depwire-cli 0.9.24 → 0.9.26

package/dist/index.js

@@ -17,7 +17,7 @@ import {
   stashChanges,
   updateFileInGraph,
   watchProject
-} from "./chunk-ORGAO3HT.js";
+} from "./chunk-B2KGFBZL.js";
 import {
   SimulationEngine,
   analyzeDeadCode,
@@ -29,14 +29,15 @@ import {
   getHealthTrend,
   getImpact,
   parseProject,
+  scanSecurity,
   searchSymbols
-} from "./chunk-QHVWDUSX.js";
+} from "./chunk-YYY5TNG7.js";
 
 // src/index.ts
 import { Command } from "commander";
-import { resolve as resolve2, dirname as dirname2, join as join3 } from "path";
-import { writeFileSync, readFileSync as readFileSync2, existsSync } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
+import { resolve as resolve3, dirname as dirname4, join as join5 } from "path";
+import { writeFileSync, readFileSync as readFileSync3, existsSync } from "fs";
+import { fileURLToPath as fileURLToPath4 } from "url";
 
 // src/graph/serializer.ts
 import { DirectedGraph } from "graphology";
@@ -305,10 +306,10 @@ async function findAvailablePort(startPort) {
   const net = await import("net");
   for (let attempt = 0; attempt < 10; attempt++) {
     const testPort = startPort + attempt;
-    const isAvailable = await new Promise((resolve3) => {
-      const server = net.createServer().once("error", () => resolve3(false)).once("listening", () => {
+    const isAvailable = await new Promise((resolve4) => {
+      const server = net.createServer().once("error", () => resolve4(false)).once("listening", () => {
         server.close();
-        resolve3(true);
+        resolve4(true);
       }).listen(testPort, "127.0.0.1");
     });
     if (isAvailable) {
@@ -349,13 +350,13 @@ async function startTemporalServer(snapshots, projectRoot, preferredPort = 3334)
       console.log("  (Could not open browser automatically)");
     });
   });
-  await new Promise((resolve3, reject) => {
+  await new Promise((resolve4, reject) => {
     server.on("error", reject);
     process.on("SIGINT", () => {
       console.log("\n\nShutting down temporal server...");
       server.close(() => {
         console.log("Server stopped");
-        resolve3();
+        resolve4();
         process.exit(0);
       });
     });
@@ -502,13 +503,269 @@ async function trackCommand(command, version = "unknown") {
 // src/commands/whatif.ts
 import { resolve } from "path";
 import chalk from "chalk";
+
+// src/viz/whatif-server.ts
+import express2 from "express";
+import open2 from "open";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { dirname as dirname2, join as join3 } from "path";
+
+// src/viz/generate-whatif-html.ts
+function generateWhatIfHtml(currentVizData, simulatedVizData, simulationResult, operation, target) {
+  const { healthDelta, diff } = simulationResult;
+  const deltaSign = healthDelta.delta >= 0 ? "+" : "";
+  const deltaLabel = healthDelta.delta === 0 ? "unchanged" : healthDelta.improved ? `${deltaSign}${healthDelta.delta} \u2713 improved` : `${healthDelta.delta} \u2717 degraded`;
+  const deltaColor = healthDelta.delta === 0 ? "#fbbf24" : healthDelta.improved ? "#4ade80" : "#f87171";
+  const opBadge = operation !== "none" ? `<span style="background:${deltaColor};color:#000;padding:4px 12px;border-radius:4px;font-weight:700;font-size:13px;text-transform:uppercase;margin-left:12px;">${operation} ${target}</span>` : "";
+  const brokenImportsHtml = diff.brokenImports.length > 0 ? `<details style="margin-top:16px;background:#16213e;border:1px solid #2a2a4a;border-radius:8px;padding:12px 16px;">
+        <summary style="cursor:pointer;color:#f87171;font-weight:600;font-size:14px;">Broken Imports (${diff.brokenImports.length})</summary>
+        <ul style="margin:8px 0 0 16px;padding:0;list-style:none;">
+          ${diff.brokenImports.map((bi) => `<li style="color:#e0e0e0;font-size:13px;padding:4px 0;font-family:monospace;">${bi.file} \u2192 <span style="color:#f87171;">${bi.importedSymbol}</span></li>`).join("")}
+        </ul>
+      </details>` : "";
