autoremediator 0.11.0 → 0.12.0

package/dist/{chunk-GYCZ6L3O.js → chunk-575GEUAY.js}

@@ -40,7 +40,14 @@ var OPTION_DESCRIPTIONS = {
   installPreferOffline: "Override prefer-offline flag behavior for install commands",
   enforceFrozenLockfile: "Override frozen lockfile behavior for install commands",
   workspace: "Workspace/package selector for scoped remediation in monorepos",
-  includeTransitive: "Include indirect/transitive dependencies in the outdated check. Default: false.",
+  createChangeRequest: "Enable creation of native pull request / merge request after remediation",
+  changeRequestProvider: "Change request provider (github|gitlab)",
+  changeRequestGrouping: "Grouping strategy for change requests (all|per-cve|per-package)",
+  changeRequestRepository: "Repository slug override for change request creation",
+  changeRequestBaseBranch: "Base branch used for change request targeting",
+  changeRequestBranchPrefix: "Branch prefix for generated change request branches",
+  changeRequestTitlePrefix: "Title prefix for generated change requests",
+  includeTransitive: "Include transitive dependencies in the outdated check. Default: false.",
   updateOutdated: "Run in update-outdated mode: bump all outdated npm packages without requiring a CVE.",
   kevMandatory: "If true, CVEs with active CISA KEV status bypass severity filtering and are treated as mandatory",
   epssThreshold: "EPSS probability threshold (0..1) above which a CVE is treated as mandatory regardless of severity",
@@ -104,6 +111,26 @@ function createRemediateOptionSchemaProperties(options) {
       type: "object",
       properties: createConstraintSchemaProperties()
     },
+    changeRequest: {
+      type: "object",
+      properties: {
+        enabled: { type: "boolean", description: OPTION_DESCRIPTIONS.createChangeRequest },
+        provider: {
+          type: "string",
+          enum: ["github", "gitlab"],
+          description: OPTION_DESCRIPTIONS.changeRequestProvider
+        },
+        grouping: {
+          type: "string",
+          enum: ["all", "per-cve", "per-package"],
+          description: OPTION_DESCRIPTIONS.changeRequestGrouping
+        },
+        repository: { type: "string", description: OPTION_DESCRIPTIONS.changeRequestRepository },
+        baseBranch: { type: "string", description: OPTION_DESCRIPTIONS.changeRequestBaseBranch },
+        branchPrefix: { type: "string", description: OPTION_DESCRIPTIONS.changeRequestBranchPrefix },
+        titlePrefix: { type: "string", description: OPTION_DESCRIPTIONS.changeRequestTitlePrefix }
+      }
+    },
     kevMandatory: { type: "boolean", description: OPTION_DESCRIPTIONS.kevMandatory },
     epssThreshold: { type: "number", minimum: 0, maximum: 1, description: OPTION_DESCRIPTIONS.epssThreshold },
     suppressionsFile: { type: "string", description: OPTION_DESCRIPTIONS.suppressionsFile },
@@ -152,7 +179,8 @@ function createScanReportSchemaProperties() {
     idempotencyKey: { type: "string" },
     llmUsageCount: { type: "number" },
     estimatedCostUsd: { type: "number" },
-    totalLlmLatencyMs: { type: "number" }
+    totalLlmLatencyMs: { type: "number" },
+    changeRequests: { type: "array", items: { type: "object" } }
   };
 }
 function createUpdateOutdatedOptionSchemaProperties() {
@@ -477,8 +505,13 @@ async function inspectPatchArtifact(patchFilePath, options = {}) {
   };
 }
 
-// src/remediation/tools/check-inventory.ts
+// src/remediation/tools/tool-compat.ts
 import { tool } from "ai";
+function defineTool(config) {
+  return tool(config);
+}
+
+// src/remediation/tools/check-inventory.ts
 import { z } from "zod";
 import { readFileSync as readFileSync3 } from "fs";
 import { join as join5 } from "path";
@@ -602,7 +635,7 @@ function checkSlaBreach(cveId, severity, publishedAt, slaPolicy) {
 }
 
