dependency-radar 0.5.0 → 0.6.0

package/dist/cli.js

@@ -13,6 +13,7 @@ const npmAudit_1 = require("./runners/npmAudit");
 const npmLs_1 = require("./runners/npmLs");
 const npmOutdated_1 = require("./runners/npmOutdated");
 const report_1 = require("./report");
+const failOn_1 = require("./failOn");
 const promises_1 = __importDefault(require("fs/promises"));
 const utils_1 = require("./utils");
 function normalizeSlashes(p) {
@@ -908,6 +909,16 @@ function buildCombinedDependencyGraph(rootPath, packageMetas, dependencyGraphs)
     }
     return { name: "dependency-radar-workspace", version: "0.0.0", dependencies };
 }
+/**
+ * Parse command-line tokens into a populated CliOptions object.
+ *
+ * Recognizes a leading non-flag token as the command and the following flags:
+ * --project, --out, --keep-temp, --offline, --json, --open, --no-report, --fail-on, and --help / -h.
+ * The --offline flag disables both audit and outdated checks.
+ *
+ * @param argv - Array of CLI tokens (typically process.argv.slice(2))
+ * @returns The resolved CliOptions with defaults applied and values overridden by argv
+ */
 function parseArgs(argv) {
     const opts = {
         command: "scan",
@@ -918,6 +929,8 @@ function parseArgs(argv) {
         outdated: true,
         json: false,
         open: false,
+        noReport: false,
+        failOn: new Set(),
     };
     const args = [...argv];
     if (args[0] && !args[0].startsWith("-")) {
@@ -941,6 +954,27 @@ function parseArgs(argv) {
             opts.json = true;
         else if (arg === "--open")
             opts.open = true;
+        else if (arg === "--no-report")
+            opts.noReport = true;
+        else if (arg === "--fail-on") {
+            const value = args.shift();
+            if (!value) {
+                console.error("Missing value for --fail-on. Provide a comma-separated list of rules.");
+                process.exit(1);
+            }
+            let rules;
+            try {
+                rules = (0, failOn_1.parseFailOnRules)(value);
+            }
+            catch (err) {
+                console.error(err instanceof Error ? err.message : "Invalid --fail-on rules.");
+                process.exit(1);
+                return opts;
+            }
+            for (const rule of rules) {
+                opts.failOn.add(rule);
+            }
+        }
         else if (arg === "--help" || arg === "-h") {
             printHelp();
             process.exit(0);
@@ -948,6 +982,12 @@ function parseArgs(argv) {
     }
     return opts;
 }
+/**
+ * Print the CLI usage and available options to the console.
+ *
+ * Displays the command synopsis and descriptions for supported flags including
+ * --project, --out, --json, --no-report, --keep-temp, --offline, --open, and --fail-on.
+ */
 function printHelp() {
     console.log(`dependency-radar [scan] [options]
 
@@ -957,11 +997,22 @@ Options:
   --project <path>   Project folder (default: cwd)
   --out <path>       Output HTML file (default: dependency-radar.html)
   --json             Write aggregated data to JSON (default filename: dependency-radar.json)
+  --no-report        Do not write HTML/JSON report files or temp artifacts to disk
   --keep-temp        Keep .dependency-radar folder
   --offline          Skip npm audit and npm outdated (useful for offline scans)
   --open             Open the generated report using the system default application
+  --fail-on <rules>  Fail with exit code 1 when selected rules are violated
+                     Supported: reachable-vuln, production-vuln, high-severity-vuln,
+                                licence-mismatch, copyleft-detected, unknown-licence
 `);
 }
+/**
+ * Attempts to open the given file in the system's default application.
+ *
+ * Spawns a detached OS-specific opener process (so the function returns immediately). If the spawn fails, a warning is logged to the console.
