@westbayberry/dg 2.0.7 → 2.0.10

package/dist/scan/command.js

@@ -5,53 +5,70 @@ import { renderJsonReport, renderSarifReport, renderTextReport } from "./render.
 import { resolvePresentation } from "../presentation/mode.js";
 import { createTheme } from "../presentation/theme.js";
 import { launchScanTui, shouldLaunchScanTui } from "../scan-ui/launch.js";
-import { tryScannerScan } from "./scanner-report.js";
-import { runStagedScan } from "./staged.js";
+import { runScannerScan } from "./scanner-report.js";
+import { runStagedScan, stagedScanReport } from "./staged.js";
 import { scanExitCode } from "../scan-ui/shims.js";
 import { loadUserConfig } from "../config/settings.js";
-import { EXIT_USAGE } from "../commands/types.js";
+import { EXIT_USAGE_VERDICT } from "../commands/types.js";
 export function runScanCommand(context) {
     const parsed = parseScanArgs(context.args);
     if ("error" in parsed) {
         return usageError(parsed.error);
     }
-    if (parsed.staged) {
-        return runStagedScan({ hook: parsed.hook });
-    }
-    if (shouldLaunchScanTui({
-        targetPath: parsed.targetPath,
-        format: parsed.format,
-        outputPath: parsed.outputPath ?? undefined
-    })) {
-        void launchScanTui().catch((error) => {
-            process.stderr.write(`dg scan TUI failed: ${error instanceof Error ? error.message : "unknown error"}\n`);
-            process.exitCode = 1;
-        });
-        return {
-            exitCode: 0,
-            stdout: "",
-            stderr: ""
-        };
+    const stagedTarget = parsed.sawTarget ? parsed.targetPath : null;
+    const machineOutput = parsed.format !== "text" || parsed.outputPath !== null;
+    if (parsed.staged && !machineOutput) {
+        return runStagedScan({ hook: parsed.hook, targetPath: stagedTarget });
     }
     let report;
-    try {
-        report = scanProject({
-            targetPath: parsed.targetPath
-        });
+    let outcome;
+    if (parsed.staged) {
+        const staged = stagedScanReport({ targetPath: stagedTarget });
+        if ("result" in staged) {
+            return staged.result;
+        }
+        report = staged.report;
+        outcome = staged.outcome;
     }
-    catch (error) {
-        return {
-            exitCode: 1,
-            stdout: "",
-            stderr: `dg scan failed: ${error instanceof Error ? error.message : "unknown scan error"}\n`
-        };
+    else {
+        if (shouldLaunchScanTui({
+            targetPath: parsed.targetPath,
+            format: parsed.format,
+            outputPath: parsed.outputPath ?? undefined
+        })) {
+            void launchScanTui().catch((error) => {
+                process.stderr.write(`dg scan TUI failed: ${error instanceof Error ? error.message : "unknown error"}\n`);
+                process.exitCode = 1;
+            });
+            return {
+                exitCode: 0,
+                stdout: "",
+                stderr: ""
+            };
+        }
+        try {
+            report = scanProject({
+                targetPath: parsed.targetPath
+            });
+        }
+        catch (error) {
+            return {
+                exitCode: 1,
+                stdout: "",
+                stderr: `dg scan failed: ${error instanceof Error ? error.message : "unknown scan error"}\n`
+            };
+        }
+        outcome = runScannerScan(parsed.targetPath, report);
+    }
+    if (outcome.kind === "report") {
+        report = outcome.report;
     }
-    const scannerReport = tryScannerScan(parsed.targetPath, report);
-    if (scannerReport) {
-        report = scannerReport;
+    else if (outcome.kind === "failed") {
+        report = degradeReport(report, outcome.error);
     }
-    const scannerUnavailable = scannerReport === null && report.summary.projectCount > 0;
-    const rendered = renderReport(report, parsed.format, scannerUnavailable);
