preship 1.0.5 → 2.0.2

package/dist/cli.js

@@ -29,6 +29,8 @@ var import_commander = require("commander");
 var path = __toESM(require("path"));
 var import_core = require("@preship/core");
 var import_license = require("@preship/license");
+var import_security = require("@preship/security");
+var import_secrets = require("@preship/secrets");
 async function scan(options) {
   const startTime = Date.now();
   const projectPath = path.resolve(options?.projectPath ?? process.cwd());
@@ -84,6 +86,121 @@ async function scan(options) {
     scanDurationMs
   };
 }
+async function unifiedScan(options) {
+  const startTime = Date.now();
+  const projectPath = path.resolve(options?.projectPath ?? process.cwd());
+  let config = (0, import_core.loadConfig)(projectPath);
+  if (options?.config) {
+    config = {
+      ...config,
+      ...options.config,
+      modules: { ...config.modules, ...options.config.modules },
+      security: { ...config.security, ...options.config.security },
+      secrets: { ...config.secrets, ...options.config.secrets }
+    };
+  }
+  const modules = {
+    license: config.modules?.license ?? true,
+    security: config.modules?.security ?? true,
+    secrets: config.modules?.secrets ?? true
+  };
+  if (!modules.license && !modules.security && !modules.secrets) {
+    console.warn("\u26A0\uFE0F  No scan modules enabled. Use --no-license, --no-security, --no-secrets to selectively disable.");
+  }
+  const mode = config.mode ?? "auto";
+  const policy = config.policy ?? "commercial-safe";
+  const projects = (0, import_core.detectProjects)(projectPath);
+  const project = projects[0];
+  const packageJsonPath = path.join(project.path, "package.json");
+  let parsedDeps;
+  switch (project.type) {
+    case "npm":
+      parsedDeps = (0, import_core.parseNpmLockfile)(project.lockFile, packageJsonPath);
+      break;
+    case "yarn":
+      parsedDeps = (0, import_core.parseYarnLockfile)(project.lockFile, packageJsonPath);
+      break;
+    case "pnpm":
+      parsedDeps = (0, import_core.parsePnpmLockfile)(project.lockFile, packageJsonPath);
+      break;
+    default:
+      throw new Error(`Unsupported project type: ${project.type}`);
+  }
+  if (!config.scanDevDependencies) {
+    parsedDeps = parsedDeps.filter((dep) => !dep.isDevDependency);
+  }
+  let licenseResult;
+  let securityResult;
+  let secretsResult;
+  const promises = [];
+  if (modules.license) {
+    promises.push(
+      (async () => {
+        const licenseStart = Date.now();
+        const dependencies = await (0, import_license.resolveLicenses)(parsedDeps, projectPath, {
+          mode,
+          networkTimeout: config.networkTimeout ?? 5e3,
+          networkConcurrency: config.networkConcurrency ?? 10,
+          cache: config.cache ?? true,
+          cacheTTL: config.cacheTTL ?? 604800,
+          scanTimeout: config.scanTimeout ?? 6e4
+        });
+        const results = (0, import_license.evaluatePolicy)(dependencies, config);
+        const allowed = results.filter((r) => r.verdict === "allowed");
+        const warned = results.filter((r) => r.verdict === "warned");
+        const rejected = results.filter((r) => r.verdict === "rejected");
+        const unknown = results.filter((r) => r.verdict === "unknown");
+        licenseResult = {
+          projectPath,
+          projectType: project.type,
+          framework: project.framework,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          totalPackages: dependencies.length,
+          allowed,
+          warned,
+          rejected,
+          unknown,
+          passed: rejected.length === 0,
+          scanDurationMs: Date.now() - licenseStart
+        };
+      })()
+    );
+  }
+  if (modules.security) {
+    promises.push(
+      (async () => {
+        const securityConfig = (0, import_security.mergeSecurityConfig)(config.security);
+        securityResult = await (0, import_security.scanSecurity)(parsedDeps, projectPath, securityConfig, mode);
+      })()
+    );
+  }
+  if (modules.secrets) {
+    promises.push(
+      (async () => {
+        secretsResult = await (0, import_secrets.scanSecrets)(projectPath, config.secrets);
+      })()
+    );
+  }
+  await Promise.all(promises);
+  const allPassed = (licenseResult?.passed ?? true) && (securityResult?.passed ?? true) && (secretsResult?.passed ?? true);
+  const totalScanDurationMs = Date.now() - startTime;
+  return {
+    version: "2.0.0",
+    projectPath,
+    projectType: project.type,
+    framework: project.framework,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    passed: allPassed,
+    mode,
+    policy,
+    modules: {
+      license: licenseResult,
+      security: securityResult,
+      secrets: secretsResult
+    },
+    totalScanDurationMs
+  };
+}
 
