npm - autoremediator - Versions diffs - 0.5.0 → 0.7.0 - Mend

autoremediator 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +7 -3
package/dist/chunk-7XSZTGU7.js +16 -0
package/dist/chunk-7XSZTGU7.js.map +1 -0
package/dist/{chunk-VLXGEH7U.js → chunk-MUFP2DQX.js} +2623 -1732
package/dist/chunk-MUFP2DQX.js.map +1 -0
package/dist/cli.js +114 -13
package/dist/cli.js.map +1 -1
package/dist/index.d.ts +5 -210
package/dist/index.js +17 -1
package/dist/mcp/server.d.ts +3 -241
package/dist/mcp/server.js +14 -69
package/dist/mcp/server.js.map +1 -1
package/dist/openapi/server.d.ts +9 -242
package/dist/openapi/server.js +16 -90
package/dist/openapi/server.js.map +1 -1
package/dist/options-schema-DfLBOsPI.d.ts +37 -0
package/dist/remediate-from-scan-C-E7gqxF.d.ts +211 -0
package/llms.txt +21 -6
package/package.json +2 -2
package/dist/chunk-VLXGEH7U.js.map +0 -1

package/dist/{chunk-VLXGEH7U.js → chunk-MUFP2DQX.js} RENAMED Viewed

@@ -1,8 +1,5 @@
 // src/remediation/pipeline.ts
 import { generateText as generateText2 } from "ai";
-import { existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
-import { join as join8 } from "path";
-import semver4 from "semver";
 // src/platform/config.ts
 function resolveProvider(options = {}) {
@@ -162,567 +159,1108 @@ function parseListOutput(pm, stdout) {
   return versions;
 }
-// src/remediation/tools/lookup-cve.ts
+// src/remediation/tools/apply-version-bump.ts
 import { tool } from "ai";
 import { z } from "zod";
+import { join as join4 } from "path";
+import { readFileSync as readFileSync2, writeFileSync } from "fs";
+import { execa } from "execa";
+import semver from "semver";
-// src/intelligence/sources/osv.ts
-var OSV_BASE = "https://api.osv.dev/v1";
-async function fetchOsvVuln(cveId) {
-  const url = `${OSV_BASE}/vulns/${encodeURIComponent(cveId)}`;
-  const res = await fetch(url, {
-    headers: { Accept: "application/json" }
-  });
-  if (res.status === 404) return null;
-  if (!res.ok) {
-    throw new Error(`OSV API error ${res.status} for ${cveId}: ${await res.text()}`);
-  }
-  return res.json();
-}
-function osvEventsToSemverRange(events) {
-  const parts = [];
-  for (const event of events) {
-    if (event.introduced !== void 0) {
-      const v = event.introduced === "0" ? "0.0.0" : event.introduced;
-      parts.push(`>=${v}`);
-    }
-    if (event.fixed !== void 0) {
-      parts.push(`<${event.fixed}`);
-    }
-    if (event.last_affected !== void 0) {
-      parts.push(`<=${event.last_affected}`);
-    }
+// src/platform/policy.ts
+import { existsSync as existsSync2, readFileSync } from "fs";
+import { join as join2 } from "path";
+var DEFAULT_POLICY = {
+  allowMajorBumps: false,
+  denyPackages: [],
+  allowPackages: [],
+  constraints: {
+    directDependenciesOnly: false,
+    preferVersionBump: false
   }
-  return parts.join(" ") || ">=0.0.0";
-}
-function parseOsvVuln(vuln) {
-  const npmAffected = [];
-  for (const affected of vuln.affected ?? []) {
-    const ecosystem = affected.package?.ecosystem;
-    const packageName = affected.package?.name;
-    if (!ecosystem || typeof ecosystem !== "string") continue;
-    if (!packageName || typeof packageName !== "string") continue;
-    if (ecosystem.toLowerCase() !== "npm") continue;
-    const semverRange = affected.ranges?.find((r) => r.type === "SEMVER");
-    const vulnerableRange = semverRange ? osvEventsToSemverRange(semverRange.events) : ">=0.0.0";
-    const fixedEvent = semverRange?.events.find((e) => e.fixed !== void 0);
-    npmAffected.push({
-      name: packageName,
-      ecosystem: "npm",
-      vulnerableRange,
-      firstPatchedVersion: fixedEvent?.fixed,
-      source: "osv"
-    });
+};
+function loadPolicy(cwd, explicitPath) {
+  const candidate = explicitPath ?? join2(cwd, ".autoremediator.json");
+  if (!existsSync2(candidate)) return DEFAULT_POLICY;
+  try {
+    const parsed = JSON.parse(readFileSync(candidate, "utf8"));
+    return {
+      allowMajorBumps: parsed.allowMajorBumps ?? DEFAULT_POLICY.allowMajorBumps,
+      denyPackages: parsed.denyPackages ?? DEFAULT_POLICY.denyPackages,
+      allowPackages: parsed.allowPackages ?? DEFAULT_POLICY.allowPackages,
+      constraints: {
+        directDependenciesOnly: parsed.constraints?.directDependenciesOnly ?? DEFAULT_POLICY.constraints?.directDependenciesOnly ?? false,
+        preferVersionBump: parsed.constraints?.preferVersionBump ?? DEFAULT_POLICY.constraints?.preferVersionBump ?? false
+      }
+    };
+  } catch {
+    return DEFAULT_POLICY;
   }
-  const severity = deriveSeverity(vuln.severity);
-  return {
-    id: vuln.id,
-    summary: vuln.summary ?? vuln.details ?? "No summary available.",
-    severity,
-    references: vuln.references?.map((r) => r.url) ?? [],
-    affectedPackages: npmAffected
-  };
 }
-function deriveSeverity(severityEntries) {
-  if (!severityEntries?.length) return "UNKNOWN";
-  const cvssEntry = severityEntries.find((s) => s.type === "CVSS_V3") ?? severityEntries[0];
-  const scoreMatch = cvssEntry.score.match(/(\d+\.\d+)$/);
-  if (scoreMatch) {
-    const score = parseFloat(scoreMatch[1]);
-    if (score >= 9) return "CRITICAL";
-    if (score >= 7) return "HIGH";
-    if (score >= 4) return "MEDIUM";
-    return "LOW";
+function isPackageAllowed(policy, packageName) {
+  if (policy.denyPackages.includes(packageName)) return false;
+  if (policy.allowPackages.length > 0 && !policy.allowPackages.includes(packageName)) {
+    return false;
   }
-  return "UNKNOWN";
-}
-async function lookupCveOsv(cveId) {
-  const vuln = await fetchOsvVuln(cveId);
-  if (!vuln) return null;
-  return parseOsvVuln(vuln);
+  return true;
 }
-// src/intelligence/sources/github-advisory.ts
-var GH_ADVISORY_BASE = "https://api.github.com/advisories";
-function buildHeaders() {
-  const headers = {
-    Accept: "application/vnd.github+json",
-    "X-GitHub-Api-Version": "2022-11-28"
-  };
-  const token = getGitHubToken();
-  if (token) {
-    headers.Authorization = `Bearer ${token}`;
-  }
-  return headers;
-}
-async function fetchGhAdvisories(cveId) {
-  const url = new URL(GH_ADVISORY_BASE);
-  url.searchParams.set("cve_id", cveId);
-  url.searchParams.set("ecosystem", "npm");
-  url.searchParams.set("type", "reviewed");
-  url.searchParams.set("per_page", "10");
-  const res = await fetch(url.toString(), { headers: buildHeaders() });
-  if (res.status === 404) return [];
-  if (!res.ok) {
-    console.warn(
-      `[autoremediator] GitHub Advisory API returned ${res.status} for ${cveId} \u2014 skipping.`
-    );
-    return [];
-  }
-  return res.json();
-}
-function parseGhAdvisories(advisories) {
-  const packages = [];
-  for (const advisory of advisories) {
-    for (const vuln of advisory.vulnerabilities) {
-      if (vuln.package.ecosystem.toLowerCase() !== "npm") continue;
-      packages.push({
-        name: vuln.package.name,
-        ecosystem: "npm",
-        vulnerableRange: vuln.vulnerable_version_range ?? ">=0.0.0",
-        firstPatchedVersion: vuln.first_patched_version ?? void 0,
-        source: "github-advisory"
-      });
-    }
-  }
-  return packages;
+// src/platform/repo-lock.ts
+import { mkdir, rm } from "fs/promises";
+import { join as join3 } from "path";
+async function sleep(ms) {
+  await new Promise((resolve) => setTimeout(resolve, ms));
 }
-function mergeGhDataIntoCveDetails(details, ghPackages) {
-  const enriched = { ...details };
-  for (const ghPkg of ghPackages) {
-    const existing = enriched.affectedPackages.find(
-      (p) => p.name === ghPkg.name
-    );
-    if (existing) {
-      if (!existing.firstPatchedVersion && ghPkg.firstPatchedVersion) {
-        existing.firstPatchedVersion = ghPkg.firstPatchedVersion;
+async function acquireRepoLock(cwd, options = {}) {
+  const timeoutMs = options.timeoutMs ?? 15e3;
+  const retryDelayMs = options.retryDelayMs ?? 125;
+  const lockRoot = join3(cwd, ".autoremediator", "locks");
+  const lockPath = join3(cwd, ".autoremediator", "locks", "remediation.lock");
+  const startedAt = Date.now();
+  await mkdir(lockRoot, { recursive: true });
+  while (true) {
+    try {
+      await mkdir(lockPath, { recursive: false });
+      return {
+        lockPath,
+        release: async () => {
+          await rm(lockPath, { recursive: true, force: true });
+        }
+      };
+    } catch {
+      if (Date.now() - startedAt > timeoutMs) {
+        throw new Error(`Timed out waiting for repository lock at ${lockPath}.`);
       }
-    } else {
-      enriched.affectedPackages.push(ghPkg);
+      await sleep(retryDelayMs);
     }
   }
-  return enriched;
-}
-async function lookupCveGitHub(cveId) {
-  const advisories = await fetchGhAdvisories(cveId);
-  return parseGhAdvisories(advisories);
-}
-// src/intelligence/sources/nvd.ts
-var NVD_BASE = "https://services.nvd.nist.gov/rest/json/cves/2.0";
-function buildNvdHeaders() {
-  const { apiKey } = getNvdConfig();
-  const headers = { Accept: "application/json" };
-  if (apiKey) {
-    headers.apiKey = apiKey;
-  }
-  return headers;
 }
-async function fetchNvdCvss(cveId) {
-  const url = `${NVD_BASE}?cveId=${encodeURIComponent(cveId)}`;
+async function withRepoLock(cwd, fn, options) {
+  const lock = await acquireRepoLock(cwd, options);
   try {
-    const res = await fetch(url, { headers: buildNvdHeaders() });
-    if (!res.ok) return void 0;
-    const data = await res.json();
-    const vuln = data.vulnerabilities?.[0];
-    if (!vuln) return void 0;
-    const metrics = vuln.cve.metrics;
-    const metric = metrics?.cvssMetricV31?.[0] ?? metrics?.cvssMetricV30?.[0] ?? metrics?.cvssMetricV2?.[0];
-    if (!metric) return void 0;
-    const score = metric.cvssData.baseScore;
-    const rawSeverity = metric.cvssData.baseSeverity.toUpperCase();
-    const severityMap = {
-      CRITICAL: "CRITICAL",
-      HIGH: "HIGH",
-      MEDIUM: "MEDIUM",
-      LOW: "LOW"
-    };
-    return {
-      score,
-      severity: severityMap[rawSeverity] ?? "UNKNOWN"
-    };
-  } catch {
-    return void 0;
-  }
-}
-async function enrichWithNvd(details) {
-  const cvss = await fetchNvdCvss(details.id);
-  if (cvss) {
-    details.cvssScore = cvss.score;
-    if (details.severity === "UNKNOWN") {
-      details.severity = cvss.severity;
-    }
+    return await fn();
+  } finally {
+    await lock.release();
   }
-  return details;
 }
-// src/intelligence/sources/cisa-kev.ts
-var CISA_KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json";
-async function fetchCisaKevFeed() {
-  try {
-    const res = await fetch(CISA_KEV_URL, {
-      headers: { Accept: "application/json" }
-    });
-    if (!res.ok) return void 0;
-    return await res.json();
-  } catch {
-    return void 0;
-  }
-}
-function findKevEntry(feed, cveId) {
-  if (!feed?.vulnerabilities?.length) return void 0;
-  const normalized = cveId.toUpperCase();
-  return feed.vulnerabilities.find((v) => v.cveID.toUpperCase() === normalized);
+// src/remediation/tools/apply-version-bump.ts
+var applyVersionBumpTool = tool({
+  description: "Update package.json to use the safe version of a vulnerable package and run the project's package manager install. In dry-run mode, only reports what would change.",
+  parameters: z.object({
+    cwd: z.string().describe("Absolute path to the consumer project root"),
+    packageManager: z.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageName: z.string().describe("The npm package to upgrade"),
+    fromVersion: z.string().describe("The currently installed vulnerable version"),
+    toVersion: z.string().describe("The safe target version to upgrade to"),
+    dryRun: z.boolean().default(false).describe("If true, report changes but do not write"),
+    policy: z.string().optional().describe("Optional path to .autoremediator policy file"),
+    runTests: z.boolean().default(false).describe("If true, run test validation after applying the fix")
+  }),
+  execute: async ({
+    cwd,
+    packageManager,
+    packageName,
+    fromVersion,
+    toVersion,
+    dryRun,
+    policy,
+    runTests
+  }) => {
+    const pm = packageManager ?? detectPackageManager(cwd);
+    const commands = getPackageManagerCommands(pm);
+    const pkgPath = join4(cwd, "package.json");
+    const loadedPolicy = loadPolicy(cwd, policy);
+    if (!isPackageAllowed(loadedPolicy, packageName)) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun,
+        unresolvedReason: "policy-blocked",
+        message: `Policy blocked changes for package "${packageName}".`
+      };
+    }
+    const isMajorBump = semver.valid(fromVersion) && semver.valid(toVersion) && semver.major(toVersion) > semver.major(fromVersion);
+    if (isMajorBump && !loadedPolicy.allowMajorBumps) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun,
+        unresolvedReason: "major-bump-required",
+        message: `Policy blocked major bump for "${packageName}" (${fromVersion} -> ${toVersion}).`
+      };
+    }
+    let pkgJson;
+    try {
+      pkgJson = JSON.parse(readFileSync2(pkgPath, "utf8"));
+    } catch {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        applied: false,
+        dryRun,
+        unresolvedReason: "package-json-not-found",
+        message: `Could not read package.json at "${pkgPath}".`
+      };
+    }
+    const depField = ["dependencies", "devDependencies", "peerDependencies"].find(
+      (f) => pkgJson[f]?.[packageName] !== void 0
+    );
+    if (!depField) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        applied: false,
+        dryRun,
+        unresolvedReason: "indirect-dependency",
+        message: `"${packageName}" was not found in package.json dependencies (it may be a transitive dep). Cannot auto-bump.`
+      };
+    }
+    const currentRange = pkgJson[depField][packageName];
+    const prefixMatch = currentRange.match(/^([~^]?)/);
+    const prefix = prefixMatch?.[1] ?? "";
+    const newRange = `${prefix}${toVersion}`;
+    if (dryRun) {
+      const installCmd = commands.installPreferOffline.join(" ");
+      const testCmd = commands.test.join(" ");
+      return {
+        packageName,
+        strategy: "version-bump",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun: true,
+        message: `[DRY RUN] Would update ${depField}.${packageName}: "${currentRange}" -> "${newRange}", then run ${installCmd}${runTests ? ` and ${testCmd}` : ""}.`
+      };
+    }
+    return withRepoLock(cwd, async () => {
+      pkgJson[depField][packageName] = newRange;
+      writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+      try {
+        const [installCmd, ...installArgs] = commands.installPreferOffline;
+        await execa(installCmd, installArgs, {
+          cwd,
+          stdio: "pipe"
+        });
+      } catch (err) {
+        pkgJson[depField][packageName] = currentRange;
+        writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+          packageName,
+          strategy: "version-bump",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun: false,
+          unresolvedReason: "install-failed",
+          message: `${commands.installPreferOffline.join(" ")} failed after updating "${packageName}" to ${toVersion}. Reverted. Error: ${message}`
+        };
+      }
+      if (runTests) {
+        try {
+          const [testCmd, ...testArgs] = commands.test;
+          await execa(testCmd, testArgs, {
+            cwd,
+            stdio: "pipe"
+          });
+        } catch (err) {
+          pkgJson[depField][packageName] = currentRange;
+          writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+          try {
+            const [rollbackCmd, ...rollbackArgs] = commands.installPreferOffline;
+            await execa(rollbackCmd, rollbackArgs, {
+              cwd,
+              stdio: "pipe"
+            });
+          } catch {
+          }
+          const message = err instanceof Error ? err.message : String(err);
+          return {
+            packageName,
+            strategy: "version-bump",
+            fromVersion,
+            toVersion,
+            applied: false,
+            dryRun: false,
+            unresolvedReason: "validation-failed",
+            message: `${commands.test.join(" ")} failed after upgrading "${packageName}" to ${toVersion}. Rolled back to ${currentRange}. Error: ${message}`
+          };
+        }
+      }
+      return {
+        packageName,
+        strategy: "version-bump",
+        fromVersion,
+        toVersion,
+        applied: true,
+        dryRun: false,
+        message: `Successfully upgraded "${packageName}" from ${fromVersion} to ${toVersion}, ran ${commands.installPreferOffline.join(" ")}${runTests ? `, and passed ${commands.test.join(" ")}` : ""}.`
+      };
+    });
+  }
+});
+// src/remediation/tools/apply-package-override.ts
+import { tool as tool2 } from "ai";
+import { z as z2 } from "zod";
+import { join as join5 } from "path";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { execa as execa2 } from "execa";
+import semver2 from "semver";
+var applyPackageOverrideTool = tool2({
+  description: "Apply a package-manager-native package.json override for a vulnerable transitive dependency and reinstall. Uses npm overrides, pnpm.overrides, or yarn resolutions.",
+  parameters: z2.object({
+    cwd: z2.string().describe("Absolute path to the consumer project root"),
+    packageManager: z2.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageName: z2.string().describe("The npm package to override"),
+    fromVersion: z2.string().describe("The currently installed vulnerable version"),
+    toVersion: z2.string().describe("The safe target version to override to"),
+    dryRun: z2.boolean().default(false).describe("If true, report changes but do not write"),
+    policy: z2.string().optional().describe("Optional path to .autoremediator policy file"),
+    runTests: z2.boolean().default(false).describe("If true, run test validation after applying the override")
+  }),
+  execute: async ({
+    cwd,
+    packageManager,
+    packageName,
+    fromVersion,
+    toVersion,
+    dryRun,
+    policy,
+    runTests
+  }) => {
+    const pm = packageManager ?? detectPackageManager(cwd);
+    const commands = getPackageManagerCommands(pm);
+    const pkgPath = join5(cwd, "package.json");
+    const loadedPolicy = loadPolicy(cwd, policy);
+    if (!isPackageAllowed(loadedPolicy, packageName)) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun,
+        unresolvedReason: "policy-blocked",
+        message: `Policy blocked changes for package "${packageName}".`
+      };
+    }
+    const isMajorBump = semver2.valid(fromVersion) && semver2.valid(toVersion) && semver2.major(toVersion) > semver2.major(fromVersion);
+    if (isMajorBump && !loadedPolicy.allowMajorBumps) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun,
+        unresolvedReason: "major-bump-required",
+        message: `Policy blocked major override for "${packageName}" (${fromVersion} -> ${toVersion}).`
+      };
+    }
+    let pkgJson;
+    try {
+      pkgJson = JSON.parse(readFileSync3(pkgPath, "utf8"));
+    } catch {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun,
+        unresolvedReason: "package-json-not-found",
+        message: `Could not read package.json at "${pkgPath}".`
+      };
+    }
+    const overrideLabel = describeOverrideField(pm);
+    const previousValue = getOverrideValue(pkgJson, pm, packageName);
+    if (dryRun) {
+      return {
+        packageName,
+        strategy: "override",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun: true,
+        message: `[DRY RUN] Would set ${overrideLabel}.${packageName} to "${toVersion}", then run ${commands.installPreferOffline.join(" ")}${runTests ? ` and ${commands.test.join(" ")}` : ""}.`
+      };
+    }
+    return withRepoLock(cwd, async () => {
+      setOverrideValue(pkgJson, pm, packageName, toVersion);
+      writeFileSync2(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+      try {
+        const [installCmd, ...installArgs] = commands.installPreferOffline;
+        await execa2(installCmd, installArgs, { cwd, stdio: "pipe" });
+      } catch (err) {
+        restoreOverrideValue(pkgJson, pm, packageName, previousValue);
+        writeFileSync2(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+          packageName,
+          strategy: "override",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun: false,
+          unresolvedReason: "override-apply-failed",
+          message: `${commands.installPreferOffline.join(" ")} failed after applying ${overrideLabel} for "${packageName}" to ${toVersion}. Reverted. Error: ${message}`
+        };
+      }
+      if (runTests) {
+        try {
+          const [testCmd, ...testArgs] = commands.test;
+          await execa2(testCmd, testArgs, { cwd, stdio: "pipe" });
+        } catch (err) {
+          restoreOverrideValue(pkgJson, pm, packageName, previousValue);
+          writeFileSync2(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+          try {
+            const [rollbackCmd, ...rollbackArgs] = commands.installPreferOffline;
+            await execa2(rollbackCmd, rollbackArgs, { cwd, stdio: "pipe" });
+          } catch {
+          }
+          const message = err instanceof Error ? err.message : String(err);
+          return {
+            packageName,
+            strategy: "override",
+            fromVersion,
+            toVersion,
+            applied: false,
+            dryRun: false,
+            unresolvedReason: "validation-failed",
+            message: `${commands.test.join(" ")} failed after applying ${overrideLabel} for "${packageName}" to ${toVersion}. Reverted. Error: ${message}`
+          };
+        }
+      }
+      return {
+        packageName,
+        strategy: "override",
+        fromVersion,
+        toVersion,
+        applied: true,
+        dryRun: false,
+        message: `Successfully applied ${overrideLabel} for "${packageName}" from ${fromVersion} to ${toVersion}, then ran ${commands.installPreferOffline.join(" ")}${runTests ? ` and passed ${commands.test.join(" ")}` : ""}.`
+      };
+    });
+  }
+});
+function describeOverrideField(packageManager) {
+  if (packageManager === "npm") return "overrides";
+  if (packageManager === "pnpm") return "pnpm.overrides";
+  return "resolutions";
+}
+function getOverrideValue(pkgJson, packageManager, packageName) {
+  if (packageManager === "npm") return pkgJson.overrides?.[packageName];
+  if (packageManager === "pnpm") return pkgJson.pnpm?.overrides?.[packageName];
+  return pkgJson.resolutions?.[packageName];
+}
+function setOverrideValue(pkgJson, packageManager, packageName, version) {
+  if (packageManager === "npm") {
+    pkgJson.overrides = { ...pkgJson.overrides ?? {}, [packageName]: version };
+    return;
+  }
+  if (packageManager === "pnpm") {
+    pkgJson.pnpm = {
+      ...pkgJson.pnpm ?? {},
+      overrides: {
+        ...pkgJson.pnpm?.overrides ?? {},
+        [packageName]: version
+      }
+    };
+    return;
+  }
+  pkgJson.resolutions = { ...pkgJson.resolutions ?? {}, [packageName]: version };
+}
+function restoreOverrideValue(pkgJson, packageManager, packageName, previousValue) {
+  if (packageManager === "npm") {
+    pkgJson.overrides = restoreRecord(pkgJson.overrides, packageName, previousValue);
+    return;
+  }
+  if (packageManager === "pnpm") {
+    pkgJson.pnpm = {
+      ...pkgJson.pnpm ?? {},
+      overrides: restoreRecord(pkgJson.pnpm?.overrides, packageName, previousValue)
+    };
+    if (!pkgJson.pnpm.overrides) {
+      delete pkgJson.pnpm.overrides;
+    }
+    if (Object.keys(pkgJson.pnpm).length === 0) {
+      delete pkgJson.pnpm;
+    }
+    return;
+  }
+  pkgJson.resolutions = restoreRecord(pkgJson.resolutions, packageName, previousValue);
+}
+function restoreRecord(record, key, previousValue) {
+  const nextRecord = { ...record ?? {} };
+  if (previousValue === void 0) {
+    delete nextRecord[key];
+  } else {
+    nextRecord[key] = previousValue;
+  }
+  return Object.keys(nextRecord).length > 0 ? nextRecord : void 0;
+}
+// src/remediation/tools/apply-patch-file.ts
+import { tool as tool3 } from "ai";
+import { z as z3 } from "zod";
+import { existsSync as existsSync4 } from "fs";
+import { mkdir as mkdir2, mkdtemp, readFile, rm as rm2, writeFile } from "fs/promises";
+import { tmpdir } from "os";
+import { join as join7 } from "path";
+import { execa as execa4 } from "execa";
+// src/remediation/strategies/patch-utils.ts
+import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync3, readFileSync as readFileSync4 } from "fs";
+import { join as join6 } from "path";
+import { execa as execa3 } from "execa";
+function validatePatchDiff(patchContent) {
+  if (!patchContent || typeof patchContent !== "string") {
+    return {
+      valid: false,
+      error: "Patch content must be a non-empty string"
+    };
+  }
+  const hasFromLine = /^---\s+\S+/m.test(patchContent);
+  const hasToLine = /^\+\+\+\s+\S+/m.test(patchContent);
+  const hasHunkHeader = /^@@\s+-\d+/m.test(patchContent);
+  if (!hasFromLine) {
+    return {
+      valid: false,
+      error: 'Missing "---" line in patch format'
+    };
+  }
+  if (!hasToLine) {
+    return {
+      valid: false,
+      error: 'Missing "+++" line in patch format'
+    };
+  }
+  if (!hasHunkHeader) {
+    return {
+      valid: false,
+      error: "No hunk headers (@@...) found in patch"
+    };
+  }
+  return { valid: true };
+}
+// src/remediation/tools/apply-patch-file.ts
+var applyPatchFileTool = tool3({
+  description: "Write generated patch file and apply it using package-manager-native patch flow when available, falling back to patch-package when needed.",
+  parameters: z3.object({
+    packageName: z3.string().min(1).describe("The npm package name"),
+    vulnerableVersion: z3.string().describe("The vulnerable version string"),
+    patchContent: z3.string().min(10).optional().describe("Unified diff patch content from generate-patch"),
+    patches: z3.array(
+      z3.object({
+        filePath: z3.string().min(1),
+        unifiedDiff: z3.string().min(10)
+      })
+    ).optional().describe("Patch list from generate-patch; first patch is applied"),
+    patchesDir: z3.string().optional().default("./patches").describe("Directory to store patch files"),
+    cwd: z3.string().describe("Project root directory (for package.json)"),
+    packageManager: z3.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    validateWithTests: z3.boolean().optional().default(true).describe("Run package manager test command to validate patch doesn't break anything"),
+    dryRun: z3.boolean().optional().default(false).describe("If true, report but do not mutate files")
+  }).refine((value) => Boolean(value.patchContent || value.patches && value.patches.length > 0), {
+    message: "Either patchContent or patches must be provided"
+  }),
+  execute: async ({
+    packageName,
+    vulnerableVersion,
+    patchContent,
+    patches,
+    patchesDir,
+    cwd,
+    packageManager,
+    validateWithTests,
+    dryRun
+  }) => {
+    try {
+      const pm = packageManager ?? detectPackageManager(cwd);
+      const selectedPatch = patchContent ?? patches?.[0]?.unifiedDiff;
+      if (!selectedPatch) {
+        return {
+          success: false,
+          packageName,
+          vulnerableVersion,
+          applied: false,
+          dryRun,
+          message: "No patch content provided.",
+          error: "No patch content provided."
