@westbayberry/dg 1.3.2 → 2.0.0

package/dist/scan-ui/components/InteractiveResultsView.js

@@ -0,0 +1,1166 @@
+import { jsxs as _jsxs, jsx as _jsx, Fragment as _Fragment } from "react/jsx-runtime";
+import { useReducer, useMemo, useRef, useEffect, useState } from "react";
+import { Box, Text, useInput } from "ink";
+import chalk from "chalk";
+import { writeFileSync } from "node:fs";
+import { resolve as resolvePath } from "node:path";
+import { isLoggedIn } from "../shims.js";
+import { ScoreHeader } from "./ScoreHeader.js";
+import { useExpandAnimation } from "../hooks/useExpandAnimation.js";
+import { useTerminalSize } from "../hooks/useTerminalSize.js";
+import { clearScreen } from "../alt-screen.js";
+import { pad, truncate, groupPackages as sharedGroupPackages, formatUsage } from "../format-helpers.js";
+function groupPackages(packages) {
+    return sharedGroupPackages(packages, "fingerprint");
+}
+const SEVERITY_LABELS = {
+    5: "CRIT",
+    4: "HIGH",
+    3: "MED",
+    2: "LOW",
+    1: "INFO",
+};
+const SEVERITY_COLORS = {
+    5: (s) => chalk.red.bold(s),
+    4: (s) => chalk.red(s),
+    3: (s) => chalk.yellow(s),
+    2: (s) => chalk.cyan(s),
+    1: (s) => chalk.gray(s),
+};
+function actionBadge(action) {
+    // Scanner is the source of truth — badge from the server's action, not score.
+    if (action === "block")
+        return { label: "Block", color: chalk.red };
+    if (action === "warn")
+        return { label: "Warn", color: chalk.yellow };
+    if (action === "analysis_incomplete")
+        return { label: "Unknown", color: chalk.cyan };
+    return { label: "Pass", color: chalk.green };
+}
+const EVIDENCE_LIMIT = 2;
+// Fixed lines outside the scrollable group area:
+//  5  ScoreHeader box  |  2  Flagged box top  |  2  scroll indicators
+//  1  Flagged box bottom  |  4  Clean/Duration box  |  1  help bar  |  1  margin
+const FIXED_CHROME = 21;
+function firstPackage(group) {
+    const rep = group.packages[0];
+    if (!rep)
+        throw new Error("package group cannot be empty");
+    return rep;
+}
+function findingsSummaryHeight(group) {
+    const rep = firstPackage(group);
+    const visibleFindings = rep.findings.filter((f) => f.severity > 1);
+    const isFree = visibleFindings.length > 0 && !visibleFindings[0]?.title;
+    let h = 0;
+    if (rep.license)
+        h += 1; // license info line
+    if (isFree) {
+        // Free tier: just the upgrade prompt line
+        h += 1;
+    }
+    else if (visibleFindings.length > 0) {
+        // Paid tier: one line per finding
+        h += visibleFindings.length;
+    }
+    else if (rep.score > 0) {
+        h += 1; // score-only fallback
+    }
+    if (group.packages.length > 3)
+        h += 1;
+    return h;
+}
+function findingsDetailHeight(group, safeVersions) {
+    const rep = firstPackage(group);
+    const visibleFindings = rep.findings
+        .filter((f) => f.severity > 1)
+        .sort((a, b) => b.severity - a.severity);
+    let h = 0;
+    if (rep.license)
+        h += 1; // license info line
+    if (group.packages.length > 3)
+        h += 1;
+    // Free tier: reasons + upgrade hint
+    if (visibleFindings.length === 0 && rep.score > 0) {
+        h += (rep.reasons ?? []).length;
+        h += 1; // upgrade hint
+    }
+    const hasEvidence = visibleFindings.some((f) => f.evidence && f.evidence.length > 0);
+    for (const finding of visibleFindings) {
+        h += 1; // badge + id
+        h += 1; // title
+        const evidence = finding.evidence ?? [];
+        h += Math.min(evidence.length, EVIDENCE_LIMIT);
+        if (evidence.length > EVIDENCE_LIMIT)
+            h += 1;
+    }
+    // Upgrade hint for pro tier (findings but no evidence)
+    if (visibleFindings.length > 0 && !hasEvidence)
+        h += 1;
+    if (rep.recommendation)
+        h += 1;
+    if (safeVersions[rep.name])
+        h += 1;
+    return h;
+}
+function groupRowHeight(group, level, safeVersions) {
+    if (level === null)
+        return 1;
+    if (level === "summary")
+        return 1 + findingsSummaryHeight(group);
+    return 1 + findingsDetailHeight(group, safeVersions);
+}
+function nameVer(p) {
+    return p.version ? `${p.name}@${p.version}` : p.name;
+}
+function groupNames(group) {
+    if (group.packages.length === 1)
+        return nameVer(firstPackage(group));
+    if (group.packages.length <= 3)
+        return group.packages.map(nameVer).join(", ");
+    return `${nameVer(firstPackage(group))} + ${group.packages.length - 1} similar`;
+}
+function affectsLine(group) {
+    const labels = group.packages.map(nameVer);
+    if (labels.length <= 5)
+        return labels.join(", ");
+    return labels.slice(0, 5).join(", ") + ` + ${labels.length - 5} more`;
+}
+// Chrome lines in detail pane mode:
+//  7  ScoreHeader  |  3  detail pane borders+header  |  2  scroll indicators
+//  4  Clean/Duration box  |  1  separator  |  1  help bar
+const DETAIL_PANE_CHROME = 20;
+function buildDetailLines(group, safeVersion, maxWidth) {
+    const rep = firstPackage(group);
+    const visibleFindings = rep.findings
+        .filter((f) => f.severity > 1)
+        .sort((a, b) => b.severity - a.severity);
+    const lines = [];
+    if (group.packages.length > 3) {
+        lines.push(_jsxs(Text, { dimColor: true, children: ["Affects: ", affectsLine(group)] }, "affects"));
+        lines.push(_jsx(Text, { children: "" }, "affects-gap"));
+    }
+    if (rep.score > 0) {
+        lines.push(_jsxs(Text, { dimColor: true, children: ["Score: ", rep.score, "/100"] }, "score-info"));
+        lines.push(_jsx(Text, { children: "" }, "score-gap"));
+    }
+    // Paid tier: show findings with category + severity
+    if (visibleFindings.length > 0) {
+        for (let i = 0; i < visibleFindings.length; i++) {
+            const f = visibleFindings[i];
+            if (!f)
+                continue;
+            const sevLabel = SEVERITY_LABELS[f.severity] ?? "INFO";
+            const sevColor = SEVERITY_COLORS[f.severity] ?? SEVERITY_COLORS[1] ?? chalk.dim;
+            const connector = i === visibleFindings.length - 1 ? T.last : T.branch;
+            lines.push(_jsxs(Text, { children: [connector, " ", sevColor(pad(sevLabel, 8)), chalk.dim(f.category ?? "")] }, `finding-${i}`));
+        }
+        lines.push(_jsx(Text, { children: "" }, "findings-gap"));
+    }
+    else if (rep.score > 0) {
+        // Free tier: no findings returned — show upgrade prompt
+        lines.push(_jsxs(Text, { color: "yellow", children: [chalk.yellow("\u2192"), " Upgrade to Pro to see risk categories"] }, "upgrade"));
+        lines.push(_jsx(Text, { children: "" }, "upgrade-gap"));
+    }
+    if (rep.recommendation) {
+        lines.push(_jsxs(Text, { children: [chalk.dim("Recommendation:"), " ", chalk.cyan(truncate(rep.recommendation, maxWidth - 18))] }, "recommendation"));
+    }
+    if (safeVersion) {
+        lines.push(_jsx(Text, { children: chalk.green(`Safe version: ${rep.name}@${safeVersion}`) }, "safe"));
+    }
+    return lines;
+}
+function viewReducer(_state, action) {
+    switch (action.type) {
+        case "MOVE":
+            return { ..._state, cursor: action.cursor, viewport: action.viewport };
+        case "EXPAND":
+            return { ..._state, expandedIndex: action.expandedIndex, expandLevel: action.expandLevel, viewport: action.viewport };
+        case "MOVE_EXPAND":
+            return { cursor: action.cursor, expandedIndex: action.expandedIndex, expandLevel: action.expandLevel, viewport: action.viewport };
+    }
+}
+export const InteractiveResultsView = ({ result, config: _config, durationMs, onExit, onBack, discoveredTotal, userStatus, scanUsage: scanUsageProp, initialView, }) => {
+    // Prefer the server's uniform usage block ("used / limit packages this
+    // month"); fall back to the legacy freeScansRemaining field, then to the
+    // generic placeholder from bin.ts. usageNearLimit drives the yellow + nudge.
