@westbayberry/dg 2.0.8 → 2.0.11

package/README.md

@@ -2,7 +2,7 @@
 
 Dependency Guardian's command-line scanner. It checks the packages you are
 about to install or publish and tells you whether Dependency Guardian
-verified them, flagged them, or blocked them — before they reach your machine.
+verified them, flagged them, or blocked them before they reach your machine.
 
 ## Install
 
@@ -29,7 +29,7 @@ the project, 2 means DG blocked it.
 ## Core concepts
 
 **Verdicts.** Every result is one of three states: **PASS** (DG verified),
-**WARN** (DG flagged — review advised), or **BLOCK** (DG blocked — do not
+**WARN** (DG flagged, review advised), or **BLOCK** (DG blocked, do not
 install). The exit code follows the verdict.
 
 **The server is the verdict source.** For authenticated registry checks and the
@@ -91,7 +91,7 @@ dg guard-commit install
 ### dg scan [path]
 
 Scans package manifests and supported lockfiles for the project at `path` (the
-current directory by default). Reads manifests only — it never runs package
+current directory by default). Reads manifests only; it never runs package
 scripts, installs dependencies, loads project-local config, or changes setup
 state.
 
@@ -118,8 +118,8 @@ Two paths, one exit-code contract.
 
 ### dg audit [path]
 
-Inspects exactly the resolved publish set of one package — never the whole
-repo — for leaked secrets, private keys, source-control and build-artifact
+Inspects exactly the resolved publish set of one package, never the whole
+repo, for leaked secrets, private keys, source-control and build-artifact
 leakage, and suspicious lifecycle-script strings. Basic checks run 100% locally
 and upload nothing. On a paid plan, with org policy allowing it and only after
 explicit consent, the deep audit uploads a packed copy of an npm package to the
@@ -184,7 +184,7 @@ Installs a per-repo, reversible git pre-commit hook that scans staged changes.
 Explicit, reversible service mode: `dg service start | stop | restart | status
 | doctor | uninstall`, plus consent-gated `dg service trust install |
 uninstall`. Trust records store only public certificate fingerprints, provider,
-target, and timestamps — never private keys. `dg service status`/`doctor`
+target, and timestamps, never private keys. `dg service status`/`doctor`
 detect stale runtime state and `dg service restart` clears it.
 
 ### dg login / dg logout
@@ -233,18 +233,23 @@ set`.
 Project-local allowlists never suppress an install firewall block unless
 user-global or org policy explicitly trusts them.
 
+Telemetry is disabled by default. When enabled, the CLI appends command and
+install-decision events to a local `telemetry.jsonl` file in the dg state
+directory, limited to a fixed attribute allowlist. Nothing is transmitted
+anywhere; the file never leaves your machine.
+
 ### Environment variables
 
-- `DG_API_TOKEN` — auth token; overrides the token stored in the config file.
-- `DG_PRIVATE_REGISTRY_HOSTS` — comma-separated hosts whose URL-fallback
+- `DG_API_TOKEN`: auth token; overrides the token stored in the config file.
+- `DG_PRIVATE_REGISTRY_HOSTS`: comma-separated hosts whose URL-fallback
   artifacts are eligible for private-registry scan upload.
-- `DG_SCAN_TARBALL_UPLOAD` — set to `1` to enable private-registry artifact
+- `DG_SCAN_TARBALL_UPLOAD`: set to `1` to enable private-registry artifact
   upload to `/v1/scan-tarball` (requires `DG_API_TOKEN`).
-- `DG_SERVICE_TRUST_STORE_BACKEND` / `DG_SERVICE_TRUST_STORE_DIR` — for
+- `DG_SERVICE_TRUST_STORE_BACKEND` / `DG_SERVICE_TRUST_STORE_DIR`: for
   CI/Docker, set the backend to `file` and a directory to copy the active
   public CA certificate into an image-local trust directory without touching
   the host OS trust store.
-- `NO_COLOR` / `FORCE_COLOR` — disable or force ANSI color output.
+- `NO_COLOR` / `FORCE_COLOR`: disable or force ANSI color output.
 
 ## Exit codes
 
@@ -272,7 +277,7 @@ Per-command specifics:
 
 ## Troubleshooting
 
-Run `dg doctor` first — it reports Node version, package health, config
+Run `dg doctor` first; it reports Node version, package health, config
 readability, shim/PATH state, and which optional gates are unavailable.
 