+        };
+      }
+      const patchValidation = validatePatchDiff(selectedPatch);
+      if (!patchValidation.valid) {
+        return {
+          success: false,
+          packageName,
+          vulnerableVersion,
+          applied: false,
+          dryRun,
+          message: patchValidation.error ?? "Patch content is not a valid unified diff.",
+          error: patchValidation.error ?? "Patch content is not a valid unified diff."
+        };
+      }
+      const patchFileName = buildPatchFileName(packageName, vulnerableVersion);
+      const patchFilePath = join7(cwd, patchesDir, patchFileName);
+      if (dryRun) {
+        return {
+          success: true,
+          packageName,
+          vulnerableVersion,
+          applied: false,
+          dryRun: true,
+          message: `[DRY RUN] Would write and configure patch at ${patchFilePath}.`,
+          patchFilePath,
+          patchPath: patchFilePath
+        };
+      }
+      return withRepoLock(cwd, async () => {
+        const packageJsonSnapshot = patchModeRequiresPackageJsonSnapshot(pm, cwd) ? await capturePackageJsonSnapshot(cwd) : void 0;
+        const patchesDirPath = join7(cwd, patchesDir);
+        await mkdir2(patchesDirPath, { recursive: true });
+        await writeFile(patchFilePath, selectedPatch, "utf8");
+        let validationResult;
+        const patchMode = await resolvePatchMode(pm, cwd);
+        const commands = getPackageManagerCommands(pm);
+        const applyResult = patchMode === "patch-package" ? await configurePatchPackagePostinstall(cwd, pm) : await applyNativePatch({
+          cwd,
+          packageName,
+          vulnerableVersion,
+          patchContent: selectedPatch,
+          patchMode
+        });
+        if (!applyResult.success) {
+          await cleanupPatchArtifacts({
+            cwd,
+            packageManager: pm,
+            patchFilePath,
+            patchMode,
+            packageJsonSnapshot,
+            rerunInstall: patchMode === "patch-package"
+          });
+          return {
+            success: false,
+            packageName,
+            vulnerableVersion,
+            applied: false,
+            dryRun: false,
+            message: applyResult.error,
+            patchFilePath,
+            patchPath: patchFilePath,
+            patchMode,
+            postinstallConfigured: patchMode === "patch-package" ? false : void 0,
+            error: applyResult.error
+          };
+        }
+        if (patchMode === "patch-package") {
+          try {
+            const [installCmd, ...installArgs] = commands.installPreferOffline;
+            await execa4(installCmd, installArgs, {
+              cwd,
+              stdio: "pipe"
+            });
+          } catch (err) {
+            await cleanupPatchArtifacts({
+              cwd,
+              packageManager: pm,
+              patchFilePath,
+              patchMode,
+              packageJsonSnapshot,
+              rerunInstall: true
+            });
+            const error = err instanceof Error ? err.message : String(err);
+            return {
+              success: false,
+              packageName,
+              vulnerableVersion,
+              applied: false,
+              dryRun: false,
+              message: `Failed to apply patch-package workflow for ${packageName}@${vulnerableVersion}: ${error}`,
+              patchFilePath,
+              patchPath: patchFilePath,
+              patchMode,
+              postinstallConfigured: false,
+              error: `Failed to apply patch-package workflow for ${packageName}@${vulnerableVersion}: ${error}`
+            };
+          }
+        }
+        if (validateWithTests) {
+          validationResult = await validatePatchWithTests(cwd, pm);
+          if (!validationResult.passed) {
+            await cleanupPatchArtifacts({
+              cwd,
+              packageManager: pm,
+              patchFilePath,
+              patchMode,
+              packageJsonSnapshot,
+              rerunInstall: patchMode === "patch-package"
+            });
+            const validationError = "Patch validation failed after apply; patch marked unresolved.";
+            return {
+              success: false,
+              packageName,
+              vulnerableVersion,
+              applied: false,
+              dryRun: false,
+              message: validationError,
+              patchFilePath,
+              patchPath: patchFilePath,
+              patchMode,
+              postinstallConfigured: false,
+              validation: validationResult,
+              error: validationError
+            };
+          }
+        }
+        return {
+          success: true,
+          packageName,
+          vulnerableVersion,
+          applied: true,
+          dryRun: false,
+          message: `Patch applied successfully for ${packageName}@${vulnerableVersion}.`,
+          patchFilePath,
+          patchPath: patchFilePath,
+          patchMode,
+          postinstallConfigured: patchMode === "patch-package",
+          validation: validationResult
+        };
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        packageName,
+        vulnerableVersion,
+        applied: false,
+        dryRun,
+        message: `Failed to apply patch file: ${message}`,
+        error: `Failed to apply patch file: ${message}`
+      };
+    }
+  }
+});
+async function resolvePatchMode(packageManager, cwd) {
+  if (packageManager === "npm") return "patch-package";
+  if (packageManager === "pnpm") return "native-pnpm";
+  try {
+    const result = await execa4("yarn", ["--version"], {
+      cwd,
+      stdio: "pipe"
+    });
+    const version = result.stdout.trim();
+    const major = Number.parseInt(version.split(".")[0] || "0", 10);
+    return major >= 2 ? "native-yarn" : "patch-package";
+  } catch {
+    return "patch-package";
+  }
 }
-async function enrichWithCisaKev(details) {
-  const feed = await fetchCisaKevFeed();
-  const entry = findKevEntry(feed, details.id);
-  if (!entry) return details;
-  details.kev = {
-    knownExploited: true,
-    dateAdded: entry.dateAdded,
-    dueDate: entry.dueDate,
-    requiredAction: entry.requiredAction,
-    knownRansomwareCampaignUse: entry.knownRansomwareCampaignUse
-  };
-  if (!details.references.includes(CISA_KEV_URL)) {
-    details.references.push(CISA_KEV_URL);
+function patchModeRequiresPackageJsonSnapshot(packageManager, cwd) {
+  if (packageManager === "npm") return true;
+  if (packageManager === "pnpm") return false;
+  return true;
+}
+function buildPatchFileName(packageName, vulnerableVersion) {
+  const safeName = packageName.replace(/^@/, "").replace(/\//g, "+");
+  return `${safeName}+${vulnerableVersion}.patch`;
+}
+async function configurePatchPackagePostinstall(cwd, packageManager) {
+  const pkgJsonPath = join7(cwd, "package.json");
+  let pkgJson;
+  try {
+    pkgJson = JSON.parse(await readFile(pkgJsonPath, "utf8"));
+  } catch {
+    return {
+      success: false,
+      error: `Could not read package.json at ${pkgJsonPath}`
+    };
   }
-  return details;
+  const devDependencies = pkgJson.devDependencies ?? {};
+  if (!devDependencies["patch-package"]) {
+    try {
+      const commands = getPackageManagerCommands(packageManager);
+      const [cmd, ...args] = commands.installDev("patch-package");
+      await execa4(cmd, args, {
+        cwd,
+        stdio: "pipe"
+      });
+    } catch (err) {
+      return {
+        success: false,
+        error: `Failed to install patch-package: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  if (!pkgJson.scripts) {
+    pkgJson.scripts = {};
+  }
+  const patchApplyCmd = "patch-package";
+  const currentPostinstall = pkgJson.scripts.postinstall || "";
+  if (currentPostinstall && !currentPostinstall.includes("patch-package")) {
+    pkgJson.scripts.postinstall = `${currentPostinstall} && ${patchApplyCmd}`;
+  } else if (!currentPostinstall) {
+    pkgJson.scripts.postinstall = patchApplyCmd;
+  }
+  await writeFile(pkgJsonPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+  return { success: true };
 }
-// src/intelligence/sources/epss.ts
-async function fetchEpss(cveId) {
-  const { epssApi } = getIntelligenceSourceConfig();
-  if (!epssApi) return void 0;
+async function capturePackageJsonSnapshot(cwd) {
+  const path = join7(cwd, "package.json");
   try {
-    const url = new URL(epssApi);
-    url.searchParams.set("cve", cveId);
-    const res = await fetch(url.toString(), {
-      headers: { Accept: "application/json" }
-    });
-    if (!res.ok) return void 0;
-    const body = await res.json();
-    return body.data?.[0];
+    const content = await readFile(path, "utf8");
+    return { path, content };
   } catch {
     return void 0;
   }
 }
-async function enrichWithEpss(details) {
-  const row = await fetchEpss(details.id);
-  if (!row) return details;
-  const score = Number.parseFloat(row.epss);
-  const percentile = Number.parseFloat(row.percentile);
-  if (!Number.isFinite(score) || !Number.isFinite(percentile)) {
-    return details;
+async function cleanupPatchArtifacts(params) {
+  const { cwd, packageManager, patchFilePath, patchMode, packageJsonSnapshot, rerunInstall } = params;
+  await rm2(patchFilePath, { force: true }).catch(() => void 0);
+  if (patchMode === "patch-package" && packageJsonSnapshot) {
+    await writeFile(packageJsonSnapshot.path, packageJsonSnapshot.content, "utf8").catch(() => void 0);
+  }
+  if (!rerunInstall) return;
+  try {
+    const commands = getPackageManagerCommands(packageManager);
+    const [installCmd, ...installArgs] = commands.installPreferOffline;
+    await execa4(installCmd, installArgs, {
+      cwd,
+      stdio: "pipe"
+    });
+  } catch {
+  }
+}
+async function applyNativePatch(params) {
+  const { cwd, packageName, vulnerableVersion, patchContent, patchMode } = params;
+  const packageSpec = `${packageName}@${vulnerableVersion}`;
+  const createCommand = patchMode === "native-pnpm" ? "pnpm" : "yarn";
+  const createArgs = ["patch", packageSpec];
+  let patchDir;
+  try {
+    const createResult = await execa4(createCommand, createArgs, {
+      cwd,
+      stdio: "pipe"
+    });
+    patchDir = extractPatchDirectory(`${createResult.stdout}
+${createResult.stderr}`);
+  } catch (err) {
+    return {
+      success: false,
+      error: `Failed to create native patch workspace for ${packageSpec}: ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+  if (!patchDir) {
+    return {
+      success: false,
+      error: `Could not determine native patch directory for ${packageSpec}.`
+    };
+  }
+  const tempPatchDir = await mkdtemp(join7(tmpdir(), "autoremediator-native-patch-"));
+  const tempPatchFile = join7(tempPatchDir, "change.patch");
+  try {
+    await writeFile(tempPatchFile, patchContent, "utf8");
+    await execa4("patch", ["-p1", "-i", tempPatchFile], {
+      cwd: patchDir,
+      stdio: "pipe"
+    });
+    const commitCommand = patchMode === "native-pnpm" ? "pnpm" : "yarn";
+    const commitArgs = patchMode === "native-pnpm" ? ["patch-commit", patchDir] : ["patch-commit", "-s", patchDir];
+    await execa4(commitCommand, commitArgs, {
+      cwd,
+      stdio: "pipe"
+    });
+  } catch (err) {
+    return {
+      success: false,
+      error: `Failed to apply native patch for ${packageSpec}: ${err instanceof Error ? err.message : String(err)}`
+    };
+  } finally {
+    await rm2(tempPatchDir, { recursive: true, force: true });
   }
-  details.epss = {
-    score,
-    percentile,
-    date: row.date
-  };
-  return details;
-}
-// src/intelligence/sources/cve-services.ts
-function pickEnglishDescription(container) {
-  if (!container?.descriptions?.length) return void 0;
-  const en = container.descriptions.find((d) => d.lang === "en" && d.value);
-  return (en?.value ?? container.descriptions[0]?.value)?.trim() || void 0;
+  return { success: true };
 }
-function collectReferences(record) {
-  const refs = /* @__PURE__ */ new Set();
-  const cnaRefs = record.containers?.cna?.references ?? [];
-  const adpRefs = (record.containers?.adp ?? []).flatMap((c) => c.references ?? []);
-  for (const ref of [...cnaRefs, ...adpRefs]) {
-    if (ref.url) refs.add(ref.url);
+function extractPatchDirectory(output) {
+  const lines = output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+  for (const line of lines) {
+    if (existsSync4(line)) {
+      return line;
+    }
+    const tokens = line.split(/\s+/).map((token) => token.replace(/^['"]|['"]$/g, ""));
+    for (const token of tokens) {
+      if (token.startsWith("/") && existsSync4(token)) {
+        return token;
+      }
+    }
   }
-  return Array.from(refs);
+  return "";
 }
-async function fetchCveServicesRecord(cveId) {
-  const { cveServicesApi } = getIntelligenceSourceConfig();
-  if (!cveServicesApi) return void 0;
+async function validatePatchWithTests(cwd, packageManager) {
   try {
-    const res = await fetch(`${cveServicesApi}/${encodeURIComponent(cveId)}`, {
-      headers: { Accept: "application/json" }
+    const commands = getPackageManagerCommands(packageManager);
+    const [cmd, ...args] = commands.test;
+    const result = await execa4(cmd, args, {
+      cwd,
+      timeout: 6e4,
+      // 60 second timeout
+      stdio: "pipe"
     });
-    if (!res.ok) return void 0;
-    return await res.json();
-  } catch {
-    return void 0;
+    return {
+      passed: true,
+      output: result.stdout
+    };
+  } catch (err) {
+    const errorOutput = typeof err === "object" && err !== null && "stdout" in err ? String(err.stdout ?? "") : "";
+    const failedTests = extractFailedTests(errorOutput);
+    return {
+      passed: false,
+      error: failedTests.length > 0 ? `Failed tests: ${failedTests.join(", ")}` : "Package-manager test validation failed.",
+      output: errorOutput,
+      failedTests
+    };
   }
 }
-async function enrichWithCveServices(details) {
-  const record = await fetchCveServicesRecord(details.id);
-  if (!record) return details;
-  const summary = pickEnglishDescription(record.containers?.cna);
-  if (summary && (!details.summary || details.summary.includes("No summary available"))) {
-    details.summary = summary;
-  }
-  const refs = collectReferences(record);
-  if (refs.length > 0) {
-    const merged = /* @__PURE__ */ new Set([...details.references, ...refs]);
-    details.references = Array.from(merged);
+function extractFailedTests(output) {
+  const failedTests = [];
+  const patterns = [
+    /✖\s+(.+?)(?:\n|$)/g,
+    // Mocha style
+    /●\s+(.+)(?:\n|$)/g,
+    // Jest style
+    /^FAIL\s+(.+?)(?:\n|$)/gm
+    // Generic FAIL
+  ];
+  for (const pattern of patterns) {
+    let match;
+    while ((match = pattern.exec(output)) !== null) {
+      if (match[1]) {
+        failedTests.push(match[1].trim());
+      }
+    }
   }
-  details.intelligence = {
-    ...details.intelligence ?? {},
-    cveServicesEnriched: true
-  };
-  return details;
+  return failedTests.slice(0, 5);
 }
-// src/intelligence/sources/gitlab-advisory.ts
-function advisoryMatchesCve(advisory, cveId) {
-  const normalized = cveId.toUpperCase();
-  return (advisory.identifiers ?? []).some(
-    (id) => id.type?.toUpperCase() === "CVE" && id.value?.toUpperCase() === normalized
-  );
+// src/remediation/local/run.ts
+import semver4 from "semver";
+// src/intelligence/sources/osv.ts
+var OSV_BASE = "https://api.osv.dev/v1";
+async function fetchOsvVuln(cveId) {
+  const url = `${OSV_BASE}/vulns/${encodeURIComponent(cveId)}`;
+  const res = await fetch(url, {
+    headers: { Accept: "application/json" }
+  });
+  if (res.status === 404) return null;
+  if (!res.ok) {
+    throw new Error(`OSV API error ${res.status} for ${cveId}: ${await res.text()}`);
+  }
+  return res.json();
 }
-async function fetchGitLabAdvisories(cveId) {
-  const { gitLabAdvisoryApi } = getIntelligenceSourceConfig();
-  if (!gitLabAdvisoryApi) return [];
-  try {
-    const url = new URL(gitLabAdvisoryApi);
-    url.searchParams.set("identifier", cveId);
-    url.searchParams.set("ecosystem", "npm");
-    const res = await fetch(url.toString(), {
-      headers: { Accept: "application/json" }
-    });
-    if (!res.ok) return [];
-    const body = await res.json();
-    return Array.isArray(body) ? body : [];
-  } catch {
-    return [];
+function osvEventsToSemverRange(events) {
+  const parts = [];
+  for (const event of events) {
+    if (event.introduced !== void 0) {
+      const v = event.introduced === "0" ? "0.0.0" : event.introduced;
+      parts.push(`>=${v}`);
+    }
+    if (event.fixed !== void 0) {
+      parts.push(`<${event.fixed}`);
+    }
+    if (event.last_affected !== void 0) {
+      parts.push(`<=${event.last_affected}`);
+    }
   }
+  return parts.join(" ") || ">=0.0.0";
 }
-async function enrichWithGitLabAdvisory(details) {
-  const advisories = await fetchGitLabAdvisories(details.id);
-  const matched = advisories.filter((a) => advisoryMatchesCve(a, details.id));
-  if (matched.length === 0) return details;
-  const refs = matched.flatMap((m) => m.references ?? []);
-  if (refs.length > 0) {
-    const merged = /* @__PURE__ */ new Set([...details.references, ...refs]);
-    details.references = Array.from(merged);
+function parseOsvVuln(vuln) {
+  const npmAffected = [];
+  for (const affected of vuln.affected ?? []) {
+    const ecosystem = affected.package?.ecosystem;
+    const packageName = affected.package?.name;
+    if (!ecosystem || typeof ecosystem !== "string") continue;
+    if (!packageName || typeof packageName !== "string") continue;
+    if (ecosystem.toLowerCase() !== "npm") continue;
+    const semverRange = affected.ranges?.find((r) => r.type === "SEMVER");
+    const vulnerableRange = semverRange ? osvEventsToSemverRange(semverRange.events) : ">=0.0.0";