+ *
+ * @param filePath - Path (absolute or relative) to the file to open
+ */
 function openInBrowser(filePath) {
     const normalizedPath = filePath.replace(/\\/g, "/");
     let child;
@@ -993,14 +1044,267 @@ function openInBrowser(filePath) {
     });
     child.unref();
 }
+const ANSI = {
+    reset: "\x1b[0m",
+    bold: "\x1b[1m",
+    green: "\x1b[32m",
+    red: "\x1b[31m",
+    yellow: "\x1b[33m",
+    cyan: "\x1b[36m",
+};
+/**
+ * Determine whether ANSI color output should be enabled for the current process.
+ *
+ * Considers the `NO_COLOR` and `FORCE_COLOR` environment variables and falls back to whether `stdout` is a TTY.
+ *
+ * @returns `true` if ANSI color output should be enabled, `false` otherwise.
+ */
+function shouldUseColor() {
+    if (process.env.NO_COLOR !== undefined)
+        return false;
+    const forceColor = process.env.FORCE_COLOR;
+    if (forceColor === "0")
+        return false;
+    if (forceColor !== undefined)
+        return true;
+    return Boolean(process.stdout.isTTY);
+}
+const COLOR_ENABLED = shouldUseColor();
+/**
+ * Wraps text with ANSI color or style escape sequences when terminal coloring is enabled.
+ *
+ * @param value - The text to style
+ * @param color - The style to apply; one of `'bold'`, `'green'`, `'red'`, `'yellow'`, or `'cyan'`
+ * @returns The input string wrapped with the selected ANSI escape codes if colors are enabled, otherwise the original `value`
+ */
+function styleText(value, color) {
+    if (!COLOR_ENABLED)
+        return value;
+    return `${ANSI[color]}${value}${ANSI.reset}`;
+}
+/**
+ * Extracts the first Unicode character from a string and the remaining substring.
+ *
+ * @param value - The input string to split
+ * @returns An object with `head` set to the first character (empty string if input is empty) and `tail` set to the remainder of the string after `head`
+ */
+function splitFirstGlyph(value) {
+    const chars = Array.from(value);
+    const head = chars[0] || "";
+    const tail = value.slice(head.length);
+    return { head, tail };
+}
+/**
+ * Apply ANSI color styling to recognized status glyphs at the start of a string.
+ *
+ * Recognized leading glyphs are colored as follows: "✔" → green, "✖" → red, "⚠" → yellow,
+ * "↗", "ℹ", "📦" → cyan, and "📉" → yellow. If the first grapheme is not one of these,
+ * the input is returned unchanged.
+ *
+ * @param symbol - The string whose leading glyph should be colorized (if recognized)
+ * @returns The input string with the leading glyph wrapped in color styling when recognized, otherwise the original string
+ */
+function colorSymbol(symbol) {
+    const { head, tail } = splitFirstGlyph(symbol);
+    if (!head)
+        return symbol;
+    if (head === "✔")
+        return `${styleText(head, "green")}${tail}`;
+    if (head === "✖")
+        return `${styleText(head, "red")}${tail}`;
+    if (head === "⚠")
+        return `${styleText(head, "yellow")}${tail}`;
+    if (head === "↗" || head === "ℹ" || head === "📦") {
+        return `${styleText(head, "cyan")}${tail}`;
+    }
+    if (head === "📉")
+        return `${styleText(head, "yellow")}${tail}`;
+    return symbol;
+}
+/**
+ * Applies ANSI color styling to a leading status glyph in a text line when present.
+ *
+ * @param line - The input line; if it starts with a recognized status glyph (e.g., ✔, ✖, ⚠, ↗, ℹ, 📦, 📉), that glyph will be replaced with its colored equivalent.
+ * @returns The line with the leading glyph colorized when applicable, or the original line unchanged.
