projscan 0.9.0 → 0.9.2

package/README.md

@@ -6,7 +6,7 @@
 [![license](https://img.shields.io/npm/l/projscan.svg)](https://github.com/abhiyoheswaran1/projscan/blob/main/LICENSE)
 [![node](https://img.shields.io/node/v/projscan.svg)](https://nodejs.org)
 
-**Agent-first code intelligence.** An MCP server that lets AI coding agents (Claude Code, Cursor, Windsurf) query your codebase — with a CLI for humans on the side.
+**Agent-first code intelligence.** An MCP server that lets AI coding agents (Claude Code, Cursor, Windsurf) query your codebase - with a CLI for humans on the side.
 
 [AI Agent Quick Start](#ai-agent-integration-mcp) · [CLI Quick Start](#quick-start) · [Commands](#commands) · [Full Guide](docs/GUIDE.md) · [Roadmap](docs/ROADMAP.md)
 
@@ -18,9 +18,9 @@
 
 ## Why?
 
-AI coding agents are becoming the primary interface to code. Today, when you ask your agent *"which files implement auth?"* or *"what breaks if I bump React from 18 to 19?"* — it either guesses from names, or it shells out to grep and reads raw output not built for it.
+AI coding agents are becoming the primary interface to code. Today, when you ask your agent *"which files implement auth?"* or *"what breaks if I bump React from 18 to 19?"* - it either guesses from names, or it shells out to grep and reads raw output not built for it.
 
-**projscan is the first code-intelligence tool built for agents, not for humans.** Your agent gets a fast, AST-accurate, context-budget-aware view of your codebase through 13 structured MCP tools. It can query the import graph, find symbol definitions, preview upgrades, rank hotspots — without loading the file tree into its context.
+**projscan is the first code-intelligence tool built for agents, not for humans.** Your agent gets a fast, AST-accurate, context-budget-aware view of your codebase through 13 structured MCP tools. It can query the import graph, find symbol definitions, preview upgrades, rank hotspots - without loading the file tree into its context.
 
 Humans get the same thing through the CLI.
 
@@ -61,7 +61,7 @@ projscan                            # Full project analysis
 projscan doctor                     # Health check
 projscan hotspots                   # Rank files by risk (churn × complexity × issues × ownership)
 projscan search <query>             # BM25-ranked search (content + symbols + path)
-projscan file <path>                # Drill into a file — purpose, risk, ownership, issues
+projscan file <path>                # Drill into a file - purpose, risk, ownership, issues
 projscan fix                        # Auto-fix detected issues
 projscan ci                         # CI health gate (exits 1 on low score)
 projscan ci --changed-only          # Gate only on this PR's diff
@@ -69,7 +69,7 @@ projscan ci --format sarif          # SARIF 2.1.0 for GitHub Code Scanning
 projscan outdated                   # Declared-vs-installed drift (offline)
 projscan audit                      # npm audit, normalized + SARIF-ready
 projscan upgrade <pkg>              # Preview upgrade impact (local CHANGELOG + importers)
-projscan coverage                   # Coverage × hotspots — scariest untested files
+projscan coverage                   # Coverage × hotspots - scariest untested files
 projscan diff                       # Compare health + hotspot trends against a baseline
 projscan diagram                    # Architecture visualization
 projscan structure                  # Directory tree
@@ -84,22 +84,22 @@ For a comprehensive walkthrough, see the **[Full Guide](docs/GUIDE.md)**.
 
