socket 1.1.104 → 1.1.107

package/CHANGELOG.md

@@ -12,6 +12,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Changed
 - **Bazel diagnostics** — `socket manifest bazel --verbose` now emits bounded subprocess traces with argv, cwd, duration, exit status, output sizes, and failure stderr tails to make customer log-only triage safer and faster.
 
+## [1.1.107](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.107) - 2026-05-28
+
+### Changed
+- **`socket manifest gradle --facts [beta]`** (and its `kotlin` alias) gained `--configs` and `--ignore-unresolved`, matching `socket manifest scala --facts`. `--configs` takes comma-separated glob patterns (e.g. `*CompileClasspath,*RuntimeClasspath`) to restrict resolution to matching Gradle configurations; unresolved dependencies are now a fatal error by default — pass `--ignore-unresolved` for the previous lenient behavior.
+- **`socket manifest scala --facts --configs`** now accepts glob patterns too (e.g. `*Test*`) for consistency with the gradle command. Bare names (no `*`/`?`) keep working as exact-name filters, so existing usages are unchanged.
+
+### Fixed
+- **`socket manifest gradle --facts`** now works on Gradle builds with the configuration cache enabled (default on Gradle 9), which previously failed with `Task.project at execution time` errors.
+
+## [1.1.106](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.106) - 2026-05-27
+
+### Added
+- **`socket manifest scala --facts [beta]`** — Emit a `.socket.facts.json` dependency graph from an sbt build for `socket scan create` to consume as a pregenerated SBOM. Toggle also exposed via the `socket manifest setup` wizard for use with `--auto-manifest`.
+
+## [1.1.105](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.105) - 2026-05-27
+
+### Changed
+- Updated the Coana CLI to v `15.3.11`.
+
 ## [1.1.104](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.104) - 2026-05-26
 
 ### Fixed
@@ -25,7 +44,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ## [1.1.98](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.98) - 2026-05-22
 
 ### Added
-- **`socket manifest gradle --facts [beta]`** (and its `socket manifest kotlin --facts` alias) — Emit a `.socket.facts.json` dependency graph from a Gradle build, consumable by `socket scan create --reach` as pregenerated SBOM input for Tier 1 reachability. Toggle also exposed via the `socket manifest setup` wizard for use with `--auto-manifest`.
+- **`socket manifest gradle --facts [beta]`** (and its `socket manifest kotlin --facts` alias) — Emit a `.socket.facts.json` dependency graph from a Gradle build for `socket scan create` to consume as a pregenerated SBOM. Toggle also exposed via the `socket manifest setup` wizard for use with `--auto-manifest`.
 