+    const fixedEvent = semverRange?.events.find((e) => e.fixed !== void 0);
+    npmAffected.push({
+      name: packageName,
+      ecosystem: "npm",
+      vulnerableRange,
+      firstPatchedVersion: fixedEvent?.fixed,
+      source: "osv"
+    });
   }
-  details.intelligence = {
-    ...details.intelligence ?? {},
-    gitlabAdvisoryMatched: true
+  const severity = deriveSeverity(vuln.severity);
+  return {
+    id: vuln.id,
+    summary: vuln.summary ?? vuln.details ?? "No summary available.",
+    severity,
+    references: vuln.references?.map((r) => r.url) ?? [],
+    affectedPackages: npmAffected
   };
-  return details;
+}
+function deriveSeverity(severityEntries) {
+  if (!severityEntries?.length) return "UNKNOWN";
+  const cvssEntry = severityEntries.find((s) => s.type === "CVSS_V3") ?? severityEntries[0];
+  const scoreMatch = cvssEntry.score.match(/(\d+\.\d+)$/);
+  if (scoreMatch) {
+    const score = parseFloat(scoreMatch[1]);
+    if (score >= 9) return "CRITICAL";
+    if (score >= 7) return "HIGH";
+    if (score >= 4) return "MEDIUM";
+    return "LOW";
+  }
+  return "UNKNOWN";
+}
+async function lookupCveOsv(cveId) {
+  const vuln = await fetchOsvVuln(cveId);
+  if (!vuln) return null;
+  return parseOsvVuln(vuln);
 }
-// src/intelligence/sources/certcc.ts
-var CERTCC_HOME = "https://www.kb.cert.org/vuls/";
-async function findCertCcReference(cveId) {
-  const { certCcSearchUrl } = getIntelligenceSourceConfig();
-  if (!certCcSearchUrl) return void 0;
-  try {
-    const url = new URL(certCcSearchUrl);
-    url.searchParams.set("query", cveId);
-    const res = await fetch(url.toString(), {
-      headers: { Accept: "text/html" }
-    });
-    if (!res.ok) return void 0;
-    const html = await res.text();
-    const match = html.match(/https:\/\/www\.kb\.cert\.org\/vuls\/id\/\d+/i);
-    return match?.[0] ?? void 0;
-  } catch {
-    return void 0;
+// src/intelligence/sources/github-advisory.ts
+var GH_ADVISORY_BASE = "https://api.github.com/advisories";
+function buildHeaders() {
+  const headers = {
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28"
+  };
+  const token = getGitHubToken();
+  if (token) {
+    headers.Authorization = `Bearer ${token}`;
   }
+  return headers;
 }
-async function enrichWithCertCc(details) {
-  const ref = await findCertCcReference(details.id);
-  if (!ref) return details;
-  if (!details.references.includes(ref)) {
-    details.references.push(ref);
+async function fetchGhAdvisories(cveId) {
+  const url = new URL(GH_ADVISORY_BASE);
+  url.searchParams.set("cve_id", cveId);
+  url.searchParams.set("ecosystem", "npm");
+  url.searchParams.set("type", "reviewed");
+  url.searchParams.set("per_page", "10");
+  const res = await fetch(url.toString(), { headers: buildHeaders() });
+  if (res.status === 404) return [];
+  if (!res.ok) {
+    console.warn(
+      `[autoremediator] GitHub Advisory API returned ${res.status} for ${cveId} \u2014 skipping.`
+    );
+    return [];
   }
-  details.intelligence = {
-    ...details.intelligence ?? {},
-    certCcMatched: true
-  };
-  if (!details.references.includes(CERTCC_HOME)) {
-    details.references.push(CERTCC_HOME);
+  return res.json();
+}
+function parseGhAdvisories(advisories) {
+  const packages = [];
+  for (const advisory of advisories) {
+    for (const vuln of advisory.vulnerabilities) {
+      if (vuln.package.ecosystem.toLowerCase() !== "npm") continue;
+      packages.push({
+        name: vuln.package.name,
+        ecosystem: "npm",
+        vulnerableRange: vuln.vulnerable_version_range ?? ">=0.0.0",
+        firstPatchedVersion: vuln.first_patched_version ?? void 0,
+        source: "github-advisory"
+      });
+    }
   }
-  return details;
+  return packages;
 }
-// src/intelligence/sources/deps-dev.ts
-async function fetchDepsDevPackage(name) {
-  const { depsDevApi } = getIntelligenceSourceConfig();
-  if (!depsDevApi) return false;
-  try {
-    const url = `${depsDevApi}/systems/npm/packages/${encodeURIComponent(name)}`;
-    const res = await fetch(url, { headers: { Accept: "application/json" } });
-    return res.ok;
-  } catch {
-    return false;
+function mergeGhDataIntoCveDetails(details, ghPackages) {
+  const enriched = { ...details };
+  for (const ghPkg of ghPackages) {
+    const existing = enriched.affectedPackages.find(
+      (p) => p.name === ghPkg.name
+    );
+    if (existing) {
+      if (!existing.firstPatchedVersion && ghPkg.firstPatchedVersion) {
+        existing.firstPatchedVersion = ghPkg.firstPatchedVersion;
+      }
+    } else {
+      enriched.affectedPackages.push(ghPkg);
+    }
   }
+  return enriched;
 }
-async function enrichWithDepsDev(details) {
-  const names = Array.from(new Set(details.affectedPackages.map((p) => p.name))).slice(0, 20);
-  if (names.length === 0) return details;
-  const checks = await Promise.all(names.map((name) => fetchDepsDevPackage(name)));
-  const matched = checks.filter(Boolean).length;
-  if (matched === 0) return details;
-  details.intelligence = {
-    ...details.intelligence ?? {},
-    depsDevEnrichedPackages: matched
-  };
-  return details;
+async function lookupCveGitHub(cveId) {
+  const advisories = await fetchGhAdvisories(cveId);
+  return parseGhAdvisories(advisories);
 }
-// src/intelligence/sources/ossf-scorecard.ts
-async function checkProject(project) {
-  const { scorecardApi } = getIntelligenceSourceConfig();
-  if (!scorecardApi) return false;
-  try {
-    const url = new URL(`${scorecardApi}/projects`);
-    url.searchParams.set("project", project);
-    const res = await fetch(url.toString(), {
-      headers: { Accept: "application/json" }
-    });
-    return res.ok;
-  } catch {
-    return false;
+// src/intelligence/sources/nvd.ts
+var NVD_BASE = "https://services.nvd.nist.gov/rest/json/cves/2.0";
+function buildNvdHeaders() {
+  const { apiKey } = getNvdConfig();
+  const headers = { Accept: "application/json" };
+  if (apiKey) {
+    headers.apiKey = apiKey;
   }
+  return headers;
 }
-async function enrichWithOssfScorecard(details) {
-  const projects = Array.from(
-    new Set(details.affectedPackages.map((p) => `github.com/${p.name}/${p.name}`))
-  ).slice(0, 10);
-  if (projects.length === 0) return details;
-  const checks = await Promise.all(projects.map((project) => checkProject(project)));
-  const matched = checks.filter(Boolean).length;
-  if (matched === 0) return details;
-  details.intelligence = {
-    ...details.intelligence ?? {},
-    scorecardProjects: matched
-  };
-  return details;
-}
-// src/intelligence/sources/external-feeds.ts
-async function probeFeed(url, cveId, token) {
+async function fetchNvdCvss(cveId) {
+  const url = `${NVD_BASE}?cveId=${encodeURIComponent(cveId)}`;
   try {
-    const feedUrl = new URL(url);
-    feedUrl.searchParams.set("cve", cveId);
-    const headers = { Accept: "application/json" };
-    if (token) headers.Authorization = `Bearer ${token}`;
-    const res = await fetch(feedUrl.toString(), { headers });
+    const res = await fetch(url, { headers: buildNvdHeaders() });
     if (!res.ok) return void 0;
-    return feedUrl.toString();
+    const data = await res.json();
+    const vuln = data.vulnerabilities?.[0];
+    if (!vuln) return void 0;
+    const metrics = vuln.cve.metrics;
+    const metric = metrics?.cvssMetricV31?.[0] ?? metrics?.cvssMetricV30?.[0] ?? metrics?.cvssMetricV2?.[0];
+    if (!metric) return void 0;
+    const score = metric.cvssData.baseScore;
+    const rawSeverity = metric.cvssData.baseSeverity.toUpperCase();
+    const severityMap = {
+      CRITICAL: "CRITICAL",
+      HIGH: "HIGH",
+      MEDIUM: "MEDIUM",
+      LOW: "LOW"
+    };
+    return {
+      score,
+      severity: severityMap[rawSeverity] ?? "UNKNOWN"
+    };
   } catch {
     return void 0;
   }
 }
-async function enrichWithExternalFeeds(details) {
-  const {
-    vendorAdvisoryFeeds,
-    commercialFeeds,
-    commercialFeedToken
-  } = getIntelligenceSourceConfig();
-  const vendorHits = (await Promise.all(vendorAdvisoryFeeds.map((url) => probeFeed(url, details.id)))).filter((v) => Boolean(v));
-  const commercialHits = (await Promise.all(
-    commercialFeeds.map((url) => probeFeed(url, details.id, commercialFeedToken))
-  )).filter((v) => Boolean(v));
-  if (vendorHits.length === 0 && commercialHits.length === 0) {
-    return details;
+async function enrichWithNvd(details) {
+  const cvss = await fetchNvdCvss(details.id);
+  if (cvss) {
+    details.cvssScore = cvss.score;
+    if (details.severity === "UNKNOWN") {
+      details.severity = cvss.severity;
+    }
   }
-  details.intelligence = {
-    ...details.intelligence ?? {},
-    vendorAdvisories: vendorHits.length > 0 ? vendorHits : details.intelligence?.vendorAdvisories,
-    commercialFeeds: commercialHits.length > 0 ? commercialHits : details.intelligence?.commercialFeeds
-  };
-  const mergedRefs = /* @__PURE__ */ new Set([...details.references, ...vendorHits, ...commercialHits]);
-  details.references = Array.from(mergedRefs);
   return details;
 }
-// src/remediation/tools/lookup-cve.ts
-var lookupCveTool = tool({
-  description: "Look up a CVE ID and return the list of affected npm packages, their vulnerable version ranges, and the first patched version. Always call this first.",
-  parameters: z.object({
-    cveId: z.string().regex(/^CVE-\d{4}-\d+$/i, "Must be a valid CVE ID like CVE-2021-23337")
-  }),
-  execute: async ({ cveId }) => {
-    const normalizedId = cveId.toUpperCase();
-    const [osvDetails, ghPackages] = await Promise.all([
-      lookupCveOsv(normalizedId),
-      lookupCveGitHub(normalizedId)
-    ]);
-    if (!osvDetails && ghPackages.length === 0) {
-      return {
-        success: false,
-        error: `CVE "${normalizedId}" was not found in OSV or GitHub Advisory databases. It may be too new, or not affect npm packages.`
-      };
-    }
-    let details = osvDetails ?? {
-      id: normalizedId,
-      summary: "Details sourced from GitHub Advisory Database.",
-      severity: "UNKNOWN",
-      references: [],
-      affectedPackages: []
-    };
-    if (ghPackages.length > 0) {
-      details = mergeGhDataIntoCveDetails(details, ghPackages);
-    }
-    const sourceHealth = {};
-    const applyEnricher = async (sourceName, enricher) => {
-      const before = JSON.stringify(details);
-      try {
-        details = await enricher(details);
-        const after = JSON.stringify(details);
-        sourceHealth[sourceName] = {
-          attempted: true,
-          changed: before !== after
-        };
-      } catch (error) {
-        sourceHealth[sourceName] = {
-          attempted: true,
-          changed: false,
-          error: error instanceof Error ? error.message : String(error)
-        };
-      }
-    };
-    await applyEnricher("nvd", enrichWithNvd);
-    await applyEnricher("cisa-kev", enrichWithCisaKev);
-    await applyEnricher("epss", enrichWithEpss);
-    await applyEnricher("cve-services", enrichWithCveServices);
-    await applyEnricher("gitlab-advisory", enrichWithGitLabAdvisory);
-    await applyEnricher("certcc", enrichWithCertCc);
-    await applyEnricher("deps-dev", enrichWithDepsDev);
-    await applyEnricher("ossf-scorecard", enrichWithOssfScorecard);
-    await applyEnricher("external-feeds", enrichWithExternalFeeds);
-    details.intelligence = {
-      ...details.intelligence ?? {},
-      sourceHealth
-    };
-    if (details.affectedPackages.length === 0) {
-      return {
-        success: false,
-        error: `CVE "${normalizedId}" was found but has no npm-specific affected packages listed. It may affect a different ecosystem.`
-      };
-    }
-    return { success: true, data: details };
-  }
-});
 // src/remediation/tools/check-inventory.ts
-import { tool as tool2 } from "ai";
-import { z as z2 } from "zod";
-import { readFileSync } from "fs";
-import { join as join2 } from "path";
-import { execa } from "execa";
-var checkInventoryTool = tool2({
+import { tool as tool4 } from "ai";
+import { z as z4 } from "zod";
+import { readFileSync as readFileSync5 } from "fs";
+import { join as join8 } from "path";
+import { execa as execa5 } from "execa";
+var checkInventoryTool = tool4({
   description: "Read the project's package.json and installed dependencies to list packages and exact versions. Must be called before checking version matches.",
-  parameters: z2.object({
-    cwd: z2.string().describe("Absolute path to the consumer project's root directory"),
-    packageManager: z2.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)")
+  parameters: z4.object({
+    cwd: z4.string().describe("Absolute path to the consumer project's root directory"),
+    packageManager: z4.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)")
   }),
   execute: async ({ cwd, packageManager }) => {
     let pkgJson;
     try {
-      pkgJson = JSON.parse(readFileSync(join2(cwd, "package.json"), "utf8"));
+      pkgJson = JSON.parse(readFileSync5(join8(cwd, "package.json"), "utf8"));
     } catch {
       return {
         packages: [],
@@ -734,7 +1272,7 @@ var checkInventoryTool = tool2({
     let installedVersions = /* @__PURE__ */ new Map();
     try {
       const [cmd, ...args] = commands.list;
-      const listResult = await execa(cmd, args, {
+      const listResult = await execa5(cmd, args, {
         cwd,
         stdio: "pipe",
         reject: false
@@ -761,66 +1299,12 @@ var checkInventoryTool = tool2({
         packages.push({ name, version: cleaned, type: "direct" });
       }
     }
-    return { packages };
-  }
-});
-// src/remediation/tools/check-version-match.ts
-import { tool as tool3 } from "ai";
-import { z as z3 } from "zod";
-import semver from "semver";
-var affectedPackageSchema = z3.object({
-  name: z3.string(),
-  ecosystem: z3.literal("npm"),
-  vulnerableRange: z3.string(),
-  firstPatchedVersion: z3.string().optional(),
-  source: z3.enum(["osv", "github-advisory"])
-});
-var inventoryPackageSchema = z3.object({
-  name: z3.string(),
-  version: z3.string(),
-  type: z3.enum(["direct", "indirect"])
-});
-var checkVersionMatchTool = tool3({
-  description: "Check which of the project's installed packages fall within the CVE's vulnerable version ranges. Returns only the packages that are actually vulnerable.",
-  parameters: z3.object({
-    installedPackages: z3.array(inventoryPackageSchema).describe("Output from the check-inventory tool"),
-    affectedPackages: z3.array(affectedPackageSchema).describe("affectedPackages array from the lookup-cve tool result")
-  }),
-  execute: async ({ installedPackages, affectedPackages }) => {
-    const vulnerable = [];
-    for (const affected of affectedPackages) {
-      const matches = installedPackages.filter(
-        (p) => p.name === affected.name
-      );
-      for (const installed of matches) {
-        if (!semver.valid(installed.version)) continue;
-        let isVulnerable = false;
-        try {
-          isVulnerable = semver.satisfies(installed.version, affected.vulnerableRange, {
-            includePrerelease: false
-          });
-        } catch {
-          continue;
-        }
-        if (isVulnerable) {
-          vulnerable.push({ installed, affected });
-        }
-      }
-    }
-    return {
-      vulnerablePackages: vulnerable,
-      checkedCount: installedPackages.length
-    };
+    return { packages };
   }
 });
-// src/remediation/tools/find-fixed-version.ts
-import { tool as tool4 } from "ai";
-import { z as z4 } from "zod";
 // src/intelligence/sources/registry.ts
-import semver2 from "semver";
+import semver3 from "semver";
 var NPM_REGISTRY = "https://registry.npmjs.org";
 async function fetchPackageVersions(packageName) {
   const url = `${NPM_REGISTRY}/${encodeURIComponent(packageName)}`;
@@ -836,322 +1320,218 @@ async function fetchPackageVersions(packageName) {
   const data = await res.json();
   return Object.keys(data.versions);
 }
-async function findSafeUpgradeVersion(packageName, installedVersion, firstPatchedVersion, vulnerableRange) {
+async function resolveSafeUpgradeVersion(packageName, installedVersion, firstPatchedVersion, vulnerableRange) {
   const versions = await fetchPackageVersions(packageName);
-  if (!versions.length) return void 0;
-  const installedMajor = semver2.major(installedVersion);
-  const candidates = versions.filter((v) => semver2.valid(v) && semver2.gte(v, firstPatchedVersion)).filter((v) => {
+  if (!versions.length) {
+    return {
+      candidates: {},
+      majorOnlyFixAvailable: false
+    };
+  }
+  const installed = semver3.parse(installedVersion);
+  const candidates = versions.filter((v) => semver3.valid(v) && semver3.gte(v, firstPatchedVersion)).filter((v) => {
     if (!vulnerableRange) return true;
     try {
-      return !semver2.satisfies(v, vulnerableRange, { includePrerelease: false });
+      return !semver3.satisfies(v, vulnerableRange, { includePrerelease: false });
     } catch {
       return true;
     }
-  }).sort(semver2.compare);
-  if (!candidates.length) return void 0;
-  const sameMajor = candidates.find(
-    (v) => semver2.major(v) === installedMajor
-  );
-  if (sameMajor) return sameMajor;
-  return candidates[0];
-}
-// src/remediation/tools/find-fixed-version.ts
-var findFixedVersionTool = tool4({
-  description: "Query the npm registry to find the lowest published version of a package that is >= the first patched version. Prefer same-major upgrades. Returns undefined if no safe version exists.",
-  parameters: z4.object({
-    packageName: z4.string().describe("The npm package name"),
-    installedVersion: z4.string().describe("The currently installed version (exact semver)"),
-    firstPatchedVersion: z4.string().describe(
-      "The first version that is NOT vulnerable (from lookup-cve). Use this as the floor."