 | Command | Description |
 |---------|-------------|
-| `projscan analyze` | Full analysis — languages, frameworks, dependencies, issues |
-| `projscan doctor` | Health check — missing tooling, architecture smells, security risks |
-| `projscan hotspots` | Rank files by risk — churn × complexity × issues × ownership |
-| `projscan search <query>` | **BM25-ranked search** — content + symbols + path, with excerpts |
-| `projscan file <path>` | Drill into a file — purpose, risk, ownership, related issues |
+| `projscan analyze` | Full analysis - languages, frameworks, dependencies, issues |
+| `projscan doctor` | Health check - missing tooling, architecture smells, security risks |
+| `projscan hotspots` | Rank files by risk - churn × complexity × issues × ownership |
+| `projscan search <query>` | **BM25-ranked search** - content + symbols + path, with excerpts |
+| `projscan file <path>` | Drill into a file - purpose, risk, ownership, related issues |
 | `projscan fix` | Auto-fix issues (ESLint, Prettier, Vitest, .editorconfig) |
-| `projscan ci` | CI health gate — SARIF output, `--changed-only` PR-diff mode, exits 1 if score below threshold |
+| `projscan ci` | CI health gate - SARIF output, `--changed-only` PR-diff mode, exits 1 if score below threshold |
 | `projscan diff` | Compare current health **and hotspot trends** against a baseline |
 | `projscan explain <file>` | Explain a file's purpose, imports, exports, and issues |
 | `projscan diagram` | ASCII architecture diagram of your project |
 | `projscan structure` | Directory tree with file counts |
-| `projscan dependencies` | Dependency analysis — counts, risks, recommendations |
+| `projscan dependencies` | Dependency analysis - counts, risks, recommendations |
 | `projscan outdated` | Declared-vs-installed drift check (offline) |
-| `projscan audit` | `npm audit`-powered vulnerability report — SARIF-ready for Code Scanning |
-| `projscan upgrade <pkg>` | Preview upgrade impact — local CHANGELOG + importer list, offline |
-| `projscan coverage` | **Coverage × hotspots — rank the scariest untested files** |
+| `projscan audit` | `npm audit`-powered vulnerability report - SARIF-ready for Code Scanning |
+| `projscan upgrade <pkg>` | Preview upgrade impact - local CHANGELOG + importer list, offline |
+| `projscan coverage` | **Coverage × hotspots - rank the scariest untested files** |
 | `projscan badge` | Generate a health score badge for your README |
 | `projscan mcp` | Run as an MCP server for AI coding agents (Claude Code, Cursor, …) |
 
@@ -112,31 +112,31 @@ projscan --help
 ### Command Screenshots
 
 <details>
-<summary><strong>projscan structure</strong> — Directory tree with file counts</summary>
+<summary><strong>projscan structure</strong> - Directory tree with file counts</summary>
 
 <img src="docs/npx%20projscan%20structure.png" alt="npx projscan structure" width="700">
 </details>
 
 <details>
-<summary><strong>projscan diagram</strong> — Architecture visualization</summary>
+<summary><strong>projscan diagram</strong> - Architecture visualization</summary>
 
 <img src="docs/npx%20projscan%20diagram.png" alt="npx projscan diagram" width="700">
 </details>
 
 <details>
-<summary><strong>projscan dependencies</strong> — Dependency analysis</summary>
+<summary><strong>projscan dependencies</strong> - Dependency analysis</summary>
 
 <img src="docs/npx%20projscan%20dependencies.png" alt="npx projscan dependencies" width="700">
 </details>
 
 <details>
-<summary><strong>projscan explain</strong> — File explanation</summary>
+<summary><strong>projscan explain</strong> - File explanation</summary>
 
 <img src="docs/npx%20projscan%20explain.png" alt="npx projscan explain" width="700">
 </details>
 
 <details>
-<summary><strong>projscan badge</strong> — Health badge generation</summary>
+<summary><strong>projscan badge</strong> - Health badge generation</summary>
 
 <img src="docs/npx%20projscan%20badge.png" alt="npx projscan badge" width="700">
 </details>
@@ -172,11 +172,11 @@ Every `projscan doctor` run calculates a health score (0–100) and letter grade
 
 | Grade | Score | Meaning |
 |-------|-------|---------|
-| A | 90–100 | Excellent — project follows best practices |
-| B | 80–89 | Good — minor improvements possible |
-| C | 70–79 | Fair — several issues to address |
-| D | 60–69 | Poor — significant issues found |
-| F | < 60 | Critical — major issues need attention |
+| A | 90–100 | Excellent - project follows best practices |
+| B | 80–89 | Good - minor improvements possible |
+| C | 70–79 | Fair - several issues to address |
+| D | 60–69 | Poor - significant issues found |
+| F | < 60 | Critical - major issues need attention |
 
 Generate a badge for your README:
 
@@ -202,15 +202,15 @@ This outputs a [shields.io](https://shields.io) badge URL and markdown snippet y
 - Excessive, deprecated, or wildcard-versioned dependencies
 - Missing lockfile
 - Committed `.env` files and private keys (security)
-- Hardcoded secrets — AWS keys, GitHub tokens, Slack tokens, generic passwords (security)
+- Hardcoded secrets - AWS keys, GitHub tokens, Slack tokens, generic passwords (security)
 - Missing `.env` in `.gitignore` (security)
 
 ## Performance
 
 - **5,000 files** analyzed in under 1.5 seconds
 - **20,000 files** analyzed in under 3 seconds
-- **Zero network requests** — everything runs locally
-- **4 runtime dependencies** — minimal footprint
+- **Zero network requests** - everything runs locally
+- **4 runtime dependencies** - minimal footprint
 
 ## CI/CD Integration
 
@@ -264,7 +264,7 @@ If you'd rather not upload SARIF, [`.github/projscan-ci.yml`](.github/projscan-c
 