 ### Changed
 - Updated the Coana CLI to v `15.3.8`.

package/dist/cli.js

@@ -3220,8 +3220,10 @@ async function extractBazelToMaven(opts) {
 
 async function convertGradleToFacts({
   bin,
+  configs,
   cwd,
   gradleOpts,
+  ignoreUnresolved,
   verbose
 }) {
   const rBin = path.resolve(cwd, bin);
@@ -3241,7 +3243,32 @@ async function convertGradleToFacts({
     // The init script is bundled alongside the existing pom-generating one.
     // See .config/rollup.dist.config.mjs:copySocketFactsInitGradle.
     const initLocation = path.join(constants.default.distPath, 'socket-facts.init.gradle');
-    const commandArgs = ['--init-script', initLocation, ...gradleOpts, 'socketFacts'];
+    // Disable Gradle's configuration cache for the facts run. The init
+    // script resolves dependencies via the legacy
+    // `Configuration.resolvedConfiguration` API (the only public API that
+    // surfaces classifier + extension metadata) and registers per-
+    // subproject tasks that share a `gradle.ext` accumulator — neither
+    // pattern is compatible with the configuration cache, which would
+    // otherwise be on by default for projects with
+    // `org.gradle.configuration-cache=true` in `gradle.properties`. The
+    // Provider-based CC-safe alternatives (`ResolutionResult` /
+    // `ArtifactView.resolvedArtifacts`) only exist in Gradle 7.4+ and
+    // they don't expose classifier/extension, so they aren't a usable
+    // replacement here. Using `-D` rather than `--no-configuration-cache`
+    // keeps us compatible with older Gradle versions that don't recognize
+    // the flag — the system property is silently ignored when the
+    // feature doesn't exist.
+    // Both knobs are passed as Gradle project properties so the init script
+    // can read them via `rp.findProperty(...)`, matching how
+    // `socket.outputDirectory` / `socket.outputFile` are already wired.
+    const socketProps = [];
+    if (ignoreUnresolved) {
+      socketProps.push('-Psocket.ignoreUnresolved=true');
+    }
+    if (configs) {
+      socketProps.push(`-Psocket.configs=${configs}`);
+    }
+    const commandArgs = ['-Dorg.gradle.configuration-cache=false', ...socketProps, '--init-script', initLocation, ...gradleOpts, 'socketFacts'];
     if (verbose) {
       logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
     }
@@ -3342,6 +3369,194 @@ async function execGradle$1(bin, commandArgs, cwd, verbose) {
   }
 }
 
