depwire-cli 0.9.25 → 0.9.27

package/dist/{chunk-ORGAO3HT.js → chunk-RGD3YJYQ.js}

@@ -14,8 +14,9 @@ import {
   loadMetadata,
   parseProject,
   parseTypeScriptFile,
+  scanSecurity,
   searchSymbols
-} from "./chunk-QHVWDUSX.js";
+} from "./chunk-DA5LWNJ4.js";
 
 // src/viz/data.ts
 import { basename } from "path";
@@ -170,14 +171,14 @@ async function findAvailablePort(startPort, maxAttempts = 10) {
   const net = await import("net");
   for (let attempt = 0; attempt < maxAttempts; attempt++) {
     const testPort = startPort + attempt;
-    const isAvailable = await new Promise((resolve2) => {
+    const isAvailable = await new Promise((resolve4) => {
       const server = net.createServer();
       server.once("error", () => {
-        resolve2(false);
+        resolve4(false);
       });
       server.once("listening", () => {
         server.close();
-        resolve2(true);
+        resolve4(true);
       });
       server.listen(testPort, "127.0.0.1");
     });
@@ -376,7 +377,7 @@ import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
 // src/mcp/tools.ts
-import { dirname as dirname2, join as join5 } from "path";
+import { dirname as dirname2, join as join5, resolve as resolve3 } from "path";
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 
 // src/mcp/connect.ts
@@ -625,8 +626,8 @@ async function getCurrentBranch(dir) {
   }
 }
 async function checkoutCommit(dir, hash) {
-  if (!/^[a-zA-Z0-9_.\-\/]+$/.test(hash)) {
-    throw new Error(`Invalid git ref: ${hash}`);
+  if (!/^[a-f0-9]+$/.test(hash)) {
+    throw new Error(`Invalid commit hash: ${hash}`);
   }
   try {
     execSync(`git checkout -q ${hash}`, { cwd: dir, stdio: "ignore" });
@@ -635,11 +636,12 @@ async function checkoutCommit(dir, hash) {
   }
 }
 async function restoreOriginal(dir, originalBranch) {
-  if (!/^[a-zA-Z0-9_.\-\/]+$/.test(originalBranch)) {
-    throw new Error(`Invalid git ref: ${originalBranch}`);
+  if (!/^[a-zA-Z0-9/_.\-]+$/.test(originalBranch)) {
+    throw new Error(`Invalid branch name: ${originalBranch}`);
   }
   try {
     execSync(`git checkout -q ${originalBranch}`, {
+      // depwire-security-reviewed: branch validated above
       cwd: dir,
       stdio: "ignore"
     });
@@ -787,19 +789,22 @@ function getWeekNumber(date) {
 