 ## Configuration (`.projscanrc`)
 
-Drop a `.projscanrc.json` at your repo root to set defaults — CLI flags always win over config. A `"projscan"` key in `package.json` and plain `.projscanrc` are also supported.
+Drop a `.projscanrc.json` at your repo root to set defaults - CLI flags always win over config. A `"projscan"` key in `package.json` and plain `.projscanrc` are also supported.
 
 ```json
 {
@@ -284,12 +284,12 @@ Drop a `.projscanrc.json` at your repo root to set defaults — CLI flags always
 
 Fields:
 
-- `minScore` — default `ci` threshold (0–100)
-- `baseRef` — default base ref for `--changed-only`
-- `ignore` — extra glob patterns added to the built-in ignore list
-- `disableRules` — silence rules by id; supports wildcard `prefix-*`
-- `severityOverrides` — remap a rule's severity (`info` / `warning` / `error`)
-- `hotspots.limit` / `hotspots.since` — defaults for the `hotspots` command
+- `minScore` - default `ci` threshold (0–100)
+- `baseRef` - default base ref for `--changed-only`
+- `ignore` - extra glob patterns added to the built-in ignore list
+- `disableRules` - silence rules by id; supports wildcard `prefix-*`
+- `severityOverrides` - remap a rule's severity (`info` / `warning` / `error`)
+- `hotspots.limit` / `hotspots.since` - defaults for the `hotspots` command
 
 ## Tracking Health Over Time
 
@@ -304,9 +304,9 @@ projscan diff --format markdown     # Markdown diff for PRs
 
 <img src="docs/npx%20projscan%20diff%20--save-baseline.png" alt="npx projscan diff --save-baseline" width="700">
 
-## Hotspots — Where to Fix First
+## Hotspots - Where to Fix First
 
-A flat health score doesn't tell you what to do. **`projscan hotspots`** combines `git log` churn, file complexity, open issues, recency, and **ownership** into a single risk score per file — so you know where refactoring or review will actually pay off.
+A flat health score doesn't tell you what to do. **`projscan hotspots`** combines `git log` churn, file complexity, open issues, recency, and **ownership** into a single risk score per file - so you know where refactoring or review will actually pay off.
 
 ```bash
 projscan hotspots                       # Top 10 hotspots
@@ -324,7 +324,7 @@ Hotspot ranking follows the classic Feathers "churn × complexity" heuristic wit
 projscan file src/cli/index.ts
 ```
 
-Combines the file's purpose, imports, exports, hotspot risk, ownership, and every open issue that references it — the natural follow-up to `projscan hotspots`.
+Combines the file's purpose, imports, exports, hotspot risk, ownership, and every open issue that references it - the natural follow-up to `projscan hotspots`.
 
 ### Track Trends Over Time
 
@@ -338,7 +338,7 @@ The baseline file now captures top hotspots too, so `diff` surfaces files that a
 
 ## Dependency Health
 
-projscan ships three focused commands for keeping your dependency graph healthy — all **offline** by default, no registry calls.
+projscan ships three focused commands for keeping your dependency graph healthy - all **offline** by default, no registry calls.
 
 ```bash
 projscan outdated                       # Which declared deps drift from what's installed?
@@ -351,9 +351,9 @@ projscan upgrade chalk --format markdown # Paste-ready review comment
 
 ### What each one tells you
 
-- **`outdated`** — reads `package.json` and `node_modules/<pkg>/package.json` to classify drift (`major` / `minor` / `patch` / `same` / `unknown`). No network.
-- **`audit`** — wraps `npm audit --json`, normalizes the output, and emits SARIF with per-finding rules anchored to `package.json`. Graceful fallback message for yarn/pnpm projects.
-- **`upgrade <pkg>`** — reads `node_modules/<pkg>/CHANGELOG.md`, slices the section between your installed version and the previous one, flags `BREAKING CHANGE` / `deprecated` / `removed support` markers, and lists every file in your repo that imports the package. All offline.
+- **`outdated`** - reads `package.json` and `node_modules/<pkg>/package.json` to classify drift (`major` / `minor` / `patch` / `same` / `unknown`). No network.
+- **`audit`** - wraps `npm audit --json`, normalizes the output, and emits SARIF with per-finding rules anchored to `package.json`. Graceful fallback message for yarn/pnpm projects.
+- **`upgrade <pkg>`** - reads `node_modules/<pkg>/CHANGELOG.md`, slices the section between your installed version and the previous one, flags `BREAKING CHANGE` / `deprecated` / `removed support` markers, and lists every file in your repo that imports the package. All offline.
 