 - "Scanner unavailable" / `scannerUnavailable` in JSON: the API was

package/dist/api/analyze.js

@@ -1,7 +1,7 @@
 import { randomUUID } from "node:crypto";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
-import { readAuthState } from "../auth/store.js";
+import { readAuthStateOrWarn } from "../auth/store.js";
 import { envAuthToken } from "../auth/env-token.js";
 import { loadUserConfig } from "../config/settings.js";
 import { sanitize, sanitizeResponse } from "../security/sanitize.js";
@@ -10,12 +10,81 @@ import { dgVersion } from "../commands/version.js";
 export class AnalyzeError extends Error {
     statusCode;
     body;
-    constructor(message, statusCode, body) {
+    code;
+    scansUsed;
+    scansLimit;
+    constructor(message, statusCode, body, code) {
         super(message);
         this.statusCode = statusCode;
         this.body = body;
         this.name = "AnalyzeError";
+        const quota = quotaBodyFields(body);
+        if (quota?.scansUsed !== undefined) {
+            this.scansUsed = quota.scansUsed;
+        }
+        if (quota?.scansLimit !== undefined) {
+            this.scansLimit = quota.scansLimit;
+        }
+        this.code = code ?? classifyAnalyzeError(statusCode, body, quota !== undefined);
+    }
+}
+function quotaBodyFields(body) {
+    if (!body || typeof body !== "object") {
+        return undefined;
+    }
+    const candidate = body;
+    const quotaShaped = candidate.code === "quota_exceeded"
+        || candidate.reason === "monthly_limit"
+        || candidate.reason === "prefix_cap"
+        || typeof candidate.scansUsed === "number"
+        || typeof candidate.scansLimit === "number"
+        || typeof candidate.maxScans === "number";
+    if (!quotaShaped) {
+        return undefined;
+    }
+    const limit = typeof candidate.scansLimit === "number"
+        ? candidate.scansLimit
+        : typeof candidate.maxScans === "number"
+            ? candidate.maxScans
+            : undefined;
+    return {
+        ...(typeof candidate.scansUsed === "number" ? { scansUsed: candidate.scansUsed } : {}),
+        ...(limit !== undefined ? { scansLimit: limit } : {})
+    };
+}
+function classifyAnalyzeError(statusCode, body, quotaShaped) {
+    const bodyCode = body && typeof body === "object" ? body.code : undefined;
+    if (bodyCode === "rate_limited") {
+        return "rate_limited";
+    }
+    if (statusCode === 402 || (quotaShaped && (statusCode === 403 || statusCode === 429))) {
+        return "quota_exceeded";
+    }
+    if (statusCode === 429) {
+        return "rate_limited";
+    }
+    if (statusCode === 401 || statusCode === 403) {
+        return "auth";
+    }
+    if (statusCode === 0) {
+        return "network";
     }
+    return "server";
+}
+export function scannerErrorFromUnknown(error) {
+    if (error instanceof AnalyzeError) {
+        return {
+            kind: error.code,
+            message: error.message,
+            statusCode: error.statusCode,
+            ...(error.scansUsed !== undefined ? { scansUsed: error.scansUsed } : {}),
+            ...(error.scansLimit !== undefined ? { scansLimit: error.scansLimit } : {})
+        };
+    }
+    return {
+        kind: "worker",
+        message: error instanceof Error ? error.message : String(error)
+    };
 }
 const ANALYZE_PATHS = {
     npm: "/v1/analyze",
@@ -26,12 +95,16 @@ const DEFAULT_TIMEOUT_MS = 180_000;
 const BATCH_CONCURRENCY = Math.max(1, Number(process.env.DG_ANALYZE_CONCURRENCY) || 4);
 export async function analyzePackages(packages, options) {
     const env = options.env ?? process.env;
-    const fetchImpl = options.fetchImpl ?? fetch;
     const baseUrl = resolveApiBaseUrl(env);
-    const token = resolveToken(env);
-    const deviceId = getOrCreateDeviceId(env);
-    const url = `${baseUrl}${ANALYZE_PATHS[options.ecosystem]}`;
-    const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const context = {
