilExit } = render2(React22.createElement(LoginApp2));
       await waitUntilExit();
@@ -53498,11 +53265,11 @@ async function main() {
       if (v === "npm" || v === "pypi") ecosystem = v;
     }
     const { runNpmPublishCheck: runNpmPublishCheck2, runPypiPublishCheck: runPypiPublishCheck2, renderPublishCheckResult: renderPublishCheckResult2 } = await Promise.resolve().then(() => (init_publish_check(), publish_check_exports));
-    const { existsSync: existsSync26 } = await import("node:fs");
-    const { join: join16 } = await import("node:path");
+    const { existsSync: existsSync25 } = await import("node:fs");
+    const { join: join15 } = await import("node:path");
     if (ecosystem === "auto") {
-      if (existsSync26(join16(process.cwd(), "package.json"))) ecosystem = "npm";
-      else if (existsSync26(join16(process.cwd(), "pyproject.toml")) || existsSync26(join16(process.cwd(), "setup.py"))) ecosystem = "pypi";
+      if (existsSync25(join15(process.cwd(), "package.json"))) ecosystem = "npm";
+      else if (existsSync25(join15(process.cwd(), "pyproject.toml")) || existsSync25(join15(process.cwd(), "setup.py"))) ecosystem = "pypi";
       else {
         process.stderr.write("\n  publish-check: no package.json, pyproject.toml, or setup.py in current directory.\n  Pass --ecosystem npm|pypi explicitly if your project layout differs.\n\n");
         process.exit(3);
@@ -53513,7 +53280,7 @@ async function main() {
       if (wantJson) {
         process.stdout.write(JSON.stringify({ ok: false, error: out.errorMessage }) + "\n");
       } else {
-        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
         process.stderr.write(`
   ${chalk18.red("publish-check error:")} ${out.errorMessage}
 
@@ -53557,7 +53324,7 @@ async function main() {
     await handleHookCommand2(process.argv.slice(3));
     const updateMsg = await updatePromise2;
     if (updateMsg) {
-      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
       process.stderr.write(chalk18.dim(updateMsg));
     }
     return;
@@ -53589,7 +53356,7 @@ async function main() {
   }
   if (rawCommand === "logout") {
     const { getStoredApiKey: getStoredApiKey2, clearCredentials: clearCredentials2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
-    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
     const apiKey = getStoredApiKey2();
     if (apiKey) {
       const { parseConfig: parseConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
@@ -53616,7 +53383,7 @@ async function main() {
       await preflightAuthCheck2(config.apiUrl);
     } catch (err) {
       if (err instanceof PreflightFreeCapReachedError2) {
-        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
         const { getStoredApiKey: getStoredApiKey2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
         const hasKey = !!getStoredApiKey2();
         process.stderr.write("\n");
@@ -53624,11 +53391,16 @@ async function main() {
           process.stderr.write(chalk18.yellow("  Your API key may be invalid or expired.\n"));
           process.stderr.write(`  Run ${chalk18.cyan("dg logout")} then ${chalk18.cyan("dg login")} to re-authenticate.
 
+`);
+        } else if (err.reason === "prefix_cap") {
+          process.stderr.write(chalk18.yellow("  Too many anonymous devices from your network this month (anti-abuse limit).\n"));
+          process.stderr.write(`  Sign in with ${chalk18.cyan("dg login")} to keep scanning.
+
 `);
         } else {
-          process.stderr.write(chalk18.yellow(`  Free tier monthly cap reached (${err.scansUsed}/${err.maxScans}).
+          process.stderr.write(chalk18.yellow(`  Free tier monthly package limit reached (${err.scansUsed.toLocaleString()}/${err.maxScans.toLocaleString()} packages).
 `));
-          process.stderr.write(`  Run ${chalk18.cyan("dg upgrade")} for Pro (5000/mo) or wait until next month.
+          process.stderr.write(`  Run ${chalk18.cyan("dg upgrade")} for Pro or wait until next month.
 