 // src/remediation/tools/check-inventory.ts
-var checkInventoryTool = tool({
+var checkInventoryTool = defineTool({
   description: "Read the project's package.json and installed dependencies to list packages and exact versions. Must be called before checking version matches.",
   parameters: z.object({
     cwd: z.string().describe("Absolute path to the consumer project's root directory"),
@@ -643,7 +676,7 @@ var checkInventoryTool = tool({
       packages.push({
         name,
         version,
-        type: isDirect ? "direct" : "indirect"
+        type: isDirect ? "direct" : "transitive"
       });
     }
     if (packages.length === 0) {
@@ -1188,7 +1221,6 @@ async function enrichWithNvd(details) {
 }
 
 // src/remediation/tools/check-reachability.ts
-import { tool as tool2 } from "ai";
 import { z as z2 } from "zod";
 import { readdirSync, readFileSync as readFileSync5, statSync } from "fs";
 import { join as join7, extname } from "path";
@@ -1264,7 +1296,7 @@ function assessPackageReachability(cwd, packageName) {
     reason: `No import or require of '${packageName}' found in ${files.length} source file(s).`
   };
 }
-var checkReachabilityTool = tool2({
+var checkReachabilityTool = defineTool({
   description: "Assess whether an npm package is statically reachable (imported) from the project's source files. Returns reachable, not-reachable, or unknown.",
   parameters: z2.object({
     cwd: z2.string().describe("Project root directory"),
@@ -1276,7 +1308,6 @@ var checkReachabilityTool = tool2({
 });
 
 // src/remediation/tools/check-exploit-signal.ts
-import { tool as tool3 } from "ai";
 import { z as z3 } from "zod";
 var kevSchema = z3.object({
   knownExploited: z3.boolean(),
@@ -1294,7 +1325,7 @@ var exploitSignalPolicySchema = z3.object({
   kev: z3.object({ mandatory: z3.boolean() }).optional(),
   epss: z3.object({ mandatory: z3.boolean(), threshold: z3.number() }).optional()
 }).optional();
-var checkExploitSignalTool = tool3({
+var checkExploitSignalTool = defineTool({
   description: "Evaluate KEV and EPSS exploit signals for a CVE against policy thresholds. Returns whether the exploit signal overrides severity filtering (mandatory gate).",
   parameters: z3.object({
     cveDetails: z3.object({
@@ -1385,7 +1416,7 @@ function buildSbom(packages, vulnerableNames, results) {
     const entry = {
       name: pkg.name,
       version: pkg.version,
-      scope: pkg.type === "direct" ? "direct" : "indirect"
+      scope: pkg.type === "direct" ? "direct" : "transitive"
     };
     if (isVulnerable) {
       entry.status = statusByPackage.get(pkg.name) ?? "unpatched";
@@ -1579,8 +1610,8 @@ async function queryOutdatedPackages(cwd, options = {}) {
     const wantedVersion = entry.wanted ?? currentVersion;
     const latestVersion = entry.latest ?? currentVersion;
     if (!currentVersion || !latestVersion) continue;
-    const dependencyScope = directDeps.has(name) ? "direct" : "indirect";
-    if (!options.includeTransitive && dependencyScope === "indirect") continue;
+    const dependencyScope = directDeps.has(name) ? "direct" : "transitive";
+    if (!options.includeTransitive && dependencyScope === "transitive") continue;
     const isMajorBump = semver.valid(currentVersion) !== null && semver.valid(latestVersion) !== null && semver.major(latestVersion) > semver.major(currentVersion);
     result.set(name, {
       currentVersion,
@@ -1594,7 +1625,6 @@ async function queryOutdatedPackages(cwd, options = {}) {
 }
 
 // src/remediation/tools/apply-version-bump.ts
-import { tool as tool4 } from "ai";
 import { z as z4 } from "zod";
 import { join as join10 } from "path";
 import { readFileSync as readFileSync7, writeFileSync as writeFileSync3 } from "fs";
@@ -1641,7 +1671,7 @@ async function withRepoLock(cwd, fn, options) {
 }
 
 // src/remediation/tools/apply-version-bump.ts
-var applyVersionBumpTool = tool4({
+var applyVersionBumpTool = defineTool({
   description: "Update package.json to use the safe version of a vulnerable package and run the project's package manager install. In dry-run mode, only reports what would change.",
   parameters: z4.object({
     cwd: z4.string().describe("Absolute path to the consumer project root"),
@@ -1734,8 +1764,8 @@ var applyVersionBumpTool = tool4({
         fromVersion,
         applied: false,
         dryRun,
-        unresolvedReason: "indirect-dependency",
-        message: `"${packageName}" was not found in package.json dependencies (it may be a transitive dep). Cannot auto-bump.`
+        unresolvedReason: "transitive-dependency",
+        message: `"${packageName}" was not found in package.json dependencies (it may be a transitive dependency). Cannot auto-bump.`
       };
     }
     const currentRange = pkgJson[depField][packageName];
@@ -1835,7 +1865,6 @@ var applyVersionBumpTool = tool4({
 });
 