+  const currentDataJson = JSON.stringify(currentVizData);
+  const simulatedDataJson = JSON.stringify(simulatedVizData);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Depwire \u2014 What If Simulation</title>
+  <link rel="stylesheet" href="/style.css">
+  <style>
+    body { overflow: auto; height: auto; }
+    .whatif-header {
+      background: #16213e;
+      border-bottom: 1px solid #2a2a4a;
+      padding: 16px 24px;
+      display: flex;
+      align-items: center;
+      gap: 16px;
+    }
+    .whatif-header h1 {
+      margin: 0;
+      font-size: 20px;
+      font-weight: 600;
+      background: linear-gradient(135deg, #4a9eff, #7c3aed);
+      -webkit-background-clip: text;
+      -webkit-text-fill-color: transparent;
+      background-clip: text;
+    }
+    .health-banner {
+      background: #0f1729;
+      border: 1px solid #2a2a4a;
+      border-radius: 8px;
+      padding: 16px 24px;
+      margin: 16px 24px;
+      display: flex;
+      align-items: center;
+      gap: 32px;
+      flex-wrap: wrap;
+    }
+    .health-score {
+      font-size: 22px;
+      font-weight: 700;
+    }
+    .health-stat {
+      font-size: 14px;
+      color: #a0a0a0;
+    }
+    .health-stat strong {
+      color: #e0e0e0;
+      font-size: 18px;
+    }
+    .panels {
+      display: flex;
+      flex-direction: row;
+      gap: 0;
+      width: 100%;
+      height: calc(100vh - 180px);
+      min-height: 400px;
+    }
+    .panel {
+      flex: 1;
+      min-width: 0;
+      display: flex;
+      flex-direction: column;
+      border-right: 1px solid #2a2a4a;
+      overflow: hidden;
+      position: relative;
+    }
+    .panel:last-child { border-right: none; }
+    .panel-label {
+      background: #16213e;
+      padding: 8px 16px;
+      font-size: 13px;
+      font-weight: 600;
+      color: #a0a0a0;
+      border-bottom: 1px solid #2a2a4a;
+      display: flex;
+      justify-content: space-between;
+      flex-shrink: 0;
+    }
+    .panel-diagram {
+      flex: 1;
+      overflow: hidden;
+      position: relative;
+    }
+    .panel-diagram svg {
+      display: block;
+      width: 100%;
+      height: 100%;
+    }
+    .broken-section {
+      padding: 0 24px 24px;
+    }
+  </style>
+</head>
+<body>
+  <div class="whatif-header">
+    <h1>depwire \u2014 What If Simulation</h1>
+    ${opBadge}
+  </div>
+
+  <div class="health-banner">
+    <div class="health-score" style="color:${deltaColor}">
+      Health Score: ${healthDelta.before} \u2192 ${healthDelta.after}
+      <span style="font-size:16px;margin-left:8px;">(${deltaLabel})</span>
+    </div>
+    <div class="health-stat"><strong>${diff.affectedNodes.length}</strong> Affected Nodes</div>
+    <div class="health-stat"><strong>${diff.brokenImports.length}</strong> Broken Imports</div>
+    <div class="health-stat"><strong>${diff.removedEdges.length}</strong> Removed Edges</div>
+  </div>
+
+  <div class="panels">
+    <div class="panel">
+      <div class="panel-label">
+        <span>Current</span>
+        <span>${currentVizData.stats.totalFiles} files</span>
+      </div>
+      <div class="panel-diagram" id="arc-diagram-current">
+        <svg id="svg-current"></svg>
+      </div>
+      <div class="tooltip" id="tooltip-current"></div>
+    </div>
+    <div class="panel">
+      <div class="panel-label">
+        <span>After ${operation !== "none" ? operation.toUpperCase() : "\u2014"}</span>
+        <span>${simulatedVizData.stats.totalFiles} files</span>
+      </div>
+      <div class="panel-diagram" id="arc-diagram-simulated">
+        <svg id="svg-simulated"></svg>
+      </div>
+      <div class="tooltip" id="tooltip-simulated"></div>
+    </div>
+  </div>
+
+  <div class="broken-section">
+    ${brokenImportsHtml}
+  </div>
+
+  <script>window.__depwireWhatIf = true;</script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/7.9.0/d3.min.js"></script>
+  <script src="/arc.js"></script>
+  <script>
+    const currentData = ${currentDataJson};