+        url: `${baseUrl}${ANALYZE_PATHS[options.ecosystem]}`,
+        token: resolveToken(env),
+        deviceId: getOrCreateDeviceId(env),
+        scanId: options.scanId ?? randomUUID(),
+        fetchImpl: options.fetchImpl ?? fetch,
+        timeoutMs: options.timeoutMs ?? DEFAULT_TIMEOUT_MS,
+        ...(options.signal ? { signal: options.signal } : {})
+    };
     const total = packages.length;
     const batches = [];
     for (let index = 0; index < packages.length; index += BATCH_SIZE) {
@@ -52,7 +125,7 @@ export async function analyzePackages(packages, options) {
             const batch = batches[i];
             if (!batch)
                 continue;
-            const response = await analyzeBatchWithRetry(url, batch, token, deviceId, fetchImpl, timeoutMs, (batchDone) => {
+            const response = await analyzeBatchWithRetry(context, batch, (batchDone) => {
                 perBatchDone[i] = Math.min(batchDone, batch.length);
                 reportProgress();
             });
@@ -67,21 +140,21 @@ export async function analyzePackages(packages, options) {
     return mergeAnalyzeResponses(responses);
 }
 const MAX_BATCH_ATTEMPTS = 3;
-async function analyzeBatchWithRetry(url, batch, token, deviceId, fetchImpl, timeoutMs, onBatchProgress) {
+async function analyzeBatchWithRetry(context, batch, onBatchProgress) {
     let lastError;
     for (let attempt = 1; attempt <= MAX_BATCH_ATTEMPTS; attempt += 1) {
         try {
-            return await analyzeBatch(url, batch, token, deviceId, fetchImpl, timeoutMs, onBatchProgress);
+            return await analyzeBatch(context, batch, onBatchProgress);
         }
         catch (error) {
             lastError = error;
-            if (attempt === MAX_BATCH_ATTEMPTS || !isRetryableAnalyzeError(error)) {
+            if (context.signal?.aborted || attempt === MAX_BATCH_ATTEMPTS || !isRetryableAnalyzeError(error)) {
                 break;
             }
             await delay(300 * attempt);
         }
     }
-    if (lastError instanceof AnalyzeError) {
+    if (context.signal?.aborted || lastError instanceof AnalyzeError) {
         throw lastError;
     }
     if (isNetworkFailure(lastError)) {
@@ -104,9 +177,24 @@ function isRetryableAnalyzeError(error) {
 function delay(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
-async function analyzeBatch(url, batch, token, deviceId, fetchImpl, timeoutMs, onBatchProgress) {
+async function analyzeBatch(context, batch, onBatchProgress) {
+    const { url, token, deviceId, scanId, fetchImpl, timeoutMs, signal } = context;
     const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    let timedOut = false;
+    let silenceTimer;
+    const armSilenceTimer = () => {
+        clearTimeout(silenceTimer);
+        silenceTimer = setTimeout(() => {
+            timedOut = true;
+            controller.abort();
+        }, timeoutMs);
+    };
+    const forwardAbort = () => controller.abort();
+    signal?.addEventListener("abort", forwardAbort, { once: true });
+    if (signal?.aborted) {
+        controller.abort();
+    }
+    armSilenceTimer();
     try {
         const response = await fetchImpl(url, {
             method: "POST",
@@ -114,6 +202,7 @@ async function analyzeBatch(url, batch, token, deviceId, fetchImpl, timeoutMs, o
                 "Content-Type": "application/json",
                 "Accept": "application/x-ndjson",
                 "X-Device-Id": deviceId,
+                "X-Scan-Id": scanId,
                 "X-Dg-Version": dgVersion(),
                 ...(token ? { Authorization: `Bearer ${token}` } : {})
             },
@@ -122,31 +211,49 @@ async function analyzeBatch(url, batch, token, deviceId, fetchImpl, timeoutMs, o
             }),
             signal: controller.signal
         });
+        armSilenceTimer();
         if (!response.ok) {