 // src/remediation/tools/apply-package-override/index.ts
-import { tool as tool5 } from "ai";
 import { z as z5 } from "zod";
 import { join as join11 } from "path";
 import { readFileSync as readFileSync8, writeFileSync as writeFileSync4 } from "fs";
@@ -1918,7 +1947,7 @@ function restoreRecord(record, key, previousValue) {
 }
 
 // src/remediation/tools/apply-package-override/index.ts
-var applyPackageOverrideTool = tool5({
+var applyPackageOverrideTool = defineTool({
   description: "Apply a package-manager-native package.json override for a vulnerable transitive dependency and reinstall. Uses npm overrides, pnpm.overrides, or yarn resolutions.",
   parameters: z5.object({
     cwd: z5.string().describe("Absolute path to the consumer project root"),
@@ -2092,7 +2121,7 @@ async function resolvePrimaryResult(params) {
   const { vulnerable, cwd, packageManager, dryRun, policy, runTests, constraints } = params;
   const pkg = vulnerable.installed;
   const firstPatchedVersion = vulnerable.affected.firstPatchedVersion;
-  if (pkg.type === "indirect") {
+  if (pkg.type === "transitive") {
     if (constraints.directDependenciesOnly) {
       return {
         steps: 0,
@@ -2103,7 +2132,7 @@ async function resolvePrimaryResult(params) {
           applied: false,
           dryRun,
           unresolvedReason: "constraint-blocked",
-          message: `Constraint blocked remediation for indirect dependency "${pkg.name}".`
+          message: `Constraint blocked remediation for transitive dependency "${pkg.name}".`
         }
       };
     }
@@ -2229,12 +2258,11 @@ async function resolvePrimaryResult(params) {
 }
 
 // src/remediation/tools/fetch-package-source.ts
-import { tool as tool6 } from "ai";
 import { z as z6 } from "zod";
 import { mkdir as mkdir2, readdir as readdir2, readFile as readFile3, rm as rm2 } from "fs/promises";
 import { join as join12 } from "path";
 import { execa as execa8 } from "execa";
-var fetchPackageSourceTool = tool6({
+var fetchPackageSourceTool = defineTool({
   description: "Download package tarball from npm and extract source files for CVE analysis. Supports custom file patterns (default: *.js, *.ts).",
   parameters: z6.object({
     packageName: z6.string().min(1).describe("The npm package name (e.g., 'lodash', '@scope/package')"),
@@ -2328,7 +2356,6 @@ var fetchPackageSourceTool = tool6({
 });
 
 // src/remediation/tools/generate-patch/index.ts
-import { tool as tool7 } from "ai";
 import { z as z7 } from "zod";
 import { generateText } from "ai";
 
@@ -2462,14 +2489,14 @@ function generateUnifiedDiff(original, fixed, filePath) {
 }
 
 // src/remediation/tools/generate-patch/index.ts
-var generatePatchTool = tool7({
+var generatePatchTool = defineTool({
   description: "Generate a unified diff patch for a CVE using LLM analysis of vulnerable source code.",
   parameters: z7.object({
     packageName: z7.string().min(1).describe("The npm package name"),
     vulnerableVersion: z7.string().describe("The vulnerable version string"),
     cveId: z7.string().regex(/^CVE-\d{4}-\d+$/i).describe("CVE ID (e.g., CVE-2021-23337)"),
     cveSummary: z7.string().min(10).describe("CVE description and impact"),
-    sourceFiles: z7.record(z7.string()).describe(
+    sourceFiles: z7.record(z7.string(), z7.string()).describe(
       "Map of file paths to source code contents from fetch-package-source"
     ),
     vulnerabilityCategory: z7.enum(["redos", "code-injection", "path-traversal", "unknown"]).optional().default("unknown").describe("Category of the vulnerability for better context"),
@@ -2531,7 +2558,7 @@ var generatePatchTool = tool7({
       }
       const inputChars = JSON.stringify(resolvedSourceFiles).length + cveSummary.length;
       const modelInstance = await createModel(effectiveOptions, { inputChars });
-      const modelName = modelInstance.modelId || "unknown-model";
+      const modelName = typeof modelInstance === "string" ? modelInstance : "modelId" in modelInstance && typeof modelInstance.modelId === "string" ? modelInstance.modelId : "unknown-model";
       const prompt = buildPatchPrompt({
         cveId,
         packageName,
@@ -2636,7 +2663,6 @@ var generatePatchTool = tool7({
 });
 
