socket 1.1.102 → 1.1.104

package/dist/cli.js

@@ -2245,6 +2245,8 @@ async function provisionPythonShim() {
 // Default per-invocation timeout for bazel queries. Bazel cold-cache starts
 // can take several minutes; 10 minutes is generous while still bounding CI hangs.
 const BAZEL_QUERY_TIMEOUT_MS = 600_000;
+const STDERR_TAIL_BYTES = 4_096;
+const STDOUT_EXCERPT_BYTES = 1_024;
 
 // Splits the user-supplied --bazel-flags string on whitespace.
 // Empty / undefined returns []. No shell parsing — quoted args with embedded
@@ -2265,11 +2267,22 @@ function buildBazelModShowVisibleReposArgv(opts) {
     startup.push(`--output_base=${opts.bazelOutputBase}`);
   }
   const userFlags = splitBazelFlags(opts.bazelFlags);
-  return [...startup, 'mod', 'show_repo', '--all_visible_repos', '--output=streamed_jsonproto', ...userFlags];
+  return [...startup, 'mod', 'dump_repo_mapping', '', '--output=json', ...userFlags];
 }
-function buildBazelArgv(queryStr, opts) {
+function buildBazelModShowPipExtensionArgv(opts) {
+  const startup = [];
+  if (opts.bazelRc) {
+    startup.push(`--bazelrc=${opts.bazelRc}`);
+  }
+  if (opts.bazelOutputBase) {
+    startup.push(`--output_base=${opts.bazelOutputBase}`);
+  }
+  const userFlags = splitBazelFlags(opts.bazelFlags);
+  return [...startup, 'mod', 'show_extension', '@rules_python//python/extensions:pip.bzl%pip', '--extension_usages=<root>', ...userFlags];
+}
+function buildBazelArgv(queryStr, opts, output = 'build') {
   // Startup flags MUST precede the `query` subcommand.
-  // Bazel argv shape: <startup> query <queryFlags> <invocationFlags> <queryStr> --output=build <userFlags>
+  // Bazel argv shape: <startup> query <queryFlags> <invocationFlags> <queryStr> --output=<output> <userFlags>
   const startup = [];
   if (opts.bazelRc) {
     startup.push(`--bazelrc=${opts.bazelRc}`);
@@ -2280,7 +2293,7 @@ function buildBazelArgv(queryStr, opts) {
   // Keep query output stable and avoid updating Bazel lockfiles while extracting.
   const queryFlags = ['--lockfile_mode=off', '--noshow_progress'];
   const userFlags = splitBazelFlags(opts.bazelFlags);
-  return [...startup, 'query', ...queryFlags, ...opts.invocationFlags, queryStr, '--output=build', ...userFlags];
+  return [...startup, 'query', ...queryFlags, ...opts.invocationFlags, queryStr, `--output=${output}`, ...userFlags];
 }
 function stringField(value) {
   return typeof value === 'string' ? value : '';
@@ -2288,6 +2301,46 @@ function stringField(value) {
 function numericExitCode(value) {
   return typeof value === 'number' && Number.isFinite(value) ? value : undefined;
 }
+function byteLength(value) {
+  return Buffer.byteLength(value, 'utf8');
+}
+function excerpt(value, maxBytes) {
+  if (byteLength(value) <= maxBytes) {
+    return value;
+  }
+  return value.slice(0, maxBytes) + '\n[truncated]';
+}
+function logBazelTrace({
+  argv,
+  durationMs,
+  opts,
+  result,
+  step
+}) {
+  if (!opts.verbose) {
+    return;
+  }
+  const stderrBytes = byteLength(result.stderr);
+  const stdoutBytes = byteLength(result.stdout);
+  const category = result.code === 0 ? 'ok' : 'bazel-query-failed';
+  logger.logger.log('[VERBOSE] bazel subprocess trace:', `category=${category}`, {
+    argv,
+    category,
+    code: result.code,
+    cwd: opts.cwd,
+    durationMs,
+    stderrBytes,
+    stdoutBytes,
+    step,
+    timedOut: false,
+    timeoutMs: BAZEL_QUERY_TIMEOUT_MS
+  });
+  if (result.code !== 0 && result.stderr) {
+    logger.logger.log('[VERBOSE] bazel stderr tail:', excerpt(result.stderr.slice(-STDERR_TAIL_BYTES), STDERR_TAIL_BYTES));
+  } else if (result.stdout && stdoutBytes <= STDOUT_EXCERPT_BYTES) {
+    logger.logger.log('[VERBOSE] bazel stdout excerpt:', result.stdout);
+  }
+}
 function normalizeSpawnError(error) {
   const e = error;
   return {
@@ -2303,11 +2356,12 @@ function normalizeSpawnError(error) {
  * and fails on non-zero exit. Rejected spawn calls are normalized into a
  * BazelQueryResult so retry/skip handling can inspect stderr.
  */
-async function runBazelQuery(queryStr, opts) {
-  const argv = buildBazelArgv(queryStr, opts);
+async function runBazelQuery(queryStr, opts, output) {
+  const argv = buildBazelArgv(queryStr, opts, output);
   if (opts.verbose) {
     logger.logger.log('[VERBOSE] Executing:', opts.bin, ', args:', argv);
   }
+  const startedAt = Date.now();
   const {
     spinner
   } = constants.default;
@@ -2342,19 +2396,30 @@ async function runBazelQuery(queryStr, opts) {
     } else {
       spinner.failAndStop(`bazel query failed (${truncated}).`);
     }
+    if (result) {
+      logBazelTrace({
+        argv,
+        durationMs: Date.now() - startedAt,
+        opts,
+        result,
+        step: `bazel query ${truncated}`
+      });
+    }
   }
 }
 
 /**
  * Bzlmod-native visible repository enumeration. This is only a candidate
  * source; callers must still validate each returned apparent repo name with a
- * semantic query for generated JVM Maven rules.
+ * semantic query for generated ecosystem rules.
  */
 async function runBazelModShowVisibleRepos(opts) {
   const argv = buildBazelModShowVisibleReposArgv(opts);
   if (opts.verbose) {
     logger.logger.log('[VERBOSE] Executing:', opts.bin, ', args:', argv);
   }
+  const startedAt = Date.now();
+  let result;
   try {
     const output = await spawn.spawn(opts.bin, argv, {
       cwd: opts.cwd,
@@ -2368,14 +2433,65 @@ async function runBazelModShowVisibleRepos(opts) {
       stderr,
       stdout
     } = output;
-    return {
+    result = {
+      code,
+      stdout,
+      stderr
+    };
+  } catch (e) {
+    result = normalizeSpawnError(e);
+  }
+  logBazelTrace({
+    argv,
+    durationMs: Date.now() - startedAt,
+    opts,
+    result,
+    step: 'bazel mod dump_repo_mapping'
+  });
+  return result;
+}
+
+/**
+ * Bzlmod-native rules_python pip extension usage inspection. This is the
+ * authoritative source for root-module pip.parse metadata when Bazel supports
+ * the command; callers keep bounded static parsing as fallback.
+ */
+async function runBazelModShowPipExtension(opts) {
+  const argv = buildBazelModShowPipExtensionArgv(opts);
+  if (opts.verbose) {
+    logger.logger.log('[VERBOSE] Executing:', opts.bin, ', args:', argv);
+  }
+  const startedAt = Date.now();
+  let result;
+  try {
+    const output = await spawn.spawn(opts.bin, argv, {
+      cwd: opts.cwd,
+      timeout: BAZEL_QUERY_TIMEOUT_MS,
+      ...(opts.env ? {
+        env: opts.env
+      } : {})
+    });
+    const {
+      code,
+      stderr,
+      stdout
+    } = output;
+    result = {
       code,
       stdout,
       stderr
     };
   } catch (e) {
-    return normalizeSpawnError(e);
+    result = normalizeSpawnError(e);
   }
+  logBazelTrace({
+    argv,
+    durationMs: Date.now() - startedAt,
+    opts,
+    result,
+    step: 'bazel mod show_extension rules_python pip'
+  });
+  return result;
 }
 
 /**
@@ -2394,13 +2510,31 @@ function buildProbeFor(opts) {
   };
 }
 
+/**
+ * Build a `RepoProbe` for validating pip hub candidates.
+ * Queries the hub for package targets (e.g. `@<hub>//...`) and returns
+ * stdout so the caller can check for `:pkg` labels or alias rules.
+ * Does NOT require `pypi_name=` tags in the hub output, because those
+ * tags live on spoke repos, not the hub alias layer.
+ */
+function buildPypiProbeFor(opts) {
+  return async hubName => {
+    const queryStr = `@${hubName}//...`;
+    const result = await runBazelQuery(queryStr, opts);
+    return {
+      stdout: result.stdout,
+      code: result.code
+    };
+  };
+}
+
 // Maximum size (bytes) we will read for any single Bazel workspace file.
 // Prevents DoS via maliciously large MODULE.bazel / WORKSPACE / .bzl files.
-const MAX_WORKSPACE_FILE_BYTES = 5 * 1024 * 1024;
+const MAX_WORKSPACE_FILE_BYTES$1 = 5 * 1024 * 1024;
 