             const body = await response.json().catch(() => undefined);
-            const serverMessage = body && typeof body === "object" && "error" in body && typeof body.error === "string"
-                ? sanitize(body.error)
-                : `scanner returned ${response.status}`;
-            throw new AnalyzeError(serverMessage, response.status, body);
+            throw analyzeErrorFromResponse(response.status, body);
         }
         const headers = response.headers;
         const contentType = headers?.get("content-type") ?? "";
         if (contentType.includes("application/x-ndjson") && response.body) {
-            return await consumeAnalyzeStream(response.body, onBatchProgress);
+            return await consumeAnalyzeStream(response.body, onBatchProgress, armSilenceTimer);
         }
-        return normalizeAnalyzeResponse(await response.json());
+        const payload = await response.json().catch(() => {
+            throw new AnalyzeError("scanner returned an unreadable response", response.status, undefined, "invalid_response");
+        });
+        return normalizeAnalyzeResponse(payload);
     }
     catch (error) {
-        if (error instanceof Error && error.name === "AbortError") {
-            throw new AnalyzeError(`scanner did not respond within ${timeoutMs}ms`, 0);
+        if (timedOut && error instanceof Error && error.name === "AbortError") {
+            throw new AnalyzeError(`scanner sent no data for ${timeoutMs}ms — scan timed out`, 0, undefined, "timeout");
         }
         throw error;
     }
     finally {
-        clearTimeout(timeout);
+        clearTimeout(silenceTimer);
+        signal?.removeEventListener("abort", forwardAbort);
     }
 }
-async function consumeAnalyzeStream(body, onBatchProgress) {
+function analyzeErrorFromResponse(status, body) {
+    const serverMessage = body && typeof body === "object" && "error" in body && typeof body.error === "string"
+        ? sanitize(body.error)
+        : undefined;
+    const probe = new AnalyzeError(serverMessage ?? `scanner returned ${status}`, status, body);
+    if (serverMessage) {
+        return probe;
+    }
+    if (probe.code === "quota_exceeded") {
+        return new AnalyzeError("scan limit reached", status, body);
+    }
+    if (probe.code === "rate_limited") {
+        return new AnalyzeError("scanner rate limit reached — wait a moment and retry", status, body);
+    }
+    return probe;
+}
+async function consumeAnalyzeStream(body, onBatchProgress, onActivity) {
     const reader = body.getReader();
     const decoder = new TextDecoder();
     let buffer = "";
@@ -177,6 +284,7 @@ async function consumeAnalyzeStream(body, onBatchProgress) {
             const { done, value } = await reader.read();
             if (done)
                 break;
+            onActivity();
             buffer += decoder.decode(value, { stream: true });
             let newline;
             while ((newline = buffer.indexOf("\n")) >= 0) {
@@ -255,14 +363,14 @@ export function mergeAnalyzeResponses(responses) {
     }));
 }
 function resolveApiBaseUrl(env) {
-    const auth = readAuthStateSafe(env);
+    const auth = readAuthStateOrWarn(env);
     if (auth?.apiBaseUrl) {
         return auth.apiBaseUrl;
     }
     return loadUserConfig(env).api.baseUrl;
 }
 function resolveToken(env) {
-    return envAuthToken(env) ?? readAuthStateSafe(env)?.token;
+    return envAuthToken(env) ?? readAuthStateOrWarn(env)?.token;
 }
 export function identityHeaders(env) {
     const headers = { "X-Device-Id": getOrCreateDeviceId(env) };
@@ -272,14 +380,6 @@ export function identityHeaders(env) {
     }
     return headers;
 }
-function readAuthStateSafe(env) {
-    try {
-        return readAuthState(env);
-    }
-    catch {
-        return undefined;
-    }
-}
 function getOrCreateDeviceId(env) {
     const path = join(resolveDgPaths(env).stateDir, "device-id");
     try {

