react-doctor 0.5.7 → 0.5.8-dev.0c19858

package/dist/lsp.js

@@ -8,7 +8,7 @@ import path from "node:path";
 import * as NodeChildProcess from "node:child_process";
 import { spawn, spawnSync } from "node:child_process";
 import * as ts from "typescript";
-import reactDoctorPlugin, { ALL_REACT_DOCTOR_RULE_KEYS, FRAMEWORK_SPECIFIC_RULE_KEYS, MOTION_LIBRARY_PACKAGES, REACT_COMPILER_RULES, REACT_DOCTOR_RULES, classifySecurityScanFile, shouldReadSecurityScanContent } from "oxlint-plugin-react-doctor";
+import reactDoctorPlugin, { ALL_REACT_DOCTOR_RULE_KEYS, CROSS_FILE_RULE_IDS, FRAMEWORK_SPECIFIC_RULE_KEYS, MOTION_LIBRARY_PACKAGES, REACT_COMPILER_RULES, REACT_DOCTOR_RULES, classifySecurityScanFile, shouldReadSecurityScanContent } from "oxlint-plugin-react-doctor";
 import { parseJSON5 } from "confbox";
 import * as NodeUrl from "node:url";
 import { fileURLToPath } from "node:url";
@@ -6021,7 +6021,7 @@ const composePassthrough = /* @__PURE__ */ dual(2, (left, right) => (input) => {
 * @since 2.0.0
 */
 const Scheduler = /* @__PURE__ */ Reference("effect/Scheduler", { defaultValue: () => new MixedScheduler() });
-const setImmediate = "setImmediate" in globalThis ? (f) => {
+const setImmediate$1 = "setImmediate" in globalThis ? (f) => {
 	const timer = globalThis.setImmediate(f);
 	return () => globalThis.clearImmediate(timer);
 } : (f) => {
@@ -6065,7 +6065,7 @@ var PriorityBuckets = class {
 var MixedScheduler = class {
 	executionMode;
 	setImmediate;
-	constructor(executionMode = "async", setImmediateFn = setImmediate) {
+	constructor(executionMode = "async", setImmediateFn = setImmediate$1) {
 		this.executionMode = executionMode;
 		this.setImmediate = setImmediateFn;
 	}
@@ -6090,7 +6090,7 @@ var MixedSchedulerDispatcher = class {
 	tasks = /* @__PURE__ */ new PriorityBuckets();
 	running = void 0;
 	setImmediate;
-	constructor(setImmediateFn = setImmediate) {
+	constructor(setImmediateFn = setImmediate$1) {
 		this.setImmediate = setImmediateFn;
 	}
 	/**
@@ -7224,7 +7224,7 @@ const provideContext$1 = /* @__PURE__ */ dual(2, (self, context) => {
 	return updateContext$1(self, merge$3(context));
 });
 /** @internal */
-const provideService$1 = function() {
+const provideService$3 = function() {
 	if (arguments.length === 1) return dual(2, (self, impl) => provideServiceImpl(self, arguments[0], impl));
 	return dual(3, (self, service, impl) => provideServiceImpl(self, service, impl)).apply(this, arguments);
 };
@@ -7445,7 +7445,7 @@ const constScopeEmpty = { _tag: "Empty" };
 /** @internal */
 const scope = scopeTag;
 /** @internal */
-const provideScope = /* @__PURE__ */ provideService$1(scopeTag);
+const provideScope = /* @__PURE__ */ provideService$3(scopeTag);
 /** @internal */
 const scoped$1 = (self) => withFiber$1((fiber) => {
 	const prev = fiber.context;
@@ -7888,7 +7888,7 @@ const makeLatchUnsafe = (open) => new Latch(open ?? false);
 /** @internal */
 const makeLatch = (open) => sync$2(() => makeLatchUnsafe(open));
 /** @internal */
-const withTracerEnabled$1 = /* @__PURE__ */ provideService$1(TracerEnabled);
+const withTracerEnabled$1 = /* @__PURE__ */ provideService$3(TracerEnabled);
 const bigint0 = /* @__PURE__ */ BigInt(0);
 const NoopSpanProto = {
 	_tag: "Span",
@@ -7969,7 +7969,7 @@ const useSpan$1 = (name, ...args) => {
 		}));
 	});
 };
-const provideParentSpan = /* @__PURE__ */ provideService$1(ParentSpan);
+const provideParentSpan = /* @__PURE__ */ provideService$3(ParentSpan);
 /** @internal */
 const withParentSpan$1 = function() {
 	const dataFirst = isEffect$1(arguments[0]);
@@ -9536,7 +9536,7 @@ var CurrentMemoMap = class extends Service()("effect/Layer/CurrentMemoMap") {
 * @category memo map
 * @since 2.0.0
 */
-const buildWithMemoMap = /* @__PURE__ */ dual(3, (self, memoMap, scope) => provideService$1(map$4(self.build(memoMap, scope), add(CurrentMemoMap, memoMap)), CurrentMemoMap, memoMap));
+const buildWithMemoMap = /* @__PURE__ */ dual(3, (self, memoMap, scope) => provideService$3(map$4(self.build(memoMap, scope), add(CurrentMemoMap, memoMap)), CurrentMemoMap, memoMap));
 /**
 * Builds a layer into an `Effect` value. Any resources associated with this
 * layer will be released when the specified scope is closed unless their scope
@@ -10889,7 +10889,7 @@ const provide$1 = /* @__PURE__ */ dual((args) => isEffect$1(args[0]), (self, sou
 /** @internal */
 const repeatOrElse = /* @__PURE__ */ dual(3, (self, schedule, orElse) => flatMap$4(toStepWithMetadata(schedule), (step) => {
 	let meta = CurrentMetadata.defaultValue();
-	return catch_$2(forever$2(tap$2(flatMap$4(suspend$3(() => provideService$1(self, CurrentMetadata, meta)), step), (meta_) => sync$2(() => {
+	return catch_$2(forever$2(tap$2(flatMap$4(suspend$3(() => provideService$3(self, CurrentMetadata, meta)), step), (meta_) => sync$2(() => {
 		meta = meta_;
 	})), { disableYield: true }), (error) => isDone$2(error) ? succeed$5(error.value) : orElse(error, meta.attempt === 0 ? none() : some(meta)));
 }));
@@ -10897,7 +10897,7 @@ const repeatOrElse = /* @__PURE__ */ dual(3, (self, schedule, orElse) => flatMap
 const retryOrElse = /* @__PURE__ */ dual(3, (self, policy, orElse) => flatMap$4(toStepWithMetadata(policy), (step) => {
 	let meta = CurrentMetadata.defaultValue();
 	let lastError;
-	const loop = catch_$2(suspend$3(() => provideService$1(self, CurrentMetadata, meta)), (error) => {
+	const loop = catch_$2(suspend$3(() => provideService$3(self, CurrentMetadata, meta)), (error) => {
 		lastError = error;
 		return flatMap$4(step(error), (meta_) => {
 			meta = meta_;
@@ -12977,7 +12977,7 @@ const updateContext = updateContext$1;
 * @category Context
 * @since 2.0.0
 */
-const provideService = provideService$1;
+const provideService$2 = provideService$3;
 /**
 * Scopes all resources used in this workflow to the lifetime of the workflow,
 * ensuring that their finalizers are run as soon as this workflow completes
@@ -18019,6 +18019,20 @@ function decodeUnknownOption$1(schema, options) {
 	return asOption(decodeUnknownEffect(schema, options));
 }
 /**
+* Creates a synchronous decoder for `unknown` input.
+*
+* **Details**
+*
+* The returned function returns the decoded `Type` on success and throws an
+* `Error` with the `SchemaIssue.Issue` in its `cause` on decoding failure.
+*
+* @category decoding
+* @since 3.10.0
+*/
+function decodeUnknownSync$1(schema, options) {
+	return asSync(decodeUnknownEffect(schema, options));
+}
+/**
 * Creates an effectful encoder for `unknown` input.
 *
 * **Details**
@@ -18320,6 +18334,40 @@ function isSchemaError(u) {
 */
 const decodeUnknownOption = decodeUnknownOption$1;
 /**
+* Decodes an `unknown` input against a schema synchronously, returning the
+* decoded value or throwing an `Error` whose cause contains the schema issue.
+* Use this when you want to validate data at a boundary and treat a schema
+* mismatch as an exception. For typed input use `decodeSync`.
+*
+* **Details**
+*
+* Only service-free schemas can be decoded synchronously. For non-throwing
+* alternatives see `decodeUnknownOption`, `decodeUnknownExit`, or
+* `decodeUnknownEffect`. Options may be provided either when creating the
+* decoder or when applying it; application options override creation options.
+*
+* **Example** (Decoding with a transformation schema)
+*
+* ```ts
+* import { Schema } from "effect"
+*
+* const NumberFromString = Schema.NumberFromString
+*
+* console.log(Schema.decodeUnknownSync(NumberFromString)("42"))
+* // Output: 42
+*
+* Schema.decodeUnknownSync(NumberFromString)("not a number")
+* // throws SchemaError: NumberFromString
+* //   └─ Encoded side transformation failure
+* //      └─ NumberFromString
+* //         └─ Expected a numeric string, actual "not a number"
+* ```
+*
+* @category decoding
+* @since 4.0.0
+*/
+const decodeUnknownSync = decodeUnknownSync$1;
+/**
 * Encodes an `unknown` input against a schema synchronously, throwing a
 * {@link SchemaError} on failure. Use this when you want to serialize data at a
 * boundary and treat a schema mismatch as an unrecoverable error. For
@@ -25206,6 +25254,14 @@ const runWith = (self, f, onHalt) => suspend$2(() => {
 	return catchDone(flatMap$2(toTransform(self)(done$1(), scope), f), onHalt ? onHalt : succeed$2).pipe(onExit$1((exit) => close(scope, exit)));
 });
 /**
+* Provides a concrete service for a context key, removing that service
+* requirement from the returned channel.
+*
+* @category services
+* @since 2.0.0
+*/
+const provideService$1 = /* @__PURE__ */ dual(3, (self, key, service) => fromTransform$1((upstream, scope) => map$3(provideService$2(toTransform(self)(upstream, scope), key, service), provideService$2(key, service))));
+/**
 * Runs a channel and applies an effect to each output element.
 *
 * **Example** (Running effects for each output)
@@ -26594,6 +26650,44 @@ const splitLines = (self) => self.channel.pipe(pipeTo(splitLines$1()), fromChann
 */
 const ensuring = /* @__PURE__ */ dual(2, (self, finalizer) => fromChannel(ensuring$1(self.channel, finalizer)));
 /**
+* Provides the stream with a single required service, eliminating that
+* requirement from its environment.
+*
+* **Example** (Providing a stream service)
+*
+* ```ts
+* import { Console, Context, Effect, Stream } from "effect"
+*
+* class Greeter extends Context.Service<Greeter, {
+*   greet: (name: string) => string
+* }>()("Greeter") {}
+*
+* const stream = Stream.fromEffect(
+*   Effect.service(Greeter).pipe(
+*     Effect.map((greeter) => greeter.greet("Ada"))
+*   )
+* )
+*
+* const program = Effect.gen(function*() {
+*   const collected = yield* Stream.runCollect(
+*     stream.pipe(
+*       Stream.provideService(Greeter, {
+*         greet: (name) => `Hello, ${name}`
+*       })
+*     )
+*   )
+*   yield* Console.log(collected)
+* })
+*
+* Effect.runPromise(program)
+* //=> ["Hello, Ada"]
+* ```
+*
+* @category services
+* @since 2.0.0
+*/
+const provideService = /* @__PURE__ */ dual(3, (self, key, service) => fromChannel(provideService$1(self.channel, key, service)));
+/**
 * Runs a stream with a sink and returns the sink result.