 // src/temporal/snapshots.ts
 import { writeFileSync, readFileSync, mkdirSync, existsSync as existsSync2, readdirSync } from "fs";
-import { join as join4 } from "path";
+import { resolve as resolve2 } from "path";
 function saveSnapshot(snapshot, outputDir) {
   if (!existsSync2(outputDir)) {
     mkdirSync(outputDir, { recursive: true });
   }
   const filename = `${snapshot.commitHash.substring(0, 8)}.json`;
-  const filepath = join4(outputDir, filename);
+  const filepath = resolve2(outputDir, filename);
+  if (!filepath.startsWith(resolve2(outputDir))) {
+    throw new Error(`Path traversal attempt blocked: ${filepath}`);
+  }
   writeFileSync(filepath, JSON.stringify(snapshot, null, 2), "utf-8");
 }
 function loadSnapshot(commitHash, outputDir) {
   const shortHash = commitHash.substring(0, 8);
-  const filepath = join4(outputDir, `${shortHash}.json`);
-  if (!existsSync2(filepath)) {
+  const filepath = resolve2(outputDir, `${shortHash}.json`);
+  if (!filepath.startsWith(resolve2(outputDir)) || !existsSync2(filepath)) {
     return null;
   }
   try {
@@ -1127,6 +1132,50 @@ Always run this before any refactor that touches file structure.`,
         },
         required: ["operation", "target"]
       }
+    },
+    {
+      name: "security_scan",
+      description: `Scan the codebase for security vulnerabilities using deterministic checks + graph-aware severity scoring. No API key required.
+
+Checks: dependency CVEs, shell injection, hardcoded secrets, path traversal, auth bypass, input validation, information disclosure, cryptography weaknesses, frontend XSS, architecture-level risks.
+
+Graph-aware severity: vulnerabilities reachable from MCP tools or HTTP routes are automatically elevated. A medium shell injection reachable from connect_repo becomes Critical.
+
+Returns ranked findings (Critical \u2192 Low) with attack scenarios and suggested fixes. Use --target for single-file scan.`,
+      inputSchema: {
+        type: "object",
+        properties: {
+          target: {
+            type: "string",
+            description: "Relative file path to scan. Omit to scan entire repo."
+          },
+          classes: {
+            type: "array",
+            items: {
+              type: "string",
+              enum: [
+                "dependency-cve",
+                "shell-injection",
+                "code-injection",
+                "secrets",
+                "path-traversal",
+                "auth",
+                "input-validation",
+                "information-disclosure",
+                "architecture",
+                "cryptography",
+                "supply-chain",
+                "frontend-xss"
+              ]
+            },
+            description: "Vulnerability classes to check. Omit for all."
+          },
+          graphAware: {
+            type: "boolean",
+            description: "Enable graph-aware severity elevation (recommended). Default: true."
+          }
+        }
+      }
     }
   ];
 }
@@ -1209,6 +1258,19 @@ async function handleToolCall(name, args, state) {
       } else {
         result = handleSimulateChange(args, state);
       }
+    } else if (name === "security_scan") {
+      if (!isProjectLoaded(state)) {
+        result = {
+          error: "No project loaded",
+          message: "Use connect_repo to connect to a codebase first"
+        };
+      } else {
+        result = await scanSecurity(state.projectRoot, state.graph, {
+          target: args.target,
+          classes: args.classes,
+          graphAware: args.graphAware !== false
+        });
+      }
     } else {
       if (!isProjectLoaded(state)) {
         result = {
@@ -1679,6 +1741,10 @@ Available document types:
       continue;
     }
     const filePath = join5(docsDir, metadata.documents[doc].file);
+    if (!resolve3(filePath).startsWith(resolve3(docsDir))) {
+      missing.push(doc);
+      continue;
+    }
     if (!existsSync3(filePath)) {
       missing.push(doc);
       continue;

package/dist/index.js

@@ -17,7 +17,7 @@ import {
   stashChanges,
   updateFileInGraph,
   watchProject
-} from "./chunk-ORGAO3HT.js";
+} from "./chunk-RGD3YJYQ.js";
 import {
   SimulationEngine,
   analyzeDeadCode,
@@ -29,14 +29,15 @@ import {
   getHealthTrend,
   getImpact,
   parseProject,
+  scanSecurity,
   searchSymbols
-} from "./chunk-QHVWDUSX.js";
+} from "./chunk-DA5LWNJ4.js";
 
 // src/index.ts
 import { Command } from "commander";
-import { resolve as resolve2, dirname as dirname3, join as join4 } from "path";
-import { writeFileSync, readFileSync as readFileSync2, existsSync } from "fs";
-import { fileURLToPath as fileURLToPath3 } from "url";
+import { resolve as resolve4, dirname as dirname4, join as join5 } from "path";
+import { writeFileSync, readFileSync as readFileSync3, existsSync } from "fs";
+import { fileURLToPath as fileURLToPath4 } from "url";
 
 // src/graph/serializer.ts
 import { DirectedGraph } from "graphology";
@@ -230,7 +231,7 @@ import { join as join2 } from "path";
 import express from "express";
 import { readFileSync } from "fs";
 import { fileURLToPath } from "url";
-import { dirname, join } from "path";
+import { dirname, resolve } from "path";
 import open from "open";
 