package/dist/audit-ui/export.js

@@ -33,14 +33,13 @@ function buildMd(input) {
         `**Verdict:** ${input.action.toUpperCase()}  ·  ${input.ecosystem}`,
         `**Files:** ${input.fileCount}  ·  ${countSummaryLine(input.findings)}`,
         input.publishSetSource === "fallback" ? "**Publish set approximated**" : "",
-        `**Deep behavioral scan:** ${deepSummary(input.deep)}`,
-        ""
+        `**Deep behavioral scan:** ${deepSummary(input.deep)}`
     ].filter((line, index) => line !== "" || index === 1);
     if (input.findings.length === 0) {
-        lines.push("> No findings — the publish set is clean.", "");
+        lines.push("", "> No findings — the publish set is clean.", "");
         return `${lines.join("\n")}\n`;
     }
-    lines.push("| Severity | Location | Title | Evidence | Recommendation |", "|---|---|---|---|---|");
+    lines.push("", "| Severity | Location | Title | Evidence | Recommendation |", "|---|---|---|---|---|");
     for (const finding of input.findings) {
         const kind = severityKind(finding.severity);
         const sev = kind === "block" ? "BLOCK" : kind === "warn" ? "WARN" : "NOTE";

package/dist/auth/device-login.js

@@ -12,7 +12,8 @@ export function resolveWebBase(env) {
     if (override) {
         try {
             const url = new URL(override);
-            if (url.protocol === "https:" || url.hostname === "localhost" || url.hostname === "127.0.0.1") {
+            const localhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
+            if (url.protocol === "https:" || (url.protocol === "http:" && localhost)) {
                 return override.replace(/\/$/, "");
             }
         }
@@ -169,7 +170,7 @@ function waitForEnter() {
         closeSync(tty);
     }
 }
-export async function fetchAccountTier(token, env, fetchImpl) {
+export async function fetchAccountStatus(token, env, fetchImpl, timeoutMs = 5_000) {
     let apiBase;
     try {
         apiBase = loadUserConfig(env).api.baseUrl.replace(/\/$/, "");
@@ -178,7 +179,7 @@ export async function fetchAccountTier(token, env, fetchImpl) {
         return null;
     }
     const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), 5_000);
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
     try {
         const response = await fetchImpl(`${apiBase}/v1/auth/status`, {
             headers: { Authorization: `Bearer ${token}` },
@@ -188,10 +189,11 @@ export async function fetchAccountTier(token, env, fetchImpl) {
             return null;
         }
         const body = (await response.json());
-        if (typeof body.tier !== "string" || body.tier.length === 0) {
-            return null;
-        }
-        return body.tier.toLowerCase();
+        return {
+            tier: typeof body.tier === "string" && body.tier.length > 0 ? body.tier.toLowerCase() : null,
+            scansUsed: typeof body.scansUsed === "number" && Number.isFinite(body.scansUsed) ? body.scansUsed : null,
+            scansLimit: typeof body.scansLimit === "number" && Number.isFinite(body.scansLimit) ? body.scansLimit : null
+        };
     }
     catch {
         return null;
@@ -200,6 +202,9 @@ export async function fetchAccountTier(token, env, fetchImpl) {
         clearTimeout(timer);
     }
 }
+export async function fetchAccountTier(token, env, fetchImpl) {
+    return (await fetchAccountStatus(token, env, fetchImpl))?.tier ?? null;
+}
 export async function runDeviceLogin(io = {}) {
     const env = io.env ?? process.env;
     const fetchImpl = io.fetchImpl ?? fetch;
@@ -254,8 +259,7 @@ export async function maybeDeviceLogin(args) {
     if (args[0] !== "login") {
         return { handled: false, result: noop };
     }
-    const rest = args.slice(1);
-    if (rest.some((arg) => arg === "--token" || arg.startsWith("--token=") || arg === "--help" || arg === "-h")) {
+    if (args.length > 1) {
         return { handled: false, result: noop };
     }
     if (!process.stdin.isTTY || !process.stderr.isTTY) {

