@westbayberry/dg 2.0.7 → 2.0.10

package/dist/commands/explain.js

@@ -60,6 +60,134 @@ export const EXPLANATIONS = {
     "proxy-setup-failure": {
         what: "dg's per-install enforcement proxy could not start, so protected installs fail closed rather than run unverified.",
         next: "Run 'dg doctor' for the failing check, then retry."
+    },
+    "needs-login": {
+        what: "This install needed a verdict that requires an authenticated account, so it was blocked rather than installed unverified.",
+        next: "Run 'dg login', then retry the install."
+    },
+    lifecycle: {
+        what: "The scanner flagged an install lifecycle script (preinstall/install/postinstall) that runs arbitrary code during install.",
+        next: "Review the script in the package source, or install with --ignore-scripts."
+    },
+    "install-script": {
+        what: "The scanner found an install-time script in this package that executes code on your machine during install.",
+        next: "Review the script before installing; prefer a version without install scripts."
+    },
+    "archive-path-traversal": {
+        what: "The package archive contains an entry whose path escapes the extraction directory, a classic overwrite attack.",
+        next: "Do not install it; report the package and pin a known-safe version."
+    },
+    "archive-path-too-long": {
+        what: "The package archive contains an entry path long enough to break extraction or smuggle content past tooling.",
+        next: "Treat the artifact as untrusted and verify it out of band."
+    },
+    "archive-size-limit": {
+        what: "The package archive expands past dg's size limit, so its contents were not fully verified (possible zip bomb).",
+        next: "Verify the artifact out of band before trusting it."
+    },
+    "encrypted-archive-entry": {
+        what: "The package archive contains an encrypted entry dg cannot inspect, so part of the package is unverified.",
+        next: "Treat it as unverified; ask the publisher why the archive is encrypted."
+    },
+    "zip-data-descriptor": {
+        what: "The package archive uses zip data descriptors that can make different tools see different contents.",
+        next: "Verify the artifact out of band before trusting it."
+    },
+    "license-policy-denied": {
+        what: "The dependency's license is denied by your license policy.",
+        next: "Replace the dependency, or update the policy if the obligation is acceptable."
+    },
+    "lockfile-url-fallback": {
+        what: "A lockfile entry resolves to a raw URL instead of a registry version, so it has no registry identity to verify.",
+        next: "Re-pin the dependency to a registry version and regenerate the lockfile."
+    },
+    "unverified-lockfile-url": {
+        what: "A lockfile entry downloads from a URL the scanner could not verify against a registry artifact.",
+        next: "Pin a registry version, or run 'dg verify <url>' before installing."
+    },
+    "unverified-network-spec": {
+        what: "A dependency spec points at a raw http/git source instead of the registry, so its contents are unverified.",
+        next: "Pin the dependency to a registry version, or run 'dg verify <url>' first."
+    },
+    "unpinned-package-spec": {
+        what: "A dependency spec has no pinned version, so installs can silently pull a different artifact than was reviewed.",
+        next: "Pin an exact version (or use a lockfile) and re-run the scan."
+    },
+    "unsupported-package-spec": {
+        what: "A dependency spec uses a form dg cannot resolve to a registry artifact, so it was not verified.",
+        next: "Rewrite the spec as a registry name@version, or verify the artifact out of band."
+    },
+    "malformed-lockfile": {
+        what: "A lockfile could not be parsed, so the packages it pins were not verified.",
+        next: "Regenerate the lockfile with your package manager and re-run the scan."
+    },
+    "malformed-package-manifest": {
+        what: "A package manifest could not be parsed, so its dependencies were not verified.",
+        next: "Fix the manifest syntax and re-run the scan."
+    },
+    "missing-artifact-integrity": {
+        what: "A lockfile entry has no integrity hash, so the downloaded artifact cannot be checked against what was reviewed.",
+        next: "Regenerate the lockfile so every entry carries an integrity hash."
+    },
+    "credential-file": {
+        what: "Your publish set includes a credentials file (for example .npmrc, .netrc, or cloud keys) that would ship to the registry.",