 ### Unused dependencies (automatic in `doctor`)
 
@@ -361,9 +361,9 @@ projscan upgrade chalk --format markdown # Paste-ready review comment
 
 Implicit-use packages (typescript, eslint/prettier plugins, `@types/*`, and anything invoked from a `package.json` script) are allowlisted. Override via `.projscanrc` → `disableRules` if projscan flags something that is used but not imported.
 
-## Coverage × Hotspots — Scariest Untested Files
+## Coverage × Hotspots - Scariest Untested Files
 
-`projscan coverage` joins your test coverage with the hotspot ranking. A file with high churn and low coverage is where a bug is most likely to bite you — so that's where you want tests first.
+`projscan coverage` joins your test coverage with the hotspot ranking. A file with high churn and low coverage is where a bug is most likely to bite you - so that's where you want tests first.
 
 ```bash
 projscan coverage                       # Top 30 scariest untested files
@@ -371,23 +371,23 @@ projscan coverage --format markdown     # Paste into a tech-debt ticket
 projscan coverage --format json         # Machine-readable for dashboards
 ```
 
-**How it decides "scariest":** `priority = riskScore × (0.3 + 0.7 × uncoveredFraction)` — so a file with 50 risk and 10% coverage outranks a file with 50 risk and 95% coverage.
+**How it decides "scariest":** `priority = riskScore × (0.3 + 0.7 × uncoveredFraction)` - so a file with 50 risk and 10% coverage outranks a file with 50 risk and 95% coverage.
 
 **Which coverage files are supported:**
 
-- `coverage/lcov.info` (lcov — Vitest, Jest, c8)
+- `coverage/lcov.info` (lcov - Vitest, Jest, c8)
 - `coverage/coverage-final.json` (Istanbul per-file detail)
 - `coverage/coverage-summary.json` (Istanbul summary)
 
-Coverage is also automatically joined into `projscan hotspots` when one of those files exists — no flag needed. Uncovered churning files get a score bump and a `low coverage (X%)` reason tag.
+Coverage is also automatically joined into `projscan hotspots` when one of those files exists - no flag needed. Uncovered churning files get a score bump and a `low coverage (X%)` reason tag.
 
 ### Dead-code detection (automatic in `doctor`)
 
-`projscan doctor` now flags source files whose exports nothing imports — dead code left over from refactors or utilities that were never wired up. Respects `package.json` public entry points (`main`, `exports`, `bin`, `types`), skips test files and barrel (`index`) files.
+`projscan doctor` now flags source files whose exports nothing imports - dead code left over from refactors or utilities that were never wired up. Respects `package.json` public entry points (`main`, `exports`, `bin`, `types`), skips test files and barrel (`index`) files.
 
 ## AI Agent Integration (MCP)
 
-**This is the primary way to use projscan.** `projscan mcp` starts an [MCP](https://modelcontextprotocol.io) server over stdio so AI coding agents can query your codebase with real structural accuracy — not regex, not grep.
+**This is the primary way to use projscan.** `projscan mcp` starts an [MCP](https://modelcontextprotocol.io) server over stdio so AI coding agents can query your codebase with real structural accuracy - not regex, not grep.
 
 ### Claude Code
 
@@ -419,28 +419,28 @@ claude mcp add projscan -- npx projscan mcp
 
 ### The 13 MCP tools
 
-**Structural (0.6.0 — new, agent-native):**
-- **`projscan_graph`** — query the AST-based code graph. Directions: `imports`, `exports`, `importers`, `symbol_defs`, `package_importers`. Millisecond responses on a warm cache.
-- **`projscan_search`** — fast search across `symbols` (exported names), `files` (path substring), or `content` (source substring with line + excerpt). Replaces the temptation to shell out to grep.
+**Structural (0.6.0 - new, agent-native):**
+- **`projscan_graph`** - query the AST-based code graph. Directions: `imports`, `exports`, `importers`, `symbol_defs`, `package_importers`. Millisecond responses on a warm cache.
+- **`projscan_search`** - fast search across `symbols` (exported names), `files` (path substring), or `content` (source substring with line + excerpt). Replaces the temptation to shell out to grep.
 
 **Analysis:**
-- `projscan_analyze` — full project report
-- `projscan_doctor` — health score + issues
-- `projscan_hotspots` — risk-ranked files (churn × complexity × issues × ownership × coverage)
-- `projscan_file` — per-file risk + ownership + related issues
-- `projscan_explain` — per-file purpose, imports, exports, smells
-- `projscan_structure` — directory tree
-- `projscan_coverage` — scariest untested files (coverage × hotspots)
+- `projscan_analyze` - full project report
+- `projscan_doctor` - health score + issues
+- `projscan_hotspots` - risk-ranked files (churn × complexity × issues × ownership × coverage)
+- `projscan_file` - per-file risk + ownership + related issues
+- `projscan_explain` - per-file purpose, imports, exports, smells
+- `projscan_structure` - directory tree
+- `projscan_coverage` - scariest untested files (coverage × hotspots)
 