 // src/output/terminal.ts
 var import_chalk = __toESM(require("chalk"));
@@ -95,9 +212,9 @@ function formatTerminalScan(result, warnOnly = false) {
   }
   lines.push("");
   lines.push(import_chalk.default.bold("\u{1F50D} PreShip: Scanning project..."));
-  lines.push(`   Project: ${import_chalk.default.cyan(getProjectName(result))}${result.framework ? ` (${result.framework})` : ""}`);
-  lines.push(`   Lock file: ${import_chalk.default.cyan(getLockFileName(result))} (${result.projectType})`);
-  lines.push(`   Policy: ${import_chalk.default.cyan(getPolicyName(result))}`);
+  lines.push(`   Project: ${import_chalk.default.cyan(getProjectName(result.projectPath))}${result.framework ? ` (${result.framework})` : ""}`);
+  lines.push(`   Lock file: ${import_chalk.default.cyan(getLockFileName(result.projectType))} (${result.projectType})`);
+  lines.push(`   Policy: ${import_chalk.default.cyan(getPolicyName())}`);
   lines.push("");
   lines.push(`\u{1F4E6} Scanned ${import_chalk.default.bold(String(result.totalPackages))} packages in ${(result.scanDurationMs / 1e3).toFixed(1)}s`);
   lines.push("");
@@ -146,7 +263,7 @@ function formatTerminalList(result) {
   const allResults = [...result.allowed, ...result.warned, ...result.rejected, ...result.unknown];
   allResults.sort((a, b) => a.dependency.name.localeCompare(b.dependency.name));
   lines.push("");
-  lines.push(`\u{1F4E6} ${result.totalPackages} packages in ${getProjectName(result)}`);
+  lines.push(`\u{1F4E6} ${result.totalPackages} packages in ${getProjectName(result.projectPath)}`);
   lines.push("");
   const table = new import_cli_table3.default({
     head: ["Package", "Version", "License", "Source", "Status"],
@@ -181,6 +298,135 @@ function formatTerminalList(result) {
   lines.push("");
   return lines.join("\n");
 }
+function formatTerminalUnified(result, warnOnly = false) {
+  const lines = [];
+  if (warnOnly) {
+    return formatWarnOnlyUnified(result);
+  }
+  lines.push("");
+  lines.push(import_chalk.default.bold("\u{1F50D} PreShip: Pre-ship verification"));
+  lines.push(`   Project: ${import_chalk.default.cyan(getProjectName(result.projectPath))}${result.framework ? ` (${result.framework})` : ""}`);
+  lines.push(`   Lock file: ${import_chalk.default.cyan(getLockFileName(result.projectType))} (${result.projectType})`);
+  lines.push(`   Policy: ${import_chalk.default.cyan(result.policy)}`);
+  lines.push(`   Mode: ${import_chalk.default.cyan(result.mode)}`);
+  const enabledModules = [];
+  if (result.modules.license) enabledModules.push("license");
+  if (result.modules.security) enabledModules.push("security");
+  if (result.modules.secrets) enabledModules.push("secrets");
+  if (enabledModules.length === 0) {
+    lines.push(`   Modules: ${import_chalk.default.yellow("none (all disabled)")}`);
+    lines.push("");
+    lines.push(import_chalk.default.yellow("\u26A0\uFE0F  No scan modules are enabled. Nothing to check."));
+    lines.push(import_chalk.default.dim("   Enable modules in preship-config.yml or remove --no-* flags."));
+    lines.push("");
+    lines.push("\u2501".repeat(60));
+    lines.push(import_chalk.default.yellow.bold("\u26A0\uFE0F  RESULT: No modules enabled \u2014 scan skipped"));
+    lines.push("");
+    return lines.join("\n");
+  }
+  lines.push(`   Modules: ${import_chalk.default.cyan(enabledModules.join(", "))}`);
+  lines.push("");
+  if (result.modules.license) {
+    const license = result.modules.license;
+    lines.push(import_chalk.default.bold.underline("\u{1F4DC} License Compliance"));
+    lines.push(`   Scanned ${import_chalk.default.bold(String(license.totalPackages))} packages in ${(license.scanDurationMs / 1e3).toFixed(1)}s`);
+    lines.push("");
+    if (license.rejected.length === 0 && license.warned.length === 0 && license.unknown.length === 0) {
+      lines.push(import_chalk.default.green(`   \u2705 All ${license.totalPackages} packages passed license check`));
+    } else {
+      if (license.allowed.length > 0) {
+        lines.push(import_chalk.default.green(`   \u2705 ${license.allowed.length} packages \u2014 Allowed`));
+      }
+      if (license.warned.length > 0) {
+        lines.push(import_chalk.default.yellow(`   \u26A0\uFE0F  ${license.warned.length} package${license.warned.length > 1 ? "s" : ""} \u2014 Warning (weak copyleft)`));
+        formatPolicyResultsIndented(license.warned, lines, import_chalk.default.yellow);
+      }
+      if (license.rejected.length > 0) {
+        lines.push(import_chalk.default.red(`   \u274C ${license.rejected.length} package${license.rejected.length > 1 ? "s" : ""} \u2014 Rejected`));
+        formatPolicyResultsIndented(license.rejected, lines, import_chalk.default.red);
+      }
+      if (license.unknown.length > 0) {
+        lines.push(import_chalk.default.yellow(`   \u26A0\uFE0F  ${license.unknown.length} package${license.unknown.length > 1 ? "s" : ""} \u2014 Unknown License`));
+        formatPolicyResultsIndented(license.unknown, lines, import_chalk.default.yellow);
+      }
+    }
+    lines.push("");
+  }
+  if (result.modules.security) {
+    const security = result.modules.security;
+    lines.push(import_chalk.default.bold.underline("\u{1F6E1}\uFE0F  Security Vulnerabilities"));
+    lines.push(`   Scanned ${import_chalk.default.bold(String(security.totalPackages))} packages in ${(security.scanDurationMs / 1e3).toFixed(1)}s`);
+    lines.push("");
+    if (security.findings.length === 0) {
+      lines.push(import_chalk.default.green("   \u2705 No security issues found"));
+    } else {
+      const statParts = [];
+      if (security.stats.critical > 0) statParts.push(import_chalk.default.red(`${security.stats.critical} critical`));
+      if (security.stats.high > 0) statParts.push(import_chalk.default.red(`${security.stats.high} high`));
+      if (security.stats.medium > 0) statParts.push(import_chalk.default.yellow(`${security.stats.medium} medium`));
+      if (security.stats.low > 0) statParts.push(import_chalk.default.dim(`${security.stats.low} low`));
+      if (security.stats.deprecated > 0) statParts.push(import_chalk.default.yellow(`${security.stats.deprecated} deprecated`));
+      if (security.stats.outdated > 0) statParts.push(import_chalk.default.yellow(`${security.stats.outdated} outdated`));
+      if (security.stats.unmaintained > 0) statParts.push(import_chalk.default.yellow(`${security.stats.unmaintained} unmaintained`));
+      lines.push(`   ${statParts.join(" \u2502 ")}`);
+      lines.push("");
+      const vulnFindings = security.findings.filter((f) => f.type === "vulnerability");
+      const healthFindings = security.findings.filter((f) => f.type !== "vulnerability");
+      if (vulnFindings.length > 0) {
+        formatSecurityFindings(vulnFindings, lines, "Vulnerabilities");
+      }
+      if (healthFindings.length > 0) {
+        formatSecurityFindings(healthFindings, lines, "Health Issues");
+      }
+    }
+    lines.push("");
+  }
+  if (result.modules.secrets) {
+    const secrets = result.modules.secrets;
+    lines.push(import_chalk.default.bold.underline("\u{1F511} Secret Detection"));
+    lines.push(`   Scanned ${import_chalk.default.bold(String(secrets.filesScanned))} files in ${(secrets.scanDurationMs / 1e3).toFixed(1)}s`);
+    lines.push("");
+    if (secrets.findings.length === 0) {
+      lines.push(import_chalk.default.green("   \u2705 No leaked secrets found"));
+    } else {
+      const statParts = [];
+      if (secrets.stats.critical > 0) statParts.push(import_chalk.default.red(`${secrets.stats.critical} critical`));
+      if (secrets.stats.high > 0) statParts.push(import_chalk.default.red(`${secrets.stats.high} high`));
+      if (secrets.stats.medium > 0) statParts.push(import_chalk.default.yellow(`${secrets.stats.medium} medium`));
+      if (secrets.stats.low > 0) statParts.push(import_chalk.default.dim(`${secrets.stats.low} low`));
+      lines.push(`   ${statParts.join(" \u2502 ")}`);
+      lines.push("");
+      formatSecretFindings(secrets.findings, lines);
+    }
+    lines.push("");
+  }
+  lines.push("\u2501".repeat(60));
+  if (result.passed) {
+    lines.push(import_chalk.default.green.bold(`\u2705 RESULT: All checks passed (${(result.totalScanDurationMs / 1e3).toFixed(1)}s)`));
+  } else {
+    const failedModules = [];
+    if (result.modules.license && !result.modules.license.passed) failedModules.push("license");
+    if (result.modules.security && !result.modules.security.passed) failedModules.push("security");