+    const simulatedData = ${simulatedDataJson};
+
+    const left = window.createArcDiagram('arc-diagram-current', 'svg-current', 'tooltip-current', currentData);
+    const right = window.createArcDiagram('arc-diagram-simulated', 'svg-simulated', 'tooltip-simulated', simulatedData);
+
+    left.render();
+    right.render();
+
+    window.addEventListener('resize', () => {
+      left.render();
+      right.render();
+    });
+  </script>
+</body>
+</html>`;
+}
+
+// src/viz/whatif-server.ts
+var __filename2 = fileURLToPath2(import.meta.url);
+var __dirname2 = dirname2(__filename2);
+async function findAvailablePort2(startPort, maxAttempts = 10) {
+  const net = await import("net");
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    const testPort = startPort + attempt;
+    const isAvailable = await new Promise((resolve4) => {
+      const server = net.createServer();
+      server.once("error", () => {
+        resolve4(false);
+      });
+      server.once("listening", () => {
+        server.close();
+        resolve4(true);
+      });
+      server.listen(testPort, "127.0.0.1");
+    });
+    if (isAvailable) {
+      if (attempt > 0) {
+        console.error(`Port ${startPort} in use, using port ${testPort} instead`);
+      }
+      return testPort;
+    }
+  }
+  throw new Error(`No available ports found between ${startPort} and ${startPort + maxAttempts - 1}`);
+}
+async function serveWhatIfViz(currentVizData, simulatedVizData, simulationResult, operation, target) {
+  const availablePort = await findAvailablePort2(3335);
+  const app = express2();
+  app.get("/", (_req, res) => {
+    const html = generateWhatIfHtml(currentVizData, simulatedVizData, simulationResult, operation, target);
+    res.type("html").send(html);
+  });
+  app.get("/favicon.ico", (_req, res) => {
+    res.sendFile(join3(__dirname2, "..", "..", "icon.png"));
+  });
+  const publicDir = join3(__dirname2, "viz", "public");
+  app.use(express2.static(publicDir));
+  app.get("/api/graph", (_req, res) => {
+    res.json(currentVizData);
+  });
+  app.get("/api/current", (_req, res) => {
+    res.json(currentVizData);
+  });
+  app.get("/api/simulated", (_req, res) => {
+    res.json(simulatedVizData);
+  });
+  app.get("/api/result", (_req, res) => {
+    res.json(simulationResult);
+  });
+  const server = app.listen(availablePort, "127.0.0.1", () => {
+    const url = `http://127.0.0.1:${availablePort}`;
+    console.error(`
+Opening What If UI at ${url}`);
+    console.error("Press Ctrl+C to stop\n");
+    open2(url);
+  });
+  process.on("SIGINT", () => {
+    console.error("\nShutting down What If server...");
+    server.close(() => {
+      process.exit(0);
+    });
+  });
+}
+
+// src/commands/whatif.ts
 async function whatif(dir, options) {
   if (!options.simulate) {
-    console.log("Usage: depwire whatif [dir] --simulate <action> --target <file> [options]");
-    console.log("");
-    console.log("Actions: move, delete, rename, split, merge");
-    console.log("");
-    console.log("Run without --simulate to open interactive browser UI (Phase B)");
+    const projectRoot2 = dir === "." ? findProjectRoot() : resolve(dir);
+    console.error(`Parsing project: ${projectRoot2}`);
+    const parsedFiles2 = await parseProject(projectRoot2);
+    const graph2 = buildGraph(parsedFiles2);
+    console.error(`Built graph: ${graph2.order} symbols, ${graph2.size} edges`);
+    const vizData = prepareVizData(graph2, projectRoot2);
+    const emptyResult = {
+      action: { type: "delete", target: "" },
+      originalGraph: { nodeCount: graph2.order, edgeCount: graph2.size, healthScore: 0 },
+      simulatedGraph: { nodeCount: graph2.order, edgeCount: graph2.size, healthScore: 0 },
+      diff: { addedEdges: [], removedEdges: [], affectedNodes: [], brokenImports: [], circularDepsIntroduced: [], circularDepsResolved: [] },
+      healthDelta: { before: 0, after: 0, delta: 0, improved: false, dimensionChanges: [] }
+    };
+    await serveWhatIfViz(vizData, vizData, emptyResult, "none", "");
