ghcr-manager 0.9.7 → 0.9.8

package/CHANGELOG.md

@@ -7,6 +7,44 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 ## [Unreleased]
 
+## [0.9.8] - 2026-06-03
+
+### Added
+
+- Added dedicated graph-matrix GHCR scenarios and workflows to exercise shared-image, multi-arch, cosign, and
+  attestation cleanup cases in isolation.
+- Added a local manifest-graph visualizer with browser UI for `ghcr-manager` SQLite databases, including manifest
+  details, zoom controls, one-hop expansion, and scan-to-scan compare mode.
+- Added a separately publishable npm package, `ghcr-manager-visualizer`, plus user-facing visualizer documentation.
+- Added repo-local manual visualizer demo scripts for seeding and updating GHCR packages during graph investigation.
+
+### Changed
+
+- Cleanup planning was reworked around the current graph model, including direct SQL-backed tagged/untagged root
+  selection, graph-scoped closure walking, and refined `untag-only` vs `fully-deletable` decisions for complex
+  multi-arch, cosign, and attestation shapes.
+- Large planner SQL bodies were split into smaller internal modules, and direct-target root selection logic was split
+  into smaller planner helpers.
+- Orphaned digest-tag resolution now uses a direct latest-scan query instead of relying on older helper views.
+- Manifest platform display now derives from descriptor data in the visualizer instead of relying on manifest-level
+  platform fields.
+- Cross-architecture terminology is now consistently named `multi-arch` across runtime, tests, and docs.
+- The root action and public CLI surface are now centered on `scan` and `cleanup` only.
+
+### Fixed
+
+- Fixed digest-tag helper-edge direction and root-detection behavior so helper-tagged artifacts no longer interfere with
+  normal cleanup root semantics.
+- Fixed shared-graph cleanup handling so selected indexes and helper-linked artifacts are deleted or retained according
+  to surviving real tags instead of simplistic descendant-only closure rules.
+
+### Removed
+
+- The public `untag` CLI command, root-action mode, and dedicated direct-untag workflow coverage were removed. Internal
+  tag detachment for partial-tag cleanup matches remains part of `cleanup`.
+- Several older cleanup helper views were removed after the planner rewrite moved the live logic into direct SQL query
+  paths.
+
 ## [0.9.7] - 2026-05-23
 
 ### Added
@@ -20,7 +58,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 - Cleanup dry-run output and GitHub step summaries were reworked to explain the plan more clearly, including a filters
   table and clearer counts for tags, images, and cross-arch manifests.
-- Informational manifest classification was tuned so only real multi-arch roots are labeled `cross_arch_manifest`, while
+- Informational manifest classification was tuned so only real multi-arch roots are labeled `multi_arch_manifest`, while
   helper-tagged indexes remain `index_manifest`.
 - `merge-run-artifacts` now uses a simpler current-run download flow with direct artifact download handling.
 - Cleanup selected-tag audit and DB-merge metadata handling were tightened alongside the summary/output refactor.

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 gh-workflow
+Copyright (c) 2026 Stefan Kuhn
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,9 +1,9 @@
 # ghcr-manager
 
-[![Release](https://img.shields.io/github/v/release/gh-workflow/ghcr-manager?style=flat-square)](https://github.com/gh-workflow/ghcr-manager/releases)
-[![Immutable Releases](https://img.shields.io/badge/releases-immutable-blue?labelColor=333)](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases)
 [![GitHub Marketplace](https://img.shields.io/badge/marketplace-ghcr--manager-blue?logo=github&labelColor=333&style=flat-square)](https://github.com/marketplace/actions/ghcr-manager)
-[![Tests](https://img.shields.io/github/actions/workflow/status/gh-workflow/ghcr-manager/.github/workflows/ci_change-validation.yml?branch=main&label=test&style=flat-square)](https://github.com/gh-workflow/ghcr-manager/actions/workflows/change-validation.yml)
+[![Release](https://img.shields.io/github/v/release/ghcr-manager/ghcr-manager?style=flat-square)](https://github.com/ghcr-manager/ghcr-manager/releases)
+[![Immutable Releases](https://img.shields.io/badge/releases-immutable-blue?labelColor=333)](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases)
+[![Tests](https://img.shields.io/github/actions/workflow/status/ghcr-manager/ghcr-manager/.github/workflows/ci_change-validation.yml?branch=main&label=test&style=flat-square)](https://github.com/ghcr-manager/ghcr-manager/actions/workflows/ci_change-validation.yml)
 
 Inspect, review, and manage GitHub Container Registry packages.
 