 // Maximum candidate count we will return (deduped) before truncating.
 // Real repos have <20; this is a hard ceiling against pathological inputs.
-const MAX_CANDIDATES = 256;
+const MAX_CANDIDATES$1 = 256;
 
 // Regex strategy: anchored, bounded character classes, no nested quantifiers.
 // Match `use_repo(maven, "X", "Y", ...)` with a bounded arg-list window to
@@ -2421,13 +2555,13 @@ const MAVEN_COORDINATES_MARKER_RE = /\bmaven_coordinates\s*=/;
 
 // Reads file contents, refusing files that exceed MAX_WORKSPACE_FILE_BYTES.
 // Returns null when the file is missing, oversized, or unreadable.
-function safeReadFile(file) {
+function safeReadFile$1(file) {
   if (!fs$1.existsSync(file)) {
     return null;
   }
   try {
     const stat = fs$1.statSync(file);
-    if (stat.size > MAX_WORKSPACE_FILE_BYTES) {
+    if (stat.size > MAX_WORKSPACE_FILE_BYTES$1) {
       return null;
     }
     return fs$1.readFileSync(file, 'utf8');
@@ -2439,7 +2573,7 @@ function safeReadFile(file) {
 // Walks workspace root for legacy Starlark sources we can scan: WORKSPACE
 // (and WORKSPACE.bazel) plus top-level .bzl files. Non-recursive by design;
 // Phase 1 explicitly avoids static Starlark parsing at depth.
-function listLegacyStarlarkFiles(cwd) {
+function listLegacyStarlarkFiles$1(cwd) {
   const files = [];
   const candidates = ['WORKSPACE', 'WORKSPACE.bazel'];
   for (const c of candidates) {
@@ -2469,7 +2603,7 @@ function uniqueSorted(items) {
     if (!seen.has(item)) {
       seen.add(item);
       out.push(item);
-      if (out.length >= MAX_CANDIDATES) {
+      if (out.length >= MAX_CANDIDATES$1) {
         break;
       }
     }
@@ -2493,14 +2627,29 @@ function apparentNameFromJsonValue(value) {
   }
   return undefined;
 }
+function apparentNamesFromRepoMapping(value) {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return [];
+  }
+  const candidates = [];
+  for (const [name, canonicalName] of Object.entries(value)) {
+    if (name.startsWith('@') || typeof canonicalName !== 'string') {
+      continue;
+    }
+    if (BAZEL_REPO_NAME_RE.test(name)) {
+      candidates.push(name);
+    }
+  }
+  return candidates;
+}
 function normalizeRepoName(name) {
   const repo = name.startsWith('@') ? name.slice(1) : name;
   return BAZEL_REPO_NAME_RE.test(repo) ? repo : undefined;
 }
 
-// Parse `bazel mod show_repo --all_visible_repos --output=streamed_jsonproto`
-// output. Bazel's JSON proto field casing may vary by formatter; accept both
-// lowerCamel and snake_case, and tolerate wrapper objects around Repository.
+// Parse `bazel mod dump_repo_mapping "" --output=json` output. Also accept the
+// older streamed jsonproto shape in case older Bazel versions or fixtures still
+// return repository records with apparentName fields.
 function parseVisibleRepoCandidates(output) {
   const candidates = [];
   for (const line of output.split(/\r?\n/)) {
@@ -2510,6 +2659,7 @@ function parseVisibleRepoCandidates(output) {
     }
     try {
       const parsed = JSON.parse(trimmed);
+      candidates.push(...apparentNamesFromRepoMapping(parsed));
       const apparentName = apparentNameFromJsonValue(parsed);
       if (apparentName) {
         const repo = normalizeRepoName(apparentName);
@@ -2531,7 +2681,7 @@ function parseMavenRepoCandidates(cwd, verbose) {
 
   // Bzlmod path: parse MODULE.bazel for use_repo(maven, ...).
   const moduleBazel = path.join(cwd, 'MODULE.bazel');
-  const moduleContent = safeReadFile(moduleBazel);
+  const moduleContent = safeReadFile$1(moduleBazel);
   if (moduleContent) {
     const bzlmodHits = [];
     for (const m of moduleContent.matchAll(USE_REPO_RE)) {
@@ -2549,12 +2699,12 @@ function parseMavenRepoCandidates(cwd, verbose) {
   }
 
   // Legacy path: scan WORKSPACE + top-level .bzl files for maven_install(name=...).
-  const legacyFiles = listLegacyStarlarkFiles(cwd);
+  const legacyFiles = listLegacyStarlarkFiles$1(cwd);
   if (verbose) {
     logger.logger.log('[VERBOSE] discovery: legacy files considered:', legacyFiles.length ? legacyFiles : '(none)');
   }
   for (const file of legacyFiles) {
-    const content = safeReadFile(file);
+    const content = safeReadFile$1(file);
     if (!content) {
       continue;
     }
@@ -3025,8 +3175,18 @@ async function extractBazelToMaven(opts) {
       });
     }
     if (!allArtifacts.length) {
-      process.exitCode = 1;
-      logger.logger.fail('No Maven artifacts extracted. See warnings above.');
+      if (!repos.size) {
+        if (verbose) {
+          logger.logger.info('No Maven artifacts extracted. failureCategory=no-supported-ecosystem');
+        }
+        return {
+          artifactCount: 0,
+          manifestPath,
+          noEcosystemFound: true,
+          ok: false
+        };
+      }
+      logger.logger.fail(`Discovered Maven repo(s) ${repoNames.join(', ')} but extracted zero artifacts. failureCategory=ecosystem-detected-but-empty`);
       return {
         artifactCount: 0,
         manifestPath,
@@ -3040,7 +3200,6 @@ async function extractBazelToMaven(opts) {
       ok: true
     };
   } catch (e) {
-    process.exitCode = 1;
     // Always surface the error message; users should not have to
     // re-run a multi-minute bazel build with --verbose just to see whether
     // the failure was a missing dependency, permission error, or network blip.
@@ -3681,24 +3840,23 @@ async function generateAutoManifest({
   if (!sockJson?.defaults?.manifest?.bazel?.disabled && detected.bazel) {
     const bazelConfig = sockJson?.defaults?.manifest?.bazel;
     logger.logger.log('Detected a Bazel workspace, extracting Maven dependencies via bazel query...');
-    const bazelResult = await extractBazelToMaven({
+    const mavenResult = await extractBazelToMaven({
       bazelFlags: bazelConfig?.bazelFlags,
       bazelOutputBase: bazelConfig?.bazelOutputBase,
       bazelRc: bazelConfig?.bazelRc,
       bin: bazelConfig?.bazel ?? bazelConfig?.bin,
       cwd,
-      // Auto-manifest writes into a sibling directory instead of the repo root
-      // so scan discovery can pick it up without colliding with a checked-in
-      // rules_jvm_external lockfile or repo-root gitignore patterns.
       out: bazelConfig?.out ?? cwd,
       outLayout: 'flat',
       verbose: Boolean(bazelConfig?.verbose) || verbose
     });
-    if (!bazelResult.ok) {
-      throw new Error('Bazel auto-manifest generation failed');
+    if (!mavenResult.ok && !mavenResult.noEcosystemFound) {
+      throw new Error('Bazel auto-manifest generation failed for ecosystem(s): maven');
     }
-    if (bazelResult.manifestPath) {
-      generatedFiles.push(bazelResult.manifestPath);
+    if (mavenResult.ok && mavenResult.manifestPath) {
+      generatedFiles.push(mavenResult.manifestPath);
+    } else if (mavenResult.noEcosystemFound) {
+      logger.logger.info('No supported Bazel Maven ecosystem detected.');
     }
   }
   return {
@@ -7302,149 +7460,1087 @@ async function run$G(argv, importMeta, context) {
   await spawnPromise;
 }
 