+    const skipNotice = skipNoticeFor(outcome, report);
+    const scannerUnavailable = !report.scanner && report.summary.projectCount > 0;
+    const rendered = renderReport(report, parsed.format, scannerUnavailable, skipNotice);
     if (parsed.outputPath) {
         try {
             writeFileSync(resolve(parsed.outputPath), rendered, "utf8");
@@ -111,7 +128,7 @@ function parseScanArgs(args) {
         }
         if (arg === "--output" || arg === "-o") {
             const next = args[index + 1];
-            if (!next) {
+            if (!next || next.startsWith("-")) {
                 return { error: `${arg} requires a path` };
             }
             outputPath = next;
@@ -131,29 +148,52 @@ function parseScanArgs(args) {
         format,
         outputPath,
         targetPath,
+        sawTarget,
         staged,
         hook
     };
 }
 function usageError(message) {
     return {
-        exitCode: EXIT_USAGE,
+        exitCode: EXIT_USAGE_VERDICT,
         stdout: "",
         stderr: `dg scan: ${message}. Usage: dg scan [path] [--json|--sarif] [--output <path>]\n`
     };
 }
-function renderReport(report, format, scannerUnavailable) {
+function degradeReport(report, error) {
+    const status = report.status === "block" || report.status === "warn" ? report.status : "unknown";
+    return { ...report, status, scannerError: error };
+}
+function skipNoticeFor(outcome, report) {
+    if (outcome.kind !== "skipped") {
+        return undefined;
+    }
+    if (outcome.reason === "no_lockfiles") {
+        return report.summary.projectCount > 0 ? "no_lockfile" : undefined;
+    }
+    return "empty_lockfile";
+}
+function renderReport(report, format, scannerUnavailable, skipNotice) {
     if (format === "json") {
         return renderJsonReport(report, scannerUnavailable);
     }
     if (format === "sarif") {
         return renderSarifReport(report);
     }
-    return renderTextReport(report, undefined, createTheme(resolvePresentation().color), scannerUnavailable);
+    return renderTextReport(report, undefined, createTheme(resolvePresentation().color), skipNotice);
 }
 function exitCodeForReport(report) {
     if (report.scanner) {
         return scanExitCode(report.scanner.action, loadUserConfig().policy.mode);
     }
-    return report.status === "block" || report.status === "error" ? 1 : 0;
+    if (report.status === "block") {
+        return 2;
+    }
+    if (report.status === "warn") {
+        return 1;
+    }
+    if (report.status === "error" || report.status === "unknown") {
+        return 4;
+    }
+    return 0;
 }

package/dist/scan/discovery.js

@@ -82,9 +82,15 @@ function walk(directory, depth, manifests) {
     if (depth > MAX_DISCOVERY_DEPTH) {
         return;
     }
-    const entries = readdirSync(directory, {
-        withFileTypes: true
-    }).sort((left, right) => left.name.localeCompare(right.name));
+    let entries;
+    try {
+        entries = readdirSync(directory, {
+            withFileTypes: true
+        }).sort((left, right) => left.name.localeCompare(right.name));
+    }
+    catch {
+        return;
+    }
     for (const entry of entries) {
         const absolutePath = resolve(directory, entry.name);
         if (entry.isDirectory()) {

package/dist/scan/render.js

@@ -9,7 +9,14 @@ const SCAN_STATUS_ROLE = {
     unknown: "unknown",
     error: "block"
 };
-export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(), theme = createTheme(false), scannerUnavailable = false) {
+export function displayScanStatus(report) {
+    return report.scannerError && report.status === "unknown" ? "analysis_incomplete" : report.status;
+}
+const SCANNER_SKIP_MESSAGES = {
+    no_lockfile: "no lockfile found — server verification skipped (local heuristics only)",
+    empty_lockfile: "lockfile contains no scannable packages — server verification skipped (local heuristics only)"