@@ -12,7 +12,6 @@ Inspect, review, and manage GitHub Container Registry packages.
 - scanning one GHCR package into a SQLite database artifact
 - running cleanup with a GitHub step summary and optional DB artifact
 - previewing cleanup decisions with `dry-run` before making changes
-- directly removing selected tags with `untag`
 
 ## Quick Start
 
@@ -33,7 +32,7 @@ jobs:
 
       - name: Preview GHCR cleanup
         id: ghcr-manager
-        uses: gh-workflow/ghcr-manager@0.9.7
+        uses: ghcr-manager/ghcr-manager@0.9.8
         with:
           command: cleanup
           token: ${{ github.token }}
@@ -55,16 +54,14 @@ After the run:
 
 ## Commands
 
-The action supports three commands:
+The action supports two commands:
 
 - `cleanup`: Cleans using filters; use `dry-run` to preview the result
-- `untag`: Removes one or more tags directly
 - `scan`: Scans one package and uploads the resulting DB artifact
 
 ### Purpose of commands
 
 - `cleanup`: Normal entry point for registry maintenance
-- `untag`: Works directly without a full package scan
 - `scan`: For investigation and audit
 
 ## Common Usage
@@ -72,7 +69,7 @@ The action supports three commands:
 ### Preview cleanup
 
 ```yaml
-- uses: gh-workflow/ghcr-manager@0.9.7
+- uses: ghcr-manager/ghcr-manager@0.9.8
   with:
     command: cleanup
     token: ${{ github.token }}
@@ -93,7 +90,7 @@ The action supports three commands:
 ### Apply cleanup
 
 ```yaml
-- uses: gh-workflow/ghcr-manager@0.9.7
+- uses: ghcr-manager/ghcr-manager@0.9.8
   with:
     command: cleanup
     token: ${{ github.token }}
@@ -109,26 +106,10 @@ If `scan-after-cleanup` is `true`, `cleanup` performs a second scan so the uploa
 
 Note: the second scan only runs if cleanup actually makes changes.
 
