cistack 3.2.0 → 5.0.0

package/src/analyzers/monorepo.js

@@ -43,17 +43,17 @@ class MonorepoAnalyzer {
 
       for (const relDir of matches) {
         if (seen.has(relDir)) continue;
-        seen.add(relDir);
 
         const absPath = path.join(this.root, relDir);
         const pkgJsonPath = path.join(absPath, 'package.json');
-        let pkgJson = null;
+        if (!fs.existsSync(pkgJsonPath)) continue;
 
-        if (fs.existsSync(pkgJsonPath)) {
-          try {
-            pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
-          } catch (_) {}
-        }
+        seen.add(relDir);
+
+        let pkgJson = null;
+        try {
+          pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+        } catch (_) {}
 
         const name = (pkgJson && pkgJson.name) || path.basename(relDir);
 

package/src/analyzers/workflow.js

@@ -25,6 +25,7 @@ class WorkflowAnalyzer {
       'docker/build-push-action': 'v5',
       'docker/metadata-action': 'v5',
       'pnpm/action-setup': 'v3',
+      'oven-sh/setup-bun': 'v2',
       'codecov/codecov-action': 'v4',
       'github/codeql-action/init': 'v3',
       'github/codeql-action/analyze': 'v3',
@@ -70,6 +71,15 @@ class WorkflowAnalyzer {
 
   _auditFile(filename, parsed, rawContent) {
     const issues = [];
+    if (!parsed || typeof parsed !== 'object') {
+      issues.push({
+        type: 'invalid_workflow',
+        severity: 'high',
+        message: 'Workflow file does not parse to a valid YAML object',
+        fix: 'Ensure the workflow root is a YAML mapping with top-level workflow keys',
+      });
+      return issues;
+    }
 
     // 1. Check for concurrency
     if (!parsed.concurrency) {
@@ -85,7 +95,6 @@ class WorkflowAnalyzer {
     const actionRegex = /uses:\s*([\w\-\/]+)@([\w\.]+)/g;
     let match;
     while ((match = actionRegex.exec(rawContent)) !== null) {
-      const fullAction = match[0];
       const actionName = match[1];
       const currentVersion = match[2];
 
@@ -148,7 +157,6 @@ class WorkflowAnalyzer {
     for (const filename of files) {
       const filePath = path.join(this.workflowsDir, filename);
       let content = fs.readFileSync(filePath, 'utf8');
-      let originalContent = content;
       let fileChanges = 0;
 
       for (const [action, latest] of Object.entries(this.latestVersions)) {

package/src/config/loader.js

@@ -2,6 +2,7 @@
 
 const fs = require('fs');
 const path = require('path');
+const chalk = require('chalk');
 
 /**
  * Loads cistack.config.js (or .cjs / .mjs) from the project root.
@@ -12,8 +13,10 @@ const path = require('path');
  *   packageManager   – override detected PM: 'npm'|'yarn'|'pnpm'|'bun'
  *   hosting          – array of hosting names to force e.g. ['Firebase']
  *   branches         – branches to run CI on e.g. ['main', 'staging']
+ *                      (default: detected git default branch, then main/master/develop)
  *   cache            – { npm: bool, cargo: bool, pip: bool, ... } enable/disable caches
  *   monorepo         – { perPackage: bool } generate one file per workspace
+ *   workflowLayout   – 'single' | 'split' (default: 'single')
  *   release          – { tool: 'semantic-release'|'changesets'|'standard-version'|'release-it' }
  *   secrets          – extra secret names to document in workflow comments
  *   outputDir        – override default '.github/workflows'
@@ -23,7 +26,7 @@ class ConfigLoader {
     this.projectPath = projectPath;
   }
 
-  load() {
+  async load() {
     const candidates = [
       'cistack.config.js',
       'cistack.config.cjs',
@@ -40,10 +43,11 @@ class ConfigLoader {
           // Since this is a CLI, we can afford a bit of hackiness or just support CommonJS primarily.
           