 **Dependencies:**
-- `projscan_dependencies` — declared deps, risks
-- `projscan_outdated` — declared-vs-installed drift (offline)
-- `projscan_audit` — normalized `npm audit`
-- `projscan_upgrade` — upgrade preview (CHANGELOG + importers, offline)
+- `projscan_dependencies` - declared deps, risks
+- `projscan_outdated` - declared-vs-installed drift (offline)
+- `projscan_audit` - normalized `npm audit`
+- `projscan_upgrade` - upgrade preview (CHANGELOG + importers, offline)
 
 ### Context-window budgeting
 
-**Every MCP tool accepts an optional `max_tokens` argument.** Set it and projscan serializes the result, and — if over budget — truncates the largest array field record-by-record until it fits. Responses include a `_budget` sidecar when truncated so your agent knows it got a partial view.
+**Every MCP tool accepts an optional `max_tokens` argument.** Set it and projscan serializes the result, and - if over budget - truncates the largest array field record-by-record until it fits. Responses include a `_budget` sidecar when truncated so your agent knows it got a partial view.
 
 ```json
 { "name": "projscan_hotspots", "arguments": { "limit": 100, "max_tokens": 800 } }
@@ -448,7 +448,7 @@ claude mcp add projscan -- npx projscan mcp
 
 ### Semantic search (0.9.0+, opt-in)
 
-projscan ships with BM25-ranked lexical search by default. To unlock **true semantic search** — embeddings over file content so queries like *"which file implements auth"* hit files that don't literally contain the word "auth" — install the optional peer:
+projscan ships with BM25-ranked lexical search by default. To unlock **true semantic search** - embeddings over file content so queries like *"which file implements auth"* hit files that don't literally contain the word "auth" - install the optional peer:
 