+    if (result.modules.secrets && !result.modules.secrets.passed) failedModules.push("secrets");
+    lines.push(import_chalk.default.red.bold(`\u274C RESULT: Failed \u2014 ${failedModules.join(", ")} check${failedModules.length > 1 ? "s" : ""} did not pass`));
+    lines.push("");
+    lines.push(import_chalk.default.dim("\u{1F4A1} To fix:"));
+    if (result.modules.license && !result.modules.license.passed) {
+      lines.push(import_chalk.default.dim("   \u2022 Remove or replace rejected packages"));
+      lines.push(import_chalk.default.dim('   \u2022 Or add exceptions: preship allow <package> --reason "justification"'));
+    }
+    if (result.modules.security && !result.modules.security.passed) {
+      lines.push(import_chalk.default.dim("   \u2022 Update packages with known vulnerabilities"));
+      lines.push(import_chalk.default.dim("   \u2022 Replace deprecated or unmaintained packages"));
+    }
+    if (result.modules.secrets && !result.modules.secrets.passed) {
+      lines.push(import_chalk.default.dim("   \u2022 Remove leaked secrets from source code"));
+      lines.push(import_chalk.default.dim("   \u2022 Use environment variables or secret managers instead"));
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
 function formatWarnOnly(result) {
   const lines = [];
   lines.push("\u{1F4E6} PreShip: Quick license check...");
@@ -197,6 +443,39 @@ function formatWarnOnly(result) {
   }
   return lines.join("\n");
 }
+function formatWarnOnlyUnified(result) {
+  const lines = [];
+  lines.push("\u{1F4E6} PreShip: Quick check...");
+  lines.push("");
+  let issueCount = 0;
+  if (result.modules.license) {
+    for (const r of [...result.modules.license.rejected, ...result.modules.license.warned]) {
+      lines.push(`\u26A0\uFE0F  [license] ${r.dependency.name}@${r.dependency.version} \u2014 ${r.dependency.license} (${r.reason})`);
+      issueCount++;
+    }
+  }
+  if (result.modules.security) {
+    for (const f of result.modules.security.findings) {
+      const icon = f.severity === "critical" || f.severity === "high" ? "\u274C" : "\u26A0\uFE0F";
+      lines.push(`${icon}  [security] ${f.package}@${f.version} \u2014 ${f.message}`);
+      issueCount++;
+    }
+  }
+  if (result.modules.secrets) {
+    for (const f of result.modules.secrets.findings) {
+      const icon = f.severity === "critical" || f.severity === "high" ? "\u274C" : "\u26A0\uFE0F";
+      lines.push(`${icon}  [secrets] ${f.file}:${f.line} \u2014 ${f.description} (${f.match})`);
+      issueCount++;
+    }
+  }
+  if (issueCount === 0) {
+    lines.push(`\u2705 All checks passed. Run 'preship scan' for full report.`);
+  } else {
+    lines.push("");
+    lines.push(`${issueCount} issue${issueCount > 1 ? "s" : ""} found. Run 'preship scan' for full report.`);
+  }
+  return lines.join("\n");
+}
 function formatPolicyResults(results, lines, colorFn) {
   for (let i = 0; i < results.length; i++) {
     const r = results[i];
@@ -207,6 +486,109 @@ function formatPolicyResults(results, lines, colorFn) {
     lines.push(import_chalk.default.dim(`${reasonPrefix}Reason: ${getShortReason(r)}`));
   }
 }
+function formatPolicyResultsIndented(results, lines, colorFn) {
+  for (let i = 0; i < results.length; i++) {
+    const r = results[i];
+    const isLast = i === results.length - 1;
+    const prefix = isLast ? "      \u2514\u2500\u2500 " : "      \u251C\u2500\u2500 ";
+    const reasonPrefix = isLast ? "          " : "      \u2502   ";
+    lines.push(colorFn(`${prefix}${r.dependency.name}@${r.dependency.version} \u2014 ${r.dependency.license}`));
+    lines.push(import_chalk.default.dim(`${reasonPrefix}Reason: ${getShortReason(r)}`));
+  }
+}
+function formatSecurityFindings(findings, lines, heading) {
+  const MAX_FINDINGS = 15;
+  const sorted = [...findings].sort((a, b) => severityRank(a.severity) - severityRank(b.severity));
+  lines.push(import_chalk.default.dim(`   ${heading}:`));
+  const showCount = Math.min(sorted.length, MAX_FINDINGS);
+  for (let i = 0; i < showCount; i++) {
+    const f = sorted[i];
+    const isLast = i === showCount - 1 && sorted.length <= MAX_FINDINGS;
+    const prefix = isLast ? "      \u2514\u2500\u2500 " : "      \u251C\u2500\u2500 ";
+    const severityColor = getSeverityColor(f.severity);
+    const severityBadge = severityColor(`[${f.severity.toUpperCase()}]`);
+    lines.push(`${prefix}${severityBadge} ${f.package}@${f.version}`);
+    lines.push(import_chalk.default.dim(`${isLast ? "          " : "      \u2502   "}${f.message}`));
+  }
+  if (sorted.length > MAX_FINDINGS) {
+    const remaining = sorted.length - MAX_FINDINGS;
+    lines.push(import_chalk.default.dim(`      \u2514\u2500\u2500 ... and ${remaining} more ${heading.toLowerCase()}`));
+    lines.push(import_chalk.default.dim("          Run with --format json for full details"));
+  }
+}
+function formatSecretFindings(findings, lines) {
+  const MAX_FINDINGS_PER_FILE = 5;
+  const MAX_FILES = 10;
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const existing = byFile.get(f.file) || [];
+    existing.push(f);
+    byFile.set(f.file, existing);
+  }
+  const sortedFiles = [...byFile.entries()].sort((a, b) => {
+    const aSeverity = Math.min(...a[1].map((f) => severityRank(f.severity)));
+    const bSeverity = Math.min(...b[1].map((f) => severityRank(f.severity)));
+    return aSeverity - bSeverity;
+  });
+  let filesShown = 0;
+  let totalHidden = 0;
+  for (const [file, fileFindings] of sortedFiles) {
+    if (filesShown >= MAX_FILES) {
+      totalHidden += fileFindings.length;
+      continue;
+    }
+    filesShown++;
+    lines.push(import_chalk.default.dim(`   ${file}:`));
+    const showCount = Math.min(fileFindings.length, MAX_FINDINGS_PER_FILE);
+    for (let i = 0; i < showCount; i++) {
+      const f = fileFindings[i];
+      const isLast = i === showCount - 1 && fileFindings.length <= MAX_FINDINGS_PER_FILE;
+      const prefix = isLast ? "      \u2514\u2500\u2500 " : "      \u251C\u2500\u2500 ";
+      const severityColor = getSeverityColor(f.severity);
+      const severityBadge = severityColor(`[${f.severity.toUpperCase()}]`);
+      lines.push(`${prefix}${severityBadge} Line ${f.line}: ${f.description}`);
+      lines.push(import_chalk.default.dim(`${isLast ? "          " : "      \u2502   "}Match: ${f.match}`));
+    }
+    if (fileFindings.length > MAX_FINDINGS_PER_FILE) {
+      const remaining = fileFindings.length - MAX_FINDINGS_PER_FILE;
+      lines.push(import_chalk.default.dim(`      \u2514\u2500\u2500 ... and ${remaining} more finding${remaining > 1 ? "s" : ""} in this file`));
+    }
+  }
+  if (totalHidden > 0) {
+    const hiddenFiles = sortedFiles.length - MAX_FILES;
+    lines.push("");
+    lines.push(import_chalk.default.dim(`   ... and ${totalHidden} more finding${totalHidden > 1 ? "s" : ""} in ${hiddenFiles} more file${hiddenFiles > 1 ? "s" : ""}`));
+    lines.push(import_chalk.default.dim("   Run with --format json for full details"));
+  }
+}
+function severityRank(severity) {
+  switch (severity) {
+    case "critical":
+      return 0;
+    case "high":
+      return 1;
+    case "medium":
+      return 2;
+    case "low":
+      return 3;
+    default:
+      return 4;
+  }
+}
+function getSeverityColor(severity) {
+  switch (severity) {
+    case "critical":
+      return import_chalk.default.red.bold;
+    case "high":
+      return import_chalk.default.red;
+    case "medium":
+      return import_chalk.default.yellow;
+    case "low":
+      return import_chalk.default.dim;
+    default:
+      return import_chalk.default.white;
+  }
+}
 function getShortReason(r) {
   if (r.dependency.license === "UNKNOWN") return "unable to detect license";
   if (r.verdict === "rejected") return "strong copyleft \u2014 requires source disclosure";
@@ -249,12 +631,12 @@ function getSourceLabel(source) {
       return "\u2014";
   }
 }
-function getProjectName(result) {
-  const parts = result.projectPath.split("/");
+function getProjectName(projectPath) {
+  const parts = projectPath.split("/");
   return parts[parts.length - 1] || "project";
 }
-function getLockFileName(result) {
-  switch (result.projectType) {
+function getLockFileName(projectType) {
+  switch (projectType) {
     case "npm":
       return "package-lock.json";
     case "yarn":
@@ -265,7 +647,7 @@ function getLockFileName(result) {
       return "unknown";
   }
 }
-function getPolicyName(_result) {
+function getPolicyName() {
   return "commercial-safe";
 }
 