+// Shown when the sbt launcher dies on a modern JDK. sbt 0.13 (and some early
+// 1.x) install a SecurityManager, which JDK 18+ removed, so the launcher
+// throws before our plugin runs. We don't pick a JDK for the user — they own
+// their toolchain — but we point them at the fix.
+const JDK_HINT = 'Hint: old sbt (0.13.x and early 1.x) cannot run on modern JDKs because the Java Security Manager was removed in JDK 18+. Run with a compatible JDK by setting JAVA_HOME (e.g. Java 11) or passing `--sbt-opts "--java-home <path>"`.';
+
+// The socket-owned global base sbt compiles our plugin into. Living under the
+// app data dir (not the user's `~/.sbt`) means we never mutate their sbt
+// config, while persisting the compiled plugin between runs. sbt namespaces
+// the compiled output by Scala/sbt version (`target/scala-2.10/sbt-0.13`,
+// `target/scala-2.12/sbt-1.0`, ...), so a single base safely serves every sbt
+// version with no version detection needed.
+function resolveGlobalBase() {
+  const {
+    socketAppDataPath
+  } = constants.default;
+  return socketAppDataPath ? path.join(path.dirname(socketAppDataPath), 'sbt-facts') : path.join(os.tmpdir(), 'socket-sbt-facts');
+}
+
+// Drop the shipped plugin source into `<globalBase>/plugins/`, rewriting only
+// when its content changed so sbt's incremental compiler can reuse the cache.
+async function ensurePluginSource(pluginSrcPath, pluginsDir) {
+  const source = await fs$1.promises.readFile(pluginSrcPath, 'utf8');
+  const destPath = path.join(pluginsDir, 'SocketFactsPlugin.scala');
+  let current;
+  if (fs$1.existsSync(destPath)) {
+    current = await fs$1.promises.readFile(destPath, 'utf8');
+  }
+  if (current !== source) {
+    await fs$1.promises.mkdir(pluginsDir, {
+      recursive: true
+    });
+    await fs$1.promises.writeFile(destPath, source, 'utf8');
+  }
+}
+async function convertSbtToFacts({
+  bin,
+  configs,
+  cwd,
+  ignoreUnresolved,
+  sbtOpts,
+  verbose
+}) {
+  logger.logger.group('sbt2facts:');
+  logger.logger.info(`- executing: \`${bin}\``);
+  logger.logger.info(`- src dir: \`${cwd}\``);
+  if (!fs$1.existsSync(cwd)) {
+    logger.logger.warn('Warning: It appears the src dir could not be found. An error might be printed later because of that.');
+  }
+  logger.logger.groupEnd();
+  try {
+    const pluginSrcPath = path.join(constants.default.distPath, 'socket-facts.plugin.scala');
+    const globalBase = resolveGlobalBase();
+    await ensurePluginSource(pluginSrcPath, path.join(globalBase, 'plugins'));
+
+    // `-Dsbt.global.base` points sbt at our isolated plugins dir, so the
+    // source-only plugin activates without touching the user's `~/.sbt`. The
+    // resolution options are passed as JVM system properties the plugin reads.
+    const socketProps = [];
+    if (ignoreUnresolved) {
+      socketProps.push('-Dsocket.ignoreUnresolved=true');
+    }
+    if (configs) {
+      socketProps.push(`-Dsocket.configs=${configs}`);
+    }
+    const commandArgs = [`-Dsbt.global.base=${globalBase}`, ...socketProps, ...sbtOpts, '--batch', 'socketFacts'];
+    if (verbose) {
+      logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
+    }
+    logger.logger.log(`Generating Socket facts from \`${bin}\` on \`${cwd}\` ...`);
+    const output = await execSbt(bin, commandArgs, cwd, verbose);
+    if (output.code) {
+      process.exitCode = 1;
+      logger.logger.fail(`sbt exited with exit code ${output.code}`);
+      if (!verbose) {
+        const errorLines = extractErrorLines(output.stdout, output.stderr);
+        if (errorLines) {
+          logger.logger.group('sbt output:');
+          logger.logger.error(errorLines);
+          logger.logger.groupEnd();
+        }
+      }
+      if (/security ?manager/i.test(output.stdout + output.stderr)) {
+        logger.logger.warn(JDK_HINT);
+      }
+      return;
+    }
+    logger.logger.success('Executed sbt successfully');
+    if (verbose) {
+      // Output already streamed inline; nothing to re-summarize.
+      logger.logger.log('');
+      logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
+      return;
+    }
+    // `spawn` already strips ANSI from captured output, and the plugin prints
+    // these lines bare (via println, no sbt `[info]` prefix), so plain line
+    // matching is stable.
+    const exports = [];
+    for (const m of output.stdout.matchAll(/Socket facts file written to: (.+)/g)) {
+      const reported = m[1]?.trim();
+      if (reported) {
+        exports.push(reported);
+      }
+    }
+    if (exports.length) {
+      logger.logger.log('Reported exports:');
+      for (const fn of exports) {
+        logger.logger.log('- ', fn);
+      }
+    } else {
+      // The plugin skips emission when the build has no resolvable deps.