-### Remove selected tags directly
-
-```yaml
-- uses: gh-workflow/ghcr-manager@0.9.7
-  with:
-    command: untag
-    token: ${{ github.token }}
-    owner: OWNER
-    package: PACKAGE
-    delete-tags: |
-      old-tag
-      test-tag
-```
-
-`untag` does not use a scan DB and does not support DB artifact upload.
-
 ### Scan one package
 
 ```yaml
-- uses: gh-workflow/ghcr-manager@0.9.7
+- uses: ghcr-manager/ghcr-manager@0.9.8
   with:
     command: scan
     token: ${{ github.token }}
@@ -142,32 +123,32 @@ Note: the second scan only runs if cleanup actually makes changes.
 
 <!-- markdownlint-disable MD013 MD060 -->
 
-| Input                        | Description                         | Cmds | Required    | Default                        |
-| ---------------------------- | ----------------------------------- | ---- | ----------- | ------------------------------ |
-| `command`                    | `scan`, `cleanup`, or `untag`       | all  | Yes         |                                |
-| `token`                      | GitHub token for API calls          | all  | Yes         | `${{ github.token }}`          |
-| `owner`                      | Package owner                       | all  | Yes         |                                |
-| `package`                    | Package name                        | all  | Yes         |                                |
-| `db-path`                    | Local SQLite DB path                | s,c  | No          |                                |
-| `upload-artifacts`           | Upload DB and summary artifacts     | s,c  | No          | `false`                        |
-| `scan-after-cleanup`         | Run a second scan after cleanup     | c    | No          | `false`                        |
-| `db-artifact-retention-days` | Override artifact retention days    | s,c  | No          | `${{ github.retention_days }}` |
-| `delete-tags`                | Newline-separated tags to delete    | c,u  | for `untag` |                                |
-| `exclude-tags`               | Newline-separated tags to exclude   | c    | No          |                                |
-| `keep-n-tagged`              | Keep newest tagged roots            | c    | No          |                                |
-| `keep-n-untagged`            | Keep newest untagged roots          | c    | No          |                                |
-| `delete-untagged`            | Delete untagged roots               | c    | No          | `false`                        |
-| `delete-ghost-images`        | Delete ghost multi-arch roots       | c    | No          | `false`                        |
-| `delete-partial-images`      | Delete partial multi-arch roots     | c    | No          | `false`                        |
-| `delete-orphaned-images`     | Delete orphaned digest-derived tags | c    | No          | `false`                        |
-| `older-than`                 | Age cutoff for cleanup selectors    | c    | No          |                                |
-| `use-regex`                  | Use regex for cleanup tag selectors | c    | No          | `false`                        |
-| `dry-run`                    | Show changes without mutating GHCR  | c,u  | No          | `false`                        |
-| `log-level`                  | CLI log level                       | all  | No          | `info`                         |
+| Input                        | Description                         | Cmds | Required | Default                        |
+| ---------------------------- | ----------------------------------- | ---- | -------- | ------------------------------ |
+| `command`                    | `scan` or `cleanup`                 | all  | Yes      |                                |
+| `token`                      | GitHub token for API calls          | all  | Yes      | `${{ github.token }}`          |
+| `owner`                      | Package owner                       | all  | Yes      |                                |
+| `package`                    | Package name                        | all  | Yes      |                                |
+| `db-path`                    | Local SQLite DB path                | s,c  | No       |                                |
+| `upload-artifacts`           | Upload DB and summary artifacts     | s,c  | No       | `false`                        |