+ */
+function colorLeadingSymbol(line) {
+    const { head } = splitFirstGlyph(line);
+    if (!head)
+        return line;
+    if (head !== "✔" &&
+        head !== "✖" &&
+        head !== "⚠" &&
+        head !== "↗" &&
+        head !== "ℹ" &&
+        head !== "📦" &&
+        head !== "📉") {
+        return line;
+    }
+    return `${colorSymbol(head)}${line.slice(head.length)}`;
+}
+/**
+ * Format a CLI status line with a colored leading symbol and message.
+ *
+ * @param symbol - The single-character or glyph to display as the leading symbol
+ * @param message - The text message that follows the symbol
+ * @returns The formatted status line with the colored symbol, a single separating space, and the message
+ */
+function statusLine(symbol, message) {
+    return `${colorSymbol(symbol)} ${message}`;
+}
+/**
+ * Print policy violation messages to stdout as a human-readable list when any exist.
+ *
+ * @param violations - An array of policy violations to display; each violation's `message` will be printed as a list item. If the array is empty, nothing is printed.
+ */
+function printPolicyViolations(violations) {
+    if (violations.length === 0)
+        return;
+    console.log("");
+    console.log(colorLeadingSymbol("✖ Policy violations detected:"));
+    for (const violation of violations) {
+        console.log(`- ${violation.message}`);
+    }
+}
+/**
+ * Produce a concise CLI summary from aggregated workspace data.
+ *
+ * @param aggregated - Aggregated workspace data produced by the scan
+ * @param options.importGraphComplete - `true` when import graph collection completed for all packages; affects unused dependency counting
+ * @returns An object with:
+ * - `directDeps`: number of direct dependencies in the workspace
+ * - `transitiveDeps`: number of transitive dependencies in the workspace
+ * - `vulnerablePackages`: count of dependencies with at least one reported vulnerability
+ * - `reachableVulnerablePackages`: count of vulnerable dependencies that are reachable according to import usage
+ * - `unusedInstalledDeps`: count of direct runtime dependencies that appear unused (only when `importGraphComplete` is `true`)
+ * - `licenseMismatches`: count of dependencies whose license status is `mismatch`
+ * - `majorUpgradeBlockers`: count of dependencies that have one or more upgrade blockers
+ * - `majorUpgradeBlockerBreakdown`: object with counts for specific blocker types (`peerDependency`, `nodeEngine`, `deprecated`, `nativeBindings`, `installScripts`)
+ */
+function buildCliSummary(aggregated, options) {
+    var _a;
+    let vulnerablePackages = 0;
+    let reachableVulnerablePackages = 0;
+    let unusedInstalledDeps = 0;
+    let licenseMismatches = 0;
+    let majorUpgradeBlockers = 0;
+    const majorUpgradeBlockerBreakdown = {
+        peerDependency: 0,
+        nodeEngine: 0,
+        deprecated: 0,
+        nativeBindings: 0,
+        installScripts: 0,
+    };
+    const deps = Object.values(aggregated.dependencies || {});
+    for (const dep of deps) {
+        const vulnTotal = (dep.security.summary.critical || 0) +
+            (dep.security.summary.high || 0) +
+            (dep.security.summary.moderate || 0) +
+            (dep.security.summary.low || 0);
+        if (vulnTotal > 0) {
+            vulnerablePackages += 1;
+            if ((((_a = dep.usage.importUsage) === null || _a === void 0 ? void 0 : _a.fileCount) || 0) > 0) {
+                reachableVulnerablePackages += 1;
+            }
+        }
+        // Count "unused" only when import graph collection succeeded for all packages.
+        // `importUsage` is an optional object (or undefined), not a boolean/string state.
+        // Otherwise, missing importUsage can mean "unknown" rather than "unused".