+    const usageDisplay = result.usage ? formatUsage(result.usage) : null;
+    const scanUsage = usageDisplay
+        ? usageDisplay.text
+        : result.freeScansRemaining !== undefined
+            ? `${result.freeScansRemaining.toLocaleString()} packages left`
+            : scanUsageProp;
+    const usageNearLimit = usageDisplay?.nearLimit ?? false;
+    // Bucket by the server `action`, never by score: the server can return
+    // block/warn at score 0 (policy verdict / yanked / cooldown), and those must
+    // surface as flagged, not hide in "clean".
+    const flagged = useMemo(() => result.packages.filter((p) => (p.action ?? "pass") !== "pass"), [result.packages]);
+    const clean = useMemo(() => result.packages.filter((p) => (p.action ?? "pass") === "pass"), [result.packages]);
+    const total = result.packages.length;
+    const [searchQuery, setSearchQuery] = useState("");
+    const allGroups = useMemo(() => groupPackages(flagged), [flagged]);
+    const allGroupCount = allGroups.length;
+    const groups = useMemo(() => {
+        if (!searchQuery)
+            return allGroups;
+        const q = searchQuery.toLowerCase();
+        return allGroups.filter(g => g.packages.some(p => p.name.toLowerCase().includes(q)));
+    }, [allGroups, searchQuery]);
+    const [view, dispatchView] = useReducer(viewReducer, {
+        cursor: 0,
+        expandLevel: null,
+        expandedIndex: null,
+        viewport: 0,
+    });
+    const viewRef = useRef(view);
+    viewRef.current = view;
+    const [detailPane, setDetailPane] = useState(null);
+    const detailPaneRef = useRef(detailPane);
+    detailPaneRef.current = detailPane;
+    const [showHelp, setShowHelp] = useState(false);
+    const showHelpRef = useRef(showHelp);
+    showHelpRef.current = showHelp;
+    // License-grouped overlay. Toggled with `l`. Shows packages grouped by
+    // SPDX license id, sorted by count desc, color-coded by risk category.
+    // Up/Down to select a row, Enter to drill into the packages for that
+    // license, Esc to back out, l/Esc again to close the overlay.
+    const [showLicenses, setShowLicenses] = useState(initialView === "licenses");
+    const showLicensesRef = useRef(showLicenses);
+    showLicensesRef.current = showLicenses;
+    const [licenseCursor, setLicenseCursor] = useState(0);
+    const licenseCursorRef = useRef(licenseCursor);
+    licenseCursorRef.current = licenseCursor;
+    const [licenseDetailIdx, setLicenseDetailIdx] = useState(null);
+    const licenseDetailIdxRef = useRef(licenseDetailIdx);
+    licenseDetailIdxRef.current = licenseDetailIdx;
+    const [licenseDetailScroll, setLicenseDetailScroll] = useState(0);
+    // Search inside the license drill-in: type-to-filter packages by name.
+    const [licenseSearchMode, setLicenseSearchMode] = useState(false);
+    const licenseSearchModeRef = useRef(licenseSearchMode);
+    licenseSearchModeRef.current = licenseSearchMode;
+    const [licenseSearchQuery, setLicenseSearchQuery] = useState("");
+    // Export status (shown briefly in the footer after `e`).
+    const [exportMsg, setExportMsg] = useState(null);
+    const exportMsgRef = useRef(null);
+    const showExportMsg = (s) => {
+        setExportMsg(s);
+        if (exportMsgRef.current)
+            clearTimeout(exportMsgRef.current);
+        exportMsgRef.current = setTimeout(() => setExportMsg(null), 4000);
+    };
+    const [exportMenu, setExportMenu] = useState(null);
+    const exportMenuRef = useRef(exportMenu);
+    exportMenuRef.current = exportMenu;
+    const openExportMenu = (defaultScope = "all") => {
+        if (!isLoggedIn()) {
+            // Saved reports are a logged-in feature. Show the calm nudge instead
+            // of letting the user navigate a menu they can't actually use.
+            showExportMsg("Export requires `dg login` (free account)");
+            return;
+        }
+        setExportMenu({ scope: defaultScope, format: "json", activeRow: "scope" });
+    };
+    /** Build the JS object for a given export scope. The `currentLicenseIdx`
+     *  parameter scopes "current-license" to the drill-in user is viewing. */
+    const buildExportPayload = (scope, currentLicenseIdx) => {
+        const blocked = result.packages.filter((p) => p.action === "block");
+        const warned = result.packages.filter((p) => p.action === "warn");
+        const cleanPkgs = result.packages.filter((p) => (p.action ?? "pass") === "pass");
+        const incomplete = result.packages.filter((p) => p.action === "analysis_incomplete");
+        const summary = {
+            scannedAt: new Date().toISOString(),
+            score: result.score,
+            action: result.action,
+            packagesScanned: result.packages.length,
+            blocked: blocked.length,
+            warned: warned.length,
+            passLowRisk: incomplete.length,
+            clean: cleanPkgs.length,
+            durationMs,
+        };
+        if (scope === "summary")
+            return summary;
+        if (scope === "packages") {
+            return result.packages.map((p) => ({
+                name: p.name,
+                version: p.version,
+                score: p.score,
+                license: p.license?.spdx ?? p.license?.raw ?? null,
+                riskCategory: p.license?.riskCategory ?? null,
+            }));
+        }
+        if (scope === "licenses") {
+            return licenseGroups.map((g) => ({
+                spdx: g.spdx,
+                riskCategory: g.risk,
+                count: g.count,
+                packages: g.pkgs.map((p) => ({ name: p.name, version: p.version, score: p.score })),
+            }));
+        }
+        if (scope === "current-license" && currentLicenseIdx !== null) {
+            const g = licenseGroups[currentLicenseIdx];
+            if (!g)
+                return null;
+            return {
+                spdx: g.spdx,
+                riskCategory: g.risk,
+                count: g.count,
+                packages: g.pkgs.map((p) => ({ name: p.name, version: p.version, score: p.score })),
+            };
+        }
+        if (scope === "findings") {
+            return [...blocked, ...warned].map((p) => ({
+                name: p.name,
+                version: p.version,
+                score: p.score,
+                action: p.action,
+                findings: p.findings.map((f) => ({
+                    severity: f.severity,
+                    category: f.category ?? null,
+                    title: f.title ?? null,
+                })),
+                reasons: p.reasons,
+            }));
+        }
+        // scope === "all"
+        return {
+            ...summary,
+            packages: result.packages,
+            safeVersions: result.safeVersions,
+            licenses: licenseGroups.map((g) => ({
+                spdx: g.spdx,
+                riskCategory: g.risk,
+                count: g.count,
+                packages: g.pkgs.map((p) => ({ name: p.name, version: p.version, score: p.score })),
+            })),
+        };
+    };
+    /** Quote a CSV cell — escape double-quotes by doubling, wrap in quotes if
+     *  the value contains a comma, quote, or newline. */
+    const csvCell = (v) => {
+        const s = v === null || v === undefined ? "" : String(v);
+        return /[",\n\r]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
+    };
+    /** Convert a payload + scope to a serialized string in the chosen format
+     *  plus the file extension. Some combinations are nonsensical (CSV of the
+     *  full scan tree); we degrade those to JSON with a comment. */
+    const formatExport = (payload, scope, format) => {
+        if (format === "json") {
+            return { body: JSON.stringify(payload, null, 2) + "\n", ext: "json" };
+        }
+        if (format === "csv") {
+            // Tabular scopes only — flatten to header + rows.