+| `scan-after-cleanup`         | Run a second scan after cleanup     | c    | No       | `false`                        |
+| `db-artifact-retention-days` | Override artifact retention days    | s,c  | No       | `${{ github.retention_days }}` |
+| `delete-tags`                | Newline-separated tags to delete    | c    | No       |                                |
+| `exclude-tags`               | Newline-separated tags to exclude   | c    | No       |                                |
+| `keep-n-tagged`              | Keep newest tagged roots            | c    | No       |                                |
+| `keep-n-untagged`            | Keep newest untagged roots          | c    | No       |                                |
+| `delete-untagged`            | Delete untagged roots               | c    | No       | `false`                        |
+| `delete-ghost-images`        | Delete ghost multi-arch roots       | c    | No       | `false`                        |
+| `delete-partial-images`      | Delete partial multi-arch roots     | c    | No       | `false`                        |
+| `delete-orphaned-images`     | Delete orphaned digest-derived tags | c    | No       | `false`                        |
+| `older-than`                 | Age cutoff for cleanup selectors    | c    | No       |                                |
+| `use-regex`                  | Use regex for cleanup tag selectors | c    | No       | `false`                        |
+| `dry-run`                    | Show changes without mutating GHCR  | c    | No       | `false`                        |
+| `log-level`                  | CLI log level                       | all  | No       | `info`                         |
 
 <!-- markdownlint-enable MD013 MD060 -->
 
-`Cmds`: `s` = `scan`, `c` = `cleanup`, `u` = `untag`
+`Cmds`: `s` = `scan`, `c` = `cleanup`
 
 Cleanup command notes:
 
@@ -180,10 +161,10 @@ Cleanup command notes:
 
 ## Outputs
 
-| Output              | Description                                      |
-| ------------------- | ------------------------------------------------ |
-| `db-path`           | SQLite DB path on the runner                     |
-| `summary-json-path` | Summary JSON file path for `cleanup` and `untag` |
+| Output              | Description                          |
+| ------------------- | ------------------------------------ |
+| `db-path`           | SQLite DB path on the runner         |
+| `summary-json-path` | Summary JSON file path for `cleanup` |
 
 ## Artifacts
 
@@ -191,7 +172,6 @@ When artifacts are enabled:
 
 - `scan` always uploads one SQLite DB artifact
 - `cleanup` optionally uploads the DB artifact and a cleanup summary JSON artifact
-- `untag` uploads no artifacts
 
 Current naming:
 
@@ -202,7 +182,8 @@ Current naming:
 
 ## Documentation Map
 
-- [GitHub Action usage](docs/action-usage.md): action commands, including `cleanup`, `scan`, and `untag`
+- [GitHub Action usage](docs/action-usage.md): action commands, including `cleanup` and `scan`
+- [Visualizer](docs/visualizer.md): local graph inspection and scan-to-scan comparison
 - [Multi-package workflows](docs/db-merge-workflows.md): cleaning up multiple packages with one combined DB
 - [SQLite schema guide](docs/schema-description.md): practical explanation of the SQLite schema
 - [CLI usage](docs/cli-usage.md): companion CLI usage

package/dist/cleanup-summary/_cleanup-summary-markdown.js

@@ -16,7 +16,7 @@ export function renderCleanupSummaryMarkdown(summary, options) {
         `| 🏷️ Selected tags | ${summary.directTargetTags.length} |`,
         `| 🔖 Deleted tags | ${summary.changes.deletedTags} |`,
         `| 🖼️ Deleted images | ${summary.changes.deletedImages} |`,
-        `| 📚 Deleted cross-arch manifests | ${summary.changes.deletedCrossArchManifests} |`,
+        `| 📚 Deleted multi-arch manifests | ${summary.changes.deletedMultiArchManifests} |`,
         `| 🧱 Deleted indexes | ${summary.changes.deletedIndexes} |`,
         `| 📄 Deleted total | ${summary.changes.deletedTotal} |`,
         `| 🔗 Tag-only updates | ${summary.untagOnlyRoots.length} |`,
@@ -29,7 +29,7 @@ export function renderCleanupSummaryMarkdown(summary, options) {
     lines.push(..._renderRootSection("🗑️ Deleted items", summary.fullyDeletableRoots, maxRootsPerSection));
     lines.push(..._renderRootSection("🔗 Tags removed only", summary.untagOnlyRoots, maxRootsPerSection));