 `);
         }
@@ -53643,13 +53415,13 @@ async function main() {
       await runStatic2(config);
     } else {
       if (config.mode === "off") {
-        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
         process.stderr.write(chalk18.dim("  Dependency Guardian: mode is off \u2014 skipping.\n"));
         process.exit(0);
       }
       const { getStoredApiKey: getStoredApiKey2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
       const apiKey = getStoredApiKey2();
-      const chalkMod = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      const chalkMod = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
       const loginChip = chalkMod.cyan.bold("dg login");
       const freeTierStatus = `${chalkMod.dim("free tier \xB7")} ${loginChip} ${chalkMod.dim("for more")}`;
       const sessionExpiredStatus = `${chalkMod.dim("session expired \xB7")} ${loginChip}`;
@@ -53667,14 +53439,12 @@ async function main() {
             const tier = data.tier || "free";
             const tierColor = tier === "free" ? chalkMod.yellow(tier) : chalkMod.green(tier);
             userStatus = `${chalkMod.dim(name)} ${chalkMod.dim("\xB7")} ${tierColor}`;
-            if (data.scansLimit === null || data.scansLimit === void 0) {
-              scanUsage = "unlimited scans";
-            } else {
-              const used = data.scansUsed ?? 0;
-              const limit = data.scansLimit;
-              const remaining = limit - used;
-              scanUsage = `${remaining}/${limit} scans left`;
-            }
+            const { formatUsage: formatUsage2 } = await Promise.resolve().then(() => (init_format_helpers(), format_helpers_exports));
+            scanUsage = formatUsage2({
+              used: data.scansUsed ?? 0,
+              limit: data.scansLimit ?? null,
+              tier
+            }).text;
           } else if (resp.status === 401) {
             userStatus = sessionExpiredStatus;
           } else {
@@ -53687,7 +53457,7 @@ async function main() {
       const { getSetupIssues: getSetupIssues2 } = await Promise.resolve().then(() => (init_setup_status(), setup_status_exports));
       const setupIssues = getSetupIssues2(process.cwd());
       const { render: render2 } = await init_build2().then(() => build_exports);
-      const React22 = await Promise.resolve().then(() => __toESM(require_react()));
+      const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
       const { App: App3 } = await init_App2().then(() => App_exports);
       const { setInkInstance: setInkInstance2, resetInkClear: resetInkClear2, initInkInstances: initInkInstances2, patchInkLogForAbsolutePositioning: patchInkLogForAbsolutePositioning2 } = await Promise.resolve().then(() => (init_ink_controls(), ink_controls_exports));
       await initInkInstances2();
@@ -53702,7 +53472,7 @@ async function main() {
     }
     const updateMsg = await updatePromise;
     if (updateMsg) {
-      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+      const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
       process.stderr.write(chalk18.dim(updateMsg));
     }
     try {
@@ -53778,7 +53548,7 @@ async function handleWrapInternal(argv) {
       return 0;
     }
     const { render: render2 } = await init_build2().then(() => build_exports);
-    const React22 = await Promise.resolve().then(() => __toESM(require_react()));
+    const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
     const { WrapperApp: WrapperApp2 } = await init_WrapperApp().then(() => WrapperApp_exports);
     const { waitUntilExit } = render2(
       React22.createElement(WrapperApp2, { config, args: wrapperArgs, ecosystem: "npm" })
@@ -53793,7 +53563,7 @@ async function handleWrapInternal(argv) {
       return 0;
     }
     const { render: render2 } = await init_build2().then(() => build_exports);
-    const React22 = await Promise.resolve().then(() => __toESM(require_react()));
+    const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
     const { WrapperApp: WrapperApp2 } = await init_WrapperApp().then(() => WrapperApp_exports);
     const { waitUntilExit } = render2(
       React22.createElement(WrapperApp2, { config, args: wrapperArgs, ecosystem: "pypi" })
@@ -53838,7 +53608,7 @@ main().catch(async (err) => {
       authenticated: isAuthed
     });
     await flush();
-    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source()))).default;
+    const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
     const color = err.securityRelease ? chalk18.bold.red : chalk18.yellow;
     if (process.argv.includes("--json")) {
       process.stdout.write(JSON.stringify({
@@ -53876,7 +53646,7 @@ main().catch(async (err) => {
     }, null, 2) + "\n");
   } else {
     try {
-      const chalkMod = await Promise.resolve().then(() => __toESM(require_source()));
+      const chalkMod = await Promise.resolve().then(() => __toESM(require_source(), 1));
       process.stderr.write(`
   ${chalkMod.default.bold.red("Error:")} ${err.message}