-const config$e = {
-  commandName: 'bazel',
-  description: '[beta] Bazel JVM SBOM support — generate manifest files (`maven_install.json`) for a Bazel/Maven project',
-  hidden: false,
-  flags: {
-    ...flags.commonFlags,
-    bazel: {
-      type: 'string',
-      description: 'Path to bazel/bazelisk binary; default: $(which bazelisk) || $(which bazel)'
-    },
-    bazelFlags: {
-      type: 'string',
-      description: 'Flags forwarded to every bazel invocation (single quoted string)'
-    },
-    bazelOutputBase: {
-      type: 'string',
-      description: 'Bazel --output_base for read-only-cache CI environments'
-    },
-    bazelRc: {
-      type: 'string',
-      description: 'Path to additional .bazelrc fragments forwarded to bazel'
-    },
-    out: {
-      type: 'string',
-      description: 'Output directory for generated manifests; default: ./.socket/bazel-manifests/'
-    },
-    verbose: {
-      type: 'boolean',
-      description: 'Stream bazel stdout/stderr'
-    }
-  },
-  help: (command, config) => `
-    Usage
-      $ ${command} [options] [CWD=.]
-
-    Options
-      ${utils.getFlagListOutput(config.flags)}
-
-    [beta] Generates Bazel JVM SBOM manifests (\`maven_install.json\`-shaped)
-    by running \`bazel query\` against discovered Maven repos. Output is
-    consumed by \`socket scan create\`'s server-side parser.
-
-    Note: this command generates Maven dependency manifests for Bazel JVM
-    workspaces. It does not run reachability analysis.
-
-    To generate AND upload in one step, use \`socket scan create --auto-manifest\`
-    instead — it detects Bazel workspaces, runs the same extraction, and uploads
-    the result. This subcommand is for generation only.
+// Maximum size (bytes) we will read for any single Bazel workspace file.
+// Prevents DoS via maliciously large MODULE.bazel / WORKSPACE / .bzl files.
+const MAX_WORKSPACE_FILE_BYTES = 5 * 1024 * 1024;
 
-    Examples
-      $ ${command} .
-      $ ${command} --bazel=/usr/local/bin/bazelisk .
-  `
-};
-const cmdManifestBazel = {
-  description: config$e.description,
-  hidden: config$e.hidden,
-  run: run$F
-};
-async function run$F(argv, importMeta, {
-  parentName
-}) {
-  const cli = utils.meowOrExit({
-    argv,
-    config: config$e,
-    importMeta,
-    parentName
-  });
-  const {
-    json = false,
-    markdown = false
-  } = cli.flags;
-  const dryRun = !!cli.flags['dryRun'];
+// Maximum candidate count we will return (deduped) before failing.
+// Real repos have <20; this is a hard ceiling against pathological inputs.
+const MAX_CANDIDATES = 256;
 
-  // TODO: Implement json/md further.
-  const outputKind = utils.getOutputKind(json, markdown);
-  let [cwd = '.'] = cli.input;
-  // Note: path.resolve vs .join:
-  // If given path is absolute then cwd should not affect it.
-  cwd = path.resolve(process.cwd(), cwd);
-  const sockJson = utils.readOrDefaultSocketJson(cwd);
-  require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} bazel`, sockJson?.defaults?.manifest?.bazel);
-  let {
-    bazel,
-    bazelFlags,
-    bazelOutputBase,
-    bazelRc,
-    out,
-    verbose
-  } = cli.flags;
+// Regex strategy: anchored, bounded character classes, no nested quantifiers.
 