+};
+export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(), theme = createTheme(false), scannerNotice) {
     const width = Math.max(48, Math.min(terminalWidth, 140));
     const cleanProjects = report.projects.filter((project) => project.findings.length === 0);
     const findingProjects = report.projects.filter((project) => project.findings.length > 0);
@@ -18,7 +25,7 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
         "Dependency Guardian scan",
         `Target: ${report.target}`,
         `Scanning: checked ${report.summary.projectCount} project manifest${report.summary.projectCount === 1 ? "" : "s"}.`,
-        `Status: ${theme.paint(SCAN_STATUS_ROLE[report.status], report.status)}`,
+        `Status: ${theme.paint(SCAN_STATUS_ROLE[report.status], displayScanStatus(report))}`,
         `Projects: ${report.summary.projectCount}`,
         `Dependencies: ${report.summary.dependencyCount}`,
         `Findings: ${report.summary.findingCount} (${report.summary.warnCount} warn, ${report.summary.blockCount} block)`,
@@ -27,11 +34,20 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
             : []),
         ""
     ];
-    if (scannerUnavailable) {
-        lines.push("server scan unavailable — local heuristics only (run 'dg doctor' to diagnose)");
+    if (report.scannerError) {
+        const scannerError = report.scannerError;
+        lines.push(theme.paint(scannerError.kind === "quota_exceeded" ? "warn" : "block", `server scan failed: ${scannerError.message}`));
+        if (scannerError.scansUsed !== undefined || scannerError.scansLimit !== undefined) {
+            lines.push(`scans used: ${scannerError.scansUsed ?? "?"} of ${scannerError.scansLimit ?? "?"}`);
+        }
+        lines.push("local heuristics only — no server verdict (run 'dg doctor' to diagnose)");
+        lines.push("");
+    }
+    else if (scannerNotice) {
+        lines.push(SCANNER_SKIP_MESSAGES[scannerNotice]);
         lines.push("");
     }
-    if (report.projects.length === 0 && report.errors.length === 0) {
+    if (report.projects.length === 0 && report.errors.length === 0 && !report.scanner && !report.scannerError) {
         lines.push("No supported project manifests found.");
     }
     if (findingProjects.length > 0) {
@@ -96,7 +112,7 @@ function formatProject(project, width) {
     return lines;
 }
 export function renderJsonReport(report, scannerUnavailable = false) {
-    return `${JSON.stringify({ ...report, scannerUnavailable }, null, 2)}\n`;
+    return `${JSON.stringify({ ...report, status: displayScanStatus(report), scannerUnavailable }, null, 2)}\n`;
 }
 export function renderSarifReport(report) {
     const rules = uniqueFindings(report.findings).map((finding) => ({

package/dist/scan/scanner-report.js

@@ -1,43 +1,120 @@
 import { spawnSync } from "node:child_process";
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import { resolve } from "node:path";
 import { fileURLToPath } from "node:url";
+import { sanitize } from "../security/sanitize.js";
 import { collectScanPackages, discoverScanProjects } from "./collect.js";
-const WORKER_TIMEOUT_MS = 180_000;
-export function tryScannerScan(targetPath, localReport, env = process.env) {
+const WORKER_TIMEOUT_BASE_MS = 180_000;
+const SERVER_PER_PACKAGE_WORST_CASE_MS = 660_000;
+const SERVER_SCAN_CONCURRENCY = 64;
+const WORKER_MAX_BUFFER = 64 * 1024 * 1024;
+export function scanWorkerTimeoutMs(packageCount) {
+    return WORKER_TIMEOUT_BASE_MS + packageCount * Math.ceil(SERVER_PER_PACKAGE_WORST_CASE_MS / SERVER_SCAN_CONCURRENCY);
+}
+export function runScannerScan(targetPath, localReport, env = process.env) {
     const projects = discoverScanProjects(resolve(targetPath));
     if (projects.length === 0) {
-        return null;
+        return { kind: "skipped", reason: "no_lockfiles" };
     }
-    const { byEcosystem } = collectScanPackages(projects);
