react-doctor 0.5.8-dev.441e6af → 0.5.8-dev.5774deb

package/dist/cli.js

@@ -1,5 +1,5 @@
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="7e6ea254-9fcd-5076-8bd6-01ad63633c24")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="498477a7-1f41-5ecb-9999-c48cfef57259")}catch(e){}}();
 import { createRequire } from "node:module";
 import * as NodeChildProcess from "node:child_process";
 import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
@@ -9041,7 +9041,7 @@ const composePassthrough = /* @__PURE__ */ dual(2, (left, right) => (input) => {
 * @since 2.0.0
 */
 const Scheduler = /* @__PURE__ */ Reference("effect/Scheduler", { defaultValue: () => new MixedScheduler() });
-const setImmediate = "setImmediate" in globalThis ? (f) => {
+const setImmediate$1 = "setImmediate" in globalThis ? (f) => {
 	const timer = globalThis.setImmediate(f);
 	return () => globalThis.clearImmediate(timer);
 } : (f) => {
@@ -9085,7 +9085,7 @@ var PriorityBuckets = class {
 var MixedScheduler = class {
 	executionMode;
 	setImmediate;
-	constructor(executionMode = "async", setImmediateFn = setImmediate) {
+	constructor(executionMode = "async", setImmediateFn = setImmediate$1) {
 		this.executionMode = executionMode;
 		this.setImmediate = setImmediateFn;
 	}
@@ -9110,7 +9110,7 @@ var MixedSchedulerDispatcher = class {
 	tasks = /* @__PURE__ */ new PriorityBuckets();
 	running = void 0;
 	setImmediate;
-	constructor(setImmediateFn = setImmediate) {
+	constructor(setImmediateFn = setImmediate$1) {
 		this.setImmediate = setImmediateFn;
 	}
 	/**
@@ -36947,6 +36947,7 @@ const DEAD_CODE_PHASE_TIMEOUT_MS = 15e4;
 const LINT_PHASE_TIMEOUT_MS = 3e5;
 const SCAN_TOTAL_DEADLINE_MS = 9e5;
 const DEAD_CODE_WORKER_MAX_OLD_SPACE_MB = 8192;
+const DEAD_CODE_WORKER_MEM_BUDGET_BYTES = 2 * 1024 * 1024 * 1024;
 const DEAD_CODE_TIMEOUT_CEILING_MS = 6e5;
 const DEAD_CODE_PHASE_TIMEOUT_OVER_WORKER_MS = 3e4;
 const DEAD_CODE_OVERLAP_PARSE_SHARE = .4;
@@ -38557,7 +38558,7 @@ const resolveScanConcurrency = (requested) => {
 	if (!Number.isFinite(requested) || requested < 1) return 1;
 	return Math.min(Math.floor(requested), 32);
 };
-const readSystemFacts = () => ({
+const readSystemFacts$1 = () => ({
 	availableCores: os.availableParallelism(),
 	totalMemoryBytes: os.totalmem(),
 	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
@@ -38578,7 +38579,7 @@ const readSystemFacts = () => ({
 * `facts` is injectable so tests exercise core-bound, memory-bound, cgroup-
 * limited, and ceiling cases without mocking `os` or the filesystem.
 */
-const resolveAutoScanConcurrency = (facts = readSystemFacts()) => {
+const resolveAutoScanConcurrency = (facts = readSystemFacts$1()) => {
 	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
 	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / PER_WORKER_MEM_BUDGET_BYTES);
 	return resolveScanConcurrency(Math.min(facts.availableCores, memoryBoundedWorkers));
@@ -40139,7 +40140,10 @@ const shouldEnableRule = (requires, tags, capabilities, ignoredTags, disabledBy)
 	}
 	return true;
 };
-const checkSecurityScan = (rootDirectory, options = {}) => {
+const yieldToEventLoop = () => new Promise((resolve) => {
+	setImmediate(resolve);
+});
+const createSecurityScanSession = (rootDirectory, options) => {
 	const capabilities = options.project ? buildCapabilities(options.project) : /* @__PURE__ */ new Set();
 	const ignoredTags = options.ignoredTags ?? /* @__PURE__ */ new Set();
 	const enabledScanRules = REACT_DOCTOR_RULES.flatMap((entry) => {
@@ -40154,7 +40158,7 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 			committedFilesOnly: rule.committedFilesOnly === true
 		}];
 	});
-	if (enabledScanRules.length === 0) return [];
+	if (enabledScanRules.length === 0) return null;
 	const diagnostics = [];
 	const seen = /* @__PURE__ */ new Set();
 	const gitIgnoredCache = /* @__PURE__ */ new Map();
@@ -40166,15 +40170,34 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 		}
 		return status === true;
 	};
-	for (const file of collectSecurityScanFiles(rootDirectory)) for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
-		if (committedFilesOnly && isFileGitIgnored(file)) continue;
-		const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
-		const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
-		if (seen.has(key)) continue;
-		seen.add(key);
-		diagnostics.push(diagnostic);
+	const scanFile = (file) => {
+		for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
+			if (committedFilesOnly && isFileGitIgnored(file)) continue;
+			const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
+			const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			diagnostics.push(diagnostic);
+		}
+	};
+	return {
+		scanFile,
+		diagnostics
+	};
+};
+const checkSecurityScanCooperative = async (rootDirectory, options = {}) => {
+	const session = createSecurityScanSession(rootDirectory, options);
+	if (session === null) return [];
+	let filesSinceYield = 0;
+	for (const file of collectSecurityScanFiles(rootDirectory)) {
+		session.scanFile(file);
+		filesSinceYield += 1;
+		if (filesSinceYield >= 16) {
+			filesSinceYield = 0;
+			await yieldToEventLoop();
+		}
 	}
-	return diagnostics;
+	return session.diagnostics;
 };
 var import_picocolors = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exports, module) => {
 	let p = process || {}, argv = p.argv || [], env = p.env || {};
@@ -40407,6 +40430,74 @@ const collectDeadCodeIgnorePatterns = (rootDirectory) => {
 	return [...seen].filter((pattern) => pattern.length > 0);
 };
 const collectDeadCodeEntryPatterns = (rootDirectory) => [...new Set(collectKnipPatterns(rootDirectory, "entry"))].filter((pattern) => pattern.length > 0);
+const readSystemFacts = () => ({
+	availableCores: os.availableParallelism(),
+	totalMemoryBytes: os.totalmem(),
+	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
+});
+/**
+* How many real deslop dead-code child processes may run at once, across the
+* concurrent per-project `runInspect` fibers of one CLI run. The cap is the
+* smaller of the core count and the number of `DEAD_CODE_WORKER_MEM_BUDGET_BYTES`
+* workers that fit in available memory, floored at 1.