-  // Set defaults for any flag/arg that is not given. Check socket.json first.
-  if (!bazel) {
-    const defaultBazel = sockJson.defaults?.manifest?.bazel?.bazel ?? sockJson.defaults?.manifest?.bazel?.bin;
-    if (defaultBazel) {
-      bazel = defaultBazel;
-      logger.logger.info(`Using default --bazel from ${constants.SOCKET_JSON}:`, bazel);
-    }
-    // Otherwise leave undefined; resolveBazelBinary performs the PATH
-    // lookup for bazelisk/bazel.
+// Bzlmod: discover `use_extension(..., "pip")` bindings, then match
+// `${binding}.parse(...)` to find pip hub declarations.
+// Bounded: matches up to ~256 chars of path to avoid catastrophic backtracking.
+const USE_EXTENSION_PIP_RE = /(\w+)\s*=\s*use_extension\s*\(\s*["'][^"']{0,256}pip\.bzl["']\s*,\s*["']pip["']\s*\)/g;
+
+// Extract hub_name, requirements_lock, and python_version from a pip.parse
+// argument blob. Bounded character classes and length caps.
+const HUB_NAME_ATTR_RE = /hub_name\s*=\s*(["'])([A-Za-z0-9_]{1,129})\1/;
+const REQUIREMENTS_LOCK_ATTR_RE = /requirements_lock\s*=\s*(["'])([^"']{1,512})\1/;
+const PYTHON_VERSION_ATTR_RE = /python_version\s*=\s*(["'])([0-9._+!]{1,32})\1/;
+
+// Legacy WORKSPACE patterns: pip_parse, pip_install, pip_repository.
+// Bounded: matches up to ~8KB of argument list.
+const PIP_PARSE_NAME_RE = /pip_parse\s*\(\s*([^)]{0,8192})\)/g;
+const PIP_INSTALL_NAME_RE = /pip_install\s*\(\s*([^)]{0,8192})\)/g;
+const PIP_REPOSITORY_NAME_RE = /pip_repository\s*\(\s*([^)]{0,8192})\)/g;
+const NAME_ATTR_RE = /name\s*=\s*(["'])([A-Za-z0-9_]{1,129})\1/;
+const LEGACY_REQ_LOCK_RE = /requirements_lock\s*=\s*(["'])([^"']{1,512})\1/;
+const MOD_SHOW_PIP_PARSE_RE = /pip\.parse\s*\(\s*([^)]{0,8192})\)/g;
+const MOD_SHOW_USE_REPO_RE = /use_repo\s*\(\s*\w+\s*,\s*(["'])([A-Za-z0-9_]{1,129})\1\s*\)/g;
+
+// Hub validation: accept alias rules or `:pkg` targets in probe stdout.
+// Does NOT require `pypi_name=` (that marker lives on spoke repos).
+const PYPI_HUB_MARKER_RE = /:pkg\b|alias\s*\(/;
+function parseBazelModPipExtensionCandidates(stdout, verbose) {
+  const useRepoNames = new Set();
+  for (const m of stdout.matchAll(MOD_SHOW_USE_REPO_RE)) {
+    useRepoNames.add(m[2]);
   }
-  if (!bazelFlags) {
-    if (sockJson.defaults?.manifest?.bazel?.bazelFlags) {
-      bazelFlags = sockJson.defaults?.manifest?.bazel?.bazelFlags;
-      logger.logger.info(`Using default --bazel-flags from ${constants.SOCKET_JSON}:`, bazelFlags);
-    } else {
-      bazelFlags = '';
+  const candidates = [];
+  for (const m of stdout.matchAll(MOD_SHOW_PIP_PARSE_RE)) {
+    const info = extractHubInfoFromArgBlob(m[1] ?? '', 'bazel-mod-show-extension', 'bzlmod');
+    if (!info) {
+      continue;
     }
-  }
-  if (!bazelOutputBase) {
-    if (sockJson.defaults?.manifest?.bazel?.bazelOutputBase) {
-      bazelOutputBase = sockJson.defaults?.manifest?.bazel?.bazelOutputBase;
-      logger.logger.info(`Using default --bazel-output-base from ${constants.SOCKET_JSON}:`, bazelOutputBase);
+    if (useRepoNames.size && !useRepoNames.has(info.hubName)) {
+      if (verbose) {
+        logger.logger.log(`[VERBOSE] discovery: dropping pip.parse hub '${info.hubName}' because show_extension did not report matching use_repo.`);
+      }
+      continue;
     }
+    candidates.push(info);
   }
-  if (!bazelRc) {
-    if (sockJson.defaults?.manifest?.bazel?.bazelRc) {
-      bazelRc = sockJson.defaults?.manifest?.bazel?.bazelRc;
-      logger.logger.info(`Using default --bazel-rc from ${constants.SOCKET_JSON}:`, bazelRc);
-    }
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: bazel mod show_extension pip.parse hits:', candidates.length, 'use_repo:', Array.from(useRepoNames));
   }
-  if (!out) {
-    if (sockJson.defaults?.manifest?.bazel?.out) {
-      out = sockJson.defaults?.manifest?.bazel?.out;
-      logger.logger.info(`Using default --out from ${constants.SOCKET_JSON}:`, out);
-    } else {
-      out = path.join(cwd, '.socket', 'bazel-manifests');
-    }
+  return dedupCapped(candidates, verbose);
+}
+
+// Reads file contents, refusing files that exceed MAX_WORKSPACE_FILE_BYTES.
+// Returns null when the file is missing, oversized, or unreadable.
+function safeReadFile(file) {
+  if (!fs$1.existsSync(file)) {
+    return null;
   }
-  if (verbose === undefined) {
-    if (sockJson.defaults?.manifest?.bazel?.verbose !== undefined) {
-      verbose = sockJson.defaults?.manifest?.bazel?.verbose;
-      logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
-    } else {
-      verbose = false;
+  try {
+    const stat = fs$1.statSync(file);
+    if (stat.size > MAX_WORKSPACE_FILE_BYTES) {
+      return null;
     }
+    return fs$1.readFileSync(file, 'utf8');
+  } catch {
+    return null;
   }
-  if (verbose) {
-    logger.logger.group('- ', parentName, config$e.commandName, ':');
-    logger.logger.group('- flags:', cli.flags);
-    logger.logger.groupEnd();
-    logger.logger.log('- input:', cli.input);
-    logger.logger.groupEnd();
+}
+
+// Walks workspace root for legacy Starlark sources we can scan: WORKSPACE
+// (and WORKSPACE.bazel) plus top-level .bzl files. Non-recursive by design;
+// Phase 1 explicitly avoids static Starlark parsing at depth.
+function listLegacyStarlarkFiles(cwd) {
+  const files = [];
+  const candidates = ['WORKSPACE', 'WORKSPACE.bazel'];
+  for (const c of candidates) {
+    const p = path.join(cwd, c);
+    if (fs$1.existsSync(p)) {
+      files.push(p);
+    }
+  }
+  // Top-level .bzl files only.
+  try {
+    for (const entry of fs$1.readdirSync(cwd)) {
+      if (entry.endsWith('.bzl')) {
+        files.push(path.join(cwd, entry));
+      }
+    }
+  } catch {
+    // Ignore unreadable cwd.
+  }
+  return files;
+}
+
+// Returns deduplicated list of items, capped at MAX_CANDIDATES.
+// Precedence: the first occurrence of a given hubName wins. Callers
+// must order inputs so the preferred source comes first (e.g., Bzlmod
+// hits before legacy WORKSPACE hits during migration).
+// Throws a clear error if the cap is exceeded so callers do not silently
+// truncate. Emits a verbose warning when a later entry is dropped due to
+// a name collision so users can see implicit precedence at work.
+function dedupCapped(items, verbose) {
+  const seen = new Map();
+  const out = [];
+  for (const item of items) {
+    const existing = seen.get(item.hubName);
+    if (!existing) {
+      seen.set(item.hubName, item);
+      out.push(item);
+      if (out.length >= MAX_CANDIDATES) {
+        throw new Error(`Discovered more than ${MAX_CANDIDATES} pip hub candidates. ` + 'This exceeds the safety ceiling; aborting discovery.');
+      }
+    } else if (verbose) {
+      logger.logger.log(`[VERBOSE] discovery: dropping duplicate pip hub candidate '${item.hubName}' ` + `(kept first occurrence from ${existing.source}/${existing.workspaceMode}, ` + `dropped ${item.source}/${item.workspaceMode}).`);
+    }
+  }
+  return out;
+}
+
+// Build a dynamic regex for `${binding}.parse(...)` given a validated binding
+// name (word characters only, so safe to embed). Bounded arg list.
+function buildPipParseRe(binding) {
+  return new RegExp(`${binding}\\.parse\\s*\\(\\s*([^)]{0,8192})\\)`, 'g');
+}
+
+// Extract candidate hub fields from a pip.parse / pip_parse / pip_install /
+// pip_repository argument blob (without probeStdout or visibleRepoNames).
+function extractHubInfoFromArgBlob(argBlob, source, workspaceMode) {
+  const hubMatch = HUB_NAME_ATTR_RE.exec(argBlob);
+  const nameMatch = NAME_ATTR_RE.exec(argBlob);
+  const hubName = hubMatch?.[2] ?? nameMatch?.[2];
+  if (!hubName) {
+    return undefined;
+  }
+  const lockMatch = REQUIREMENTS_LOCK_ATTR_RE.exec(argBlob) ?? LEGACY_REQ_LOCK_RE.exec(argBlob);
+  const pythonVersion = PYTHON_VERSION_ATTR_RE.exec(argBlob)?.[2];
+  return {
+    hubName,
+    source,
+    workspaceMode,
+    pythonVersion,
+    requirementsLockLabel: lockMatch?.[2]
+  };
+}
+
+// Step 1: parse candidate pip hub names from Bzlmod MODULE.bazel and legacy
+// WORKSPACE / .bzl entry points.
+//
+// Precedence: Bzlmod (MODULE.bazel pip.parse) hits are pushed first, then
+// legacy (pip_parse / pip_install / pip_repository) hits. dedupCapped keeps
+// the first occurrence, so during migration scenarios where both
+// MODULE.bazel and WORKSPACE define a hub with the same name, the Bzlmod
+// entry wins implicitly. Pass verbose=true to surface dropped duplicates.
+function parsePypiHubCandidates(cwd, verbose) {
+  const candidates = [];
+
+  // Bzlmod path: parse MODULE.bazel for use_extension bindings to pip,
+  // then match ${binding}.parse(...).
+  const moduleBazel = path.join(cwd, 'MODULE.bazel');
+  const moduleContent = safeReadFile(moduleBazel);
+  if (moduleContent) {
+    const bindings = [];
+    for (const m of moduleContent.matchAll(USE_EXTENSION_PIP_RE)) {
+      bindings.push(m[1]);
+    }
+    if (verbose) {
+      logger.logger.log('[VERBOSE] discovery: scanned', moduleBazel, `(${bindings.length} use_extension pip binding(s))`);