 // src/remediation/tools/apply-patch-file/index.ts
-import { tool as tool8 } from "ai";
 import { z as z8 } from "zod";
 import { mkdir as mkdir3, writeFile as writeFile2 } from "fs/promises";
 import { join as join14 } from "path";
@@ -2878,7 +2904,7 @@ function extractFailedTests(output) {
 }
 
 // src/remediation/tools/apply-patch-file/index.ts
-var applyPatchFileTool = tool8({
+var applyPatchFileTool = defineTool({
   description: "Write generated patch file and apply it using package-manager-native patch flow when available, falling back to patch-package when needed.",
   parameters: z8.object({
     packageName: z8.string().min(1).describe("The npm package name"),
@@ -3224,7 +3250,7 @@ function resolvePatchProvider(provider) {
 function shouldAttemptPatchFallback(result, preferVersionBump) {
   if (preferVersionBump) return false;
   if (result.applied || result.dryRun) return false;
-  return result.unresolvedReason === "no-safe-version" || result.unresolvedReason === "install-failed" || result.unresolvedReason === "override-apply-failed" || result.unresolvedReason === "validation-failed" || result.unresolvedReason === "major-bump-required" || result.unresolvedReason === "indirect-dependency";
+  return result.unresolvedReason === "no-safe-version" || result.unresolvedReason === "install-failed" || result.unresolvedReason === "override-apply-failed" || result.unresolvedReason === "validation-failed" || result.unresolvedReason === "major-bump-required" || result.unresolvedReason === "transitive-dependency";
 }
 async function tryLocalPatchFallback(params) {
   const usage = [];
@@ -3844,7 +3870,6 @@ function createProgressEmitter(options) {
 }
 
 // src/remediation/tools/lookup-cve.ts
-import { tool as tool9 } from "ai";
 import { z as z9 } from "zod";
 
 // src/intelligence/sources/cisa-kev.ts
@@ -4123,7 +4148,7 @@ async function enrichWithExternalFeeds(details) {
 }
 
 // src/remediation/tools/lookup-cve.ts
-var lookupCveTool = tool9({
+var lookupCveTool = defineTool({
   description: "Look up a CVE ID and return the list of affected npm packages, their vulnerable version ranges, and the first patched version. Always call this first.",
   parameters: z9.object({
     cveId: z9.string().regex(/^CVE-\d{4}-\d+$/i, "Must be a valid CVE ID like CVE-2021-23337")
@@ -4192,7 +4217,6 @@ var lookupCveTool = tool9({
 });
 
 // src/remediation/tools/check-version-match.ts
-import { tool as tool10 } from "ai";
 import { z as z10 } from "zod";
 import semver6 from "semver";
 var affectedPackageSchema = z10.object({
@@ -4205,9 +4229,9 @@ var affectedPackageSchema = z10.object({
 var inventoryPackageSchema = z10.object({
   name: z10.string(),
   version: z10.string(),
-  type: z10.enum(["direct", "indirect"])
+  type: z10.enum(["direct", "transitive"])
 });
-var checkVersionMatchTool = tool10({
+var checkVersionMatchTool = defineTool({
   description: "Check which of the project's installed packages fall within the CVE's vulnerable version ranges. Returns only the packages that are actually vulnerable.",
   parameters: z10.object({
     installedPackages: z10.array(inventoryPackageSchema).describe("Output from the check-inventory tool"),
@@ -4242,9 +4266,8 @@ var checkVersionMatchTool = tool10({
 });
 
 // src/remediation/tools/find-fixed-version.ts
-import { tool as tool11 } from "ai";
 import { z as z11 } from "zod";
-var findFixedVersionTool = tool11({
+var findFixedVersionTool = defineTool({
   description: "Query the npm registry to find the safest published upgrade version for a package that is >= the first patched version. Prefer patch upgrades first, then minor, and only fall back to major when no same-major fix exists.",
   parameters: z11.object({
     packageName: z11.string().describe("The npm package name"),
@@ -4290,7 +4313,6 @@ var findFixedVersionTool = tool11({
 });
 