@@ -287,6 +669,9 @@ function formatJsonList(result) {
   }));
   return JSON.stringify({ totalPackages: result.totalPackages, dependencies: deps }, null, 2);
 }
+function formatJsonUnified(result) {
+  return JSON.stringify(result, null, 2);
+}
 
 // src/output/csv.ts
 function formatCsvScan(result) {
@@ -310,6 +695,72 @@ function formatCsvScan(result) {
 function formatCsvList(result) {
   return formatCsvScan(result);
 }
+function formatCsvUnified(result) {
+  const sections = [];
+  if (!result.modules.license && !result.modules.security && !result.modules.secrets) {
+    return "# No modules enabled \u2014 scan skipped";
+  }
+  if (result.modules.license) {
+    const lines = [];
+    lines.push("# License Compliance");
+    lines.push("Module,Package,Version,License,Source,Verdict,Reason,IsDirect,IsDevDependency");
+    const allResults = [
+      ...result.modules.license.allowed,
+      ...result.modules.license.warned,
+      ...result.modules.license.rejected,
+      ...result.modules.license.unknown
+    ];
+    for (const r of allResults) {
+      lines.push([
+        "license",
+        escapeCsv(r.dependency.name),
+        escapeCsv(r.dependency.version),
+        escapeCsv(r.dependency.license),
+        escapeCsv(r.dependency.licenseSource),
+        escapeCsv(r.verdict),
+        escapeCsv(r.reason),
+        String(r.dependency.isDirect),
+        String(r.dependency.isDevDependency)
+      ].join(","));
+    }
+    sections.push(lines.join("\n"));
+  }
+  if (result.modules.security) {
+    const lines = [];
+    lines.push("# Security Findings");
+    lines.push("Module,Package,Version,Type,Severity,Message");
+    for (const f of result.modules.security.findings) {
+      lines.push([
+        "security",
+        escapeCsv(f.package),
+        escapeCsv(f.version),
+        escapeCsv(f.type),
+        escapeCsv(f.severity),
+        escapeCsv(f.message)
+      ].join(","));
+    }
+    sections.push(lines.join("\n"));
+  }
+  if (result.modules.secrets) {
+    const lines = [];
+    lines.push("# Secret Detection Findings");
+    lines.push("Module,File,Line,Column,RuleId,Severity,Description,Match");
+    for (const f of result.modules.secrets.findings) {
+      lines.push([
+        "secrets",
+        escapeCsv(f.file),
+        String(f.line),
+        String(f.column),
+        escapeCsv(f.ruleId),
+        escapeCsv(f.severity),
+        escapeCsv(f.description),
+        escapeCsv(f.match)
+      ].join(","));
+    }
+    sections.push(lines.join("\n"));
+  }
+  return sections.join("\n\n");
+}
 function escapeCsv(value) {
   if (value.includes(",") || value.includes('"') || value.includes("\n")) {
     return `"${value.replace(/"/g, '""')}"`;
@@ -319,9 +770,47 @@ function escapeCsv(value) {
 