+    }
+    for (const binding of bindings) {
+      const parseRe = buildPipParseRe(binding);
+      for (const m of moduleContent.matchAll(parseRe)) {
+        const argBlob = m[1] ?? '';
+        const info = extractHubInfoFromArgBlob(argBlob, 'MODULE.bazel', 'bzlmod');
+        if (info) {
+          candidates.push(info);
+        }
+      }
+    }
+    if (verbose) {
+      logger.logger.log('[VERBOSE] discovery: MODULE.bazel pip.parse hits:', candidates.length);
+    }
+  } else if (verbose) {
+    logger.logger.log('[VERBOSE] discovery:', moduleBazel, 'not present (skipping bzlmod scan)');
+  }
+
+  // Legacy path: scan WORKSPACE + top-level .bzl files for pip_parse,
+  // pip_install, and pip_repository.
+  const legacyFiles = listLegacyStarlarkFiles(cwd);
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: legacy files considered:', legacyFiles.length ? legacyFiles : '(none)');
+  }
+  for (const file of legacyFiles) {
+    const content = safeReadFile(file);
+    if (!content) {
+      continue;
+    }
+    const fileHits = [];
+    const source = file.endsWith('.bzl') ? '.bzl' : path.basename(file) === 'WORKSPACE.bazel' ? 'WORKSPACE.bazel' : 'WORKSPACE';
+    for (const m of content.matchAll(PIP_PARSE_NAME_RE)) {
+      const info = extractHubInfoFromArgBlob(m[1] ?? '', source, 'legacy');
+      if (info) {
+        fileHits.push(info);
+      }
+    }
+    for (const m of content.matchAll(PIP_INSTALL_NAME_RE)) {
+      const info = extractHubInfoFromArgBlob(m[1] ?? '', source, 'legacy');
+      if (info) {
+        fileHits.push(info);
+      }
+    }
+    for (const m of content.matchAll(PIP_REPOSITORY_NAME_RE)) {
+      const info = extractHubInfoFromArgBlob(m[1] ?? '', source, 'legacy');
+      if (info) {
+        fileHits.push(info);
+      }
+    }
+    candidates.push(...fileHits);
+    if (verbose) {
+      logger.logger.log('[VERBOSE] discovery: scanned', file, `(${fileHits.length} legacy pip hub match(es))`);
+    }
+  }
+  return dedupCapped(candidates, verbose);
+}
+
+// Step 2: validate a candidate by running the probe and confirming
+// `:pkg` labels or alias rules appear in stdout. Does NOT require
+// `pypi_name=` (that marker lives on spoke repos).
+async function validatePypiHub(hubName, probe, verbose) {
+  try {
+    const result = await probe(hubName);
+    if (result.code !== 0) {
+      if (verbose) {
+        logger.logger.log(`[VERBOSE] discovery: probe @${hubName}: REJECT (code=${result.code})`);
+      }
+      return {
+        valid: false,
+        stdout: result.stdout
+      };
+    }
+    const valid = PYPI_HUB_MARKER_RE.test(result.stdout);
+    if (verbose) {
+      logger.logger.log(`[VERBOSE] discovery: probe @${hubName}:`, valid ? 'ACCEPT (hub alias/pkg marker found)' : 'REJECT (no hub alias/pkg marker in probe stdout)');
+    }
+    return {
+      valid,
+      stdout: result.stdout
+    };
+  } catch (e) {
+    if (verbose) {
+      logger.logger.log(`[VERBOSE] discovery: probe @${hubName}: REJECT (probe threw):`, utils.getErrorCause(e));
+    }
+    return {
+      valid: false,
+      stdout: ''
+    };
+  }
+}
+
+// The default pip hub name when no explicit hub_name/name is given.
+// Included as a seed so repos whose pip.parse is in a sub-module (not
+// found by static scanning) can still be discovered via probe validation.
+const DEFAULT_PYPI_HUB_SEED = 'pypi';
+
+// Composition: parse, then validate each candidate; return validated subset
+// as a Map keyed by hub name with the validated PypiHubInfo.
+// Always seeds with the default 'pypi' hub name first.
+async function discoverPypiHubs(cwd, probe, nativeCandidates, verbose, bazelCommandCandidates) {
+  // Always run the static parse so MODULE.bazel pip.parse metadata
+  // (requirements_lock, python_version) is available for downstream
+  // lockfile resolution. Native repo-mapping candidates are intentionally
+  // corroborating data only: many non-PyPI repositories expose alias or :pkg
+  // targets, so bare visible repos are too broad to probe as PyPI hubs.
+  const parsedAll = bazelCommandCandidates?.length ? dedupCapped(bazelCommandCandidates, verbose) : parsePypiHubCandidates(cwd, verbose);
+  const parsed = parsedAll;
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: candidate source:', bazelCommandCandidates?.length ? `bazel mod show_extension (${parsed.length})` : nativeCandidates && nativeCandidates.length ? `static parse (${parsed.length}) with bzlmod visible-repos (${nativeCandidates.length}) as corroboration` : `static parse (${parsed.length})`);
+  }
+  // Prepend the default hub seed unless parsed metadata already covers it.
+  const candidates = parsed.some(c => c.hubName === DEFAULT_PYPI_HUB_SEED) ? parsed : [{
+    hubName: DEFAULT_PYPI_HUB_SEED,
+    source: 'default-seed',
+    workspaceMode: 'unknown'
+  }, ...parsed];
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: candidate set to probe (seed-first, deduped):', candidates.map(c => c.hubName));
+  }
+  const validated = new Map();
+  for (const c of candidates) {
+    // eslint-disable-next-line no-await-in-loop
+    const result = await validatePypiHub(c.hubName, probe, verbose);
+    if (result.valid) {
+      validated.set(c.hubName, {
+        ...c,
+        probeStdout: result.stdout
+      });
+    }
+  }
+  if (verbose) {
+    logger.logger.log('[VERBOSE] discovery: validated pip hubs:', Array.from(validated.keys()));
+  }
+  return validated;
+}
+
+/**
+ * Parse Bazel PyPI extraction inputs into the pinned `name==version` lines
+ * needed for generated `requirements.txt` output.
+ *
+ * This is deliberately not a general-purpose requirements.txt parser. It only
+ * accepts pinned lockfile-style entries needed to map reached Bazel labels to
+ * exact package versions; depscan remains the owner of full PEP 508
+ * requirements ingestion during scan processing.
+ *
+ * Security gate: every regex uses bounded character classes to prevent
+ * catastrophic backtracking on hostile input.
+ */
+
+
+// Maximum size (bytes) we will read for any requirements lockfile.
+// Prevents DoS via maliciously large lockfiles.
+const MAX_REQUIREMENTS_FILE_BYTES = 5 * 1024 * 1024;
+// Normalize a PyPI package name per PEP 503:
+// lowercase, then collapse `.`, `_`, and `-` runs to a single `-`.
+function normalizePypiName(name) {
+  return name.toLowerCase().replace(/[._-]+/g, '-').replace(/^-+/, '').replace(/-+$/, '');
+}
+
+// Convert a Bazel underscore_name to a PyPI hyphenated-name.
+function bazelNameToPypiName(bazelName) {
+  return bazelName.replace(/_/g, '-');
+}
+
+// Validate that a resolved path stays within the workspace root.
+function isWithinWorkspace(resolved, cwd) {
+  const rel = path.relative(cwd, resolved);
+  return !rel.startsWith('..') && !path.isAbsolute(rel);
+}
+
+// Resolves a Bazel label or workspace-relative path to a filesystem path.
+// Returns undefined for labels that cannot be resolved locally.
+function resolveRequirementsLockPath(label, cwd) {
+  if (!label) {
+    return undefined;
+  }
+  // Reject labels with path-traversal segments.
+  if (label.includes('..')) {
+    return undefined;
+  }
+  // Reject external repository labels.
+  if (label.startsWith('@')) {
+    return undefined;
+  }
+  // Bazel local label forms:
+  //   //:requirements_lock.txt
+  //   //subdir:requirements_lock.txt
+  //   :requirements_lock.txt
+  let filePart;
+  if (label.startsWith('//')) {
+    const colon = label.indexOf(':');
+    if (colon < 0) {
+      return undefined;
+    }
+    const pkgPath = label.slice(2, colon);
+    const filePart = label.slice(colon + 1);
+    if (!filePart) {
+      return undefined;
+    }
+    const resolved = path.join(cwd, pkgPath, filePart);
+    if (!isWithinWorkspace(resolved, cwd)) {
+      return undefined;
+    }
+    return resolved;
+  }
+  if (label.startsWith(':')) {
+    filePart = label.slice(1);
+    if (!filePart) {
+      return undefined;
+    }
+    const resolved = path.join(cwd, filePart);
+    if (!isWithinWorkspace(resolved, cwd)) {
+      return undefined;
+    }
+    return resolved;
+  }
+  // Reject absolute paths (only for non-label inputs).
+  if (path.isAbsolute(label)) {
+    return undefined;
+  }
+  // Bare workspace-relative path (no leading // or :).
+  const resolved = path.join(cwd, label);
+  if (!isWithinWorkspace(resolved, cwd)) {
+    return undefined;
+  }
+  return resolved;
+}
+
+// Parses a single pinned `name==version` lockfile line.
+// Group 1 = package name, Group 2 = version string (includes ==).
+const REQUIREMENT_LINE_RE = /^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9._+!]+)/;
+const BAZEL_STRING_LABEL_RE = /[@A-Za-z0-9_~/.:+-]+/;
+const ALIAS_ACTUAL_RE = new RegExp(`actual\\s*=\\s*(["'])(${BAZEL_STRING_LABEL_RE.source})\\1`);
+
+// Skippable line prefixes.
+function shouldSkipLine(line) {
+  const trimmed = line.trim();
+  if (!trimmed) {
+    return true;
+  }