     lines.push(..._renderRootSection("🛡️ Blocked items", summary.blockedRoots, maxRootsPerSection));
-    if (!summary.dryRun && (summary.deletedPackageVersions.length > 0 || summary.untaggedTags.length > 0)) {
+    if (!summary.dryRun && (summary.deletedPackageVersionCount > 0 || summary.detachedTagCount > 0)) {
         lines.push(..._renderLiveEffects(summary));
     }
     return `${lines.join("\n").trimEnd()}\n`;
@@ -37,7 +37,7 @@ export function renderCleanupSummaryMarkdown(summary, options) {
 function _renderPlannedDeleteBreakdown(summary) {
     const rows = [
         { label: "Images", count: summary.changes.deletedImages },
-        { label: "Cross-arch manifests", count: summary.changes.deletedCrossArchManifests },
+        { label: "Multi-arch manifests", count: summary.changes.deletedMultiArchManifests },
         { label: "Artifact manifests", count: summary.changes.deletedArtifactManifests },
         { label: "Signatures", count: summary.changes.deletedSignatures },
         { label: "Attestations", count: summary.changes.deletedAttestations },
@@ -105,11 +105,8 @@ function _renderRootSection(title, roots, maxRootsPerSection) {
 }
 function _renderLiveEffects(summary) {
     const lines = ["### Applied changes", ""];
-    lines.push(`- Deleted package versions: ${summary.deletedPackageVersions.length}`);
-    lines.push(`- Detached tags: ${summary.untaggedTags.length}`);
-    if (summary.unsupportedUntagRoots.length > 0) {
-        lines.push(`- Unsupported untag roots: ${summary.unsupportedUntagRoots.length}`);
-    }
+    lines.push(`- Deleted package versions: ${summary.deletedPackageVersionCount}`);
+    lines.push(`- Detached tags: ${summary.detachedTagCount}`);
     lines.push("");
     return lines;
 }
@@ -211,8 +208,8 @@ function _describeManifestKind(manifestKind) {
     switch (manifestKind) {
         case ManifestKinds.imageManifest:
             return "image";
-        case ManifestKinds.crossArchManifest:
-            return "cross-arch";
+        case ManifestKinds.multiArchManifest:
+            return "multi-arch";
         case ManifestKinds.indexManifest:
             return "index";
         case ManifestKinds.signatureManifest:

package/dist/cleanup-summary/_cleanup-summary.d.ts

@@ -25,7 +25,7 @@ export interface CleanupSummaryChanges {
     deletedTags: number;
     deletedImages: number;
     deletedIndexes: number;
-    deletedCrossArchManifests: number;
+    deletedMultiArchManifests: number;
     deletedArtifactManifests: number;
     deletedAttestations: number;
     deletedSignatures: number;
@@ -45,9 +45,8 @@ export interface CleanupSummary {
     blockedRoots: CleanupSummaryRoot[];
     affectedManifests: CleanupSummaryAffectedManifest[];
     changes: CleanupSummaryChanges;
-    deletedPackageVersions: DeleteExecutionSummary["deletedPackageVersions"];
-    untaggedTags: DeleteExecutionSummary["untaggedTags"];
-    unsupportedUntagRoots: DeleteExecutionSummary["unsupportedUntagRoots"];
+    deletedPackageVersionCount: DeleteExecutionSummary["deletedPackageVersionCount"];
+    detachedTagCount: DeleteExecutionSummary["detachedTagCount"];
 }
 export declare function buildCleanupSummary(plan: DeletePlan, options: {
     dryRun: boolean;

package/dist/cleanup-summary/_cleanup-summary.js

@@ -20,9 +20,8 @@ export function buildCleanupSummary(plan, options) {
         blockedRoots,
         affectedManifests,
         changes: options.changes,
-        deletedPackageVersions: options.executionSummary?.deletedPackageVersions ?? [],
-        untaggedTags: options.executionSummary?.untaggedTags ?? [],
-        unsupportedUntagRoots: options.executionSummary?.unsupportedUntagRoots ?? []
+        deletedPackageVersionCount: options.executionSummary?.deletedPackageVersionCount ?? 0,
+        detachedTagCount: options.executionSummary?.detachedTagCount ?? 0
     };
 }
 function _mapRootDecision(decision, directTargetTagSet, rootTagsByVersionId) {

package/dist/cli/_cleanup-command.js

@@ -133,7 +133,7 @@ function _loadSummaryChanges(database, cleanupRunId) {
         deletedTags,
         deletedImages: countsByKind.get(ManifestKinds.imageManifest) ?? 0,
         deletedIndexes: countsByKind.get(ManifestKinds.indexManifest) ?? 0,
-        deletedCrossArchManifests: countsByKind.get(ManifestKinds.crossArchManifest) ?? 0,
+        deletedMultiArchManifests: countsByKind.get(ManifestKinds.multiArchManifest) ?? 0,