 // src/remediation/tools/check-suppression.ts
-import { tool as tool12 } from "ai";
 import { z as z12 } from "zod";
 var suppressionSchema = z12.object({
   cveId: z12.string(),
@@ -4298,7 +4320,7 @@ var suppressionSchema = z12.object({
   notes: z12.string().optional(),
   expiresAt: z12.string().optional()
 });
-var checkSuppressionTool = tool12({
+var checkSuppressionTool = defineTool({
   description: "Check whether a CVE is suppressed by an active VEX suppression entry in the policy. Returns suppressed=true and the justification if an active match is found. Call this after check-version-match.",
   parameters: z12.object({
     cveId: z12.string().describe("The CVE ID to look up in suppressions"),
@@ -4413,7 +4435,7 @@ async function createPipelineRuntime(cveId, options) {
   const constraints = options.constraints ?? {};
   const prompt = `Patch vulnerable dependencies affected by ${cveId} in the project at: ${cwd}. Package manager: ${packageManager}.`;
   const model = await createModel(options, { inputChars: prompt.length });
-  const modelName = model.modelId ?? "unknown-model";
+  const modelName = typeof model === "string" ? model : "modelId" in model && typeof model.modelId === "string" ? model.modelId : "unknown-model";
   const systemPrompt = loadOrchestrationPrompt({
     cveId,
     cwd,
@@ -4465,7 +4487,7 @@ async function runRemediationPipeline(cveId, options = {}) {
     system: systemPrompt,
     prompt,
     tools,
-    maxSteps: 25,
+    stopWhen: ({ steps }) => steps.length >= 25,
     onStepFinish(stepResult) {
       agentSteps += 1;
       const toolResults = stepResult.toolResults ?? [];
@@ -4520,6 +4542,188 @@ async function runRemediationPipeline(cveId, options = {}) {
   };
 }
 