-    const groups = [...byEcosystem.entries()].map(([ecosystem, packages]) => ({ ecosystem, packages }));
+    const collected = collectScanPackages(projects);
+    const groups = [...collected.byEcosystem.entries()].map(([ecosystem, packages]) => ({ ecosystem, packages }));
     const total = groups.reduce((sum, group) => sum + group.packages.length, 0);
     if (total === 0) {
-        return null;
+        if (collected.skipped > 0) {
+            return { kind: "failed", error: lockfileParseError(projects, collected) };
+        }
+        return { kind: "skipped", reason: "no_packages" };
     }
     const workerPath = [
         fileURLToPath(new URL("./analyze-worker.js", import.meta.url)),
         fileURLToPath(new URL("../../dist/scan/analyze-worker.js", import.meta.url))
     ].find((candidate) => existsSync(candidate));
     if (!workerPath) {
-        return null;
+        return {
+            kind: "failed",
+            error: { kind: "worker", message: "scanner worker is missing — reinstall @westbayberry/dg" }
+        };
     }
-    const worker = spawnSync(process.execPath, [workerPath, JSON.stringify(groups)], {
+    const timeoutMs = scanWorkerTimeoutMs(total);
+    const worker = spawnSync(process.execPath, [workerPath], {
         encoding: "utf8",
         env,
-        timeout: WORKER_TIMEOUT_MS
+        input: JSON.stringify({ scanId: randomUUID(), groups }),
+        maxBuffer: WORKER_MAX_BUFFER,
+        timeout: timeoutMs
     });
-    if (worker.status !== 0 || !worker.stdout) {
-        return null;
+    const failure = workerFailure(worker, timeoutMs, total);
+    if (failure) {
+        return { kind: "failed", error: failure };
     }
     let response;
     try {
         response = JSON.parse(worker.stdout);
     }
+    catch {
+        return {
+            kind: "failed",
+            error: { kind: "invalid_response", message: "scanner worker returned unreadable output" }
+        };
+    }
+    return { kind: "report", report: buildScannerReport(localReport, response, total) };
+}
+export function tryScannerScan(targetPath, localReport, env = process.env) {
+    const outcome = runScannerScan(targetPath, localReport, env);
+    return outcome.kind === "report" ? outcome.report : null;
+}
+export function workerFailure(worker, timeoutMs, packageCount) {
+    if (worker.error?.code === "ETIMEDOUT") {
+        return {
+            kind: "timeout",
+            message: `server scan timed out after ${Math.round(timeoutMs / 1000)}s without finishing ${packageCount} package${packageCount === 1 ? "" : "s"}`
+        };
+    }
+    if (worker.error) {
+        return { kind: "worker", message: `scanner worker failed to start: ${worker.error.message}` };
+    }
+    if (worker.status === 0 && worker.stdout) {
+        return null;
+    }
+    const reported = parseWorkerError(worker.stdout);
+    if (reported) {
+        return reported;
+    }
+    const stderrLine = (worker.stderr ?? "").trim().split("\n")[0] ?? "";
+    return {
+        kind: "worker",
+        message: stderrLine ? `scanner worker failed: ${sanitize(stderrLine)}` : "scanner worker exited without a result"
+    };
+}
+function parseWorkerError(stdout) {
+    if (!stdout) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(stdout);
+        if (parsed.scannerError && typeof parsed.scannerError.message === "string" && typeof parsed.scannerError.kind === "string") {
+            return parsed.scannerError;
+        }
+    }
     catch {
         return null;
     }
-    return buildScannerReport(localReport, response, total);
+    return null;
+}
+function lockfileParseError(projects, collected) {
+    const parseErrors = collected.parseErrors ?? [];
+    const detail = parseErrors
+        .map((entry) => [entry.path, entry.message].filter(Boolean).join(": "))
+        .filter((line) => line.length > 0)