+        next: "Remove the file from the publish set and rotate any leaked credential."
+    },
+    "private-key": {
+        what: "Your publish set includes a private key file that would become public on publish.",
+        next: "Remove it from the publish set and rotate the key."
+    },
+    "bundled-secret": {
+        what: "A file in your publish set contains what looks like a live secret (API key, token, or password).",
+        next: "Remove or redact the secret, rotate it, and re-run 'dg audit'."
+    },
+    "scm-leakage": {
+        what: "Your publish set includes version-control internals (for example a .git directory) that leak history and remotes.",
+        next: "Exclude the directory via the files allowlist or an ignore file."
+    },
+    "ci-config": {
+        what: "Your publish set includes CI configuration that often references internal infrastructure and secrets.",
+        next: "Exclude it from the publish set unless consumers need it."
+    },
+    "iac-secret": {
+        what: "Your publish set includes infrastructure-as-code state or vaults (for example tfstate) that commonly embed secrets.",
+        next: "Remove the file and rotate anything it contains."
+    },
+    "source-map": {
+        what: "Your publish set includes source maps that expose your original source to every consumer.",
+        next: "Exclude .map files from the publish set unless that is intended."
+    },
+    "build-artifact": {
+        what: "Your publish set includes build or coverage output that bloats the package and can leak internal paths.",
+        next: "Exclude the directory via the files allowlist."
+    },
+    "editor-os-junk": {
+        what: "Your publish set includes editor or OS junk files (for example .DS_Store or editor swap files).",
+        next: "Exclude them; they add noise and can leak local paths."
+    },
+    "data-dump": {
+        what: "Your publish set includes database dumps, logs, or captures that frequently contain real user data.",
+        next: "Remove the file and check whether the data requires disclosure."
+    },
+    "internal-leak": {
+        what: "Your publish set includes files that look internal-only (for example memory dumps or HAR captures).",
+        next: "Remove them from the publish set before publishing."
+    },
+    "lifecycle-risk": {
+        what: "Your package declares install lifecycle scripts that will run arbitrary code on every consumer's machine.",
+        next: "Drop the script if possible; consumers increasingly refuse install scripts."
+    },
+    structural: {
+        what: "The publish set has a structural problem (for example no files allowlist or a symlink escaping the package root).",
+        next: "Fix the structure so the publish set is exactly what you reviewed."
+    },
+    "pem-private-key": {
+        what: "A PEM-encoded private key is inside your publish set and would become public on publish.",
+        next: "Remove it from the publish set and rotate the key."
+    },
+    "no-files-allowlist": {
+        what: "package.json has no files allowlist, so npm publishes nearly everything in the directory by default.",
+        next: "Add a files allowlist so the publish set is explicit."
     }
 };
 export const explainCommand = {
@@ -82,14 +210,18 @@ function runExplain(args) {
             stderr: "dg explain: expected exactly one finding or cause id. Run 'dg explain --help'.\n"
         };
     }
-    const explanation = EXPLANATIONS[id];
+    const normalized = id.toLowerCase().replaceAll("_", "-");
+    const explanation = EXPLANATIONS[id] ?? EXPLANATIONS[normalized];
     if (!explanation) {
-        const suggestion = closestCommand(id, Object.keys(EXPLANATIONS));
-        const hint = suggestion ? ` Did you mean '${suggestion}'?` : "";
+        const suggestion = closestCommand(normalized, Object.keys(EXPLANATIONS));
+        const hint = suggestion ? `Did you mean '${suggestion}'? ` : "";
         return {
-            exitCode: EXIT_USAGE,
-            stdout: "",
-            stderr: `dg explain: unknown id '${id}'.${hint} Run 'dg explain --help' for the list.\n`
+            exitCode: 0,
+            stdout: `${id}\n\n` +
+                `dg has no local entry for '${id}'. ${hint}` +
+                "Scanner finding ids evolve faster than this glossary, so the id may still be real.\n\n" +
+                `Next: open the affected package's page on westbayberry.com — its findings list shows the evidence and remediation for '${id}'.\n`,
+            stderr: ""
         };
     }
     return {