+  if (trimmed.startsWith('#')) {
+    return true;
+  }
+  // Hash continuations start with `--hash=`.
+  if (trimmed.startsWith('--hash=')) {
+    return true;
+  }
+  // Index options, constraint options, editable installs, includes, direct URLs.
+  if (trimmed.startsWith('--') || trimmed.startsWith('-e ') || trimmed.startsWith('-r ') || trimmed.startsWith('https://') || trimmed.startsWith('http://')) {
+    return true;
+  }
+  return false;
+}
+
+// Parse a `requirements_lock.txt`-style file into a map keyed by normalized
+// PyPI name. This intentionally ignores unpinned PEP 508 requirement forms
+// because the Bazel extractor must emit exact package versions.
+function parseRequirementsLock(text) {
+  const out = new Map();
+  const lines = text.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const rawLine = lines[i];
+    if (rawLine === undefined) {
+      continue;
+    }
+    if (shouldSkipLine(rawLine)) {
+      continue;
+    }
+    // Handle trailing backslash continuation by concatenating subsequent lines.
+    let line = rawLine.trimEnd();
+    while (line.endsWith('\\') && i + 1 < lines.length) {
+      i++;
+      const next = lines[i];
+      if (next !== undefined) {
+        line = line.slice(0, -1).trimEnd() + ' ' + next.trimStart();
+      }
+    }
+    const m = REQUIREMENT_LINE_RE.exec(line);
+    if (!m) {
+      continue;
+    }
+    const [, rawName, version] = m;
+    if (!rawName || !version) {
+      continue;
+    }
+    const bazelName = rawName.replace(/-/g, '_');
+    const normalized = normalizePypiName(rawName);
+    const existing = out.get(normalized);
+    if (existing) {
+      if (existing.version !== version) {
+        throw new Error(`Conflicting versions for normalized PyPI package ${normalized}: ` + `${existing.originalLine ?? existing.name + '==' + existing.version} ` + `conflicts with ${line}.`);
+      }
+      continue;
+    }
+    out.set(normalized, {
+      name: rawName,
+      version,
+      bazelName,
+      source: 'lockfile',
+      originalLine: line
+    });
+  }
+  return out;
+}
+
+// Read and parse a requirements lockfile from a resolved path, capping file
+// size. Returns undefined when the file is missing, oversized, or unreadable.
+function readRequirementsLockFile(resolvedPath) {
+  if (!resolvedPath) {
+    return undefined;
+  }
+  if (!fs$1.existsSync(resolvedPath)) {
+    return undefined;
+  }
+  let text;
+  try {
+    const stat = fs$1.statSync(resolvedPath);
+    if (stat.size > MAX_REQUIREMENTS_FILE_BYTES) {
+      return undefined;
+    }
+    text = fs$1.readFileSync(resolvedPath, 'utf8');
+  } catch {
+    return undefined;
+  }
+  return parseRequirementsLock(text);
+}
+
+// Extract `pypi_name=` and `pypi_version=` tags from `--output=build` text of a
+// spoke target. Returns null when either tag is missing.
+const PYPI_NAME_TAG_RE = /pypi_name=\s*([A-Za-z0-9][A-Za-z0-9._-]*)/;
+const PYPI_VERSION_TAG_RE = /pypi_version=\s*([A-Za-z0-9._+!]+)/;
+function parsePypiTagsFromBuildOutput(text) {
+  const nameM = PYPI_NAME_TAG_RE.exec(text);
+  const versionM = PYPI_VERSION_TAG_RE.exec(text);
+  if (!nameM || !versionM) {
+    return null;
+  }
+  const rawName = nameM[1];
+  const version = versionM[1];
+  if (!rawName || !version) {
+    return null;
+  }
+  return {
+    name: rawName,
+    version,
+    bazelName: rawName.replace(/-/g, '_'),
+    source: 'spoke-tag'
+  };
+}
+function parseAliasActualFromBuildOutput(text) {
+  const match = ALIAS_ACTUAL_RE.exec(text);
+  return match?.[2];
+}
+
+// Extract hub package labels from `bazel query` output that match
+// `@<hub>//<name>:pkg` patterns (both line-start and embedded in
+// `--output=build` deps arrays).
+function filterReachedPypiPackages(queryOutput, hubName) {
+  const out = [];
+  const prefix = `@${hubName}//`;
+  // Match from the start of a label token (preceded by whitespace, quote, or
+  // start of line) to improve robustness across output formats.
+  const labelRe = new RegExp(`(?:^|[\\s"])${prefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}([^\\s:"]+):pkg`, 'g');
+  let m;
+  while ((m = labelRe.exec(queryOutput)) !== null) {
+    const pkgPart = m[1];
+    if (!pkgPart) {
+      continue;
+    }
+    const bazelName = pkgPart;
+    const normalized = normalizePypiName(bazelNameToPypiName(bazelName));
+    const apparentLabel = `${prefix}${bazelName}:pkg`;
+    out.push({
+      hubName,
+      originalLabel: apparentLabel,
+      bazelName,
+      normalizedName: normalized,
+      apparentLabel
+    });
+  }
+  return out;
+}
+
+// Collect name==version pairs for the reached closure, resolving versions
+// from the lockfile fast path or spoke-tag fallback. Enforces version
+// conflict detection and deterministic output.
+function collectPypiPackages(reached, lockfile, spokeTagLookup) {
+  const collected = new Map();
+  for (const r of reached) {
+    const normalized = r.normalizedName;
+    // Lockfile fast path.
+    const lockEntry = lockfile?.get(normalized);
+    if (lockEntry) {
+      const existing = collected.get(normalized);
+      if (existing && existing.version !== lockEntry.version) {
+        throw new Error(`Conflicting versions for ${normalized}: ${existing.label} has ${existing.version}, ${r.originalLabel} has ${lockEntry.version} (lockfile).`);
+      }
+      if (!existing) {
+        collected.set(normalized, {
+          name: lockEntry.name,
+          version: lockEntry.version,
+          source: 'lockfile',
+          label: r.originalLabel
+        });
+      }
+      continue;
+    }
+    // Spoke-tag fallback.
+    const spokeEntry = spokeTagLookup?.get(normalized);
+    if (spokeEntry) {
+      const existing = collected.get(normalized);
+      if (existing && existing.version !== spokeEntry.version) {
+        throw new Error(`Conflicting versions for ${normalized}: ${existing.label} has ${existing.version}, ${r.originalLabel} has ${spokeEntry.version} (spoke tag).`);
+      }
+      if (!existing) {
+        collected.set(normalized, {
+          name: spokeEntry.name,
+          version: spokeEntry.version,
+          source: 'spoke-tag',
+          label: r.originalLabel
+        });
+      }
+      continue;
+    }
+    // Unresolvable package — fail rather than emit an unpinned entry.
+    throw new Error(`No version found for ${r.originalLabel}. ` + 'Check that the package is present in the requirements_lock.txt ' + 'or reachable via a spoke target with pypi_name and pypi_version tags.');
+  }
+  return Array.from(collected.values());
+}
+
+// Sort package lines deterministically (locale-aware, lowercase comparison).
+function sortPackageLines(lines) {
+  return lines.sort((a, b) => {
+    const aLow = a.name.toLowerCase();
+    const bLow = b.name.toLowerCase();
+    if (aLow < bLow) {
+      return -1;
+    }
+    if (aLow > bLow) {
+      return 1;
+    }
+    return a.name.localeCompare(b.name);
+  });
+}
+async function extractBazelToPypi(opts) {
+  const {
+    cwd,
+    out,
+    verbose
+  } = opts;
+  logger.logger.group('bazel2pypi:');
+  logger.logger.info(`- src dir: \`${cwd}\``);
+  logger.logger.info(`- out dir: \`${out}\``);
+  if (!fs$1.existsSync(cwd)) {
+    logger.logger.warn(`Warning: cwd does not exist: ${cwd}`);
+  }
+  logger.logger.groupEnd();
+  try {
+    // Validate caller-provided Bazel filesystem settings before invoking Bazel.
+    if (opts.bazelOutputBase) {
+      validateOutputBase(opts.bazelOutputBase, opts.cwd);
+    }
+    // Python shim (for rules_python workspace discovery).
+    const shim = await provisionPythonShim();
+    const baseEnv = shim.augmentedEnv ?? opts.env;
+
+    // Step 1: workspace detection.
+    const mode = detectWorkspaceMode(cwd);
+    logger.logger.info(`Workspace mode: bzlmod=${mode.bzlmod} workspace=${mode.workspace}`);
+    const invocationFlags = getBazelInvocationFlags(mode);
+
+    // Step 2: bazel binary resolution.
+    const bin = await resolveBazelBinary(opts.bin);
+    logger.logger.info(`Using bazel: ${bin}`);
+    if (verbose) {
+      logger.logger.log('[VERBOSE] resolved options:', {
+        bin,
+        bazelRc: opts.bazelRc ?? '(unset)',
+        bazelOutputBase: opts.bazelOutputBase ?? '(unset)',
+        bazelFlags: opts.bazelFlags ?? '(unset)',
+        invocationFlags
+      });
+    }
+
+    // Step 3: build the shared query options object.
+    const queryOpts = {
+      bin,
+      cwd,
+      invocationFlags,
+      ...(opts.bazelRc ? {
+        bazelRc: opts.bazelRc
+      } : {}),
+      ...(opts.bazelFlags ? {
+        bazelFlags: opts.bazelFlags
+      } : {}),
+      ...(opts.bazelOutputBase ? {
+        bazelOutputBase: opts.bazelOutputBase
+      } : {}),
+      ...(baseEnv ? {
+        env: baseEnv
+      } : {}),
+      verbose
+    };
+
+    // Step 4: discover validated PyPI hubs via the two-step recipe.
+    let bazelCommandCandidates;
+    let nativeCandidates;
+    if (mode.bzlmod) {
+      const extensionResult = await runBazelModShowPipExtension(queryOpts);