+// src/api/change-request/index.ts
+import { execa as execa11 } from "execa";
+function sanitizeBranchToken(value) {
+  return value.toLowerCase().replace(/[^a-z0-9._/-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 80);
+}
+function buildPlan(reports) {
+  const cveIds = Array.from(new Set(reports.map((report) => report.cveId)));
+  const packageNames = Array.from(
+    new Set(
+      reports.flatMap((report) => report.results.map((result) => result.packageName))
+    )
+  );
+  const titleSuffix = cveIds.length === 1 ? cveIds[0] : `${cveIds.length} CVEs`;
+  const title = `security remediation: ${titleSuffix}`;
+  const body = [
+    "Automated remediation generated by autoremediator.",
+    "",
+    `CVEs: ${cveIds.join(", ")}`,
+    `Packages: ${packageNames.join(", ")}`
+  ].join("\n");
+  return {
+    cveIds,
+    packageNames,
+    title,
+    body
+  };
+}
+function resolveProvider2(options) {
+  return options.provider ?? "github";
+}
+function resolveGrouping(options) {
+  if (options.grouping && options.grouping !== "all") {
+    throw new Error(
+      "changeRequest.grouping currently supports only 'all' for deterministic branch creation."
+    );
+  }
+  return "all";
+}
+async function detectCurrentBranch(cwd) {
+  const result = await execa11("git", ["rev-parse", "--abbrev-ref", "HEAD"], {
+    cwd,
+    stdio: "pipe"
+  });
+  return result.stdout.trim();
+}
+async function ensureRepoHasChanges(cwd) {
+  const diff = await execa11("git", ["status", "--porcelain"], {
+    cwd,
+    stdio: "pipe"
+  });
+  return diff.stdout.trim().length > 0;
+}
+function toBranchName(prefix, cveIds) {
+  const token = sanitizeBranchToken(cveIds.join("-") || "remediation");
+  return `${sanitizeBranchToken(prefix)}/${token}-${Date.now()}`;
+}
+async function createGitHubRequest(params) {
+  const args = ["pr", "create", "--head", params.head, "--base", params.base, "--title", params.title, "--body", params.body];
+  if (params.repository) {
+    args.push("--repo", params.repository);
+  }
+  if (params.draft) {
+    args.push("--draft");
+  }
+  const result = await execa11("gh", args, {
+    cwd: params.cwd,
+    stdio: "pipe"
+  });
+  return result.stdout.trim() || void 0;
+}
+async function createGitLabRequest(params) {
+  const args = [
+    "mr",
+    "create",
+    "--source-branch",
+    params.source,
+    "--target-branch",
+    params.target,
+    "--title",
+    params.title,
+    "--description",
+    params.body
+  ];
+  if (params.repository) {
+    args.push("-R", params.repository);
+  }
+  if (params.draft) {
+    args.push("--draft");
+  }
+  const result = await execa11("glab", args, {
+    cwd: params.cwd,
+    stdio: "pipe"
+  });
+  return result.stdout.trim() || void 0;
+}
+async function createChangeRequestsForReports(params) {
+  const { cwd, options, reports } = params;
+  const provider = resolveProvider2(options);
+  const grouping = resolveGrouping(options);
+  const plan = buildPlan(reports);
+  const titlePrefix = options.titlePrefix?.trim();
+  const title = titlePrefix ? `${titlePrefix} ${plan.title}` : plan.title;
+  const body = options.bodyFooter ? `${plan.body}
+
+${options.bodyFooter}` : plan.body;
+  try {
+    const hasChanges = await ensureRepoHasChanges(cwd);
+    if (!hasChanges) {
+      return [
+        {
+          provider,
+          grouping,
+          repository: options.repository,
+          branchName: "",
+          title,
+          body,
+          created: false,
+          cveIds: plan.cveIds,
+          packageNames: plan.packageNames,
+          error: "No repository changes to include in change request."
+        }
+      ];
+    }
+    const baseBranch = options.baseBranch ?? await detectCurrentBranch(cwd);
+    const branchPrefix = options.branchPrefix ?? "autoremediator";
+    const branchName = toBranchName(branchPrefix, plan.cveIds);
+    const pushRemote = options.pushRemote ?? "origin";
+    await execa11("git", ["checkout", "-b", branchName], { cwd, stdio: "pipe" });
+    await execa11("git", ["add", "-A"], { cwd, stdio: "pipe" });
+    await execa11("git", ["commit", "-m", title], { cwd, stdio: "pipe" });
+    await execa11("git", ["push", "-u", pushRemote, branchName], { cwd, stdio: "pipe" });
+    const url = provider === "github" ? await createGitHubRequest({
+      cwd,
+      repository: options.repository,
+      head: branchName,
+      base: baseBranch,
+      title,
+      body,
+      draft: options.draft
+    }) : await createGitLabRequest({
+      cwd,
+      repository: options.repository,
+      source: branchName,
+      target: baseBranch,
+      title,
+      body,
+      draft: options.draft
+    });
+    return [
+      {
+        provider,
+        grouping,
+        repository: options.repository,
+        branchName,
+        title,
+        body,
+        created: true,
+        draft: options.draft,
+        url,
+        cveIds: plan.cveIds,
+        packageNames: plan.packageNames
+      }
+    ];
+  } catch (error) {
+    return [
+      {
+        provider,
+        grouping,
+        repository: options.repository,
+        branchName: "",
+        title,
+        body,
+        created: false,
+        draft: options.draft,
+        cveIds: plan.cveIds,
+        packageNames: plan.packageNames,
+        error: error instanceof Error ? error.message : String(error)
+      }
+    ];
+  }
+}
+
 // src/api/context.ts
 function buildRequestId() {
   return `req-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
@@ -4752,12 +4956,24 @@ async function remediate(cveId, options = {}) {
     constraints,
     resumedFromCache: false
   };
+  if (options.changeRequest?.enabled) {
+    finalReport.changeRequests = await createChangeRequestsForReports({
+      cwd,
+      options: options.changeRequest,
+      reports: [finalReport]
+    });
+  }
   if (options.idempotencyKey && !options.dryRun && !options.preview) {
     storeIdempotentReport(cwd, options.idempotencyKey, normalizedCveId, finalReport);
   }
   return finalReport;
 }
 async function planRemediation(cveId, options = {}) {
+  if (Object.hasOwn(options, "dryRun") || Object.hasOwn(options, "preview")) {
+    throw new Error(
+      "planRemediation always runs with dryRun=true and preview=true. Remove dryRun/preview from options."
+    );
+  }
   return remediate(cveId, {
     ...options,
     preview: true,
@@ -4768,7 +4984,7 @@ async function planRemediation(cveId, options = {}) {
 // src/scanner/parse-input.ts
 import { extname as extname2 } from "path";
 import { readFileSync as readFileSync13 } from "fs";
-import { execa as execa11 } from "execa";
+import { execa as execa12 } from "execa";
 