 *
 * **Example** (Running a stream with a sink)
@@ -30023,7 +30117,7 @@ const make$8 = /* @__PURE__ */ fnUntraced(function* (options) {
 	const runFork = runForkWith(services);
 	const exportInterval = max(fromInputUnsafe(options.exportInterval), zero);
 	let disabledUntil = void 0;
-	const client = filterStatusOk(get$4(services, HttpClient)).pipe(transformResponse(provideService(TracerPropagationEnabled, false)), retryTransient({
+	const client = filterStatusOk(get$4(services, HttpClient)).pipe(transformResponse(provideService$2(TracerPropagationEnabled, false)), retryTransient({
 		schedule: policy,
 		times: 3
 	}));
@@ -32753,15 +32847,24 @@ const isMinifiedSource = (absolutePath) => {
 		if (fileDescriptor !== void 0) NFS.closeSync(fileDescriptor);
 	}
 };
-const isLargeMinifiedFile = (absolutePath) => {
-	let sizeBytes;
+const cachedIsLargeMinifiedByPath = /* @__PURE__ */ new Map();
+const clearMinifiedFileCache = () => {
+	cachedIsLargeMinifiedByPath.clear();
+};
+const statSourceFileSize = (absolutePath) => {
 	try {
-		sizeBytes = NFS.statSync(absolutePath).size;
+		return NFS.statSync(absolutePath).size;
 	} catch {
-		return false;
+		return null;
 	}
-	if (sizeBytes < 2e4) return false;
-	return isMinifiedSource(absolutePath);
+};
+const isLargeMinifiedFile = (absolutePath, knownSizeBytes) => {
+	const cached = cachedIsLargeMinifiedByPath.get(absolutePath);
+	if (cached !== void 0) return cached;
+	const sizeBytes = knownSizeBytes === void 0 ? statSourceFileSize(absolutePath) : knownSizeBytes;
+	const result = sizeBytes !== null && sizeBytes >= 2e4 && isMinifiedSource(absolutePath);
+	cachedIsLargeMinifiedByPath.set(absolutePath, result);
+	return result;
 };
 const isErrnoException = (error) => error instanceof Error && "code" in error;
 const IGNORABLE_READDIR_ERROR_CODES = new Set([
@@ -33627,6 +33730,8 @@ const MILLISECONDS_PER_SECOND = 1e3;
 const SCORE_API_URL = "https://www.react.doctor/api/score";
 const FETCH_TIMEOUT_MS = 1e4;
 const GITHUB_VIEWER_PERMISSION_TIMEOUT_MS = 2e3;
+const SPAWN_ARGS_MAX_LENGTH_CHARS = 24e3;
+const PER_WORKER_MEM_BUDGET_BYTES = 1024 * 1024 * 1024;
 const DEFAULT_BRANCH_CANDIDATES = ["main", "master"];
 const ADOPTABLE_LINT_CONFIG_FILENAMES = [".oxlintrc.json", ".eslintrc.json"];
 const GIT_SHOW_MAX_BUFFER_BYTES = 10 * 1024 * 1024;
@@ -33699,7 +33804,17 @@ const CONFIG_FINGERPRINT_FILENAMES = [
 ];
 const OXLINT_OUTPUT_MAX_BYTES = 50 * 1024 * 1024;
 const OXLINT_SPAWN_TIMEOUT_MS = 6e4;
+const NODE_COMPILE_CACHE_DIR_NAME = "node-compile-cache";
+const DEAD_CODE_WORKER_TIMEOUT_MS = 12e4;
+const OXLINT_SPLIT_TOTAL_BUDGET_MS = 18e4;
+const DEAD_CODE_PHASE_TIMEOUT_MS = 15e4;
+const LINT_PHASE_TIMEOUT_MS = 3e5;
+const SCAN_TOTAL_DEADLINE_MS = 9e5;
 const DEAD_CODE_WORKER_MAX_OLD_SPACE_MB = 8192;
+const DEAD_CODE_WORKER_MEM_BUDGET_BYTES = 2 * 1024 * 1024 * 1024;
+const DEAD_CODE_TIMEOUT_CEILING_MS = 6e5;
+const DEAD_CODE_PHASE_TIMEOUT_OVER_WORKER_MS = 3e4;
+const DEAD_CODE_OVERLAP_PARSE_SHARE = .4;
 const RECOMMENDED_PNPM_MINIMUM_RELEASE_AGE_MINUTES = 10080;
 const REACT_SERVER_DOM_PACKAGES = [
 	"react-server-dom-webpack",
@@ -33734,9 +33849,13 @@ const CONFIG_CACHE_TTL_MS = 300 * 1e3;
 const SOCKET_FREE_PURL_API_BASE = "https://firewall-api.socket.dev/purl";
 const SOCKET_PACKAGE_PAGE_BASE = "https://socket.dev/npm/package";
 const SOCKET_FREE_USER_AGENT = "react-doctor-supply-chain";
+const FILE_LINT_CACHE_FILENAME = "file-lint-cache.json";
+const FILE_LINT_CACHE_MAX_FILE_COUNT = 5e4;
 const SUPPLY_CHAIN_PLUGIN = "socket";
 const SUPPLY_CHAIN_RULE = "low-supply-chain-score";
 const SUPPLY_CHAIN_CATEGORY = "Security";
+const SUPPLY_CHAIN_OVERLAP_TIMEOUT_MS = 9e4;
+const SUPPLY_CHAIN_CACHE_SUBDIR = "supply-chain";
 const SUPPLY_CHAIN_IGNORED_PACKAGES = new Set(["next"]);
 const TSCONFIG_FILENAME = "tsconfig.json";
 const isRelativeExtendsValue = (extendsValue) => extendsValue.startsWith("./") || extendsValue.startsWith("../") || Path.isAbsolute(extendsValue);
@@ -34429,7 +34548,10 @@ for (const [legacyRuleKey, nativeRuleKey] of Object.entries(LEGACY_RULE_KEY_TO_N
 	NATIVE_RULE_KEY_TO_LEGACY_RULE_KEYS.set(nativeRuleKey, aliases);
 }
 const getLegacyRuleKeysForNative = (ruleKey) => NATIVE_RULE_KEY_TO_LEGACY_RULE_KEYS.get(ruleKey) ?? [];
-const canonicalizeRuleKey = (ruleKey) => LEGACY_RULE_KEY_TO_NATIVE_RULE_KEY[ruleKey] ?? ruleKey;
+const canonicalizeRuleKey = (ruleKey) => {
+	const nativeRuleKey = LEGACY_RULE_KEY_TO_NATIVE_RULE_KEY[ruleKey];
+	return typeof nativeRuleKey === "string" ? nativeRuleKey : ruleKey;
+};
 const isReactDoctorShortIdOf = (bareRuleKey, qualifiedRuleKey) => !bareRuleKey.includes("/") && qualifiedRuleKey === `react-doctor/${bareRuleKey}`;
 const isSameRuleKey = (candidateRuleKey, targetRuleKey) => {
 	const canonicalCandidate = canonicalizeRuleKey(candidateRuleKey);
@@ -35091,6 +35213,11 @@ var OxlintBatchExceeded = class extends TaggedErrorClass()("OxlintBatchExceeded"
 		}
 	}
 };
+var ScanDeadlineExceeded = class extends TaggedErrorClass()("ScanDeadlineExceeded", { detail: String$1 }) {
+	get message() {
+		return `Scan exceeded its overall time budget: ${this.detail}`;
+	}
+};
 var OxlintSpawnFailed = class extends TaggedErrorClass()("OxlintSpawnFailed", { cause: Unknown }) {
 	get message() {
 		return `Failed to run oxlint: ${pretty(fail$6(this.cause))}`;
@@ -35154,6 +35281,7 @@ var GitBaseBranchInvalid = class extends TaggedErrorClass()("GitBaseBranchInvali
 const ReactDoctorErrorReason = Union([
 	OxlintUnavailable,
 	OxlintBatchExceeded,
+	ScanDeadlineExceeded,
 	OxlintSpawnFailed,
 	OxlintOutputUnparseable,
 	ConfigParseFailed,
@@ -35204,15 +35332,105 @@ const layerOtlp = unwrap$3(gen(function* () {
 	}).pipe(provide$2(layer$8));
 }).pipe(orDie));
 /**
-* Resolves a requested lint worker count to a clamped integer within
-* `[MIN_SCAN_CONCURRENCY, MAX_SCAN_CONCURRENCY]`. `"auto"` uses the
-* machine's CPU cores; out-of-range or non-finite requests degrade to
+* Read a positive-millisecond timeout from an env var, falling back to
+* `defaultMs` when the var is unset, non-finite, or not strictly positive.
+*/
+const readPositiveEnvMs = (envVarName, defaultMs) => {
+	const rawValue = process.env[envVarName];
+	if (rawValue === void 0) return defaultMs;
+	const parsedValue = Number(rawValue);
+	if (!Number.isFinite(parsedValue) || parsedValue <= 0) return defaultMs;
+	return parsedValue;
+};
+const CGROUP_V2_MEMORY_MAX_PATH = "/sys/fs/cgroup/memory.max";
+const CGROUP_V1_MEMORY_LIMIT_PATH = "/sys/fs/cgroup/memory/memory.limit_in_bytes";
+const CGROUP_UNLIMITED_SENTINEL_BYTES = Number.MAX_SAFE_INTEGER;
+/**
+* Parses one raw cgroup memory-limit file value into a positive byte count, or
+* `undefined` when it represents "no limit" (the v2 `"max"` literal, an empty
+* read, a non-positive / non-finite value, or v1's near-2^63 unlimited
+* sentinel). Pure and exported so the classification is unit-testable without
+* touching the filesystem.
+*/
+const parseCgroupMemoryLimitBytes = (raw) => {
+	if (raw === void 0) return void 0;
+	const trimmed = raw.trim();
+	if (trimmed === "" || trimmed === "max") return void 0;
+	const parsed = Number(trimmed);
+	if (!Number.isFinite(parsed) || parsed <= 0 || parsed >= CGROUP_UNLIMITED_SENTINEL_BYTES) return;
+	return parsed;
+};
+const CGROUP_MEMORY_LIMIT_PATHS = [CGROUP_V2_MEMORY_MAX_PATH, CGROUP_V1_MEMORY_LIMIT_PATH];
+/**
+* Reads this process's cgroup memory limit in bytes from the first candidate
+* path that yields a real limit, or `undefined` when none does — no cgroup, no
+* limit, or the files are unreadable (e.g. macOS / Windows dev machines).
+* `os.totalmem()` reports the HOST total and ignores cgroup memory limits, so a
+* memory-constrained container over-reports total memory; `resolveAutoScan-
+* Concurrency` takes `min(totalmem, this)` to honor the limit.
+*
+* The cgroup v2 read is the mount-root `memory.max`, which IS the container's
+* limit under the standard cgroup-namespace setup CI runners use (the
+* container's own cgroup is the root of its namespaced view). A process in a
+* non-namespaced nested/delegated cgroup whose root reads `"max"` is not
+* detected here and falls back to the host total; the EAGAIN/ENOMEM serial
+* replay in `spawnLintBatches` remains the runtime backstop for that case.
+*
+* `candidatePaths` is injectable so tests exercise the v2-wins-over-v1
+* precedence, the skip-unreadable fallback, and the all-missing case without a
+* real `/sys/fs/cgroup`.
+*/
+const readCgroupMemoryLimitBytes = (candidatePaths = CGROUP_MEMORY_LIMIT_PATHS) => {
+	for (const limitPath of candidatePaths) {
+		let raw;
+		try {
+			raw = fs.readFileSync(limitPath, "utf8");
+		} catch {
+			continue;
+		}
+		const limitBytes = parseCgroupMemoryLimitBytes(raw);
+		if (limitBytes !== void 0) return limitBytes;
+	}
+};
+/**
+* Clamps a requested lint worker count to `[MIN_SCAN_CONCURRENCY,
+* HARD_MAX_SCAN_CONCURRENCY]` as a finite integer. This is the explicit-pin and
+* spawn-boundary clamp — the memory-and-core-budgeted auto count comes from
+* `resolveAutoScanConcurrency`. Out-of-range or non-finite requests degrade to
 * `MIN_SCAN_CONCURRENCY` rather than oversubscribing or running zero workers.
 */
 const resolveScanConcurrency = (requested) => {
-	const desired = requested === "auto" ? os.availableParallelism() : requested;
-	if (!Number.isFinite(desired) || desired < 1) return 1;
-	return Math.max(1, Math.min(Math.floor(desired), 16));
+	if (!Number.isFinite(requested) || requested < 1) return 1;
+	return Math.min(Math.floor(requested), 32);
+};
+const readSystemFacts$1 = () => ({
+	availableCores: os.availableParallelism(),
+	totalMemoryBytes: os.totalmem(),
+	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
+});
+/**
+* Auto lint-worker count: the smaller of the (cgroup-CPU-aware) core count and
+* the number of `PER_WORKER_MEM_BUDGET_BYTES` workers that fit in available
+* memory, then clamped to `[MIN, HARD_MAX]` by `resolveScanConcurrency`.
+*
+* `os.availableParallelism()` already respects cgroup CPU quotas, so the core
+* term needs no help. Available memory is `os.totalmem()` floored by the cgroup
+* memory limit — `os.freemem()` is deliberately NOT used: it excludes
+* reclaimable page cache and reads near-zero on macOS / cache-heavy Linux, which
+* would collapse the auto path to a single worker. `os.totalmem()` reports the
+* host total even inside a container, so the cgroup limit (read directly,
+* because Node doesn't fold it into `totalmem()`) is the real ceiling there.
+*
+* `facts` is injectable so tests exercise core-bound, memory-bound, cgroup-
+* limited, and ceiling cases without mocking `os` or the filesystem.
+*/
+const resolveAutoScanConcurrency = (facts = readSystemFacts$1()) => {
+	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
+	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / PER_WORKER_MEM_BUDGET_BYTES);
+	return resolveScanConcurrency(Math.min(facts.availableCores, memoryBoundedWorkers));
+};
+const resolveLintBatchOrdering = () => {
+	return process.env["REACT_DOCTOR_LINT_BATCH_ORDERING"]?.trim().toLowerCase() === "cost" ? "cost" : "arrival";
 };
 /**
 * Per-batch oxlint wall-clock budget. Reads from the env var on
@@ -35220,11 +35438,38 @@ const resolveScanConcurrency = (requested) => {
 * microVMs without recompiling react-doctor. Tests override via
 * `Layer.succeed(OxlintSpawnTimeoutMs, ...)`.
 */
-var OxlintSpawnTimeoutMs = class extends Reference("react-doctor/OxlintSpawnTimeoutMs", { defaultValue: () => {
-	const raw = process.env["REACT_DOCTOR_OXLINT_SPAWN_TIMEOUT_MS"];
-	if (raw === void 0) return OXLINT_SPAWN_TIMEOUT_MS;
+var OxlintSpawnTimeoutMs = class extends Reference("react-doctor/OxlintSpawnTimeoutMs", { defaultValue: () => readPositiveEnvMs("REACT_DOCTOR_OXLINT_SPAWN_TIMEOUT_MS", OXLINT_SPAWN_TIMEOUT_MS) }) {};
+/**
+* Effect-side cap on the lint phase. The env var lets CI / eval runners
+* raise the phase budget for slow large repos without recompiling.
+* Tests override via `Layer.succeed(LintPhaseTimeoutMs, ...)`.
+*/
+var LintPhaseTimeoutMs = class extends Reference("react-doctor/LintPhaseTimeoutMs", { defaultValue: () => readPositiveEnvMs("REACT_DOCTOR_LINT_PHASE_TIMEOUT_MS", LINT_PHASE_TIMEOUT_MS) }) {};
+/**
+* Effect-side cap on the dead-code phase, sitting above the in-worker
+* timeout as a runtime-independent backstop. The env var raises it for
+* type-heavy projects; tests override via
+* `Layer.succeed(DeadCodePhaseTimeoutMs, ...)`.