+            if (scope === "packages") {
+                const rows = payload;
+                const lines = ["name,version,score,license,riskCategory"];
+                for (const r of rows) {
+                    lines.push([r.name, r.version, r.score, r.license, r.riskCategory].map(csvCell).join(","));
+                }
+                return { body: lines.join("\n") + "\n", ext: "csv" };
+            }
+            if (scope === "licenses") {
+                const rows = payload;
+                const lines = ["spdx,riskCategory,count,package_names"];
+                for (const r of rows) {
+                    const names = r.packages.map((p) => `${p.name}@${p.version}`).join(";");
+                    lines.push([r.spdx, r.riskCategory, r.count, names].map(csvCell).join(","));
+                }
+                return { body: lines.join("\n") + "\n", ext: "csv" };
+            }
+            if (scope === "current-license") {
+                const r = payload;
+                const lines = ["name,version,score,spdx,riskCategory"];
+                for (const p of r.packages) {
+                    lines.push([p.name, p.version, p.score, r.spdx, r.riskCategory].map(csvCell).join(","));
+                }
+                return { body: lines.join("\n") + "\n", ext: "csv" };
+            }
+            if (scope === "findings") {
+                const rows = payload;
+                const lines = ["name,version,score,action,top_finding_severity,top_finding_category,top_finding_title"];
+                for (const r of rows) {
+                    const f = r.findings[0] ?? { severity: "", category: "", title: "" };
+                    lines.push([r.name, r.version, r.score, r.action, f.severity, f.category, f.title].map(csvCell).join(","));
+                }
+                return { body: lines.join("\n") + "\n", ext: "csv" };
+            }
+            // CSV doesn't make sense for `all` or `summary` — fall back to JSON.
+            return { body: JSON.stringify(payload, null, 2) + "\n", ext: "json" };
+        }
+        // Markdown — for `all`, render summary + packages table + licenses table
+        // in one document so the file matches what the user sees in the TUI.
+        // For `findings` with an empty list, surface that explicitly so the
+        // file isn't just a title and nothing else.
+        if (format === "md") {
+            const lines = [`# Dependency Guardian — ${scope}`, ""];
+            lines.push(`*Scanned at ${new Date().toISOString()}*`, "");
+            const renderSummary = (s) => {
+                lines.push(`**Score:** ${s.score} (${s.action})`);
+                lines.push(`**Scanned:** ${s.packagesScanned} packages in ${(s.durationMs / 1000).toFixed(1)}s`);
+                lines.push(`**Block:** ${s.blocked}  ·  **Warn:** ${s.warned}  ·  **Clean:** ${s.clean}`, "");
+            };
+            const renderPkgRows = (rows) => {
+                lines.push("## Packages", "", "| Name | Version | Score | License |", "|---|---|---|---|");
+                for (const r of rows)
+                    lines.push(`| ${r.name} | ${r.version} | ${r.score} | ${r.license ?? "—"} |`);
+                lines.push("");
+            };
+            const renderLicRows = (rows) => {
+                lines.push("## Licenses", "", "| License | Risk | Count |", "|---|---|---|");
+                for (const r of rows)
+                    lines.push(`| ${r.spdx} | ${r.riskCategory} | ${r.count} |`);
+                lines.push("");
+            };
+            if (scope === "summary") {
+                renderSummary(payload);
+            }
+            else if (scope === "all") {
+                const a = payload;
+                renderSummary(a);
+                renderPkgRows(a.packages.map((p) => ({
+                    name: p.name,
+                    version: p.version,
+                    score: p.score,
+                    license: p.license?.spdx ?? p.license?.raw ?? null,
+                })));
+                renderLicRows(a.licenses);
+            }
+            else if (scope === "packages") {
+                renderPkgRows(payload);
+            }
+            else if (scope === "licenses") {
+                renderLicRows(payload);
+            }
+            else if (scope === "current-license") {
+                const r = payload;
+                lines.push(`## ${r.spdx}  ·  ${r.riskCategory}  ·  ${r.count} packages`, "");
+                lines.push("| Name | Version | Score |", "|---|---|---|");
+                for (const p of r.packages)
+                    lines.push(`| ${p.name} | ${p.version} | ${p.score} |`);
+            }
+            else if (scope === "findings") {
+                const rows = payload;
+                if (rows.length === 0) {
+                    lines.push("> **No warn or block findings.** All scanned packages passed the gate.", "");
+                }
+                else {
+                    for (const r of rows) {
+                        lines.push(`### ${r.name}@${r.version}  ·  ${r.action.toUpperCase()}  ·  score ${r.score}`);
+                        for (const f of r.findings)
+                            lines.push(`- sev ${f.severity}: ${f.title ?? "(hidden)"}`);
+                        lines.push("");
+                    }
+                }
+            }
+            return { body: lines.join("\n"), ext: "md" };
+        }
+        // format === "txt" — quick human-readable, mirrors the md structure
+        const txt = [`Dependency Guardian — ${scope}`, "=".repeat(40), ""];
+        const txtSummary = (s) => {
+            txt.push(`Score:    ${s.score} (${s.action})`);
+            txt.push(`Scanned:  ${s.packagesScanned} packages in ${(s.durationMs / 1000).toFixed(1)}s`);
+            txt.push(`Block:    ${s.blocked}`);
+            txt.push(`Warn:     ${s.warned}`);
+            txt.push(`Clean:    ${s.clean}`, "");
+        };
+        const txtPackages = (rows) => {
+            txt.push("Packages", "-".repeat(40));
+            for (const r of rows)
+                txt.push(`${r.name}@${r.version}  score=${r.score}  ${r.license ?? "no-license"}`);
+            txt.push("");
+        };
+        const txtLicenses = (rows) => {
+            txt.push("Licenses", "-".repeat(40));
+            for (const r of rows)
+                txt.push(`${r.spdx.padEnd(36)}  ${r.riskCategory.padEnd(18)}  ${r.count}`);
+            txt.push("");
+        };
+        if (scope === "summary") {
+            txtSummary(payload);
+        }
+        else if (scope === "all") {
+            const a = payload;
+            txtSummary(a);
+            txtPackages(a.packages.map((p) => ({
+                name: p.name,
+                version: p.version,
+                score: p.score,
+                license: p.license?.spdx ?? p.license?.raw ?? null,
+            })));
+            txtLicenses(a.licenses);
+        }
+        else if (scope === "packages") {
+            txtPackages(payload);
+        }
+        else if (scope === "licenses") {
+            txtLicenses(payload);
+        }
+        else if (scope === "current-license") {
+            const r = payload;
+            txt.push(`${r.spdx} (${r.riskCategory})`, "");
+            for (const p of r.packages)
+                txt.push(`  ${p.name}@${p.version}  score=${p.score}`);
+        }
+        else if (scope === "findings") {
+            const rows = payload;
+            if (rows.length === 0) {
+                txt.push("No warn or block findings.", "All scanned packages passed the gate.");
+            }
+            else {
+                for (const r of rows) {
+                    txt.push(`${r.action.toUpperCase()}  ${r.name}@${r.version}  score=${r.score}`);
+                    for (const f of r.findings)
+                        txt.push(`  sev ${f.severity}: ${f.title ?? "(hidden)"}`);
+                    txt.push("");
+                }
+            }
+        }
+        return { body: txt.join("\n") + "\n", ext: "txt" };
+    };
+    /** Run the export with the given scope/format. Writes
+     *  ./dg-scan-<ts>-<scope>.<ext> and shows a footer toast. Requires login —
+     *  saved reports are a logged-in feature. */
+    const runExport = (scope, format, currentLicenseIdx) => {
+        if (!isLoggedIn()) {
+            showExportMsg("Export requires `dg login` (free account)");
+            return;
+        }
+        try {
+            const ts = new Date().toISOString().replace(/[:T]/g, "-").replace(/\..*$/, "");
+            const payload = buildExportPayload(scope, currentLicenseIdx);
+            if (payload === null) {
+                showExportMsg(`Nothing to export for scope "${scope}"`);
+                return;
+            }
+            const { body, ext } = formatExport(payload, scope, format);
+            const scopeTag = scope === "current-license" && currentLicenseIdx !== null
+                ? `${(licenseGroups[currentLicenseIdx]?.spdx ?? "license").replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 32)}`