+        .join("; ");
+    const lockfiles = [...new Set(projects.map((project) => project.depFile))].join(", ");
+    return {
+        kind: "lockfile_unparsed",
+        message: detail
+            ? `could not parse lockfile${parseErrors.length === 1 ? "" : "s"}: ${detail}`
+            : `found ${projects.length} lockfile${projects.length === 1 ? "" : "s"} (${lockfiles}) but no packages could be parsed`
+    };
 }
 export function buildScannerReport(localReport, response, analyzedCount) {
     const findings = response.packages

package/dist/scan/staged.js

@@ -1,6 +1,6 @@
-import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { mkdirSync, mkdtempSync, realpathSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
-import { basename, dirname, join } from "node:path";
+import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
 import { createTheme } from "../presentation/theme.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { loadUserConfig } from "../config/settings.js";
@@ -8,8 +8,8 @@ import { gitSync, gitTrimmed } from "../util/git.js";
 import { promptYesNo } from "../util/tty-prompt.js";
 import { GUARD_SELFTEST_ENV } from "../setup/git-hook.js";
 import { isLockfileName } from "./collect.js";
-import { tryScannerScan } from "./scanner-report.js";
-import { EXIT_USAGE } from "../commands/types.js";
+import { runScannerScan, tryScannerScan } from "./scanner-report.js";
+import { EXIT_USAGE_VERDICT } from "../commands/types.js";
 function emptyLocalReport(target) {
     return {
         target,
@@ -34,6 +34,20 @@ export function stagedLockfilePaths(cwd, env) {
     }
     return diff.stdout.split("\0").filter(Boolean).filter((path) => isLockfileName(basename(path)));
 }
+export function scopeStagedPaths(paths, root, cwd, targetPath) {
+    if (!targetPath) {
+        return [...paths];
+    }
+    const prefix = relative(safeRealpath(root), safeRealpath(resolve(safeRealpath(cwd), targetPath)));
+    if (prefix.startsWith("..") || isAbsolute(prefix)) {
+        return null;
+    }
+    if (prefix === "" || prefix === ".") {
+        return [...paths];
+    }
+    const normalized = prefix.split(sep).join("/");
+    return paths.filter((path) => path === normalized || path.startsWith(`${normalized}/`));
+}
 export function materializeStaged(relPaths, cwd, env) {
     const dir = mkdtempSync(join(tmpdir(), "dg-staged-"));
     let count = 0;
@@ -58,16 +72,20 @@ export function runStagedScan(options) {
     }
     const root = gitTrimmed(["rev-parse", "--show-toplevel"], { cwd, env });
     if (!root) {
-        return { exitCode: EXIT_USAGE, stdout: "", stderr: "dg scan --staged: not a git repository.\n" };
+        return notARepoResult();
     }
     const lockfiles = stagedLockfilePaths(cwd, env);
     if (lockfiles === null) {
         return failOpen(theme, "could not read staged changes");
     }
-    if (lockfiles.length === 0) {
+    const scoped = scopeStagedPaths(lockfiles, root, cwd, options.targetPath ?? null);
+    if (scoped === null) {
+        return outsideRepoResult(options.targetPath ?? "");
+    }
+    if (scoped.length === 0) {
         return { exitCode: 0, stdout: "", stderr: "" };
     }
-    const { dir, count } = materializeStaged(lockfiles, cwd, env);
+    const { dir, count } = materializeStaged(scoped, cwd, env);
     try {
         if (count === 0) {
             return failOpen(theme, "could not read the staged lockfile contents");
@@ -82,6 +100,50 @@ export function runStagedScan(options) {
         rmSync(dir, { recursive: true, force: true });
     }
 }
+export function stagedScanReport(options) {
+    const env = options.env ?? process.env;
+    const cwd = options.cwd ?? process.cwd();
+    const root = gitTrimmed(["rev-parse", "--show-toplevel"], { cwd, env });
+    if (!root) {
+        return { result: notARepoResult() };
+    }
+    const base = { ...emptyLocalReport(root), status: "pass" };