+*
+* On a roomy dev box / CI runner this resolves high enough that every
+* concurrently-scanned project still spawns its own worker (no serialization vs
+* the prior uncapped behavior); on a memory-constrained runner it collapses
+* toward 1, so the `withDeadCodeWorkerSlot` semaphore serializes the spawns
+* instead of oversubscribing memory with N simultaneous children — the global
+* cap the per-project spawn path lacked.
+*
+* Mirrors `resolveAutoScanConcurrency` (lint), but budgets memory per the
+* heavier dead-code worker. `facts` is injectable for tests.
+*/
+const resolveDeadCodeConcurrency = (facts = readSystemFacts()) => {
+	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
+	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / DEAD_CODE_WORKER_MEM_BUDGET_BYTES);
+	return Math.max(1, Math.min(facts.availableCores, memoryBoundedWorkers));
+};
+let availableSlots = -1;
+const waiters = [];
+const releaseSlot = () => {
+	const nextWaiter = waiters.shift();
+	if (nextWaiter !== void 0) nextWaiter();
+	else availableSlots += 1;
+};
+/**
+* Runs `task` once a dead-code worker slot is free, releasing the slot when the
+* task settles (success or failure). With a high cap (roomy machine) every
+* caller proceeds immediately; with a low cap (constrained runner) callers
+* queue and run as slots free.
+*
+* `abortSignal` short-circuits the WAIT: if it's already aborted, or fires while
+* this caller is queued, the call rejects without acquiring a slot or running
+* `task` — so a cancelled scan (e.g. lint failed) doesn't sit in the queue and
+* then spawn a child only to tear it down. A queued caller that aborts removes
+* its own waiter so a later release never hands a slot to a dead request.
+*/
+const withDeadCodeWorkerSlot = async (task, abortSignal) => {
+	if (abortSignal?.aborted) throw new Error("Dead-code worker aborted.");
+	if (availableSlots < 0) availableSlots = resolveDeadCodeConcurrency();
+	if (availableSlots > 0) availableSlots -= 1;
+	else await new Promise((resolve, reject) => {
+		const waiter = () => {
+			abortSignal?.removeEventListener("abort", onAbort);
+			resolve();
+		};
+		const onAbort = () => {
+			const queuedIndex = waiters.indexOf(waiter);
+			if (queuedIndex !== -1) waiters.splice(queuedIndex, 1);
+			reject(/* @__PURE__ */ new Error("Dead-code worker aborted."));
+		};
+		waiters.push(waiter);
+		abortSignal?.addEventListener("abort", onAbort, { once: true });
+	});
+	try {
+		return await task();
+	} finally {
+		releaseSlot();
+	}
+};
 /**
 * Resolves a path to its canonical, symlink-free form, falling back to
 * the input when it cannot be realpath'd (broken symlink, permission
@@ -40697,14 +40788,17 @@ const checkDeadCode = async (options) => {
 	if (!NFS.existsSync(Path.join(rootDirectory, "package.json"))) return [];
 	const entryPatterns = collectDeadCodeEntryPatterns(rootDirectory);
 	const ignorePatterns = collectDeadCodeIgnorePatterns(rootDirectory);
-	const result = parseDeadCodeWorkerResult(await runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
-		rootDirectory,
-		entryPatterns,
-		tsConfigPath: resolveTsConfigPath(rootDirectory),
-		ignorePatterns,
-		deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
-		parseConcurrency: options.parseConcurrency
-	}), options.workerTimeoutMs ?? 12e4, options.abortSignal));
+	const spawnAndRun = () => {
+		return runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
+			rootDirectory,
+			entryPatterns,
+			tsConfigPath: resolveTsConfigPath(rootDirectory),
+			ignorePatterns,
+			deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
+			parseConcurrency: options.parseConcurrency
+		}), options.workerTimeoutMs ?? 12e4, options.abortSignal);
+	};
+	const result = parseDeadCodeWorkerResult(options.createWorker === void 0 ? await withDeadCodeWorkerSlot(spawnAndRun, options.abortSignal) : await spawnAndRun());
 	const toRelative = (filePath) => toRelativeFilePath(rootDirectory, filePath);
 	const diagnostics = [];
 	for (const unusedFile of result.unusedFiles) diagnostics.push({
@@ -43868,7 +43962,10 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      diagnostics).
 *   2. beforeLint hook (e.g. CLI renders the project-detection block)
 *   3. environment checks (reduced-motion + pnpm hardening +
-*      expo/react-native + security scan), collected synchronously
+*      expo/react-native), collected synchronously. The heavier
+*      content-regex security scan is forked instead (like supply-chain
+*      below) and joined before the concat, so its CPU overlaps lint
+*      rather than blocking the event loop before it.
 *   4. The supply-chain check (Socket.dev) is forked onto a background
 *      fiber so its ~100% network-bound time overlaps the ~100%
 *      CPU/subprocess-bound lint pass below, collapsing two serial
@@ -43888,7 +43985,7 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      order, so terminal output is identical either way; supply-chain
 *      rides alongside without a spinner.