+        if (options.importGraphComplete &&
+            dep.usage.direct &&
+            dep.usage.scope === "runtime" &&
+            !dep.usage.importUsage) {
+            unusedInstalledDeps += 1;
+        }
+        if (dep.compliance.license.status === "mismatch") {
+            licenseMismatches += 1;
+        }
+        const blockers = dep.upgrade.blockers || [];
+        if (blockers.length > 0) {
+            majorUpgradeBlockers += 1;
+        }
+        if (blockers.includes("peerDependency")) {
+            majorUpgradeBlockerBreakdown.peerDependency += 1;
+        }
+        if (blockers.includes("nodeEngine")) {
+            majorUpgradeBlockerBreakdown.nodeEngine += 1;
+        }
+        if (blockers.includes("deprecated")) {
+            majorUpgradeBlockerBreakdown.deprecated += 1;
+        }
+        if (blockers.includes("nativeBindings")) {
+            majorUpgradeBlockerBreakdown.nativeBindings += 1;
+        }
+        if (blockers.includes("installScripts")) {
+            majorUpgradeBlockerBreakdown.installScripts += 1;
+        }
+    }
+    return {
+        directDeps: aggregated.summary.directCount,
+        transitiveDeps: aggregated.summary.transitiveCount,
+        vulnerablePackages,
+        reachableVulnerablePackages,
+        unusedInstalledDeps,
+        licenseMismatches,
+        majorUpgradeBlockers,
+        majorUpgradeBlockerBreakdown,
+    };
+}
+/**
+ * Choose the correct singular or plural form based on a numeric count.
+ *
+ * @param value - The numeric count that determines which form to use
+ * @param singular - The singular form to use when `value` equals 1
+ * @param plural - The plural form to use for any other `value`
+ * @returns The `singular` string if `value` is 1, `plural` otherwise
+ */
+function pluralize(value, singular, plural) {
+    return value === 1 ? singular : plural;
+}
+/**
+ * Print a concise, human-readable CLI summary of scan results to standard output.
+ *
+ * @param summary - Aggregated counts and breakdowns (dependencies, vulnerabilities, unused deps, license mismatches, and major-upgrade blocker details) used to compose the printed summary
+ */
+function printCliSummary(summary) {
+    const bullet = "•";
+    console.log("");
+    console.log("Summary:");
+    console.log(`${bullet} Direct deps scanned: ${summary.directDeps}`);
+    console.log(`${bullet} Transitive deps scanned: ${summary.transitiveDeps}`);
+    console.log(`${bullet} Vulnerable packages: ${summary.vulnerablePackages} (${summary.reachableVulnerablePackages} reachable)`);
+    console.log(`${bullet} Unused installed deps: ${summary.unusedInstalledDeps}`);
+    console.log(`${bullet} License mismatches: ${summary.licenseMismatches}`);
+    console.log(`${bullet} Major upgrade blockers: ${summary.majorUpgradeBlockers}`);
+    const blockerDetails = [];
+    if (summary.majorUpgradeBlockerBreakdown.peerDependency > 0) {
+        blockerDetails.push(`   - ${summary.majorUpgradeBlockerBreakdown.peerDependency} ${pluralize(summary.majorUpgradeBlockerBreakdown.peerDependency, "strict peer dependency constraint", "strict peer dependency constraints")}`);
+    }
+    if (summary.majorUpgradeBlockerBreakdown.nodeEngine > 0) {
+        blockerDetails.push(`   - ${summary.majorUpgradeBlockerBreakdown.nodeEngine} ${pluralize(summary.majorUpgradeBlockerBreakdown.nodeEngine, "narrow engine range", "narrow engine ranges")}`);
+    }
+    if (summary.majorUpgradeBlockerBreakdown.deprecated > 0) {
+        blockerDetails.push(`   - ${summary.majorUpgradeBlockerBreakdown.deprecated} ${pluralize(summary.majorUpgradeBlockerBreakdown.deprecated, "deprecated package", "deprecated packages")}`);
+    }
+    if (summary.majorUpgradeBlockerBreakdown.nativeBindings > 0) {
+        blockerDetails.push(`   - ${summary.majorUpgradeBlockerBreakdown.nativeBindings} ${pluralize(summary.majorUpgradeBlockerBreakdown.nativeBindings, "native binding", "native bindings")}`);
+    }
+    if (summary.majorUpgradeBlockerBreakdown.installScripts > 0) {
+        blockerDetails.push(`   - ${summary.majorUpgradeBlockerBreakdown.installScripts} ${pluralize(summary.majorUpgradeBlockerBreakdown.installScripts, "install lifecycle script", "install lifecycle scripts")}`);
+    }
+    for (const line of blockerDetails) {
+        console.log(line);
+    }
+    console.log("");
+}
 /**
- * Orchestrates the CLI "scan" command to collect, merge, and output dependency data for a project or workspace.