+    const lockfiles = stagedLockfilePaths(cwd, env);
+    if (lockfiles === null) {
+        return { report: base, outcome: { kind: "failed", error: { kind: "worker", message: "could not read staged changes" } } };
+    }
+    const scoped = scopeStagedPaths(lockfiles, root, cwd, options.targetPath ?? null);
+    if (scoped === null) {
+        return { result: outsideRepoResult(options.targetPath ?? "") };
+    }
+    if (scoped.length === 0) {
+        return { report: base, outcome: { kind: "skipped", reason: "no_lockfiles" } };
+    }
+    const { dir, count } = materializeStaged(scoped, cwd, env);
+    try {
+        if (count === 0) {
+            return { report: base, outcome: { kind: "failed", error: { kind: "worker", message: "could not read the staged lockfile contents" } } };
+        }
+        return { report: base, outcome: runScannerScan(dir, base, env) };
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+}
+function safeRealpath(path) {
+    try {
+        return realpathSync(path);
+    }
+    catch {
+        return path;
+    }
+}
+function notARepoResult() {
+    return { exitCode: EXIT_USAGE_VERDICT, stdout: "", stderr: "dg scan --staged: not a git repository.\n" };
+}
+function outsideRepoResult(targetPath) {
+    return { exitCode: EXIT_USAGE_VERDICT, stdout: "", stderr: `dg scan --staged: ${targetPath} is outside this repository.\n` };
+}
 export function decideStagedVerdict(report, env = process.env, hook = false) {
     const theme = createTheme(resolvePresentation().color);
     const action = report.scanner?.action ?? report.status;

package/dist/scan-ui/LegacyApp.js

@@ -1,7 +1,6 @@
 import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
-import { useEffect, useLayoutEffect, useCallback, useRef } from "react";
+import { useEffect, useCallback } from "react";
 import { Box, Text, useApp, useInput } from "ink";
-import { getStoredApiKey } from "./shims.js";
 import { useScan } from "./hooks/useScan.js";
 import { Spinner } from "./components/Spinner.js";
 import { ProgressBar } from "./components/ProgressBar.js";
@@ -11,56 +10,21 @@ import { ProjectSelector } from "./components/ProjectSelector.js";
 import { SetupBanner } from "./components/SetupBanner.js";
 import { useTerminalSize } from "./hooks/useTerminalSize.js";
 import { scanExitCode } from "./shims.js";
-import { enterTui, leaveTui, showCursor } from "./alt-screen.js";
+import { leaveTui, showCursor, tuiIsActive } from "./alt-screen.js";
 import { formatResetDate } from "../install-ui/block-render.js";
-export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialView }) => {
+export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialView, updateAvailable }) => {
     const { state, scanSelectedProjects, restartSelection } = useScan(config);
     const { exit } = useApp();
     useTerminalSize();
-    const prevPhaseRef = useRef(state.phase);
-    const altScreenActiveRef = useRef(false);
-    // Enter the alternate screen ONLY after we leave the discovering phase.
-    // The spinner stays inline on the user's main terminal during discovery so
-    // they see "Searching for dependencies..." in their normal scrollback rather
-    // than a cleared screen. useLayoutEffect runs synchronously after React
-    // commits the new tree but before Ink writes the next frame to stdout, so
-    // post-discovery content lands directly in the alt buffer (avoiding the
-    // "blank until keypress" diff-tracker mismatch documented in alt-screen.ts).
-    useLayoutEffect(() => {
-        if (state.phase === "discovering")
-            return;
-        if (!process.stdout.isTTY)
-            return;
-        if (altScreenActiveRef.current)
-            return;
-        enterTui();
-        altScreenActiveRef.current = true;
-    }, [state.phase]);
-    // Cleanup on unmount: leave alt screen, restore cursor.