           let cfg;
-          if (candidate.endsWith('.mjs')) {
-            // Very basic support for .mjs if the environment supports it, but require usually fails.
-            // We'll try to use the fact that many environments now support require('.mjs') or just warn.
-            cfg = require(fullPath);
+          if (candidate.endsWith('.mjs') || (candidate.endsWith('.js') && !candidate.endsWith('.cjs'))) {
+            // Dynamic import() for ESM support
+            const modulePath = path.resolve(this.projectPath, candidate);
+            const imported = await import(`file://${modulePath}`);
+            cfg = imported.default || imported;
           } else {
             delete require.cache[require.resolve(fullPath)];
             cfg = require(fullPath);
@@ -103,6 +107,30 @@ class ConfigLoader {
     if (!cfg || Object.keys(cfg).length === 0) return detected;
 
     const result = { ...detected };
+    const runScript = (scriptName) => {
+      const packageManager =
+        (result.languages && result.languages[0] && result.languages[0].packageManager) ||
+        cfg.packageManager ||
+        'npm';
+      if (packageManager === 'yarn') return `yarn run ${scriptName}`;
+      if (packageManager === 'pnpm') return `pnpm run ${scriptName}`;
+      if (packageManager === 'bun') return `bun run ${scriptName}`;
+      return `npm run ${scriptName}`;
+    };
+    const canonicalHostingNames = {
+      firebase: 'Firebase',
+      vercel: 'Vercel',
+      netlify: 'Netlify',
+      aws: 'AWS',
+      'gcp app engine': 'GCP App Engine',
+      gcp: 'GCP App Engine',
+      azure: 'Azure',
+      heroku: 'Heroku',
+      render: 'Render',
+      railway: 'Railway',
+      'github pages': 'GitHub Pages',
+      'github-pages': 'GitHub Pages',
+    };
 
     // 1. Language overrides (Node version, package manager)
     if (cfg.nodeVersion && result.languages && result.languages.length > 0) {
@@ -114,23 +142,41 @@ class ConfigLoader {
     }
 
     if (cfg.packageManager && result.languages && result.languages.length > 0) {
-      result.languages = result.languages.map((l, i) =>
-        i === 0 ? { ...l, packageManager: cfg.packageManager, manual: true } : l
+      result.languages = result.languages.map((l) =>
+        ({ ...l, packageManager: cfg.packageManager, manual: true })
       );
     }
 
     // 2. Hosting overrides
     if (cfg.hosting) {
       const hostingNames = Array.isArray(cfg.hosting) ? cfg.hosting : [cfg.hosting];
+      const hostingSecrets = {
+        Firebase: ['FIREBASE_SERVICE_ACCOUNT'],
+        Vercel: ['VERCEL_TOKEN', 'VERCEL_ORG_ID', 'VERCEL_PROJECT_ID'],
+        Netlify: ['NETLIFY_AUTH_TOKEN', 'NETLIFY_SITE_ID'],
+        AWS: ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_REGION', 'AWS_S3_BUCKET', 'CLOUDFRONT_DISTRIBUTION_ID'],
+        'GCP App Engine': ['GCP_SA_KEY'],
+        Azure: ['AZURE_APP_NAME', 'AZURE_WEBAPP_PUBLISH_PROFILE'],
+        Heroku: ['HEROKU_API_KEY', 'HEROKU_APP_NAME', 'HEROKU_EMAIL'],
+        Render: ['RENDER_DEPLOY_HOOK_URL'],
+        Railway: ['RAILWAY_TOKEN'],
+        'GitHub Pages': [],
+      };
       result.hosting = hostingNames.map((name) => ({
-        name,
+        name: canonicalHostingNames[String(name).toLowerCase()] || name,
         confidence: 1.0,
         manual: true,
-        secrets: [],
+        secrets: hostingSecrets[canonicalHostingNames[String(name).toLowerCase()] || name] || [],
         notes: ['set via cistack.config.js'],
       }));
     }
 
+    // 2b. Release override
+    if (cfg.release) {
+      const releaseOverride = typeof cfg.release === 'string' ? { tool: cfg.release } : cfg.release;
+      result.releaseInfo = { ...(result.releaseInfo || {}), ...releaseOverride };
+    }
+
     // 3. Framework overrides
     if (cfg.frameworks) {
       const frameworkNames = Array.isArray(cfg.frameworks) ? cfg.frameworks : [cfg.frameworks];
@@ -149,10 +195,20 @@ class ConfigLoader {
         confidence: 1.0,
         manual: true,
         type: 'unit', // default
-        command: `npm run test` // fallback
+        command: runScript('test') // fallback
       }));
     }
 