 // src/commands/scan.ts
 function registerScanCommand(program2) {
-  program2.command("scan").description("Scan the current project for license violations").option("--format <type>", "Output format: table, json, csv", "table").option("--strict", "Exit code 1 on warnings too (not just rejections)").option("--dev", "Include devDependencies in scan").option("--project <path>", "Path to project root", process.cwd()).option("--config <path>", "Path to config file").option("--warn-only", "Never exit with error (for postinstall hook usage)").option("--silent", "No output, only exit code").option("--mode <type>", "Resolution mode: auto (online+local fallback), online (registry only), local (offline only)", "auto").option("--no-cache", "Disable license cache (.preship-cache.json)").option("--cache-ttl <seconds>", "Cache TTL in seconds (default: 604800 = 7 days)", parseInt).option("--scan-timeout <ms>", "Total scan timeout in milliseconds (default: 60000, 0 = disabled)", parseInt).action(async (options) => {
+  program2.command("scan").description("Scan the current project for license, security, and secret issues").option("--format <type>", "Output format: table, json, csv", "table").option("--strict", "Exit code 1 on warnings too (not just rejections)").option("--dev", "Include devDependencies in scan").option("--project <path>", "Path to project root", process.cwd()).option("--config <path>", "Path to config file").option("--warn-only", "Never exit with error (for postinstall hook usage)").option("--silent", "No output, only exit code").option("--mode <type>", "Resolution mode: auto (online+local fallback), online (registry only), local (offline only)", "auto").option("--no-cache", "Disable license cache (.preship-cache.json)").option("--cache-ttl <seconds>", "Cache TTL in seconds (default: 604800 = 7 days)", parseInt).option("--scan-timeout <ms>", "Total scan timeout in milliseconds (default: 60000, 0 = disabled)", parseInt).option("--license-only", "Run license scan only (legacy mode)").option("--no-license", "Disable license scanning").option("--no-security", "Disable security vulnerability scanning").option("--no-secrets", "Disable secret detection scanning").option("--security-severity <level>", "Security policy level: default, strict, lenient").option("--security-fail-on <severity>", "Minimum severity to fail: critical, high, medium, low").option("--no-outdated", "Disable outdated package checks").option("--no-deprecated", "Disable deprecated package checks").option("--no-unmaintained", "Disable unmaintained package checks").action(async (options) => {
     try {
-      const result = await scan({
+      if (options.licenseOnly) {
+        const result2 = await scan({
+          projectPath: options.project,
+          config: {
+            scanDevDependencies: options.dev || void 0,
+            output: options.format !== "table" ? options.format : void 0,
+            mode: options.mode !== "auto" ? options.mode : void 0,
+            cache: options.cache !== void 0 ? options.cache : void 0,
+            cacheTTL: options.cacheTtl !== void 0 ? options.cacheTtl : void 0,
+            scanTimeout: options.scanTimeout !== void 0 ? options.scanTimeout : void 0
+          }
+        });
+        if (!options.silent) {
+          switch (options.format) {
+            case "json":
+              console.log(formatJsonScan(result2));
+              break;
+            case "csv":
+              console.log(formatCsvScan(result2));
+              break;
+            default:
+              console.log(formatTerminalScan(result2, options.warnOnly));
+              break;
+          }
+        }
+        if (options.warnOnly) {
+          process.exit(0);
+          return;
+        }
+        if (result2.rejected.length > 0) {
+          process.exit(1);
+        } else if (options.strict && result2.warned.length > 0) {
+          process.exit(1);
+        } else {
+          process.exit(0);
+        }
+        return;
+      }
+      const result = await unifiedScan({
         projectPath: options.project,
         config: {
           scanDevDependencies: options.dev || void 0,
@@ -329,19 +818,33 @@ function registerScanCommand(program2) {
           mode: options.mode !== "auto" ? options.mode : void 0,
           cache: options.cache !== void 0 ? options.cache : void 0,
           cacheTTL: options.cacheTtl !== void 0 ? options.cacheTtl : void 0,
-          scanTimeout: options.scanTimeout !== void 0 ? options.scanTimeout : void 0
+          scanTimeout: options.scanTimeout !== void 0 ? options.scanTimeout : void 0,
+          // Module toggles from CLI flags
+          modules: {
+            license: options.license !== void 0 ? options.license : void 0,
+            security: options.security !== void 0 ? options.security : void 0,
+            secrets: options.secrets !== void 0 ? options.secrets : void 0
+          },
+          // Security config from CLI flags
+          security: {
+            severity: options.securitySeverity || void 0,
+            failOn: options.securityFailOn || void 0,
+            checkOutdated: options.outdated !== void 0 ? options.outdated : void 0,
+            checkDeprecated: options.deprecated !== void 0 ? options.deprecated : void 0,
+            checkUnmaintained: options.unmaintained !== void 0 ? options.unmaintained : void 0
+          }
         }
       });
       if (!options.silent) {
         switch (options.format) {
           case "json":
-            console.log(formatJsonScan(result));
+            console.log(formatJsonUnified(result));
             break;
           case "csv":
-            console.log(formatCsvScan(result));
+            console.log(formatCsvUnified(result));
             break;
           default:
-            console.log(formatTerminalScan(result, options.warnOnly));
+            console.log(formatTerminalUnified(result, options.warnOnly));
             break;
         }
       }
@@ -349,10 +852,17 @@ function registerScanCommand(program2) {
         process.exit(0);
         return;
       }
-      if (result.rejected.length > 0) {
-        process.exit(1);
-      } else if (options.strict && result.warned.length > 0) {
+      if (!result.passed) {
         process.exit(1);
+      } else if (options.strict) {
+        const hasLicenseWarnings = (result.modules.license?.warned?.length ?? 0) > 0;
+        const hasSecurityFindings = (result.modules.security?.findings?.length ?? 0) > 0;
+        const hasSecretFindings = (result.modules.secrets?.findings?.length ?? 0) > 0;
+        if (hasLicenseWarnings || hasSecurityFindings || hasSecretFindings) {
+          process.exit(1);
+        } else {
+          process.exit(0);
+        }
       } else {
         process.exit(0);
       }
@@ -370,7 +880,7 @@ function registerScanCommand(program2) {
 var fs = __toESM(require("fs"));
 var path2 = __toESM(require("path"));
 function registerInitCommand(program2) {
-  program2.command("init").description("Set up PreShip in the current project").option("--policy <name>", "Policy template: commercial-safe, strict, permissive-only", "commercial-safe").option("--skip-hooks", "Don't add npm lifecycle hooks to package.json").action((options) => {
+  program2.command("init").description("Set up PreShip in the current project").option("--policy <name>", "Policy template: commercial-safe, saas-safe, distribution-safe, strict, permissive-only", "commercial-safe").option("--skip-hooks", "Don't add npm lifecycle hooks to package.json").action((options) => {
     try {
       const projectPath = process.cwd();
       const configContent = generateConfigContent(options.policy);
@@ -407,7 +917,7 @@ function registerInitCommand(program2) {
   });
 }
 function generateConfigContent(policy) {
-  return `# PreShip License Compliance Configuration
+  return `# PreShip Configuration
 # Docs: https://github.com/dipen-code/preship
 #
 # Policy: ${policy}
@@ -415,6 +925,14 @@ ${getPolicyDescription(policy)}
 
 policy: ${policy}
 
+# ===== Module Toggles =====
+# Enable or disable individual scan modules (all enabled by default)
+# modules:
+#   license: true
+#   security: true
+#   secrets: true
+
+# ===== License Compliance =====
 # Scan devDependencies too? (default: false)
 # scanDevDependencies: false
 
@@ -435,12 +953,32 @@ policy: ${policy}
 #     reason: "Used internally only, not distributed"
 #     approvedBy: your-name
 #     date: ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}
+
+# ===== Security Scanning =====
+# security:
+#   severity: default        # Policy level: default, strict, lenient
+#   failOn: high             # Minimum severity to fail: critical, high, medium, low
+#   checkOutdated: true      # Flag outdated packages
+#   checkDeprecated: true    # Flag deprecated packages
+#   checkUnmaintained: true  # Flag unmaintained packages
+#   outdatedMajorThreshold: 5  # Major versions behind to flag (direct deps only)
+#   unmaintainedYears: 4       # Years without publish to flag
+
+# ===== Secret Detection =====
+# secrets:
+#   scanPaths: []            # Paths to scan (default: entire project)
+#   allowPaths: []           # Paths to skip (e.g., test fixtures)
+#   allowRules: []           # Disable specific rules (e.g., generic-password)
 `;
 }
 function getPolicyDescription(policy) {
   switch (policy) {
     case "commercial-safe":
       return "# Rejects strong copyleft licenses (GPL, AGPL, EUPL)\n# Warns on weak copyleft (LGPL, MPL)\n# Allows permissive licenses (MIT, Apache-2.0, BSD, ISC)";
+    case "saas-safe":
+      return "# Safe for SaaS applications\n# Rejects strong copyleft and network-trigger licenses (AGPL, SSPL)\n# Warns on weak copyleft (LGPL, MPL)";
+    case "distribution-safe":
+      return "# Safe for distributed software (binaries, desktop apps)\n# Rejects ALL copyleft licenses that pose risk when distributing\n# Only allows permissive + MPL-2.0 (file-level copyleft)";
     case "strict":
       return "# Rejects all copyleft licenses including weak copyleft\n# Only allows permissive licenses";
     case "permissive-only":
@@ -452,31 +990,64 @@ function getPolicyDescription(policy) {
 