+ * Run the CLI "scan" command to collect and aggregate dependency data for a project or workspace.
  *
  * Detects workspace type and package manager, runs per-package collectors (audit, dependency tree, import graph, outdated),
- * merges collected signals into a workspace-level model, and writes a JSON or HTML report to the configured output path.
- * Manages a temporary working directory (created under the project as .dependency-radar), respects CLI options such as
- * JSON output, audit/outdated toggles, keeping the temp directory, and optionally opening the generated output with the
- * system default application. Exits the process with a non-zero code on fatal errors. */
+ * merges collected signals into a workspace-level model, and writes a JSON or HTML report according to CLI options.
+ * Manages a temporary working directory and optionally opens the generated report. Exits the process with a non-zero code
+ * on fatal errors or when configured policy violations are detected.
+ */
 async function run() {
     var _a;
     const opts = parseArgs(process.argv.slice(2));
@@ -1009,7 +1313,13 @@ async function run() {
         process.exit(1);
         return;
     }
+    const shouldWriteArtifacts = !opts.noReport;
     const projectPath = path_1.default.resolve(opts.project);
+    let summary;
+    let policyViolations = [];
+    if (opts.noReport && opts.keepTemp) {
+        console.log(statusLine("⚠", "--keep-temp is ignored when --no-report is enabled."));
+    }
     if (opts.json && opts.out === "dependency-radar.html") {
         opts.out = "dependency-radar.json";
     }
@@ -1017,18 +1327,20 @@ async function run() {
     const startTime = Date.now();
     let dependencyCount = 0;
     let outputCreated = false;
-    try {
-        const stat = await promises_1.default.stat(outputPath).catch(() => undefined);
-        const endsWithSeparator = opts.out.endsWith("/") || opts.out.endsWith("\\");
-        const hasExtension = Boolean(path_1.default.extname(outputPath));
-        if ((stat && stat.isDirectory()) ||
-            endsWithSeparator ||
-            (!stat && !hasExtension)) {
-            outputPath = path_1.default.join(outputPath, opts.json ? "dependency-radar.json" : "dependency-radar.html");
+    if (shouldWriteArtifacts) {
+        try {
+            const stat = await promises_1.default.stat(outputPath).catch(() => undefined);
+            const endsWithSeparator = opts.out.endsWith("/") || opts.out.endsWith("\\");
+            const hasExtension = Boolean(path_1.default.extname(outputPath));
+            if ((stat && stat.isDirectory()) ||
+                endsWithSeparator ||
+                (!stat && !hasExtension)) {
+                outputPath = path_1.default.join(outputPath, opts.json ? "dependency-radar.json" : "dependency-radar.html");
+            }
+        }
+        catch (e) {
+            // ignore, best-effort path normalization
         }
-    }
-    catch (e) {
-        // ignore, best-effort path normalization
     }
     const tempDir = path_1.default.join(projectPath, ".dependency-radar");
     // Stage 1: detect workspace/package-manager context and collect tool versions.
@@ -1048,7 +1360,7 @@ async function run() {
         const yarnHint = yarnPnP
             ? " Yarn Plug'n'Play appears enabled; Dependency Radar currently requires node_modules linker."