+    // 5. Extra documented secrets
+    if (cfg.secrets) {
+      const extraSecrets = Array.isArray(cfg.secrets) ? cfg.secrets : [cfg.secrets];
+      const envVars = result.envVars || { secrets: [], public: [], all: [], sourceFile: null };
+      result.envVars = {
+        ...envVars,
+        secrets: [...new Set([...(envVars.secrets || []), ...extraSecrets])],
+      };
+    }
+
     // Pass through raw extras for generators to consume
     result._config = { ...(result._config || {}), ...cfg };
 

package/src/detectors/framework.js

@@ -17,26 +17,24 @@ class FrameworkDetector {
   }
 
   async detect() {
-    const results = [];
-
-    const checks = [
+    const results = [
       // JS / TS frontend
-      this._check('Next.js', ['next'], ['next.config.js', 'next.config.ts', 'next.config.mjs'], { buildDir: '.next', nodeVersion: '20' }),
-      this._check('Nuxt', ['nuxt', 'nuxt3'], ['nuxt.config.js', 'nuxt.config.ts'], { buildDir: '.nuxt', nodeVersion: '20' }),
-      this._check('SvelteKit', ['@sveltejs/kit'], ['svelte.config.js'], { buildDir: '.svelte-kit', nodeVersion: '20' }),
-      this._check('Remix', ['@remix-run/react', '@remix-run/node'], [], { nodeVersion: '20' }),
-      this._check('Astro', ['astro'], ['astro.config.mjs', 'astro.config.ts'], { buildDir: 'dist', nodeVersion: '20' }),
-      this._check('Vite', ['vite'], ['vite.config.js', 'vite.config.ts'], { buildDir: 'dist' }),
-      this._check('React', ['react', 'react-dom'], [], { buildDir: 'build' }),
-      this._check('Vue', ['vue'], [], { buildDir: 'dist' }),
-      this._check('Angular', ['@angular/core'], [], { buildDir: 'dist', nodeVersion: '20' }),
-      this._check('Svelte', ['svelte'], ['svelte.config.js'], { buildDir: 'public' }),
-      this._check('Gatsby', ['gatsby'], [], { buildDir: 'public', nodeVersion: '20' }),
-      this._check('Ember', ['ember-cli'], [], {}),
+      this._check('Next.js', ['next'], ['next.config.js', 'next.config.ts', 'next.config.mjs'], { buildDir: '.next', priority: 10 }),
+      this._check('Nuxt', ['nuxt', 'nuxt3'], ['nuxt.config.js', 'nuxt.config.ts'], { buildDir: '.nuxt', priority: 10 }),
+      this._check('SvelteKit', ['@sveltejs/kit'], ['svelte.config.js'], { buildDir: '.svelte-kit', priority: 10 }),
+      this._check('Remix', ['@remix-run/react', '@remix-run/node'], [], { priority: 10 }),
+      this._check('Astro', ['astro'], ['astro.config.mjs', 'astro.config.ts'], { buildDir: 'dist', priority: 10 }),
+      this._check('Vite', ['vite'], ['vite.config.js', 'vite.config.ts'], { buildDir: 'dist', priority: 5 }),
+      this._check('React', ['react', 'react-dom'], [], { buildDir: 'build', priority: 1 }),
+      this._check('Vue', ['vue'], [], { buildDir: 'dist', priority: 1 }),
+      this._check('Angular', ['@angular/core'], [], { buildDir: 'dist', priority: 1 }),
+      this._check('Svelte', ['svelte'], ['svelte.config.js'], { buildDir: 'public', priority: 1 }),
+      this._check('Gatsby', ['gatsby'], [], { buildDir: 'public', priority: 1 }),
+      this._check('Ember', ['ember-cli'], [], { priority: 1 }),
       // Node / backend
       this._check('Express', ['express'], [], { isServer: true }),
       this._check('Fastify', ['fastify'], [], { isServer: true }),
-      this._check('NestJS', ['@nestjs/core'], [], { isServer: true, nodeVersion: '20' }),
+      this._check('NestJS', ['@nestjs/core'], [], { isServer: true }),
       this._check('Hono', ['hono'], [], { isServer: true }),
       this._check('Koa', ['koa'], [], { isServer: true }),
       this._check('tRPC', ['@trpc/server', '@trpc/client'], [], { isServer: true }),
@@ -47,7 +45,7 @@ class FrameworkDetector {
       // Ruby
       this._checkRuby('Rails', 'rails'),
       // Java / Kotlin
-      this._checkJVM('Spring Boot', 'spring-boot'),
+      this._checkJVM('Spring Boot', ['spring-boot', 'org.springframework.boot']),
       // PHP
       this._checkComposer('Laravel', 'laravel/framework'),
       // Go
@@ -56,8 +54,12 @@ class FrameworkDetector {
       this._checkRust('Rust'),
     ].filter(Boolean);
 