 // src/commands/list.ts
 function registerListCommand(program2) {
-  program2.command("list").description("List all dependencies with their licenses").option("--format <type>", "Output format: table, json, csv", "table").option("--dev", "Include devDependencies").option("--filter <license>", "Filter by license (e.g., --filter GPL-3.0)").option("--project <path>", "Path to project root", process.cwd()).action(async (options) => {
+  program2.command("list").description("List all dependencies with their licenses, vulnerabilities, and secrets").option("--format <type>", "Output format: table, json, csv", "table").option("--dev", "Include devDependencies").option("--filter <license>", "Filter by license (e.g., --filter GPL-3.0)").option("--project <path>", "Path to project root", process.cwd()).option("--license-only", "Show license information only (legacy mode)").option("--no-license", "Disable license module").option("--no-security", "Disable security module").option("--no-secrets", "Disable secrets module").action(async (options) => {
     try {
-      const result = await scan({
+      if (options.licenseOnly) {
+        const result2 = await scan({
+          projectPath: options.project,
+          config: {
+            scanDevDependencies: options.dev || void 0
+          }
+        });
+        if (options.filter) {
+          const filter = options.filter.toUpperCase();
+          result2.allowed = result2.allowed.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+          result2.warned = result2.warned.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+          result2.rejected = result2.rejected.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+          result2.unknown = result2.unknown.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+          result2.totalPackages = result2.allowed.length + result2.warned.length + result2.rejected.length + result2.unknown.length;
+        }
+        switch (options.format) {
+          case "json":
+            console.log(formatJsonList(result2));
+            break;
+          case "csv":
+            console.log(formatCsvList(result2));
+            break;
+          default:
+            console.log(formatTerminalList(result2));
+            break;
+        }
+        return;
+      }
+      const result = await unifiedScan({
         projectPath: options.project,
         config: {
-          scanDevDependencies: options.dev || void 0
+          scanDevDependencies: options.dev || void 0,
+          modules: {
+            license: options.license !== void 0 ? options.license : void 0,
+            security: options.security !== void 0 ? options.security : void 0,
+            secrets: options.secrets !== void 0 ? options.secrets : void 0
+          }
         }
       });
-      if (options.filter) {
+      if (options.filter && result.modules.license) {
         const filter = options.filter.toUpperCase();
-        result.allowed = result.allowed.filter((r) => r.dependency.license.toUpperCase().includes(filter));
-        result.warned = result.warned.filter((r) => r.dependency.license.toUpperCase().includes(filter));
-        result.rejected = result.rejected.filter((r) => r.dependency.license.toUpperCase().includes(filter));
-        result.unknown = result.unknown.filter((r) => r.dependency.license.toUpperCase().includes(filter));
-        result.totalPackages = result.allowed.length + result.warned.length + result.rejected.length + result.unknown.length;
+        result.modules.license.allowed = result.modules.license.allowed.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+        result.modules.license.warned = result.modules.license.warned.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+        result.modules.license.rejected = result.modules.license.rejected.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+        result.modules.license.unknown = result.modules.license.unknown.filter((r) => r.dependency.license.toUpperCase().includes(filter));
+        result.modules.license.totalPackages = result.modules.license.allowed.length + result.modules.license.warned.length + result.modules.license.rejected.length + result.modules.license.unknown.length;
       }
       switch (options.format) {
         case "json":
-          console.log(formatJsonList(result));
+          console.log(formatJsonUnified(result));
           break;
         case "csv":
-          console.log(formatCsvList(result));
+          console.log(formatCsvUnified(result));
           break;
         default:
-          console.log(formatTerminalList(result));
+          console.log(formatTerminalUnified(result));
           break;
       }
     } catch (error) {
@@ -491,40 +1062,73 @@ function registerListCommand(program2) {
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
 function registerReportCommand(program2) {
-  program2.command("report").description("Generate a license attribution/NOTICE file").option("--out <path>", "Output file path", "NOTICE.txt").option("--format <type>", "Format: text, json, csv", "text").option("--project <path>", "Path to project root", process.cwd()).action(async (options) => {
+  program2.command("report").description("Generate a license attribution/NOTICE file or full scan report").option("--out <path>", "Output file path", "NOTICE.txt").option("--format <type>", "Format: text, json, csv", "text").option("--project <path>", "Path to project root", process.cwd()).option("--license-only", "Generate license-only report (legacy mode)").option("--no-license", "Exclude license information from report").option("--no-security", "Exclude security information from report").option("--no-secrets", "Exclude secrets information from report").action(async (options) => {
     try {
-      const result = await scan({
+      if (options.licenseOnly) {
+        const result2 = await scan({
+          projectPath: options.project,
+          config: { scanDevDependencies: true }
+        });
+        const allResults = [...result2.allowed, ...result2.warned, ...result2.rejected, ...result2.unknown];
+        allResults.sort((a, b) => a.dependency.name.localeCompare(b.dependency.name));
+        let content2;
+        switch (options.format) {
+          case "json":
+            content2 = JSON.stringify(
+              allResults.map((r) => ({
+                name: r.dependency.name,
+                version: r.dependency.version,
+                license: r.dependency.license,
+                source: r.dependency.licenseSource
+              })),
+              null,
+              2
+            );
+            break;
+          case "csv":
+            content2 = "Package,Version,License\n" + allResults.map(
+              (r) => `${r.dependency.name},${r.dependency.version},${r.dependency.license}`
+            ).join("\n");
+            break;
+          default:
+            content2 = generateNoticeText(allResults, result2.projectPath);
+            break;
+        }
+        const outPath2 = path3.resolve(options.out);
+        fs2.writeFileSync(outPath2, content2, "utf-8");
+        console.log(`\u2705 Generated ${options.out} with ${allResults.length} package attributions`);
+        return;
+      }
+      const result = await unifiedScan({
         projectPath: options.project,
-        config: { scanDevDependencies: true }
+        config: {
+          scanDevDependencies: true,
+          modules: {
+            license: options.license !== void 0 ? options.license : void 0,
+            security: options.security !== void 0 ? options.security : void 0,
+            secrets: options.secrets !== void 0 ? options.secrets : void 0
+          }
+        }
       });
-      const allResults = [...result.allowed, ...result.warned, ...result.rejected, ...result.unknown];
-      allResults.sort((a, b) => a.dependency.name.localeCompare(b.dependency.name));
       let content;
       switch (options.format) {
         case "json":
-          content = JSON.stringify(
-            allResults.map((r) => ({
-              name: r.dependency.name,
-              version: r.dependency.version,
-              license: r.dependency.license,
-              source: r.dependency.licenseSource
-            })),
-            null,
-            2
-          );
+          content = JSON.stringify(result, null, 2);
           break;
         case "csv":
-          content = "Package,Version,License\n" + allResults.map(
-            (r) => `${r.dependency.name},${r.dependency.version},${r.dependency.license}`
-          ).join("\n");
+          content = generateUnifiedCsvReport(result);
           break;
         default:
-          content = generateNoticeText(allResults, result.projectPath);
+          content = generateUnifiedTextReport(result);
           break;
       }
-      const outPath = path3.resolve(options.out);
+      const outPath = path3.resolve(options.out === "NOTICE.txt" ? "preship-report.txt" : options.out);
       fs2.writeFileSync(outPath, content, "utf-8");
-      console.log(`\u2705 Generated ${options.out} with ${allResults.length} package attributions`);
+      const modulesRan = [];
+      if (result.modules.license) modulesRan.push("license");
+      if (result.modules.security) modulesRan.push("security");
+      if (result.modules.secrets) modulesRan.push("secrets");
+      console.log(`\u2705 Generated ${path3.basename(outPath)} (modules: ${modulesRan.join(", ")})`);
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
       console.error(`\u274C ${message}`);
@@ -564,6 +1168,113 @@ function generateNoticeText(results, projectPath) {
   lines.push("=".repeat(80));
   return lines.join("\n");
 }
+function generateUnifiedTextReport(result) {
+  const lines = [];
+  lines.push("PRESHIP SCAN REPORT");
+  lines.push(`Generated: ${result.timestamp}`);
+  lines.push(`Project: ${result.projectPath}`);
+  lines.push(`Mode: ${result.mode}`);
+  lines.push(`Policy: ${result.policy}`);
+  lines.push(`Overall: ${result.passed ? "PASSED" : "FAILED"}`);
+  lines.push("");
+  if (result.modules.license) {
+    const license = result.modules.license;
+    lines.push("=".repeat(80));
+    lines.push("LICENSE COMPLIANCE");
+    lines.push("=".repeat(80));
+    lines.push(`Total packages: ${license.totalPackages}`);
+    lines.push(`Passed: ${license.passed}`);
+    lines.push(`Allowed: ${license.allowed.length}`);
+    lines.push(`Warned: ${license.warned.length}`);
+    lines.push(`Rejected: ${license.rejected.length}`);
+    lines.push(`Unknown: ${license.unknown.length}`);
+    lines.push("");
+    const allResults = [...license.allowed, ...license.warned, ...license.rejected, ...license.unknown];
+    allResults.sort((a, b) => a.dependency.name.localeCompare(b.dependency.name));
+    for (const r of allResults) {
+      lines.push(`  ${r.dependency.name}@${r.dependency.version} \u2014 ${r.dependency.license} [${r.verdict}]`);
+    }
+    lines.push("");
+  }
+  if (result.modules.security) {
+    const security = result.modules.security;
+    lines.push("=".repeat(80));
+    lines.push("SECURITY VULNERABILITIES");
+    lines.push("=".repeat(80));
+    lines.push(`Total packages scanned: ${security.totalPackages}`);
+    lines.push(`Passed: ${security.passed}`);
+    lines.push(`Findings: ${security.findings.length}`);
+    lines.push("");
+    if (security.findings.length > 0) {
+      for (const f of security.findings) {
+        lines.push(`  [${f.severity.toUpperCase()}] ${f.package}@${f.version} \u2014 ${f.type}: ${f.message}`);
+      }
+      lines.push("");
+    }
+  }
+  if (result.modules.secrets) {
+    const secrets = result.modules.secrets;
+    lines.push("=".repeat(80));
+    lines.push("SECRET DETECTION");
+    lines.push("=".repeat(80));
+    lines.push(`Files scanned: ${secrets.filesScanned}`);
+    lines.push(`Passed: ${secrets.passed}`);
+    lines.push(`Findings: ${secrets.findings.length}`);
+    lines.push("");
+    if (secrets.findings.length > 0) {
+      for (const f of secrets.findings) {
+        lines.push(`  [${f.severity.toUpperCase()}] ${f.file}:${f.line} \u2014 ${f.description} (${f.match})`);
+      }
+      lines.push("");
+    }
+  }
+  lines.push("=".repeat(80));
+  lines.push(`Scan duration: ${(result.totalScanDurationMs / 1e3).toFixed(1)}s`);
+  return lines.join("\n");
+}
+function generateUnifiedCsvReport(result) {
+  const sections = [];
+  if (result.modules.license) {
+    const lines = [];
+    lines.push("# License Compliance");
+    lines.push("Module,Package,Version,License,Verdict,Reason");
+    const allResults = [
+      ...result.modules.license.allowed,
+      ...result.modules.license.warned,
+      ...result.modules.license.rejected,
+      ...result.modules.license.unknown
+    ];
+    for (const r of allResults) {
+      lines.push(`license,${escapeCsv2(r.dependency.name)},${escapeCsv2(r.dependency.version)},${escapeCsv2(r.dependency.license)},${r.verdict},${escapeCsv2(r.reason)}`);
+    }
+    sections.push(lines.join("\n"));
+  }
+  if (result.modules.security) {
+    const lines = [];
+    lines.push("# Security Findings");
+    lines.push("Module,Package,Version,Type,Severity,Message");
+    for (const f of result.modules.security.findings) {
+      lines.push(`security,${escapeCsv2(f.package)},${escapeCsv2(f.version)},${f.type},${f.severity},${escapeCsv2(f.message)}`);
+    }
+    sections.push(lines.join("\n"));
+  }
+  if (result.modules.secrets) {
+    const lines = [];
+    lines.push("# Secret Detection Findings");
+    lines.push("Module,File,Line,RuleId,Severity,Description");
+    for (const f of result.modules.secrets.findings) {
+      lines.push(`secrets,${escapeCsv2(f.file)},${f.line},${f.ruleId},${f.severity},${escapeCsv2(f.description)}`);
+    }
+    sections.push(lines.join("\n"));
+  }
+  return sections.join("\n\n");
+}
+function escapeCsv2(value) {
+  if (value.includes(",") || value.includes('"') || value.includes("\n")) {
+    return `"${value.replace(/"/g, '""')}"`;
+  }
+  return value;
+}
 