             : "";
-        console.warn(`⚠ node_modules was not found at ${projectPath}. Scan completeness may be reduced for this ${workspaceHint}. Run your package manager install (npm install, pnpm install, or yarn install) before scanning.${yarnHint}`);
+        console.warn(colorLeadingSymbol(`⚠ node_modules was not found at ${projectPath}. Scan completeness may be reduced for this ${workspaceHint}. Run your package manager install (npm install, pnpm install, or yarn install) before scanning.${yarnHint}`));
     }
     const rootPkg = await readJsonFile(path_1.default.join(projectPath, "package.json"));
     const projectDependencyPolicy = workspace.pnpmWorkspaceOverrides
@@ -1087,13 +1399,15 @@ async function run() {
     const workspaceLabel = workspace.type === "none"
         ? "Single project"
         : `${workspace.type.toUpperCase()} workspace`;
-    console.log(`✔ ${workspaceLabel} detected`);
+    console.log(statusLine("✔", `${workspaceLabel} detected`));
     if (workspace.type !== "none" && scanManager !== workspace.type) {
-        console.log(`✔ Using ${scanManager.toUpperCase()} for dependency data (lockfile detected)`);
+        console.log(statusLine("✔", `Using ${scanManager.toUpperCase()} for dependency data (lockfile detected)`));
     }
     const spinner = startSpinner(`Scanning ${workspaceLabel} at ${projectPath}`);
     try {
-        await (0, utils_1.ensureDir)(tempDir);
+        if (shouldWriteArtifacts) {
+            await (0, utils_1.ensureDir)(tempDir);
+        }
         // Stage 2: run per-package collectors and persist raw tool outputs.
         const packageMetas = await readWorkspacePackageMeta(projectPath, packagePaths);
         const workspaceClassification = buildWorkspaceClassification(projectPath, packageMetas);
@@ -1104,19 +1418,24 @@ async function run() {
         for (const meta of packageMetas) {
             spinner.update(`Scanning ${workspaceLabel} (${perPackageLs.length + 1}/${packageMetas.length}) at ${projectPath}`);
             const pkgTempDir = path_1.default.join(tempDir, meta.name.replace(/[^a-zA-Z0-9._-]/g, "_"));
-            await (0, utils_1.ensureDir)(pkgTempDir);
+            if (shouldWriteArtifacts) {
+                await (0, utils_1.ensureDir)(pkgTempDir);
+            }
             const [a, l, ig, o] = await Promise.all([
                 opts.audit
-                    ? (0, npmAudit_1.runPackageAudit)(meta.path, pkgTempDir, scanManager, yarnVersion).catch((err) => ({ ok: false, error: String(err) }))
+                    ? (0, npmAudit_1.runPackageAudit)(meta.path, pkgTempDir, scanManager, yarnVersion, { persistToDisk: shouldWriteArtifacts }).catch((err) => ({ ok: false, error: String(err) }))
                     : Promise.resolve(undefined),
                 (0, npmLs_1.runNpmLs)(meta.path, pkgTempDir, scanManager, {
                     contextLabel: meta.name,
                     lockfileSearchRoot: projectPath,
                     onProgress: (line) => spinner.log(line),
+                    persistToDisk: shouldWriteArtifacts,
+                }).catch((err) => ({ ok: false, error: String(err) })),
+                (0, importGraphRunner_1.runImportGraph)(meta.path, pkgTempDir, {
+                    persistToDisk: shouldWriteArtifacts,
                 }).catch((err) => ({ ok: false, error: String(err) })),
-                (0, importGraphRunner_1.runImportGraph)(meta.path, pkgTempDir).catch((err) => ({ ok: false, error: String(err) })),
                 opts.outdated
-                    ? (0, npmOutdated_1.runPackageOutdated)(meta.path, pkgTempDir, scanManager).catch((err) => ({ ok: false, error: String(err) }))
+                    ? (0, npmOutdated_1.runPackageOutdated)(meta.path, pkgTempDir, scanManager, { persistToDisk: shouldWriteArtifacts }).catch((err) => ({ ok: false, error: String(err) }))
                     : Promise.resolve(undefined),