package/dist/auth/store.js

@@ -1,7 +1,7 @@
 import { existsSync, mkdirSync, readFileSync, renameSync, rmSync, unlinkSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import { dirname, join } from "node:path";
-import { loadUserConfig, saveUserConfig } from "../config/settings.js";
+import { loadUserConfig, saveUserConfig, withUserConfigLock } from "../config/settings.js";
 import { resolveDgPaths } from "../state/index.js";
 import { envAuthToken } from "./env-token.js";
 export class AuthError extends Error {
@@ -41,38 +41,55 @@ export function readAuthState(env = process.env) {
         throw new AuthError(`Malformed dg auth state at ${path}: ${error instanceof Error ? error.message : "unknown error"}`);
     }
 }
+const warnedAuthPaths = new Set();
+export function readAuthStateOrWarn(env = process.env, options = {}) {
+    try {
+        return readAuthState(env);
+    }
+    catch {
+        const path = authPath(resolveDgPaths(env));
+        if (!warnedAuthPaths.has(path)) {
+            warnedAuthPaths.add(path);
+            const stderr = options.stderr ?? process.stderr;
+            stderr.write(`dg: auth state at ${path} is unreadable; continuing without your account. Run 'dg login' to repair it.\n`);
+        }
+        return undefined;
+    }
+}
 export function writeAuthState(options, env = process.env) {
     const token = options.token.trim();
     if (token.length < 8) {
         throw new AuthError("token must be at least 8 characters");
     }
-    const config = loadUserConfig(env);
-    const apiBaseUrl = options.apiBaseUrl ?? config.api.baseUrl;
-    const orgId = options.orgId ?? config.org.id;
     const email = typeof options.email === "string" && options.email.length > 0 ? options.email : undefined;
     const tier = typeof options.tier === "string" && options.tier.length > 0 ? options.tier : undefined;
-    const state = {
-        version: 1,
-        token,
-        tokenPreview: redactToken(token),
-        apiBaseUrl,
-        orgId,
-        loggedInAt: (options.now ?? new Date()).toISOString(),
-        ...(email ? { email } : {}),
-        ...(tier ? { tier } : {})
-    };
-    const paths = resolveDgPaths(env);
-    writeJsonAtomic(authPath(paths), state);
-    saveUserConfig({
-        ...config,
-        api: {
-            baseUrl: apiBaseUrl
-        },
-        org: {
-            id: orgId
-        }
-    }, env);
-    return state;
+    return withUserConfigLock(env, () => {
+        const config = loadUserConfig(env);
+        const apiBaseUrl = options.apiBaseUrl ?? config.api.baseUrl;
+        const orgId = options.orgId ?? config.org.id;
+        const state = {
+            version: 1,
+            token,
+            tokenPreview: redactToken(token),
+            apiBaseUrl,
+            orgId,
+            loggedInAt: (options.now ?? new Date()).toISOString(),
+            ...(email ? { email } : {}),
+            ...(tier ? { tier } : {})
+        };
+        const paths = resolveDgPaths(env);
+        writeJsonAtomic(authPath(paths), state);
+        saveUserConfig({
+            ...config,
+            api: {
+                baseUrl: apiBaseUrl
+            },
+            org: {
+                id: orgId
+            }
+        }, env);
+        return state;
+    });
 }
 export function clearAuthState(env = process.env) {
     const path = authPath(resolveDgPaths(env));

package/dist/bin/dg.js

@@ -31,6 +31,11 @@ const { maybeShowFirstRun } = await import("../runtime/first-run.js");
 const { maybePreflightInstallPrompt } = await import("../launcher/preflight-prompt.js");
 const args = process.argv.slice(2);
 maybeShowFirstRun(args);
+import("../state/index.js")
+    .then(({ pruneDeadSessionsSync, resolveDgPaths }) => {
+    pruneDeadSessionsSync(resolveDgPaths());
+})
+    .catch(() => { });
 const { maybeDeviceLogin } = await import("../auth/device-login.js");
 const { maybeVerifyPackage } = await import("../verify/package-check.js");
 const { maybeAudit } = await import("../commands/audit.js");