+                : scope;
+            const filename = `dg-scan-${ts}-${scopeTag}.${ext}`;
+            const path = resolvePath(process.cwd(), filename);
+            writeFileSync(path, body, "utf-8");
+            showExportMsg(`✓ Exported to ${filename}`);
+        }
+        catch (e) {
+            showExportMsg(`Export failed: ${e.message}`);
+        }
+    };
+    const licenseGroups = useMemo(() => {
+        const buckets = new Map();
+        for (const pkg of result.packages) {
+            const lc = pkg.license;
+            const spdx = lc?.spdx ?? lc?.raw ?? "(no license)";
+            const risk = lc?.riskCategory ?? "unknown";
+            const key = `${risk}::${spdx}`;
+            const ex = buckets.get(key);
+            if (ex) {
+                ex.count += 1;
+                ex.pkgs.push(pkg);
+            }
+            else
+                buckets.set(key, { spdx, risk, count: 1, pkgs: [pkg] });
+        }
+        for (const b of buckets.values()) {
+            b.pkgs.sort((a, b) => a.name.localeCompare(b.name));
+        }
+        const sinkRanks = { "no-license": 2, unknown: 1 };
+        return [...buckets.values()].sort((a, b) => {
+            const ra = sinkRanks[a.risk] ?? 0;
+            const rb = sinkRanks[b.risk] ?? 0;
+            if (ra !== rb)
+                return ra - rb;
+            return b.count - a.count;
+        });
+    }, [result.packages]);
+    const [searchMode, setSearchMode] = useState(false);
+    const searchModeRef = useRef(searchMode);
+    searchModeRef.current = searchMode;
+    const { rows: termRows, cols: termCols } = useTerminalSize();
+    const availableRows = Math.max(5, termRows - FIXED_CHROME);
+    const innerWidth = Math.max(40, termCols - 6);
+    const detailGroupIdx = detailPane?.groupIndex ?? -1;
+    const detailLines = useMemo(() => {
+        if (detailGroupIdx < 0)
+            return [];
+        const group = groups[detailGroupIdx];
+        if (!group)
+            return [];
+        return buildDetailLines(group, result.safeVersions[firstPackage(group).name], innerWidth);
+    }, [detailGroupIdx, groups, result.safeVersions, innerWidth]);
+    const detailContentRows = Math.max(3, termRows - DETAIL_PANE_CHROME);
+    const getLevel = (idx) => {
+        return view.expandedIndex === idx ? view.expandLevel : null;
+    };
+    const expandTargetHeight = useMemo(() => {
+        if (view.expandedIndex === null || view.expandLevel === null)
+            return 0;
+        const group = groups[view.expandedIndex];
+        if (!group)
+            return 0;
+        if (view.expandLevel === "summary")
+            return findingsSummaryHeight(group);
+        return findingsDetailHeight(group, result.safeVersions);
+    }, [view.expandedIndex, view.expandLevel, groups, result.safeVersions]);
+    const { visibleLines: animVisibleLines } = useExpandAnimation(expandTargetHeight, view.expandedIndex !== null);
+    const animatedGroupHeight = (group, level, idx) => {
+        if (level === null)
+            return 1;
+        if (idx === view.expandedIndex)
+            return 1 + animVisibleLines;
+        return groupRowHeight(group, level, result.safeVersions);
+    };
+    const visibleEnd = useMemo(() => {
+        let consumed = 0;
+        let end = view.viewport;
+        while (end < groups.length) {
+            const level = getLevel(end);
+            const endGroup = groups[end];
+            if (!endGroup)
+                break;
+            const h = animatedGroupHeight(endGroup, level, end);
+            if (consumed + h > availableRows)
+                break;
+            consumed += h;
+            end++;
+        }
+        if (end === view.viewport && groups.length > 0)
+            end = view.viewport + 1;
+        return end;
+    }, [view.viewport, groups, view.expandedIndex, view.expandLevel, animVisibleLines, availableRows, result.safeVersions]);
+    const adjustViewport = (cursor, expIdx, expLvl, currentStart) => {
+        if (cursor < currentStart)
+            return cursor;
+        const getLvl = (i) => (expIdx === i ? expLvl : null);
+        let consumed = 0;
+        for (let i = currentStart; i <= cursor && i < groups.length; i++) {
+            const g = groups[i];
+            if (!g)
+                continue;
+            consumed += groupRowHeight(g, getLvl(i), result.safeVersions);
+        }
+        if (consumed <= availableRows)
+            return currentStart;
+        let newStart = currentStart;
+        while (newStart < cursor) {
+            newStart++;
+            consumed = 0;
+            for (let i = newStart; i <= cursor; i++) {
+                const g = groups[i];
+                if (!g)
+                    continue;
+                consumed += groupRowHeight(g, getLvl(i), result.safeVersions);
+            }
+            if (consumed <= availableRows)
+                break;
+        }
+        return newStart;
+    };
+    // Re-clamp viewport when terminal is resized
+    useEffect(() => {
+        if (groups.length === 0)
+            return;
+        const { cursor, expandedIndex, expandLevel, viewport } = viewRef.current;
+        const clamped = Math.min(viewport, Math.max(0, groups.length - 1));
+        const newVp = adjustViewport(cursor, expandedIndex, expandLevel, clamped);
+        dispatchView({ type: "MOVE", cursor, viewport: newVp });
+    }, [availableRows]);
+    // Clamp detail pane scroll when terminal resizes
+    useEffect(() => {
+        const dp = detailPaneRef.current;
+        if (dp && detailLines.length > 0) {
+            const maxScroll = Math.max(0, detailLines.length - detailContentRows);
+            if (dp.scroll > maxScroll) {
+                setDetailPane({ groupIndex: dp.groupIndex, scroll: maxScroll });
+            }
+        }
+    }, [detailContentRows, detailLines.length]);
+    useEffect(() => {
+        if (detailPane !== null && !groups[detailPane.groupIndex]) {
+            setDetailPane(null);
+        }
+    }, [detailPane, groups]);
+    useInput((input, key) => {
+        // Export menu has the highest priority — once opened, all keys go here
+        // until ⏎/Esc dismisses it. Arrow-driven: ↑↓ scrolls within the active
+        // row, ←→ or Tab switches rows. No letter shortcuts (the user found
+        // them clunky and they collide with `q` / other meaningful keys).
+        if (exportMenuRef.current) {
+            const menu = exportMenuRef.current;
+            const SCOPES = ["all", "summary", "packages", "licenses", "findings"];
+            const FORMATS = ["json", "csv", "md", "txt"];
+            const scopes = licenseDetailIdxRef.current !== null
+                ? [...SCOPES, "current-license"]
+                : SCOPES;
+            const move = (arr, cur, dir) => {
+                const i = arr.indexOf(cur);
+                if (i < 0)
+                    return arr[0] ?? cur;
+                // Clamp at boundaries (no wrap-around) — feels more like a list.
+                return arr[Math.max(0, Math.min(arr.length - 1, i + dir))] ?? cur;
+            };
+            if (key.escape) {
+                setExportMenu(null);
+                return;
+            }
+            if (key.return) {
+                const m = exportMenuRef.current;
+                setExportMenu(null);
+                clearScreen();
+                runExport(m.scope, m.format, licenseDetailIdxRef.current);
+                return;
+            }
+            if (key.tab || key.leftArrow || key.rightArrow) {
+                setExportMenu({ ...menu, activeRow: menu.activeRow === "scope" ? "format" : "scope" });
+                return;
+            }
+            if (key.upArrow || input === "k") {
+                if (menu.activeRow === "scope") {
+                    setExportMenu({ ...menu, scope: move(scopes, menu.scope, -1) });
+                }
+                else {
+                    setExportMenu({ ...menu, format: move(FORMATS, menu.format, -1) });
+                }
+                return;
+            }
+            if (key.downArrow || input === "j") {
+                if (menu.activeRow === "scope") {
+                    setExportMenu({ ...menu, scope: move(scopes, menu.scope, 1) });
+                }
+                else {
+                    setExportMenu({ ...menu, format: move(FORMATS, menu.format, 1) });
+                }
+                return;
+            }
+            if (input === "q") {
+                setExportMenu(null);
+                return;
+            }
+            return;
+        }
+        if (showHelpRef.current) {
+            if (input === "?" || key.escape)
+                setShowHelp(false);
+            else if (input === "q")
+                onExit();
+            return;
+        }
+        if (showLicensesRef.current) {
+            // Drill-in mode: viewing the package list for one license.
+            if (licenseDetailIdxRef.current !== null) {
+                // Search-typing mode inside drill-in: capture text input.