+*/
+var DeadCodePhaseTimeoutMs = class extends Reference("react-doctor/DeadCodePhaseTimeoutMs", { defaultValue: () => readPositiveEnvMs("REACT_DOCTOR_DEAD_CODE_PHASE_TIMEOUT_MS", DEAD_CODE_PHASE_TIMEOUT_MS) }) {};
+/**
+* Overall scan deadline backstop, bounding everything the per-phase
+* timeouts don't (wedged git / IO). The env var raises it for very
+* large repos; tests override via `Layer.succeed(ScanDeadlineMs, ...)`.
+*/
+var ScanDeadlineMs = class extends Reference("react-doctor/ScanDeadlineMs", { defaultValue: () => readPositiveEnvMs("REACT_DOCTOR_SCAN_DEADLINE_MS", SCAN_TOTAL_DEADLINE_MS) }) {};
+/**
+* Wall-clock budget for the supply-chain check when it runs on a background
+* fiber overlapping the lint pass. Reads from the env var on startup so the
+* eval harness can raise the budget under sandbox microVMs (slower network)
+* without recompiling react-doctor. Tests override via
+* `Layer.succeed(SupplyChainOverlapTimeoutMs, ...)`.
+*/
+var SupplyChainOverlapTimeoutMs = class extends Reference("react-doctor/SupplyChainOverlapTimeoutMs", { defaultValue: () => {
+	const raw = process.env["REACT_DOCTOR_SUPPLY_CHAIN_TIMEOUT_MS"];
+	if (raw === void 0) return SUPPLY_CHAIN_OVERLAP_TIMEOUT_MS;
 	const parsed = Number(raw);
-	if (!Number.isFinite(parsed) || parsed <= 0) return OXLINT_SPAWN_TIMEOUT_MS;
+	if (!Number.isFinite(parsed) || parsed <= 0) return SUPPLY_CHAIN_OVERLAP_TIMEOUT_MS;
 	return parsed;
 } }) {};
 /**
@@ -35235,31 +35480,93 @@ var OxlintSpawnTimeoutMs = class extends Reference("react-doctor/OxlintSpawnTime
 */
 var OxlintOutputMaxBytes = class extends Reference("react-doctor/OxlintOutputMaxBytes", { defaultValue: () => OXLINT_OUTPUT_MAX_BYTES }) {};
 /**
-* Number of oxlint subprocesses the lint pass runs in parallel. Defaults
-* to auto-detected CPU cores (parallel) so large repos scan fast out of
-* the box; `spawnLintBatches` transparently falls back to a single worker
-* if a parallel run exhausts system resources. The CLI's `--no-parallel`
-* flag forces serial via `Layer.succeed`; the `REACT_DOCTOR_PARALLEL` env
-* var seeds the default for programmatic / CI callers that never touch the
-* flag — parallelism is opt-OUT, so only the explicit serial values pin
-* one worker:
-*
-*   - unset / `auto` / `true` / `on`  → available CPU cores (clamped)
+* Number of oxlint subprocesses the lint pass runs in parallel. Defaults to a
+* memory-and-core-budgeted auto count (`resolveAutoScanConcurrency`) so large
+* repos scan fast out of the box without OOMing the native binding on a
+* high-core / low-memory box; `spawnLintBatches` transparently falls back to a
+* single worker if a parallel run still exhausts system resources. The CLI's
+* `--no-parallel` flag forces serial via `Layer.succeed`; the
+* `REACT_DOCTOR_PARALLEL` env var seeds the default for programmatic / CI
+* callers that never touch the flag — parallelism is opt-OUT, so only the
+* explicit serial values pin one worker:
+*
+*   - unset / `auto` / `true` / `on`  → memory-and-core-budgeted auto count
 *   - `0` / `false` / `off`           → `1` (serial)
 *   - a positive integer              → that many workers (clamped)
-*   - any other value                 → available CPU cores (clamped)
+*   - any other value                 → memory-and-core-budgeted auto count
 *
 * The resolved value is always within
-* `[MIN_SCAN_CONCURRENCY, MAX_SCAN_CONCURRENCY]`.
+* `[MIN_SCAN_CONCURRENCY, HARD_MAX_SCAN_CONCURRENCY]`.
 */
 var OxlintConcurrency = class extends Reference("react-doctor/OxlintConcurrency", { defaultValue: () => {
 	const raw = process.env["REACT_DOCTOR_PARALLEL"];
-	if (raw === void 0) return resolveScanConcurrency("auto");
+	if (raw === void 0) return resolveAutoScanConcurrency();
 	const normalized = raw.trim().toLowerCase();
 	if (normalized === "0" || normalized === "false" || normalized === "off") return 1;
 	const parsed = Number.parseInt(normalized, 10);
 	if (Number.isInteger(parsed) && parsed > 0) return resolveScanConcurrency(parsed);
-	return resolveScanConcurrency("auto");
+	return resolveAutoScanConcurrency();
+} }) {};
+/**
+* Three-state control for overlapping the dead-code pass with the lint pass —
+* forking dead-code as a child fiber that runs DURING lint instead of strictly
+* after it.
+*
+*   - `"auto"` (default) / `"off"` → strictly SEQUENTIAL: dead-code runs after
+*     lint with the full core budget. Both deslop's parse pool and the oxlint
+*     pool are CPU-bound and each size themselves to all cores, so overlapping
+*     them only oversubscribes (~2x the cores) and starves the parse pass past
+*     its timeout — for no wall-clock win, since there are no spare cores to
+*     absorb the second pass. Sequential is both faster per-phase and safe.
+*   - `"on"` → force the overlap anyway. The orchestrator then SPLITS the core
+*     budget (`DEAD_CODE_OVERLAP_PARSE_SHARE`): deslop's parse pool is capped
+*     and lint shrinks to the remainder, so the two sum to the cores instead of
+*     doubling them, and the dead-code timeout scales up for the reduced share.
+*
+* Seeded from `REACT_DOCTOR_DEAD_CODE_OVERLAP` so operators get a redeploy-free
+* switch; tests pin it via `Layer.succeed(DeadCodeOverlap, ...)`.
+*/
+var DeadCodeOverlap = class extends Reference("react-doctor/DeadCodeOverlap", { defaultValue: () => {
+	const raw = process.env["REACT_DOCTOR_DEAD_CODE_OVERLAP"]?.trim().toLowerCase();
+	if (raw === "on" || raw === "true" || raw === "1") return "on";
+	if (raw === "off" || raw === "false" || raw === "0") return "off";
+	return "auto";
+} }) {};
+/**
+* How the full-scan lint pass orders its file batches. `"arrival"` (the
+* default) keeps `git ls-files` discovery order. `"cost"` opts into LPT (feed
+* the largest files first); set `REACT_DOCTOR_LINT_BATCH_ORDERING=cost`. NOTE:
+* `cost` is OFF by default because the current sort-desc-then-chunk-100 packs
+* the heaviest files into one wave-1 batch — on size-skewed repos that mega-
+* batch is a straggler (and can trip the per-batch timeout + split), measurably
+* regressing the common full-scan case. LPT needs the heavy files SPREAD across
+* batches before `cost` earns the default. Tests override via
+* `Layer.succeed(LintBatchOrdering, ...)`. Diff / staged scans never reach this
+* — they pass user-scoped `includePaths` that skip discovery and stay in
+* arrival order; only the full-scan branch reads it.
+*/
+var LintBatchOrdering = class extends Reference("react-doctor/LintBatchOrdering", { defaultValue: resolveLintBatchOrdering }) {};
+const CACHE_DISABLED_VALUES = new Set(["1", "true"]);
+/**
+* Whether the per-file lint cache (`runners/oxlint/file-lint-cache.ts`) is
+* active. Defaults ON — repeat scans re-lint only the files whose content
+* changed, and correctness is guaranteed byte-identical to a cold scan by the
+* always-fresh cross-file sidecar. Opt-OUT, two knobs (matching the whole-repo
+* scan cache's `REACT_DOCTOR_NO_CACHE`):
+*
+*   - `REACT_DOCTOR_NO_CACHE` — the global off-switch; disables BOTH the
+*     whole-repo scan cache and this per-file cache.
+*   - `REACT_DOCTOR_NO_FILE_CACHE` — granular: bust only the per-file cache
+*     while keeping the whole-repo short-circuit.
+*
+* Tests override via `Layer.succeed(PerFileLintCacheEnabled, false)`.
+*/
+var PerFileLintCacheEnabled = class extends Reference("react-doctor/PerFileLintCacheEnabled", { defaultValue: () => {
+	const noCache = process.env["REACT_DOCTOR_NO_CACHE"]?.toLowerCase() ?? "";
+	const noFileCache = process.env["REACT_DOCTOR_NO_FILE_CACHE"]?.toLowerCase() ?? "";
+	if (CACHE_DISABLED_VALUES.has(noCache)) return false;
+	if (CACHE_DISABLED_VALUES.has(noFileCache)) return false;
+	return true;
 } }) {};
 const DIAGNOSTIC_SURFACES = [
 	"cli",
@@ -35308,6 +35615,12 @@ const BOOLEAN_FIELD_NAMES = [
 	"adoptExistingLintConfig"
 ];
 const STRING_FIELD_NAMES = ["rootDir"];
+const STRING_ARRAY_FIELD_NAMES = [
+	"projects",
+	"textComponents",
+	"rawTextWrapperComponents",
+	"serverAuthFunctionNames"
+];
 const SURFACE_CONTROL_FIELD_NAMES = [
 	"includeTags",
 	"excludeTags",
@@ -35409,6 +35722,7 @@ const validateConfigTypes = (config) => {
 	const validated = { ...config };
 	for (const fieldName of BOOLEAN_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => coerceMaybeBooleanString(fieldName, value));
 	for (const fieldName of STRING_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => validateString(fieldName, value));
+	for (const fieldName of STRING_ARRAY_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => validateStringArrayField(fieldName, value));
 	applyFieldValidator(config, validated, "surfaces", validateSurfacesField);
 	for (const fieldName of SEVERITY_FIELD_NAMES) applyFieldValidator(config, validated, fieldName, (value) => validateSeverityMap(fieldName, value, fieldName === "categories"));
 	applyFieldValidator(config, validated, "plugins", (value) => validateStringArrayField("plugins", value));
@@ -35617,6 +35931,8 @@ const assignFixGroups = (diagnostics) => {
 		};
 	});
 };
+const compareStrings = (left, right) => left < right ? -1 : left > right ? 1 : 0;
+const sortDiagnosticsStable = (diagnostics) => [...diagnostics].sort((left, right) => compareStrings(left.filePath, right.filePath) || left.line - right.line || left.column - right.column || compareStrings(left.plugin, right.plugin) || compareStrings(left.rule, right.rule) || compareStrings(left.severity, right.severity) || compareStrings(left.message, right.message));
 const getDirectDependencyNames = (packageJson) => new Set([...Object.keys(packageJson.dependencies ?? {}), ...Object.keys(packageJson.devDependencies ?? {})]);
 const buildExpoCheckContext = (rootDirectory, expoVersion) => {
 	const packageJson = readPackageJson(Path.join(rootDirectory, "package.json"));
@@ -36123,10 +36439,15 @@ const buildHardeningDiagnostic = (input) => ({
 	column: input.column ?? 0,
 	category: "Security"
 });
-const checkPnpmHardening = (rootDirectory) => {
-	if (!isPnpmManagedProject(rootDirectory)) return [];
-	const workspacePath = Path.join(rootDirectory, PNPM_WORKSPACE_FILE);
-	const settings = parseHardeningSettings(isFile(workspacePath) ? NFS.readFileSync(workspacePath, "utf-8") : "");
+const checkPnpmHardening = (scanDirectory) => {
+	if (!isPnpmManagedProject(scanDirectory)) return [];
+	const workspacePath = Path.join(scanDirectory, PNPM_WORKSPACE_FILE);
+	const hasWorkspaceFile = isFile(workspacePath);
+	if (!hasWorkspaceFile) {
+		const monorepoRoot = findMonorepoRoot(scanDirectory);
+		if (monorepoRoot !== null && isFile(Path.join(monorepoRoot, PNPM_WORKSPACE_FILE))) return [];
+	}
+	const settings = parseHardeningSettings(hasWorkspaceFile ? NFS.readFileSync(workspacePath, "utf-8") : "");
 	const diagnostics = [];
 	if (settings.minimumReleaseAge === null) diagnostics.push(buildHardeningDiagnostic({
 		message: "pnpm-workspace.yaml is missing `minimumReleaseAge` — newly published versions can ship malware that gets caught and unpublished within hours",
@@ -36588,7 +36909,10 @@ const shouldEnableRule = (requires, tags, capabilities, ignoredTags, disabledBy)
 	}
 	return true;
 };
-const checkSecurityScan = (rootDirectory, options = {}) => {
+const yieldToEventLoop = () => new Promise((resolve) => {
+	setImmediate(resolve);
+});
+const createSecurityScanSession = (rootDirectory, options) => {
 	const capabilities = options.project ? buildCapabilities(options.project) : /* @__PURE__ */ new Set();
 	const ignoredTags = options.ignoredTags ?? /* @__PURE__ */ new Set();
 	const enabledScanRules = REACT_DOCTOR_RULES.flatMap((entry) => {
@@ -36603,7 +36927,7 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 			committedFilesOnly: rule.committedFilesOnly === true
 		}];
 	});
-	if (enabledScanRules.length === 0) return [];
+	if (enabledScanRules.length === 0) return null;
 	const diagnostics = [];
 	const seen = /* @__PURE__ */ new Set();
 	const gitIgnoredCache = /* @__PURE__ */ new Map();
@@ -36615,15 +36939,34 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 		}
 		return status === true;
 	};
-	for (const file of collectSecurityScanFiles(rootDirectory)) for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
-		if (committedFilesOnly && isFileGitIgnored(file)) continue;
-		const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
-		const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
-		if (seen.has(key)) continue;
-		seen.add(key);
-		diagnostics.push(diagnostic);
+	const scanFile = (file) => {
+		for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
+			if (committedFilesOnly && isFileGitIgnored(file)) continue;
+			const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
+			const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			diagnostics.push(diagnostic);
+		}
+	};
+	return {
+		scanFile,
+		diagnostics
+	};
+};
+const checkSecurityScanCooperative = async (rootDirectory, options = {}) => {
+	const session = createSecurityScanSession(rootDirectory, options);
+	if (session === null) return [];
+	let filesSinceYield = 0;
+	for (const file of collectSecurityScanFiles(rootDirectory)) {
+		session.scanFile(file);
+		filesSinceYield += 1;
+		if (filesSinceYield >= 16) {
+			filesSinceYield = 0;
+			await yieldToEventLoop();
+		}
 	}
-	return diagnostics;
+	return session.diagnostics;
 };
 var import_picocolors = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exports, module) => {
 	let p = process || {}, argv = p.argv || [], env = p.env || {};
@@ -36840,6 +37183,74 @@ const collectDeadCodeIgnorePatterns = (rootDirectory) => {
 	return [...seen].filter((pattern) => pattern.length > 0);
 };
 const collectDeadCodeEntryPatterns = (rootDirectory) => [...new Set(collectKnipPatterns(rootDirectory, "entry"))].filter((pattern) => pattern.length > 0);
+const readSystemFacts = () => ({
+	availableCores: os.availableParallelism(),
+	totalMemoryBytes: os.totalmem(),
+	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
+});
+/**
+* How many real deslop dead-code child processes may run at once, across the
+* concurrent per-project `runInspect` fibers of one CLI run. The cap is the
+* smaller of the core count and the number of `DEAD_CODE_WORKER_MEM_BUDGET_BYTES`
+* workers that fit in available memory, floored at 1.