 // src/scanner/adapters/npm-audit.ts
 import { readFileSync as readFileSync10 } from "fs";
@@ -4917,7 +5133,7 @@ async function parseScanInputFromAudit(params) {
   }
   const command = resolveAuditCommand(pm, { workspace: params.workspace });
   const [cmd, ...args] = command;
-  const result = await execa11(cmd, args, {
+  const result = await execa12(cmd, args, {
     cwd: params.cwd,
     stdio: "pipe",
     reject: false
@@ -5224,6 +5440,11 @@ async function remediateFromScan(inputPath, options = {}) {
   };
   finalizeEvidence(evidence);
   const evidenceFile = options.evidence === false ? void 0 : writeEvidenceLog(cwd, evidence);
+  const changeRequests = options.changeRequest?.enabled ? await createChangeRequestsForReports({
+    cwd,
+    options: options.changeRequest,
+    reports
+  }) : void 0;
   return {
     schemaVersion: "1.0",
     status,
@@ -5246,14 +5467,119 @@ async function remediateFromScan(inputPath, options = {}) {
     idempotencyKey: options.idempotencyKey,
     llmUsageCount: llmUsageTotals.llmUsageCount > 0 ? llmUsageTotals.llmUsageCount : void 0,
     estimatedCostUsd: llmUsageTotals.estimatedCostUsd,
-    totalLlmLatencyMs: llmUsageTotals.totalLlmLatencyMs
+    totalLlmLatencyMs: llmUsageTotals.totalLlmLatencyMs,
+    changeRequests
+  };
+}
+
+// src/api/portfolio/index.ts
+function toTargetStatusFromRemediation(report) {
+  const failed = report.results.some((result) => !result.applied && !result.dryRun);
+  const succeeded = report.results.some((result) => result.applied || result.dryRun);
+  if (!failed) return "ok";
+  return succeeded ? "partial" : "failed";
+}
+function normalizeTargetInput(target) {
+  return {
+    cveId: target.cveId?.trim() || void 0,
+    inputPath: target.inputPath?.trim() || void 0,
+    audit: target.audit ?? false
+  };
+}
+function validateTarget(target, index) {
+  if (!target.cwd || typeof target.cwd !== "string") {
+    throw new Error(`Invalid portfolio target at index ${index}: cwd is required.`);
+  }
+  const { cveId, inputPath, audit } = normalizeTargetInput(target);
+  const hasScanInput = Boolean(inputPath) || audit;
+  if (Boolean(cveId) === hasScanInput) {
+    throw new Error(
+      `Invalid portfolio target at index ${index}: provide exactly one mode (cveId OR inputPath/audit).`
+    );
+  }
+}
+async function remediatePortfolio(targets, options = {}) {
+  const normalizedTargets = Array.isArray(targets) ? targets : [];
+  if (normalizedTargets.length === 0) {
+    throw new Error("Portfolio requires at least one target.");
+  }
+  normalizedTargets.forEach((target, index) => validateTarget(target, index));
+  const results = [];
+  const changeRequests = [];
+  let successCount = 0;
+  let failedCount = 0;
+  for (const target of normalizedTargets) {
+    const { cveId, inputPath, audit } = normalizeTargetInput(target);
+    try {
+      if (cveId) {
+        const remediationReport = await remediate(cveId, {
+          ...options,
+          cwd: target.cwd,
+          source: options.source
+        });
+        const status = toTargetStatusFromRemediation(remediationReport);
+        results.push({
+          target,
+          status,
+          remediationReport,
+          changeRequests: remediationReport.changeRequests
+        });
+        if (remediationReport.changeRequests?.length) {
+          changeRequests.push(...remediationReport.changeRequests);
+        }
+        if (status === "failed") {
+          failedCount += 1;
+        } else {
+          successCount += 1;
+        }
+        continue;
+      }
+      const scanReport = await remediateFromScan(inputPath ?? "", {
+        ...options,
+        cwd: target.cwd,
+        audit,
+        format: target.format,
+        source: options.source
+      });
+      results.push({
+        target,
+        status: scanReport.status,
+        scanReport,
+        changeRequests: scanReport.changeRequests
+      });
+      if (scanReport.changeRequests?.length) {
+        changeRequests.push(...scanReport.changeRequests);
+      }
+      if (scanReport.status === "failed") {
+        failedCount += 1;
+      } else {
+        successCount += 1;
+      }
+    } catch (error) {
+      results.push({
+        target,
+        status: "failed",
+        error: error instanceof Error ? error.message : String(error)
+      });
+      failedCount += 1;
+    }
+  }
+  const overallStatus = failedCount === 0 ? "ok" : successCount > 0 ? "partial" : "failed";
+  return {
+    schemaVersion: "1.0",
+    status: overallStatus,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    targets: results,
+    successCount,
+    failedCount,
+    changeRequests: changeRequests.length > 0 ? changeRequests : void 0
   };
 }
 