 // src/commands/allow.ts
 var fs3 = __toESM(require("fs"));
@@ -3203,7 +3914,7 @@ function registerAllowCommand(program2) {
 
 // src/cli.ts
 var program = new import_commander.Command();
-program.name("preship").description("The ESLint of license compliance. Detect GPL, AGPL, EUPL and other problematic licenses before you ship.").version("1.0.0");
+program.name("preship").description("Pre-ship verification: license compliance, security scanning, and secret detection \u2014 all before you ship.").version("2.0.2");
 registerScanCommand(program);
 registerInitCommand(program);
 registerListCommand(program);

package/dist/index.d.ts

@@ -1,10 +1,19 @@
-import { PreshipConfig, ScanResult } from '@preship/core';
-export { Dependency, DetectedProject, ExceptionEntry, LicenseSource, ParsedDependency, PolicyResult, PolicyTemplate, PolicyVerdict, PreshipConfig, ProjectType, ResolverMode, ScanResult } from '@preship/core';
+import { PreshipConfig, ScanResult, UnifiedScanResult } from '@preship/core';
+export { Dependency, DetectedProject, ExceptionEntry, LicenseSource, ModuleConfig, PackageHealth, ParsedDependency, PolicyResult, PolicyTemplate, PolicyVerdict, PreshipConfig, ProjectType, ResolverMode, ScanResult, SecretFinding, SecretRule, SecretSeverity, SecretsConfig, SecretsResult, SecurityConfig, SecurityFinding, SecurityPolicyLevel, SecurityResult, SecuritySeverity, SecurityVulnerability, UnifiedScanResult } from '@preship/core';
 
 interface ScanOptions {
     projectPath?: string;
     config?: Partial<PreshipConfig>;
 }
+/**
+ * Legacy scan function — license-only scan for backwards compatibility.
+ * Returns ScanResult (license module output only).
+ */
 declare function scan(options?: ScanOptions): Promise<ScanResult>;
+/**
+ * Unified scan — runs all enabled modules (license, security, secrets).
+ * Returns UnifiedScanResult with combined results from all modules.
+ */
+declare function unifiedScan(options?: ScanOptions): Promise<UnifiedScanResult>;
 