+                if (licenseSearchModeRef.current) {
+                    if (key.escape) {
+                        setLicenseSearchMode(false);
+                        setLicenseSearchQuery("");
+                        setLicenseDetailScroll(0);
+                    }
+                    else if (key.return) {
+                        setLicenseSearchMode(false);
+                    }
+                    else if (key.backspace || key.delete) {
+                        setLicenseSearchQuery((q) => q.slice(0, -1));
+                        setLicenseDetailScroll(0);
+                    }
+                    else if (input && !key.upArrow && !key.downArrow && /^[\x20-\x7e]+$/.test(input)) {
+                        setLicenseSearchQuery((q) => q + input);
+                        setLicenseDetailScroll(0);
+                    }
+                    return;
+                }
+                if (input === "q") {
+                    onExit();
+                    return;
+                }
+                if (input === "/") {
+                    setLicenseSearchMode(true);
+                    return;
+                }
+                if (input === "e") {
+                    openExportMenu("current-license");
+                    return;
+                }
+                if (key.escape) {
+                    clearScreen();
+                    licenseDetailIdxRef.current = null;
+                    setLicenseDetailIdx(null);
+                    setLicenseDetailScroll(0);
+                    if (licenseSearchQuery)
+                        setLicenseSearchQuery("");
+                    return;
+                }
+                if (key.upArrow || input === "k") {
+                    setLicenseDetailScroll((s) => Math.max(0, s - 1));
+                    return;
+                }
+                if (key.downArrow || input === "j") {
+                    const grp = licenseGroups[licenseDetailIdxRef.current];
+                    if (grp) {
+                        const q = licenseSearchQuery.toLowerCase();
+                        const filtered = q
+                            ? grp.pkgs.filter((p) => p.name.toLowerCase().includes(q))
+                            : grp.pkgs;
+                        setLicenseDetailScroll((s) => Math.min(Math.max(0, filtered.length - 1), s + 1));
+                    }
+                    return;
+                }
+                return;
+            }
+            if (input === "q") {
+                onExit();
+                return;
+            }
+            if (input === "e") {
+                openExportMenu("licenses");
+                return;
+            }
+            if (key.escape) {
+                if (initialView === "licenses")
+                    return;
+                setShowLicenses(false);
+                return;
+            }
+            if (key.upArrow || input === "k") {
+                setLicenseCursor((c) => Math.max(0, c - 1));
+                return;
+            }
+            if (key.downArrow || input === "j") {
+                setLicenseCursor((c) => Math.min(licenseGroups.length - 1, c + 1));
+                return;
+            }
+            if (key.return) {
+                setLicenseDetailIdx(licenseCursorRef.current);
+                setLicenseDetailScroll(0);
+                return;
+            }
+            return;
+        }
+        if (searchModeRef.current) {
+            if (key.escape) {
+                setSearchMode(false);
+                setSearchQuery("");
+                dispatchView({ type: "MOVE", cursor: 0, viewport: 0 });
+            }
+            else if (key.return) {
+                setSearchMode(false);
+            }
+            else if (key.backspace || key.delete) {
+                setSearchQuery(prev => prev.slice(0, -1));
+                dispatchView({ type: "MOVE", cursor: 0, viewport: 0 });
+            }
+            else if (input && !key.upArrow && !key.downArrow && /^[\x20-\x7e]+$/.test(input)) {
+                setSearchQuery(prev => prev + input);
+                dispatchView({ type: "MOVE", cursor: 0, viewport: 0 });
+            }
+            return;
+        }
+        const dp = detailPaneRef.current;
+        if (dp !== null) {
+            const maxScroll = Math.max(0, detailLines.length - detailContentRows);
+            if (key.upArrow || input === "k") {
+                setDetailPane({ groupIndex: dp.groupIndex, scroll: Math.max(0, dp.scroll - 1) });
+            }
+            else if (key.downArrow || input === "j") {
+                setDetailPane({ groupIndex: dp.groupIndex, scroll: Math.min(maxScroll, dp.scroll + 1) });
+            }
+            else if (input === "g") {
+                setDetailPane({ groupIndex: dp.groupIndex, scroll: 0 });
+            }
+            else if (input === "G") {
+                setDetailPane({ groupIndex: dp.groupIndex, scroll: maxScroll });
+            }
+            else if (key.escape) {
+                setDetailPane(null);
+            }
+            else if (input === "q") {
+                onExit();
+            }
+            return;
+        }
+        if (input === "?") {
+            setShowHelp(true);
+            return;
+        }
+        if (input === "l") {
+            setShowLicenses(true);
+            setLicenseCursor(0);
+            return;
+        }
+        if (input === "e") {
+            openExportMenu("all");
+            return;
+        }
+        if (key.escape && onBack) {
+            onBack();
+            return;
+        }
+        if (input === "q") {
+            onExit();
+            return;
+        }
+        if (groups.length === 0) {
+            if (key.return)
+                onExit();
+            else if (input === "/")
+                setSearchMode(true);
+            return;
+        }
+        const { cursor, expandLevel: expLvl, expandedIndex: expIdx, viewport: vpStart } = viewRef.current;
+        if (key.upArrow || input === "k") {
+            const next = Math.max(0, cursor - 1);
+            const newVp = adjustViewport(next, expIdx, expLvl, vpStart < next ? vpStart : next);
+            dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
+        }
+        else if (key.downArrow || input === "j") {
+            const next = Math.min(groups.length - 1, cursor + 1);
+            const newVp = adjustViewport(next, expIdx, expLvl, vpStart);
+            dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
+        }
+        else if (input === "g") {
+            const newVp = adjustViewport(0, expIdx, expLvl, 0);
+            dispatchView({ type: "MOVE", cursor: 0, viewport: newVp });
+        }
+        else if (input === "G") {
+            const last = groups.length - 1;
+            const newVp = adjustViewport(last, expIdx, expLvl, vpStart);
+            dispatchView({ type: "MOVE", cursor: last, viewport: newVp });
+        }
+        else if (key.pageDown) {
+            const next = Math.min(groups.length - 1, cursor + availableRows);
+            const newVp = adjustViewport(next, expIdx, expLvl, vpStart);
+            dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
+        }
+        else if (key.pageUp) {
+            const next = Math.max(0, cursor - availableRows);
+            const newVp = adjustViewport(next, expIdx, expLvl, next);
+            dispatchView({ type: "MOVE", cursor: next, viewport: newVp });
+        }
+        else if (key.return) {
+            const newLevel = expIdx === cursor && expLvl === "summary" ? null : "summary";
+            const newExpIdx = newLevel === null ? null : cursor;
+            const newVp = adjustViewport(cursor, newExpIdx, newLevel, vpStart);
+            dispatchView({ type: "EXPAND", expandedIndex: newExpIdx, expandLevel: newLevel, viewport: newVp });
+        }
+        else if (input === "/") {
+            setSearchMode(true);
+        }
+    });
+    const visibleGroups = groups.slice(view.viewport, visibleEnd);
+    const aboveCount = view.viewport;
+    const belowCount = groups.length - visibleEnd;
+    const lcCol = 16; // fixed width for license column
+    const nameCol = Math.max(20, innerWidth - 22 - lcCol);
+    // Clamp cursor to valid range (groups may shrink via search filter)
+    const clampedCursor = groups.length > 0 ? Math.min(view.cursor, groups.length - 1) : 0;
+    // ── Export menu overlay ──
+    if (exportMenu) {
+        const SCOPES_RENDER = [
+            { value: "all", label: "All" },
+            { value: "summary", label: "Summary" },
+            { value: "packages", label: "Packages" },
+            { value: "licenses", label: "Licenses" },
+            { value: "findings", label: "Findings (warn+block)" },
+        ];
+        if (licenseDetailIdxRef.current !== null) {
+            const focus = licenseGroups[licenseDetailIdxRef.current];
+            SCOPES_RENDER.push({
+                value: "current-license",