-    ),
-    vulnerableRange: z4.string().optional().describe("Optional vulnerable semver range used to exclude still-vulnerable versions")
-  }),
-  execute: async ({
-    packageName,
-    installedVersion,
-    firstPatchedVersion,
-    vulnerableRange
-  }) => {
-    const safeVersion = await findSafeUpgradeVersion(
-      packageName,
-      installedVersion,
-      firstPatchedVersion,
-      vulnerableRange
-    );
-    if (!safeVersion) {
-      return {
-        isMajorBump: false,
-        message: `No safe upgrade version found for "${packageName}". The patch-file path will be needed.`
-      };
-    }
-    const installedMajor = parseInt(installedVersion.split(".")[0] ?? "0", 10);
-    const safeMajor = parseInt(safeVersion.split(".")[0] ?? "0", 10);
-    const isMajorBump = safeMajor > installedMajor;
+  }).sort(semver3.compare);
+  if (!candidates.length) {
     return {
-      safeVersion,
-      isMajorBump,
-      message: isMajorBump ? `Found safe version ${safeVersion} for "${packageName}", but it is a major bump from ${installedVersion}. Applying anyway \u2014 consumer should review for breaking changes.` : `Found safe version ${safeVersion} for "${packageName}" (from ${installedVersion}).`
+      candidates: {},
+      majorOnlyFixAvailable: false
     };
   }
-});
-// src/remediation/tools/apply-version-bump.ts
-import { tool as tool5 } from "ai";
-import { z as z5 } from "zod";
-import { join as join5 } from "path";
-import { readFileSync as readFileSync3, writeFileSync } from "fs";
-import { execa as execa2 } from "execa";
-import semver3 from "semver";
-// src/platform/policy.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
-import { join as join3 } from "path";
-var DEFAULT_POLICY = {
-  allowMajorBumps: false,
-  denyPackages: [],
-  allowPackages: [],
-  constraints: {
-    directDependenciesOnly: false,
-    preferVersionBump: false
+  const categorizedCandidates = {};
+  for (const candidate of candidates) {
+    const level = classifyUpgradeLevel(installedVersion, candidate);
+    if (!level) continue;
+    if (!categorizedCandidates[level]) {
+      categorizedCandidates[level] = candidate;
+    }
   }
-};
-function loadPolicy(cwd, explicitPath) {
-  const candidate = explicitPath ?? join3(cwd, ".autoremediator.json");
-  if (!existsSync2(candidate)) return DEFAULT_POLICY;
-  try {
-    const parsed = JSON.parse(readFileSync2(candidate, "utf8"));
+  const safeVersion = categorizedCandidates.patch ?? categorizedCandidates.minor ?? categorizedCandidates.major;
+  if (!safeVersion) {
     return {
-      allowMajorBumps: parsed.allowMajorBumps ?? DEFAULT_POLICY.allowMajorBumps,
-      denyPackages: parsed.denyPackages ?? DEFAULT_POLICY.denyPackages,
-      allowPackages: parsed.allowPackages ?? DEFAULT_POLICY.allowPackages,
-      constraints: {
-        directDependenciesOnly: parsed.constraints?.directDependenciesOnly ?? DEFAULT_POLICY.constraints?.directDependenciesOnly ?? false,
-        preferVersionBump: parsed.constraints?.preferVersionBump ?? DEFAULT_POLICY.constraints?.preferVersionBump ?? false
-      }
+      candidates: categorizedCandidates,
+      majorOnlyFixAvailable: false
     };
-  } catch {
-    return DEFAULT_POLICY;
-  }
-}
-function isPackageAllowed(policy, packageName) {
-  if (policy.denyPackages.includes(packageName)) return false;
-  if (policy.allowPackages.length > 0 && !policy.allowPackages.includes(packageName)) {
-    return false;
   }
-  return true;
-}
-// src/platform/repo-lock.ts
-import { mkdir, rm } from "fs/promises";
-import { join as join4 } from "path";
-async function sleep(ms) {
-  await new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function acquireRepoLock(cwd, options = {}) {
-  const timeoutMs = options.timeoutMs ?? 15e3;
-  const retryDelayMs = options.retryDelayMs ?? 125;
-  const lockRoot = join4(cwd, ".autoremediator", "locks");
-  const lockPath = join4(cwd, ".autoremediator", "locks", "remediation.lock");
-  const startedAt = Date.now();
-  await mkdir(lockRoot, { recursive: true });
-  while (true) {
-    try {
-      await mkdir(lockPath, { recursive: false });
-      return {
-        lockPath,
-        release: async () => {
-          await rm(lockPath, { recursive: true, force: true });
-        }
-      };
-    } catch {
-      if (Date.now() - startedAt > timeoutMs) {
-        throw new Error(`Timed out waiting for repository lock at ${lockPath}.`);
-      }
-      await sleep(retryDelayMs);
-    }
+  const upgradeLevel = classifyUpgradeLevel(installedVersion, safeVersion);
+  const majorOnlyFixAvailable = !categorizedCandidates.patch && !categorizedCandidates.minor && Boolean(categorizedCandidates.major);
+  if (!installed || !upgradeLevel) {
+    return {
+      safeVersion,
+      upgradeLevel,
+      candidates: categorizedCandidates,
+      majorOnlyFixAvailable
+    };
   }
+  return {
+    safeVersion,
+    upgradeLevel,
+    candidates: categorizedCandidates,
+    majorOnlyFixAvailable
+  };
 }
-async function withRepoLock(cwd, fn, options) {
-  const lock = await acquireRepoLock(cwd, options);
-  try {
-    return await fn();
-  } finally {
-    await lock.release();
+function classifyUpgradeLevel(installedVersion, candidateVersion) {
+  const installed = semver3.parse(installedVersion);
+  const candidate = semver3.parse(candidateVersion);
+  if (!installed || !candidate) return void 0;
+  if (candidate.major > installed.major) return "major";
+  if (candidate.minor > installed.minor) return "minor";
+  if (candidate.patch > installed.patch || candidate.version === installed.version) {
+    return "patch";
   }
+  return void 0;
 }
-// src/remediation/tools/apply-version-bump.ts
-var applyVersionBumpTool = tool5({
-  description: "Update package.json to use the safe version of a vulnerable package and run the project's package manager install. In dry-run mode, only reports what would change.",
-  parameters: z5.object({
-    cwd: z5.string().describe("Absolute path to the consumer project root"),
-    packageManager: z5.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
-    packageName: z5.string().describe("The npm package to upgrade"),
-    fromVersion: z5.string().describe("The currently installed vulnerable version"),
-    toVersion: z5.string().describe("The safe target version to upgrade to"),
-    dryRun: z5.boolean().default(false).describe("If true, report changes but do not write"),
-    policy: z5.string().optional().describe("Optional path to .autoremediator policy file"),
-    runTests: z5.boolean().default(false).describe("If true, run test validation after applying the fix")
-  }),
-  execute: async ({
-    cwd,
-    packageManager,
-    packageName,
-    fromVersion,
-    toVersion,
-    dryRun,
-    policy,
-    runTests
-  }) => {
-    const pm = packageManager ?? detectPackageManager(cwd);
-    const commands = getPackageManagerCommands(pm);
-    const pkgPath = join5(cwd, "package.json");
-    const loadedPolicy = loadPolicy(cwd, policy);
-    if (!isPackageAllowed(loadedPolicy, packageName)) {
+// src/remediation/local/primary-strategy.ts
+async function resolvePrimaryResult(params) {
+  const { vulnerable, cwd, packageManager, dryRun, policy, runTests, constraints } = params;
+  const pkg = vulnerable.installed;
+  const firstPatchedVersion = vulnerable.affected.firstPatchedVersion;
+  if (pkg.type === "indirect") {
+    if (constraints.directDependenciesOnly) {
       return {
-        packageName,
-        strategy: "none",
-        fromVersion,
-        toVersion,
-        applied: false,
-        dryRun,
-        message: `Policy blocked changes for package "${packageName}".`
+        steps: 0,
+        result: {
+          packageName: pkg.name,
+          strategy: "none",
+          fromVersion: pkg.version,
+          applied: false,
+          dryRun,
+          unresolvedReason: "constraint-blocked",
+          message: `Constraint blocked remediation for indirect dependency "${pkg.name}".`
+        }
       };
     }
-    const isMajorBump = semver3.valid(fromVersion) && semver3.valid(toVersion) && semver3.major(toVersion) > semver3.major(fromVersion);
-    if (isMajorBump && !loadedPolicy.allowMajorBumps) {
+    if (constraints.preferVersionBump) {
       return {
-        packageName,
-        strategy: "none",
-        fromVersion,
-        toVersion,
-        applied: false,
-        dryRun,
-        message: `Policy blocked major bump for "${packageName}" (${fromVersion} -> ${toVersion}).`
+        steps: 0,
+        result: {
+          packageName: pkg.name,
+          strategy: "none",
+          fromVersion: pkg.version,
+          applied: false,
+          dryRun,
+          unresolvedReason: "constraint-blocked",
+          message: `Constraint prefers version-bump and rejected override remediation for "${pkg.name}".`
+        }
       };
     }
-    let pkgJson;
-    try {
-      pkgJson = JSON.parse(readFileSync3(pkgPath, "utf8"));
-    } catch {
+    if (!firstPatchedVersion) {
       return {
-        packageName,
-        strategy: "none",
-        fromVersion,
-        applied: false,
-        dryRun,
-        message: `Could not read package.json at "${pkgPath}".`
+        steps: 0,
+        result: {
+          packageName: pkg.name,
+          strategy: "none",
+          fromVersion: pkg.version,
+          applied: false,
+          dryRun,
+          unresolvedReason: "no-safe-version",
+          message: `No firstPatchedVersion available for ${pkg.name}; cannot resolve deterministic override in local mode.`
+        }
       };
     }
-    const depField = ["dependencies", "devDependencies", "peerDependencies"].find(
-      (f) => pkgJson[f]?.[packageName] !== void 0
+    const safeUpgrade2 = await resolveSafeUpgradeVersion(
+      pkg.name,
+      pkg.version,
+      firstPatchedVersion,
+      vulnerable.affected.vulnerableRange
     );
-    if (!depField) {
-      return {
-        packageName,
-        strategy: "none",
-        fromVersion,
-        applied: false,
-        dryRun,
-        message: `"${packageName}" was not found in package.json dependencies (it may be a transitive dep). Cannot auto-bump.`
-      };
-    }
-    const currentRange = pkgJson[depField][packageName];
-    const prefixMatch = currentRange.match(/^([~^]?)/);
-    const prefix = prefixMatch?.[1] ?? "";
-    const newRange = `${prefix}${toVersion}`;
-    if (dryRun) {
-      const installCmd = commands.installPreferOffline.join(" ");
-      const testCmd = commands.test.join(" ");
+    if (!safeUpgrade2.safeVersion) {
       return {
-        packageName,
-        strategy: "version-bump",
-        fromVersion,
-        toVersion,
-        applied: false,
-        dryRun: true,
-        message: `[DRY RUN] Would update ${depField}.${packageName}: "${currentRange}" -> "${newRange}", then run ${installCmd}${runTests ? ` and ${testCmd}` : ""}.`
-      };
-    }
-    return withRepoLock(cwd, async () => {
-      pkgJson[depField][packageName] = newRange;
-      writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
-      try {
-        const [installCmd, ...installArgs] = commands.installPreferOffline;
-        await execa2(installCmd, installArgs, {
-          cwd,
-          stdio: "pipe"
-        });
-      } catch (err) {
-        pkgJson[depField][packageName] = currentRange;
-        writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
-        const message = err instanceof Error ? err.message : String(err);
-        return {
-          packageName,
-          strategy: "version-bump",
-          fromVersion,
-          toVersion,
+        steps: 1,
+        result: {
+          packageName: pkg.name,
+          strategy: "none",
+          fromVersion: pkg.version,
           applied: false,
-          dryRun: false,
-          message: `${commands.installPreferOffline.join(" ")} failed after updating "${packageName}" to ${toVersion}. Reverted. Error: ${message}`
-        };
-      }
-      if (runTests) {
-        try {
-          const [testCmd, ...testArgs] = commands.test;
-          await execa2(testCmd, testArgs, {
-            cwd,
-            stdio: "pipe"
-          });
-        } catch (err) {
-          pkgJson[depField][packageName] = currentRange;
-          writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
-          try {
-            const [rollbackCmd, ...rollbackArgs] = commands.installPreferOffline;
-            await execa2(rollbackCmd, rollbackArgs, {
-              cwd,
-              stdio: "pipe"
-            });
-          } catch {
-          }
-          const message = err instanceof Error ? err.message : String(err);
-          return {
-            packageName,
-            strategy: "version-bump",
-            fromVersion,
-            toVersion,
-            applied: false,
-            dryRun: false,
-            message: `${commands.test.join(" ")} failed after upgrading "${packageName}" to ${toVersion}. Rolled back to ${currentRange}. Error: ${message}`
-          };
+          dryRun,
+          unresolvedReason: "no-safe-version",
+          message: `No safe override version found for ${pkg.name}.`
         }
-      }
-      return {
-        packageName,
-        strategy: "version-bump",
-        fromVersion,
-        toVersion,
-        applied: true,
-        dryRun: false,
-        message: `Successfully upgraded "${packageName}" from ${fromVersion} to ${toVersion}, ran ${commands.installPreferOffline.join(" ")}${runTests ? `, and passed ${commands.test.join(" ")}` : ""}.`
       };
+    }
+    const overrideResult = await applyPackageOverrideTool.execute({
+      cwd,
+      packageManager,
+      packageName: pkg.name,
+      fromVersion: pkg.version,
+      toVersion: safeUpgrade2.safeVersion,
+      dryRun,
+      policy,
+      runTests
     });
+    return {
+      steps: 2,
+      result: overrideResult
+    };
   }
-});
+  if (!firstPatchedVersion) {
+    return {
+      steps: 0,
+      result: {
+        packageName: pkg.name,
+        strategy: "none",
+        fromVersion: pkg.version,
+        applied: false,
+        dryRun,
+        unresolvedReason: "no-safe-version",
+        message: `No firstPatchedVersion available for ${pkg.name}; cannot resolve deterministic upgrade in local mode.`
+      }
+    };
+  }
+  const safeUpgrade = await resolveSafeUpgradeVersion(
+    pkg.name,
+    pkg.version,
+    firstPatchedVersion,
+    vulnerable.affected.vulnerableRange
+  );
+  if (!safeUpgrade.safeVersion) {
+    return {
+      steps: 1,
+      result: {
+        packageName: pkg.name,
+        strategy: "none",
+        fromVersion: pkg.version,
+        applied: false,
+        dryRun,
+        unresolvedReason: "no-safe-version",
+        message: `No safe upgrade version found for ${pkg.name}.`
+      }
+    };
+  }
+  const applyResult = await applyVersionBumpTool.execute({
+    cwd,
+    packageManager,
+    packageName: pkg.name,
+    fromVersion: pkg.version,
+    toVersion: safeUpgrade.safeVersion,
+    dryRun,
+    policy,
+    runTests
+  });
+  return {
+    steps: 2,
+    result: applyResult
+  };
+}
 // src/remediation/tools/fetch-package-source.ts
-import { tool as tool6 } from "ai";
-import { z as z6 } from "zod";
-import { mkdir as mkdir2, readdir, readFile, rm as rm2 } from "fs/promises";
-import { join as join6 } from "path";
-import { execa as execa3 } from "execa";
-var fetchPackageSourceTool = tool6({
+import { tool as tool5 } from "ai";
+import { z as z5 } from "zod";
+import { mkdir as mkdir3, readdir, readFile as readFile2, rm as rm3 } from "fs/promises";
+import { join as join9 } from "path";
+import { execa as execa6 } from "execa";
+var fetchPackageSourceTool = tool5({
   description: "Download package tarball from npm and extract source files for CVE analysis. Supports custom file patterns (default: *.js, *.ts).",
-  parameters: z6.object({
-    packageName: z6.string().min(1).describe("The npm package name (e.g., 'lodash', '@scope/package')"),
-    version: z6.string().regex(/^\d+\.\d+\.\d+/, "Must be a valid semver version").describe("Exact package version to download"),
-    filePatterns: z6.array(z6.string()).optional().default(["*.js", "*.ts"]).describe(
+  parameters: z5.object({
+    packageName: z5.string().min(1).describe("The npm package name (e.g., 'lodash', '@scope/package')"),
+    version: z5.string().regex(/^\d+\.\d+\.\d+/, "Must be a valid semver version").describe("Exact package version to download"),
+    filePatterns: z5.array(z5.string()).optional().default(["*.js", "*.ts"]).describe(
       "File patterns to extract (glob patterns, default: *.js, *.ts)"
     )
   }),
@@ -1161,23 +1541,23 @@ var fetchPackageSourceTool = tool6({
     filePatterns
   }) => {
     const tempBaseDir = `/tmp/autoremediator-pkg-${Date.now()}`;
-    const extractDir = join6(tempBaseDir, "out");
+    const extractDir = join9(tempBaseDir, "out");
     try {
       const npmUrl = `https://registry.npmjs.org/${packageName}/-/${packageName.split("/").pop()}-${version}.tgz`;
-      await mkdir2(tempBaseDir, { recursive: true });
-      const tarballPath = join6(tempBaseDir, "package.tgz");
-      await execa3("curl", ["-L", "-o", tarballPath, npmUrl]);
-      await mkdir2(extractDir, { recursive: true });
-      await execa3("tar", ["-xzf", tarballPath, "-C", extractDir]);
+      await mkdir3(tempBaseDir, { recursive: true });
+      const tarballPath = join9(tempBaseDir, "package.tgz");
+      await execa6("curl", ["-L", "-o", tarballPath, npmUrl]);
+      await mkdir3(extractDir, { recursive: true });
+      await execa6("tar", ["-xzf", tarballPath, "-C", extractDir]);
       const extractedContents = await readdir(extractDir);
-      const packageRootDir = extractedContents.includes("package") ? join6(extractDir, "package") : extractDir;
+      const packageRootDir = extractedContents.includes("package") ? join9(extractDir, "package") : extractDir;
       const sourceCode = {};
       async function walkDir(dir, relativeBase) {
         try {
           const files = await readdir(dir, { withFileTypes: true });
           for (const file of files) {
-            const fullPath = join6(dir, file.name);
-            const relPath = join6(relativeBase, file.name);
+            const fullPath = join9(dir, file.name);
+            const relPath = join9(relativeBase, file.name);
             if (file.isDirectory()) {
               if (![
                 "node_modules",
@@ -1199,7 +1579,7 @@ var fetchPackageSourceTool = tool6({
               });
               if (matches) {
                 try {
-                  const content = await readFile(fullPath, "utf8");
+                  const content = await readFile2(fullPath, "utf8");
                   sourceCode[relPath] = content;
                 } catch {
                 }
@@ -1234,14 +1614,14 @@ var fetchPackageSourceTool = tool6({
         error: `Failed to fetch and extract package ${packageName}@${version}: ${message}`
       };
     } finally {
-      await rm2(tempBaseDir, { recursive: true, force: true });
+      await rm3(tempBaseDir, { recursive: true, force: true });
     }
   }
 });
 // src/remediation/tools/generate-patch.ts
-import { tool as tool7 } from "ai";
-import { z as z7 } from "zod";
+import { tool as tool6 } from "ai";
+import { z as z6 } from "zod";
 import { generateText } from "ai";
 var VULNERABILITY_DESCRIPTIONS = {
   redos: "Regular Expression Denial of Service (ReDoS): The vulnerability is caused by poorly constructed regular expressions that cause excessive backtracking when processing certain inputs. The fix should optimize the regex to avoid catastrophic backtracking or replace it with a safer alternative.",
@@ -1249,18 +1629,18 @@ var VULNERABILITY_DESCRIPTIONS = {
   "path-traversal": "Path Traversal: The vulnerability allows access to files outside intended directories through path traversal sequences (../, etc.). The fix must validate and normalize file paths, use path.resolve() and path.relative() checks.",
   unknown: "Unknown vulnerability type: Analyze the CVE summary carefully and implement the most appropriate fix for the security issue described."
 };
-var generatePatchTool = tool7({
+var generatePatchTool = tool6({
   description: "Generate a unified diff patch for a CVE using LLM analysis of vulnerable source code.",
-  parameters: z7.object({
-    packageName: z7.string().min(1).describe("The npm package name"),
-    vulnerableVersion: z7.string().describe("The vulnerable version string"),
-    cveId: z7.string().regex(/^CVE-\d{4}-\d+$/i).describe("CVE ID (e.g., CVE-2021-23337)"),
-    cveSummary: z7.string().min(10).describe("CVE description and impact"),
-    sourceFiles: z7.record(z7.string()).describe(
+  parameters: z6.object({
+    packageName: z6.string().min(1).describe("The npm package name"),
+    vulnerableVersion: z6.string().describe("The vulnerable version string"),
+    cveId: z6.string().regex(/^CVE-\d{4}-\d+$/i).describe("CVE ID (e.g., CVE-2021-23337)"),
+    cveSummary: z6.string().min(10).describe("CVE description and impact"),
+    sourceFiles: z6.record(z6.string()).describe(
       "Map of file paths to source code contents from fetch-package-source"
     ),
-    vulnerabilityCategory: z7.enum(["redos", "code-injection", "path-traversal", "unknown"]).optional().default("unknown").describe("Category of the vulnerability for better context"),
-    dryRun: z7.boolean().optional().default(false).describe("If true, return analysis without generating patches")
+    vulnerabilityCategory: z6.enum(["redos", "code-injection", "path-traversal", "unknown"]).optional().default("unknown").describe("Category of the vulnerability for better context"),
+    dryRun: z6.boolean().optional().default(false).describe("If true, return analysis without generating patches")
   }),
   execute: async ({
     packageName,
@@ -1446,589 +1826,730 @@ function generateUnifiedDiff(original, fixed, filePath) {
   return diff.join("\n");
 }
-// src/remediation/tools/apply-patch-file.ts
-import { tool as tool8 } from "ai";
-import { z as z8 } from "zod";
-import { existsSync as existsSync3 } from "fs";
-import { mkdir as mkdir3, mkdtemp, readFile as readFile2, rm as rm3, writeFile } from "fs/promises";
-import { tmpdir } from "os";
-import { join as join7 } from "path";
-import { execa as execa4 } from "execa";
-var applyPatchFileTool = tool8({
-  description: "Write generated patch file and apply it using package-manager-native patch flow when available, falling back to patch-package when needed.",
-  parameters: z8.object({
-    packageName: z8.string().min(1).describe("The npm package name"),
-    vulnerableVersion: z8.string().describe("The vulnerable version string"),
-    patchContent: z8.string().min(10).optional().describe("Unified diff patch content from generate-patch"),
-    patches: z8.array(
-      z8.object({
-        filePath: z8.string().min(1),
-        unifiedDiff: z8.string().min(10)
-      })
-    ).optional().describe("Patch list from generate-patch; first patch is applied"),
-    patchesDir: z8.string().optional().default("./patches").describe("Directory to store patch files"),
-    cwd: z8.string().describe("Project root directory (for package.json)"),
-    packageManager: z8.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
-    validateWithTests: z8.boolean().optional().default(true).describe("Run package manager test command to validate patch doesn't break anything"),
-    dryRun: z8.boolean().optional().default(false).describe("If true, report but do not mutate files")
-  }).refine((value) => Boolean(value.patchContent || value.patches && value.patches.length > 0), {
-    message: "Either patchContent or patches must be provided"
-  }),
-  execute: async ({
-    packageName,
-    vulnerableVersion,
-    patchContent,
-    patches,
-    patchesDir,
-    cwd,
-    packageManager,
-    validateWithTests,
-    dryRun
-  }) => {
-    try {
-      const pm = packageManager ?? detectPackageManager(cwd);
-      const selectedPatch = patchContent ?? patches?.[0]?.unifiedDiff;
-      if (!selectedPatch) {
-        return {
-          success: false,
-          packageName,
-          vulnerableVersion,
-          applied: false,
-          dryRun,
-          message: "No patch content provided.",
-          error: "No patch content provided."