+*
+* On a roomy dev box / CI runner this resolves high enough that every
+* concurrently-scanned project still spawns its own worker (no serialization vs
+* the prior uncapped behavior); on a memory-constrained runner it collapses
+* toward 1, so the `withDeadCodeWorkerSlot` semaphore serializes the spawns
+* instead of oversubscribing memory with N simultaneous children — the global
+* cap the per-project spawn path lacked.
+*
+* Mirrors `resolveAutoScanConcurrency` (lint), but budgets memory per the
+* heavier dead-code worker. `facts` is injectable for tests.
+*/
+const resolveDeadCodeConcurrency = (facts = readSystemFacts()) => {
+	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
+	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / DEAD_CODE_WORKER_MEM_BUDGET_BYTES);
+	return Math.max(1, Math.min(facts.availableCores, memoryBoundedWorkers));
+};
+let availableSlots = -1;
+const waiters = [];
+const releaseSlot = () => {
+	const nextWaiter = waiters.shift();
+	if (nextWaiter !== void 0) nextWaiter();
+	else availableSlots += 1;
+};
+/**
+* Runs `task` once a dead-code worker slot is free, releasing the slot when the
+* task settles (success or failure). With a high cap (roomy machine) every
+* caller proceeds immediately; with a low cap (constrained runner) callers
+* queue and run as slots free.
+*
+* `abortSignal` short-circuits the WAIT: if it's already aborted, or fires while
+* this caller is queued, the call rejects without acquiring a slot or running
+* `task` — so a cancelled scan (e.g. lint failed) doesn't sit in the queue and
+* then spawn a child only to tear it down. A queued caller that aborts removes
+* its own waiter so a later release never hands a slot to a dead request.
+*/
+const withDeadCodeWorkerSlot = async (task, abortSignal) => {
+	if (abortSignal?.aborted) throw new Error("Dead-code worker aborted.");
+	if (availableSlots < 0) availableSlots = resolveDeadCodeConcurrency();
+	if (availableSlots > 0) availableSlots -= 1;
+	else await new Promise((resolve, reject) => {
+		const waiter = () => {
+			abortSignal?.removeEventListener("abort", onAbort);
+			resolve();
+		};
+		const onAbort = () => {
+			const queuedIndex = waiters.indexOf(waiter);
+			if (queuedIndex !== -1) waiters.splice(queuedIndex, 1);
+			reject(/* @__PURE__ */ new Error("Dead-code worker aborted."));
+		};
+		waiters.push(waiter);
+		abortSignal?.addEventListener("abort", onAbort, { once: true });
+	});
+	try {
+		return await task();
+	} finally {
+		releaseSlot();
+	}
+};
 /**
 * Resolves a path to its canonical, symlink-free form, falling back to
 * the input when it cannot be realpath'd (broken symlink, permission
@@ -36911,6 +37322,22 @@ process.stdin.on("end", () => {
         ...(workerInput.ignorePatterns.length > 0
           ? { ignorePatterns: workerInput.ignorePatterns }
           : {}),
+        // We consume only deslop's GRAPH-based findings (unusedFiles, unusedExports,
+        // unusedDependencies, circularDependencies). Everything else deslop can compute
+        // is pure wasted work for us, and it's the bulk of the runtime:
+        //   - semantic: a full TS Program for unusedTypes/enum/class-members/
+        //     misclassifiedDependencies (~37-45% of the phase).
+        //   - reportCodeQuality: the duplicate-block, complexity, feature-flag,
+        //     TypeScript-smell, private-type-leak and re-export-cycle detectors. These
+        //     are the single most expensive pass — duplicate-block detection alone was
+        //     ~83s of a ~130s Sentry scan — so skipping them is an ~8.5x dead-code
+        //     speedup on a large repo.
+        // Both are provably safe: the consumed graph findings are computed by their own
+        // detectors, independent of these passes (confirmed byte-identical on
+        // excalidraw + mui-material + sentry). tsConfigPath stays — the module resolver
+        // needs it for path-alias resolution in the import graph.
+        semantic: { enabled: false },
+        reportCodeQuality: false,
       };
       const result = await analyze(defineConfig(config));
       emit({ ok: true, result: normalizeResult(result) });
@@ -37040,7 +37467,11 @@ const createDeadCodeWorker = (input) => {
 			"pipe",
 			"pipe"
 		],
-		windowsHide: true
+		windowsHide: true,
+		env: input.parseConcurrency === void 0 ? process.env : {
+			...process.env,
+			DESLOP_PARSE_CONCURRENCY: String(input.parseConcurrency)
+		}
 	});
 	const stdoutChunks = [];
 	const stderrChunks = [];
@@ -37085,41 +37516,42 @@ const createDeadCodeWorker = (input) => {
 		}
 	};
 };
-const runDeadCodeWorkerWithTimeout = (handle, timeoutMs) => new Promise((resolve, reject) => {
+const runDeadCodeWorkerWithTimeout = (handle, timeoutMs, abortSignal) => new Promise((resolve, reject) => {
 	let didSettle = false;
-	const timeoutHandle = setTimeout(() => {
-		if (didSettle) return;
-		didSettle = true;
-		handle.terminate?.();
-		reject(/* @__PURE__ */ new Error(`Dead-code worker timed out after ${timeoutMs / MILLISECONDS_PER_SECOND}s.`));
-	}, timeoutMs);
-	timeoutHandle.unref?.();
-	handle.result.then((value) => {
+	const settle = (finish) => {
 		if (didSettle) return;
 		didSettle = true;
 		clearTimeout(timeoutHandle);
+		abortSignal?.removeEventListener("abort", onAbort);
 		handle.terminate?.();
-		resolve(value);
-	}, (error) => {
-		if (didSettle) return;
-		didSettle = true;
-		clearTimeout(timeoutHandle);
-		handle.terminate?.();
-		reject(error);
-	});
+		finish();
+	};
+	const onAbort = () => settle(() => reject(/* @__PURE__ */ new Error("Dead-code worker aborted.")));
+	const timeoutHandle = setTimeout(() => settle(() => reject(/* @__PURE__ */ new Error(`Dead-code worker timed out after ${timeoutMs / MILLISECONDS_PER_SECOND}s.`))), timeoutMs);
+	timeoutHandle.unref?.();
+	if (abortSignal?.aborted) {
+		onAbort();
+		return;
+	}
+	abortSignal?.addEventListener("abort", onAbort, { once: true });
+	handle.result.then((value) => settle(() => resolve(value)), (error) => settle(() => reject(error)));
 });
 const checkDeadCode = async (options) => {
 	const rootDirectory = toCanonicalPath(options.rootDirectory);
 	if (!NFS.existsSync(Path.join(rootDirectory, "package.json"))) return [];
 	const entryPatterns = collectDeadCodeEntryPatterns(rootDirectory);
 	const ignorePatterns = collectDeadCodeIgnorePatterns(rootDirectory);
-	const result = parseDeadCodeWorkerResult(await runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
-		rootDirectory,
-		entryPatterns,
-		tsConfigPath: resolveTsConfigPath(rootDirectory),
-		ignorePatterns,
-		deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js")
-	}), options.workerTimeoutMs ?? 12e4));
+	const spawnAndRun = () => {
+		return runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
+			rootDirectory,
+			entryPatterns,
+			tsConfigPath: resolveTsConfigPath(rootDirectory),
+			ignorePatterns,
+			deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
+			parseConcurrency: options.parseConcurrency
+		}), options.workerTimeoutMs ?? 12e4, options.abortSignal);
+	};
+	const result = parseDeadCodeWorkerResult(options.createWorker === void 0 ? await withDeadCodeWorkerSlot(spawnAndRun, options.abortSignal) : await spawnAndRun());
 	const toRelative = (filePath) => toRelativeFilePath(rootDirectory, filePath);
 	const diagnostics = [];
 	for (const unusedFile of result.unusedFiles) diagnostics.push({
@@ -37217,7 +37649,37 @@ const isDiagnosticOnSurface = (diagnostic, surface, config) => {
 	return true;
 };
 const filterDiagnosticsForSurface = (diagnostics, surface, config) => diagnostics.filter((diagnostic) => isDiagnosticOnSurface(diagnostic, surface, config));
-const excludeMinifiedFiles = (rootDirectory, relativePaths) => relativePaths.filter((relativePath) => !isLargeMinifiedFile(Path.resolve(rootDirectory, relativePath)));
+/**
+* Budget for the dead-code phase, scaled to the work. deslop's graph build is
+* CPU-bound and roughly linear in file count, so a fixed 120s cap is too tight
+* for a large repo (where the pass legitimately runs that long) and is then
+* tipped over by any concurrent load — silently dropping every dead-code
+* finding. Scaling the budget with file count (and inversely with the core
+* share when overlapped) lets the pass complete, while the ceiling still
+* reclaims a genuinely wedged worker. Returns the in-worker SIGKILL deadline
+* and the Effect-side phase backstop that sits a margin above it.
+*/
+const resolveDeadCodeTimeout = (input) => {
+	const coreShareFactor = Math.max(1, input.fullConcurrency / Math.max(1, input.deadCodeConcurrency));
+	const workerTimeoutMs = Math.min(DEAD_CODE_TIMEOUT_CEILING_MS, Math.max(DEAD_CODE_WORKER_TIMEOUT_MS, Math.ceil(input.sourceFileCount * 30 * coreShareFactor)));
+	return {
+		workerTimeoutMs,
+		phaseTimeoutMs: workerTimeoutMs + DEAD_CODE_PHASE_TIMEOUT_OVER_WORKER_MS
+	};
+};
+const collectSizedSourceFiles = (rootDirectory, relativePaths) => {
+	const entries = [];
+	for (const relativePath of relativePaths) {
+		const absolutePath = Path.resolve(rootDirectory, relativePath);
+		const sizeBytes = statSourceFileSize(absolutePath);
+		if (isLargeMinifiedFile(absolutePath, sizeBytes)) continue;
+		entries.push({
+			path: relativePath,
+			sizeBytes: sizeBytes ?? 0
+		});
+	}
+	return entries;
+};
 const listSourceFilesViaGit = (rootDirectory) => {
 	const result = spawnSync("git", [
 		"ls-files",
@@ -37250,7 +37712,8 @@ const listSourceFilesViaFilesystem = (rootDirectory) => {
 	}
 	return filePaths;
 };
-const listSourceFiles = (rootDirectory) => excludeMinifiedFiles(rootDirectory, listSourceFilesViaGit(rootDirectory) ?? listSourceFilesViaFilesystem(rootDirectory));
+const listSourceFilesWithSize = (rootDirectory) => collectSizedSourceFiles(rootDirectory, listSourceFilesViaGit(rootDirectory) ?? listSourceFilesViaFilesystem(rootDirectory));
+const listSourceFiles = (rootDirectory) => listSourceFilesWithSize(rootDirectory).map((entry) => entry.path);
 const resolveLintIncludePaths = (rootDirectory, userConfig, project) => {
 	if (!Array.isArray(userConfig?.ignore?.files) || userConfig.ignore.files.length === 0) return;
 	const ignoredPatterns = compileIgnoredFilePatterns(userConfig);
@@ -37293,9 +37756,12 @@ var Config = class Config extends Service()("react-doctor/Config") {
 var DeadCode = class DeadCode extends Service()("react-doctor/DeadCode") {
 	static layerNode = succeed$3(DeadCode, DeadCode.of({ run: (input) => unwrap(fn("DeadCode.run")(function* () {
 		return yield* tryPromise({
-			try: () => checkDeadCode({
+			try: (signal) => checkDeadCode({
 				rootDirectory: input.rootDirectory,
-				userConfig: input.userConfig
+				userConfig: input.userConfig,
+				parseConcurrency: input.parseConcurrency,
+				workerTimeoutMs: input.workerTimeoutMs,
+				abortSignal: signal
 			}),
 			catch: (cause) => new ReactDoctorError({ reason: new DeadCodeAnalysisFailed({ cause }) })
 		}).pipe(map$3((diagnostics) => fromIterable$1(diagnostics)));
@@ -37486,43 +37952,46 @@ var Git = class Git extends Service()("react-doctor/Git") {
 		* reason: GitInvocationFailed })` so the rest of the codebase
 		* sees a single failure channel.