 *   6. Join the supply-chain fiber, then assemble the diagnostics in a
-*      FIXED order (env, supply-chain, lint, dead-code) so the output is
+*      FIXED order (env, security-scan, supply-chain, lint, dead-code) so the output is
 *      byte-identical regardless of which fiber settled first. The
 *      viewer-permission fiber is joined later, during score-metadata
 *      assembly (it feeds score metadata, not diagnostics). The per-element
@@ -43949,12 +44046,12 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		...checkPnpmHardening(scanDirectory),
 		...checkReactServerComponentsAdvisory(scanDirectory, project),
 		...checkExpoProject(scanDirectory, project),
-		...checkReactNativeProject(scanDirectory, project),
-		...checkSecurityScan(scanDirectory, {
-			project,
-			ignoredTags: input.ignoredTags
-		})
+		...checkReactNativeProject(scanDirectory, project)
 	])));
+	const securityScanFiber = yield* forkChild(runCollect(applyPerElementPipeline(isDiffMode ? empty$4 : unwrap(promise(() => checkSecurityScanCooperative(scanDirectory, {
+		project,
+		ignoredTags: input.ignoredTags
+	})).pipe(map$3((diagnostics) => fromIterable$1(diagnostics)))))).pipe(withSpan("SecurityScan.run")));
 	const shouldRunSupplyChain = !isDiffMode || (input.supplyChainManifestChanged ?? false);
 	const supplyChainOverlapTimeout = yield* SupplyChainOverlapTimeoutMs;
 	const supplyChainFiber = yield* forkChild(shouldRunSupplyChain ? runCollect(applyPerElementPipeline(supplyChainService.run({
@@ -44090,9 +44187,11 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 	else yield* scanProgress.succeed(`Scanned ${scannedFilesLabel} in ${scanElapsedSeconds}s${workerCountSuffix}`);
 	const supplyChainResult = yield* join(supplyChainFiber);
 	const supplyChainCollected = supplyChainResult.diagnostics;
+	const securityScanCollected = yield* join(securityScanFiber);
 	yield* reporterService.finalize;
 	const finalDiagnostics = sortDiagnosticsStable(assignFixGroups([
 		...envCollected,
+		...securityScanCollected,
 		...supplyChainCollected,
 		...lintCollected,
 		...deadCodeCollected
@@ -44926,7 +45025,7 @@ const makeNoopConsole = () => ({
 });
 //#endregion
 //#region src/cli/utils/version.ts
-const VERSION = "0.5.8-dev.441e6af";
+const VERSION = "0.5.8-dev.5774deb";
 //#endregion
 //#region src/cli/utils/json-mode.ts
 let context = null;
@@ -45290,13 +45389,13 @@ const isDevVersion = (version) => version === "0.0.0" || version.includes("-");
 * uploads source-map artifacts under, so stack frames symbolicate. Honors the
 * standard `SENTRY_RELEASE` override.
 */
-const resolveSentryRelease = () => process.env.SENTRY_RELEASE || `react-doctor@0.5.8-dev.441e6af`;
+const resolveSentryRelease = () => process.env.SENTRY_RELEASE || `react-doctor@0.5.8-dev.5774deb`;
 /**
 * Deployment environment shown in Sentry's environment filter. Defaults to
 * `production` for tagged releases and `development` for dev/unbuilt versions,
 * overridable via the standard `SENTRY_ENVIRONMENT` env var.
 */
-const resolveSentryEnvironment = () => process.env.SENTRY_ENVIRONMENT || (isDevVersion("0.5.8-dev.441e6af") ? "development" : "production");
+const resolveSentryEnvironment = () => process.env.SENTRY_ENVIRONMENT || (isDevVersion("0.5.8-dev.5774deb") ? "development" : "production");
 /**
 * Performance-tracing sample rate in `[0, 1]`. Reads `SENTRY_TRACES_SAMPLE_RATE`
 * (set to `0` to disable tracing) and falls back to
@@ -51089,7 +51188,8 @@ const getStagedSourceFiles = async (directory) => {
 		return [...await runPromise(gen(function* () {
 			return yield* (yield* StagedFiles).discoverSourceFiles(directory);
 		}).pipe(provide(stagedFilesLayer)))];
-	} catch {
+	} catch (error) {
+		cliLogger.warn(`Failed to discover staged files: ${error instanceof Error ? error.message : String(error)}`);
 		return [];
 	}
 };
@@ -53976,6 +54076,7 @@ const resolveRequestedProjects = (requestedNames, workspacePackages, rootDirecto
 	return requestedNames.map((requestedName) => {
 		const matched = workspacePackages.find((workspacePackage) => workspacePackage.name === requestedName || Path.basename(workspacePackage.directory) === requestedName);
 		if (matched) return matched.directory;
+		if (Path.basename(rootDirectory) === requestedName) return rootDirectory;
 		const candidateDirectory = Path.resolve(rootDirectory, requestedName);
 		if (isDirectory(candidateDirectory)) {
 			recordCount(METRIC.projectPathSelected);
@@ -55481,4 +55582,4 @@ Promise.resolve().then(() => assertNoRemovedFlags(process.argv)).then(() => prog
 export {};
 
 //# sourceMappingURL=cli.js.map
-//# debugId=7e6ea254-9fcd-5076-8bd6-01ad63633c24
+//# debugId=498477a7-1f41-5ecb-9999-c48cfef57259

package/dist/index.js

@@ -1,5 +1,5 @@
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="dccb6d63-63d4-5e91-af21-2756a08fe93a")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="b9d1a98e-f5ec-5357-a08b-f84864fdfa20")}catch(e){}}();
 import { r as __toESM$1, t as __commonJSMin$1 } from "./chunk-N93fKeF6.js";
 import { createRequire } from "node:module";
 import * as NFS from "node:fs";
@@ -5996,7 +5996,7 @@ const composePassthrough = /* @__PURE__ */ dual(2, (left, right) => (input) => {
 * @since 2.0.0
 */
 const Scheduler = /* @__PURE__ */ Reference("effect/Scheduler", { defaultValue: () => new MixedScheduler() });
-const setImmediate = "setImmediate" in globalThis ? (f) => {
+const setImmediate$1 = "setImmediate" in globalThis ? (f) => {
 	const timer = globalThis.setImmediate(f);
 	return () => globalThis.clearImmediate(timer);
 } : (f) => {
@@ -6040,7 +6040,7 @@ var PriorityBuckets = class {