 // src/api/update-outdated/index.ts
 import { join as join17 } from "path";
 import { readFileSync as readFileSync14, writeFileSync as writeFileSync6 } from "fs";
-import { execa as execa12 } from "execa";
+import { execa as execa13 } from "execa";
 async function applyBump(params) {
   const pkgPath = join17(params.cwd, "package.json");
   let pkgJson;
@@ -5283,7 +5609,7 @@ async function applyBump(params) {
     writeFileSync6(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
     try {
       const [installCmd, ...installArgs] = params.installCommand;
-      await execa12(installCmd, installArgs, { cwd: params.cwd, stdio: "pipe" });
+      await execa13(installCmd, installArgs, { cwd: params.cwd, stdio: "pipe" });
     } catch (err) {
       pkgJson[depField][params.packageName] = currentRange;
       writeFileSync6(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
@@ -5296,13 +5622,13 @@ async function applyBump(params) {
     if (params.runTests) {
       try {
         const [testCmd, ...testArgs] = params.testCommand;
-        await execa12(testCmd, testArgs, { cwd: params.cwd, stdio: "pipe" });
+        await execa13(testCmd, testArgs, { cwd: params.cwd, stdio: "pipe" });
       } catch (err) {
         pkgJson[depField][params.packageName] = currentRange;
         writeFileSync6(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
         try {
           const [rollbackCmd, ...rollbackArgs] = params.installCommand;
-          await execa12(rollbackCmd, rollbackArgs, { cwd: params.cwd, stdio: "pipe" });
+          await execa13(rollbackCmd, rollbackArgs, { cwd: params.cwd, stdio: "pipe" });
         } catch {
         }
         const message = err instanceof Error ? err.message : String(err);
@@ -5455,6 +5781,28 @@ async function updateOutdated(options = {}) {
   };
   finalizeEvidence(evidence);
   const evidenceFile = options.evidence === false ? void 0 : writeEvidenceLog(cwd, evidence);
+  const changeRequests = options.changeRequest?.enabled && successCount > 0 ? await createChangeRequestsForReports({
+    cwd,
+    options: options.changeRequest,
+    reports: [
+      {
+        cveId: "UPDATE-OUTDATED",
+        cveDetails: null,
+        vulnerablePackages: [],
+        results: outdatedPackages.filter((pkg) => !pkg.isMajorBump).map((pkg) => ({
+          packageName: pkg.name,
+          strategy: "version-bump",
+          fromVersion: pkg.currentVersion,
+          toVersion: pkg.latestVersion,
+          applied: true,
+          dryRun: Boolean(options.dryRun),
+          message: `Updated ${pkg.name} to ${pkg.latestVersion}`
+        })),
+        agentSteps: 0,
+        summary: "update-outdated"
+      }
+    ]
+  }) : void 0;
   return {
     schemaVersion: "1.0",
     status,
@@ -5468,7 +5816,8 @@ async function updateOutdated(options = {}) {
     patchCount: 0,
     constraints,
     correlation,
-    provenance
+    provenance,
+    changeRequests
   };
 }
 
@@ -5562,7 +5911,8 @@ export {
   remediate,
   planRemediation,
   remediateFromScan,
+  remediatePortfolio,
   updateOutdated,
   PACKAGE_VERSION
 };
-//# sourceMappingURL=chunk-GYCZ6L3O.js.map
+//# sourceMappingURL=chunk-575GEUAY.js.map