     return;
   }
   const validActions = ["move", "delete", "rename", "split", "merge"];
@@ -522,11 +779,11 @@ async function whatif(dir, options) {
   }
   const action = buildAction(options);
   const projectRoot = dir === "." ? findProjectRoot() : resolve(dir);
-  console.log(`Parsing project: ${projectRoot}`);
+  console.error(`Parsing project: ${projectRoot}`);
   const parsedFiles = await parseProject(projectRoot);
   const graph = buildGraph(parsedFiles);
-  console.log(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
-  console.log("");
+  console.error(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
+  console.error("");
   const engine = new SimulationEngine(graph);
   try {
     const result = engine.simulate(action);
@@ -631,18 +888,198 @@ function formatAction(action) {
   }
 }
 
+// src/commands/security.ts
+import { resolve as resolve2, dirname as dirname3, join as join4 } from "path";
+import { readFileSync as readFileSync2 } from "fs";
+import { fileURLToPath as fileURLToPath3 } from "url";
+
+// src/security/reporter.ts
+import chalk2 from "chalk";
+var SEVERITY_COLORS = {
+  critical: chalk2.red.bold,
+  high: chalk2.red,
+  medium: chalk2.yellow,
+  low: chalk2.blue,
+  info: chalk2.dim
+};
+var SEVERITY_LABELS = {
+  critical: "CRITICAL",
+  high: "HIGH",
+  medium: "MEDIUM",
+  low: "LOW",
+  info: "INFO"
+};
+function formatTable(result, elapsedMs) {
+  const lines = [];
+  const sep = "\u2500".repeat(62);
+  lines.push("");
+  lines.push(chalk2.bold("Depwire Security Scan"));
+  lines.push("");
+  const summaryParts = [
+    result.summary.critical > 0 ? chalk2.red.bold(`${result.summary.critical} Critical`) : null,
+    result.summary.high > 0 ? chalk2.red(`${result.summary.high} High`) : null,
+    result.summary.medium > 0 ? chalk2.yellow(`${result.summary.medium} Medium`) : null,
+    result.summary.low > 0 ? chalk2.blue(`${result.summary.low} Low`) : null,
+    result.summary.info > 0 ? chalk2.dim(`${result.summary.info} Info`) : null
+  ].filter(Boolean);
+  if (summaryParts.length > 0) {
+    lines.push(`\u250C${sep}\u2510`);
+    lines.push(`\u2502  ${summaryParts.join("  \u2502  ")}  \u2502`);
+    lines.push(`\u2514${sep}\u2518`);
+  } else {
+    lines.push(chalk2.green.bold("  No security findings detected."));
+  }
+  lines.push("");
+  const severityOrder = ["critical", "high", "medium", "low", "info"];
+  for (const severity of severityOrder) {
+    const group = result.findings.filter((f) => f.severity === severity);
+    if (group.length === 0) continue;
+    const colorFn = SEVERITY_COLORS[severity];
+    lines.push(colorFn(SEVERITY_LABELS[severity]));
+    for (const finding of group) {
+      lines.push(`  ${colorFn(`[${finding.id}]`)} ${finding.title}`);
+      lines.push(`  File: ${finding.file}${finding.line ? `:${finding.line}` : ""}`);
+      lines.push(`  ${chalk2.dim(finding.description)}`);
+      lines.push(`  ${chalk2.dim("Fix:")} ${finding.suggestedFix}`);
+      if (finding.graphReachability?.elevatedBy) {
+        lines.push(`  ${chalk2.magenta("\u2191 Elevated:")} ${finding.graphReachability.elevatedBy}`);
+      }
+      lines.push("");
+    }
+  }
+  const elapsed = (elapsedMs / 1e3).toFixed(1);
+  lines.push(chalk2.dim(`Scanned ${result.filesScanned} files in ${elapsed}s`));
+  lines.push(chalk2.dim("Run with --format json for machine output"));
+  lines.push(chalk2.dim("Run with --format sarif for GitHub Security integration"));
+  lines.push("");
+  return lines.join("\n");
+}
+function formatJSON(result) {
+  return JSON.stringify(result, null, 2);
+}
+function formatSARIF(result, version) {
+  const rules = result.findings.map((f) => ({
+    id: f.id,
+    shortDescription: { text: f.title },
+    fullDescription: { text: f.description },
+    help: { text: f.suggestedFix },
+    properties: {
+      severity: f.severity,
+      vulnerabilityClass: f.vulnerabilityClass
+    }
+  }));
+  const uniqueRules = Array.from(