 var MixedScheduler = class {
 	executionMode;
 	setImmediate;
-	constructor(executionMode = "async", setImmediateFn = setImmediate) {
+	constructor(executionMode = "async", setImmediateFn = setImmediate$1) {
 		this.executionMode = executionMode;
 		this.setImmediate = setImmediateFn;
 	}
@@ -6065,7 +6065,7 @@ var MixedSchedulerDispatcher = class {
 	tasks = /* @__PURE__ */ new PriorityBuckets();
 	running = void 0;
 	setImmediate;
-	constructor(setImmediateFn = setImmediate) {
+	constructor(setImmediateFn = setImmediate$1) {
 		this.setImmediate = setImmediateFn;
 	}
 	/**
@@ -33752,6 +33752,7 @@ const DEAD_CODE_PHASE_TIMEOUT_MS = 15e4;
 const LINT_PHASE_TIMEOUT_MS = 3e5;
 const SCAN_TOTAL_DEADLINE_MS = 9e5;
 const DEAD_CODE_WORKER_MAX_OLD_SPACE_MB = 8192;
+const DEAD_CODE_WORKER_MEM_BUDGET_BYTES = 2 * 1024 * 1024 * 1024;
 const DEAD_CODE_TIMEOUT_CEILING_MS = 6e5;
 const DEAD_CODE_PHASE_TIMEOUT_OVER_WORKER_MS = 3e4;
 const DEAD_CODE_OVERLAP_PARSE_SHARE = .4;
@@ -35369,7 +35370,7 @@ const resolveScanConcurrency = (requested) => {
 	if (!Number.isFinite(requested) || requested < 1) return 1;
 	return Math.min(Math.floor(requested), 32);
 };
-const readSystemFacts = () => ({
+const readSystemFacts$1 = () => ({
 	availableCores: os.availableParallelism(),
 	totalMemoryBytes: os.totalmem(),
 	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
@@ -35390,7 +35391,7 @@ const readSystemFacts = () => ({
 * `facts` is injectable so tests exercise core-bound, memory-bound, cgroup-
 * limited, and ceiling cases without mocking `os` or the filesystem.
 */
-const resolveAutoScanConcurrency = (facts = readSystemFacts()) => {
+const resolveAutoScanConcurrency = (facts = readSystemFacts$1()) => {
 	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
 	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / PER_WORKER_MEM_BUDGET_BYTES);
 	return resolveScanConcurrency(Math.min(facts.availableCores, memoryBoundedWorkers));
@@ -36923,7 +36924,10 @@ const shouldEnableRule = (requires, tags, capabilities, ignoredTags, disabledBy)
 	}
 	return true;
 };
-const checkSecurityScan = (rootDirectory, options = {}) => {
+const yieldToEventLoop = () => new Promise((resolve) => {
+	setImmediate(resolve);
+});
+const createSecurityScanSession = (rootDirectory, options) => {
 	const capabilities = options.project ? buildCapabilities(options.project) : /* @__PURE__ */ new Set();
 	const ignoredTags = options.ignoredTags ?? /* @__PURE__ */ new Set();
 	const enabledScanRules = REACT_DOCTOR_RULES.flatMap((entry) => {
@@ -36938,7 +36942,7 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 			committedFilesOnly: rule.committedFilesOnly === true
 		}];
 	});
-	if (enabledScanRules.length === 0) return [];
+	if (enabledScanRules.length === 0) return null;
 	const diagnostics = [];
 	const seen = /* @__PURE__ */ new Set();
 	const gitIgnoredCache = /* @__PURE__ */ new Map();
@@ -36950,15 +36954,34 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 		}
 		return status === true;
 	};
-	for (const file of collectSecurityScanFiles(rootDirectory)) for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
-		if (committedFilesOnly && isFileGitIgnored(file)) continue;
-		const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
-		const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
-		if (seen.has(key)) continue;
-		seen.add(key);
-		diagnostics.push(diagnostic);
+	const scanFile = (file) => {
+		for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
+			if (committedFilesOnly && isFileGitIgnored(file)) continue;
+			const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
+			const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			diagnostics.push(diagnostic);
+		}
+	};
+	return {
+		scanFile,
+		diagnostics
+	};
+};
+const checkSecurityScanCooperative = async (rootDirectory, options = {}) => {
+	const session = createSecurityScanSession(rootDirectory, options);
+	if (session === null) return [];
+	let filesSinceYield = 0;
+	for (const file of collectSecurityScanFiles(rootDirectory)) {
+		session.scanFile(file);
+		filesSinceYield += 1;
+		if (filesSinceYield >= 16) {
+			filesSinceYield = 0;
+			await yieldToEventLoop();
+		}
 	}
-	return diagnostics;
+	return session.diagnostics;
 };
 var import_picocolors = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exports, module) => {
 	let p = process || {}, argv = p.argv || [], env = p.env || {};
@@ -37175,6 +37198,74 @@ const collectDeadCodeIgnorePatterns = (rootDirectory) => {
 	return [...seen].filter((pattern) => pattern.length > 0);
 };
 const collectDeadCodeEntryPatterns = (rootDirectory) => [...new Set(collectKnipPatterns(rootDirectory, "entry"))].filter((pattern) => pattern.length > 0);
+const readSystemFacts = () => ({
+	availableCores: os.availableParallelism(),
+	totalMemoryBytes: os.totalmem(),
+	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
+});
+/**
+* How many real deslop dead-code child processes may run at once, across the
+* concurrent per-project `runInspect` fibers of one CLI run. The cap is the
+* smaller of the core count and the number of `DEAD_CODE_WORKER_MEM_BUDGET_BYTES`
+* workers that fit in available memory, floored at 1.
+*
+* On a roomy dev box / CI runner this resolves high enough that every
+* concurrently-scanned project still spawns its own worker (no serialization vs
+* the prior uncapped behavior); on a memory-constrained runner it collapses
+* toward 1, so the `withDeadCodeWorkerSlot` semaphore serializes the spawns
+* instead of oversubscribing memory with N simultaneous children — the global
+* cap the per-project spawn path lacked.