 ```bash
 npm install @xenova/transformers
@@ -461,11 +461,11 @@ Or via the MCP tool:
 ```
 
 Modes on `projscan_search`:
-- `lexical` (default) — BM25 over content + symbol + path boosts. No peer needed.
-- `semantic` — cosine similarity on `Xenova/all-MiniLM-L6-v2` embeddings. Requires peer.
-- `hybrid` — both, fused via Reciprocal Rank Fusion. Requires peer.
+- `lexical` (default) - BM25 over content + symbol + path boosts. No peer needed.
+- `semantic` - cosine similarity on `Xenova/all-MiniLM-L6-v2` embeddings. Requires peer.
+- `hybrid` - both, fused via Reciprocal Rank Fusion. Requires peer.
 
-Semantic embeddings are cached at `.projscan-cache/embeddings.bin` keyed by `(model, mtime, content hash)` — invalidates automatically on file change. All offline after the first-run model download (~25MB).
+Semantic embeddings are cached at `.projscan-cache/embeddings.bin` keyed by `(model, mtime, content hash)` - invalidates automatically on file change. All offline after the first-run model download (~25MB).
 
 ### Pagination, progress, and streaming (0.8.0+)
 
@@ -475,15 +475,15 @@ Large responses can be walked incrementally:
 - **Progress notifications**: set `_meta.progressToken` on the tool-call request. The server emits `notifications/progress` at coarse milestones (scanning → analyzing → ranking → done) so your agent can display progress or cancel.
 - **Response chunking**: set `stream: true` in arguments to split large arrays into multiple `content` blocks (header + N chunks of ~20 records each).
 
-All opt-in — default behavior is unchanged.
+All opt-in - default behavior is unchanged.
 
 ### Incremental index cache
 
 projscan caches parsed ASTs at `.projscan-cache/graph.json` (auto-gitignored). First run populates it; subsequent runs re-parse only files whose `mtime` changed. Agent queries on a warm cache are milliseconds, not seconds.
 
 ### Prompts (2, parameterized with live project data)
-- `prioritize_refactoring` — ranked plan grounded in current hotspots
-- `investigate_file` — senior-engineer brief for a specific file
+- `prioritize_refactoring` - ranked plan grounded in current hotspots
+- `investigate_file` - senior-engineer brief for a specific file
 
 ### Resources (3, readable on demand)
 - `projscan://health` · `projscan://hotspots` · `projscan://structure`

package/dist/analyzers/deadCodeCheck.d.ts

@@ -6,12 +6,12 @@ import type { FileEntry, Issue } from '../types.js';
  *
  * Does NOT flag:
  * - files listed as the package's public entry points (main, exports, types, bin)
- * - default exports (too many false positives — framework conventions)
+ * - default exports (too many false positives - framework conventions)
  * - test files (they're not supposed to export)
  * - index files (barrels re-export for public use)
  *
  * False-positive guard: if a file is the target of at least one import, we treat
- * all its exports as "possibly used" — the regex-based graph can't tell which
+ * all its exports as "possibly used" - the regex-based graph can't tell which
  * named export is imported via `import { ... } from './barrel'`. This keeps
  * noise low at the cost of missing some dead exports that live in used files.
  */

package/dist/analyzers/deadCodeCheck.js

@@ -3,7 +3,7 @@ import path from 'node:path';
 import { buildImportGraph } from '../core/importGraph.js';
 import { extractExports } from '../core/fileInspector.js';
 const SOURCE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.mts', '.cts']);
-// Never flag these — they're public API by definition
+// Never flag these - they're public API by definition
 const PUBLIC_PATH_PREFIXES = ['src/index', 'index.'];
 /**
  * Flag exports that are never imported anywhere in the project. This catches:
@@ -12,12 +12,12 @@ const PUBLIC_PATH_PREFIXES = ['src/index', 'index.'];
  *
  * Does NOT flag:
  * - files listed as the package's public entry points (main, exports, types, bin)
- * - default exports (too many false positives — framework conventions)
+ * - default exports (too many false positives - framework conventions)
  * - test files (they're not supposed to export)
  * - index files (barrels re-export for public use)
  *
  * False-positive guard: if a file is the target of at least one import, we treat
- * all its exports as "possibly used" — the regex-based graph can't tell which
+ * all its exports as "possibly used" - the regex-based graph can't tell which
  * named export is imported via `import { ... } from './barrel'`. This keeps
  * noise low at the cost of missing some dead exports that live in used files.
  */
@@ -143,7 +143,7 @@ async function loadPublicEntries(rootPath) {
         collectExports(pkg.exports, entries);
     }
     catch {
-        // package.json missing/unreadable — don't guard, every file is a candidate
+        // package.json missing/unreadable - don't guard, every file is a candidate
     }
     return entries;
 }

package/dist/analyzers/unusedDependencyCheck.js

@@ -101,7 +101,7 @@ export async function check(rootPath, files) {
             continue;
         if (scriptUsedBinaries.has(name))
             continue;
-        // skip scoped bin lookups (e.g., "npx some-tool") — covered by scriptUsedBinaries
+        // skip scoped bin lookups (e.g., "npx some-tool") - covered by scriptUsedBinaries
         const isDev = name in devDependencies;
         const line = locations?.lineOfDependency.get(name);
         unused.push({

package/dist/cli/index.js

@@ -42,7 +42,7 @@ import { reportAnalysisSarif, reportHealthSarif, reportCiSarif, issuesToSarif, }