 		*/
-		const runCommand = (input) => scoped(gen(function* () {
-			const handle = yield* spawner.spawn(make$1(input.command, [...input.args], {
-				cwd: input.directory,
-				env: input.env,
-				extendEnv: true
-			}));
-			const maxStdoutBytes = input.maxStdoutBytes;
-			const stdoutByteCount = yield* make$13(0);
-			const [stdout, stderr, status] = yield* all([
-				mkString(decodeText(maxStdoutBytes === void 0 ? handle.stdout : handle.stdout.pipe(tap((chunk) => updateAndGet(stdoutByteCount, (total) => total + chunk.length).pipe(flatMap$2((total) => total > maxStdoutBytes ? fail$4(new ReactDoctorError({ reason: new GitInvocationFailed({
-					args: [...input.args],
-					directory: input.directory,
-					cause: /* @__PURE__ */ new Error(`git stdout exceeded ${maxStdoutBytes} bytes`)
-				}) })) : void_)))))),
-				mkString(decodeText(handle.stderr)),
-				handle.exitCode
-			], { concurrency: 3 });
-			return {
-				status,
-				stdout,
-				stderr
-			};
-		})).pipe(catchTag$1("PlatformError", (cause) => {
-			if (input.command !== "git") return succeed$2({
+		const runCommand = (input) => {
+			const foldSpawnFailure = (cause) => input.command !== "git" ? succeed$2({
 				status: 127,
 				stdout: "",
 				stderr: String(cause)
-			});
-			return new ReactDoctorError({ reason: new GitInvocationFailed({
+			}) : fail$4(new ReactDoctorError({ reason: new GitInvocationFailed({
 				args: [...input.args],
 				directory: input.directory,
 				cause
-			}) });
-		}), withSpan("git.exec", { attributes: {
-			"git.command": input.command,
-			"git.subcommand": input.args[0] ?? ""
-		} }));
+			}) }));
+			return scoped(gen(function* () {
+				if (!isDirectory(input.directory)) return yield* foldSpawnFailure(`spawn ENOTDIR (cwd is not a directory: ${input.directory})`);
+				const argvLengthChars = input.command.length + 1 + input.args.reduce((total, arg) => total + arg.length + 1, 0);
+				if (argvLengthChars > 24e3) return yield* foldSpawnFailure(`spawn ENAMETOOLONG (${argvLengthChars} argv chars exceed ${SPAWN_ARGS_MAX_LENGTH_CHARS})`);
+				const handle = yield* spawner.spawn(make$1(input.command, [...input.args], {
+					cwd: input.directory,
+					env: input.env,
+					extendEnv: true
+				}));
+				const maxStdoutBytes = input.maxStdoutBytes;
+				const stdoutByteCount = yield* make$13(0);
+				const [stdout, stderr, status] = yield* all([
+					mkString(decodeText(maxStdoutBytes === void 0 ? handle.stdout : handle.stdout.pipe(tap((chunk) => updateAndGet(stdoutByteCount, (total) => total + chunk.length).pipe(flatMap$2((total) => total > maxStdoutBytes ? fail$4(new ReactDoctorError({ reason: new GitInvocationFailed({
+						args: [...input.args],
+						directory: input.directory,
+						cause: /* @__PURE__ */ new Error(`git stdout exceeded ${maxStdoutBytes} bytes`)
+					}) })) : void_)))))),
+					mkString(decodeText(handle.stderr)),
+					handle.exitCode
+				], { concurrency: 3 });
+				return {
+					status,
+					stdout,
+					stderr
+				};
+			})).pipe(catchTag$1("PlatformError", foldSpawnFailure), withSpan("git.exec", { attributes: {
+				"git.command": input.command,
+				"git.subcommand": input.args[0] ?? ""
+			} }));
+		};
 		const runGit = (directory, args) => runCommand({
 			command: "git",
 			args,
@@ -37555,7 +38024,7 @@ var Git = class Git extends Service()("react-doctor/Git") {
 			"rev-parse",
 			"--verify",
 			branch
-		]).pipe(map$3((result) => result.status === 0));
+		]).pipe(map$3((result) => result.status === 0), catch_$1((error) => error.reason._tag === "GitInvocationFailed" ? succeed$2(false) : fail$4(error)));
 		const headSha = (directory) => runGit(directory, ["rev-parse", "HEAD"]).pipe(map$3((result) => result.status === 0 ? trimOrNull(result.stdout) : null));
 		const mergeBase = (input) => isSafeGitRevision(input.ref) ? runGit(input.directory, [
 			"merge-base",
@@ -37769,7 +38238,7 @@ var Git = class Git extends Service()("react-doctor/Git") {
 				]);
 				if (result.status !== 0) return null;
 				return parseChangedLineRanges(result.stdout);
-			}).pipe(withSpan("Git.changedLineRanges"))
+			}).pipe(catch_$1((error) => error.reason._tag === "GitInvocationFailed" ? succeed$2(null) : fail$4(error)), withSpan("Git.changedLineRanges"))
 		});
 	})).pipe(provide$2(layer$2.pipe(provide$2(mergeAll$1(layer$1, layer)))));
 	/**
@@ -38008,6 +38477,14 @@ const neutralizeDisableDirectives = async (rootDirectory, includePaths) => {
 		process.removeListener("exit", onExit);
 	};
 };
+const ROOT_DIRECTORY_PLACEHOLDER = "<root>";
+const normalizeConfigForHash = (config) => {
+	const clone = JSON.parse(JSON.stringify(config));
+	if (clone?.settings?.["react-doctor"]) clone.settings["react-doctor"].rootDirectory = ROOT_DIRECTORY_PLACEHOLDER;
+	if (Array.isArray(clone?.jsPlugins)) clone.jsPlugins = clone.jsPlugins.map((_, index) => `<plugin:${index}>`);
+	return clone;
+};
+const computeRulesetHash = (input) => crypto.createHash("sha1").update(JSON.stringify(normalizeConfigForHash(input.config))).update("\0").update([...input.toolchainVersions].join("\0")).update("\0").update([...input.ignorePatterns].join("\n")).update(" ").update(input.tsconfigContent ?? "").digest("hex");
 /**
 * Loads a plugin module via the local require resolver and extracts
 * `(name, ruleNames)` from either `module.exports.meta + rules` or
@@ -38034,16 +38511,16 @@ const readPluginShape = (pluginSpecifier, loadModule) => {
 		ruleNames: new Set(Object.keys(rules))
 	};
 };
-const bundledRequire = createRequire(import.meta.url);
+const bundledRequire$1 = createRequire(import.meta.url);
 const resolveReactHooksJsPlugin = (hasReactCompiler, customRulesOnly) => {
 	if (!hasReactCompiler || customRulesOnly) return null;
 	let pluginSpecifier;
 	try {
-		pluginSpecifier = bundledRequire.resolve("eslint-plugin-react-hooks");
+		pluginSpecifier = bundledRequire$1.resolve("eslint-plugin-react-hooks");
 	} catch {
 		return null;
 	}
-	const { ruleNames } = readPluginShape(pluginSpecifier, (spec) => bundledRequire(spec));
+	const { ruleNames } = readPluginShape(pluginSpecifier, (spec) => bundledRequire$1(spec));
 	return {
 		entry: {
 			name: "react-hooks-js",
@@ -38162,8 +38639,8 @@ const buildUserPluginRules = (userPlugin, severityControls) => {
 	}
 	return enabled;
 };
-const createOxlintConfig = ({ pluginPath, project, customRulesOnly = false, extendsPaths = [], ignoredTags = /* @__PURE__ */ new Set(), serverAuthFunctionNames, severityControls, userPlugins = [], disableReactHooksJsPlugin = false }) => {
-	const reactHooksJsPlugin = disableReactHooksJsPlugin ? null : resolveReactHooksJsPlugin(project.hasReactCompiler, customRulesOnly);
+const createOxlintConfig = ({ pluginPath, project, customRulesOnly = false, extendsPaths = [], ignoredTags = /* @__PURE__ */ new Set(), serverAuthFunctionNames, severityControls, userPlugins = [], disableReactHooksJsPlugin = false, ruleSelection }) => {
+	const reactHooksJsPlugin = disableReactHooksJsPlugin || ruleSelection === "sidecar" ? null : resolveReactHooksJsPlugin(project.hasReactCompiler, customRulesOnly);
 	const reactCompilerRules = reactHooksJsPlugin ? applyRuleSeverityControls(filterRulesToAvailable(REACT_COMPILER_RULES, "react-hooks-js", reactHooksJsPlugin.availableRuleNames), severityControls) : {};
 	const jsPlugins = [];
 	if (reactHooksJsPlugin) jsPlugins.push(reactHooksJsPlugin.entry);
@@ -38172,6 +38649,8 @@ const createOxlintConfig = ({ pluginPath, project, customRulesOnly = false, exte
 	for (const registryEntry of REACT_DOCTOR_RULES) {
 		const rule = reactDoctorPlugin.rules[registryEntry.id];
 		if (!rule) continue;
+		if (ruleSelection === "cacheable" && CROSS_FILE_RULE_IDS.has(registryEntry.id)) continue;
+		if (ruleSelection === "sidecar" && !CROSS_FILE_RULE_IDS.has(registryEntry.id)) continue;
 		if (rule.scan !== void 0) continue;
 		if (customRulesOnly && registryEntry.originallyExternal) continue;
 		if (rule.framework !== "global" && !rule.requires) continue;
@@ -38186,7 +38665,7 @@ const createOxlintConfig = ({ pluginPath, project, customRulesOnly = false, exte
 		enabledReactDoctorRules[registryEntry.key] = severity;
 	}
 	const userPluginRules = {};
-	for (const userPlugin of userPlugins) {
+	if (ruleSelection !== "sidecar") for (const userPlugin of userPlugins) {
 		Object.assign(userPluginRules, buildUserPluginRules(userPlugin, severityControls));
 		jsPlugins.push(userPlugin.entry);
 	}
@@ -38216,6 +38695,100 @@ const createOxlintConfig = ({ pluginPath, project, customRulesOnly = false, exte
 		}
 	};
 };
+const atomicWriteJson = (filePath, value) => {
+	try {
+		NFS.mkdirSync(Path.dirname(filePath), { recursive: true });
+		const temporaryPath = `${filePath}.${process.pid}.tmp`;
+		NFS.writeFileSync(temporaryPath, JSON.stringify(value));
+		NFS.renameSync(temporaryPath, filePath);
+	} catch {
+		return;
+	}
+};
+const failOpenReadJson = (filePath, fallback) => {
+	try {
+		return JSON.parse(NFS.readFileSync(filePath, "utf8"));
+	} catch {
+		return fallback;
+	}
+};
+const validateDiagnostic = decodeUnknownSync(Diagnostic);
+const decodeFileDiagnostics = (raw) => {
+	if (!Array.isArray(raw)) return null;
+	try {
+		for (const entry of raw) validateDiagnostic(entry);
+		return raw;
+	} catch {
+		return null;
+	}
+};
+const emptyCache = () => ({
+	version: 1,
+	rulesets: {}
+});
+const loadRulesetEntries = (cacheFilePath, rulesetHash) => {
+	const entries = /* @__PURE__ */ new Map();
+	const persisted = failOpenReadJson(cacheFilePath, emptyCache());
+	if (persisted.version !== 1 || !isRecord(persisted.rulesets)) return entries;
+	const bucket = persisted.rulesets[rulesetHash];
+	if (!isRecord(bucket) || !isRecord(bucket.files)) return entries;
+	for (const [fileKey, rawDiagnostics] of Object.entries(bucket.files)) {
+		const decoded = decodeFileDiagnostics(rawDiagnostics);
+		if (decoded !== null) entries.set(fileKey, decoded);
+	}
+	return entries;
+};
+const createFileLintCache = (cacheDirectory, rulesetHash) => {
+	const cacheFilePath = Path.join(cacheDirectory, FILE_LINT_CACHE_FILENAME);
+	const entries = loadRulesetEntries(cacheFilePath, rulesetHash);
+	return {
+		lookup: (fileKey) => entries.get(fileKey) ?? null,
+		store: (fileKey, diagnostics) => {
+			entries.delete(fileKey);
+			entries.set(fileKey, diagnostics);
+		},
+		persist: () => {
+			const onDisk = failOpenReadJson(cacheFilePath, emptyCache());
+			const rulesets = onDisk.version === 1 && isRecord(onDisk.rulesets) ? { ...onDisk.rulesets } : {};
+			const existingBucket = rulesets[rulesetHash];
+			const existingFiles = isRecord(existingBucket) && isRecord(existingBucket.files) ? existingBucket.files : {};
+			const ourFiles = {};
+			for (const [fileKey, diagnostics] of entries) ourFiles[fileKey] = diagnostics;
+			const cappedEntries = Object.entries({
+				...existingFiles,
+				...ourFiles
+			}).slice(-FILE_LINT_CACHE_MAX_FILE_COUNT);
+			rulesets[rulesetHash] = {
+				updatedAtMs: Date.now(),
+				files: Object.fromEntries(cappedEntries)
+			};
+			const keptHashes = Object.entries(rulesets).sort(([, first], [, second]) => second.updatedAtMs - first.updatedAtMs).slice(0, 8).map(([hash]) => hash);
+			const prunedRulesets = {};
+			for (const hash of keptHashes) prunedRulesets[hash] = rulesets[hash];
+			atomicWriteJson(cacheFilePath, {
+				version: 1,
+				rulesets: prunedRulesets
+			});
+		}
+	};
+};
+const bundledRequire = createRequire(import.meta.url);
+const TOOLCHAIN_PACKAGE_SPECIFIERS = [
+	"oxlint/package.json",
+	"oxlint-plugin-react-doctor/package.json",
+	"eslint-plugin-react-hooks/package.json"
+];
+const resolveOxlintToolchainVersions = () => {
+	const versions = [`node=${process.version}`];
+	for (const specifier of TOOLCHAIN_PACKAGE_SPECIFIERS) try {
+		const packageJson = bundledRequire(specifier);
+		const version = typeof packageJson.version === "string" ? packageJson.version : "unknown";
+		versions.push(`${specifier}=${version}`);
+	} catch {
+		versions.push(`${specifier}=missing`);
+	}
+	return versions;
+};
 const esmRequire = createRequire(import.meta.url);
 const resolveOxlintBinary = () => {
 	const oxlintMainPath = esmRequire.resolve("oxlint");
@@ -38897,15 +39470,19 @@ const parseOxlintOutput = (stdout, project, rootDirectory) => {
 		};
 	});
 };
-const SANITIZED_ENV = (() => {
-	const sanitized = {};
-	for (const [name, value] of Object.entries(process.env)) {
+const buildOxlintChildEnv = (sourceEnv) => {
+	const childEnv = {};
+	for (const [name, value] of Object.entries(sourceEnv)) {
 		if (name === "NODE_OPTIONS" || name === "NODE_DEBUG") continue;
 		if (name.startsWith("npm_config_")) continue;
-		sanitized[name] = value;
+		childEnv[name] = value;
 	}
-	return sanitized;
-})();
+	const isCompileCacheDisabled = Boolean(sourceEnv.NODE_DISABLE_COMPILE_CACHE);
+	const isCompileCacheAlreadySet = childEnv.NODE_COMPILE_CACHE !== void 0;
+	if (!isCompileCacheDisabled && !isCompileCacheAlreadySet) childEnv.NODE_COMPILE_CACHE = Path.join(os.tmpdir(), NODE_COMPILE_CACHE_DIR_NAME);
+	return childEnv;
+};
+const SANITIZED_ENV = buildOxlintChildEnv(process.env);
 /**
 * Spawn one oxlint subprocess with hard ceilings on wall time and
 * output size. Returns stdout on success; raises a tagged
@@ -38922,7 +39499,11 @@ const SANITIZED_ENV = (() => {
 * The first three are splittable (the caller's binary-split retry
 * shrinks the batch and re-spawns); the fourth isn't.