 // src/viz/temporal-data.ts
@@ -305,10 +306,10 @@ async function findAvailablePort(startPort) {
   const net = await import("net");
   for (let attempt = 0; attempt < 10; attempt++) {
     const testPort = startPort + attempt;
-    const isAvailable = await new Promise((resolve3) => {
-      const server = net.createServer().once("error", () => resolve3(false)).once("listening", () => {
+    const isAvailable = await new Promise((resolve5) => {
+      const server = net.createServer().once("error", () => resolve5(false)).once("listening", () => {
         server.close();
-        resolve3(true);
+        resolve5(true);
       }).listen(testPort, "127.0.0.1");
     });
     if (isAvailable) {
@@ -324,19 +325,22 @@ async function startTemporalServer(snapshots, projectRoot, preferredPort = 3334)
   app.get("/api/data", (_req, res) => {
     res.json(vizData);
   });
-  const publicDir = join(__dirname, "viz", "public");
+  const publicDir = resolve(__dirname, "viz", "public");
   app.get("/", (_req, res) => {
-    const htmlPath = join(publicDir, "temporal.html");
+    const htmlPath = resolve(publicDir, "temporal.html");
+    if (!htmlPath.startsWith(publicDir)) return res.status(403).send("Forbidden");
     const html = readFileSync(htmlPath, "utf-8");
     res.send(html);
   });
   app.get("/temporal.js", (_req, res) => {
-    const jsPath = join(publicDir, "temporal.js");
+    const jsPath = resolve(publicDir, "temporal.js");
+    if (!jsPath.startsWith(publicDir)) return res.status(403).send("Forbidden");
     const js = readFileSync(jsPath, "utf-8");
     res.type("application/javascript").send(js);
   });
   app.get("/temporal.css", (_req, res) => {
-    const cssPath = join(publicDir, "temporal.css");
+    const cssPath = resolve(publicDir, "temporal.css");
+    if (!cssPath.startsWith(publicDir)) return res.status(403).send("Forbidden");
     const css = readFileSync(cssPath, "utf-8");
     res.type("text/css").send(css);
   });
@@ -349,13 +353,13 @@ async function startTemporalServer(snapshots, projectRoot, preferredPort = 3334)
       console.log("  (Could not open browser automatically)");
     });
   });
-  await new Promise((resolve3, reject) => {
+  await new Promise((resolve5, reject) => {
     server.on("error", reject);
     process.on("SIGINT", () => {
       console.log("\n\nShutting down temporal server...");
       server.close(() => {
         console.log("Server stopped");
-        resolve3();
+        resolve5();
         process.exit(0);
       });
     });
@@ -500,7 +504,7 @@ async function trackCommand(command, version = "unknown") {
 }
 
 // src/commands/whatif.ts
-import { resolve } from "path";
+import { resolve as resolve2 } from "path";
 import chalk from "chalk";
 
 // src/viz/whatif-server.ts
@@ -689,14 +693,14 @@ async function findAvailablePort2(startPort, maxAttempts = 10) {
   const net = await import("net");
   for (let attempt = 0; attempt < maxAttempts; attempt++) {
     const testPort = startPort + attempt;
-    const isAvailable = await new Promise((resolve3) => {
+    const isAvailable = await new Promise((resolve5) => {
       const server = net.createServer();
       server.once("error", () => {
-        resolve3(false);
+        resolve5(false);
       });
       server.once("listening", () => {
         server.close();
-        resolve3(true);
+        resolve5(true);
       });
       server.listen(testPort, "127.0.0.1");
     });
@@ -751,7 +755,7 @@ Opening What If UI at ${url}`);
 // src/commands/whatif.ts
 async function whatif(dir, options) {
   if (!options.simulate) {
-    const projectRoot2 = dir === "." ? findProjectRoot() : resolve(dir);
+    const projectRoot2 = dir === "." ? findProjectRoot() : resolve2(dir);
     console.error(`Parsing project: ${projectRoot2}`);
     const parsedFiles2 = await parseProject(projectRoot2);
     const graph2 = buildGraph(parsedFiles2);
@@ -777,7 +781,7 @@ async function whatif(dir, options) {
     process.exit(1);
   }
   const action = buildAction(options);
-  const projectRoot = dir === "." ? findProjectRoot() : resolve(dir);
+  const projectRoot = dir === "." ? findProjectRoot() : resolve2(dir);
   console.error(`Parsing project: ${projectRoot}`);
   const parsedFiles = await parseProject(projectRoot);
   const graph = buildGraph(parsedFiles);
@@ -887,18 +891,198 @@ function formatAction(action) {
   }
 }
 