+      if (extensionResult.code === 0) {
+        bazelCommandCandidates = parseBazelModPipExtensionCandidates(extensionResult.stdout, verbose);
+      } else if (verbose) {
+        logger.logger.log('[VERBOSE] bazel mod show_extension failed; falling back to bounded static candidate parsing:', extensionResult.stderr);
+      }
+      const visibleRepos = await runBazelModShowVisibleRepos(queryOpts);
+      if (visibleRepos.code === 0) {
+        nativeCandidates = parseVisibleRepoCandidates(visibleRepos.stdout);
+        if (verbose) {
+          logger.logger.log('[VERBOSE] Bzlmod visible repo candidates:', nativeCandidates);
+        }
+      } else if (verbose) {
+        logger.logger.log('[VERBOSE] bazel mod show_repo failed; falling back to static candidate parsing:', visibleRepos.stderr);
+      }
+    }
+    const probe = buildPypiProbeFor(queryOpts);
+    const hubs = await discoverPypiHubs(cwd, probe, nativeCandidates, verbose, bazelCommandCandidates);
+    const hubNames = Array.from(hubs.keys());
+    logger.logger.info(`Discovered ${hubs.size} PyPI hub(s): ${hubNames.join(', ') || '(none)'}`);
+    if (!hubs.size) {
+      if (verbose) {
+        logger.logger.info('No PyPI hubs discovered. failureCategory=no-supported-ecosystem');
+      }
+      return {
+        artifactCount: 0,
+        ok: false,
+        noEcosystemFound: true
+      };
+    }
+
+    // Step 5: for each hub, resolve the requirements lockfile (fast path),
+    // run the reached-closure query, and collect name==version pairs.
+    const allLines = [];
+    const warnings = [];
+    for (const [hubName, hubInfo] of hubs) {
+      // eslint-disable-next-line no-await-in-loop
+      const lockfileMap = await resolveHubLockfile(hubInfo, cwd, verbose);
+      // eslint-disable-next-line no-await-in-loop
+      const reached = await queryReachedPypiLabels(hubName, queryOpts, verbose);
+      const labelsToQuery = lockfileMap ? reached.filter(label => !lockfileMap.has(label.normalizedName)) : reached;
+      const divergenceLabels = lockfileMap && verbose ? reached : labelsToQuery;
+      // eslint-disable-next-line no-await-in-loop
+      const spokeTagLookup = await buildSpokeTagLookup(divergenceLabels, queryOpts, verbose);
+
+      // Check for lockfile-vs-spoke-tag divergence and log warnings.
+      if (lockfileMap) {
+        for (const label of reached) {
+          const lockEntry = lockfileMap.get(label.normalizedName);
+          const spokeEntry = spokeTagLookup?.get(label.normalizedName);
+          if (lockEntry && spokeEntry && lockEntry.version !== spokeEntry.version) {
+            warnings.push(`Version divergence for ${label.originalLabel}: lockfile says ${lockEntry.version}, spoke tag says ${spokeEntry.version}. Using lockfile.`);
+          }
+        }
+      }
+      const lines = collectPypiPackages(reached, lockfileMap, spokeTagLookup);
+      for (const l of lines) {
+        allLines.push({
+          name: l.name,
+          version: l.version,
+          source: l.source
+        });
+      }
+      logger.logger.info(`@${hubName}: ${lines.length} package(s)`);
+    }
+
+    // Step 6: cross-hub conflict check (same normalized name, different
+    // version across multiple hubs).
+    const crossHubVersions = new Map();
+    for (const l of allLines) {
+      const normalized = normalizePypiName(l.name);
+      const existing = crossHubVersions.get(normalized);
+      if (existing && existing !== l.version) {
+        throw new Error(`Conflicting versions for ${l.name}: ${existing} vs ${l.version} across hubs.`);
+      }
+      crossHubVersions.set(normalized, l.version);
+    }
+
+    // Step 7: sort and write requirements.txt.
+    const sorted = sortPackageLines(allLines);
+    const lines = sorted.map(p => `${p.name}==${p.version}\n`);
+    const layout = opts.outLayout ?? 'standalone';
+    const manifestDir = layout === 'flat' ? path.join(out, '.socket-auto-manifest') : out;
+    fs$1.mkdirSync(manifestDir, {
+      recursive: true
+    });
+    const manifestPath = path.join(manifestDir, 'requirements.txt');
+    await fs$1.promises.writeFile(manifestPath, lines.join(''), 'utf8');
+    if (verbose) {
+      logger.logger.log('[VERBOSE] outputs:', {
+        artifactCount: allLines.length,
+        generatedManifest: path.relative(out, manifestPath),
+        layout,
+        manifest: manifestPath,
+        pypiHubs: hubNames,
+        tool: 'socket manifest bazel',
+        workspace: {
+          bzlmod: mode.bzlmod,
+          legacyWorkspace: mode.workspace
+        }
+      });
+    }
+    for (const w of warnings) {
+      logger.logger.warn(w);
+    }
+    if (!allLines.length) {
+      logger.logger.fail('No PyPI packages extracted. failureCategory=ecosystem-detected-but-empty. See warnings above.');
+      return {
+        artifactCount: 0,
+        manifestPath,
+        ok: false
+      };
+    }
+    logger.logger.success(`Wrote ${allLines.length} package(s) to ${path.relative(cwd, manifestPath)}.`);
+    return {
+      artifactCount: allLines.length,
+      manifestPath,
+      ok: true
+    };
+  } catch (e) {
+    logger.logger.fail(`Unexpected error in bazel2pypi: ${utils.getErrorCause(e)}`);
+    if (verbose) {
+      logger.logger.group('[VERBOSE] error:');
+      logger.logger.log(e);
+      logger.logger.groupEnd();
+    } else {
+      logger.logger.info('Re-run with --verbose for the full stack.');
+    }
+    return {
+      artifactCount: 0,
+      ok: false
+    };
+  }
+}
+
+// Resolve lockfile path and read/parse if within bounds.
+async function resolveHubLockfile(hubInfo, cwd, verbose) {
+  const resolved = hubInfo.requirementsLockPath ?? resolveRequirementsLockPath(hubInfo.requirementsLockLabel, cwd);
+  if (verbose) {
+    logger.logger.log('[VERBOSE] lockfile resolved:', resolved ?? '(none from label/path)');
+  }
+  const result = readRequirementsLockFile(resolved);
+  if (verbose && result) {
+    logger.logger.log('[VERBOSE] lockfile parsed:', result.size, 'package(s)');
+  }
+  return result;
+}
+
+// Run the reached-closure query for Python targets and filter to hub labels.
+async function queryReachedPypiLabels(hubName, queryOpts, verbose) {
+  const queryStr = 'deps(kind("py_library|py_binary|py_test", //...))';
+  const result = await runBazelQuery(queryStr, queryOpts, 'label');
+  if (result.code !== 0) {
+    if (verbose) {
+      logger.logger.log(`[VERBOSE] reached query failed for ${hubName}:`, result.stderr);
+    }
+    return [];
+  }
+  return filterReachedPypiPackages(result.stdout, hubName);
+}
+
+// Build a spoke-tag lookup map for reached labels that don't have lockfile
+// entries. For each reached label, if the lockfile missed it, resolve the
+// actual target via `--output=build` and extract pypi_name/pypi_version.
+async function buildSpokeTagLookup(reached, queryOpts, verbose) {
+  const lookup = new Map();
+  for (const label of reached) {
+    // Only query the spoke if we haven't already resolved it.
+    if (lookup.has(label.normalizedName)) {
+      continue;
+    }
+    // eslint-disable-next-line no-await-in-loop
+    const buildResult = await runBazelQuery(`${label.apparentLabel}`, {
+      ...queryOpts,
+      verbose: false
+    });
+    if (buildResult.code !== 0) {
+      if (verbose) {
+        logger.logger.log(`[VERBOSE] spoke build query failed for ${label.apparentLabel}:`, buildResult.stderr);
+      }
+      continue;
+    }
+    let parsed = parsePypiTagsFromBuildOutput(buildResult.stdout);
+    if (!parsed) {
+      const actualLabel = parseAliasActualFromBuildOutput(buildResult.stdout);
+      if (actualLabel && actualLabel !== label.apparentLabel) {
+        // eslint-disable-next-line no-await-in-loop
+        const actualResult = await runBazelQuery(actualLabel, {
+          ...queryOpts,
+          verbose: false
+        });
+        if (actualResult.code === 0) {
+          parsed = parsePypiTagsFromBuildOutput(actualResult.stdout);
+        } else if (verbose) {
+          logger.logger.log(`[VERBOSE] spoke actual query failed for ${actualLabel}:`, actualResult.stderr);
+        }
+      }
+    }
+    if (parsed) {
+      lookup.set(normalizePypiName(parsed.name), parsed);
+    }
+  }
+  return lookup;
+}
+
+const config$e = {
+  commandName: 'bazel',
+  description: '[beta] Bazel SBOM support — generate manifest files for a Bazel project (Maven, PyPI)',
+  hidden: false,
+  flags: {
+    ...flags.commonFlags,
+    bazel: {
+      type: 'string',
+      description: 'Path to bazel/bazelisk binary; default: $(which bazelisk) || $(which bazel)'
+    },
+    bazelFlags: {
+      type: 'string',
+      description: 'Flags forwarded to every bazel invocation (single quoted string)'
+    },
+    bazelOutputBase: {
+      type: 'string',
+      description: 'Bazel --output_base for read-only-cache CI environments'
+    },
+    bazelRc: {
+      type: 'string',