 */
-const spawnOxlint = (args, rootDirectory, nodeBinaryPath, spawnTimeoutMs = OXLINT_SPAWN_TIMEOUT_MS, outputMaxBytes = OXLINT_OUTPUT_MAX_BYTES) => new Promise((resolve, reject) => {
+const spawnOxlint = (args, rootDirectory, nodeBinaryPath, spawnTimeoutMs = OXLINT_SPAWN_TIMEOUT_MS, outputMaxBytes = OXLINT_OUTPUT_MAX_BYTES, abortSignal) => new Promise((resolve, reject) => {
+	if (abortSignal?.aborted) {
+		reject(new ReactDoctorError({ reason: new OxlintSpawnFailed({ cause: "lint phase aborted" }) }));
+		return;
+	}
 	const child = spawn(nodeBinaryPath, args, {
 		cwd: rootDirectory,
 		env: SANITIZED_ENV,
@@ -38932,7 +39513,14 @@ const spawnOxlint = (args, rootDirectory, nodeBinaryPath, spawnTimeoutMs = OXLIN
 			"pipe"
 		]
 	});
+	const onAbort = () => {
+		child.kill("SIGKILL");
+		reject(new ReactDoctorError({ reason: new OxlintSpawnFailed({ cause: "lint phase aborted" }) }));
+	};
+	abortSignal?.addEventListener("abort", onAbort, { once: true });
+	const clearAbortListener = () => abortSignal?.removeEventListener("abort", onAbort);
 	const timeoutHandle = setTimeout(() => {
+		clearAbortListener();
 		child.kill("SIGKILL");
 		reject(new ReactDoctorError({ reason: new OxlintBatchExceeded({
 			kind: "timeout",
@@ -38967,10 +39555,12 @@ const spawnOxlint = (args, rootDirectory, nodeBinaryPath, spawnTimeoutMs = OXLIN
 	});
 	child.on("error", (error) => {
 		clearTimeout(timeoutHandle);
+		clearAbortListener();
 		reject(new ReactDoctorError({ reason: new OxlintSpawnFailed({ cause: error }) }));
 	});
 	child.on("close", (_code, signal) => {
 		clearTimeout(timeoutHandle);
+		clearAbortListener();
 		if (didKillForSize) {
 			reject(new ReactDoctorError({ reason: new OxlintBatchExceeded({
 				kind: "output-too-large",
@@ -39037,26 +39627,28 @@ const isParallelismRelatedSpawnError = (error) => {
 * loop with a slimmer config in that case.
 */
 const spawnLintBatches = async (input) => {
-	const { baseArgs, fileBatches, rootDirectory, nodeBinaryPath, project, onPartialFailure, onFileProgress, spawnTimeoutMs, outputMaxBytes } = input;
+	const { baseArgs, fileBatches, rootDirectory, nodeBinaryPath, project, onPartialFailure, onFileProgress, spawnTimeoutMs, outputMaxBytes, splitTotalBudgetMs = OXLINT_SPLIT_TOTAL_BUDGET_MS, splitMaxDepth = 8, signal } = input;
 	const requestedConcurrency = resolveScanConcurrency(input.concurrency ?? 1);
 	const totalFileCount = fileBatches.reduce((sum, batch) => sum + batch.length, 0);
 	const runBatchPass = async (concurrency) => {
 		const allDiagnostics = [];
 		const droppedFiles = [];
 		let firstDropReason = null;
-		const spawnLintBatch = async (batch) => {
+		const splitDeadlineMs = Date.now() + splitTotalBudgetMs;
+		const spawnLintBatch = async (batch, depth) => {
 			const batchArgs = [...baseArgs, ...batch];
 			try {
-				return parseOxlintOutput(await spawnOxlint(batchArgs, rootDirectory, nodeBinaryPath, spawnTimeoutMs, outputMaxBytes), project, rootDirectory);
+				return parseOxlintOutput(await spawnOxlint(batchArgs, rootDirectory, nodeBinaryPath, spawnTimeoutMs, outputMaxBytes, signal), project, rootDirectory);
 			} catch (error) {
 				if (!isSplittableReactDoctorError(error)) throw error;
-				if (batch.length <= 1) {
+				const splitBudgetExhausted = Date.now() >= splitDeadlineMs || depth >= splitMaxDepth;
+				if (batch.length <= 1 || splitBudgetExhausted) {
 					droppedFiles.push(...batch);
-					if (firstDropReason === null) firstDropReason = error.message;
+					if (firstDropReason === null) firstDropReason = splitBudgetExhausted && batch.length > 1 ? `${error.message} (split budget exhausted after ${splitMaxDepth} levels / ${splitTotalBudgetMs / MILLISECONDS_PER_SECOND}s)` : error.message;
 					return [];
 				}
 				const splitIndex = Math.ceil(batch.length / 2);
-				return [...await spawnLintBatch(batch.slice(0, splitIndex)), ...await spawnLintBatch(batch.slice(splitIndex))];
+				return [...await spawnLintBatch(batch.slice(0, splitIndex), depth + 1), ...await spawnLintBatch(batch.slice(splitIndex), depth + 1)];
 			}
 		};
 		let startedFileCount = 0;
@@ -39073,7 +39665,7 @@ const spawnLintBatches = async (input) => {
 		try {
 			const batchResults = await mapWithConcurrency(fileBatches, concurrency, async (batch) => {
 				startedFileCount += batch.length;
-				const batchDiagnostics = await spawnLintBatch(batch);
+				const batchDiagnostics = await spawnLintBatch(batch, 0);
 				scannedFileCount += batch.length;
 				if (onFileProgress) {
 					displayedFileCount = Math.min(Math.max(displayedFileCount, scannedFileCount), totalFileCount);
@@ -39134,6 +39726,22 @@ const validateRuleRegistration = () => {
 	].filter((entry) => entry !== null).join("; ");
 	console.warn(`[react-doctor] rule-registration drift: ${detail}`);
 };
+const hashFileContents = (filePath) => {
+	try {
+		return crypto.createHash("sha1").update(NFS.readFileSync(filePath)).digest("hex");
+	} catch {
+		return null;
+	}
+};
+const projectCacheSubdir = (projectDirectory) => crypto.createHash("sha256").update(projectDirectory).digest("hex").slice(0, 16);
+const resolveReactDoctorCacheDir = (projectDirectory) => {
+	const cacheDirOverride = process.env["REACT_DOCTOR_CACHE_DIR"]?.trim();
+	if (cacheDirOverride) return Path.join(cacheDirOverride, projectCacheSubdir(projectDirectory));
+	const nodeModulesDirectory = Path.join(projectDirectory, "node_modules");
+	if (NFS.existsSync(nodeModulesDirectory)) return Path.join(nodeModulesDirectory, ".cache", "react-doctor");
+	return Path.join(os.tmpdir(), "react-doctor-cache", projectCacheSubdir(projectDirectory));
+};
+const sortSourceFilesByCost = (entries) => [...entries].sort((left, right) => right.sizeBytes - left.sizeBytes).map((entry) => entry.path);
 /**
 * Atomically (re)writes the generated oxlintrc.json. Used twice in
 * the runner: once for the primary scan, once for the
@@ -39192,7 +39800,7 @@ const reactHooksJsPluginDropNote = (error) => {
 *   6. always restore disable directives + clean up the temp dir
 */
 const runOxlint = async (options) => {
-	const { rootDirectory, project, includePaths, nodeBinaryPath = process.execPath, customRulesOnly = false, respectInlineDisables = true, adoptExistingLintConfig = true, ignoredTags = /* @__PURE__ */ new Set(), userConfig, configSourceDirectory = rootDirectory, onPartialFailure, spawnTimeoutMs, outputMaxBytes } = options;
+	const { rootDirectory, project, includePaths, nodeBinaryPath = process.execPath, customRulesOnly = false, respectInlineDisables = true, adoptExistingLintConfig = true, ignoredTags = /* @__PURE__ */ new Set(), userConfig, configSourceDirectory = rootDirectory, onPartialFailure, perFileLintCacheEnabled = false, onCacheStats, spawnTimeoutMs, outputMaxBytes, lintBatchOrdering = "arrival" } = options;
 	const serverAuthFunctionNames = Array.isArray(userConfig?.serverAuthFunctionNames) ? userConfig.serverAuthFunctionNames.filter((entry) => typeof entry === "string" && entry.length > 0) : void 0;
 	const severityControls = buildRuleSeverityControls(userConfig);
 	validateRuleRegistration();
@@ -39209,30 +39817,156 @@ const runOxlint = async (options) => {
 		serverAuthFunctionNames,
 		severityControls,
 		userPlugins,
-		disableReactHooksJsPlugin: overrides.disableReactHooksJsPlugin
+		disableReactHooksJsPlugin: overrides.disableReactHooksJsPlugin,
+		ruleSelection: overrides.ruleSelection
 	});
 	const restoreDisableDirectives = respectInlineDisables ? () => {} : await neutralizeDisableDirectives(rootDirectory, includePaths);
 	const configDirectory = NFS.mkdtempSync(Path.join(os.tmpdir(), "react-doctor-oxlintrc-"));
 	const configPath = Path.join(configDirectory, "oxlintrc.json");
 	try {
-		const baseArgs = [
-			resolveOxlintBinary(),
-			"-c",
-			configPath,
-			"--format",
-			"json"
-		];
+		const oxlintBinary = resolveOxlintBinary();
+		const sharedArgs = [];
+		let tsconfigContent = null;
 		if (project.hasTypeScript) {
 			const tsconfigRelativePath = resolveTsConfigRelativePath(rootDirectory);
-			if (tsconfigRelativePath) baseArgs.push("--tsconfig", tsconfigRelativePath);
+			if (tsconfigRelativePath) {
+				sharedArgs.push("--tsconfig", tsconfigRelativePath);
+				try {
+					tsconfigContent = NFS.readFileSync(Path.resolve(rootDirectory, tsconfigRelativePath), "utf8");
+				} catch {
+					tsconfigContent = null;
+				}
+			}
 		}
 		const combinedPatterns = collectIgnorePatterns(rootDirectory);
 		if (combinedPatterns.length > 0) {
 			const combinedIgnorePath = Path.join(configDirectory, "combined.ignore");
 			NFS.writeFileSync(combinedIgnorePath, `${combinedPatterns.join("\n")}\n`);
-			baseArgs.push("--ignore-path", combinedIgnorePath);
+			sharedArgs.push("--ignore-path", combinedIgnorePath);
 		}
-		const fileBatches = batchIncludePaths(baseArgs, includePaths !== void 0 ? includePaths : listSourceFiles(rootDirectory));
+		const makeBaseArgs = (oxlintConfigPath) => [
+			oxlintBinary,
+			"-c",
+			oxlintConfigPath,
+			"--format",
+			"json",
+			...sharedArgs
+		];
+		const discoverScanFiles = () => lintBatchOrdering === "cost" ? sortSourceFilesByCost(listSourceFilesWithSize(rootDirectory)) : listSourceFiles(rootDirectory);
+		const candidateFiles = includePaths !== void 0 ? includePaths : discoverScanFiles();
+		const runConfigOverFiles = async (buildConfigForPass, configFileName, files, fileProgress) => {
+			if (files.length === 0) return {
+				diagnostics: [],
+				didDropReactHooksJsPlugin: false,
+				hadPartialFailure: false
+			};
+			let hadPartialFailure = false;
+			const reportPartialFailure = (reason) => {
+				hadPartialFailure = true;
+				onPartialFailure?.(reason);
+			};
+			const passConfigPath = Path.join(configDirectory, configFileName);
+			const passBaseArgs = makeBaseArgs(passConfigPath);
+			const passFileBatches = batchIncludePaths(passBaseArgs, files);
+			const spawnPass = () => spawnLintBatches({
+				baseArgs: passBaseArgs,
+				fileBatches: passFileBatches,
+				rootDirectory,
+				nodeBinaryPath,
+				project,
+				onPartialFailure: reportPartialFailure,
+				onFileProgress: fileProgress,
+				spawnTimeoutMs,
+				outputMaxBytes,
+				concurrency: options.concurrency,
+				signal: options.signal
+			});
+			writeOxlintConfig(passConfigPath, buildConfigForPass({}));
+			try {
+				return {
+					diagnostics: await spawnPass(),
+					didDropReactHooksJsPlugin: false,
+					hadPartialFailure
+				};
+			} catch (error) {
+				const reactHooksJsDropNote = reactHooksJsPluginDropNote(error);
+				if (reactHooksJsDropNote === null) throw error;
+				writeOxlintConfig(passConfigPath, buildConfigForPass({ disableReactHooksJsPlugin: true }));
+				const diagnostics = await spawnPass();
+				reportPartialFailure(reactHooksJsDropNote);
+				return {
+					diagnostics,
+					didDropReactHooksJsPlugin: true,
+					hadPartialFailure
+				};
+			}
+		};
+		if (perFileLintCacheEnabled && respectInlineDisables && !project.hasReactCompiler && extendsPaths.length === 0 && userPlugins.length === 0) {
+			const rulesetHash = computeRulesetHash({
+				config: buildConfig({
+					extendsPaths: [],
+					ruleSelection: "cacheable"
+				}),
+				toolchainVersions: resolveOxlintToolchainVersions(),
+				ignorePatterns: combinedPatterns,
+				tsconfigContent
+			});