+*
+* Mirrors `resolveAutoScanConcurrency` (lint), but budgets memory per the
+* heavier dead-code worker. `facts` is injectable for tests.
+*/
+const resolveDeadCodeConcurrency = (facts = readSystemFacts()) => {
+	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
+	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / DEAD_CODE_WORKER_MEM_BUDGET_BYTES);
+	return Math.max(1, Math.min(facts.availableCores, memoryBoundedWorkers));
+};
+let availableSlots = -1;
+const waiters = [];
+const releaseSlot = () => {
+	const nextWaiter = waiters.shift();
+	if (nextWaiter !== void 0) nextWaiter();
+	else availableSlots += 1;
+};
+/**
+* Runs `task` once a dead-code worker slot is free, releasing the slot when the
+* task settles (success or failure). With a high cap (roomy machine) every
+* caller proceeds immediately; with a low cap (constrained runner) callers
+* queue and run as slots free.
+*
+* `abortSignal` short-circuits the WAIT: if it's already aborted, or fires while
+* this caller is queued, the call rejects without acquiring a slot or running
+* `task` — so a cancelled scan (e.g. lint failed) doesn't sit in the queue and
+* then spawn a child only to tear it down. A queued caller that aborts removes
+* its own waiter so a later release never hands a slot to a dead request.
+*/
+const withDeadCodeWorkerSlot = async (task, abortSignal) => {
+	if (abortSignal?.aborted) throw new Error("Dead-code worker aborted.");
+	if (availableSlots < 0) availableSlots = resolveDeadCodeConcurrency();
+	if (availableSlots > 0) availableSlots -= 1;
+	else await new Promise((resolve, reject) => {
+		const waiter = () => {
+			abortSignal?.removeEventListener("abort", onAbort);
+			resolve();
+		};
+		const onAbort = () => {
+			const queuedIndex = waiters.indexOf(waiter);
+			if (queuedIndex !== -1) waiters.splice(queuedIndex, 1);
+			reject(/* @__PURE__ */ new Error("Dead-code worker aborted."));
+		};
+		waiters.push(waiter);
+		abortSignal?.addEventListener("abort", onAbort, { once: true });
+	});
+	try {
+		return await task();
+	} finally {
+		releaseSlot();
+	}
+};
 /**
 * Resolves a path to its canonical, symlink-free form, falling back to
 * the input when it cannot be realpath'd (broken symlink, permission
@@ -37465,14 +37556,17 @@ const checkDeadCode = async (options) => {
 	if (!NFS.existsSync(Path.join(rootDirectory, "package.json"))) return [];
 	const entryPatterns = collectDeadCodeEntryPatterns(rootDirectory);
 	const ignorePatterns = collectDeadCodeIgnorePatterns(rootDirectory);
-	const result = parseDeadCodeWorkerResult(await runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
-		rootDirectory,
-		entryPatterns,
-		tsConfigPath: resolveTsConfigPath(rootDirectory),
-		ignorePatterns,
-		deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
-		parseConcurrency: options.parseConcurrency
-	}), options.workerTimeoutMs ?? 12e4, options.abortSignal));
+	const spawnAndRun = () => {
+		return runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
+			rootDirectory,
+			entryPatterns,
+			tsConfigPath: resolveTsConfigPath(rootDirectory),
+			ignorePatterns,
+			deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
+			parseConcurrency: options.parseConcurrency
+		}), options.workerTimeoutMs ?? 12e4, options.abortSignal);
+	};
+	const result = parseDeadCodeWorkerResult(options.createWorker === void 0 ? await withDeadCodeWorkerSlot(spawnAndRun, options.abortSignal) : await spawnAndRun());
 	const toRelative = (filePath) => toRelativeFilePath(rootDirectory, filePath);
 	const diagnostics = [];
 	for (const unusedFile of result.unusedFiles) diagnostics.push({
@@ -40636,7 +40730,10 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      diagnostics).
 *   2. beforeLint hook (e.g. CLI renders the project-detection block)
 *   3. environment checks (reduced-motion + pnpm hardening +
-*      expo/react-native + security scan), collected synchronously
+*      expo/react-native), collected synchronously. The heavier
+*      content-regex security scan is forked instead (like supply-chain
+*      below) and joined before the concat, so its CPU overlaps lint
+*      rather than blocking the event loop before it.
 *   4. The supply-chain check (Socket.dev) is forked onto a background
 *      fiber so its ~100% network-bound time overlaps the ~100%
 *      CPU/subprocess-bound lint pass below, collapsing two serial
@@ -40656,7 +40753,7 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      order, so terminal output is identical either way; supply-chain
 *      rides alongside without a spinner.