-        };
+// src/remediation/local/fallback.ts
+function shouldAttemptPatchFallback(result, preferVersionBump) {
+  if (preferVersionBump) return false;
+  if (result.applied || result.dryRun) return false;
+  return result.unresolvedReason === "no-safe-version" || result.unresolvedReason === "install-failed" || result.unresolvedReason === "override-apply-failed" || result.unresolvedReason === "validation-failed" || result.unresolvedReason === "major-bump-required" || result.unresolvedReason === "indirect-dependency";
+}
+async function tryLocalPatchFallback(params) {
+  let steps = 0;
+  const sourceResult = await fetchPackageSourceTool.execute({
+    packageName: params.packageName,
+    version: params.vulnerableVersion
+  });
+  steps += 1;
+  if (!sourceResult?.success || !sourceResult.sourceFiles) {
+    return {
+      steps,
+      result: {
+        packageName: params.packageName,
+        strategy: "none",
+        fromVersion: params.vulnerableVersion,
+        applied: false,
+        dryRun: params.dryRun,
+        unresolvedReason: "source-fetch-failed",
+        message: sourceResult?.error ?? `Failed to fetch source for ${params.packageName}@${params.vulnerableVersion}.`
       }
-      const patchFileName = buildPatchFileName(packageName, vulnerableVersion);
-      const patchFilePath = join7(cwd, patchesDir, patchFileName);
-      if (dryRun) {
-        return {
-          success: true,
-          packageName,
-          vulnerableVersion,
-          applied: false,
-          dryRun: true,
-          message: `[DRY RUN] Would write and configure patch at ${patchFilePath}.`,
-          patchFilePath,
-          patchPath: patchFilePath
-        };
+    };
+  }
+  const patchResult = await generatePatchTool.execute({
+    packageName: params.packageName,
+    vulnerableVersion: params.vulnerableVersion,
+    cveId: params.cveId,
+    cveSummary: params.cveSummary,
+    sourceFiles: sourceResult.sourceFiles,
+    vulnerabilityCategory: "unknown",
+    dryRun: params.dryRun
+  });
+  steps += 1;
+  if (!patchResult?.success) {
+    const error = patchResult?.error ?? "Patch generation failed.";
+    const unresolvedReason = error.includes("API_KEY") || error.includes("does not create a language model") ? "requires-llm-fallback" : "patch-generation-failed";
+    return {
+      steps,
+      result: {
+        packageName: params.packageName,
+        strategy: "none",
+        fromVersion: params.vulnerableVersion,
+        applied: false,
+        dryRun: params.dryRun,
+        unresolvedReason,
+        message: error
       }
-      return withRepoLock(cwd, async () => {
-        const patchesDirPath = join7(cwd, patchesDir);
-        await mkdir3(patchesDirPath, { recursive: true });
-        await writeFile(patchFilePath, selectedPatch, "utf8");
-        let validationResult;
-        const patchMode = await resolvePatchMode(pm, cwd);
-        const applyResult = patchMode === "patch-package" ? await configurePatchPackagePostinstall(cwd, pm) : await applyNativePatch({
-          cwd,
-          packageName,
-          vulnerableVersion,
-          patchContent: selectedPatch,
-          patchMode
-        });
-        if (!applyResult.success) {
-          return {
-            success: false,
-            packageName,
-            vulnerableVersion,
-            applied: false,
-            dryRun: false,
-            message: applyResult.error,
-            patchFilePath,
-            patchPath: patchFilePath,
-            patchMode,
-            postinstallConfigured: patchMode === "patch-package" ? false : void 0,
-            error: applyResult.error
-          };
-        }
-        if (validateWithTests) {
-          validationResult = await validatePatchWithTests(cwd, pm);
-          if (!validationResult.passed) {
-            const validationError = "Patch validation failed after apply; patch marked unresolved.";
-            return {
-              success: false,
-              packageName,
-              vulnerableVersion,
-              applied: false,
-              dryRun: false,
-              message: validationError,
-              patchFilePath,
-              patchPath: patchFilePath,
-              patchMode,
-              postinstallConfigured: patchMode === "patch-package",
-              validation: validationResult,
-              error: validationError
-            };
-          }
-        }
-        return {
-          success: true,
-          packageName,
-          vulnerableVersion,
-          applied: true,
-          dryRun: false,
-          message: `Patch applied successfully for ${packageName}@${vulnerableVersion}.`,
-          patchFilePath,
-          patchPath: patchFilePath,
-          patchMode,
-          postinstallConfigured: patchMode === "patch-package",
-          validation: validationResult
-        };
-      });
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      return {
-        success: false,
-        packageName,
-        vulnerableVersion,
+    };
+  }
+  if (typeof patchResult.confidence === "number" && patchResult.confidence < 0.7) {
+    return {
+      steps,
+      result: {
+        packageName: params.packageName,
+        strategy: "none",
+        fromVersion: params.vulnerableVersion,
         applied: false,
+        dryRun: params.dryRun,
+        unresolvedReason: "patch-confidence-too-low",
+        message: `Patch confidence ${patchResult.confidence.toFixed(2)} is below threshold 0.70.`
+      }
+    };
+  }
+  const applyResult = await applyPatchFileTool.execute({
+    packageName: params.packageName,
+    vulnerableVersion: params.vulnerableVersion,
+    patchContent: patchResult.patchContent,
+    patches: patchResult.patches,
+    patchesDir: params.patchesDir,
+    cwd: params.cwd,
+    packageManager: params.packageManager,
+    validateWithTests: params.runTests,
+    dryRun: params.dryRun
+  });
+  steps += 1;
+  return {
+    steps,
+    result: {
+      packageName: params.packageName,
+      strategy: "patch-file",
+      fromVersion: params.vulnerableVersion,
+      patchFilePath: applyResult.patchFilePath ?? applyResult.patchPath,
+      applied: Boolean(applyResult.applied),
+      dryRun: Boolean(applyResult.dryRun),
+      unresolvedReason: !Boolean(applyResult.applied) && !Boolean(applyResult.dryRun) ? applyResult.validation?.passed === false ? "patch-validation-failed" : "patch-apply-failed" : void 0,
+      message: applyResult.message ?? applyResult.error ?? "Patch-file strategy finished.",
+      validation: typeof applyResult.validation?.passed === "boolean" ? {
+        passed: applyResult.validation.passed,
+        error: applyResult.validation.error
+      } : void 0
+    }
+  };
+}
+// src/remediation/local/run.ts
+async function runLocalRemediationPipeline(cveId, options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const packageManager = options.packageManager ?? detectPackageManager(cwd);
+  const preview = options.preview ?? false;
+  const dryRun = (options.dryRun ?? false) || preview;
+  const runTests = options.runTests ?? false;
+  const policy = options.policy ?? "";
+  const patchesDir = options.patchesDir || "./patches";
+  const constraints = options.constraints ?? {};
+  const collectedResults = [];
+  const vulnerablePackages = [];
+  let cveDetails = null;
+  let agentSteps = 0;
+  const normalizedId = cveId.toUpperCase();
+  const [osvDetails, ghPackages] = await Promise.all([
+    lookupCveOsv(normalizedId),
+    lookupCveGitHub(normalizedId).catch(() => [])
+  ]);
+  agentSteps += 2;
+  if (!osvDetails && ghPackages.length === 0) {
+    return {
+      cveId,
+      cveDetails: null,
+      vulnerablePackages,
+      results: collectedResults,
+      agentSteps,
+      summary: `Local mode failed at lookup-cve: ${normalizedId} not found in OSV or GitHub advisory data.`,
+      correlation: {
+        requestId: options.requestId,
+        sessionId: options.sessionId,
+        parentRunId: options.parentRunId
+      }
+    };
+  }
+  cveDetails = osvDetails ?? {
+    id: normalizedId,
+    summary: "Details sourced from GitHub Advisory Database.",
+    severity: "UNKNOWN",
+    references: [],
+    affectedPackages: []
+  };
+  if (ghPackages.length > 0) {
+    cveDetails = mergeGhDataIntoCveDetails(cveDetails, ghPackages);
+  }
+  cveDetails = await enrichWithNvd(cveDetails);
+  if (cveDetails.affectedPackages.length === 0) {
+    return {
+      cveId,
+      cveDetails,
+      vulnerablePackages,
+      results: collectedResults,
+      agentSteps,
+      summary: `Local mode lookup succeeded but no npm affected packages were found for ${normalizedId}.`,
+      correlation: {
+        requestId: options.requestId,
+        sessionId: options.sessionId,
+        parentRunId: options.parentRunId
+      }
+    };
+  }
+  const inventory = await checkInventoryTool.execute({ cwd, packageManager });
+  agentSteps += 1;
+  if (inventory?.error) {
+    return {
+      cveId,
+      cveDetails,
+      vulnerablePackages,
+      results: collectedResults,
+      agentSteps,
+      summary: `Local mode failed at check-inventory: ${inventory.error}`,
+      correlation: {
+        requestId: options.requestId,
+        sessionId: options.sessionId,
+        parentRunId: options.parentRunId
+      }
+    };
+  }
+  const installedPackages = inventory.packages ?? [];
+  for (const affected of cveDetails.affectedPackages) {
+    if (!affected || typeof affected !== "object") continue;
+    if (!affected.name || !affected.vulnerableRange) continue;
+    if (affected.ecosystem !== "npm") continue;
+    const matches = installedPackages.filter((pkg) => pkg.name === affected.name);
+    for (const installed of matches) {
+      if (!semver4.valid(installed.version)) continue;
+      let isVulnerable = false;
+      try {
+        isVulnerable = semver4.satisfies(installed.version, affected.vulnerableRange, {
+          includePrerelease: false
+        });
+      } catch {
+        continue;
+      }
+      if (isVulnerable) {
+        vulnerablePackages.push({ installed, affected });
+      }
+    }
+  }
+  agentSteps += 1;
+  for (const vulnerable of vulnerablePackages) {
+    const primary = await resolvePrimaryResult({
+      vulnerable,
+      cwd,
+      packageManager,
+      dryRun,
+      policy,
+      runTests,
+      constraints
+    });
+    agentSteps += primary.steps;
+    if (shouldAttemptPatchFallback(primary.result, constraints.preferVersionBump ?? false)) {
+      const fallback = await tryLocalPatchFallback({
+        cwd,
+        packageManager,
+        packageName: vulnerable.installed.name,
+        vulnerableVersion: vulnerable.installed.version,
+        cveId: normalizedId,
+        cveSummary: cveDetails?.summary ?? normalizedId,
         dryRun,
-        message: `Failed to apply patch file: ${message}`,
-        error: `Failed to apply patch file: ${message}`
-      };
+        runTests,
+        patchesDir
+      });
+      agentSteps += fallback.steps;
+      collectedResults.push(fallback.result);
+      continue;
     }
+    collectedResults.push(primary.result);
   }
-});
-async function resolvePatchMode(packageManager, cwd) {
-  if (packageManager === "npm") return "patch-package";
-  if (packageManager === "pnpm") return "native-pnpm";
+  const appliedCount = collectedResults.filter((result) => result.applied).length;
+  const unresolvedCount = collectedResults.filter((result) => !result.applied && !result.dryRun).length;
+  const dryRunCount = collectedResults.filter((result) => result.dryRun).length;
+  return {
+    cveId,
+    cveDetails,
+    vulnerablePackages,
+    results: collectedResults,
+    agentSteps,
+    summary: `Local mode completed: vulnerable=${vulnerablePackages.length}, applied=${appliedCount}, dryRun=${dryRunCount}, unresolved=${unresolvedCount}`,
+    correlation: {
+      requestId: options.requestId,
+      sessionId: options.sessionId,
+      parentRunId: options.parentRunId
+    }
+  };
+}
+// src/remediation/tools/lookup-cve.ts
+import { tool as tool7 } from "ai";
+import { z as z7 } from "zod";
+// src/intelligence/sources/cisa-kev.ts
+var CISA_KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json";
+async function fetchCisaKevFeed() {
   try {
-    const result = await execa4("yarn", ["--version"], {
-      cwd,
-      stdio: "pipe"
+    const res = await fetch(CISA_KEV_URL, {
+      headers: { Accept: "application/json" }
     });
-    const version = result.stdout.trim();
-    const major = Number.parseInt(version.split(".")[0] || "0", 10);
-    return major >= 2 ? "native-yarn" : "patch-package";
+    if (!res.ok) return void 0;
+    return await res.json();
   } catch {
-    return "patch-package";
+    return void 0;
   }
 }
-function buildPatchFileName(packageName, vulnerableVersion) {
-  const safeName = packageName.replace(/^@/, "").replace(/\//g, "+");
-  return `${safeName}+${vulnerableVersion}.patch`;
+function findKevEntry(feed, cveId) {
+  if (!feed?.vulnerabilities?.length) return void 0;
+  const normalized = cveId.toUpperCase();
+  return feed.vulnerabilities.find((v) => v.cveID.toUpperCase() === normalized);
 }
-async function configurePatchPackagePostinstall(cwd, packageManager) {
-  const pkgJsonPath = join7(cwd, "package.json");
-  let pkgJson;
+async function enrichWithCisaKev(details) {
+  const feed = await fetchCisaKevFeed();
+  const entry = findKevEntry(feed, details.id);
+  if (!entry) return details;
+  details.kev = {
+    knownExploited: true,
+    dateAdded: entry.dateAdded,
+    dueDate: entry.dueDate,
+    requiredAction: entry.requiredAction,
+    knownRansomwareCampaignUse: entry.knownRansomwareCampaignUse
+  };
+  if (!details.references.includes(CISA_KEV_URL)) {
+    details.references.push(CISA_KEV_URL);
+  }
+  return details;
+}
+// src/intelligence/sources/epss.ts
+async function fetchEpss(cveId) {
+  const { epssApi } = getIntelligenceSourceConfig();
+  if (!epssApi) return void 0;
   try {
-    pkgJson = JSON.parse(await readFile2(pkgJsonPath, "utf8"));
+    const url = new URL(epssApi);
+    url.searchParams.set("cve", cveId);
+    const res = await fetch(url.toString(), {
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) return void 0;
+    const body = await res.json();
+    return body.data?.[0];
   } catch {
-    return {
-      success: false,
-      error: `Could not read package.json at ${pkgJsonPath}`
-    };
-  }
-  const devDependencies = pkgJson.devDependencies ?? {};
-  if (!devDependencies["patch-package"]) {
-    try {
-      const commands = getPackageManagerCommands(packageManager);
-      const [cmd, ...args] = commands.installDev("patch-package");
-      await execa4(cmd, args, {
-        cwd,
-        stdio: "pipe"
-      });
-    } catch (err) {
-      return {
-        success: false,
-        error: `Failed to install patch-package: ${err instanceof Error ? err.message : String(err)}`
-      };
-    }
+    return void 0;
   }
-  if (!pkgJson.scripts) {
-    pkgJson.scripts = {};
+}
+async function enrichWithEpss(details) {
+  const row = await fetchEpss(details.id);
+  if (!row) return details;
+  const score = Number.parseFloat(row.epss);
+  const percentile = Number.parseFloat(row.percentile);
+  if (!Number.isFinite(score) || !Number.isFinite(percentile)) {
+    return details;
   }
-  const patchApplyCmd = "patch-package";
-  const currentPostinstall = pkgJson.scripts.postinstall || "";
-  if (currentPostinstall && !currentPostinstall.includes("patch-package")) {
-    pkgJson.scripts.postinstall = `${currentPostinstall} && ${patchApplyCmd}`;
-  } else if (!currentPostinstall) {
-    pkgJson.scripts.postinstall = patchApplyCmd;
+  details.epss = {
+    score,
+    percentile,
+    date: row.date
+  };
+  return details;
+}
+// src/intelligence/sources/cve-services.ts
+function pickEnglishDescription(container) {
+  if (!container?.descriptions?.length) return void 0;
+  const en = container.descriptions.find((d) => d.lang === "en" && d.value);
+  return (en?.value ?? container.descriptions[0]?.value)?.trim() || void 0;
+}
+function collectReferences(record) {
+  const refs = /* @__PURE__ */ new Set();
+  const cnaRefs = record.containers?.cna?.references ?? [];
+  const adpRefs = (record.containers?.adp ?? []).flatMap((c) => c.references ?? []);
+  for (const ref of [...cnaRefs, ...adpRefs]) {
+    if (ref.url) refs.add(ref.url);
   }
-  await writeFile(pkgJsonPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
-  return { success: true };
+  return Array.from(refs);
 }
-async function applyNativePatch(params) {
-  const { cwd, packageName, vulnerableVersion, patchContent, patchMode } = params;
-  const packageSpec = `${packageName}@${vulnerableVersion}`;
-  const createCommand = patchMode === "native-pnpm" ? "pnpm" : "yarn";
-  const createArgs = ["patch", packageSpec];
-  let patchDir;
+async function fetchCveServicesRecord(cveId) {
+  const { cveServicesApi } = getIntelligenceSourceConfig();
+  if (!cveServicesApi) return void 0;
   try {
-    const createResult = await execa4(createCommand, createArgs, {
-      cwd,
-      stdio: "pipe"
+    const res = await fetch(`${cveServicesApi}/${encodeURIComponent(cveId)}`, {
+      headers: { Accept: "application/json" }
     });
-    patchDir = extractPatchDirectory(`${createResult.stdout}
-${createResult.stderr}`);
-  } catch (err) {
-    return {
-      success: false,
-      error: `Failed to create native patch workspace for ${packageSpec}: ${err instanceof Error ? err.message : String(err)}`
-    };
+    if (!res.ok) return void 0;
+    return await res.json();
+  } catch {
+    return void 0;
   }
-  if (!patchDir) {
-    return {
-      success: false,
-      error: `Could not determine native patch directory for ${packageSpec}.`
-    };
+}
+async function enrichWithCveServices(details) {
+  const record = await fetchCveServicesRecord(details.id);
+  if (!record) return details;
+  const summary = pickEnglishDescription(record.containers?.cna);
+  if (summary && (!details.summary || details.summary.includes("No summary available"))) {
+    details.summary = summary;
   }
-  const tempPatchDir = await mkdtemp(join7(tmpdir(), "autoremediator-native-patch-"));
-  const tempPatchFile = join7(tempPatchDir, "change.patch");
+  const refs = collectReferences(record);
+  if (refs.length > 0) {
+    const merged = /* @__PURE__ */ new Set([...details.references, ...refs]);
+    details.references = Array.from(merged);
+  }
+  details.intelligence = {
+    ...details.intelligence ?? {},
+    cveServicesEnriched: true
+  };
+  return details;
+}
+// src/intelligence/sources/gitlab-advisory.ts
+function advisoryMatchesCve(advisory, cveId) {
+  const normalized = cveId.toUpperCase();
+  return (advisory.identifiers ?? []).some(
+    (id) => id.type?.toUpperCase() === "CVE" && id.value?.toUpperCase() === normalized
+  );
+}
+async function fetchGitLabAdvisories(cveId) {
+  const { gitLabAdvisoryApi } = getIntelligenceSourceConfig();
+  if (!gitLabAdvisoryApi) return [];
   try {
-    await writeFile(tempPatchFile, patchContent, "utf8");
-    await execa4("patch", ["-p1", "-i", tempPatchFile], {
-      cwd: patchDir,
-      stdio: "pipe"
-    });
-    const commitCommand = patchMode === "native-pnpm" ? "pnpm" : "yarn";
-    const commitArgs = patchMode === "native-pnpm" ? ["patch-commit", patchDir] : ["patch-commit", "-s", patchDir];
-    await execa4(commitCommand, commitArgs, {
-      cwd,
-      stdio: "pipe"
+    const url = new URL(gitLabAdvisoryApi);
+    url.searchParams.set("identifier", cveId);
+    url.searchParams.set("ecosystem", "npm");
+    const res = await fetch(url.toString(), {
+      headers: { Accept: "application/json" }
     });
-  } catch (err) {
-    return {
-      success: false,
-      error: `Failed to apply native patch for ${packageSpec}: ${err instanceof Error ? err.message : String(err)}`
-    };
-  } finally {
-    await rm3(tempPatchDir, { recursive: true, force: true });
+    if (!res.ok) return [];
+    const body = await res.json();
+    return Array.isArray(body) ? body : [];
+  } catch {
+    return [];
   }
-  return { success: true };
 }
-function extractPatchDirectory(output) {
-  const lines = output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
-  for (const line of lines) {
-    if (existsSync3(line)) {
-      return line;
-    }
-    const tokens = line.split(/\s+/).map((token) => token.replace(/^['"]|['"]$/g, ""));
-    for (const token of tokens) {
-      if (token.startsWith("/") && existsSync3(token)) {
-        return token;
-      }
-    }
+async function enrichWithGitLabAdvisory(details) {
+  const advisories = await fetchGitLabAdvisories(details.id);
+  const matched = advisories.filter((a) => advisoryMatchesCve(a, details.id));
+  if (matched.length === 0) return details;
+  const refs = matched.flatMap((m) => m.references ?? []);
+  if (refs.length > 0) {
+    const merged = /* @__PURE__ */ new Set([...details.references, ...refs]);
+    details.references = Array.from(merged);
   }
-  return "";
+  details.intelligence = {
+    ...details.intelligence ?? {},
+    gitlabAdvisoryMatched: true
+  };
+  return details;
 }
-async function validatePatchWithTests(cwd, packageManager) {
+// src/intelligence/sources/certcc.ts
+var CERTCC_HOME = "https://www.kb.cert.org/vuls/";
+async function findCertCcReference(cveId) {
+  const { certCcSearchUrl } = getIntelligenceSourceConfig();
+  if (!certCcSearchUrl) return void 0;
   try {
-    const commands = getPackageManagerCommands(packageManager);
-    const [cmd, ...args] = commands.test;
-    const result = await execa4(cmd, args, {
-      cwd,
-      timeout: 6e4,
-      // 60 second timeout
-      stdio: "pipe"
+    const url = new URL(certCcSearchUrl);
+    url.searchParams.set("query", cveId);
+    const res = await fetch(url.toString(), {
+      headers: { Accept: "text/html" }
     });
-    return {
-      passed: true,
-      output: result.stdout
-    };
-  } catch (err) {
-    const errorOutput = err instanceof Error && "stdout" in err ? err.stdout : "";