+                label: `Current license (${focus?.spdx ?? "—"})`,
+            });
+        }
+        const FORMATS_RENDER = [
+            { value: "json", label: "JSON" },
+            { value: "csv", label: "CSV" },
+            { value: "md", label: "Markdown" },
+            { value: "txt", label: "Plain text" },
+        ];
+        const stackedLayout = termCols < 80;
+        const colWidth = stackedLayout ? undefined : Math.max(24, Math.floor((termCols - 8) / 2));
+        const renderColumn = (title, rows, current, isActive) => (_jsxs(Box, { flexDirection: "column", width: colWidth, flexShrink: 1, marginBottom: stackedLayout ? 1 : 0, children: [_jsxs(Text, { children: [isActive ? chalk.cyan("▌ ") : "  ", isActive ? chalk.bold(title) : chalk.dim(title)] }), rows.map((r) => {
+                    const selected = r.value === current;
+                    const bullet = selected
+                        ? (isActive ? chalk.cyan("●") : chalk.green("●"))
+                        : chalk.dim("○");
+                    const text = selected ? chalk.bold(r.label) : r.label;
+                    return (_jsxs(Box, { children: [_jsx(Box, { width: 5, flexShrink: 0, children: _jsxs(Text, { children: ["   ", bullet] }) }), _jsx(Box, { flexShrink: 1, children: _jsx(Text, { wrap: "truncate-end", children: text }) })] }, r.value));
+                })] }));
+        return (_jsxs(Box, { flexDirection: "column", children: [_jsx(ScoreHeader, { score: result.score, action: result.action, total: total, flagged: flagged.length, clean: clean.length, userStatus: userStatus, scanUsage: scanUsage, usageNearLimit: usageNearLimit }), _jsxs(Box, { flexDirection: "column", borderStyle: "round", borderColor: "cyan", paddingLeft: 2, paddingRight: 2, children: [_jsx(Text, { bold: true, children: "Export" }), _jsx(Text, { children: "" }), _jsxs(Box, { flexDirection: stackedLayout ? "column" : "row", children: [renderColumn("What", SCOPES_RENDER, exportMenu.scope, exportMenu.activeRow === "scope"), renderColumn("Format", FORMATS_RENDER, exportMenu.format, exportMenu.activeRow === "format")] })] }), _jsx(Text, { dimColor: true, children: chalk.dim("─".repeat(Math.max(20, termCols - 4))) }), _jsxs(Text, { children: [" ", chalk.bold.cyan("↑↓"), " ", chalk.dim("scroll"), "   ", chalk.bold.cyan("←→/Tab"), " ", chalk.dim("switch row"), "   ", chalk.bold.cyan("⏎"), " ", chalk.dim("export"), "   ", chalk.bold.cyan("Esc"), " ", chalk.dim("cancel")] })] }));
+    }
+    // ── Help overlay ──
+    if (showHelp) {
+        const isDetail = detailPane !== null;
+        return (_jsxs(Box, { flexDirection: "column", children: [_jsx(ScoreHeader, { score: result.score, action: result.action, total: total, flagged: flagged.length, clean: clean.length, userStatus: userStatus, scanUsage: scanUsage, usageNearLimit: usageNearLimit }), _jsxs(Box, { flexDirection: "column", borderStyle: "round", borderColor: "cyan", paddingLeft: 2, paddingRight: 2, width: "100%", children: [_jsx(Text, { bold: true, children: "Keyboard Shortcuts" }), _jsx(Text, { children: "" }), _jsx(Text, { bold: true, children: " Navigation" }), _jsxs(Text, { children: ["   ", chalk.cyan("\u2191 k"), "     ", chalk.dim("Move up")] }), _jsxs(Text, { children: ["   ", chalk.cyan("\u2193 j"), "     ", chalk.dim("Move down")] }), _jsxs(Text, { children: ["   ", chalk.cyan("g"), "       ", chalk.dim("Jump to top")] }), _jsxs(Text, { children: ["   ", chalk.cyan("G"), "       ", chalk.dim("Jump to bottom")] }), !isDetail && _jsxs(Text, { children: ["   ", chalk.cyan("PgUp"), "    ", chalk.dim("Page up")] }), !isDetail && _jsxs(Text, { children: ["   ", chalk.cyan("PgDn"), "    ", chalk.dim("Page down")] }), _jsx(Text, { children: "" }), _jsx(Text, { bold: true, children: " Actions" }), !isDetail && _jsxs(Text, { children: ["   ", chalk.cyan("\u23CE"), "       ", chalk.dim("Expand findings")] }), isDetail && _jsxs(Text, { children: ["   ", chalk.cyan("Esc"), "     ", chalk.dim("Back to list")] }), !isDetail && _jsxs(Text, { children: ["   ", chalk.cyan("/"), "       ", chalk.dim("Search packages")] }), !isDetail && _jsxs(Text, { children: ["   ", chalk.cyan("l"), "       ", chalk.dim("License breakdown (browse + drill-in)")] }), !isDetail && _jsxs(Text, { children: ["   ", chalk.cyan("e"), "       ", chalk.dim("Export menu — pick scope (all / summary / packages / licenses / findings) and format (JSON / CSV / Markdown / text)")] }), !isDetail && onBack && _jsxs(Text, { children: ["   ", chalk.cyan("Esc"), "     ", chalk.dim("Back to project selector")] }), _jsxs(Text, { children: ["   ", chalk.cyan("q"), "       ", chalk.dim("Quit")] }), _jsx(Text, { children: "" }), _jsxs(Text, { dimColor: true, children: [" Press ", chalk.bold.cyan("?"), " or ", chalk.bold.cyan("Esc"), " to close"] })] })] }));
+    }
+    // ── License overlay ──
+    if (showLicenses) {
+        const lcColor = (risk) => {
+            if (risk === "permissive")
+                return chalk.green;
+            if (risk === "weak-copyleft")
+                return chalk.yellow;
+            if (risk === "strong-copyleft")
+                return chalk.yellow.bold;
+            if (risk === "no-license" || risk === "network-copyleft" || risk === "unlicensed")
+                return chalk.red;
+            return chalk.dim;
+        };
+        const totalCount = result.packages.length;
+        const maxCount = licenseGroups[0]?.count ?? 1;
+        if (licenseDetailIdx !== null && licenseGroups[licenseDetailIdx]) {
+            const g = licenseGroups[licenseDetailIdx];
+            const color = lcColor(g.risk);
+            const visibleRows = Math.max(5, termRows - 20);
+            const q = licenseSearchQuery.toLowerCase();
+            const filtered = q
+                ? g.pkgs.filter((p) => p.name.toLowerCase().includes(q))
+                : g.pkgs;
+            const cursorIdx = Math.min(licenseDetailScroll, Math.max(0, filtered.length - 1));
+            const top = Math.max(0, Math.min(cursorIdx - Math.floor((visibleRows - 1) / 2), Math.max(0, filtered.length - visibleRows)));
+            const bottom = Math.min(top + visibleRows, filtered.length);
+            const _above = top;
+            const _below = filtered.length - bottom;
+            const _slice = filtered.slice(top, bottom);
+            return (_jsxs(Box, { flexDirection: "column", children: [_jsx(ScoreHeader, { score: result.score, action: result.action, total: total, flagged: flagged.length, clean: clean.length, userStatus: userStatus, scanUsage: scanUsage, usageNearLimit: usageNearLimit }), _jsxs(Box, { flexDirection: "column", borderStyle: "round", borderColor: "cyan", paddingLeft: 2, paddingRight: 2, width: "100%", children: [_jsxs(Box, { children: [_jsx(Text, { bold: true, children: color(g.spdx) }), _jsxs(Text, { dimColor: true, children: ["  \u00B7  ", g.risk, "  \u00B7  ", g.count, " package", g.count !== 1 ? "s" : "", q ? `  ·  ${filtered.length} match${filtered.length !== 1 ? "es" : ""}` : ""] })] }), licenseSearchMode || q ? (_jsx(Box, { children: _jsxs(Text, { children: [" ", chalk.bold.cyan("/"), " ", q || chalk.dim("(type to filter; Esc clears, Enter confirms)"), licenseSearchMode ? chalk.cyan("█") : ""] }) })) : (_jsx(Text, { children: "" })), _above > 0 && _jsx(Text, { dimColor: true, children: `  ↑ ${_above} more above` }), _slice.length === 0 && _jsx(Text, { dimColor: true, children: `  (no packages match "${q}")` }), _slice.map((p, i) => {
+                                const absIdx = top + i;
+                                const isSelected = absIdx === cursorIdx;
+                                const nameCol = Math.max(28, Math.floor(termCols * 0.55));
+                                if (isSelected) {
+                                    return (_jsxs(Text, { backgroundColor: "#1a1a2e", children: [chalk.cyan("▌"), " ", chalk.bold(pad(truncate(p.name, nameCol - 2), nameCol)), chalk.dim(pad(p.version, 16))] }, `${p.name}@${p.version}`));
+                                }
+                                return (_jsxs(Text, { children: ["  ", pad(truncate(p.name, nameCol - 2), nameCol), chalk.dim(pad(p.version, 16))] }, `${p.name}@${p.version}`));
+                            }), _below > 0 && _jsx(Text, { dimColor: true, children: `  ↓ ${_below} more below` })] }), _jsx(Text, { dimColor: true, children: chalk.dim("─".repeat(Math.max(20, termCols - 4))) }), _jsxs(Text, { children: [" ", chalk.bold.cyan("↑↓"), " ", chalk.dim("scroll"), "   ", chalk.bold.cyan("/"), " ", chalk.dim("search"), "   ", chalk.bold.cyan("e"), " ", chalk.dim("export"), "   ", chalk.bold.cyan("Esc"), " ", chalk.dim("back"), "   ", chalk.bold.cyan("q"), " ", chalk.dim("quit"), exportMsg && _jsxs(_Fragment, { children: ["   ", chalk.green(exportMsg)] })] })] }));
+        }
+        // ── License list (default overlay view) ──
+        // Column widths: pick from terminal so long SPDX strings (e.g.
+        // "(BSD-2-Clause OR MIT OR Apache-2.0)") don't blow the layout.