-    return checks
-      .filter((r) => r.confidence > 0)
+    // Filter by confidence and priority
+    const filtered = results.filter((r) => r.confidence > 0);
+    const hasMeta = filtered.some(r => (r.priority || 0) >= 10);
+    
+    return filtered
+      .filter(r => !hasMeta || (r.priority || 0) >= 10)
       .sort((a, b) => b.confidence - a.confidence);
   }
 
@@ -115,22 +117,24 @@ class FrameworkDetector {
     return confidence > 0 ? { name, confidence, isServer: true, isRuby: true, reasons } : null;
   }
 
-  _checkJVM(name, keyword) {
+  _checkJVM(name, keywords) {
     const gradlePath = path.join(this.root, 'build.gradle');
+    const gradleKtsPath = path.join(this.root, 'build.gradle.kts');
     const pomPath = path.join(this.root, 'pom.xml');
     let confidence = 0;
     let foundIn = '';
-    for (const p of [gradlePath, pomPath]) {
+    const candidates = Array.isArray(keywords) ? keywords : [keywords];
+    for (const p of [gradlePath, gradleKtsPath, pomPath]) {
       if (fs.existsSync(p)) {
         const content = fs.readFileSync(p, 'utf8').toLowerCase();
-        if (content.includes(keyword.toLowerCase())) { 
-          confidence = 0.9; 
+        if (candidates.some((keyword) => content.includes(keyword.toLowerCase()))) {
+          confidence = 0.9;
           foundIn = path.basename(p);
-          break; 
+          break;
         }
       }
     }
-    const reasons = confidence > 0 ? [`found ${keyword} in ${foundIn}`] : [];
+    const reasons = confidence > 0 ? [`found ${name} markers in ${foundIn}`] : [];
     return confidence > 0 ? { name, confidence, isServer: true, isJVM: true, reasons } : null;
   }
 

package/src/detectors/hosting.js

@@ -84,7 +84,7 @@ class HostingDetector {
       name: 'Firebase',
       confidence: Math.min(confidence, 1),
       deployCommand: `firebase deploy --only ${deployTarget}`,
-      secrets: ['FIREBASE_TOKEN'],
+      secrets: ['FIREBASE_SERVICE_ACCOUNT'],
       reasons,
       buildStep: this._detectBuildScript(),
     };
@@ -102,7 +102,7 @@ class HostingDetector {
     return {
       name: 'Vercel',
       confidence: Math.min(confidence, 1),
-      deployCommand: 'vercel --prod --token $VERCEL_TOKEN',
+      deployCommand: 'vercel deploy --prod',
       secrets: ['VERCEL_TOKEN', 'VERCEL_ORG_ID', 'VERCEL_PROJECT_ID'],
       reasons,
       buildStep: this._detectBuildScript(),
@@ -118,7 +118,7 @@ class HostingDetector {
     if (this.deps['netlify-cli'] || this.deps['netlify']) { confidence += 0.3; reasons.push('netlify dependency found'); }
     if (Object.values(this.scripts).some((s) => s.includes('netlify'))) { confidence += 0.3; reasons.push('netlify script found'); }
 