-    const failedTests = extractFailedTests(errorOutput);
-    return {
-      passed: false,
-      output: errorOutput,
-      failedTests
-    };
+    if (!res.ok) return void 0;
+    const html = await res.text();
+    const match = html.match(/https:\/\/www\.kb\.cert\.org\/vuls\/id\/\d+/i);
+    return match?.[0] ?? void 0;
+  } catch {
+    return void 0;
   }
 }
-function extractFailedTests(output) {
-  const failedTests = [];
-  const patterns = [
-    /✖\s+(.+?)(?:\n|$)/g,
-    // Mocha style
-    /●\s+(.+)(?:\n|$)/g,
-    // Jest style
-    /FAIL.*?(.+?)(?:\n|$)/g
-    // Generic FAIL
-  ];
-  for (const pattern of patterns) {
-    let match;
-    while ((match = pattern.exec(output)) !== null) {
-      if (match[1]) {
-        failedTests.push(match[1].trim());
-      }
-    }
+async function enrichWithCertCc(details) {
+  const ref = await findCertCcReference(details.id);
+  if (!ref) return details;
+  if (!details.references.includes(ref)) {
+    details.references.push(ref);
   }
-  return failedTests.slice(0, 5);
+  details.intelligence = {
+    ...details.intelligence ?? {},
+    certCcMatched: true
+  };
+  if (!details.references.includes(CERTCC_HOME)) {
+    details.references.push(CERTCC_HOME);
+  }
+  return details;
 }
-// src/remediation/pipeline.ts
-async function runRemediationPipeline(cveId, options = {}) {
-  const provider = resolveProvider(options);
-  if (provider === "local") {
-    return runLocalRemediationPipeline(cveId, options);
+// src/intelligence/sources/deps-dev.ts
+async function fetchDepsDevPackage(name) {
+  const { depsDevApi } = getIntelligenceSourceConfig();
+  if (!depsDevApi) return false;
+  try {
+    const url = `${depsDevApi}/systems/npm/packages/${encodeURIComponent(name)}`;
+    const res = await fetch(url, { headers: { Accept: "application/json" } });
+    return res.ok;
+  } catch {
+    return false;
   }
-  const cwd = options.cwd ?? process.cwd();
-  const packageManager = options.packageManager ?? detectPackageManager(cwd);
-  const preview = options.preview ?? false;
-  const dryRun = (options.dryRun ?? false) || preview;
-  const runTests = options.runTests ?? false;
-  const policy = options.policy ?? "";
-  const patchesDir = options.patchesDir || "./patches";
-  const model = await createModel(options);
-  const systemPrompt = loadOrchestrationPrompt({
-    cveId,
-    cwd,
-    dryRun,
-    runTests,
-    policy,
-    patchesDir,
-    packageManager
-  });
-  const prompt = `Patch vulnerable dependencies affected by ${cveId} in the project at: ${cwd}. Package manager: ${packageManager}.`;
-  const collectedResults = [];
-  const vulnerablePackages = [];
-  let cveDetails = null;
-  let agentSteps = 0;
-  const applyVersionBumpToolForRun = preview ? {
-    ...applyVersionBumpTool,
-    execute: async (input) => applyVersionBumpTool.execute({ ...input, dryRun: true })
-  } : applyVersionBumpTool;
-  const applyPatchFileToolForRun = preview ? {
-    ...applyPatchFileTool,
-    execute: async (input) => applyPatchFileTool.execute({ ...input, dryRun: true })
-  } : applyPatchFileTool;
-  const result = await generateText2({
-    model,
-    system: systemPrompt,
-    prompt,
-    tools: {
-      "lookup-cve": lookupCveTool,
-      "check-inventory": checkInventoryTool,
-      "check-version-match": checkVersionMatchTool,
-      "find-fixed-version": findFixedVersionTool,
-      "apply-version-bump": applyVersionBumpToolForRun,
-      "fetch-package-source": fetchPackageSourceTool,
-      "generate-patch": generatePatchTool,
-      "apply-patch-file": applyPatchFileToolForRun
-    },
-    maxSteps: 25,
-    onStepFinish(stepResult) {
-      agentSteps += 1;
-      const { toolResults } = stepResult;
-      for (const tr of toolResults ?? []) {
-        const toolResult = tr.result;
-        if (tr.toolName === "lookup-cve" && toolResult?.data) {
-          cveDetails = toolResult.data;
-        }
-        if (tr.toolName === "check-version-match" && toolResult?.vulnerablePackages) {
-          vulnerablePackages.push(...toolResult.vulnerablePackages);
-        }
-        if (tr.toolName === "apply-version-bump") {
-          collectedResults.push(toolResult);
-        }
-        if (tr.toolName === "apply-patch-file" && toolResult) {
-          const validation = toolResult.validation;
-          const message = typeof toolResult.message === "string" ? toolResult.message : typeof toolResult.error === "string" ? toolResult.error : "Patch-file strategy finished.";
-          collectedResults.push({
-            packageName: typeof toolResult.packageName === "string" ? toolResult.packageName : "unknown-package",
-            strategy: "patch-file",
-            fromVersion: typeof toolResult.vulnerableVersion === "string" ? toolResult.vulnerableVersion : "unknown",
-            patchFilePath: typeof toolResult.patchFilePath === "string" ? toolResult.patchFilePath : typeof toolResult.patchPath === "string" ? toolResult.patchPath : void 0,
-            applied: Boolean(toolResult.applied),
-            dryRun: Boolean(toolResult.dryRun),
-            message,
-            validation: validation && typeof validation.passed === "boolean" ? {
-              passed: validation.passed,
-              error: typeof validation.error === "string" ? validation.error : void 0
-            } : void 0
-          });
-        }
-      }
-    }
-  });
-  return {
-    cveId,
-    cveDetails,
-    vulnerablePackages,
-    results: collectedResults,
-    agentSteps,
-    summary: result.text,
-    correlation: {
-      requestId: options.requestId,
-      sessionId: options.sessionId,
-      parentRunId: options.parentRunId
-    }
+}
+async function enrichWithDepsDev(details) {
+  const names = Array.from(new Set(details.affectedPackages.map((p) => p.name))).slice(0, 20);
+  if (names.length === 0) return details;
+  const checks = await Promise.all(names.map((name) => fetchDepsDevPackage(name)));
+  const matched = checks.filter(Boolean).length;
+  if (matched === 0) return details;
+  details.intelligence = {
+    ...details.intelligence ?? {},
+    depsDevEnrichedPackages: matched
   };
+  return details;
 }
-async function runLocalRemediationPipeline(cveId, options = {}) {
-  const cwd = options.cwd ?? process.cwd();
-  const packageManager = options.packageManager ?? detectPackageManager(cwd);
-  const preview = options.preview ?? false;
-  const dryRun = (options.dryRun ?? false) || preview;
-  const runTests = options.runTests ?? false;
-  const policy = options.policy ?? "";
-  const collectedResults = [];
-  const vulnerablePackages = [];
-  let cveDetails = null;
-  let agentSteps = 0;
-  const normalizedId = cveId.toUpperCase();
-  const [osvDetails, ghPackages] = await Promise.all([
-    lookupCveOsv(normalizedId),
-    lookupCveGitHub(normalizedId).catch(() => [])
-  ]);
-  agentSteps += 2;
-  if (!osvDetails && ghPackages.length === 0) {
-    return {
-      cveId,
-      cveDetails: null,
-      vulnerablePackages,
-      results: collectedResults,
-      agentSteps,
-      summary: `Local mode failed at lookup-cve: ${normalizedId} not found in OSV or GitHub advisory data.`,
-      correlation: {
-        requestId: options.requestId,
-        sessionId: options.sessionId,
-        parentRunId: options.parentRunId
-      }
-    };
+// src/intelligence/sources/ossf-scorecard.ts
+async function checkProject(project) {
+  const { scorecardApi } = getIntelligenceSourceConfig();
+  if (!scorecardApi) return false;
+  try {
+    const url = new URL(`${scorecardApi}/projects`);
+    url.searchParams.set("project", project);
+    const res = await fetch(url.toString(), {
+      headers: { Accept: "application/json" }
+    });
+    return res.ok;
+  } catch {
+    return false;
   }
-  cveDetails = osvDetails ?? {
-    id: normalizedId,
-    summary: "Details sourced from GitHub Advisory Database.",
-    severity: "UNKNOWN",
-    references: [],
-    affectedPackages: []
+}
+async function enrichWithOssfScorecard(details) {
+  const projects = Array.from(
+    new Set(details.affectedPackages.map((p) => `github.com/${p.name}/${p.name}`))
+  ).slice(0, 10);
+  if (projects.length === 0) return details;
+  const checks = await Promise.all(projects.map((project) => checkProject(project)));
+  const matched = checks.filter(Boolean).length;
+  if (matched === 0) return details;
+  details.intelligence = {
+    ...details.intelligence ?? {},
+    scorecardProjects: matched
   };
-  if (ghPackages.length > 0) {
-    cveDetails = mergeGhDataIntoCveDetails(cveDetails, ghPackages);
+  return details;
+}
+// src/intelligence/sources/external-feeds.ts
+async function probeFeed(url, cveId, token) {
+  try {
+    const feedUrl = new URL(url);
+    feedUrl.searchParams.set("cve", cveId);
+    const headers = { Accept: "application/json" };
+    if (token) headers.Authorization = `Bearer ${token}`;
+    const res = await fetch(feedUrl.toString(), { headers });
+    if (!res.ok) return void 0;
+    return feedUrl.toString();
+  } catch {
+    return void 0;
   }
-  cveDetails = await enrichWithNvd(cveDetails);
-  if (cveDetails.affectedPackages.length === 0) {
-    return {
-      cveId,
-      cveDetails,
-      vulnerablePackages,
-      results: collectedResults,
-      agentSteps,
-      summary: `Local mode lookup succeeded but no npm affected packages were found for ${normalizedId}.`,
-      correlation: {
-        requestId: options.requestId,
-        sessionId: options.sessionId,
-        parentRunId: options.parentRunId
-      }
-    };
+}
+async function enrichWithExternalFeeds(details) {
+  const {
+    vendorAdvisoryFeeds,
+    commercialFeeds,
+    commercialFeedToken
+  } = getIntelligenceSourceConfig();
+  const vendorHits = (await Promise.all(vendorAdvisoryFeeds.map((url) => probeFeed(url, details.id)))).filter((v) => Boolean(v));
+  const commercialHits = (await Promise.all(
+    commercialFeeds.map((url) => probeFeed(url, details.id, commercialFeedToken))
+  )).filter((v) => Boolean(v));
+  if (vendorHits.length === 0 && commercialHits.length === 0) {
+    return details;
   }
-  const inventory = await checkInventoryTool.execute({ cwd, packageManager });
-  agentSteps += 1;
-  if (inventory?.error) {
-    return {
-      cveId,
-      cveDetails,
-      vulnerablePackages,
-      results: collectedResults,
-      agentSteps,
-      summary: `Local mode failed at check-inventory: ${inventory.error}`,
-      correlation: {
-        requestId: options.requestId,
-        sessionId: options.sessionId,
-        parentRunId: options.parentRunId
-      }
+  details.intelligence = {
+    ...details.intelligence ?? {},
+    vendorAdvisories: vendorHits.length > 0 ? vendorHits : details.intelligence?.vendorAdvisories,
+    commercialFeeds: commercialHits.length > 0 ? commercialHits : details.intelligence?.commercialFeeds
+  };
+  const mergedRefs = /* @__PURE__ */ new Set([...details.references, ...vendorHits, ...commercialHits]);
+  details.references = Array.from(mergedRefs);
+  return details;
+}
+// src/remediation/tools/lookup-cve.ts
+var lookupCveTool = tool7({
+  description: "Look up a CVE ID and return the list of affected npm packages, their vulnerable version ranges, and the first patched version. Always call this first.",
+  parameters: z7.object({
+    cveId: z7.string().regex(/^CVE-\d{4}-\d+$/i, "Must be a valid CVE ID like CVE-2021-23337")
+  }),
+  execute: async ({ cveId }) => {
+    const normalizedId = cveId.toUpperCase();
+    const [osvDetails, ghPackages] = await Promise.all([
+      lookupCveOsv(normalizedId),
+      lookupCveGitHub(normalizedId)
+    ]);
+    if (!osvDetails && ghPackages.length === 0) {
+      return {
+        success: false,
+        error: `CVE "${normalizedId}" was not found in OSV or GitHub Advisory databases. It may be too new, or not affect npm packages.`
+      };
+    }
+    let details = osvDetails ?? {
+      id: normalizedId,
+      summary: "Details sourced from GitHub Advisory Database.",
+      severity: "UNKNOWN",
+      references: [],
+      affectedPackages: []
     };
-  }
-  const installedPackages = inventory.packages ?? [];
-  for (const affected of cveDetails.affectedPackages) {
-    if (!affected || typeof affected !== "object") continue;
-    if (!affected.name || !affected.vulnerableRange) continue;
-    if (affected.ecosystem !== "npm") continue;
-    const matches = installedPackages.filter((p) => p.name === affected.name);
-    for (const installed of matches) {
-      if (!semver4.valid(installed.version)) continue;
-      let isVulnerable = false;
+    if (ghPackages.length > 0) {
+      details = mergeGhDataIntoCveDetails(details, ghPackages);
+    }
+    const sourceHealth = {};
+    const applyEnricher = async (sourceName, enricher) => {
+      const before = JSON.stringify(details);
       try {
-        isVulnerable = semver4.satisfies(installed.version, affected.vulnerableRange, {
-          includePrerelease: false
-        });
-      } catch {
-        continue;
-      }
-      if (isVulnerable) {
-        vulnerablePackages.push({ installed, affected });
+        details = await enricher(details);
+        const after = JSON.stringify(details);
+        sourceHealth[sourceName] = {
+          attempted: true,
+          changed: before !== after
+        };
+      } catch (error) {
+        sourceHealth[sourceName] = {
+          attempted: true,
+          changed: false,
+          error: error instanceof Error ? error.message : String(error)
+        };
       }
+    };
+    await applyEnricher("nvd", enrichWithNvd);
+    await applyEnricher("cisa-kev", enrichWithCisaKev);
+    await applyEnricher("epss", enrichWithEpss);
+    await applyEnricher("cve-services", enrichWithCveServices);
+    await applyEnricher("gitlab-advisory", enrichWithGitLabAdvisory);
+    await applyEnricher("certcc", enrichWithCertCc);
+    await applyEnricher("deps-dev", enrichWithDepsDev);
+    await applyEnricher("ossf-scorecard", enrichWithOssfScorecard);
+    await applyEnricher("external-feeds", enrichWithExternalFeeds);
+    details.intelligence = {
+      ...details.intelligence ?? {},
+      sourceHealth
+    };
+    if (details.affectedPackages.length === 0) {
+      return {
+        success: false,
+        error: `CVE "${normalizedId}" was found but has no npm-specific affected packages listed. It may affect a different ecosystem.`
+      };
     }
+    return { success: true, data: details };
   }
-  agentSteps += 1;
-  for (const vulnerable of vulnerablePackages) {
-    const pkg = vulnerable.installed;
-    const firstPatchedVersion = vulnerable.affected.firstPatchedVersion;
-    if (pkg.type === "indirect") {
-      collectedResults.push({
-        packageName: pkg.name,
-        strategy: "none",
-        fromVersion: pkg.version,
-        applied: false,
-        dryRun,
-        message: `"${pkg.name}" is an indirect dependency; automatic version bump is limited to direct dependencies in local mode.`
-      });
-      continue;
-    }
-    if (!firstPatchedVersion) {
-      collectedResults.push({
-        packageName: pkg.name,
-        strategy: "none",
-        fromVersion: pkg.version,
-        applied: false,
-        dryRun,
-        message: `No firstPatchedVersion available for ${pkg.name}; cannot resolve deterministic upgrade in local mode.`
-      });
-      continue;
+});
+// src/remediation/tools/check-version-match.ts
+import { tool as tool8 } from "ai";
+import { z as z8 } from "zod";
+import semver5 from "semver";
+var affectedPackageSchema = z8.object({
+  name: z8.string(),
+  ecosystem: z8.literal("npm"),
+  vulnerableRange: z8.string(),
+  firstPatchedVersion: z8.string().optional(),
+  source: z8.enum(["osv", "github-advisory"])
+});
+var inventoryPackageSchema = z8.object({
+  name: z8.string(),
+  version: z8.string(),
+  type: z8.enum(["direct", "indirect"])
+});
+var checkVersionMatchTool = tool8({
+  description: "Check which of the project's installed packages fall within the CVE's vulnerable version ranges. Returns only the packages that are actually vulnerable.",
+  parameters: z8.object({
+    installedPackages: z8.array(inventoryPackageSchema).describe("Output from the check-inventory tool"),
+    affectedPackages: z8.array(affectedPackageSchema).describe("affectedPackages array from the lookup-cve tool result")
+  }),
+  execute: async ({ installedPackages, affectedPackages }) => {
+    const vulnerable = [];
+    for (const affected of affectedPackages) {
+      const matches = installedPackages.filter(
+        (p) => p.name === affected.name
+      );
+      for (const installed of matches) {
+        if (!semver5.valid(installed.version)) continue;
+        let isVulnerable = false;
+        try {
+          isVulnerable = semver5.satisfies(installed.version, affected.vulnerableRange, {
+            includePrerelease: false
+          });
+        } catch {
+          continue;
+        }
+        if (isVulnerable) {
+          vulnerable.push({ installed, affected });
+        }
+      }
     }
-    const safeVersion = await findSafeUpgradeVersion(
-      pkg.name,
-      pkg.version,
+    return {
+      vulnerablePackages: vulnerable,
+      checkedCount: installedPackages.length
+    };
+  }
+});
+// src/remediation/tools/find-fixed-version.ts
+import { tool as tool9 } from "ai";
+import { z as z9 } from "zod";
+var findFixedVersionTool = tool9({
+  description: "Query the npm registry to find the safest published upgrade version for a package that is >= the first patched version. Prefer patch upgrades first, then minor, and only fall back to major when no same-major fix exists.",
+  parameters: z9.object({
+    packageName: z9.string().describe("The npm package name"),
+    installedVersion: z9.string().describe("The currently installed version (exact semver)"),
+    firstPatchedVersion: z9.string().describe(
+      "The first version that is NOT vulnerable (from lookup-cve). Use this as the floor."
+    ),
+    vulnerableRange: z9.string().optional().describe("Optional vulnerable semver range used to exclude still-vulnerable versions")
+  }),
+  execute: async ({
+    packageName,
+    installedVersion,
+    firstPatchedVersion,
+    vulnerableRange
+  }) => {
+    const resolution = await resolveSafeUpgradeVersion(
+      packageName,
+      installedVersion,
       firstPatchedVersion,
-      vulnerable.affected.vulnerableRange
+      vulnerableRange
     );
-    agentSteps += 1;
+    const { safeVersion, upgradeLevel, candidates, majorOnlyFixAvailable } = resolution;
     if (!safeVersion) {
-      collectedResults.push({
-        packageName: pkg.name,
-        strategy: "none",
-        fromVersion: pkg.version,
-        applied: false,
-        dryRun,
-        message: `No safe upgrade version found for ${pkg.name}.`
-      });
-      continue;
+      return {
+        candidates,
+        isMajorBump: false,
+        majorOnlyFixAvailable: false,
+        message: `No safe upgrade version found for "${packageName}". The patch-file path will be needed.`
+      };
     }
-    const applyResult = await applyVersionBumpTool.execute({
-      cwd,
-      packageManager,
-      packageName: pkg.name,
-      fromVersion: pkg.version,
-      toVersion: safeVersion,
-      dryRun,
-      policy,
-      runTests
-    });
-    agentSteps += 1;
-    collectedResults.push(applyResult);
+    const installedMajor = parseInt(installedVersion.split(".")[0] ?? "0", 10);
+    const safeMajor = parseInt(safeVersion.split(".")[0] ?? "0", 10);
+    const isMajorBump = safeMajor > installedMajor;
+    return {
+      safeVersion,
+      upgradeLevel,
+      candidates,
+      isMajorBump,
+      majorOnlyFixAvailable,
+      message: isMajorBump ? `Found safe version ${safeVersion} for "${packageName}", but only a major upgrade is available from ${installedVersion}. This should remain blocked unless policy explicitly allows major bumps.` : `Found ${upgradeLevel ?? "safe"} upgrade ${safeVersion} for "${packageName}" (from ${installedVersion}).`
+    };
   }
-  const appliedCount = collectedResults.filter((r) => r.applied).length;
-  const unresolvedCount = collectedResults.filter((r) => !r.applied && !r.dryRun).length;
-  const dryRunCount = collectedResults.filter((r) => r.dryRun).length;
-  return {
-    cveId,
-    cveDetails,
-    vulnerablePackages,
-    results: collectedResults,
-    agentSteps,
-    summary: `Local mode completed: vulnerable=${vulnerablePackages.length}, applied=${appliedCount}, dryRun=${dryRunCount}, unresolved=${unresolvedCount}`,
-    correlation: {
-      requestId: options.requestId,
-      sessionId: options.sessionId,
-      parentRunId: options.parentRunId
-    }
+});
+// src/remediation/runtime-tools.ts
+function buildRuntimeTools(ctx) {
+  const tools = {
+    "lookup-cve": lookupCveTool,
+    "check-inventory": checkInventoryTool,
+    "check-version-match": checkVersionMatchTool,
+    "find-fixed-version": findFixedVersionTool,
+    "apply-version-bump": ctx.applyVersionBumpToolForRun
   };
+  if (!ctx.constraints.directDependenciesOnly && !ctx.constraints.preferVersionBump) {
+    tools["apply-package-override"] = ctx.applyPackageOverrideToolForRun;
+  }
+  if (!ctx.constraints.preferVersionBump) {
+    tools["fetch-package-source"] = fetchPackageSourceTool;
+    tools["generate-patch"] = generatePatchTool;
+    tools["apply-patch-file"] = ctx.applyPatchFileToolForRun;
+  }
+  return tools;
 }
+// src/remediation/orchestration-prompt.ts
+import { existsSync as existsSync5, readFileSync as readFileSync6 } from "fs";
+import { join as join10 } from "path";
 function loadOrchestrationPrompt(ctx) {
-  const promptPath = join8(process.cwd(), ".github", "instructions", "orchestration.instructions.md");
-  if (!existsSync4(promptPath)) {
+  const promptPath = join10(process.cwd(), ".github", "instructions", "orchestration.instructions.md");
+  if (!existsSync5(promptPath)) {
     return `You are autoremediator, an agentic security remediation system for Node.js package dependencies.