+        const innerCols = Math.max(60, termCols - 6);
+        const spdxCol = Math.min(40, Math.max(22, Math.floor(innerCols * 0.35)));
+        const riskCol = 18;
+        const countCol = 7;
+        const barCol = Math.max(8, innerCols - spdxCol - riskCol - countCol - 4);
+        const visibleRows = Math.max(5, termRows - 20);
+        const cursor = Math.min(licenseCursor, licenseGroups.length - 1);
+        // Scrolling viewport: keep the cursor visible inside a window of
+        // `visibleRows` rows, clamped at the start/end. Replaces the prior
+        // "resize terminal to see all" dead end — ↑↓ now genuinely scrolls
+        // through the full list on any terminal height.
+        const top = Math.max(0, Math.min(cursor - Math.floor((visibleRows - 1) / 2), licenseGroups.length - visibleRows));
+        const bottom = Math.min(top + visibleRows, licenseGroups.length);
+        const hiddenAbove = top;
+        const hiddenBelow = licenseGroups.length - bottom;
+        return (_jsxs(Box, { flexDirection: "column", children: [_jsx(ScoreHeader, { score: result.score, action: result.action, total: total, flagged: flagged.length, clean: clean.length, userStatus: userStatus, scanUsage: scanUsage, usageNearLimit: usageNearLimit }), _jsx(Text, { dimColor: true, children: chalk.dim("─".repeat(Math.max(20, termCols - 4))) }), _jsxs(Box, { flexDirection: "column", paddingLeft: 2, paddingRight: 2, width: "100%", children: [_jsxs(Text, { bold: true, children: ["Licenses", " ", chalk.dim(`(${licenseGroups.length} unique across ${totalCount} packages)`)] }), _jsx(Text, { children: "" }), _jsxs(Box, { children: [_jsx(Box, { width: 2, flexShrink: 0, children: _jsx(Text, { children: " " }) }), _jsx(Box, { width: spdxCol, flexShrink: 1, children: _jsx(Text, { dimColor: true, children: "SPDX" }) }), _jsx(Box, { width: riskCol, flexShrink: 0, children: _jsx(Text, { dimColor: true, children: "Risk" }) }), _jsx(Box, { width: countCol, flexShrink: 0, children: _jsx(Text, { dimColor: true, children: "Count" }) }), _jsx(Box, { width: barCol, flexShrink: 1, children: _jsx(Text, { dimColor: true, children: "Share" }) })] }), hiddenAbove > 0 && (_jsx(Text, { dimColor: true, children: `  ↑ ${hiddenAbove} more above` })), licenseGroups.slice(top, bottom).map((g, i) => {
+                            const absIdx = top + i;
+                            const color = lcColor(g.risk);
+                            const barLen = Math.max(1, Math.round((g.count / maxCount) * (barCol - 2)));
+                            const bar = "█".repeat(Math.min(barLen, barCol - 2));
+                            const isSelected = absIdx === cursor;
+                            const spdxText = truncate(g.spdx, spdxCol - 1);
+                            const riskText = g.risk;
+                            if (isSelected) {
+                                return (_jsxs(Text, { backgroundColor: "#1a1a2e", children: [chalk.cyan("▌"), " ", chalk.bold(color(pad(spdxText, spdxCol))), chalk.dim(pad(riskText, riskCol)), chalk.bold(pad(String(g.count), countCol)), color(bar)] }, `${g.risk}::${g.spdx}::${absIdx}`));
+                            }
+                            return (_jsxs(Text, { children: ["  ", color(pad(spdxText, spdxCol)), chalk.dim(pad(riskText, riskCol)), chalk.bold(pad(String(g.count), countCol)), color(bar)] }, `${g.risk}::${g.spdx}::${absIdx}`));
+                        }), hiddenBelow > 0 && (_jsx(Text, { dimColor: true, children: `  ↓ ${hiddenBelow} more below` }))] }), _jsx(Text, { dimColor: true, children: chalk.dim("─".repeat(Math.max(20, termCols - 4))) }), _jsxs(Text, { children: [" ", chalk.bold.cyan("↑↓"), " ", chalk.dim("navigate"), "   ", chalk.bold.cyan("⏎"), " ", chalk.dim("view packages"), "   ", chalk.bold.cyan("e"), " ", chalk.dim("export"), "   ", chalk.bold.cyan("Esc"), " ", chalk.dim("close"), "   ", chalk.bold.cyan("q"), " ", chalk.dim("quit"), exportMsg && _jsxs(_Fragment, { children: ["   ", chalk.green(exportMsg)] })] })] }));
+    }
+    // ── Detail pane mode ──
+    if (detailPane !== null) {
+        const dpGroup = groups[detailPane.groupIndex];
+        if (dpGroup) {
+            const dpRep = firstPackage(dpGroup);
+            const { color: dpColor } = actionBadge(dpRep.action);
+            const dpScroll = detailPane.scroll;
+            const dpAbove = dpScroll;
+            const dpBelow = Math.max(0, detailLines.length - dpScroll - detailContentRows);
+            const dpVisible = detailLines.slice(dpScroll, dpScroll + detailContentRows);
+            return (_jsxs(Box, { flexDirection: "column", children: [_jsx(ScoreHeader, { score: result.score, action: result.action, total: total, flagged: flagged.length, clean: clean.length, userStatus: userStatus, scanUsage: scanUsage, usageNearLimit: usageNearLimit }), _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), _jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingRight: 1, width: "100%", children: [_jsxs(Box, { justifyContent: "space-between", children: [_jsxs(Text, { bold: true, children: [groupNames(dpGroup), dpRep.license ? chalk.dim(" \u00B7 ") + (dpRep.license.riskCategory === "permissive" ? chalk.green(dpRep.license.spdx ?? dpRep.license.raw ?? "") : dpRep.license.riskCategory === "no-license" || dpRep.license.riskCategory === "network-copyleft" ? chalk.red(dpRep.license.spdx ?? dpRep.license.raw ?? "No license") : chalk.yellow(dpRep.license.spdx ?? dpRep.license.raw ?? "")) : ""] }), _jsx(Text, { children: dpColor(`score ${dpRep.score}`) })] }), dpAbove > 0 && (_jsxs(Text, { dimColor: true, children: [chalk.cyan(" \u2191"), " ", dpAbove, " more above"] })), _jsx(Box, { flexDirection: "column", marginLeft: 2, children: dpVisible }), dpBelow > 0 && (_jsxs(Text, { dimColor: true, children: [chalk.cyan(" \u2193"), " ", dpBelow, " more below"] }))] }), _jsx(Text, { dimColor: true, children: chalk.dim("─".repeat(Math.max(20, termCols - 4))) }), _jsx(Box, { flexDirection: "column", paddingLeft: 1, paddingRight: 1, width: "100%", children: _jsxs(Box, { justifyContent: "space-between", children: [clean.length > 0 ? (_jsxs(Text, { children: [chalk.green("\u2713"), " ", chalk.green.bold(String(clean.length)), " ", chalk.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`), " ", chalk.dim(`\u00b7 ${(durationMs / 1000).toFixed(1)}s`)] })) : (_jsxs(Text, { dimColor: true, children: [(durationMs / 1000).toFixed(1), "s"] })), result.freeScansRemaining !== undefined && (_jsx(Text, { dimColor: true, children: "Free tier \u00B7 dg login for higher scan limits" }))] }) }), _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), _jsxs(Text, { children: [" ", chalk.bold.cyan("\u2191\u2193"), " ", chalk.dim("scroll"), "   ", chalk.bold.cyan("Esc"), " ", chalk.dim("back"), "   ", chalk.bold.cyan("q"), " ", chalk.dim("quit")] })] }));
+        }
+    }
+    // ── List mode ──
+    return (_jsxs(Box, { flexDirection: "column", children: [_jsx(ScoreHeader, { score: result.score, action: result.action, total: total, flagged: flagged.length, clean: clean.length, userStatus: userStatus, scanUsage: scanUsage, usageNearLimit: usageNearLimit }), groups.length > 0 && (_jsxs(_Fragment, { children: [_jsx(Text, { dimColor: true, children: chalk.dim("─".repeat(Math.max(20, termCols - 4))) }), _jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingRight: 1, width: "100%", children: [_jsxs(Box, { justifyContent: "space-between", children: [_jsx(Text, { bold: true, children: "Flagged Packages" }), _jsx(Text, { dimColor: true, children: searchQuery ? `${groups.length} of ${allGroupCount}` : `${clampedCursor + 1}/${groups.length}` })] }), aboveCount > 0 && (_jsxs(Text, { dimColor: true, children: [chalk.cyan(" \u2191"), " ", aboveCount, " more above"] })), visibleGroups.map((group, visIdx) => {
+                                const globalIdx = view.viewport + visIdx;