-    let publishDir = 'dist';
+    let publishDir = null;
     try {
       const toml = fs.readFileSync(path.join(this.root, 'netlify.toml'), 'utf8');
       const match = toml.match(/publish\s*=\s*["']?([^"'\n]+)/);
@@ -173,7 +173,7 @@ class HostingDetector {
       name: 'Heroku',
       confidence,
       deployCommand: 'git push heroku main',
-      secrets: ['HEROKU_API_KEY', 'HEROKU_APP_NAME'],
+      secrets: ['HEROKU_API_KEY', 'HEROKU_APP_NAME', 'HEROKU_EMAIL'],
       reasons,
     };
   }
@@ -187,7 +187,7 @@ class HostingDetector {
       name: 'GCP App Engine',
       confidence,
       deployCommand: 'gcloud app deploy',
-      secrets: ['GCP_PROJECT_ID', 'GCP_SA_KEY'],
+      secrets: ['GCP_SA_KEY'],
       reasons,
     };
   }
@@ -199,11 +199,12 @@ class HostingDetector {
     if (this.configs.has('serverless.yml') || this.configs.has('serverless.yaml')) { confidence += 0.6; reasons.push('serverless.yml found'); }
     if (this.configs.has('cdk.json')) { confidence += 0.4; reasons.push('cdk.json found'); }
     if (this.deps['aws-sdk'] || this.deps['@aws-sdk/client-s3']) { confidence += 0.15; reasons.push('aws-sdk found'); }
+    const buildDir = this._detectBuildDir();
     return {
       name: 'AWS',
       confidence: Math.min(confidence, 1),
-      deployCommand: 'aws s3 sync ./dist s3://$AWS_S3_BUCKET --delete',
-      secrets: ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_REGION'],
+      deployCommand: `aws s3 sync ./${buildDir} s3://$AWS_S3_BUCKET --delete`,
+      secrets: ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_REGION', 'AWS_S3_BUCKET', 'CLOUDFRONT_DISTRIBUTION_ID'],
       reasons,
     };
   }
@@ -211,13 +212,16 @@ class HostingDetector {
   _checkAzure() {
     let confidence = 0;
     const reasons = [];
-    if (this.files.has('.azure/pipelines.yml')) { confidence += 0.5; reasons.push('.azure/pipelines.yml found'); }
+    if (this.files.has('.azure/pipelines.yml') || this.files.has('azure/pipelines.yml')) {
+      confidence += 0.5;
+      reasons.push('azure/pipelines.yml found');
+    }
     if (this.deps['@azure/core-http']) { confidence += 0.2; reasons.push('azure core-http found'); }
     return {
       name: 'Azure',
       confidence,
       deployCommand: 'az webapp up',
-      secrets: ['AZURE_CREDENTIALS'],
+      secrets: ['AZURE_APP_NAME', 'AZURE_WEBAPP_PUBLISH_PROFILE'],
       reasons,
     };
   }
@@ -242,7 +246,10 @@ class HostingDetector {
   _checkDocker() {
     let confidence = 0;
     const reasons = [];
-    if (this.configs.has('Dockerfile')) { confidence += 0.5; reasons.push('Dockerfile found'); }
+    if (this.configs.has('Dockerfile') || this.configs.has('Dockerfile.prod')) {
+      confidence += 0.5;
+      reasons.push(this.configs.has('Dockerfile') ? 'Dockerfile found' : 'Dockerfile.prod found');
+    }
     if (this.configs.has('docker-compose.yml') || this.configs.has('docker-compose.yaml')) { confidence += 0.3; reasons.push('docker-compose.yml found'); }
     return {
       name: 'Docker',
@@ -259,6 +266,14 @@ class HostingDetector {
     if (scripts['build:prod']) return `npm run build:prod`;
     return null;
   }
+
+  _detectBuildDir() {
+    // If codebase has common build dirs
+    const dirs = this.info.srcStructure.topDirs || [];
+    if (dirs.includes('dist')) return 'dist';
+    if (dirs.includes('build')) return 'build';
+    return 'dist'; // fallback
+  }
 }
 
 module.exports = HostingDetector;