 const program = new Command();
 program
     .name('projscan')
-    .description('Instant codebase insights — doctor, x-ray, and architecture map for any repository')
+    .description('Instant codebase insights - doctor, x-ray, and architecture map for any repository')
     .version(pkg.version)
     .option('--format <type>', 'output format: console, json, markdown, sarif', 'console')
     .option('--config <path>', 'path to .projscanrc config file')
@@ -78,7 +78,7 @@ async function filterIssuesByChangedFiles(issues, rootPath, baseRef) {
     const result = await getChangedFiles(rootPath, baseRef);
     if (!result.available) {
         if (getFormat() === 'console' && !program.opts().quiet) {
-            console.error(chalk.yellow(`  [--changed-only: ${result.reason ?? 'unavailable'} — reporting all issues]`));
+            console.error(chalk.yellow(`  [--changed-only: ${result.reason ?? 'unavailable'} - reporting all issues]`));
         }
         return issues;
     }
@@ -411,7 +411,7 @@ program
 // ── Command: file ─────────────────────────────────────────
 program
     .command('file <file>')
-    .description('Drill into a file — purpose, risk, ownership, related issues')
+    .description('Drill into a file - purpose, risk, ownership, related issues')
     .action(async (filePath) => {
     setupLogLevel();
     maybeCompactBanner();
@@ -447,7 +447,7 @@ program
 // ── Command: explain ──────────────────────────────────────
 program
     .command('explain <file>')
-    .description('Explain a file — its purpose, dependencies, and exports')
+    .description('Explain a file - its purpose, dependencies, and exports')
     .action(async (filePath) => {
     setupLogLevel();
     maybeCompactBanner();
@@ -630,7 +630,7 @@ program
 // ── Command: outdated ─────────────────────────────────────
 program
     .command('outdated')
-    .description('Detect outdated dependencies (offline — compares declared vs installed)')
+    .description('Detect outdated dependencies (offline - compares declared vs installed)')
     .action(async () => {
     setupLogLevel();
     maybeCompactBanner();
@@ -702,7 +702,7 @@ program
 // ── Command: upgrade ──────────────────────────────────────
 program
     .command('upgrade <package>')
-    .description('Preview the impact of upgrading a package (offline — reads local CHANGELOG + importers)')
+    .description('Preview the impact of upgrading a package (offline - reads local CHANGELOG + importers)')
     .action(async (pkgName) => {
     setupLogLevel();
     maybeCompactBanner();
@@ -736,7 +736,7 @@ program
 // ── Command: search ───────────────────────────────────────
 program
     .command('search <query...>')
-    .description('Ranked search — BM25 by default, semantic or hybrid when @xenova/transformers peer is installed')
+    .description('Ranked search - BM25 by default, semantic or hybrid when @xenova/transformers peer is installed')
     .option('--scope <scope>', 'auto | content | symbols | files', 'auto')
     .option('--mode <mode>', 'lexical | semantic | hybrid (content/auto scope only)', 'lexical')
     .option('--semantic', 'shortcut for --mode semantic')
@@ -881,7 +881,7 @@ program
         }
         if (format === 'markdown') {
             const r = results;
-            console.log(`# Search — \`${r.query}\` (${r.scope})\n`);
+            console.log(`# Search - \`${r.query}\` (${r.scope})\n`);
             if (r.matches.length === 0) {
                 console.log('_No matches._');
                 return;
@@ -890,7 +890,7 @@ program
                 if ('symbol' in m)
                     console.log(`- \`${m.symbol}\` (${m.kind}) → \`${m.file}:${m.line}\``);
                 else if ('score' in m)
-                    console.log(`- \`${m.file}:${m.line}\` — score ${m.score} — ${m.excerpt ?? ''}`);
+                    console.log(`- \`${m.file}:${m.line}\` - score ${m.score} - ${m.excerpt ?? ''}`);
                 else
                     console.log(`- \`${m.file}\``);
             }
@@ -898,7 +898,7 @@ program
         }
         // Console
         const r = results;
-        console.log(`\n  ${chalk.bold(`Search — "${query}"`)} ${chalk.dim(`[${r.scope}]`)}`);
+        console.log(`\n  ${chalk.bold(`Search - "${query}"`)} ${chalk.dim(`[${r.scope}]`)}`);
         if (r.queryTokens)
             console.log(chalk.dim(`  tokens: ${r.queryTokens.join(', ')}`));
         console.log(chalk.dim('  ─'.repeat(20)));
@@ -932,7 +932,7 @@ program
 // ── Command: coverage ─────────────────────────────────────
 program
     .command('coverage')
-    .description('Join test coverage with hotspots — surface the scariest untested files')
+    .description('Join test coverage with hotspots - surface the scariest untested files')
     .option('--limit <n>', 'limit number of entries shown', '30')
     .action(async (cmdOpts) => {
     setupLogLevel();

package/dist/core/ast.d.ts

@@ -28,7 +28,7 @@ export declare function isParseable(filePath: string): boolean;
  * Uses @babel/parser with generous options so we accept real-world code:
  * TypeScript, JSX, decorators, top-level await, class properties, etc.
  *
- * Failures return ok:false with a reason — callers decide whether to fall
+ * Failures return ok:false with a reason - callers decide whether to fall
  * back to regex or skip the file. Never throws.
  */
 export declare function parseSource(filePath: string, content: string): AstResult;

package/dist/core/ast.js

@@ -28,7 +28,7 @@ export function isParseable(filePath) {