         deletedArtifactManifests: countsByKind.get(ManifestKinds.artifactManifest) ?? 0,
         deletedAttestations: countsByKind.get(ManifestKinds.attestationManifest) ?? 0,
         deletedSignatures: countsByKind.get(ManifestKinds.signatureManifest) ?? 0,

package/dist/cli/_tag-selector-resolver.js

@@ -96,16 +96,36 @@ function _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestam
 function _listLatestOrphanedTags(database, owner, packageName, cutoffTimestamp) {
     const rows = database
         .prepare(`
-        SELECT DISTINCT dtr.tag
-        FROM v_digest_tag_relations dtr
-        INNER JOIN package_versions pv
-          ON pv.scan_id = dtr.scan_id
-         AND pv.version_id = dtr.artifact_version_id
-        WHERE dtr.owner = ?
-          AND dtr.package_name = ?
-          AND dtr.parent_exists = 0
+        WITH latest_scan AS (
+          SELECT scan_id
+          FROM v_latest_scan_per_package
+          WHERE owner = ?
+            AND package_name = ?
+        ),
+        digest_tag_artifacts AS (
+          SELECT
+            t.tag,
+            t.scan_id,
+            t.version_id AS artifact_version_id,
+            'sha256:' || SUBSTR(t.tag, 8, 64) AS parent_digest
+          FROM latest_scan ls
+          JOIN tags t
+            ON t.scan_id = ls.scan_id
+          WHERE t.is_digest_tag = 1
+        )
+        SELECT DISTINCT dta.tag
+        FROM digest_tag_artifacts dta
+        JOIN package_versions pv
+          ON pv.scan_id = dta.scan_id
+         AND pv.version_id = dta.artifact_version_id
+        WHERE NOT EXISTS (
+            SELECT 1
+            FROM manifests parent
+            WHERE parent.scan_id = dta.scan_id
+              AND parent.digest = dta.parent_digest
+          )
           AND (? IS NULL OR pv.created_at < ?)
-        ORDER BY dtr.tag
+        ORDER BY dta.tag
       `)
         .all(owner, packageName, cutoffTimestamp ?? null, cutoffTimestamp ?? null);
     return rows.map((row) => row.tag);

package/dist/cli/index.js

@@ -4,7 +4,6 @@ import { fileURLToPath } from "node:url";
 import { handleCleanup } from "./_cleanup-command.js";
 import { handleDbMerge } from "./_db-merge-command.js";
 import { handleScan } from "./_scan-command.js";
-import { handleUntag } from "./_untag-command.js";
 export async function main(argv) {
     const [command, ...rest] = argv;
     if (!command) {
@@ -18,8 +17,6 @@ export async function main(argv) {
             return handleDbMerge(rest);
         case "scan":
             return handleScan(rest);
-        case "untag":
-            return handleUntag(rest);
         default:
             throw new Error(`unknown command: ${command}`);
     }
@@ -29,7 +26,6 @@ function printUsage() {
   ghcr-manager cleanup --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] [--summary-json-path <path>] --owner <org> --package <name> [--token <token>] <cleanup selectors...> [--exclude-tag <tag> ...] [--use-regex] [--older-than <interval>]
   ghcr-manager db-merge --db <target-path> --source-db <path> [--source-db <path> ...]
   ghcr-manager scan --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--github-output <path>] --owner <org> --package <name> --token <token>
-  ghcr-manager untag [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] [--summary-json-path <path>] --owner <org> --package <name> --token <token> --tag <tag> [--tag <tag> ...]
 
 Cleanup selectors:
   --delete-untagged

package/dist/core/_types.d.ts

@@ -1,6 +1,6 @@
 export declare const ManifestKinds: {
     readonly indexManifest: "index_manifest";
-    readonly crossArchManifest: "cross_arch_manifest";
+    readonly multiArchManifest: "multi_arch_manifest";
     readonly imageManifest: "image_manifest";
     readonly artifactManifest: "artifact_manifest";
     readonly attestationManifest: "attestation_manifest";
@@ -27,11 +27,6 @@ export interface ManifestRecord {
     subjectDigest?: string;
     annotations?: Record<string, unknown>;
     manifestKind?: ManifestKind;
-    platform?: {
-        architecture?: string;
-        os?: string;
-        variant?: string;
-    };
 }
 export interface ManifestDescriptorRecord {
     parentDigest: string;

package/dist/core/_types.js

@@ -1,6 +1,6 @@
 export const ManifestKinds = {
     indexManifest: "index_manifest",
-    crossArchManifest: "cross_arch_manifest",
+    multiArchManifest: "multi_arch_manifest",
     imageManifest: "image_manifest",