-// src/index.ts
+// src/commands/security.ts
+import { resolve as resolve3, dirname as dirname3, join as join4 } from "path";
+import { readFileSync as readFileSync2 } from "fs";
+import { fileURLToPath as fileURLToPath3 } from "url";
+
+// src/security/reporter.ts
+import chalk2 from "chalk";
+var SEVERITY_COLORS = {
+  critical: chalk2.red.bold,
+  high: chalk2.red,
+  medium: chalk2.yellow,
+  low: chalk2.blue,
+  info: chalk2.dim
+};
+var SEVERITY_LABELS = {
+  critical: "CRITICAL",
+  high: "HIGH",
+  medium: "MEDIUM",
+  low: "LOW",
+  info: "INFO"
+};
+function formatTable(result, elapsedMs) {
+  const lines = [];
+  const sep = "\u2500".repeat(62);
+  lines.push("");
+  lines.push(chalk2.bold("Depwire Security Scan"));
+  lines.push("");
+  const summaryParts = [
+    result.summary.critical > 0 ? chalk2.red.bold(`${result.summary.critical} Critical`) : null,
+    result.summary.high > 0 ? chalk2.red(`${result.summary.high} High`) : null,
+    result.summary.medium > 0 ? chalk2.yellow(`${result.summary.medium} Medium`) : null,
+    result.summary.low > 0 ? chalk2.blue(`${result.summary.low} Low`) : null,
+    result.summary.info > 0 ? chalk2.dim(`${result.summary.info} Info`) : null
+  ].filter(Boolean);
+  if (summaryParts.length > 0) {
+    lines.push(`\u250C${sep}\u2510`);
+    lines.push(`\u2502  ${summaryParts.join("  \u2502  ")}  \u2502`);
+    lines.push(`\u2514${sep}\u2518`);
+  } else {
+    lines.push(chalk2.green.bold("  No security findings detected."));
+  }
+  lines.push("");
+  const severityOrder = ["critical", "high", "medium", "low", "info"];
+  for (const severity of severityOrder) {
+    const group = result.findings.filter((f) => f.severity === severity);
+    if (group.length === 0) continue;
+    const colorFn = SEVERITY_COLORS[severity];
+    lines.push(colorFn(SEVERITY_LABELS[severity]));
+    for (const finding of group) {
+      lines.push(`  ${colorFn(`[${finding.id}]`)} ${finding.title}`);
+      lines.push(`  File: ${finding.file}${finding.line ? `:${finding.line}` : ""}`);
+      lines.push(`  ${chalk2.dim(finding.description)}`);
+      lines.push(`  ${chalk2.dim("Fix:")} ${finding.suggestedFix}`);
+      if (finding.graphReachability?.elevatedBy) {
+        lines.push(`  ${chalk2.magenta("\u2191 Elevated:")} ${finding.graphReachability.elevatedBy}`);
+      }
+      lines.push("");
+    }
+  }
+  const elapsed = (elapsedMs / 1e3).toFixed(1);
+  lines.push(chalk2.dim(`Scanned ${result.filesScanned} files in ${elapsed}s`));
+  lines.push(chalk2.dim("Run with --format json for machine output"));
+  lines.push(chalk2.dim("Run with --format sarif for GitHub Security integration"));
+  lines.push("");
+  return lines.join("\n");
+}
+function formatJSON(result) {
+  return JSON.stringify(result, null, 2);
+}
+function formatSARIF(result, version) {
+  const rules = result.findings.map((f) => ({
+    id: f.id,
+    shortDescription: { text: f.title },
+    fullDescription: { text: f.description },
+    help: { text: f.suggestedFix },
+    properties: {
+      severity: f.severity,
+      vulnerabilityClass: f.vulnerabilityClass
+    }
+  }));
+  const uniqueRules = Array.from(
+    new Map(rules.map((r) => [r.id, r])).values()
+  );
+  const results = result.findings.map((f) => {
+    let level;
+    if (f.severity === "critical" || f.severity === "high") level = "error";
+    else if (f.severity === "medium") level = "warning";
+    else level = "note";
+    const sarifResult = {
+      ruleId: f.id,
+      level,
+      message: { text: `${f.title}: ${f.description}` },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: { uri: f.file },
+            region: f.line ? { startLine: f.line } : void 0
+          }
+        }
+      ]
+    };
+    return sarifResult;
+  });
+  const sarif = {