 *   6. Join the supply-chain fiber, then assemble the diagnostics in a
-*      FIXED order (env, supply-chain, lint, dead-code) so the output is
+*      FIXED order (env, security-scan, supply-chain, lint, dead-code) so the output is
 *      byte-identical regardless of which fiber settled first. The
 *      viewer-permission fiber is joined later, during score-metadata
 *      assembly (it feeds score metadata, not diagnostics). The per-element
@@ -40717,12 +40814,12 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		...checkPnpmHardening(scanDirectory),
 		...checkReactServerComponentsAdvisory(scanDirectory, project),
 		...checkExpoProject(scanDirectory, project),
-		...checkReactNativeProject(scanDirectory, project),
-		...checkSecurityScan(scanDirectory, {
-			project,
-			ignoredTags: input.ignoredTags
-		})
+		...checkReactNativeProject(scanDirectory, project)
 	])));
+	const securityScanFiber = yield* forkChild(runCollect(applyPerElementPipeline(isDiffMode ? empty$4 : unwrap(promise(() => checkSecurityScanCooperative(scanDirectory, {
+		project,
+		ignoredTags: input.ignoredTags
+	})).pipe(map$3((diagnostics) => fromIterable$1(diagnostics)))))).pipe(withSpan("SecurityScan.run")));
 	const shouldRunSupplyChain = !isDiffMode || (input.supplyChainManifestChanged ?? false);
 	const supplyChainOverlapTimeout = yield* SupplyChainOverlapTimeoutMs;
 	const supplyChainFiber = yield* forkChild(shouldRunSupplyChain ? runCollect(applyPerElementPipeline(supplyChainService.run({
@@ -40858,9 +40955,11 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 	else yield* scanProgress.succeed(`Scanned ${scannedFilesLabel} in ${scanElapsedSeconds}s${workerCountSuffix}`);
 	const supplyChainResult = yield* join(supplyChainFiber);
 	const supplyChainCollected = supplyChainResult.diagnostics;
+	const securityScanCollected = yield* join(securityScanFiber);
 	yield* reporterService.finalize;
 	const finalDiagnostics = sortDiagnosticsStable(assignFixGroups([
 		...envCollected,
+		...securityScanCollected,
 		...supplyChainCollected,
 		...lintCollected,
 		...deadCodeCollected
@@ -41483,4 +41582,4 @@ const toJsonReport = (result, options) => buildJsonReport({
 export { AmbiguousProjectError, NoReactDependencyError, NotADirectoryError, PackageJsonNotFoundError, ProjectNotFoundError, ReactDoctorError, buildJsonReport, buildJsonReportError, clearCaches, defineConfig, diagnose, filterSourceFiles, getDiffInfo, isProjectDiscoveryError, isReactDoctorError, summarizeDiagnostics, toJsonReport };
 
 //# sourceMappingURL=index.js.map
-//# debugId=dccb6d63-63d4-5e91-af21-2756a08fe93a
+//# debugId=b9d1a98e-f5ec-5357-a08b-f84864fdfa20

package/dist/lsp.js

@@ -6021,7 +6021,7 @@ const composePassthrough = /* @__PURE__ */ dual(2, (left, right) => (input) => {
 * @since 2.0.0
 */
 const Scheduler = /* @__PURE__ */ Reference("effect/Scheduler", { defaultValue: () => new MixedScheduler() });
-const setImmediate = "setImmediate" in globalThis ? (f) => {
+const setImmediate$1 = "setImmediate" in globalThis ? (f) => {
 	const timer = globalThis.setImmediate(f);
 	return () => globalThis.clearImmediate(timer);
 } : (f) => {
@@ -6065,7 +6065,7 @@ var PriorityBuckets = class {
 var MixedScheduler = class {
 	executionMode;
 	setImmediate;
-	constructor(executionMode = "async", setImmediateFn = setImmediate) {
+	constructor(executionMode = "async", setImmediateFn = setImmediate$1) {
 		this.executionMode = executionMode;
 		this.setImmediate = setImmediateFn;
 	}
@@ -6090,7 +6090,7 @@ var MixedSchedulerDispatcher = class {
 	tasks = /* @__PURE__ */ new PriorityBuckets();
 	running = void 0;
 	setImmediate;
-	constructor(setImmediateFn = setImmediate) {
+	constructor(setImmediateFn = setImmediate$1) {
 		this.setImmediate = setImmediateFn;
 	}
 	/**
@@ -33811,6 +33811,7 @@ const DEAD_CODE_PHASE_TIMEOUT_MS = 15e4;
 const LINT_PHASE_TIMEOUT_MS = 3e5;
 const SCAN_TOTAL_DEADLINE_MS = 9e5;
 const DEAD_CODE_WORKER_MAX_OLD_SPACE_MB = 8192;
+const DEAD_CODE_WORKER_MEM_BUDGET_BYTES = 2 * 1024 * 1024 * 1024;
 const DEAD_CODE_TIMEOUT_CEILING_MS = 6e5;
 const DEAD_CODE_PHASE_TIMEOUT_OVER_WORKER_MS = 3e4;
 const DEAD_CODE_OVERLAP_PARSE_SHARE = .4;
@@ -35402,7 +35403,7 @@ const resolveScanConcurrency = (requested) => {
 	if (!Number.isFinite(requested) || requested < 1) return 1;
 	return Math.min(Math.floor(requested), 32);
 };
-const readSystemFacts = () => ({
+const readSystemFacts$1 = () => ({
 	availableCores: os.availableParallelism(),
 	totalMemoryBytes: os.totalmem(),
 	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
@@ -35423,7 +35424,7 @@ const readSystemFacts = () => ({
 * `facts` is injectable so tests exercise core-bound, memory-bound, cgroup-
 * limited, and ceiling cases without mocking `os` or the filesystem.