package/src/detectors/language.js

@@ -78,7 +78,7 @@ class LanguageDetector {
     if (lang === 'JavaScript' || lang === 'TypeScript') {
       if (lockFiles.includes('pnpm-lock.yaml')) return 'pnpm';
       if (lockFiles.includes('yarn.lock')) return 'yarn';
-      if (lockFiles.includes('bun.lockb')) return 'bun';
+      if (lockFiles.includes('bun.lock') || lockFiles.includes('bun.lockb')) return 'bun';
       return 'npm';
     }
     if (lang === 'Python') {
@@ -89,7 +89,7 @@ class LanguageDetector {
     if (lang === 'Ruby') return 'bundler';
     if (lang === 'Go') return 'go mod';
     if (lang === 'Rust') return 'cargo';
-    if (lang === 'Java') {
+    if (lang === 'Java' || lang === 'Kotlin') {
       if (fs.existsSync(path.join(this.root, 'pom.xml'))) return 'maven';
       return 'gradle';
     }

package/src/detectors/release.js

@@ -24,6 +24,7 @@ class ReleaseDetector {
       ...(this.pkg.devDependencies || {}),
     };
     this.scripts = this.pkg.scripts || {};
+    this.packageManager = this._detectPackageManager();
   }
 
   async detect() {
@@ -55,12 +56,13 @@ class ReleaseDetector {
     // --- release-it ---
     if (this.deps['release-it']) {
       const config = this._loadReleaseItConfig();
+      const publishToNpm = !!(config && config.npm && config.npm.publish !== false);
       return {
         tool: 'release-it',
         command: 'npx release-it --ci',
         config,
-        publishToNpm: !!(config && config.npm && config.npm.publish !== false),
-        requiresNpmToken: true,
+        publishToNpm,
+        requiresNpmToken: publishToNpm,
       };
     }
 
@@ -77,9 +79,10 @@ class ReleaseDetector {
     // --- fallback: check scripts ---
     const releaseScript = this.scripts['release'] || this.scripts['version'];
     if (releaseScript) {
+      const scriptName = this.scripts['release'] ? 'release' : 'version';
       return {
         tool: 'custom',
-        command: 'npm run release',
+        command: this._runScript(scriptName),
         publishToNpm: releaseScript.includes('publish'),
         requiresNpmToken: releaseScript.includes('publish'),
       };
@@ -90,14 +93,15 @@ class ReleaseDetector {
 
   _loadSemanticReleaseConfig() {
     // Try .releaserc, .releaserc.json, .releaserc.js, package.json#release
-    const candidates = ['.releaserc', '.releaserc.json', '.releaserc.js', '.releaserc.yaml'];
+    const candidates = ['.releaserc', '.releaserc.json', '.releaserc.js', '.releaserc.cjs', '.releaserc.yaml', '.releaserc.yml'];
     for (const c of candidates) {
       const p = path.join(this.root, c);
       if (fs.existsSync(p)) {
         try {
+          if (c.endsWith('.js') || c.endsWith('.cjs')) return require(p);
           const raw = fs.readFileSync(p, 'utf8');
-          if (c.endsWith('.js')) return require(p);
-          return JSON.parse(raw);
+          const yaml = require('js-yaml');
+          return yaml.load(raw);
         } catch (_) {}
       }
     }
@@ -106,19 +110,36 @@ class ReleaseDetector {
   }
 
   _loadReleaseItConfig() {
-    const candidates = ['.release-it.json', '.release-it.js', '.release-it.yaml'];
+    const candidates = ['.release-it.json', '.release-it.js', '.release-it.cjs', '.release-it.yaml', '.release-it.yml'];
     for (const c of candidates) {
       const p = path.join(this.root, c);
       if (fs.existsSync(p)) {
         try {
+          if (c.endsWith('.js') || c.endsWith('.cjs')) return require(p);
           const raw = fs.readFileSync(p, 'utf8');
-          return JSON.parse(raw);
+          const yaml = require('js-yaml');
+          return yaml.load(raw);
         } catch (_) {}
       }
     }
     if (this.pkg['release-it']) return this.pkg['release-it'];
     return {};
   }
+
+  _detectPackageManager() {
+    const lockFiles = this.info.lockFiles || [];
+    if (lockFiles.includes('pnpm-lock.yaml')) return 'pnpm';
+    if (lockFiles.includes('yarn.lock')) return 'yarn';
+    if (lockFiles.includes('bun.lock') || lockFiles.includes('bun.lockb')) return 'bun';
+    return 'npm';
+  }
+
+  _runScript(name) {
+    if (this.packageManager === 'yarn') return `yarn run ${name}`;
+    if (this.packageManager === 'pnpm') return `pnpm run ${name}`;
+    if (this.packageManager === 'bun') return `bun run ${name}`;
+    return `npm run ${name}`;
+  }
 }
 