+      description: 'Path to additional .bazelrc fragments forwarded to bazel'
+    },
+    ecosystem: {
+      type: 'string',
+      isMultiple: true,
+      description: 'Ecosystem(s) to extract; repeatable. Supported: maven, pypi. Default: maven.'
+    },
+    out: {
+      type: 'string',
+      description: 'Output directory for generated manifests; default: ./.socket/bazel-manifests/'
+    },
+    verbose: {
+      type: 'boolean',
+      description: 'Emit bounded Bazel diagnostics with argv, duration, exit status, and output sizes'
+    }
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command} [options] [CWD=.]
+
+    Options
+      ${utils.getFlagListOutput(config.flags)}
+
+    [beta] Generates Bazel SBOM manifests for Maven (\`maven_install.json\`)
+    by running \`bazel query\` against discovered dependency repos.
+    PyPI requirements generation is available with \`--ecosystem pypi\`.
+    Output is consumed by
+    \`socket scan create\`'s server-side parser.
+
+    --ecosystem may be repeated to select which ecosystems to extract.
+    When omitted, Maven is generated by default. PyPI is explicit opt-in.
+
+    Note: this command generates dependency manifests for Bazel workspaces.
+    It does not run reachability analysis.
+
+    To generate AND upload in one step, use \`socket scan create --auto-manifest\`
+    instead — it detects Bazel workspaces, generates Maven manifests by
+    default, and uploads the result. This subcommand is for generation only.
+
+    Examples
+      $ ${command} .
+      $ ${command} --ecosystem pypi .
+      $ ${command} --ecosystem maven --ecosystem pypi .
+      $ ${command} --bazel=/usr/local/bin/bazelisk .
+  `
+};
+const cmdManifestBazel = {
+  description: config$e.description,
+  hidden: config$e.hidden,
+  run: run$F
+};
+// Pure outcome-matrix evaluator. Exported so dispatcher behavior can be
+// unit-tested without spawning the CLI binary. Throws InputError on
+// failures that must propagate to a non-zero CLI exit; returns void on
+// success.
+//
+// - Hard failure: ok === false && !noEcosystemFound. The ecosystem was
+//   detected (or the runner crashed), but extraction failed. Always a
+//   non-zero exit, even when another ecosystem succeeded.
+// - No-discovery: noEcosystemFound === true. Genuinely absent ecosystem.
+//   Auto-detect mode tolerates this when at least one other ecosystem
+//   succeeded; explicit mode treats it as an error.
+function evaluateEcosystemOutcomes(outcomes, isExplicit) {
+  const hardFailures = outcomes.filter(o => !o.ok && !o.noEcosystemFound);
+  const noDiscoveries = outcomes.filter(o => o.noEcosystemFound);
+  const successes = outcomes.filter(o => o.ok && o.manifestPath);
+  if (!isExplicit) {
+    if (hardFailures.length) {
+      throw new utils.InputError(`Bazel auto-manifest generation hit hard failure(s) in ecosystem(s): ${hardFailures.map(f => f.ecosystem).join(', ')}.`);
+    }
+    if (successes.length) {
+      return;
+    }
+    if (noDiscoveries.length === outcomes.length) {
+      throw new utils.InputError('No supported Bazel ecosystems detected (maven, pypi). Ensure rules_jvm_external, rules_python pip_parse/pip_install/pip_repository, or pip.parse is configured.');
+    }
+    return;
+  }
+
+  // Explicit mode: every requested ecosystem must succeed.
+  if (noDiscoveries.length) {
+    throw new utils.InputError(`No Bazel rules found for explicitly requested ecosystem(s): ${noDiscoveries.map(f => f.ecosystem).join(', ')}.`);
+  }
+  if (hardFailures.length) {
+    throw new utils.InputError(`Bazel manifest generation failed for explicitly requested ecosystem(s): ${hardFailures.map(f => f.ecosystem).join(', ')}.`);
+  }
+}
+async function run$F(argv, importMeta, {
+  parentName
+}) {
+  const cli = utils.meowOrExit({
+    argv,
+    config: config$e,
+    importMeta,
+    parentName
+  });
+  const {
+    json = false,
+    markdown = false
+  } = cli.flags;
+  const dryRun = !!cli.flags['dryRun'];
+
+  // TODO: Implement json/md further.
+  const outputKind = utils.getOutputKind(json, markdown);
+  let [cwd = '.'] = cli.input;
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd);
+  const sockJson = utils.readOrDefaultSocketJson(cwd);
+  require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} bazel`, sockJson?.defaults?.manifest?.bazel);
+  const {
+    ecosystem
+  } = cli.flags;
+  let {
+    bazel,
+    bazelFlags,
+    bazelOutputBase,
+    bazelRc,
+    out,
+    verbose
+  } = cli.flags;
+
+  // Set defaults for any flag/arg that is not given. Check socket.json first.
+  if (!bazel) {
+    const defaultBazel = sockJson.defaults?.manifest?.bazel?.bazel ?? sockJson.defaults?.manifest?.bazel?.bin;
+    if (defaultBazel) {
+      bazel = defaultBazel;
+      logger.logger.info(`Using default --bazel from ${constants.SOCKET_JSON}:`, bazel);
+    }
+    // Otherwise leave undefined; resolveBazelBinary performs the PATH
+    // lookup for bazelisk/bazel.
+  }
+  if (!bazelFlags) {
+    if (sockJson.defaults?.manifest?.bazel?.bazelFlags) {
+      bazelFlags = sockJson.defaults?.manifest?.bazel?.bazelFlags;
+      logger.logger.info(`Using default --bazel-flags from ${constants.SOCKET_JSON}:`, bazelFlags);
+    } else {
+      bazelFlags = '';
+    }
+  }
+  if (!bazelOutputBase) {
+    if (sockJson.defaults?.manifest?.bazel?.bazelOutputBase) {
+      bazelOutputBase = sockJson.defaults?.manifest?.bazel?.bazelOutputBase;
+      logger.logger.info(`Using default --bazel-output-base from ${constants.SOCKET_JSON}:`, bazelOutputBase);
+    }
+  }
+  if (!bazelRc) {
+    if (sockJson.defaults?.manifest?.bazel?.bazelRc) {
+      bazelRc = sockJson.defaults?.manifest?.bazel?.bazelRc;
+      logger.logger.info(`Using default --bazel-rc from ${constants.SOCKET_JSON}:`, bazelRc);
+    }
+  }
+  if (!out) {
+    if (sockJson.defaults?.manifest?.bazel?.out) {
+      out = sockJson.defaults?.manifest?.bazel?.out;
+      logger.logger.info(`Using default --out from ${constants.SOCKET_JSON}:`, out);
+    } else {
+      out = path.join(cwd, '.socket', 'bazel-manifests');
+    }
+  }
+  if (verbose === undefined) {
+    if (sockJson.defaults?.manifest?.bazel?.verbose !== undefined) {
+      verbose = sockJson.defaults?.manifest?.bazel?.verbose;
+      logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
+    } else {
+      verbose = false;
+    }
+  }
+  if (verbose) {
+    logger.logger.group('- ', parentName, config$e.commandName, ':');
+    logger.logger.group('- flags:', cli.flags);
+    logger.logger.groupEnd();
+    logger.logger.log('- input:', cli.input);
+    logger.logger.groupEnd();
   }
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
@@ -7466,15 +8562,56 @@ async function run$F(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  await extractBazelToMaven({
-    bazelFlags: bazelFlags,
-    bazelOutputBase: bazelOutputBase,
-    bazelRc: bazelRc,
-    bin: bazel,
-    cwd,
-    out: out,
-    verbose: Boolean(verbose)
-  });
+
+  // Ecosystem dispatch: Maven is the default. PyPI is explicit opt-in because
+  // its no-lockfile recovery value is narrower than Maven's inline-decl path.
+  const wasExplicitEcosystemSelection = Array.isArray(ecosystem) && ecosystem.length > 0;
+  const ecosystems = wasExplicitEcosystemSelection ? ecosystem : ['maven'];
+  for (const eco of ecosystems) {
+    if (!['maven', 'pypi'].includes(eco)) {
+      throw new utils.InputError(`Unsupported --ecosystem value: ${eco}. Supported values: maven, pypi.`);
+    }
+  }
+  const outcomes = [];
+  for (const eco of ecosystems) {
+    if (eco === 'maven') {
+      // eslint-disable-next-line no-await-in-loop
+      const mavenResult = await extractBazelToMaven({
+        bazelFlags: bazelFlags,
+        bazelOutputBase: bazelOutputBase,
+        bazelRc: bazelRc,
+        bin: bazel,
+        cwd,
+        out: out,
+        verbose: Boolean(verbose)
+      });
+      outcomes.push({
+        ecosystem: 'maven',
+        ok: mavenResult.ok,
+        noEcosystemFound: mavenResult.noEcosystemFound,
+        manifestPath: mavenResult.manifestPath
+      });
+    } else if (eco === 'pypi') {
+      // eslint-disable-next-line no-await-in-loop
+      const pypiResult = await extractBazelToPypi({
+        bazelFlags: bazelFlags,
+        bazelOutputBase: bazelOutputBase,
+        bazelRc: bazelRc,
+        bin: bazel,
+        cwd,
+        out: out,
+        verbose: Boolean(verbose),
+        explicitEcosystem: wasExplicitEcosystemSelection
+      });
+      outcomes.push({
+        ecosystem: 'pypi',
+        ok: pypiResult.ok,
+        noEcosystemFound: pypiResult.noEcosystemFound,
+        manifestPath: pypiResult.manifestPath
+      });
+    }
+  }
+  evaluateEcosystemOutcomes(outcomes, wasExplicitEcosystemSelection);
 }
 
 const config$d = {
@@ -17482,5 +18619,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=d1f4c235-f351-4ff4-9652-79299095458b
+//# debugId=932c44e2-d146-411e-8818-31f6bf237a5b
 //# sourceMappingURL=cli.js.map