+			const cache = createFileLintCache(resolveReactDoctorCacheDir(rootDirectory), rulesetHash);
+			const cacheKeyByFile = /* @__PURE__ */ new Map();
+			const missFiles = [];
+			const replayedDiagnostics = [];
+			for (const candidateFile of candidateFiles) {
+				const contentHash = hashFileContents(Path.resolve(rootDirectory, candidateFile));
+				if (contentHash === null) {
+					missFiles.push(candidateFile);
+					continue;
+				}
+				const cacheKey = `${candidateFile.replaceAll("\\", "/")}${contentHash}`;
+				cacheKeyByFile.set(candidateFile, cacheKey);
+				const cachedDiagnostics = cache.lookup(cacheKey);
+				if (cachedDiagnostics === null) missFiles.push(candidateFile);
+				else replayedDiagnostics.push(...cachedDiagnostics);
+			}
+			const cacheHitFileCount = candidateFiles.length - missFiles.length;
+			const cacheableResult = await runConfigOverFiles((overrides) => buildConfig({
+				extendsPaths: [],
+				ruleSelection: "cacheable",
+				disableReactHooksJsPlugin: overrides.disableReactHooksJsPlugin
+			}), "oxlintrc.cacheable.json", missFiles, void 0);
+			const sidecarResult = await runConfigOverFiles(() => buildConfig({
+				extendsPaths: [],
+				ruleSelection: "sidecar"
+			}), "oxlintrc.sidecar.json", candidateFiles, options.onFileProgress);
+			onCacheStats?.(cacheHitFileCount, candidateFiles.length);
+			const missFileByNormalizedPath = /* @__PURE__ */ new Map();
+			for (const missFile of missFiles) missFileByNormalizedPath.set(missFile.replaceAll("\\", "/"), missFile);
+			const freshDiagnosticsByFile = /* @__PURE__ */ new Map();
+			let isAttributionSound = true;
+			for (const diagnostic of cacheableResult.diagnostics) {
+				const missFile = missFileByNormalizedPath.get(diagnostic.filePath);
+				if (missFile === void 0) {
+					isAttributionSound = false;
+					break;
+				}
+				const fileDiagnostics = freshDiagnosticsByFile.get(missFile) ?? [];
+				fileDiagnostics.push(diagnostic);
+				freshDiagnosticsByFile.set(missFile, fileDiagnostics);
+			}
+			if (!cacheableResult.didDropReactHooksJsPlugin && !cacheableResult.hadPartialFailure && isAttributionSound) {
+				for (const missFile of missFiles) {
+					const cacheKey = cacheKeyByFile.get(missFile);
+					if (cacheKey !== void 0) cache.store(cacheKey, freshDiagnosticsByFile.get(missFile) ?? []);
+				}
+				cache.persist();
+			}
+			return dedupeDiagnostics([
+				...replayedDiagnostics,
+				...cacheableResult.diagnostics,
+				...sidecarResult.diagnostics
+			]);
+		}
+		const baseArgs = makeBaseArgs(configPath);
+		const fileBatches = batchIncludePaths(baseArgs, candidateFiles);
 		const runBatches = () => spawnLintBatches({
 			baseArgs,
 			fileBatches,
@@ -39243,7 +39977,8 @@ const runOxlint = async (options) => {
 			onFileProgress: options.onFileProgress,
 			spawnTimeoutMs,
 			outputMaxBytes,
-			concurrency: options.concurrency
+			concurrency: options.concurrency,
+			signal: options.signal
 		});
 		writeOxlintConfig(configPath, buildConfig({ extendsPaths }));
 		try {
@@ -39322,9 +40057,11 @@ var Linter = class Linter extends Service()("react-doctor/Linter") {
 		const spawnTimeoutMs = yield* OxlintSpawnTimeoutMs;
 		const outputMaxBytes = yield* OxlintOutputMaxBytes;
 		const concurrency = yield* OxlintConcurrency;
+		const lintBatchOrdering = yield* LintBatchOrdering;
+		const perFileLintCacheEnabled = yield* PerFileLintCacheEnabled;
 		const collectedFailures = [];
 		const diagnostics = yield* tryPromise({
-			try: () => runOxlint({
+			try: (signal) => runOxlint({
 				rootDirectory: input.rootDirectory,
 				project: input.project,
 				includePaths: input.includePaths ? [...input.includePaths] : void 0,
@@ -39339,9 +40076,13 @@ var Linter = class Linter extends Service()("react-doctor/Linter") {
 					collectedFailures.push(reason);
 				},
 				onFileProgress: input.onFileProgress,
+				perFileLintCacheEnabled,
+				onCacheStats: input.onCacheStats,
 				spawnTimeoutMs,
 				outputMaxBytes,
-				concurrency
+				concurrency,
+				signal,
+				lintBatchOrdering
 			}),
 			catch: ensureReactDoctorError
 		});
@@ -39733,14 +40474,49 @@ const parseArtifactFromBody = (body) => {
 	}
 	return null;
 };
-const fetchSocketArtifact = (dependency) => tryPromise(async (signal) => {
+const isSupplyChainCacheDisabled = () => {
+	const noCache = process.env["REACT_DOCTOR_NO_CACHE"]?.toLowerCase() ?? "";
+	return noCache === "1" || noCache === "true";
+};
+const supplyChainCacheFile = (cacheDirectory, dependency) => {
+	const purlHash = crypto.createHash("sha256").update(toPurl(dependency)).digest("hex").slice(0, 16);
+	return Path.join(cacheDirectory, SUPPLY_CHAIN_CACHE_SUBDIR, `${purlHash}.json`);
+};
+const readCachedSocketBody = (cacheFile) => {
+	try {
+		const entry = JSON.parse(NFS.readFileSync(cacheFile, "utf-8"));
+		if (typeof entry === "object" && entry !== null && "fetchedAtMs" in entry && "body" in entry && typeof entry.fetchedAtMs === "number" && typeof entry.body === "string" && Date.now() - entry.fetchedAtMs <= 864e5) return entry.body;
+	} catch {}
+	return null;
+};
+const writeCachedSocketBody = (cacheFile, body) => {
+	try {
+		NFS.mkdirSync(Path.dirname(cacheFile), { recursive: true });
+		NFS.writeFileSync(cacheFile, JSON.stringify({
+			fetchedAtMs: Date.now(),
+			body
+		}));
+	} catch {}
+};
+const fetchSocketArtifact = (dependency, cacheDirectory) => tryPromise(async (signal) => {
+	const cacheFile = cacheDirectory === null ? null : supplyChainCacheFile(cacheDirectory, dependency);
+	if (cacheFile !== null) {
+		const cachedBody = readCachedSocketBody(cacheFile);
+		if (cachedBody !== null) {
+			const cachedArtifact = parseArtifactFromBody(cachedBody);
+			if (cachedArtifact !== null) return cachedArtifact;
+		}
+	}
 	const requestUrl = `${SOCKET_FREE_PURL_API_BASE}/${encodeURIComponent(toPurl(dependency))}`;
 	const response = await fetch(requestUrl, {
 		headers: { "User-Agent": SOCKET_FREE_USER_AGENT },
 		signal
 	});
 	if (!response.ok) return null;
-	return parseArtifactFromBody(await response.text());
+	const body = await response.text();
+	const artifact = parseArtifactFromBody(body);
+	if (artifact !== null && cacheFile !== null) writeCachedSocketBody(cacheFile, body);
+	return artifact;
 }).pipe(timeout(FETCH_TIMEOUT_MS), orElseSucceed(() => null), tap$1((artifact) => {
 	const scoreAttributes = {};
 	if (artifact !== null) {
@@ -39845,7 +40621,8 @@ const checkSupplyChain = (input) => gen(function* () {
 	const packageJsonPath = Path.join(input.rootDirectory, "package.json");
 	const dependencies = collectDependenciesToScore(readPackageJson(packageJsonPath), readPackageJsonText(packageJsonPath), options.includeDevDependencies);
 	if (dependencies.length === 0) return [];
-	const artifacts = yield* forEach$1(dependencies, fetchSocketArtifact, { concurrency: 8 });
+	const cacheDirectory = isSupplyChainCacheDisabled() ? null : resolveReactDoctorCacheDir(input.rootDirectory);
+	const artifacts = yield* forEach$1(dependencies, (dependency) => fetchSocketArtifact(dependency, cacheDirectory), { concurrency: 8 }).pipe(timeoutOption(input.totalTimeoutMs ?? 9e4), map$3((maybeArtifacts) => getOrElse$1(maybeArtifacts, () => [])));
 	const diagnostics = [];
 	for (let index = 0; index < dependencies.length; index += 1) {
 		const artifact = artifacts[index];
@@ -39870,6 +40647,10 @@ const checkSupplyChain = (input) => gen(function* () {
 * The underlying `checkSupplyChain` Effect is total/fail-open — per-package
 * timeouts and network failures recover to "skip" — so the stream never
 * fails, mirroring `DeadCode`'s stream shape so the two compose the same way.
+* The orchestrator (`run-inspect.ts`) consumes this stream on a background
+* fiber whose network time overlaps the lint pass, joined under a generous
+* wall-clock budget; a budget expiry is the same fail-open outcome as a Socket
+* outage.
 */
 var SupplyChain = class SupplyChain extends Service()("react-doctor/SupplyChain") {
 	static layerNode = succeed$3(SupplyChain, SupplyChain.of({ run: (input) => unwrap(checkSupplyChain(input).pipe(map$3((diagnostics) => fromIterable$1(diagnostics)), withSpan("SupplyChain.run"))) }));
@@ -39928,18 +40709,45 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *
 * Phases:
 *
-*   1. Config.resolve(directory) → Project.discover → Git metadata
+*   1. Config.resolve(directory) → Project.discover → Git metadata.
+*      The GitHub viewer-permission lookup is forked onto a background
+*      fiber here and joined late (it feeds score metadata, not
+*      diagnostics).
 *   2. beforeLint hook (e.g. CLI renders the project-detection block)
 *   3. environment checks (reduced-motion + pnpm hardening +
-*      expo/react-native + security scan)
-*   4. Linter.run + DeadCode.run — forked as concurrent fibers so
-*      their wall-clock times overlap. Progress spinners stay
-*      sequential (lint first, then dead-code) for clean terminal
-*      output. GitHub viewer permission also runs as a background
-*      fiber during this phase.
-*   5. afterLint hook
-*   6. Reporter.finalize
-*   7. Score.compute against the surface-filtered diagnostic set
+*      expo/react-native), collected synchronously. The heavier
+*      content-regex security scan is forked instead (like supply-chain
+*      below) and joined before the concat, so its CPU overlaps lint
+*      rather than blocking the event loop before it.
+*   4. The supply-chain check (Socket.dev) is forked onto a background
+*      fiber so its ~100% network-bound time overlaps the ~100%
+*      CPU/subprocess-bound lint pass below, collapsing two serial
+*      phases into roughly `max(supplyChain, lint)`. It is capped by
+*      `SupplyChainOverlapTimeoutMs` (measured from fork) so a hung
+*      socket can't drag out its join; on timeout it fails open to no
+*      diagnostics — the same outcome class as a Socket outage.
+*   5. Linter.run runs; DeadCode.run runs concurrently (forked child
+*      fiber) ONLY when the memory gate has headroom to run the 8 GB
+*      dead-code child alongside the oxlint workers — or when overlap is
+*      forced via REACT_DOCTOR_DEAD_CODE_OVERLAP. Otherwise dead-code
+*      runs sequentially after lint, exactly as it did pre-overlap. The
+*      fiber is joined (or interrupted, SIGKILLing its worker, on lint
+*      failure) before diagnostics are concatenated. The afterLint hook
+*      fires between lint and dead-code. Progress spinner labels AND the
+*      final diagnostic / score order stay independent of execution
+*      order, so terminal output is identical either way; supply-chain
+*      rides alongside without a spinner.
+*   6. Join the supply-chain fiber, then assemble the diagnostics in a
+*      FIXED order (env, security-scan, supply-chain, lint, dead-code) so the output is
+*      byte-identical regardless of which fiber settled first. The
+*      viewer-permission fiber is joined later, during score-metadata
+*      assembly (it feeds score metadata, not diagnostics). The per-element
+*      `Reporter.emit` side-channel now interleaves supply-chain with lint
+*      emits, so capture-order assertions must target the deterministic
+*      concat below, not emit order (production `Reporter.layerNoop` makes
+*      emit a no-op).