     artifactManifest: "artifact_manifest",
     attestationManifest: "attestation_manifest",

package/dist/db/_db-merge-scan-copy.js

@@ -26,11 +26,12 @@ export class DbMergeScanCopy {
             "package_versions(scan_id, version_id, created_at, updated_at)",
             "package_version_payloads(scan_id, version_id, raw_json)",
             "tags(scan_id, tag, version_id, is_digest_tag)",
-            "manifests(scan_id, version_id, digest, media_type, artifact_type, config_media_type, subject_digest, annotations_json, platform_os, platform_architecture, platform_variant, manifest_kind)",
+            "manifests(scan_id, version_id, digest, media_type, artifact_type, config_media_type, subject_digest, annotations_json, manifest_kind)",
             "manifest_descriptors(scan_id, parent_digest, child_digest, media_type, artifact_type, platform_os, platform_architecture, platform_variant)",
             "manifest_payloads(scan_id, digest, raw_json)",
             "manifest_edges(scan_id, parent_digest, child_digest, edge_kind)",
-            "manifest_reachability(scan_id, ancestor_digest, descendant_digest, min_distance)"
+            "manifest_reachability(scan_id, ancestor_digest, descendant_digest, min_distance)",
+            "manifest_graphs(scan_id, digest, graph_id)"
         ];
         for (const spec of copySpecs) {
             const [tableName, columnList] = spec.split("(");

package/dist/db/_manifest-reachability.js

@@ -3,14 +3,19 @@ export function rebuildManifestReachability(database, scanId) {
     const manifestDigests = _loadManifestDigests(database, scanId);
     const childDigestsByParent = new Map();
     const parentDigestsByChild = new Map();
+    const neighborDigestsByDigest = new Map();
     for (const digest of manifestDigests) {
         childDigestsByParent.set(digest, new Set());
         parentDigestsByChild.set(digest, new Set());
+        neighborDigestsByDigest.set(digest, new Set());
     }
     for (const manifestEdge of _loadManifestEdges(database, scanId)) {
         childDigestsByParent.get(manifestEdge.parent_digest)?.add(manifestEdge.child_digest);
         parentDigestsByChild.get(manifestEdge.child_digest)?.add(manifestEdge.parent_digest);
+        neighborDigestsByDigest.get(manifestEdge.parent_digest)?.add(manifestEdge.child_digest);
+        neighborDigestsByDigest.get(manifestEdge.child_digest)?.add(manifestEdge.parent_digest);
     }
+    const graphIdsByDigest = _buildGraphIdsByDigest(manifestDigests, neighborDigestsByDigest);
     const remainingChildrenCount = new Map();
     const descendantDistancesByDigest = new Map();
     const readyDigests = [];
@@ -61,9 +66,19 @@ export function rebuildManifestReachability(database, scanId) {
       )
       VALUES(?, ?, ?, ?)
     `);
+    const insertGraphRow = database.prepare(`
+      INSERT OR REPLACE INTO manifest_graphs(
+        scan_id,
+        digest,
+        graph_id
+      )
+      VALUES(?, ?, ?)
+    `);
     const rebuild = database.transaction(() => {
         database.prepare("DELETE FROM manifest_reachability WHERE scan_id = ?").run(scanId);
+        database.prepare("DELETE FROM manifest_graphs WHERE scan_id = ?").run(scanId);
         for (const digest of manifestDigests) {
+            insertGraphRow.run(scanId, digest, graphIdsByDigest.get(digest));
             for (const [descendantDigest, distance] of descendantDistancesByDigest.get(digest) ?? []) {
                 insertRow.run(scanId, digest, descendantDigest, distance);
             }
@@ -71,6 +86,32 @@ export function rebuildManifestReachability(database, scanId) {
     });
     rebuild();
 }
+function _buildGraphIdsByDigest(manifestDigests, neighborDigestsByDigest) {
+    const graphIdsByDigest = new Map();
+    let nextGraphId = 1;
+    for (const rootDigest of manifestDigests) {
+        if (graphIdsByDigest.has(rootDigest)) {
+            continue;
+        }
+        const pendingDigests = [rootDigest];
+        graphIdsByDigest.set(rootDigest, nextGraphId);
+        while (pendingDigests.length > 0) {
+            const digest = pendingDigests.pop();
+            if (!digest) {
+                continue;
+            }
+            for (const neighborDigest of neighborDigestsByDigest.get(digest) ?? []) {
+                if (graphIdsByDigest.has(neighborDigest)) {
+                    continue;
+                }
+                graphIdsByDigest.set(neighborDigest, nextGraphId);