 Working directory: ${ctx.cwd}
   Package manager: ${ctx.packageManager}
@@ -2036,6 +2557,8 @@ Dry run: ${ctx.dryRun}
 Run tests: ${ctx.runTests}
 Policy: ${ctx.policy || "undefined"}
 Patches dir: ${ctx.patchesDir}
+Direct dependencies only: ${String(ctx.constraints.directDependenciesOnly ?? false)}
+Prefer version bump: ${String(ctx.constraints.preferVersionBump ?? false)}
 Required sequence:
 1. lookup-cve
@@ -2043,185 +2566,364 @@ Required sequence:
 3. check-version-match
 4. find-fixed-version
 5. apply-version-bump
+6. apply-package-override
-Fallback sequence (when strategy="none"):
+Fallback sequence (when neither version bump nor override can be applied):
 1. fetch-package-source
 2. generate-patch
 3. apply-patch-file
 Always respect dryRun and policy constraints.`;
   }
-  const template = readFileSync4(promptPath, "utf8");
-  return template.replaceAll("{{cveId}}", ctx.cveId).replaceAll("{{cwd}}", ctx.cwd).replaceAll("{{packageManager}}", ctx.packageManager).replaceAll("{{dryRun}}", String(ctx.dryRun)).replaceAll("{{runTests}}", String(ctx.runTests)).replaceAll("{{policy}}", ctx.policy || "undefined").replaceAll("{{patchesDir}}", ctx.patchesDir);
+  const template = readFileSync6(promptPath, "utf8");
+  return template.replaceAll("{{cveId}}", ctx.cveId).replaceAll("{{cwd}}", ctx.cwd).replaceAll("{{packageManager}}", ctx.packageManager).replaceAll("{{dryRun}}", String(ctx.dryRun)).replaceAll("{{runTests}}", String(ctx.runTests)).replaceAll("{{policy}}", ctx.policy || "undefined").replaceAll("{{patchesDir}}", ctx.patchesDir).replaceAll("{{directDependenciesOnly}}", String(ctx.constraints.directDependenciesOnly ?? false)).replaceAll("{{preferVersionBump}}", String(ctx.constraints.preferVersionBump ?? false));
 }
-// src/scanner/index.ts
-import { extname } from "path";
-import { readFileSync as readFileSync8 } from "fs";
-// src/scanner/adapters/npm-audit.ts
-import { readFileSync as readFileSync5 } from "fs";
-var CVE_REGEX = /CVE-\d{4}-\d+/gi;
-function normalizeSeverity(raw) {
-  if (!raw) return "UNKNOWN";
-  const up = raw.toUpperCase();
-  if (up === "CRITICAL" || up === "HIGH" || up === "MEDIUM" || up === "LOW") {
-    return up;
+// src/remediation/pipeline.ts
+async function runRemediationPipeline(cveId, options = {}) {
+  const provider = resolveProvider(options);
+  if (provider === "local") {
+    return runLocalRemediationPipeline(cveId, options);
   }
-  return "UNKNOWN";
-}
-function parseNpmAuditJsonFromString(content) {
-  const report = JSON.parse(content);
-  const findings = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
-    for (const viaEntry of vuln.via ?? []) {
-      const text = typeof viaEntry === "string" ? viaEntry : `${viaEntry.url ?? ""} ${viaEntry.name ?? ""}`;
-      const matches = text.match(CVE_REGEX) ?? [];
-      for (const match of matches) {
-        const cveId = match.toUpperCase();
-        const key = `${cveId}:${vuln.name}`;
-        if (seen.has(key)) continue;
-        seen.add(key);
-        findings.push({
-          cveId,
-          source: "npm-audit",
-          packageName: vuln.name,
-          severity: normalizeSeverity(vuln.severity)
-        });
+  const cwd = options.cwd ?? process.cwd();
+  const packageManager = options.packageManager ?? detectPackageManager(cwd);
+  const preview = options.preview ?? false;
+  const dryRun = (options.dryRun ?? false) || preview;
+  const runTests = options.runTests ?? false;
+  const policy = options.policy ?? "";
+  const patchesDir = options.patchesDir || "./patches";
+  const constraints = options.constraints ?? {};
+  const model = await createModel(options);
+  const systemPrompt = loadOrchestrationPrompt({
+    cveId,
+    cwd,
+    dryRun,
+    runTests,
+    policy,
+    patchesDir,
+    packageManager,
+    constraints
+  });
+  const prompt = `Patch vulnerable dependencies affected by ${cveId} in the project at: ${cwd}. Package manager: ${packageManager}.`;
+  const collectedResults = [];
+  const vulnerablePackages = [];
+  let cveDetails = null;
+  let agentSteps = 0;
+  const applyVersionBumpToolForRun = preview ? {
+    ...applyVersionBumpTool,
+    execute: async (input) => applyVersionBumpTool.execute({ ...input, dryRun: true })
+  } : applyVersionBumpTool;
+  const applyPackageOverrideToolForRun = preview ? {
+    ...applyPackageOverrideTool,
+    execute: async (input) => applyPackageOverrideTool.execute({ ...input, dryRun: true })
+  } : applyPackageOverrideTool;
+  const applyPatchFileToolForRun = preview ? {
+    ...applyPatchFileTool,
+    execute: async (input) => applyPatchFileTool.execute({ ...input, dryRun: true })
+  } : applyPatchFileTool;
+  const tools = buildRuntimeTools({
+    applyVersionBumpToolForRun,
+    applyPackageOverrideToolForRun,
+    applyPatchFileToolForRun,
+    constraints
+  });
+  const result = await generateText2({
+    model,
+    system: systemPrompt,
+    prompt,
+    tools,
+    maxSteps: 25,
+    onStepFinish(stepResult) {
+      agentSteps += 1;
+      const toolResults = stepResult.toolResults ?? [];
+      for (const tr of toolResults) {
+        const toolResult = tr.result;
+        if (tr.toolName === "lookup-cve" && toolResult?.data) {
+          cveDetails = toolResult.data;
+        }
+        if (tr.toolName === "check-version-match" && toolResult?.vulnerablePackages) {
+          vulnerablePackages.push(...toolResult.vulnerablePackages);
+        }
+        if (tr.toolName === "apply-version-bump") {
+          collectedResults.push(toolResult);
+        }
+        if (tr.toolName === "apply-package-override") {
+          collectedResults.push(toolResult);
+        }
+        if (tr.toolName === "apply-patch-file" && toolResult) {
+          const validation = toolResult.validation;
+          const message = typeof toolResult.message === "string" ? toolResult.message : typeof toolResult.error === "string" ? toolResult.error : "Patch-file strategy finished.";
+          collectedResults.push({
+            packageName: typeof toolResult.packageName === "string" ? toolResult.packageName : "unknown-package",
+            strategy: "patch-file",
+            fromVersion: typeof toolResult.vulnerableVersion === "string" ? toolResult.vulnerableVersion : "unknown",
+            patchFilePath: typeof toolResult.patchFilePath === "string" ? toolResult.patchFilePath : typeof toolResult.patchPath === "string" ? toolResult.patchPath : void 0,
+            applied: Boolean(toolResult.applied),
+            dryRun: Boolean(toolResult.dryRun),
+            unresolvedReason: !Boolean(toolResult.applied) && !Boolean(toolResult.dryRun) ? validation && validation.passed === false ? "patch-validation-failed" : "patch-apply-failed" : void 0,
+            message,
+            validation: validation && typeof validation.passed === "boolean" ? {
+              passed: validation.passed,
+              error: typeof validation.error === "string" ? validation.error : void 0
+            } : void 0
+          });
+        }
       }
     }
-  }
-  return findings;
-}
-function parseNpmAuditJsonFile(filePath) {
-  const content = readFileSync5(filePath, "utf8");
-  return parseNpmAuditJsonFromString(content);
+  });
+  return {
+    cveId,
+    cveDetails,
+    vulnerablePackages,
+    results: collectedResults,
+    agentSteps,
+    summary: result.text,
+    correlation: {
+      requestId: options.requestId,
+      sessionId: options.sessionId,
+      parentRunId: options.parentRunId
+    }
+  };
 }
-// src/scanner/adapters/yarn-audit.ts
-import { readFileSync as readFileSync6 } from "fs";
-var CVE_REGEX2 = /CVE-\d{4}-\d+/gi;
-function normalizeSeverity2(raw) {
-  if (!raw) return "UNKNOWN";
-  const up = raw.toUpperCase();
-  if (up === "CRITICAL" || up === "HIGH" || up === "MEDIUM" || up === "LOW") {
-    return up;
-  }
-  return "UNKNOWN";
+// src/api/options-schema.ts
+var PACKAGE_MANAGER_VALUES = ["npm", "pnpm", "yarn"];
+var LLM_PROVIDER_VALUES = ["openai", "anthropic", "local"];
+var PROVENANCE_SOURCE_VALUES = ["cli", "sdk", "mcp", "openapi", "unknown"];
+var OPTION_DESCRIPTIONS = {
+  cveId: "CVE ID, e.g. CVE-2021-23337",
+  inputPath: "Absolute path to the scanner output file",
+  cwd: "Absolute path to the project root (default: process.cwd())",
+  packageManager: "Package manager override (auto-detected by default)",
+  dryRun: "If true, plan changes but write nothing",
+  preview: "If true, enforce non-mutating preview mode",
+  runTests: "Run package-manager test command after applying fix",
+  llmProvider: "LLM provider override",
+  patchesDir: "Directory to write .patch files (default: ./patches)",
+  policy: "Optional path to .autoremediator policy file",
+  requestId: "Request correlation ID",
+  sessionId: "Session correlation ID",
+  parentRunId: "Parent run correlation ID",
+  idempotencyKey: "Idempotency key for replay-safe execution",
+  resume: "Return cached result for matching idempotency key when available",
+  actor: "Actor identity for evidence provenance",
+  source: "Source system for provenance",
+  format: "Scanner format (default: auto)",
+  evidence: "Write evidence JSON to .autoremediator/evidence/ (default: true)",
+  directDependenciesOnly: "Restrict remediation to direct dependencies only",
+  preferVersionBump: "Reject override and patch remediation when version-bump-only policy is required"
+};
+function createConstraintSchemaProperties() {
+  return {
+    directDependenciesOnly: { type: "boolean", description: OPTION_DESCRIPTIONS.directDependenciesOnly },
+    preferVersionBump: { type: "boolean", description: OPTION_DESCRIPTIONS.preferVersionBump }
+  };
 }
-function parseYarnAuditJsonFromString(content) {
-  const findings = [];
-  const seen = /* @__PURE__ */ new Set();
-  const lines = content.split("\n").map((line) => line.trim()).filter(Boolean);
-  for (const line of lines) {
-    let parsed;
-    try {
-      parsed = JSON.parse(line);
-    } catch {
-      continue;
-    }
-    const event = parsed;
-    if (event.type !== "auditAdvisory") continue;
-    const advisory = event.data?.advisory;
-    const packageName = advisory?.module_name;
-    const severity = normalizeSeverity2(advisory?.severity);
-    const text = `${advisory?.url ?? ""} ${(advisory?.cves ?? []).join(" ")}`;
-    const matches = text.match(CVE_REGEX2) ?? [];
-    for (const match of matches) {
-      const cveId = match.toUpperCase();
-      const key = `${cveId}:${packageName ?? ""}`;
-      if (seen.has(key)) continue;
-      seen.add(key);
-      findings.push({
-        cveId,
-        source: "yarn-audit",
-        packageName,
-        severity
-      });
+function createRemediateOptionSchemaProperties(options) {
+  const includeDryRun = options?.includeDryRun ?? true;
+  const includePreview = options?.includePreview ?? true;
+  const includeEvidence = options?.includeEvidence ?? true;
+  return {
+    cwd: { type: "string", description: OPTION_DESCRIPTIONS.cwd },
+    packageManager: { type: "string", enum: [...PACKAGE_MANAGER_VALUES], description: OPTION_DESCRIPTIONS.packageManager },
+    ...includeDryRun ? { dryRun: { type: "boolean", description: OPTION_DESCRIPTIONS.dryRun } } : {},
+    ...includePreview ? { preview: { type: "boolean", description: OPTION_DESCRIPTIONS.preview } } : {},
+    runTests: { type: "boolean", description: OPTION_DESCRIPTIONS.runTests },
+    llmProvider: { type: "string", enum: [...LLM_PROVIDER_VALUES], description: OPTION_DESCRIPTIONS.llmProvider },
+    patchesDir: { type: "string", description: OPTION_DESCRIPTIONS.patchesDir },
+    policy: { type: "string", description: OPTION_DESCRIPTIONS.policy },
+    ...includeEvidence ? { evidence: { type: "boolean", description: OPTION_DESCRIPTIONS.evidence } } : {},
+    requestId: { type: "string", description: OPTION_DESCRIPTIONS.requestId },
+    sessionId: { type: "string", description: OPTION_DESCRIPTIONS.sessionId },
+    parentRunId: { type: "string", description: OPTION_DESCRIPTIONS.parentRunId },
+    idempotencyKey: { type: "string", description: OPTION_DESCRIPTIONS.idempotencyKey },
+    resume: { type: "boolean", description: OPTION_DESCRIPTIONS.resume },
+    actor: { type: "string", description: OPTION_DESCRIPTIONS.actor },
+    source: { type: "string", enum: [...PROVENANCE_SOURCE_VALUES], description: OPTION_DESCRIPTIONS.source },
+    constraints: {
+      type: "object",
+      properties: createConstraintSchemaProperties()
     }
-  }
-  return findings;
+  };
 }
-function parseYarnAuditJsonFile(filePath) {
-  const content = readFileSync6(filePath, "utf8");
-  return parseYarnAuditJsonFromString(content);
+function createScanOptionSchemaProperties() {
+  return {
+    ...createRemediateOptionSchemaProperties({ includeEvidence: true }),
+    format: { type: "string", enum: ["npm-audit", "yarn-audit", "sarif", "auto"], description: OPTION_DESCRIPTIONS.format }
+  };
+}
+function createScanReportSchemaProperties() {
+  return {
+    schemaVersion: { type: "string" },
+    status: { type: "string", enum: ["ok", "partial", "failed"] },
+    generatedAt: { type: "string" },
+    cveIds: { type: "array", items: { type: "string" } },
+    reports: { type: "array", items: { type: "object" } },
+    successCount: { type: "number" },
+    failedCount: { type: "number" },
+    errors: { type: "array", items: { type: "object" } },
+    evidenceFile: { type: "string" },
+    patchCount: { type: "number" },
+    patchValidationFailures: { type: "array", items: { type: "object" } },
+    strategyCounts: {
+      type: "object",
+      additionalProperties: { type: "number" }
+    },
+    dependencyScopeCounts: {
+      type: "object",
+      additionalProperties: { type: "number" }
+    },
+    unresolvedByReason: {
+      type: "object",
+      additionalProperties: { type: "number" }
+    },
+    patchesDir: { type: "string" },
+    correlation: { type: "object" },
+    provenance: { type: "object" },
+    constraints: { type: "object" },
+    idempotencyKey: { type: "string" }
+  };
 }
-// src/scanner/adapters/sarif.ts
-import { readFileSync as readFileSync7 } from "fs";
-var CVE_REGEX3 = /CVE-\d{4}-\d+/gi;
-function extractPackageName(result) {
-  const pkg = result.properties?.["packageName"];
-  return typeof pkg === "string" ? pkg : void 0;
+// src/api/reporting.ts
+function buildStrategyCounts(reports) {
+  const counts = {};
+  for (const report of reports) {
+    for (const result of report.results) {
+      counts[result.strategy] = (counts[result.strategy] ?? 0) + 1;
+    }
+  }
+  return Object.keys(counts).length > 0 ? counts : void 0;
 }
-function parseSarifFromString(content) {
-  const report = JSON.parse(content);
-  const findings = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const run of report.runs ?? []) {
-    for (const result of run.results ?? []) {
-      const combined = `${result.ruleId ?? ""} ${result.message?.text ?? ""}`;
-      const matches = combined.match(CVE_REGEX3) ?? [];
-      for (const match of matches) {
-        const cveId = match.toUpperCase();
-        const pkg = extractPackageName(result);
-        const key = `${cveId}:${pkg ?? ""}`;
-        if (seen.has(key)) continue;
-        seen.add(key);
-        findings.push({
-          cveId,
-          source: "sarif",
-          packageName: pkg,
-          severity: "UNKNOWN"
-        });
+function toDependencyScope(installedType) {
+  return installedType === "direct" ? "direct" : "transitive";
+}
+function buildDependencyScopeCounts(reports) {
+  const counts = {};
+  for (const report of reports) {
+    const packageScopes = /* @__PURE__ */ new Map();
+    for (const vulnerablePackage of report.vulnerablePackages) {
+      const scope = toDependencyScope(vulnerablePackage.installed.type);
+      const current = packageScopes.get(vulnerablePackage.installed.name);
+      if (!current || current !== "direct") {
+        packageScopes.set(vulnerablePackage.installed.name, scope);
       }
     }
+    for (const result of report.results) {
+      const scope = packageScopes.get(result.packageName);
+      if (!scope) continue;
+      counts[scope] = (counts[scope] ?? 0) + 1;
+    }
+  }
+  return Object.keys(counts).length > 0 ? counts : void 0;
+}
+function buildUnresolvedReasonCounts(reports) {
+  const counts = {};
+  for (const report of reports) {
+    for (const result of report.results) {
+      if (!result.unresolvedReason) continue;
+      counts[result.unresolvedReason] = (counts[result.unresolvedReason] ?? 0) + 1;
+    }
+  }
+  return Object.keys(counts).length > 0 ? counts : void 0;
+}
+function toCiSummary(report) {
+  let remediationCount = 0;
+  for (const cveReport of report.reports) {
+    remediationCount += cveReport.results.length;
   }
-  return findings;
+  return {
+    schemaVersion: report.schemaVersion,
+    status: report.status,
+    generatedAt: report.generatedAt,
+    cveCount: report.cveIds.length,
+    remediationCount,
+    successCount: report.successCount,
+    failedCount: report.failedCount,
+    errors: report.errors,
+    evidenceFile: report.evidenceFile,
+    patchCount: report.patchCount || 0,
+    patchValidationFailures: report.patchValidationFailures,
+    strategyCounts: report.strategyCounts,
+    dependencyScopeCounts: report.dependencyScopeCounts,
+    unresolvedByReason: report.unresolvedByReason,
+    patchesDir: report.patchesDir,
+    correlation: report.correlation,
+    provenance: report.provenance,
+    constraints: report.constraints,
+    idempotencyKey: report.idempotencyKey
+  };
 }
-function parseSarifFile(filePath) {
-  const content = readFileSync7(filePath, "utf8");
-  return parseSarifFromString(content);
+function ciExitCode(summary) {
+  return summary.failedCount > 0 ? 1 : 0;
 }
-// src/scanner/index.ts
-function parseScanInput(filePath, format) {
-  const resolved = format === "auto" ? inferFormat(filePath) : format;
-  if (resolved === "npm-audit") {
-    return parseNpmAuditJsonFile(filePath);
-  }
-  if (resolved === "yarn-audit") {
-    return parseYarnAuditJsonFile(filePath);
-  }
-  if (resolved === "sarif") {
-    return parseSarifFile(filePath);
-  }
-  throw new Error(`Unsupported input format: ${resolved}`);
+// src/api/sarif.ts
+function severityToSarifLevel(severity) {
+  if (severity === "CRITICAL" || severity === "HIGH") return "error";
+  if (severity === "MEDIUM") return "warning";
+  if (severity === "LOW") return "note";
+  return "warning";
 }
-function inferFormat(filePath) {
-  const ext = extname(filePath).toLowerCase();
-  if (ext === ".sarif") return "sarif";
-  try {
-    const content = readFileSync8(filePath, "utf8");
-    const firstLine = content.split("\n").find((line) => line.trim().startsWith("{"));
-    if (firstLine) {
-      const parsed = JSON.parse(firstLine);
-      if (parsed.type === "auditAdvisory" || parsed.type === "auditSummary") {
-        return "yarn-audit";
-      }
+function toSarifOutput(report) {
+  const rules = [];
+  const results = [];
+  const seenRules = /* @__PURE__ */ new Set();
+  for (const cveReport of report.reports) {
+    const severity = cveReport.cveDetails?.severity ?? "UNKNOWN";
+    const level = severityToSarifLevel(severity);
+    const summary = cveReport.cveDetails?.summary ?? cveReport.cveId;
+    if (!seenRules.has(cveReport.cveId)) {
+      seenRules.add(cveReport.cveId);
+      rules.push({
+        id: cveReport.cveId,
+        name: "VulnerableDependency",
+        shortDescription: { text: cveReport.cveId },
+        fullDescription: { text: summary },
+        defaultConfiguration: { level },
+        helpUri: `https://osv.dev/vulnerability/${cveReport.cveId}`,
+        properties: { severity }
+      });
+    }
+    for (const vulnerablePackage of cveReport.vulnerablePackages) {
+      const fixText = vulnerablePackage.affected.firstPatchedVersion ? ` Fix: upgrade to ${vulnerablePackage.affected.firstPatchedVersion}.` : " No fixed version available.";
+      results.push({
+        ruleId: cveReport.cveId,
+        level,
+        message: {
+          text: `${vulnerablePackage.installed.name}@${vulnerablePackage.installed.version} is vulnerable to ${cveReport.cveId}: ${summary}${fixText}`
+        },
+        locations: [
+          {
+            physicalLocation: {
+              artifactLocation: { uri: "package.json", uriBaseId: "%SRCROOT%" }
+            }
+          }
+        ]
+      });
     }
-  } catch {
   }
-  return "npm-audit";
-}
-function uniqueCveIds(findings) {
-  return [...new Set(findings.map((f) => f.cveId.toUpperCase()))];
+  return {
+    version: "2.1.0",
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "autoremediator",
+            informationUri: "https://github.com/Rawlings/autoremediator",
+            rules
+          }
+        },
+        results
+      }
+    ]
+  };
 }
 // src/platform/evidence.ts
-import { mkdirSync, writeFileSync as writeFileSync2 } from "fs";
-import { join as join9 } from "path";
+import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync4 } from "fs";
+import { join as join11 } from "path";
 function createEvidenceLog(cwd, cveIds, context = {}) {
   return {
     runId: `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
@@ -2251,31 +2953,31 @@ function finalizeEvidence(log) {
   return log;
 }
 function writeEvidenceLog(cwd, log) {
-  const dir = join9(cwd, ".autoremediator", "evidence");
-  mkdirSync(dir, { recursive: true });
-  const filePath = join9(dir, `${log.runId}.json`);
-  writeFileSync2(filePath, JSON.stringify(log, null, 2) + "\n", "utf8");
+  const dir = join11(cwd, ".autoremediator", "evidence");
+  mkdirSync2(dir, { recursive: true });
+  const filePath = join11(dir, `${log.runId}.json`);
+  writeFileSync4(filePath, JSON.stringify(log, null, 2) + "\n", "utf8");
   return filePath;
 }
 // src/platform/idempotency.ts
-import { existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync3 } from "fs";
-import { join as join10 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync7, writeFileSync as writeFileSync5 } from "fs";
+import { join as join12 } from "path";
 var DEFAULT_INDEX = {
   schemaVersion: "1.0",
   entries: {}
 };
 function indexFilePath(cwd) {
-  return join10(cwd, ".autoremediator", "state", "idempotency.json");
+  return join12(cwd, ".autoremediator", "state", "idempotency.json");
 }
 function entryKey(idempotencyKey, cveId) {
   return `${idempotencyKey}::${cveId.toUpperCase()}`;