+    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "depwire",
+            version,
+            rules: uniqueRules
+          }
+        },
+        results
+      }
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
+}
+
+// src/commands/security.ts
 var __filename3 = fileURLToPath3(import.meta.url);
 var __dirname3 = dirname3(__filename3);
-var packageJsonPath = join4(__dirname3, "../package.json");
-var packageJson = JSON.parse(readFileSync2(packageJsonPath, "utf-8"));
+function getVersion() {
+  try {
+    let dir = __dirname3;
+    for (let i = 0; i < 5; i++) {
+      const pkgPath = join4(dir, "package.json");
+      try {
+        const pkg = JSON.parse(readFileSync2(pkgPath, "utf-8"));
+        if (pkg.name === "depwire-cli") return pkg.version;
+      } catch {
+      }
+      dir = dirname3(dir);
+    }
+  } catch {
+  }
+  return "0.0.0";
+}
+var SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"];
+async function securityCommand(dir, options) {
+  const projectRoot = dir === "." ? findProjectRoot() : resolve3(dir);
+  console.error(`Scanning: ${projectRoot}`);
+  const startTime = Date.now();
+  const parsedFiles = await parseProject(projectRoot);
+  console.error(`Parsed ${parsedFiles.length} files`);
+  const graph = buildGraph(parsedFiles);
+  console.error(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
+  const result = await scanSecurity(projectRoot, graph, {
+    target: options.target,
+    classes: options.class,
+    format: options.format || "table",
+    graphAware: true
+  });
+  const elapsedMs = Date.now() - startTime;
+  const format = options.format || "table";
+  if (format === "json") {
+    console.log(formatJSON(result));
+  } else if (format === "sarif") {
+    console.log(formatSARIF(result, getVersion()));
+  } else {
+    console.log(formatTable(result, elapsedMs));
+  }
+  if (options.failOn) {
+    const threshold = options.failOn;
+    const thresholdIdx = SEVERITY_ORDER.indexOf(threshold);
+    if (thresholdIdx >= 0) {
+      const hasFindings = result.findings.some(
+        (f) => SEVERITY_ORDER.indexOf(f.severity) <= thresholdIdx
+      );
+      if (hasFindings) {
+        console.error(`Findings at or above ${threshold} severity detected \u2014 exiting with code 1`);
+        process.exit(1);
+      }
+    }
+  }
+}
+
+// src/index.ts
+var __filename4 = fileURLToPath4(import.meta.url);
+var __dirname4 = dirname4(__filename4);
+var packageJsonPath = join5(__dirname4, "../package.json");
+var packageJson = JSON.parse(readFileSync3(packageJsonPath, "utf-8"));
 var program = new Command();
 program.name("depwire").description("Code cross-reference graph builder for TypeScript projects").version(packageJson.version);
 program.command("parse").description("Parse a TypeScript project and build dependency graph").argument("[directory]", "Project directory to parse (defaults to current directory or auto-detected project root)").option("-o, --output <path>", "Output JSON file path", "depwire-output.json").option("--pretty", "Pretty-print JSON output").option("--stats", "Print summary statistics").option("--exclude <patterns...>", 'Glob patterns to exclude (e.g., "**/*.test.*" "dist/**")').option("--verbose", "Show detailed parsing progress").action(async (directory, options) => {
   trackCommand("parse", packageJson.version);
   const startTime = Date.now();
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     console.log(`Parsing project: ${projectRoot}`);
     const parsedFiles = await parseProject(projectRoot, {
       exclude: options.exclude,
@@ -937,12 +1121,12 @@ Orphan Files (no cross-references): ${summary.orphanFiles.length}`);
 program.command("query").description("Query impact analysis for a symbol").argument("<directory>", "Project directory").argument("<symbol-name>", "Symbol name to query").action(async (directory, symbolName) => {