 module.exports = ReleaseDetector;

package/src/detectors/testing.js

@@ -15,6 +15,7 @@ class TestingDetector {
     this.scripts = this.pkg.scripts || {};
     this.configs = new Set(codebaseInfo.configFiles);
     this.files = new Set(codebaseInfo.files);
+    this.packageManager = this._detectPackageManager();
   }
 
   async detect() {
@@ -128,10 +129,25 @@ class TestingDetector {
 
   _testScript(tool) {
     const scripts = this.pkg.scripts || {};
-    if (scripts.test && scripts.test.includes(tool)) return 'npm test';
-    if (scripts['test:ci']) return 'npm run test:ci';
+    if (scripts.test && scripts.test.includes(tool)) return this._runScript('test');
+    if (scripts['test:ci']) return this._runScript('test:ci');
     return null;
   }
+
+  _detectPackageManager() {
+    const lockFiles = this.info.lockFiles || [];
+    if (lockFiles.includes('pnpm-lock.yaml')) return 'pnpm';
+    if (lockFiles.includes('yarn.lock')) return 'yarn';
+    if (lockFiles.includes('bun.lock') || lockFiles.includes('bun.lockb')) return 'bun';
+    return 'npm';
+  }
+
+  _runScript(name) {
+    if (this.packageManager === 'yarn') return `yarn run ${name}`;
+    if (this.packageManager === 'pnpm') return `pnpm run ${name}`;
+    if (this.packageManager === 'bun') return `bun run ${name}`;
+    return `npm run ${name}`;
+  }
 }
 
 module.exports = TestingDetector;

package/src/generators/dependabot.js

@@ -6,7 +6,7 @@ const yaml = require('js-yaml');
  * Generates a .github/dependabot.yml based on detected ecosystems.
  *
  * Supported ecosystems:
- *   npm, pip, cargo, bundler, go, maven, gradle, github-actions, composer, docker
+ *   bun, npm, pip, cargo, bundler, go, maven, gradle, github-actions, composer, docker
  */
 class DependabotGenerator {
   constructor(codebaseInfo) {
@@ -18,12 +18,32 @@ class DependabotGenerator {
 
   generate() {
     const updates = [];
+    const hasDeps =
+      Object.keys(this.pkg.dependencies || {}).length > 0 ||
+      Object.keys(this.pkg.devDependencies || {}).length > 0;
+    const hasBunLock = this.lockFiles.has('bun.lock');
+
+    // ── bun ────────────────────────────────────────────────────────────────
+    if (hasBunLock) {
+      updates.push({
+        'package-ecosystem': 'bun',
+        directory: '/',
+        schedule: { interval: 'weekly', day: 'monday' },
+        'open-pull-requests-limit': 10,
+        groups: {
+          'dev-dependencies': {
+            'dependency-type': 'development',
+            'update-types': ['minor', 'patch'],
+          },
+        },
+      });
+    }
 
     // ── npm ────────────────────────────────────────────────────────────────
-    if (this.pkg.dependencies || this.pkg.devDependencies ||
+    if (!hasBunLock && (hasDeps ||
         this.lockFiles.has('package-lock.json') ||
         this.lockFiles.has('yarn.lock') ||
-        this.lockFiles.has('pnpm-lock.yaml')) {
+        this.lockFiles.has('pnpm-lock.yaml'))) {
       updates.push({
         'package-ecosystem': 'npm',
         directory: '/',
@@ -112,6 +132,7 @@ class DependabotGenerator {
 
     // ── Docker ─────────────────────────────────────────────────────────────
     if (this.configFiles.has('Dockerfile') ||
+        this.configFiles.has('Dockerfile.prod') ||
         this.configFiles.has('docker-compose.yml') ||
         this.configFiles.has('docker-compose.yaml')) {
       updates.push({