-export { type ScanOptions, scan };
+export { type ScanOptions, scan, unifiedScan };

package/dist/index.js

@@ -30,7 +30,8 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  scan: () => scan
+  scan: () => scan,
+  unifiedScan: () => unifiedScan
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -38,6 +39,8 @@ module.exports = __toCommonJS(index_exports);
 var path = __toESM(require("path"));
 var import_core = require("@preship/core");
 var import_license = require("@preship/license");
+var import_security = require("@preship/security");
+var import_secrets = require("@preship/secrets");
 async function scan(options) {
   const startTime = Date.now();
   const projectPath = path.resolve(options?.projectPath ?? process.cwd());
@@ -93,7 +96,123 @@ async function scan(options) {
     scanDurationMs
   };
 }
+async function unifiedScan(options) {
+  const startTime = Date.now();
+  const projectPath = path.resolve(options?.projectPath ?? process.cwd());
+  let config = (0, import_core.loadConfig)(projectPath);
+  if (options?.config) {
+    config = {
+      ...config,
+      ...options.config,
+      modules: { ...config.modules, ...options.config.modules },
+      security: { ...config.security, ...options.config.security },
+      secrets: { ...config.secrets, ...options.config.secrets }
+    };
+  }
+  const modules = {
+    license: config.modules?.license ?? true,
+    security: config.modules?.security ?? true,
+    secrets: config.modules?.secrets ?? true
+  };
+  if (!modules.license && !modules.security && !modules.secrets) {
+    console.warn("\u26A0\uFE0F  No scan modules enabled. Use --no-license, --no-security, --no-secrets to selectively disable.");
+  }
+  const mode = config.mode ?? "auto";
+  const policy = config.policy ?? "commercial-safe";
+  const projects = (0, import_core.detectProjects)(projectPath);
+  const project = projects[0];
+  const packageJsonPath = path.join(project.path, "package.json");
+  let parsedDeps;
+  switch (project.type) {
+    case "npm":
+      parsedDeps = (0, import_core.parseNpmLockfile)(project.lockFile, packageJsonPath);
+      break;
+    case "yarn":
+      parsedDeps = (0, import_core.parseYarnLockfile)(project.lockFile, packageJsonPath);
+      break;
+    case "pnpm":
+      parsedDeps = (0, import_core.parsePnpmLockfile)(project.lockFile, packageJsonPath);
+      break;
+    default:
+      throw new Error(`Unsupported project type: ${project.type}`);
+  }
+  if (!config.scanDevDependencies) {
+    parsedDeps = parsedDeps.filter((dep) => !dep.isDevDependency);
+  }
+  let licenseResult;
+  let securityResult;
+  let secretsResult;
+  const promises = [];
+  if (modules.license) {
+    promises.push(
+      (async () => {
+        const licenseStart = Date.now();
+        const dependencies = await (0, import_license.resolveLicenses)(parsedDeps, projectPath, {
+          mode,
+          networkTimeout: config.networkTimeout ?? 5e3,
+          networkConcurrency: config.networkConcurrency ?? 10,
+          cache: config.cache ?? true,
+          cacheTTL: config.cacheTTL ?? 604800,
+          scanTimeout: config.scanTimeout ?? 6e4
+        });
+        const results = (0, import_license.evaluatePolicy)(dependencies, config);
+        const allowed = results.filter((r) => r.verdict === "allowed");
+        const warned = results.filter((r) => r.verdict === "warned");
+        const rejected = results.filter((r) => r.verdict === "rejected");
+        const unknown = results.filter((r) => r.verdict === "unknown");
+        licenseResult = {
+          projectPath,
+          projectType: project.type,
+          framework: project.framework,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          totalPackages: dependencies.length,
+          allowed,
+          warned,
+          rejected,
+          unknown,
+          passed: rejected.length === 0,
+          scanDurationMs: Date.now() - licenseStart
+        };
+      })()
+    );
+  }
+  if (modules.security) {
+    promises.push(
+      (async () => {
+        const securityConfig = (0, import_security.mergeSecurityConfig)(config.security);
+        securityResult = await (0, import_security.scanSecurity)(parsedDeps, projectPath, securityConfig, mode);
+      })()
+    );
+  }
+  if (modules.secrets) {
+    promises.push(
+      (async () => {
+        secretsResult = await (0, import_secrets.scanSecrets)(projectPath, config.secrets);
+      })()
+    );
+  }
+  await Promise.all(promises);
+  const allPassed = (licenseResult?.passed ?? true) && (securityResult?.passed ?? true) && (secretsResult?.passed ?? true);
+  const totalScanDurationMs = Date.now() - startTime;
+  return {
+    version: "2.0.0",
+    projectPath,
+    projectType: project.type,
+    framework: project.framework,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    passed: allPassed,
+    mode,
+    policy,
+    modules: {
+      license: licenseResult,
+      security: securityResult,
+      secrets: secretsResult
+    },
+    totalScanDurationMs
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  scan
+  scan,
+  unifiedScan
 });

package/package.json

@@ -1,11 +1,15 @@
 {
   "name": "preship",
-  "version": "1.0.5",
-  "description": "License compliance for modern dev teams. Detect GPL, AGPL, EUPL and other problematic licenses before you ship. Zero config. Fully offline. Free forever.",
+  "version": "2.0.2",
+  "description": "Pre-ship verification for modern dev teams. License compliance, security vulnerability scanning, and secret detection — all in one CLI. Zero config. Fully offline. Free forever.",
   "keywords": [
     "license",
     "compliance",
     "scanner",
+    "security",
+    "vulnerability",
+    "secrets",
+    "credentials",
     "gpl",
     "agpl",
     "eupl",
@@ -19,7 +23,9 @@
     "fossa-alternative",
     "snyk-alternative",
     "offline",
-    "air-gap"
+    "air-gap",
+    "osv",
+    "cve"
   ],
   "author": "Cyfox Inc.",
   "license": "Apache-2.0",
@@ -49,8 +55,10 @@
     "lint": "tsc --noEmit"
   },
   "dependencies": {
-    "@preship/core": "1.0.2",
-    "@preship/license": "1.0.1",
+    "@preship/core": "2.0.1",
+    "@preship/license": "2.0.0",
+    "@preship/security": "1.0.1",
+    "@preship/secrets": "1.0.2",
     "chalk": "^4.1.2",
     "cli-table3": "^0.6.5",
     "commander": "^12.1.0"