  * Uses @babel/parser with generous options so we accept real-world code:
  * TypeScript, JSX, decorators, top-level await, class properties, etc.
  *
- * Failures return ok:false with a reason — callers decide whether to fall
+ * Failures return ok:false with a reason - callers decide whether to fall
  * back to regex or skip the file. Never throws.
  */
 export function parseSource(filePath, content) {
@@ -67,7 +67,7 @@ export function parseSource(filePath, content) {
         visitTopLevel(node, imports, exports);
     }
     // Second pass: extract dynamic imports + call sites. Walk the whole tree
-    // (cheap — we already have the AST in memory).
+    // (cheap - we already have the AST in memory).
     walk(ast.program, (n) => {
         if (n.type === 'CallExpression') {
             const callee = n.callee;

package/dist/core/auditRunner.d.ts

@@ -6,7 +6,7 @@ export interface AuditOptions {
 /**
  * Run `npm audit --json` and normalize the output.
  *
- * npm's audit JSON format has changed between npm 6/7/8/9+ — we handle the
+ * npm's audit JSON format has changed between npm 6/7/8/9+ - we handle the
  * modern format (npm 7+) first and fall back to a friendly error otherwise.
  * Yarn/pnpm projects: we don't try to translate; we report "not available"
  * with a hint.

package/dist/core/auditRunner.js

@@ -13,7 +13,7 @@ const EMPTY_SUMMARY = {
 /**
  * Run `npm audit --json` and normalize the output.
  *
- * npm's audit JSON format has changed between npm 6/7/8/9+ — we handle the
+ * npm's audit JSON format has changed between npm 6/7/8/9+ - we handle the
  * modern format (npm 7+) first and fall back to a friendly error otherwise.
  * Yarn/pnpm projects: we don't try to translate; we report "not available"
  * with a hint.
@@ -28,12 +28,12 @@ export async function runAudit(rootPath, options = {}) {
     const hasPnpmLock = await fileExists(path.join(rootPath, 'pnpm-lock.yaml'));
     if (!hasNpmLock) {
         if (hasYarnLock) {
-            return unavailable('yarn.lock detected — run `yarn npm audit` instead');
+            return unavailable('yarn.lock detected - run `yarn npm audit` instead');
         }
         if (hasPnpmLock) {
-            return unavailable('pnpm-lock.yaml detected — run `pnpm audit` instead');
+            return unavailable('pnpm-lock.yaml detected - run `pnpm audit` instead');
         }
-        return unavailable('No package-lock.json — run `npm install` first, then retry');
+        return unavailable('No package-lock.json - run `npm install` first, then retry');
     }
     const timeoutMs = options.timeoutMs ?? 60_000;
     let stdout;
@@ -46,7 +46,7 @@ export async function runAudit(rootPath, options = {}) {
         stdout = result.stdout;
     }
     catch (err) {
-        // `npm audit` exits non-zero when vulnerabilities exist — this is normal.
+        // `npm audit` exits non-zero when vulnerabilities exist - this is normal.
         // The stdout still contains the JSON payload.
         const e = err;
         if (typeof e.stdout === 'string' && e.stdout) {
@@ -211,7 +211,7 @@ export function auditFindingsToIssues(report) {
         id: `audit-${f.name}`,
         title: f.title,
         description: f.url !== undefined
-            ? `${f.title} — ${f.url}${f.range ? ` (range: ${f.range})` : ''}`
+            ? `${f.title} - ${f.url}${f.range ? ` (range: ${f.range})` : ''}`
             : `${f.title}${f.range ? ` (range: ${f.range})` : ''}`,
         severity: severityMap[f.severity],
         category: 'security',

package/dist/core/coverageJoin.d.ts

@@ -1,6 +1,6 @@
 import type { CoverageJoinedReport, CoverageReport, HotspotReport } from '../types.js';
 /**
  * Join a hotspot report with a coverage report and rank entries by
- * "risk × uncovered fraction" — the files that most deserve tests.
+ * "risk × uncovered fraction" - the files that most deserve tests.
  */
 export declare function joinCoverageWithHotspots(hotspots: HotspotReport, coverage: CoverageReport): CoverageJoinedReport;

package/dist/core/coverageJoin.js

@@ -1,6 +1,6 @@
 /**
  * Join a hotspot report with a coverage report and rank entries by
- * "risk × uncovered fraction" — the files that most deserve tests.
+ * "risk × uncovered fraction" - the files that most deserve tests.
  */
 export function joinCoverageWithHotspots(hotspots, coverage) {
     if (!hotspots.available) {

package/dist/core/coverageParser.js

@@ -64,7 +64,7 @@ function parseByFormat(raw, source, rootPath) {
     return parseCoverageSummary(raw, rootPath);
 }
 /**
- * LCOV — record-oriented plain text:
+ * LCOV - record-oriented plain text:
  *   SF:/abs/path/to/file.ts
  *   LF:100         (lines found)
  *   LH:85          (lines hit)
@@ -104,7 +104,7 @@ function parseLcov(raw, rootPath) {
     return files;
 }
 /**
- * coverage-final.json — Istanbul per-file detail:
+ * coverage-final.json - Istanbul per-file detail:
  *   { "/abs/path/file.ts": { "path": "...", "statementMap": {...}, "s": { "0": 1, "1": 0 }, ... } }
  * We approximate line coverage from statement counts (statements is the closest
  * thing to "line" when line-level data isn't separately broken out).
@@ -132,7 +132,7 @@ function parseCoverageFinal(raw, rootPath) {
     return files;
 }
 /**
- * coverage-summary.json — Istanbul per-file summary:
+ * coverage-summary.json - Istanbul per-file summary:
  *   { "total": {...}, "/abs/path/file.ts": { "lines": { "total": 100, "covered": 85, "pct": 85.0 }, ... } }
  */
 function parseCoverageSummary(raw, rootPath) {