+    new Map(rules.map((r) => [r.id, r])).values()
+  );
+  const results = result.findings.map((f) => {
+    let level;
+    if (f.severity === "critical" || f.severity === "high") level = "error";
+    else if (f.severity === "medium") level = "warning";
+    else level = "note";
+    const sarifResult = {
+      ruleId: f.id,
+      level,
+      message: { text: `${f.title}: ${f.description}` },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: { uri: f.file },
+            region: f.line ? { startLine: f.line } : void 0
+          }
+        }
+      ]
+    };
+    return sarifResult;
+  });
+  const sarif = {
+    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "depwire",
+            version,
+            rules: uniqueRules
+          }
+        },
+        results
+      }
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
+}
+
+// src/commands/security.ts
+var __filename3 = fileURLToPath3(import.meta.url);
+var __dirname3 = dirname3(__filename3);
+function getVersion() {
+  try {
+    let dir = __dirname3;
+    for (let i = 0; i < 5; i++) {
+      const pkgPath = join4(dir, "package.json");
+      try {
+        const pkg = JSON.parse(readFileSync2(pkgPath, "utf-8"));
+        if (pkg.name === "depwire-cli") return pkg.version;
+      } catch {
+      }
+      dir = dirname3(dir);
+    }
+  } catch {
+  }
+  return "0.0.0";
+}
+var SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"];
+async function securityCommand(dir, options) {
+  const projectRoot = dir === "." ? findProjectRoot() : resolve2(dir);
+  console.error(`Scanning: ${projectRoot}`);
+  const startTime = Date.now();
+  const parsedFiles = await parseProject(projectRoot);
+  console.error(`Parsed ${parsedFiles.length} files`);
+  const graph = buildGraph(parsedFiles);
+  console.error(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
+  const result = await scanSecurity(projectRoot, graph, {
+    target: options.target,
+    classes: options.class,
+    format: options.format || "table",
+    graphAware: true
+  });
+  const elapsedMs = Date.now() - startTime;
+  const format = options.format || "table";
+  if (format === "json") {
+    console.log(formatJSON(result));
+  } else if (format === "sarif") {
+    console.log(formatSARIF(result, getVersion()));
+  } else {
+    console.log(formatTable(result, elapsedMs));
+  }
+  if (options.failOn) {
+    const threshold = options.failOn;
+    const thresholdIdx = SEVERITY_ORDER.indexOf(threshold);
+    if (thresholdIdx >= 0) {
+      const hasFindings = result.findings.some(
+        (f) => SEVERITY_ORDER.indexOf(f.severity) <= thresholdIdx
+      );
+      if (hasFindings) {
+        console.error(`Findings at or above ${threshold} severity detected \u2014 exiting with code 1`);
+        process.exit(1);
+      }
+    }
+  }
+}
+
 // src/index.ts
-var __filename2 = fileURLToPath2(import.meta.url);
-var __dirname2 = dirname2(__filename2);
-var packageJsonPath = join3(__dirname2, "../package.json");
-var packageJson = JSON.parse(readFileSync2(packageJsonPath, "utf-8"));
+var __filename4 = fileURLToPath4(import.meta.url);
+var __dirname4 = dirname4(__filename4);
+var packageJsonPath = join5(__dirname4, "../package.json");
+var packageJson = JSON.parse(readFileSync3(packageJsonPath, "utf-8"));
 var program = new Command();
 program.name("depwire").description("Code cross-reference graph builder for TypeScript projects").version(packageJson.version);
 program.command("parse").description("Parse a TypeScript project and build dependency graph").argument("[directory]", "Project directory to parse (defaults to current directory or auto-detected project root)").option("-o, --output <path>", "Output JSON file path", "depwire-output.json").option("--pretty", "Pretty-print JSON output").option("--stats", "Print summary statistics").option("--exclude <patterns...>", 'Glob patterns to exclude (e.g., "**/*.test.*" "dist/**")').option("--verbose", "Show detailed parsing progress").action(async (directory, options) => {