+*   7. Reporter.finalize
+*   8. Score.compute against the surface-filtered diagnostic set
 *
 * The orchestrator owns spinner lifecycle via `Progress`; callers
 * choose `Progress.layerOra(...)` for CLI feedback or
@@ -39991,16 +40799,27 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		...checkPnpmHardening(scanDirectory),
 		...checkReactServerComponentsAdvisory(scanDirectory, project),
 		...checkExpoProject(scanDirectory, project),
-		...checkReactNativeProject(scanDirectory, project),
-		...checkSecurityScan(scanDirectory, {
-			project,
-			ignoredTags: input.ignoredTags
-		})
+		...checkReactNativeProject(scanDirectory, project)
 	])));
-	const supplyChainCollected = !isDiffMode || (input.supplyChainManifestChanged ?? false) ? yield* runCollect(applyPerElementPipeline(supplyChainService.run({
+	const securityScanFiber = yield* forkChild(runCollect(applyPerElementPipeline(isDiffMode ? empty$4 : unwrap(promise(() => checkSecurityScanCooperative(scanDirectory, {
+		project,
+		ignoredTags: input.ignoredTags
+	})).pipe(map$3((diagnostics) => fromIterable$1(diagnostics)))))).pipe(withSpan("SecurityScan.run")));
+	const shouldRunSupplyChain = !isDiffMode || (input.supplyChainManifestChanged ?? false);
+	const supplyChainOverlapTimeout = yield* SupplyChainOverlapTimeoutMs;
+	const supplyChainFiber = yield* forkChild(shouldRunSupplyChain ? runCollect(applyPerElementPipeline(supplyChainService.run({
 		rootDirectory: scanDirectory,
 		userConfig: resolvedConfig.config
-	}))) : [];
+	}))).pipe(map$3((diagnostics) => ({
+		diagnostics,
+		timedOut: false
+	})), timeout(supplyChainOverlapTimeout), orElseSucceed(() => ({
+		diagnostics: [],
+		timedOut: true
+	}))) : succeed$2({
+		diagnostics: [],
+		timedOut: false
+	}));
 	const lintFailure = yield* make$13({
 		didFail: false,
 		reason: null,
@@ -40011,12 +40830,49 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		didFail: false,
 		reason: null
 	});
-	const scanConcurrency = yield* OxlintConcurrency;
+	const scanConcurrency = resolveScanConcurrency(yield* OxlintConcurrency);
+	const lintPhaseTimeoutMs = yield* LintPhaseTimeoutMs;
+	const deadCodePhaseTimeoutMs = yield* DeadCodePhaseTimeoutMs;
+	const resolveDeadCodePhaseTimeoutMs = (scaledPhaseTimeoutMs) => deadCodePhaseTimeoutMs === 15e4 ? scaledPhaseTimeoutMs : deadCodePhaseTimeoutMs;
 	const workerCountSuffix = scanConcurrency > 1 ? ` ${highlighter.dim(`[~${scanConcurrency} workers]`)}` : "";
+	const shouldRunDeadCode = input.runDeadCode && !isDiffMode && (showWarnings || deadCodeMaySurfaceWhenWarningsHidden(resolvedConfig.config));
+	const deadCodeOverlapMode = yield* DeadCodeOverlap;
+	const shouldOverlapDeadCode = shouldRunDeadCode && deadCodeOverlapMode === "on";
+	const deadCodeParseConcurrency = shouldOverlapDeadCode ? Math.max(1, Math.floor(scanConcurrency * DEAD_CODE_OVERLAP_PARSE_SHARE)) : void 0;
+	const lintConcurrency = deadCodeParseConcurrency === void 0 ? scanConcurrency : Math.max(1, scanConcurrency - deadCodeParseConcurrency);
+	const buildCollectDeadCode = (deadCodeTimeout) => runCollect(applyPerElementPipeline(deadCodeService.run({
+		rootDirectory: scanDirectory,
+		userConfig: resolvedConfig.config,
+		parseConcurrency: deadCodeParseConcurrency,
+		workerTimeoutMs: deadCodeTimeout.workerTimeoutMs
+	}).pipe(catchTag("ReactDoctorError", (error) => unwrap(gen(function* () {
+		yield* set(deadCodeFailure, {
+			didFail: true,
+			reason: error.message
+		});
+		return empty$4;
+	})))))).pipe(timeoutOption(deadCodeTimeout.phaseTimeoutMs), flatMap$2(match$3({
+		onNone: () => set(deadCodeFailure, {
+			didFail: true,
+			reason: `Dead-code analysis exceeded ${Math.round(deadCodeTimeout.phaseTimeoutMs / MILLISECONDS_PER_SECOND)}s and was skipped.`
+		}).pipe(as([])),
+		onSome: succeed$2
+	})));
+	const overlapDeadCodeTimeout = resolveDeadCodeTimeout({
+		sourceFileCount: project.sourceFileCount,
+		deadCodeConcurrency: deadCodeParseConcurrency ?? scanConcurrency,
+		fullConcurrency: scanConcurrency
+	});
+	const deadCodeFiber = shouldOverlapDeadCode ? yield* forkChild(buildCollectDeadCode({
+		workerTimeoutMs: overlapDeadCodeTimeout.workerTimeoutMs,
+		phaseTimeoutMs: resolveDeadCodePhaseTimeoutMs(overlapDeadCodeTimeout.phaseTimeoutMs)
+	})) : null;
 	const scanProgress = yield* progressService.start("Scanning...");
 	const scanStartTime = Date.now();
 	let lastReportedTotalFileCount = 0;
-	const lintCollected = yield* runCollect(applyPerElementPipeline(linterService.run({
+	let lintCacheHitFileCount = null;
+	let lintCacheTotalFileCount = null;
+	const baseLintStream = linterService.run({
 		rootDirectory: scanDirectory,
 		project,
 		includePaths: lintIncludePaths ?? void 0,
@@ -40030,6 +40886,10 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		onFileProgress: (scannedFileCount, totalFileCount) => {
 			lastReportedTotalFileCount = totalFileCount;
 			runSync(scanProgress.update(`Scanning files (${scannedFileCount}/${totalFileCount})${workerCountSuffix}...`));
+		},
+		onCacheStats: (cacheHitFileCount, totalConsideredFileCount) => {
+			lintCacheHitFileCount = cacheHitFileCount;
+			lintCacheTotalFileCount = totalConsideredFileCount;
 		}
 	}).pipe(catchTag("ReactDoctorError", (error) => unwrap(gen(function* () {
 		yield* set(lintFailure, {
@@ -40039,36 +40899,56 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 			reasonKind: error.reason._tag === "OxlintUnavailable" ? error.reason.kind : null
 		});
 		return empty$4;
-	}))))));
+	}))));
+	const lintCollected = yield* runCollect(applyPerElementPipeline(shouldOverlapDeadCode ? baseLintStream.pipe(provideService(OxlintConcurrency, lintConcurrency)) : baseLintStream)).pipe(timeoutOption(lintPhaseTimeoutMs), flatMap$2(match$3({
+		onNone: () => set(lintFailure, {
+			didFail: true,
+			reason: `Lint analysis exceeded ${lintPhaseTimeoutMs / MILLISECONDS_PER_SECOND}s and was skipped.`,
+			reasonTag: "OxlintBatchExceeded",
+			reasonKind: null
+		}).pipe(as([])),
+		onSome: succeed$2
+	})));
 	const lintFailureState = yield* get$2(lintFailure);
 	yield* afterLint(lintFailureState.didFail);
 	if (lintFailureState.didFail) yield* scanProgress.fail(formatLintFailText(lintFailureState.reasonTag, process.version));
 	const totalFileCount = lastReportedTotalFileCount || (lintIncludePaths?.length ?? project.sourceFileCount);
 	const scannedFilesLabel = `${totalFileCount} ${totalFileCount === 1 ? "file" : "files"}`;
-	const shouldRunDeadCode = input.runDeadCode && !isDiffMode && (showWarnings || deadCodeMaySurfaceWhenWarningsHidden(resolvedConfig.config));
-	const deadCodeCollected = lintFailureState.didFail || !shouldRunDeadCode ? [] : yield* scanProgress.update(`Scanned ${scannedFilesLabel}, analyzing dead code...`).pipe(andThen(runCollect(applyPerElementPipeline(deadCodeService.run({
-		rootDirectory: scanDirectory,
-		userConfig: resolvedConfig.config
-	}).pipe(catchTag("ReactDoctorError", (error) => unwrap(gen(function* () {
-		yield* set(deadCodeFailure, {
-			didFail: true,
-			reason: error.message
+	let deadCodeCollected = [];
+	if (lintFailureState.didFail) {
+		if (deadCodeFiber !== null) yield* interrupt(deadCodeFiber);
+	} else if (shouldRunDeadCode) {
+		yield* scanProgress.update(`Scanned ${scannedFilesLabel}, analyzing dead code...`);
+		const sequentialDeadCodeTimeout = resolveDeadCodeTimeout({
+			sourceFileCount: totalFileCount,
+			deadCodeConcurrency: scanConcurrency,
+			fullConcurrency: scanConcurrency
 		});
-		return empty$4;
-	}))))))));
-	const deadCodeFailureState = yield* get$2(deadCodeFailure);
+		deadCodeCollected = deadCodeFiber !== null ? yield* join(deadCodeFiber) : yield* buildCollectDeadCode({
+			workerTimeoutMs: sequentialDeadCodeTimeout.workerTimeoutMs,
+			phaseTimeoutMs: resolveDeadCodePhaseTimeoutMs(sequentialDeadCodeTimeout.phaseTimeoutMs)
+		});
+	}
+	const deadCodeFailureState = lintFailureState.didFail ? {
+		didFail: false,
+		reason: null
+	} : yield* get$2(deadCodeFailure);
 	const scanElapsedMilliseconds = Date.now() - scanStartTime;
 	const scanElapsedSeconds = (scanElapsedMilliseconds / MILLISECONDS_PER_SECOND).toFixed(1);
 	if (!lintFailureState.didFail) if (deadCodeFailureState.didFail) yield* scanProgress.fail(DEAD_CODE_FAIL_TEXT);
 	else if (input.suppressScanSummary) yield* scanProgress.stop();
 	else yield* scanProgress.succeed(`Scanned ${scannedFilesLabel} in ${scanElapsedSeconds}s${workerCountSuffix}`);
+	const supplyChainResult = yield* join(supplyChainFiber);
+	const supplyChainCollected = supplyChainResult.diagnostics;
+	const securityScanCollected = yield* join(securityScanFiber);
 	yield* reporterService.finalize;
-	const finalDiagnostics = assignFixGroups([
+	const finalDiagnostics = sortDiagnosticsStable(assignFixGroups([
 		...envCollected,
+		...securityScanCollected,
 		...supplyChainCollected,
 		...lintCollected,
 		...deadCodeCollected
-	]);
+	]));
 	const githubViewerPermission = yield* join(githubViewerPermissionFiber);
 	const scoreMetadata = {
 		...repo !== null ? { repo } : {},
@@ -40104,9 +40984,14 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		lintPartialFailures,
 		didDeadCodeFail: deadCodeFailureState.didFail,
 		deadCodeFailureReason: deadCodeFailureState.reason,
+		deadCodeOverlapped: shouldOverlapDeadCode,
 		scannedFileCount: totalFileCount,
 		scannedFilePaths,
-		scanElapsedMilliseconds
+		scanElapsedMilliseconds,
+		scanConcurrency,
+		supplyChainOverlapTimedOut: supplyChainResult.timedOut,
+		lintCacheHitFileCount,
+		lintCacheTotalFileCount
 	};
 }).pipe(withSpan("runInspect", { attributes: {
 	"inspect.directory": input.directory,
@@ -40114,7 +40999,7 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 	"inspect.runDeadCode": input.runDeadCode,
 	"inspect.isCi": input.isCi,
 	"inspect.scoreSurface": input.scoreSurface ?? "score"
-} }));
+} }), (scanProgram) => flatMap$2(ScanDeadlineMs, (scanDeadlineMs) => scanProgram.pipe(timeout(scanDeadlineMs), catchTag$1("TimeoutError", () => new ReactDoctorError({ reason: new ScanDeadlineExceeded({ detail: `${scanDeadlineMs / MILLISECONDS_PER_SECOND}s elapsed` }) })))));
 const parseNodeVersion = (versionString) => {
 	const [major = 0, minor = 0, patch = 0] = versionString.replace(/^v/, "").trim().split(".").map(Number);
 	return {
@@ -40435,7 +41320,7 @@ const computeConfigFingerprint = (projectDirectory, version) => {
 /** Display name used in client-facing messages and progress titles. */
 const SERVER_DISPLAY_NAME = "React Doctor";
 /** Server version reported in `serverInfo`; injected at build, `dev` from source. */
-const SERVER_VERSION = "0.5.7";
+const SERVER_VERSION = "0.5.8";
 /** `Diagnostic.source` shown next to every published diagnostic. */
 const DIAGNOSTIC_SOURCE = "react-doctor";
 /**
@@ -41090,6 +41975,7 @@ const createProjectGraph = (options) => {
 			clearPackageJsonCache();
 			clearIgnorePatternsCache();
 			clearAutoSuppressionCaches();
+			clearMinifiedFileCache();
 			projects = null;
 		}
 	};
@@ -42130,6 +43016,7 @@ const SENTRY_FLUSH_TIMEOUT_MS = 2e3;
 const METRIC = {
 	cliInvoked: "cli.invoked",
 	cliError: "cli.error",
+	cliEnvironmentError: "cli.env_error",
 	projectDetected: "project.detected",
 	projectPathSelected: "project.path_selected",
 	projectConfigSelected: "project.config_selected",
@@ -42476,5 +43363,5 @@ const startLanguageServer = () => {
 };
 //#endregion
 export { startLanguageServer };
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="1afe1e75-32a9-5e7e-bd02-778b52d7ca8d")}catch(e){}}();
-//# debugId=1afe1e75-32a9-5e7e-bd02-778b52d7ca8d
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="bb5309e5-ce90-551d-bf0a-7db0ea302f24")}catch(e){}}();
+//# debugId=bb5309e5-ce90-551d-bf0a-7db0ea302f24