+                                const isCursor = globalIdx === clampedCursor;
+                                const level = getLevel(globalIdx);
+                                const rep = firstPackage(group);
+                                const { label, color } = actionBadge(rep.action);
+                                const names = groupNames(group);
+                                const scoreStr = String(rep.score);
+                                const lcInfo = rep.license;
+                                const lcStr = lcInfo ? truncate(lcInfo.spdx ?? lcInfo.raw ?? "", lcCol - 2) : "";
+                                const lcColor = !lcInfo ? chalk.dim
+                                    : lcInfo.riskCategory === "permissive" ? chalk.green
+                                        : (lcInfo.riskCategory === "no-license" || lcInfo.riskCategory === "unlicensed" || lcInfo.riskCategory === "network-copyleft") ? chalk.red
+                                            : chalk.yellow;
+                                const arrow = level === "summary" ? "\u25BE" : "\u25B8"; // ▾ expanded, ▸ collapsed
+                                return (_jsxs(Box, { flexDirection: "column", children: [isCursor ? (_jsxs(Text, { backgroundColor: "#1a1a2e", children: [chalk.cyan("\u258C"), " ", chalk.cyan(arrow), " ", ` `, color(pad(label, 8)), chalk.bold(pad(truncate(names, nameCol - 2), nameCol)), lcColor(pad(lcStr, lcCol)), color(scoreStr.padStart(3)), "  "] })) : (_jsxs(Text, { children: [`  ${chalk.dim(arrow)}  `, color(pad(label, 8)), pad(truncate(names, nameCol - 2), nameCol), lcColor(pad(lcStr, lcCol)), color(scoreStr.padStart(3))] })), level === "summary" && (_jsx(FindingsSummary, { group: group, maxWidth: innerWidth - 8, maxLines: globalIdx === view.expandedIndex ? animVisibleLines : undefined }))] }, group.key));
+                            }), belowCount > 0 && (_jsxs(Text, { dimColor: true, children: [chalk.cyan(" \u2193"), " ", belowCount, " more below"] }))] })] })), _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), _jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingRight: 1, width: "100%", children: [discoveredTotal !== undefined && discoveredTotal > total && (_jsxs(Text, { dimColor: true, children: ["Scanned ", total, " of ", discoveredTotal, " packages"] })), _jsxs(Box, { justifyContent: "space-between", children: [clean.length > 0 ? (_jsxs(Text, { children: [chalk.green("\u2713"), " ", chalk.green.bold(String(clean.length)), " ", chalk.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`), " ", chalk.dim(`\u00b7 ${(durationMs / 1000).toFixed(1)}s`)] })) : (_jsxs(Text, { dimColor: true, children: [(durationMs / 1000).toFixed(1), "s"] })), result.freeScansRemaining !== undefined && (_jsx(Text, { dimColor: true, children: "Free tier \u00B7 dg login for higher scan limits" }))] })] }), _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), searchMode ? (_jsxs(Text, { children: [" ", chalk.bold.cyan("/"), " ", searchQuery, chalk.cyan("\u2588"), "   ", chalk.dim("Esc clear")] })) : (_jsxs(Text, { children: [" ", groups.length > 0 && (_jsxs(_Fragment, { children: [chalk.bold.cyan("\u2191\u2193"), " ", chalk.dim("navigate"), "   ", chalk.bold.cyan("\u23CE"), " ", chalk.dim("expand"), "   ", chalk.bold.cyan("/"), " ", chalk.dim("search"), "   "] })), chalk.bold.cyan("l"), " ", chalk.dim("licenses"), "   ", chalk.bold.cyan("e"), " ", chalk.dim("export"), "   ", onBack && _jsxs(_Fragment, { children: [chalk.bold.cyan("Esc"), " ", chalk.dim("back"), "   "] }), chalk.bold.cyan("q"), " ", chalk.dim("quit"), "   ", chalk.dim("\u00B7 Ctrl+C or q to exit"), exportMsg && _jsxs(_Fragment, { children: ["   ", chalk.green(exportMsg)] })] }))] }));
+};
+const T = {
+    branch: chalk.dim("\u251C\u2500\u2500"),
+    last: chalk.dim("\u2514\u2500\u2500"),
+    pipe: chalk.dim("\u2502"),
+    blank: " ",
+};
+const LICENSE_DESCRIPTIONS = {
+    "permissive": "Permissive \u2014 free to use, modify, and distribute. Include the copyright notice.",
+    "weak-copyleft": "Weak copyleft \u2014 changes to this library must be shared, but your code stays private.",
+    "strong-copyleft": "Strong copyleft \u2014 your entire project must be open-sourced under the same license.",
+    "network-copyleft": "Network copyleft \u2014 even SaaS/server use requires releasing your source code.",
+    "no-license": "No license found \u2014 legally all rights reserved. Use may require permission from the author.",
+    "unlicensed": "Explicitly unlicensed \u2014 proprietary software. A commercial agreement is required.",
+    "unknown": "Unrecognized license \u2014 have your legal team review before using.",
+    "deferred": "License declared in a file \u2014 check the LICENSE file in the package.",
+};
+function licenseLine(rep) {
+    const lc = rep.license;
+    if (!lc)
+        return null;
+    const spdx = lc.spdx ?? lc.raw ?? "";
+    const desc = LICENSE_DESCRIPTIONS[lc.riskCategory] ?? "";
+    const lcColor = lc.riskCategory === "permissive" ? chalk.green
+        : (lc.riskCategory === "no-license" || lc.riskCategory === "unlicensed" || lc.riskCategory === "network-copyleft") ? chalk.red
+            : chalk.yellow;
+    return (_jsxs(Text, { children: [T.branch, " ", lcColor(spdx), " ", chalk.dim("\u2014"), " ", chalk.dim(desc)] }, "license-info"));
+}
+const FindingsSummary = ({ group, maxWidth, maxLines }) => {
+    const rep = firstPackage(group);
+    const visibleFindings = rep.findings
+        .filter((f) => f.severity > 1)
+        .sort((a, b) => b.severity - a.severity);
+    const hasAffects = group.packages.length > 3;
+    const allLines = [];
+    // License info
+    const lcLine = licenseLine(rep);
+    if (lcLine)
+        allLines.push(lcLine);
+    // Render findings — API returns tier-gated data:
+    //   Free: { category, severity } — don't show raw IDs, just upgrade prompt
+    //   Pro:  { category, severity, title } — show category + title
+    //   Team: { category, severity, title, evidence } — show everything
+    const isFree = visibleFindings.length > 0 && !visibleFindings[0]?.title;
+    if (isFree) {
+        // Free tier: don't show raw category IDs — just the upgrade prompt
+        allLines.push(_jsxs(Text, { dimColor: true, children: [hasAffects ? T.branch : T.last, " ", chalk.yellow("\u2192"), " ", chalk.yellow("Upgrade to Pro"), " for finding details"] }, "upgrade"));
+    }
+    else {
+        // Paid tier: show findings with category + title
+        for (let idx = 0; idx < visibleFindings.length; idx++) {
+            const f = visibleFindings[idx];
+            if (!f)
+                continue;
+            const isLast = !hasAffects && idx === visibleFindings.length - 1;
+            const connector = isLast ? T.last : T.branch;
+            const sevLabel = SEVERITY_LABELS[f.severity] ?? "INFO";
+            const sevColor = SEVERITY_COLORS[f.severity] ?? SEVERITY_COLORS[1] ?? chalk.dim;
+            const title = f.title ? `: ${f.title}` : "";
+            allLines.push(_jsxs(Text, { children: [connector, " ", sevColor(pad(sevLabel, 5)), " ", chalk.dim(f.category ?? ""), title] }, `finding-${idx}`));
+        }
+    }
+    if (visibleFindings.length === 0 && rep.score > 0) {
+        // No findings at all (shouldn't happen after API change, but safety fallback)
+        allLines.push(_jsxs(Text, { dimColor: true, children: [hasAffects ? T.branch : T.last, " Score: ", rep.score, "/100"] }, "score-only"));
+    }
+    if (hasAffects) {
+        allLines.push(_jsxs(Text, { dimColor: true, children: [T.last, " ", truncate(affectsLine(group), maxWidth - 8)] }, "affects"));
+    }
+    const linesToShow = maxLines !== undefined ? allLines.slice(0, maxLines) : allLines;
+    return (_jsx(Box, { flexDirection: "column", marginLeft: 5, children: linesToShow }));
+};