   trackCommand("query", packageJson.version);
   try {
-    const projectRoot = resolve2(directory);
-    const cacheFile = "depwire-output.json";
+    const projectRoot = resolve4(directory);
+    const cacheFile = resolve4("depwire-output.json");
     let graph;
     if (existsSync(cacheFile)) {
       console.log("Loading from cache...");
-      const json = JSON.parse(readFileSync2(cacheFile, "utf-8"));
+      const json = JSON.parse(readFileSync3(cacheFile, "utf-8"));
       graph = importFromJSON(json);
     } else {
       console.log("Parsing project...");
@@ -986,7 +1170,7 @@ Total Transitive Dependents: ${impact.transitiveDependents.length}`);
 program.command("viz").description("Launch interactive arc diagram visualization").argument("[directory]", "Project directory to visualize (defaults to current directory or auto-detected project root)").option("-p, --port <number>", "Server port", "3333").option("--no-open", "Don't auto-open browser").option("--exclude <patterns...>", 'Glob patterns to exclude (e.g., "**/*.test.*" "dist/**")').option("--verbose", "Show detailed parsing progress").action(async (directory, options) => {
   trackCommand("viz", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     console.log(`Parsing project: ${projectRoot}`);
     const parsedFiles = await parseProject(projectRoot, {
       exclude: options.exclude,
@@ -1009,7 +1193,7 @@ program.command("viz").description("Launch interactive arc diagram visualization
 program.command("temporal").description("Visualize how the dependency graph evolved over git history").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--commits <number>", "Number of commits to sample", "20").option("--strategy <type>", "Sampling strategy: even, weekly, monthly", "even").option("-p, --port <number>", "Server port", "3334").option("--output <path>", "Save snapshots to custom path (default: .depwire/temporal/)").option("--verbose", "Show progress for each commit being parsed").option("--stats", "Show summary statistics at end").action(async (directory, options) => {
   trackCommand("temporal", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     await runTemporalAnalysis(projectRoot, {
       commits: parseInt(options.commits, 10),
       strategy: options.strategy,
@@ -1029,11 +1213,11 @@ program.command("mcp").description("Start MCP server for AI coding tools").argum
     const state = createEmptyState();
     let projectRootToConnect = null;
     if (directory) {
-      projectRootToConnect = resolve2(directory);
+      projectRootToConnect = resolve4(directory);
     } else {
       const detectedRoot = findProjectRoot();
       const cwd = process.cwd();
-      if (detectedRoot !== cwd || existsSync(join4(cwd, "package.json")) || existsSync(join4(cwd, "tsconfig.json")) || existsSync(join4(cwd, "go.mod")) || existsSync(join4(cwd, "pyproject.toml")) || existsSync(join4(cwd, "setup.py")) || existsSync(join4(cwd, ".git"))) {
+      if (detectedRoot !== cwd || existsSync(join5(cwd, "package.json")) || existsSync(join5(cwd, "tsconfig.json")) || existsSync(join5(cwd, "go.mod")) || existsSync(join5(cwd, "pyproject.toml")) || existsSync(join5(cwd, "setup.py")) || existsSync(join5(cwd, ".git"))) {
         projectRootToConnect = detectedRoot;
       }
     }
@@ -1090,8 +1274,8 @@ program.command("docs").description("Generate comprehensive codebase documentati
   trackCommand("docs", packageJson.version);
   const startTime = Date.now();
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
-    const outputDir = options.output ? resolve2(options.output) : join4(projectRoot, ".depwire");
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
+    const outputDir = options.output ? resolve4(options.output) : join5(projectRoot, ".depwire");