package/dist/commands/audit.js

@@ -1,6 +1,6 @@
 import { existsSync, readFileSync, statSync, writeFileSync } from "node:fs";
 import { basename, dirname, resolve } from "node:path";
-import { EXIT_TOOL_ERROR, EXIT_USAGE } from "./types.js";
+import { EXIT_TOOL_ERROR, EXIT_USAGE_VERDICT } from "./types.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { createTheme } from "../presentation/theme.js";
 import { actionForFindings, detectFindings, findingLocation } from "../audit/detectors.js";
@@ -30,7 +30,7 @@ export const auditCommand = {
     examples: ["dg audit", "dg audit ./packages/api", "dg audit --json", "dg audit --local"],
     details: [
         "Audits exactly what you're about to publish — the resolved publish set of one package, never the whole repo.",
-        "Basic checks run 100% locally and never upload anything. If you're on a paid plan (and your org allows it), it also runs a deep behavioral scan of your package on the scanner; raw bytes are never retained. Exit codes: 0 clean (warn counts as clean under the default --fail-on block), 1 warn with --fail-on warn, 2 block, 3 deep audit required but unavailable (--require-deep), 4 analysis incomplete."
+        "Basic checks run 100% locally and never upload anything. If you're on a paid plan (and your org allows it), it also runs a deep behavioral scan of your package on the scanner; raw bytes are never retained. Exit codes: 0 clean (warn counts as clean under the default --fail-on block), 1 warn with --fail-on warn, 2 block, 3 deep audit required but unavailable (--require-deep), 4 analysis incomplete, 64 usage error."
     ],
     handler: (context) => runAuditCommand(context.args)
 };
@@ -82,7 +82,7 @@ function finalize(gathered, deep) {
     return { exitCode: exitCodeFor(report, parsed), stdout: rendered, stderr: "" };
 }
 function gatherError(gathered) {
-    return gathered.usage ? usageError(gathered.error) : { exitCode: EXIT_USAGE, stdout: "", stderr: `dg audit: ${gathered.error}.\n` };
+    return gathered.usage ? usageError(gathered.error) : { exitCode: EXIT_USAGE_VERDICT, stdout: "", stderr: `dg audit: ${gathered.error}.\n` };
 }
 function runAuditCommand(args) {
     const gathered = gather(args);
@@ -327,6 +327,13 @@ function parseAuditArgs(args) {
             failOn = next;
             index += 1;
         }
+        else if (arg.startsWith("--fail-on=")) {
+            const value = arg.slice("--fail-on=".length);
+            if (value !== "warn" && value !== "block") {
+                return { error: "--fail-on requires 'warn' or 'block'" };
+            }
+            failOn = value;
+        }
         else if (arg.startsWith("-")) {
             return { error: `unknown option '${arg}'` };
         }
@@ -338,6 +345,9 @@ function parseAuditArgs(args) {
             sawTarget = true;
         }
     }
+    if (local && requireDeep) {
+        return { error: "--local skips the deep audit, so it cannot be combined with --require-deep" };
+    }
     return { target, format, outputPath, local, requireDeep, failOn };
 }
 export function displayTarget(root) {
@@ -355,7 +365,7 @@ function safeReadJson(path) {
 }
 function usageError(message) {
     return {
-        exitCode: EXIT_USAGE,
+        exitCode: EXIT_USAGE_VERDICT,
         stdout: "",
         stderr: `dg audit: ${message}. Usage: ${auditCommand.usage}\n`
     };

package/dist/commands/config.js

@@ -1,5 +1,5 @@
 import { EXIT_USAGE } from "./types.js";
-import { ConfigError, getConfigValue, isConfigKey, listConfig, loadUserConfig, saveUserConfig, setConfigValue, unsetConfigValue } from "../config/settings.js";
+import { ConfigError, getConfigValue, isConfigKey, listConfig, loadUserConfig, setConfigValue, unsetConfigValue, updateUserConfig } from "../config/settings.js";
 export const configCommand = {
     name: "config",
     summary: "Inspect or edit trusted dg configuration.",
@@ -54,8 +54,7 @@ function configHandler(args) {
             if (value === undefined) {
                 return usageError("set requires a value");
             }
-            const next = setConfigValue(config, key, value);
-            saveUserConfig(next);
+            const next = updateUserConfig((current) => setConfigValue(current, key, value));
             return {
                 exitCode: 0,
                 stdout: `${key}=${getConfigValue(next, key)}\n`,
@@ -66,8 +65,7 @@ function configHandler(args) {
             if (value) {
                 return usageError("unset accepts only a key");
             }
-            const next = unsetConfigValue(config, key);
-            saveUserConfig(next);
+            const next = updateUserConfig((current) => unsetConfigValue(current, key));
             return {
                 exitCode: 0,
                 stdout: `${key}=${getConfigValue(next, key)}\n`,

package/dist/commands/doctor.js

@@ -1,5 +1,5 @@
 import { EXIT_USAGE } from "./types.js";
-import { doctorReport, renderDoctorReport } from "../setup/plan.js";
+import { doctorReportWithRemote, renderDoctorReport } from "../setup/plan.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { createTheme } from "../presentation/theme.js";
 export const doctorCommand = {
@@ -17,7 +17,7 @@ export const doctorCommand = {
     ],
     handler: (context) => doctorHandler(context.args)
 };
-function doctorHandler(args) {
+async function doctorHandler(args) {
     const json = args.includes("--json");
     const verbose = args.includes("--verbose") || args.includes("-v");
     const unknown = args.find((arg) => arg !== "--json" && arg !== "--verbose" && arg !== "-v");
@@ -28,7 +28,7 @@ function doctorHandler(args) {
             stderr: `dg doctor: unknown option '${unknown}'. Run 'dg doctor --help'.\n`
         };
     }
-    const report = doctorReport();
+    const report = await doctorReportWithRemote();
     const hasFailure = report.checks.some((check) => check.status === "fail");
     const theme = createTheme(resolvePresentation().color);
     return {