package/dist/commands/licenses.js

@@ -3,7 +3,7 @@ import { launchScanTui, shouldLaunchScanTui } from "../scan-ui/launch.js";
 import { basename, dirname, relative, resolve, sep } from "node:path";
 import { scanProject } from "../scan/discovery.js";
 import { isSupportedLockfilePath, verifyLockfile } from "../verify/preflight.js";
-import { EXIT_USAGE } from "./types.js";
+import { EXIT_USAGE_VERDICT } from "./types.js";
 const LICENSE_RISKS = [
     "network-copyleft",
     "no-license",
@@ -72,8 +72,9 @@ async function runLicensesCommand(args) {
         };
     }
     let report;
+    let skippedDirectories;
     try {
-        report = buildLicenseReport(parsed);
+        ({ report, skippedDirectories } = buildLicenseReport(parsed));
     }
     catch (error) {
         return {
@@ -82,6 +83,7 @@ async function runLicensesCommand(args) {
             stderr: `dg licenses failed: ${error instanceof Error ? error.message : "unknown license error"}\n`
         };
     }
+    const notices = skippedDirectories.map((directory) => `dg licenses: skipped unreadable directory ${directory}\n`).join("");
     const rendered = renderLicenseReport(report, parsed.format);
     if (parsed.outputPath) {
         try {
@@ -97,13 +99,13 @@ async function runLicensesCommand(args) {
         return {
             exitCode: exitCodeForReport(report),
             stdout: `Wrote ${parsed.format} license report to ${parsed.outputPath}\n`,
-            stderr: ""
+            stderr: notices
         };
     }
     return {
         exitCode: exitCodeForReport(report),
         stdout: rendered,
-        stderr: ""
+        stderr: notices
     };
 }
 function parseLicensesArgs(args) {
@@ -196,9 +198,10 @@ function buildLicenseReport(parsed) {
     const targetPath = resolve(parsed.target);
     const targetInfo = statSync(targetPath);
     const root = targetInfo.isFile() ? dirname(targetPath) : targetPath;
+    const unreadable = [];
     const lockfiles = targetInfo.isFile() && isSupportedLockfilePath(targetPath)
         ? [targetPath]
-        : discoverLockfiles(root);
+        : discoverLockfiles(root, unreadable);
     const entries = dedupeEntries([
         ...manifestLicenseEntries(parsed.target),
         ...lockfiles.flatMap((lockfile) => lockfileLicenseEntries(root, lockfile))
@@ -214,18 +217,21 @@ function buildLicenseReport(parsed) {
         byRisk[entry.risk] += 1;
     }
     return {
-        target: displayPath(process.cwd(), targetPath),
-        status: blocked.length > 0 ? "block" : "pass",
-        entries,
-        policy: {
-            deniedLicenses: [...denied].sort(),
-            failOn: [...failOn].sort()
+        report: {
+            target: displayPath(process.cwd(), targetPath),
+            status: blocked.length > 0 ? "block" : "pass",
+            entries,
+            policy: {
+                deniedLicenses: [...denied].sort(),
+                failOn: [...failOn].sort()
+            },
+            summary: {
+                packageCount: entries.length,
+                blockedCount: blocked.length,
+                byRisk
+            }
         },
-        summary: {
-            packageCount: entries.length,
-            blockedCount: blocked.length,
-            byRisk
-        }
+        skippedDirectories: unreadable.map((directory) => displayPath(root, directory)).sort()
     };
 }
 function manifestLicenseEntries(target) {
@@ -267,23 +273,30 @@ function licenseEntryFromIdentity(root, lockfile, identity) {
         version: identity.version
     };
 }
-function discoverLockfiles(root) {
+function discoverLockfiles(root, unreadable) {
     const lockfiles = [];
-    walk(root, 0, lockfiles);
+    walk(root, 0, lockfiles, unreadable);
     return lockfiles.sort((left, right) => displayPath(root, left).localeCompare(displayPath(root, right)));
 }
-function walk(directory, depth, lockfiles) {
+function walk(directory, depth, lockfiles, unreadable) {
     if (depth > MAX_DISCOVERY_DEPTH) {
         return;
     }
-    const entries = readdirSync(directory, {
-        withFileTypes: true
-    }).sort((left, right) => left.name.localeCompare(right.name));
+    let entries;
+    try {
+        entries = readdirSync(directory, {
+            withFileTypes: true
+        }).sort((left, right) => left.name.localeCompare(right.name));
+    }
+    catch {
+        unreadable.push(directory);
+        return;
+    }
     for (const entry of entries) {
         const absolutePath = resolve(directory, entry.name);
         if (entry.isDirectory()) {
             if (!IGNORED_DIRECTORIES.has(entry.name)) {
-                walk(absolutePath, depth + 1, lockfiles);
+                walk(absolutePath, depth + 1, lockfiles, unreadable);
             }
             continue;
         }
@@ -383,7 +396,7 @@ function exitCodeForReport(report) {
 }
 function usageError(message) {
     return {
-        exitCode: EXIT_USAGE,
+        exitCode: EXIT_USAGE_VERDICT,
         stdout: "",
         stderr: `dg licenses: ${message}. Usage: dg licenses [path] [--json|--csv|--markdown] [--output <path>] [--fail-on <risk[,risk...]>] [--deny-license <id>]\n`
     };