             ]);
             perPackageAudit.push(a);
@@ -1128,19 +1447,19 @@ async function run() {
         if (opts.audit) {
             const auditOk = perPackageAudit.every((r) => r && r.ok);
             if (auditOk) {
-                spinner.log(`✔ ${scanManager.toUpperCase()} audit data collected`);
+                spinner.log(statusLine("✔", `${scanManager.toUpperCase()} audit data collected`));
             }
             else {
-                spinner.log(`✖ ${scanManager.toUpperCase()} audit data unavailable`);
+                spinner.log(statusLine("✖", `${scanManager.toUpperCase()} audit data unavailable`));
             }
         }
         if (opts.outdated) {
             const outdatedOk = perPackageOutdated.every((r) => r.result && r.result.ok);
             if (outdatedOk) {
-                spinner.log(`✔ ${scanManager.toUpperCase()} outdated data collected`);
+                spinner.log(statusLine("✔", `${scanManager.toUpperCase()} outdated data collected`));
             }
             else {
-                spinner.log(`✖ ${scanManager.toUpperCase()} outdated data unavailable`);
+                spinner.log(statusLine("✖", `${scanManager.toUpperCase()} outdated data unavailable`));
             }
         }
         const mergedAuditData = mergeAuditResults(perPackageAudit.map((r) => (r && r.ok ? r.data : undefined)));
@@ -1213,10 +1532,15 @@ async function run() {
             ...(toolVersions ? { toolVersions } : {}),
         });
         dependencyCount = Object.keys(aggregated.dependencies).length;
+        const importGraphComplete = perPackageImportGraph.every((result) => result.ok);
+        summary = buildCliSummary(aggregated, {
+            importGraphComplete,
+        });
+        policyViolations = (0, failOn_1.evaluatePolicyViolations)(aggregated, opts.failOn);
         if (workspace.type !== "none") {
             console.log(`Detected ${workspace.type.toUpperCase()} workspace with ${packagePaths.length} package${packagePaths.length === 1 ? "" : "s"}.`);
         }
-        if (dependencyCount > 0) {
+        if (dependencyCount > 0 && shouldWriteArtifacts) {
             if (opts.json) {
                 await promises_1.default.mkdir(path_1.default.dirname(outputPath), { recursive: true });
                 await promises_1.default.writeFile(outputPath, JSON.stringify(aggregated, null, 2), "utf8");
@@ -1228,12 +1552,15 @@ async function run() {
         }
         spinner.stop(true);
         const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
-        console.log(`✔ Scan complete: ${dependencyCount} dependencies analysed in ${elapsed}s`);
-        if (outputCreated) {
-            console.log(`✔ ${opts.json ? "JSON" : "Report"} written to ${outputPath}`);
+        console.log(statusLine("✔", `Scan complete: ${dependencyCount} dependencies analysed in ${elapsed}s`));
+        if (!shouldWriteArtifacts) {
+            console.log(statusLine("ℹ", "Report output disabled (--no-report); no report artifacts written."));
+        }
+        else if (outputCreated) {
+            console.log(statusLine("✔", `${opts.json ? "JSON" : "Report"} written to ${outputPath}`));
         }
         else {
-            console.log(`✖ No dependencies were found - ${opts.json ? "JSON file" : "Report"} not created`);
+            console.log(statusLine("✖", `No dependencies were found - ${opts.json ? "JSON file" : "Report"} not created`));
         }
     }
     catch (err) {
@@ -1242,25 +1569,48 @@ async function run() {
         process.exit(1);
     }
     finally {
-        if (!opts.keepTemp) {
-            await (0, utils_1.removeDir)(tempDir);
-        }
-        else {
-            console.log(`✔ Temporary data kept at ${tempDir}`);
+        if (shouldWriteArtifacts) {
+            if (!opts.keepTemp) {
+                await (0, utils_1.removeDir)(tempDir);
+            }
+            else {