+                pendingDigests.push(neighborDigest);
+            }
+        }
+        nextGraphId += 1;
+    }
+    return graphIdsByDigest;
+}
 function _refreshDigestTagEdges(database, scanId) {
     database.prepare("DELETE FROM manifest_edges WHERE scan_id = ? AND edge_kind = 'digest-tag-referrer'").run(scanId);
     database
@@ -78,20 +119,18 @@ function _refreshDigestTagEdges(database, scanId) {
         INSERT OR IGNORE INTO manifest_edges(scan_id, parent_digest, child_digest, edge_kind)
         SELECT
           t.scan_id,
-          'sha256:' || SUBSTR(t.tag, 8, 64) AS parent_digest,
-          m.digest AS child_digest,
+          m.digest AS parent_digest,
+          'sha256:' || SUBSTR(t.tag, 8, 64) AS child_digest,
           'digest-tag-referrer' AS edge_kind
         FROM tags t
         JOIN manifests m
           ON m.scan_id = t.scan_id
          AND m.version_id = t.version_id
-        JOIN manifests parent_manifest
-          ON parent_manifest.scan_id = t.scan_id
-         AND parent_manifest.digest = 'sha256:' || SUBSTR(t.tag, 8, 64)
+        JOIN manifests child_manifest
+          ON child_manifest.scan_id = t.scan_id
+         AND child_manifest.digest = 'sha256:' || SUBSTR(t.tag, 8, 64)
         WHERE t.scan_id = ?
-          AND t.tag LIKE 'sha256-%'
-          AND LENGTH(t.tag) >= 71
-          AND SUBSTR(t.tag, 8, 64) NOT GLOB '*[^0-9A-Fa-f]*'
+          AND t.is_digest_tag = 1
       `)
         .run(scanId);
 }

package/dist/db/_scan-writer.js

@@ -1,7 +1,6 @@
 import { randomUUID } from "node:crypto";
 import { isDigestTag } from "../core/index.js";
 import { resolveGitHubActionsRunUrl } from "./_github-actions-run-url.js";
-import { refineManifestKinds } from "./_manifest-kind-refinement.js";
 import { rebuildManifestReachability } from "./_manifest-reachability.js";
 export class ScanWriter {
     #database;
@@ -63,9 +62,6 @@ export class ScanWriter {
         config_media_type,
         subject_digest,
         annotations_json,
-        platform_os,
-        platform_architecture,
-        platform_variant,
         manifest_kind
       )
       VALUES(
@@ -77,9 +73,6 @@ export class ScanWriter {
         @configMediaType,
         @subjectDigest,
         @annotationsJson,
-        @platformOs,
-        @platformArchitecture,
-        @platformVariant,
         @manifestKind
       )
     `);
@@ -152,9 +145,6 @@ export class ScanWriter {
             configMediaType: manifest.configMediaType ?? null,
             subjectDigest: manifest.subjectDigest ?? null,
             annotationsJson: manifest.annotations ? JSON.stringify(manifest.annotations) : null,
-            platformOs: manifest.platform?.os ?? null,
-            platformArchitecture: manifest.platform?.architecture ?? null,
-            platformVariant: manifest.platform?.variant ?? null,
             manifestKind: manifest.manifestKind ?? null
         });
     }
@@ -180,9 +170,7 @@ export class ScanWriter {
         });
     }
     rebuildManifestReachability() {
-        const scanId = this.#requireScanId();
-        rebuildManifestReachability(this.#database, scanId);
-        refineManifestKinds(this.#database, scanId);
+        rebuildManifestReachability(this.#database, this.#requireScanId());
     }
     getActiveScanId() {
         return this.#requireScanId();

package/dist/db/planner/_planner-direct-target-root-options.d.ts

@@ -0,0 +1,11 @@
+export interface DirectTargetRootOptions {
+    deleteTags: string[];
+    deleteTagsRequested: boolean;
+    deleteOrphanedImages?: boolean;
+    excludeTags: string[];
+    deleteUntagged: boolean;
+    keepNTagged?: number;
+    keepNUntagged?: number;
+    useRegex?: boolean;
+    cutoffTimestamp?: string;
+}

package/dist/db/planner/_planner-direct-target-root-options.js

@@ -0,0 +1 @@
+export {};

package/dist/db/planner/_planner-direct-target-root-tag-filters.d.ts

@@ -0,0 +1,9 @@
+import type { DirectTargetRootOptions } from "./_planner-direct-target-root-options.js";
+import type { PlannerSql } from "./_planner-sql.js";
+export interface DirectTargetRootTagFilters {
+    selectedTagsSql: string;
+    selectedParams: Array<number | string>;
+    excludedVersionsSql: string;
+    excludedParams: Array<number | string>;
+}
+export declare function buildDirectTargetRootTagFilters(sql: PlannerSql, scanId: number, options: DirectTargetRootOptions): DirectTargetRootTagFilters;