package/dist/commands/login.js

@@ -1,4 +1,4 @@
-import { EXIT_USAGE } from "./types.js";
+import { EXIT_TOOL_ERROR, EXIT_USAGE } from "./types.js";
 import { AuthError, writeAuthState } from "../auth/store.js";
 import { ConfigError, loadUserConfig } from "../config/settings.js";
 export const loginCommand = {
@@ -46,7 +46,11 @@ function loginHandler(args) {
                 stderr: `dg login: ${error.message}\n`
             };
         }
-        throw error;
+        return {
+            exitCode: EXIT_TOOL_ERROR,
+            stdout: "",
+            stderr: `dg login: could not save auth state: ${error instanceof Error ? error.message : "unknown error"}\n`
+        };
     }
 }
 function parseLoginArgs(args) {
@@ -66,9 +70,14 @@ function parseLoginArgs(args) {
         else if (arg?.startsWith("--token=")) {
             token = arg.slice("--token=".length);
         }
+        else if (arg?.startsWith("-")) {
+            return {
+                error: `unknown option '${arg}'`
+            };
+        }
         else {
             return {
-                error: `unknown option '${arg ?? ""}'`
+                error: `unexpected argument '${arg ?? ""}'. dg login takes no arguments: run 'dg login' for browser sign-in, or 'dg login --token <key>' for CI`
             };
         }
     }

package/dist/commands/logout.js

@@ -1,4 +1,4 @@
-import { EXIT_USAGE } from "./types.js";
+import { EXIT_TOOL_ERROR, EXIT_USAGE } from "./types.js";
 import { clearAuthState } from "../auth/store.js";
 export const logoutCommand = {
     name: "logout",
@@ -24,10 +24,21 @@ function logoutHandler(args, env = process.env) {
             stderr: "dg logout requires --yes to confirm.\n"
         };
     }
-    const removed = clearAuthState();
+    let removed;
+    try {
+        removed = clearAuthState();
+    }
+    catch (error) {
+        return {
+            exitCode: EXIT_TOOL_ERROR,
+            stdout: "",
+            stderr: `dg logout: could not remove the local auth token: ${error instanceof Error ? error.message : "unknown error"}\n`
+        };
+    }
     const lines = [removed ? "Removed local dg auth token." : "No local dg auth token was present."];
-    if (env.DG_API_TOKEN) {
-        lines.push("DG_API_TOKEN is still set, so env-var auth remains active (file token removed only).");
+    const activeEnvVars = ["DG_API_KEY", "DG_API_TOKEN"].filter((name) => env[name]);
+    if (activeEnvVars.length > 0) {
+        lines.push(`${activeEnvVars.join(" and ")} ${activeEnvVars.length === 1 ? "is" : "are"} still set, so env-var auth remains active (file token removed only).`);
     }
     return {
         exitCode: 0,