   trackCommand("parse", packageJson.version);
   const startTime = Date.now();
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
     console.log(`Parsing project: ${projectRoot}`);
     const parsedFiles = await parseProject(projectRoot, {
       exclude: options.exclude,
@@ -681,12 +1118,12 @@ Orphan Files (no cross-references): ${summary.orphanFiles.length}`);
 program.command("query").description("Query impact analysis for a symbol").argument("<directory>", "Project directory").argument("<symbol-name>", "Symbol name to query").action(async (directory, symbolName) => {
   trackCommand("query", packageJson.version);
   try {
-    const projectRoot = resolve2(directory);
+    const projectRoot = resolve3(directory);
     const cacheFile = "depwire-output.json";
     let graph;
     if (existsSync(cacheFile)) {
       console.log("Loading from cache...");
-      const json = JSON.parse(readFileSync2(cacheFile, "utf-8"));
+      const json = JSON.parse(readFileSync3(cacheFile, "utf-8"));
       graph = importFromJSON(json);
     } else {
       console.log("Parsing project...");
@@ -730,7 +1167,7 @@ Total Transitive Dependents: ${impact.transitiveDependents.length}`);
 program.command("viz").description("Launch interactive arc diagram visualization").argument("[directory]", "Project directory to visualize (defaults to current directory or auto-detected project root)").option("-p, --port <number>", "Server port", "3333").option("--no-open", "Don't auto-open browser").option("--exclude <patterns...>", 'Glob patterns to exclude (e.g., "**/*.test.*" "dist/**")').option("--verbose", "Show detailed parsing progress").action(async (directory, options) => {
   trackCommand("viz", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
     console.log(`Parsing project: ${projectRoot}`);
     const parsedFiles = await parseProject(projectRoot, {
       exclude: options.exclude,
@@ -753,7 +1190,7 @@ program.command("viz").description("Launch interactive arc diagram visualization
 program.command("temporal").description("Visualize how the dependency graph evolved over git history").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--commits <number>", "Number of commits to sample", "20").option("--strategy <type>", "Sampling strategy: even, weekly, monthly", "even").option("-p, --port <number>", "Server port", "3334").option("--output <path>", "Save snapshots to custom path (default: .depwire/temporal/)").option("--verbose", "Show progress for each commit being parsed").option("--stats", "Show summary statistics at end").action(async (directory, options) => {
   trackCommand("temporal", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
     await runTemporalAnalysis(projectRoot, {
       commits: parseInt(options.commits, 10),
       strategy: options.strategy,
@@ -773,11 +1210,11 @@ program.command("mcp").description("Start MCP server for AI coding tools").argum
     const state = createEmptyState();
     let projectRootToConnect = null;
     if (directory) {
-      projectRootToConnect = resolve2(directory);
+      projectRootToConnect = resolve3(directory);
     } else {
       const detectedRoot = findProjectRoot();
       const cwd = process.cwd();
-      if (detectedRoot !== cwd || existsSync(join3(cwd, "package.json")) || existsSync(join3(cwd, "tsconfig.json")) || existsSync(join3(cwd, "go.mod")) || existsSync(join3(cwd, "pyproject.toml")) || existsSync(join3(cwd, "setup.py")) || existsSync(join3(cwd, ".git"))) {
+      if (detectedRoot !== cwd || existsSync(join5(cwd, "package.json")) || existsSync(join5(cwd, "tsconfig.json")) || existsSync(join5(cwd, "go.mod")) || existsSync(join5(cwd, "pyproject.toml")) || existsSync(join5(cwd, "setup.py")) || existsSync(join5(cwd, ".git"))) {
         projectRootToConnect = detectedRoot;
       }
     }
@@ -834,8 +1271,8 @@ program.command("docs").description("Generate comprehensive codebase documentati
   trackCommand("docs", packageJson.version);
   const startTime = Date.now();