+                console.log(statusLine("✔", `Temporary data kept at ${tempDir}`));
+            }
         }
     }
-    if (opts.open && outputCreated && !isCI()) {
-        console.log(`↗ Opening ${path_1.default.basename(outputPath)} using system default ${opts.json ? "application" : "browser"}.`);
+    if (opts.open && !shouldWriteArtifacts) {
+        console.log(statusLine("✖", "Skipping auto-open because --no-report is enabled."));
+    }
+    else if (opts.open && outputCreated && !isCI()) {
+        console.log(statusLine("↗", `Opening ${path_1.default.basename(outputPath)} using system default ${opts.json ? "application" : "browser"}.`));
         openInBrowser(outputPath);
     }
     else if (opts.open && outputCreated && isCI()) {
-        console.log("✖ Skipping auto-open in CI environment.");
+        console.log(statusLine("✖", "Skipping auto-open in CI environment."));
+    }
+    if (summary) {
+        printCliSummary(summary);
     }
+    else {
+        console.log("");
+    }
+    printPolicyViolations(policyViolations);
     // Always show CTA as the last output
-    console.log("");
-    console.log("Get additional risk analysis and a management-ready summary at https://dependency-radar.com");
+    console.log("Enrich this scan with maintenance signals, upgrade readiness, and risk modelling at dependency-radar.com");
+    if (policyViolations.length > 0) {
+        process.exit(1);
+    }
 }
 run();
+/**
+ * Displays a rotating CLI spinner with a message and returns controls to stop, update, or log lines.
+ *
+ * @param text - Initial message shown next to the spinner.
+ * @returns An object with control methods:
+ *  - `stop(success?)` - Stops the spinner and writes a final line using a check mark when `success` is `true` or a cross when `false` (defaults to `true`).
+ *  - `update(nextText)` - Replaces the spinner's message with `nextText`.
+ *  - `log(line)` - Writes `line` as a new output line above the active spinner without stopping it.
+ */
 function startSpinner(text) {
     const frames = ["|", "/", "-", "\\"];
     let i = 0;
@@ -1281,20 +1631,21 @@ function startSpinner(text) {
         return `${head}…/${tail}`;
     };
     const formatLine = (prefix, value) => {
+        const coloredPrefix = colorSymbol(prefix);
         if (!process.stdout.isTTY)
-            return `${prefix} ${value}`;
+            return `${coloredPrefix} ${value}`;
         const displayValue = shortenPathInMessage(value);
         const columns = process.stdout.columns || 0;
         if (columns <= 0)
-            return `${prefix} ${displayValue}`;
+            return `${coloredPrefix} ${displayValue}`;
         const max = columns - (prefix.length + 1);
         if (max <= 0)
-            return prefix;
+            return coloredPrefix;
         if (displayValue.length <= max)
-            return `${prefix} ${displayValue}`;
+            return `${coloredPrefix} ${displayValue}`;
         const ellipsis = "…";
         const keep = Math.max(0, max - ellipsis.length);
-        return `${prefix} ${displayValue.slice(0, keep)}${ellipsis}`;
+        return `${coloredPrefix} ${displayValue.slice(0, keep)}${ellipsis}`;
     };
     process.stdout.write(formatLine(frames[i], currentText));
     const timer = setInterval(() => {
@@ -1316,11 +1667,12 @@ function startSpinner(text) {
         process.stdout.write(`\r\x1b[K${formatLine(frames[i], currentText)}`);
     };
     const log = (line) => {
+        const renderedLine = colorLeadingSymbol(line);
         if (stopped) {
-            process.stdout.write(`${line}\n`);
+            process.stdout.write(`${renderedLine}\n`);
             return;
         }
-        process.stdout.write(`\r\x1b[K${line}\n`);
+        process.stdout.write(`\r\x1b[K${renderedLine}\n`);
         process.stdout.write(formatLine(frames[i], currentText));
     };
     return { stop, update, log };