package/dist/commands/scan.js

@@ -12,7 +12,7 @@ export const scanCommand = {
     ],
     examples: ["dg scan", "dg scan ./packages/api", "dg scan --json -o scan.json", "dg scan --staged"],
     details: [
-        "Reads lockfiles, scores each dependency through the scanner, and never changes project files. In a terminal it opens the full-screen results browser; piped or with --json/--sarif it prints machine output. Exit codes: 0 clean, 1 warn, 2 block, 4 analysis incomplete."
+        "Reads lockfiles, scores each dependency through the scanner, and never changes project files. In a terminal it opens the full-screen results browser; piped or with --json/--sarif it prints machine output. Exit codes: 0 clean, 1 warn, 2 block, 4 analysis incomplete, 64 usage error."
     ],
     handler: runScanCommand
 };

package/dist/commands/service.js

@@ -1,6 +1,6 @@
-import { EXIT_USAGE } from "./types.js";
+import { EXIT_UNAVAILABLE, EXIT_USAGE } from "./types.js";
 import { renderCommandHelp } from "./help.js";
-import { buildServiceUninstallPlan, buildTrustInstallPlan, buildTrustUninstallPlan, installServiceTrust, readServiceState, renderServicePlan, restartService, ServiceNotConfiguredError, ServiceProxyError, ServiceTrustStoreError, startService, stopService, uninstallService, uninstallServiceTrust } from "../service/state.js";
+import { buildServiceUninstallPlan, buildTrustInstallPlan, buildTrustUninstallPlan, installServiceTrust, readServiceState, renderServicePlan, resolveServicePaths, restartService, ServiceNotConfiguredError, ServiceProxyError, ServiceTrustStoreError, ServiceTrustToolMissingError, startService, stopService, uninstallService, uninstallServiceTrust } from "../service/state.js";
 import { LockBusyError } from "../state/locks.js";
 const trustCommand = {
     name: "trust",
@@ -26,27 +26,9 @@ const trustCommand = {
     handler: routeService
 };
 const serviceSubcommands = [
-    {
-        name: "start",
-        summary: "Start explicit service mode.",
-        usage: "dg service start",
-        details: ["Service mode is explicit, reversible, documented, and separate from default setup."],
-        handler: () => serviceMutation("start", () => startService())
-    },
-    {
-        name: "stop",
-        summary: "Stop explicit service mode.",
-        usage: "dg service stop",
-        details: ["Service mode is explicit, reversible, documented, and separate from default setup."],
-        handler: () => serviceMutation("stop", () => stopService())
-    },
-    {
-        name: "restart",
-        summary: "Restart explicit service mode.",
-        usage: "dg service restart",
-        details: ["Service mode is explicit, reversible, documented, and separate from default setup."],
-        handler: () => serviceMutation("restart", () => restartService())
-    },
+    mutationSpec("start", "Start explicit service mode.", () => startService()),
+    mutationSpec("stop", "Stop explicit service mode.", () => stopService()),
+    mutationSpec("restart", "Restart explicit service mode.", () => restartService()),
     {
         name: "status",
         summary: "Show explicit service mode status.",
@@ -76,7 +58,7 @@ export const serviceCommand = {
     examples: ["dg service start", "dg service status --json", "dg service trust install --print"],
     details: [
         "Service mode is never silently enabled by package install or default setup.",
-        "status and doctor accept --json; uninstall and trust accept --print / --yes."
+        "status and doctor accept --json; uninstall and trust accept --print / --yes; start, stop, and restart accept --print."