 */
-const resolveAutoScanConcurrency = (facts = readSystemFacts()) => {
+const resolveAutoScanConcurrency = (facts = readSystemFacts$1()) => {
 	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
 	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / PER_WORKER_MEM_BUDGET_BYTES);
 	return resolveScanConcurrency(Math.min(facts.availableCores, memoryBoundedWorkers));
@@ -36908,7 +36909,10 @@ const shouldEnableRule = (requires, tags, capabilities, ignoredTags, disabledBy)
 	}
 	return true;
 };
-const checkSecurityScan = (rootDirectory, options = {}) => {
+const yieldToEventLoop = () => new Promise((resolve) => {
+	setImmediate(resolve);
+});
+const createSecurityScanSession = (rootDirectory, options) => {
 	const capabilities = options.project ? buildCapabilities(options.project) : /* @__PURE__ */ new Set();
 	const ignoredTags = options.ignoredTags ?? /* @__PURE__ */ new Set();
 	const enabledScanRules = REACT_DOCTOR_RULES.flatMap((entry) => {
@@ -36923,7 +36927,7 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 			committedFilesOnly: rule.committedFilesOnly === true
 		}];
 	});
-	if (enabledScanRules.length === 0) return [];
+	if (enabledScanRules.length === 0) return null;
 	const diagnostics = [];
 	const seen = /* @__PURE__ */ new Set();
 	const gitIgnoredCache = /* @__PURE__ */ new Map();
@@ -36935,15 +36939,34 @@ const checkSecurityScan = (rootDirectory, options = {}) => {
 		}
 		return status === true;
 	};
-	for (const file of collectSecurityScanFiles(rootDirectory)) for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
-		if (committedFilesOnly && isFileGitIgnored(file)) continue;
-		const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
-		const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
-		if (seen.has(key)) continue;
-		seen.add(key);
-		diagnostics.push(diagnostic);
+	const scanFile = (file) => {
+		for (const { entry, scan, committedFilesOnly } of enabledScanRules) for (const finding of scan(file)) {
+			if (committedFilesOnly && isFileGitIgnored(file)) continue;
+			const diagnostic = buildSecurityScanDiagnostic(finding, entry, file.relativePath);
+			const key = `${diagnostic.rule}:${diagnostic.filePath}:${diagnostic.line}:${diagnostic.column}:${diagnostic.message}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			diagnostics.push(diagnostic);
+		}
+	};
+	return {
+		scanFile,
+		diagnostics
+	};
+};
+const checkSecurityScanCooperative = async (rootDirectory, options = {}) => {
+	const session = createSecurityScanSession(rootDirectory, options);
+	if (session === null) return [];
+	let filesSinceYield = 0;
+	for (const file of collectSecurityScanFiles(rootDirectory)) {
+		session.scanFile(file);
+		filesSinceYield += 1;
+		if (filesSinceYield >= 16) {
+			filesSinceYield = 0;
+			await yieldToEventLoop();
+		}
 	}
-	return diagnostics;
+	return session.diagnostics;
 };
 var import_picocolors = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exports, module) => {
 	let p = process || {}, argv = p.argv || [], env = p.env || {};
@@ -37160,6 +37183,74 @@ const collectDeadCodeIgnorePatterns = (rootDirectory) => {
 	return [...seen].filter((pattern) => pattern.length > 0);
 };
 const collectDeadCodeEntryPatterns = (rootDirectory) => [...new Set(collectKnipPatterns(rootDirectory, "entry"))].filter((pattern) => pattern.length > 0);
+const readSystemFacts = () => ({
+	availableCores: os.availableParallelism(),
+	totalMemoryBytes: os.totalmem(),
+	cgroupMemoryLimitBytes: readCgroupMemoryLimitBytes()
+});
+/**
+* How many real deslop dead-code child processes may run at once, across the
+* concurrent per-project `runInspect` fibers of one CLI run. The cap is the
+* smaller of the core count and the number of `DEAD_CODE_WORKER_MEM_BUDGET_BYTES`
+* workers that fit in available memory, floored at 1.
+*
+* On a roomy dev box / CI runner this resolves high enough that every
+* concurrently-scanned project still spawns its own worker (no serialization vs
+* the prior uncapped behavior); on a memory-constrained runner it collapses
+* toward 1, so the `withDeadCodeWorkerSlot` semaphore serializes the spawns
+* instead of oversubscribing memory with N simultaneous children — the global
+* cap the per-project spawn path lacked.
+*
+* Mirrors `resolveAutoScanConcurrency` (lint), but budgets memory per the
+* heavier dead-code worker. `facts` is injectable for tests.
+*/
+const resolveDeadCodeConcurrency = (facts = readSystemFacts()) => {
+	const availableMemoryBytes = Math.min(facts.totalMemoryBytes, facts.cgroupMemoryLimitBytes ?? Number.POSITIVE_INFINITY);
+	const memoryBoundedWorkers = Math.floor(availableMemoryBytes / DEAD_CODE_WORKER_MEM_BUDGET_BYTES);
+	return Math.max(1, Math.min(facts.availableCores, memoryBoundedWorkers));
+};
+let availableSlots = -1;
+const waiters = [];
+const releaseSlot = () => {
+	const nextWaiter = waiters.shift();
+	if (nextWaiter !== void 0) nextWaiter();
+	else availableSlots += 1;
+};
+/**
+* Runs `task` once a dead-code worker slot is free, releasing the slot when the
+* task settles (success or failure). With a high cap (roomy machine) every
+* caller proceeds immediately; with a low cap (constrained runner) callers
+* queue and run as slots free.
+*
+* `abortSignal` short-circuits the WAIT: if it's already aborted, or fires while
+* this caller is queued, the call rejects without acquiring a slot or running
+* `task` — so a cancelled scan (e.g. lint failed) doesn't sit in the queue and
+* then spawn a child only to tear it down. A queued caller that aborts removes
+* its own waiter so a later release never hands a slot to a dead request.
+*/
+const withDeadCodeWorkerSlot = async (task, abortSignal) => {
+	if (abortSignal?.aborted) throw new Error("Dead-code worker aborted.");
+	if (availableSlots < 0) availableSlots = resolveDeadCodeConcurrency();
+	if (availableSlots > 0) availableSlots -= 1;
+	else await new Promise((resolve, reject) => {
+		const waiter = () => {
+			abortSignal?.removeEventListener("abort", onAbort);
+			resolve();
+		};
+		const onAbort = () => {
+			const queuedIndex = waiters.indexOf(waiter);
+			if (queuedIndex !== -1) waiters.splice(queuedIndex, 1);
+			reject(/* @__PURE__ */ new Error("Dead-code worker aborted."));
+		};
+		waiters.push(waiter);
+		abortSignal?.addEventListener("abort", onAbort, { once: true });
+	});
+	try {
+		return await task();
+	} finally {
+		releaseSlot();
+	}
+};
 /**
 * Resolves a path to its canonical, symlink-free form, falling back to
 * the input when it cannot be realpath'd (broken symlink, permission
@@ -37450,14 +37541,17 @@ const checkDeadCode = async (options) => {
 	if (!NFS.existsSync(Path.join(rootDirectory, "package.json"))) return [];
 	const entryPatterns = collectDeadCodeEntryPatterns(rootDirectory);
 	const ignorePatterns = collectDeadCodeIgnorePatterns(rootDirectory);
-	const result = parseDeadCodeWorkerResult(await runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
-		rootDirectory,
-		entryPatterns,
-		tsConfigPath: resolveTsConfigPath(rootDirectory),
-		ignorePatterns,
-		deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
-		parseConcurrency: options.parseConcurrency
-	}), options.workerTimeoutMs ?? 12e4, options.abortSignal));
+	const spawnAndRun = () => {
+		return runDeadCodeWorkerWithTimeout((options.createWorker ?? createDeadCodeWorker)({
+			rootDirectory,
+			entryPatterns,
+			tsConfigPath: resolveTsConfigPath(rootDirectory),
+			ignorePatterns,
+			deslopJsModuleSpecifier: options.deslopJsModuleSpecifier ?? import.meta.resolve("deslop-js"),
+			parseConcurrency: options.parseConcurrency
+		}), options.workerTimeoutMs ?? 12e4, options.abortSignal);
+	};
+	const result = parseDeadCodeWorkerResult(options.createWorker === void 0 ? await withDeadCodeWorkerSlot(spawnAndRun, options.abortSignal) : await spawnAndRun());
 	const toRelative = (filePath) => toRelativeFilePath(rootDirectory, filePath);
 	const diagnostics = [];
 	for (const unusedFile of result.unusedFiles) diagnostics.push({
@@ -40621,7 +40715,10 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      diagnostics).