     const includeList = options.include.split(",").map((s) => s.trim());
     const onlyList = options.only ? options.only.split(",").map((s) => s.trim()) : void 0;
     if (options.gitignore === void 0 && !existsSyncNode(outputDir)) {
@@ -1153,16 +1337,16 @@ async function promptGitignore() {
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve3) => {
+  return new Promise((resolve5) => {
     rl.question("Add .depwire/ to .gitignore? [Y/n] ", (answer) => {
       rl.close();
       const normalized = answer.trim().toLowerCase();
-      resolve3(normalized === "" || normalized === "y" || normalized === "yes");
+      resolve5(normalized === "" || normalized === "y" || normalized === "yes");
     });
   });
 }
 function addToGitignore(projectRoot, pattern) {
-  const gitignorePath = join4(projectRoot, ".gitignore");
+  const gitignorePath = join5(projectRoot, ".gitignore");
   try {
     let content = "";
     if (existsSyncNode(gitignorePath)) {
@@ -1187,7 +1371,7 @@ ${pattern}
 program.command("health").description("Analyze dependency architecture health (0-100 score)").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--json", "Output as JSON").option("--verbose", "Show detailed breakdown").action(async (directory, options) => {
   trackCommand("health", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     const startTime = Date.now();
     const parsedFiles = await parseProject(projectRoot);
     const graph = buildGraph(parsedFiles);
@@ -1211,7 +1395,7 @@ program.command("health").description("Analyze dependency architecture health (0
 program.command("dead-code").description("Identify dead code - symbols defined but never referenced").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--confidence <level>", "Minimum confidence level to show: high, medium, low (default: medium)", "medium").option("--json", "Output as JSON (for CI/automation)").option("--verbose", "Show detailed info for each dead symbol").option("--stats", "Show summary statistics").option("--include-tests", "Include test files in analysis").option("--include-low", "Shortcut for --confidence low").option("--debug", "Show debug information (exclusion stats)").action(async (directory, options) => {
   trackCommand("dead-code", packageJson.version);
   try {
-    const projectRoot = directory ? resolve2(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     const startTime = Date.now();
     const parsedFiles = await parseProject(projectRoot);
     const graph = buildGraph(parsedFiles);
@@ -1247,4 +1431,13 @@ program.command("whatif").description("Simulate architectural changes before tou
     process.exit(1);
   }
 });
+program.command("security").description("Scan codebase for security vulnerabilities (deterministic, no API key required)").argument("[directory]", "Project directory to scan (defaults to current directory or auto-detected project root)").option("--target <file>", "Scan a single file instead of the whole repo").option("--class <classes...>", "Only run specific vulnerability class checks").option("--format <format>", "Output format: table (default), json, sarif", "table").option("--fail-on <level>", "Exit with code 1 if findings at this severity or above").action(async (directory, options) => {
+  trackCommand("security", packageJson.version);
+  try {
+    await securityCommand(directory || ".", options);
+  } catch (err) {
+    console.error("Error running security scan:", err);
+    process.exit(1);
+  }
+});
 program.parse();

package/dist/mcpb-entry.js

@@ -4,11 +4,11 @@ import {
   startMcpServer,
   updateFileInGraph,
   watchProject
-} from "./chunk-ORGAO3HT.js";
+} from "./chunk-RGD3YJYQ.js";
 import {
   buildGraph,
   parseProject
-} from "./chunk-QHVWDUSX.js";
+} from "./chunk-DA5LWNJ4.js";
 
 // src/mcpb-entry.ts
 import { resolve } from "path";