     ],
     subcommands: [...serviceSubcommands, trustCommand],
     handler: routeService
@@ -165,6 +147,64 @@ function serviceDoctorHandler(args) {
         stderr: ""
     };
 }
+function mutationSpec(action, summary, run) {
+    const spec = {
+        name: action,
+        summary,
+        usage: `dg service ${action} [--print]`,
+        flags: [{ flag: "--print", summary: "Show what this would change without acting." }],
+        details: ["Service mode is explicit, reversible, documented, and separate from default setup."],
+        handler: (context) => mutationHandler(spec, action, run, context.args)
+    };
+    return spec;
+}
+function mutationHandler(spec, action, run, args) {
+    let printOnly = false;
+    for (const arg of args) {
+        if (arg === "--help" || arg === "-h" || arg === "help") {
+            return {
+                exitCode: 0,
+                stdout: renderCommandHelp(spec, ["service", action]),
+                stderr: ""
+            };
+        }
+        if (arg === "--print") {
+            printOnly = true;
+            continue;
+        }
+        return {
+            exitCode: EXIT_USAGE,
+            stdout: "",
+            stderr: `dg service ${action}: unknown option '${arg}'. Run 'dg service ${action} --help'.\n`
+        };
+    }
+    if (printOnly) {
+        return {
+            exitCode: 0,
+            stdout: renderServicePlan(`Dependency Guardian service ${action} plan`, { writes: mutationPlanWrites(action) }),
+            stderr: ""
+        };
+    }
+    return serviceMutation(action, run);
+}
+function mutationPlanWrites(action) {
+    const paths = resolveServicePaths();
+    const startWrites = [
+        { action: "start the dg service proxy worker and record its runtime state", path: paths.runtimePath },
+        { action: "mark explicit service mode running", path: paths.statePath }
+    ];
+    const stopWrites = [
+        { action: "stop the dg service proxy worker and remove its runtime state", path: paths.runtimePath },
+        { action: "mark explicit service mode stopped", path: paths.statePath }
+    ];
+    if (action === "start") {
+        return startWrites;
+    }
+    if (action === "stop") {
+        return stopWrites;
+    }
+    return [...stopWrites.slice(0, 1), ...startWrites];
+}
 function serviceMutation(action, run) {
     try {
         const result = run();
@@ -221,6 +261,9 @@ function trustInstallHandler(args) {
         if (error instanceof ServiceNotConfiguredError) {
             return serviceNotConfiguredResult();
         }
+        if (error instanceof ServiceTrustToolMissingError) {
+            return trustToolMissingResult(planText, error.tool);
+        }
         if (error instanceof ServiceTrustStoreError) {
             return trustStoreFailureResult(planText, "install", error.message);
         }
@@ -473,3 +516,12 @@ function trustStoreFailureResult(planText, action, message) {
         stderr: `dg service trust ${action} failed before recording successful trust state: ${message}\n`
     };
 }
+function trustToolMissingResult(planText, tool) {
+    return {
+        exitCode: EXIT_UNAVAILABLE,
+        stdout: planText,
+        stderr: `dg service trust install: '${tool}' is not available on this system, so no trust state was changed.\n` +
+            "Native trust install is supported on macOS (security) and Debian/Ubuntu Linux (update-ca-certificates).\n" +
+            "On other systems, set DG_SERVICE_TRUST_STORE_BACKEND=file with DG_SERVICE_TRUST_STORE_DIR=<dir> and point your tooling at the exported CA file.\n"
+    };
+}