 }
 function loadIndex(cwd) {
   const filePath = indexFilePath(cwd);
-  if (!existsSync5(filePath)) return DEFAULT_INDEX;
+  if (!existsSync6(filePath)) return DEFAULT_INDEX;
   try {
-    const parsed = JSON.parse(readFileSync9(filePath, "utf8"));
+    const parsed = JSON.parse(readFileSync7(filePath, "utf8"));
     if (parsed && parsed.schemaVersion === "1.0" && parsed.entries) {
       return parsed;
     }
@@ -2286,8 +2988,8 @@ function loadIndex(cwd) {
 }
 function saveIndex(cwd, index) {
   const filePath = indexFilePath(cwd);
-  mkdirSync2(join10(cwd, ".autoremediator", "state"), { recursive: true });
-  writeFileSync3(filePath, JSON.stringify(index, null, 2) + "\n", "utf8");
+  mkdirSync3(join12(cwd, ".autoremediator", "state"), { recursive: true });
+  writeFileSync5(filePath, JSON.stringify(index, null, 2) + "\n", "utf8");
 }
 function readIdempotentReport(cwd, idempotencyKey, cveId) {
   const index = loadIndex(cwd);
@@ -2306,7 +3008,7 @@ function storeIdempotentReport(cwd, idempotencyKey, cveId, report) {
   saveIndex(cwd, index);
 }
-// src/api.ts
+// src/api/context.ts
 function buildRequestId() {
   return `req-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
 }
@@ -2330,118 +3032,312 @@ function resolveConstraints(options, cwd) {
     preferVersionBump: options.constraints?.preferVersionBump ?? policy.constraints?.preferVersionBump ?? false
   };
 }
-function enforceConstraints(report, constraints) {
-  const indirectPackages = new Set(
-    report.vulnerablePackages.filter((vp) => vp.installed.type === "indirect").map((vp) => vp.installed.name)
-  );
-  const nextResults = report.results.map((result) => {
-    if (constraints.directDependenciesOnly && indirectPackages.has(result.packageName)) {
-      return {
-        ...result,
-        strategy: "none",
-        applied: false,
-        message: `Constraint blocked remediation for indirect dependency "${result.packageName}".`
-      };
-    }
-    if (constraints.preferVersionBump && result.strategy === "patch-file") {
-      return {
-        ...result,
-        strategy: "none",
-        applied: false,
-        message: `Constraint prefers version-bump and rejected patch-file remediation for "${result.packageName}".`
-      };
+// src/api/remediate.ts
+async function remediate(cveId, options = {}) {
+  if (!/^CVE-\d{4}-\d+$/i.test(cveId)) {
+    throw new Error(
+      `Invalid CVE ID: "${cveId}". Expected format: CVE-YYYY-NNNNN (e.g. CVE-2021-23337).`
+    );
+  }
+  const normalizedCveId = cveId.toUpperCase();
+  const cwd = options.cwd ?? process.cwd();
+  const constraints = resolveConstraints(options, cwd);
+  const provenance = resolveProvenanceContext(options);
+  const correlation = resolveCorrelationContext(options);
+  const evidenceEnabled = options.evidence !== false;
+  const evidence = evidenceEnabled ? createEvidenceLog(cwd, [normalizedCveId], {
+    ...correlation,
+    actor: provenance.actor,
+    source: provenance.source,
+    idempotencyKey: options.idempotencyKey
+  }) : void 0;
+  if (options.resume && options.idempotencyKey) {
+    const cached = readIdempotentReport(cwd, options.idempotencyKey, normalizedCveId);
+    if (cached) {
+      if (evidence) {
+        addEvidenceStep(evidence, "remediate.resume-cache", { cveId: normalizedCveId });
+        finalizeEvidence(evidence);
+      }
+      const evidenceFile2 = evidence ? writeEvidenceLog(cwd, evidence) : void 0;
+      return {
+        ...cached,
+        summary: `${cached.summary} (resumed from idempotency cache)`,
+        evidenceFile: evidenceFile2,
+        correlation,
+        provenance,
+        constraints,
+        resumedFromCache: true
+      };
+    }
+  }
+  if (evidence) {
+    addEvidenceStep(
+      evidence,
+      "remediate.start",
+      {
+        cveId: normalizedCveId,
+        dryRun: Boolean(options.dryRun),
+        preview: Boolean(options.preview)
+      },
+      {
+        directDependenciesOnly: Boolean(constraints.directDependenciesOnly),
+        preferVersionBump: Boolean(constraints.preferVersionBump)
+      }
+    );
+  }
+  let report;
+  try {
+    report = await runRemediationPipeline(normalizedCveId, {
+      ...options,
+      ...correlation,
+      constraints
+    });
+  } catch (error) {
+    if (evidence) {
+      const message = error instanceof Error ? error.message : String(error);
+      addEvidenceStep(evidence, "remediate.error", { cveId: normalizedCveId }, void 0, message);
+      finalizeEvidence(evidence);
+      writeEvidenceLog(cwd, evidence);
+    }
+    throw error;
+  }
+  if (evidence) {
+    for (const result of report.results) {
+      addEvidenceStep(
+        evidence,
+        "remediate.package-result",
+        {
+          packageName: result.packageName,
+          strategy: result.strategy,
+          fromVersion: result.fromVersion,
+          toVersion: result.toVersion
+        },
+        {
+          applied: result.applied,
+          dryRun: result.dryRun,
+          unresolvedReason: result.unresolvedReason
+        }
+      );
+    }
+    addEvidenceStep(
+      evidence,
+      "remediate.finish",
+      { cveId: normalizedCveId },
+      {
+        resultCount: report.results.length,
+        vulnerableCount: report.vulnerablePackages.length
+      }
+    );
+    finalizeEvidence(evidence);
+  }
+  const evidenceFile = evidence ? writeEvidenceLog(cwd, evidence) : void 0;
+  const finalReport = {
+    ...report,
+    evidenceFile,
+    correlation,
+    provenance,
+    constraints,
+    resumedFromCache: false
+  };
+  if (options.idempotencyKey && !options.dryRun && !options.preview) {
+    storeIdempotentReport(cwd, options.idempotencyKey, normalizedCveId, finalReport);
+  }
+  return finalReport;
+}
+async function planRemediation(cveId, options = {}) {
+  return remediate(cveId, {
+    ...options,
+    preview: true,
+    dryRun: true
+  });
+}
+// src/scanner/parse-input.ts
+import { extname } from "path";
+import { readFileSync as readFileSync11 } from "fs";
+// src/scanner/adapters/npm-audit.ts
+import { readFileSync as readFileSync8 } from "fs";
+var CVE_REGEX = /CVE-\d{4}-\d+/gi;
+function normalizeSeverity(raw) {
+  if (!raw) return "UNKNOWN";
+  const up = raw.toUpperCase();
+  if (up === "CRITICAL" || up === "HIGH" || up === "MEDIUM" || up === "LOW") {
+    return up;
+  }
+  return "UNKNOWN";
+}
+function parseNpmAuditJsonFromString(content) {
+  const report = JSON.parse(content);
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
+    for (const viaEntry of vuln.via ?? []) {
+      const text = typeof viaEntry === "string" ? viaEntry : `${viaEntry.url ?? ""} ${viaEntry.name ?? ""}`;
+      const matches = text.match(CVE_REGEX) ?? [];
+      for (const match of matches) {
+        const cveId = match.toUpperCase();
+        const key = `${cveId}:${vuln.name}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        findings.push({
+          cveId,
+          source: "npm-audit",
+          packageName: vuln.name,
+          severity: normalizeSeverity(vuln.severity)
+        });
+      }
+    }
+  }
+  return findings;
+}
+function parseNpmAuditJsonFile(filePath) {
+  const content = readFileSync8(filePath, "utf8");
+  return parseNpmAuditJsonFromString(content);
+}
+// src/scanner/adapters/yarn-audit.ts
+import { readFileSync as readFileSync9 } from "fs";
+var CVE_REGEX2 = /CVE-\d{4}-\d+/gi;
+function normalizeSeverity2(raw) {
+  if (!raw) return "UNKNOWN";
+  const up = raw.toUpperCase();
+  if (up === "CRITICAL" || up === "HIGH" || up === "MEDIUM" || up === "LOW") {
+    return up;
+  }
+  return "UNKNOWN";
+}
+function parseYarnAuditJsonFromString(content) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  const lines = content.split("\n").map((line) => line.trim()).filter(Boolean);
+  for (const line of lines) {
+    let parsed;
+    try {
+      parsed = JSON.parse(line);
+    } catch {
+      continue;
+    }
+    const event = parsed;
+    if (event.type !== "auditAdvisory") continue;
+    const advisory = event.data?.advisory;
+    const packageName = advisory?.module_name;
+    const severity = normalizeSeverity2(advisory?.severity);
+    const text = `${advisory?.url ?? ""} ${(advisory?.cves ?? []).join(" ")}`;
+    const matches = text.match(CVE_REGEX2) ?? [];
+    for (const match of matches) {
+      const cveId = match.toUpperCase();
+      const key = `${cveId}:${packageName ?? ""}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      findings.push({
+        cveId,
+        source: "yarn-audit",
+        packageName,
+        severity
+      });
+    }
+  }
+  return findings;
+}
+function parseYarnAuditJsonFile(filePath) {
+  const content = readFileSync9(filePath, "utf8");
+  return parseYarnAuditJsonFromString(content);
+}
+// src/scanner/adapters/sarif.ts
+import { readFileSync as readFileSync10 } from "fs";
+var CVE_REGEX3 = /CVE-\d{4}-\d+/gi;
+function extractPackageName(result) {
+  const pkg = result.properties?.["packageName"];
+  return typeof pkg === "string" ? pkg : void 0;
+}
+function parseSarifFromString(content) {
+  const report = JSON.parse(content);
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const run of report.runs ?? []) {
+    for (const result of run.results ?? []) {
+      const combined = `${result.ruleId ?? ""} ${result.message?.text ?? ""}`;
+      const matches = combined.match(CVE_REGEX3) ?? [];
+      for (const match of matches) {
+        const cveId = match.toUpperCase();
+        const pkg = extractPackageName(result);
+        const key = `${cveId}:${pkg ?? ""}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        findings.push({
+          cveId,
+          source: "sarif",
+          packageName: pkg,
+          severity: "UNKNOWN"
+        });
+      }
     }
-    return result;
-  });
-  return {
-    ...report,
-    results: nextResults,
-    constraints
-  };
+  }
+  return findings;
 }
-async function remediate(cveId, options = {}) {
-  if (!/^CVE-\d{4}-\d+$/i.test(cveId)) {
-    throw new Error(
-      `Invalid CVE ID: "${cveId}". Expected format: CVE-YYYY-NNNNN (e.g. CVE-2021-23337).`
-    );
+function parseSarifFile(filePath) {
+  const content = readFileSync10(filePath, "utf8");
+  return parseSarifFromString(content);
+}
+// src/scanner/parse-input.ts
+function parseScanInput(filePath, format) {
+  const resolved = format === "auto" ? inferFormat(filePath) : format;
+  if (resolved === "npm-audit") {
+    return parseNpmAuditJsonFile(filePath);
   }
-  const cwd = options.cwd ?? process.cwd();
-  const constraints = resolveConstraints(options, cwd);
-  const provenance = resolveProvenanceContext(options);
-  const correlation = resolveCorrelationContext(options);
-  if (options.resume && options.idempotencyKey) {
-    const cached = readIdempotentReport(cwd, options.idempotencyKey, cveId.toUpperCase());
-    if (cached) {
-      return {
-        ...cached,
-        summary: `${cached.summary} (resumed from idempotency cache)`,
-        correlation,
-        provenance,
-        constraints,
-        resumedFromCache: true
-      };
-    }
+  if (resolved === "yarn-audit") {
+    return parseYarnAuditJsonFile(filePath);
   }
-  const report = await runRemediationPipeline(cveId.toUpperCase(), {
-    ...options,
-    ...correlation,
-    constraints
-  });
-  const constrainedReport = enforceConstraints(report, constraints);
-  const finalReport = {
-    ...constrainedReport,
-    correlation,
-    provenance,
-    constraints,
-    resumedFromCache: false
-  };
-  if (options.idempotencyKey && !options.dryRun && !options.preview) {
-    storeIdempotentReport(cwd, options.idempotencyKey, cveId.toUpperCase(), finalReport);
+  if (resolved === "sarif") {
+    return parseSarifFile(filePath);
   }
-  return {
-    ...finalReport
-  };
+  throw new Error(`Unsupported input format: ${resolved}`);
 }
-async function planRemediation(cveId, options = {}) {
-  return remediate(cveId, {
-    ...options,
-    preview: true,
-    dryRun: true
-  });
+function inferFormat(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  if (ext === ".sarif") return "sarif";
+  try {
+    const content = readFileSync11(filePath, "utf8");
+    const firstLine = content.split("\n").find((line) => line.trim().startsWith("{"));
+    if (firstLine) {
+      const parsed = JSON.parse(firstLine);
+      if (parsed.type === "auditAdvisory" || parsed.type === "auditSummary") {
+        return "yarn-audit";
+      }
+    }
+  } catch {
+  }
+  return "npm-audit";
 }
-async function remediateFromScan(inputPath, options = {}) {
-  const cwd = options.cwd ?? process.cwd();
-  const format = options.format ?? "auto";
-  const patchesDir = options.patchesDir ?? "./patches";
-  const findings = parseScanInput(inputPath, format);
-  const cveIds = uniqueCveIds(findings);
-  const policy = loadPolicy(cwd, options.policy);
-  const correlation = resolveCorrelationContext(options);
-  const provenance = resolveProvenanceContext(options);
-  const constraints = resolveConstraints(options, cwd);
-  const evidence = createEvidenceLog(cwd, cveIds, {
-    ...correlation,
-    actor: provenance.actor,
-    source: provenance.source,
-    idempotencyKey: options.idempotencyKey
-  });
-  addEvidenceStep(evidence, "scan.parse", { inputPath, format }, { findingCount: findings.length, cveCount: cveIds.length });
+// src/scanner/unique-cve-ids.ts
+function uniqueCveIds(findings) {
+  return [...new Set(findings.map((f) => f.cveId.toUpperCase()))];
+}
+// src/api/scan-execution.ts
+async function executeScanRemediations(params) {
   const reports = [];
   const errors = [];
   const patchValidationFailures = [];
   let patchCount = 0;
-  for (const cveId of cveIds) {
+  for (const cveId of params.cveIds) {
     try {
-      addEvidenceStep(evidence, "remediate.start", { cveId });
+      addEvidenceStep(params.evidence, "remediate.start", { cveId });
       const report = await remediate(cveId, {
-        ...options,
-        patchesDir,
-        ...correlation,
-        actor: provenance.actor,
-        source: provenance.source,
-        constraints
+        ...params.options,
+        patchesDir: params.patchesDir,
+        evidence: false,
+        ...params.correlation,
+        actor: params.provenance.actor,
+        source: params.provenance.source,
+        constraints: params.constraints
       });
-      report.results = report.results.filter((r) => isPackageAllowed(policy, r.packageName));
+      report.results = report.results.filter((result) => isPackageAllowed(params.policy, result.packageName));
       for (const result of report.results) {
         if (result.strategy === "patch-file") {
           patchCount += 1;
@@ -2455,16 +3351,26 @@ async function remediateFromScan(inputPath, options = {}) {
         }
       }
       reports.push(report);
-      addEvidenceStep(evidence, "remediate.finish", { cveId }, { results: report.results.length });
+      addEvidenceStep(params.evidence, "remediate.finish", { cveId }, { results: report.results.length });
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
       errors.push({ cveId, message });
-      addEvidenceStep(evidence, "remediate.error", { cveId }, void 0, message);
+      addEvidenceStep(params.evidence, "remediate.error", { cveId }, void 0, message);
     }
   }
+  return {
+    reports,
+    errors,
+    patchCount,
+    patchValidationFailures
+  };
+}
+// src/api/scan-outcome.ts
+function buildScanOutcome(params) {
   let successCount = 0;
   let failedCount = 0;
-  for (const report of reports) {
+  for (const report of params.reports) {
     for (const result of report.results) {
       if (result.applied || result.dryRun) {
         successCount += 1;
@@ -2473,13 +3379,75 @@ async function remediateFromScan(inputPath, options = {}) {
       }
     }
   }
-  failedCount += errors.length;
+  failedCount += params.errors.length;
   let status = "ok";
   if (failedCount > 0 && successCount > 0) {
     status = "partial";
   } else if (failedCount > 0 && successCount === 0) {
     status = "failed";
   }
+  const strategyCounts = buildStrategyCounts(params.reports);
+  const dependencyScopeCounts = buildDependencyScopeCounts(params.reports);
+  const unresolvedByReason = buildUnresolvedReasonCounts(params.reports);
+  const remediationCount = params.reports.reduce((sum, report) => sum + report.results.length, 0);
+  return {
+    status,
+    successCount,
+    failedCount,
+    strategyCounts,
+    dependencyScopeCounts,
+    unresolvedByReason,
+    remediationCount
+  };
+}
+// src/api/remediate-from-scan.ts
+async function remediateFromScan(inputPath, options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const format = options.format ?? "auto";
+  const patchesDir = options.patchesDir ?? "./patches";
+  const findings = parseScanInput(inputPath, format);
+  const cveIds = uniqueCveIds(findings);
+  const policy = loadPolicy(cwd, options.policy);
+  const correlation = resolveCorrelationContext(options);
+  const provenance = resolveProvenanceContext(options);
+  const constraints = resolveConstraints(options, cwd);
+  const evidence = createEvidenceLog(cwd, cveIds, {
+    ...correlation,
+    actor: provenance.actor,
+    source: provenance.source,
+    idempotencyKey: options.idempotencyKey
+  });
+  addEvidenceStep(evidence, "scan.parse", { inputPath, format }, { findingCount: findings.length, cveCount: cveIds.length });
+  const execution = await executeScanRemediations({
+    cveIds,
+    options,
+    patchesDir,
+    policy,
+    correlation,
+    provenance,
+    constraints,
+    evidence
+  });
+  const reports = execution.reports;
+  const errors = execution.errors;
+  const patchCount = execution.patchCount;
+  const patchValidationFailures = execution.patchValidationFailures;
+  const outcome = buildScanOutcome({ reports, errors });
+  const { status, successCount, failedCount, strategyCounts, dependencyScopeCounts, unresolvedByReason, remediationCount } = outcome;
+  evidence.summary = {
+    status,
+    cveCount: cveIds.length,
+    remediationCount,
+    successCount,
+    failedCount,
+    patchCount,
+    patchValidationFailures: patchValidationFailures.length > 0 ? patchValidationFailures : void 0,
+    strategyCounts,
+    dependencyScopeCounts,
+    unresolvedByReason,
+    patchesDir: patchCount > 0 ? patchesDir : void 0
+  };
   finalizeEvidence(evidence);
   const evidenceFile = options.evidence === false ? void 0 : writeEvidenceLog(cwd, evidence);
   return {
@@ -2494,6 +3462,9 @@ async function remediateFromScan(inputPath, options = {}) {
     evidenceFile,
     patchCount,
     patchValidationFailures: patchValidationFailures.length > 0 ? patchValidationFailures : void 0,
+    strategyCounts,
+    dependencyScopeCounts,
+    unresolvedByReason,
     patchesDir: patchCount > 0 ? patchesDir : void 0,
     correlation,
     provenance,
@@ -2501,102 +3472,22 @@ async function remediateFromScan(inputPath, options = {}) {
     idempotencyKey: options.idempotencyKey
   };
 }
-function toCiSummary(report) {
-  let remediationCount = 0;
-  for (const cveReport of report.reports) {
-    remediationCount += cveReport.results.length;
-  }
-  return {
-    schemaVersion: report.schemaVersion,
-    status: report.status,
-    generatedAt: report.generatedAt,
-    cveCount: report.cveIds.length,
-    remediationCount,
-    successCount: report.successCount,
-    failedCount: report.failedCount,
-    errors: report.errors,
-    evidenceFile: report.evidenceFile,
-    patchCount: report.patchCount || 0,
-    patchValidationFailures: report.patchValidationFailures,
-    patchesDir: report.patchesDir,
-    correlation: report.correlation,
-    provenance: report.provenance,
-    constraints: report.constraints,
-    idempotencyKey: report.idempotencyKey
-  };
-}
-function ciExitCode(summary) {
-  return summary.failedCount > 0 ? 1 : 0;
-}
-function severityToSarifLevel(severity) {
-  if (severity === "CRITICAL" || severity === "HIGH") return "error";
-  if (severity === "MEDIUM") return "warning";
-  if (severity === "LOW") return "note";
-  return "warning";
-}
-function toSarifOutput(report) {
-  const rules = [];
-  const results = [];
-  const seenRules = /* @__PURE__ */ new Set();
-  for (const r of report.reports) {
-    const severity = r.cveDetails?.severity ?? "UNKNOWN";
-    const level = severityToSarifLevel(severity);
-    const summary = r.cveDetails?.summary ?? r.cveId;
-    if (!seenRules.has(r.cveId)) {
-      seenRules.add(r.cveId);
-      rules.push({
-        id: r.cveId,
-        name: "VulnerableDependency",
-        shortDescription: { text: r.cveId },
-        fullDescription: { text: summary },
-        defaultConfiguration: { level },
-        helpUri: `https://osv.dev/vulnerability/${r.cveId}`,
-        properties: { severity }
-      });
-    }
-    for (const vp of r.vulnerablePackages) {
-      const fixText = vp.affected.firstPatchedVersion ? ` Fix: upgrade to ${vp.affected.firstPatchedVersion}.` : " No fixed version available.";
-      results.push({
-        ruleId: r.cveId,
-        level,
-        message: {
-          text: `${vp.installed.name}@${vp.installed.version} is vulnerable to ${r.cveId}: ${summary}${fixText}`
-        },
-        locations: [
-          {
-            physicalLocation: {
-              artifactLocation: { uri: "package.json", uriBaseId: "%SRCROOT%" }
-            }
-          }
-        ]
-      });
-    }
-  }
-  return {
-    version: "2.1.0",
-    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json",
-    runs: [
-      {
-        tool: {
-          driver: {
-            name: "autoremediator",
-            informationUri: "https://github.com/Rawlings/autoremediator",
-            rules
-          }
-        },
-        results
-      }
-    ]
-  };
-}
 export {
   runRemediationPipeline,
-  remediate,
-  planRemediation,
-  remediateFromScan,
+  PACKAGE_MANAGER_VALUES,
+  LLM_PROVIDER_VALUES,
+  PROVENANCE_SOURCE_VALUES,
+  OPTION_DESCRIPTIONS,
+  createConstraintSchemaProperties,
+  createRemediateOptionSchemaProperties,
+  createScanOptionSchemaProperties,
+  createScanReportSchemaProperties,
   toCiSummary,
   ciExitCode,
-  toSarifOutput
+  toSarifOutput,
+  remediate,
+  planRemediation,
+  remediateFromScan
 };
-//# sourceMappingURL=chunk-VLXGEH7U.js.map
+//# sourceMappingURL=chunk-MUFP2DQX.js.map