 *   2. beforeLint hook (e.g. CLI renders the project-detection block)
 *   3. environment checks (reduced-motion + pnpm hardening +
-*      expo/react-native + security scan), collected synchronously
+*      expo/react-native), collected synchronously. The heavier
+*      content-regex security scan is forked instead (like supply-chain
+*      below) and joined before the concat, so its CPU overlaps lint
+*      rather than blocking the event loop before it.
 *   4. The supply-chain check (Socket.dev) is forked onto a background
 *      fiber so its ~100% network-bound time overlaps the ~100%
 *      CPU/subprocess-bound lint pass below, collapsing two serial
@@ -40641,7 +40738,7 @@ const formatLintFailText = (reasonTag, nodeVersion) => {
 *      order, so terminal output is identical either way; supply-chain
 *      rides alongside without a spinner.
 *   6. Join the supply-chain fiber, then assemble the diagnostics in a
-*      FIXED order (env, supply-chain, lint, dead-code) so the output is
+*      FIXED order (env, security-scan, supply-chain, lint, dead-code) so the output is
 *      byte-identical regardless of which fiber settled first. The
 *      viewer-permission fiber is joined later, during score-metadata
 *      assembly (it feeds score metadata, not diagnostics). The per-element
@@ -40702,12 +40799,12 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 		...checkPnpmHardening(scanDirectory),
 		...checkReactServerComponentsAdvisory(scanDirectory, project),
 		...checkExpoProject(scanDirectory, project),
-		...checkReactNativeProject(scanDirectory, project),
-		...checkSecurityScan(scanDirectory, {
-			project,
-			ignoredTags: input.ignoredTags
-		})
+		...checkReactNativeProject(scanDirectory, project)
 	])));
+	const securityScanFiber = yield* forkChild(runCollect(applyPerElementPipeline(isDiffMode ? empty$4 : unwrap(promise(() => checkSecurityScanCooperative(scanDirectory, {
+		project,
+		ignoredTags: input.ignoredTags
+	})).pipe(map$3((diagnostics) => fromIterable$1(diagnostics)))))).pipe(withSpan("SecurityScan.run")));
 	const shouldRunSupplyChain = !isDiffMode || (input.supplyChainManifestChanged ?? false);
 	const supplyChainOverlapTimeout = yield* SupplyChainOverlapTimeoutMs;
 	const supplyChainFiber = yield* forkChild(shouldRunSupplyChain ? runCollect(applyPerElementPipeline(supplyChainService.run({
@@ -40843,9 +40940,11 @@ const runInspect = (input, hooks = {}) => gen(function* () {
 	else yield* scanProgress.succeed(`Scanned ${scannedFilesLabel} in ${scanElapsedSeconds}s${workerCountSuffix}`);
 	const supplyChainResult = yield* join(supplyChainFiber);
 	const supplyChainCollected = supplyChainResult.diagnostics;
+	const securityScanCollected = yield* join(securityScanFiber);
 	yield* reporterService.finalize;
 	const finalDiagnostics = sortDiagnosticsStable(assignFixGroups([
 		...envCollected,
+		...securityScanCollected,
 		...supplyChainCollected,
 		...lintCollected,
 		...deadCodeCollected
@@ -43264,5 +43363,5 @@ const startLanguageServer = () => {
 };
 //#endregion
 export { startLanguageServer };
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="d12f3c5d-14fd-59ba-9d8a-7e3f589c88ad")}catch(e){}}();
-//# debugId=d12f3c5d-14fd-59ba-9d8a-7e3f589c88ad
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="bb5309e5-ce90-551d-bf0a-7db0ea302f24")}catch(e){}}();
+//# debugId=bb5309e5-ce90-551d-bf0a-7db0ea302f24

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-doctor",
-  "version": "0.5.8-dev.441e6af",
+  "version": "0.5.8-dev.5774deb",
   "description": "Your agent writes bad React. This catches it",
   "keywords": [
     "accessibility",
@@ -63,8 +63,8 @@
     "vscode-languageserver": "^9.0.1",
     "vscode-languageserver-textdocument": "^1.0.12",
     "vscode-uri": "^3.1.0",
-    "deslop-js": "0.5.8",
-    "oxlint-plugin-react-doctor": "0.5.8-dev.441e6af"
+    "oxlint-plugin-react-doctor": "0.5.8-dev.5774deb",
+    "deslop-js": "0.5.8"
   },
   "devDependencies": {
     "@types/babel__code-frame": "^7.27.0",
@@ -72,8 +72,8 @@
     "@xterm/headless": "^6.0.0",
     "commander": "^14.0.3",
     "ora": "^9.4.0",
-    "@react-doctor/core": "0.5.8",
     "@react-doctor/api": "0.5.8",
+    "@react-doctor/core": "0.5.8",
     "@react-doctor/language-server": "0.5.8"
   },
   "engines": {