package/dist/commands/status.js

@@ -1,4 +1,7 @@
-import { authStatus, displayTier } from "../auth/store.js";
+import { authStatus, displayTier, readAuthState } from "../auth/store.js";
+import { envAuthToken } from "../auth/env-token.js";
+import { fetchAccountStatus } from "../auth/device-login.js";
+import { formatUsage } from "../scan-ui/format-helpers.js";
 import { loadUserConfig } from "../config/settings.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { createTheme } from "../presentation/theme.js";
@@ -17,7 +20,8 @@ export const statusCommand = {
     ],
     handler: (context) => runStatusCommand(context.args)
 };
-function runStatusCommand(args) {
+export const STATUS_USAGE_TIMEOUT_MS = 2_500;
+export async function runStatusCommand(args, io = {}) {
     const json = args.includes("--json");
     const unknown = args.find((arg) => arg !== "--json");
     if (unknown) {
@@ -27,7 +31,7 @@ function runStatusCommand(args) {
             stderr: `dg status: unknown option '${unknown}'. Run 'dg status --help'.\n`
         };
     }
-    const report = buildStatusReport();
+    const report = await buildStatusReport(io);
     if (json) {
         return {
             exitCode: 0,
@@ -41,19 +45,39 @@ function runStatusCommand(args) {
         stderr: ""
     };
 }
-function buildStatusReport() {
+async function buildStatusReport(io) {
     const checks = doctorReport().checks;
     const checkPassed = (name) => checks.find((check) => check.name === name)?.status === "pass";
     const auth = safeAuthStatus();
     const policy = loadUserConfig().policy;
     return {
         account: auth,
+        usage: await fetchStatusUsage(auth.connected, io),
         protection: { shims: checkPassed("shims"), path: checkPassed("path"), configured: checkPassed("shell-rc") },
         reloadHint: currentShellActivation(),
         commitGuard: safeCommitGuard(),
         policy: { mode: policy.mode, trustProjectAllowlists: policy.trustProjectAllowlists }
     };
 }
+async function fetchStatusUsage(connected, io) {
+    const token = connected ? resolveStatusToken() : undefined;
+    if (!token) {
+        return { state: "anonymous" };
+    }
+    const account = await fetchAccountStatus(token, process.env, io.fetchImpl ?? fetch, io.usageTimeoutMs ?? STATUS_USAGE_TIMEOUT_MS);
+    if (!account || account.scansUsed === null) {
+        return { state: "unavailable" };
+    }
+    return { state: "ok", used: account.scansUsed, limit: account.scansLimit };
+}
+function resolveStatusToken() {
+    try {
+        return envAuthToken(process.env) ?? readAuthState()?.token;
+    }
+    catch {
+        return undefined;
+    }
+}
 function safeCommitGuard() {
     try {
         return gitHookStatusState();
@@ -91,6 +115,7 @@ function renderStatus(report, theme) {
         "Dependency Guardian status",
         "",
         `  Account      ${account}`,
+        `  Usage        ${usageLine(report, theme)}`,
         `  Installs     ${bare}`
     ];
     const guard = commitGuardLine(report.commitGuard, theme);
@@ -102,6 +127,15 @@ function renderStatus(report, theme) {
     lines.push(`Full diagnostics: ${theme.paint("accent", "dg doctor")}`);
     return `${lines.join("\n")}\n`;
 }
+function usageLine(report, theme) {
+    if (report.usage.state === "anonymous") {
+        return theme.paint("muted", "sign in to see usage");
+    }
+    if (report.usage.state === "unavailable") {
+        return theme.paint("muted", "unavailable offline");
+    }
+    return formatUsage({ used: report.usage.used, limit: report.usage.limit, tier: report.account.tier ?? "" }).text;
+}
 function commitGuardLine(state, theme) {
     if (state === "not-a-repo") {
         return null;

package/dist/commands/types.js

@@ -1,4 +1,5 @@
 export const EXIT_USAGE = 2;
+export const EXIT_USAGE_VERDICT = 64;
 export const EXIT_NOTHING_TO_SCAN = 10;
 export const EXIT_UNAVAILABLE = 69;
 export const EXIT_TOOL_ERROR = 70;