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
-    const outputDir = options.output ? resolve2(options.output) : join3(projectRoot, ".depwire");
+    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
+    const outputDir = options.output ? resolve3(options.output) : join5(projectRoot, ".depwire");
     const includeList = options.include.split(",").map((s) => s.trim());
     const onlyList = options.only ? options.only.split(",").map((s) => s.trim()) : void 0;
     if (options.gitignore === void 0 && !existsSyncNode(outputDir)) {
@@ -897,16 +1334,16 @@ async function promptGitignore() {
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     rl.question("Add .depwire/ to .gitignore? [Y/n] ", (answer) => {
       rl.close();
       const normalized = answer.trim().toLowerCase();
-      resolve3(normalized === "" || normalized === "y" || normalized === "yes");
+      resolve4(normalized === "" || normalized === "y" || normalized === "yes");
     });
   });
 }
 function addToGitignore(projectRoot, pattern) {
-  const gitignorePath = join3(projectRoot, ".gitignore");
+  const gitignorePath = join5(projectRoot, ".gitignore");
   try {
     let content = "";
     if (existsSyncNode(gitignorePath)) {
@@ -931,7 +1368,7 @@ ${pattern}
 program.command("health").description("Analyze dependency architecture health (0-100 score)").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--json", "Output as JSON").option("--verbose", "Show detailed breakdown").action(async (directory, options) => {
   trackCommand("health", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
     const startTime = Date.now();
     const parsedFiles = await parseProject(projectRoot);
     const graph = buildGraph(parsedFiles);
@@ -955,7 +1392,7 @@ program.command("health").description("Analyze dependency architecture health (0
 program.command("dead-code").description("Identify dead code - symbols defined but never referenced").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--confidence <level>", "Minimum confidence level to show: high, medium, low (default: medium)", "medium").option("--json", "Output as JSON (for CI/automation)").option("--verbose", "Show detailed info for each dead symbol").option("--stats", "Show summary statistics").option("--include-tests", "Include test files in analysis").option("--include-low", "Shortcut for --confidence low").option("--debug", "Show debug information (exclusion stats)").action(async (directory, options) => {
   trackCommand("dead-code", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
     const startTime = Date.now();
     const parsedFiles = await parseProject(projectRoot);
     const graph = buildGraph(parsedFiles);
@@ -991,4 +1428,13 @@ program.command("whatif").description("Simulate architectural changes before tou
     process.exit(1);
   }
 });
+program.command("security").description("Scan codebase for security vulnerabilities (deterministic, no API key required)").argument("[directory]", "Project directory to scan (defaults to current directory or auto-detected project root)").option("--target <file>", "Scan a single file instead of the whole repo").option("--class <classes...>", "Only run specific vulnerability class checks").option("--format <format>", "Output format: table (default), json, sarif", "table").option("--fail-on <level>", "Exit with code 1 if findings at this severity or above").action(async (directory, options) => {
+  trackCommand("security", packageJson.version);
+  try {
+    await securityCommand(directory || ".", options);
+  } catch (err) {
+    console.error("Error running security scan:", err);
+    process.exit(1);
+  }
+});
 program.parse();

package/dist/mcpb-entry.js

@@ -4,11 +4,11 @@ import {
   startMcpServer,
   updateFileInGraph,
   watchProject
-} from "./chunk-ORGAO3HT.js";
+} from "./chunk-B2KGFBZL.js";
 import {
   buildGraph,
   parseProject
-} from "./chunk-QHVWDUSX.js";
+} from "./chunk-YYY5TNG7.js";
 
 // src/mcpb-entry.ts
 import { resolve } from "path";