-    useEffect(() => {
-        return () => {
-            if (altScreenActiveRef.current) {
-                leaveTui();
-                altScreenActiveRef.current = false;
-            }
-            else {
-                showCursor();
-            }
-        };
-    }, []);
-    // Track phase transitions (Ink handles repainting automatically)
-    useEffect(() => {
-        prevPhaseRef.current = state.phase;
-    }, [state.phase]);
     const leaveAltScreen = useCallback(() => {
-        if (altScreenActiveRef.current) {
+        if (tuiIsActive()) {
             leaveTui();
-            altScreenActiveRef.current = false;
         }
         else {
             showCursor();
         }
     }, []);
+    useEffect(() => () => leaveAltScreen(), [leaveAltScreen]);
     const handleResultsExit = useCallback(() => {
         if (state.phase === "results") {
             process.exitCode = scanExitCode(state.result.action, config.mode);
@@ -139,12 +103,7 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
             case "error":
                 return _jsx(ErrorView, { error: state.error });
             case "free_cap_reached": {
-                let hasKey = false;
-                try {
-                    hasKey = !!getStoredApiKey();
-                }
-                catch { /* ignore — best-effort */ }
-                return (_jsxs(Box, { flexDirection: "column", paddingLeft: 2, children: [hasKey ? (_jsxs(_Fragment, { children: [_jsx(Text, { color: "yellow", bold: true, children: "Your session expired." }), _jsx(Text, { children: " " }), _jsxs(Text, { children: ["Run ", _jsx(Text, { color: "cyan", bold: true, children: "dg logout" }), " then ", _jsx(Text, { color: "cyan", bold: true, children: "dg login" }), " to re-authenticate."] })] })) : state.capReason === "prefix_cap" ? (_jsxs(_Fragment, { children: [_jsx(Text, { color: "yellow", bold: true, children: "Too many anonymous devices from your network this month." }), _jsxs(Text, { children: ["Sign in with ", _jsx(Text, { color: "cyan", bold: true, children: "dg login" }), " to keep scanning."] })] })) : (_jsxs(_Fragment, { children: [_jsxs(Text, { color: "yellow", bold: true, children: ["Free monthly limit reached (", state.scansUsed.toLocaleString(), "/", state.maxScans.toLocaleString(), " packages)."] }), formatResetDate(state.resetsAt) ? _jsxs(Text, { dimColor: true, children: ["Resets ", formatResetDate(state.resetsAt), "."] }) : null, _jsxs(Text, { children: ["Upgrade to Pro with ", _jsx(Text, { color: "cyan", bold: true, children: "dg upgrade" }), " for 250k packages/month."] })] })), _jsx(Text, { children: " " }), _jsx(Text, { dimColor: true, children: "[q] quit" })] }));
+                return (_jsxs(Box, { flexDirection: "column", paddingLeft: 2, children: [state.capReason === "prefix_cap" ? (_jsxs(_Fragment, { children: [_jsx(Text, { color: "yellow", bold: true, children: "Too many anonymous devices from your network this month." }), _jsxs(Text, { children: ["Sign in with ", _jsx(Text, { color: "cyan", bold: true, children: "dg login" }), " to keep scanning."] })] })) : (_jsxs(_Fragment, { children: [_jsxs(Text, { color: "yellow", bold: true, children: ["Free monthly limit reached (", state.scansUsed.toLocaleString(), "/", state.maxScans.toLocaleString(), " packages)."] }), formatResetDate(state.resetsAt) ? _jsxs(Text, { dimColor: true, children: ["Resets ", formatResetDate(state.resetsAt), "."] }) : null, _jsxs(Text, { children: ["Upgrade to Pro at ", _jsx(Text, { color: "cyan", bold: true, children: "westbayberry.com/pricing" }), " for 250k packages/month."] })] })), _jsx(Text, { children: " " }), _jsx(Text, { dimColor: true, children: "[q] quit" })] }));
             }
         }
     })();
@@ -153,5 +112,8 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
     // actually needs to read.
     const showBanner = state.phase === "selecting" &&
         setupIssues.length > 0;
-    return (_jsxs(Box, { flexDirection: "column", children: [showBanner ? _jsx(SetupBanner, { issues: setupIssues }) : null, content] }));
+    // Results fill the terminal height exactly; an extra line there overflows the alt screen.
+    const showUpdateLine = updateAvailable !== undefined &&
+        (state.phase === "selecting" || state.phase === "scanning");
+    return (_jsxs(Box, { flexDirection: "column", children: [showBanner ? _jsx(SetupBanner, { issues: setupIssues }) : null, content, showUpdateLine ? _jsx(Box, { paddingLeft: 1, children: _jsx(Text, { dimColor: true, children: updateAvailable }) }) : null] }));
 };