+      const skipMatch = output.stdout.match(/\[socket-facts\] no resolvable dependencies.*/);
+      if (skipMatch) {
+        logger.logger.warn(skipMatch[0]);
+      }
+    }
+    logger.logger.log('');
+    logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
+  } catch (e) {
+    process.exitCode = 1;
+    // A missing sbt launcher is the most common setup failure; surface it
+    // clearly instead of the generic message.
+    if (e instanceof Error && e.code === 'ENOENT') {
+      logger.logger.fail(`Could not run \`${bin}\`. Make sure sbt is installed and on your PATH, or pass --bin with the path to your sbt launcher.`);
+    } else {
+      logger.logger.fail('There was an unexpected error while generating Socket facts' + (verbose ? '' : '  (use --verbose for details)'));
+    }
+    if (verbose) {
+      logger.logger.group('[VERBOSE] error:');
+      logger.logger.log(e);
+      logger.logger.groupEnd();
+    }
+  }
+}
+
+// Pull the actionable lines out of a noisy sbt run so a failure surfaces the
+// plugin's own message (and sbt's `[error]` lines) without dumping the whole
+// resolution log.
+function extractErrorLines(stdout, stderr) {
+  return `${stdout}\n${stderr}`.split('\n').filter(line => /\[error]|Socket facts|could not resolve|unresolved/i.test(line)).join('\n').trim();
+}
+async function execSbt(bin, commandArgs, cwd, verbose) {
+  // When verbose, stream sbt output straight to the terminal so the user can
+  // watch resolution progress; otherwise show a spinner and capture output for
+  // the post-run summary.
+  if (verbose) {
+    logger.logger.info('(Running sbt with output streaming. This can take a while.)');
+    const output = await spawn.spawn(bin, commandArgs, {
+      cwd,
+      stdio: 'inherit'
+    });
+    return {
+      code: output.code,
+      stdout: '',
+      stderr: ''
+    };
+  }
+  const {
+    spinner
+  } = constants.default;
+  let pass = false;
+  try {
+    logger.logger.info('(Running sbt can take a while, depending on the size of the project)');
+    logger.logger.info('(No live output. Pass --verbose to stream sbt output instead.)');
+    spinner.start('Running sbt...');
+    const output = await spawn.spawn(bin, commandArgs, {
+      cwd
+    });
+    pass = true;
+    const {
+      code,
+      stderr,
+      stdout
+    } = output;
+    return {
+      code,
+      stdout,
+      stderr
+    };
+  } finally {
+    if (pass) {
+      spinner.successAndStop('Gracefully completed sbt execution.');
+    } else {
+      spinner.failAndStop('There was an error while trying to run sbt.');
+    }
+  }
+}
+
 async function convertGradleToMaven({
   bin,
   cwd,
@@ -3799,15 +4014,30 @@ async function generateAutoManifest({
     logger.logger.info(`Using this ${constants.SOCKET_JSON} for defaults:`, sockJson);
   }
   if (!sockJson?.defaults?.manifest?.sbt?.disabled && detected.sbt) {
-    logger.logger.log('Detected a Scala sbt build, generating pom files with sbt...');
-    await convertSbtToMaven({
-      // Note: `sbt` is more likely to be resolved against PATH env
+    // Args shared by both paths. The facts-only knobs (`configs`,
+    // `ignoreUnresolved`) and the pom-only `out` are added per branch so
+    // neither handler is spread properties it doesn't accept.
+    const sbtArgs = {
+      // Note: `sbt` is more likely to be resolved against PATH env.
       bin: sockJson.defaults?.manifest?.sbt?.bin ?? 'sbt',
       cwd,
-      out: sockJson.defaults?.manifest?.sbt?.outfile ?? './pom.xml',
       sbtOpts: sockJson.defaults?.manifest?.sbt?.sbtOpts?.split(' ').map(s => s.trim()).filter(Boolean) ?? [],
       verbose: Boolean(sockJson.defaults?.manifest?.sbt?.verbose)
-    });
+    };
+    if (sockJson.defaults?.manifest?.sbt?.facts) {
+      logger.logger.log('Detected a Scala sbt build, generating Socket facts...');
+      await convertSbtToFacts({
+        ...sbtArgs,
+        configs: sockJson.defaults?.manifest?.sbt?.configs ?? '',
+        ignoreUnresolved: Boolean(sockJson.defaults?.manifest?.sbt?.ignoreUnresolved)
+      });
+    } else {
+      logger.logger.log('Detected a Scala sbt build, generating pom files with sbt...');
+      await convertSbtToMaven({
+        ...sbtArgs,
+        out: sockJson.defaults?.manifest?.sbt?.outfile ?? './pom.xml'
+      });
+    }
   }
   if (!sockJson?.defaults?.manifest?.gradle?.disabled && detected.gradle) {
     const gradleArgs = {
@@ -3821,7 +4051,11 @@ async function generateAutoManifest({
     };
     if (sockJson.defaults?.manifest?.gradle?.facts) {
       logger.logger.log('Detected a gradle build (Gradle, Kotlin, Scala), generating Socket facts...');
-      await convertGradleToFacts(gradleArgs);
+      await convertGradleToFacts({
+        ...gradleArgs,
+        configs: sockJson.defaults?.manifest?.gradle?.configs ?? '',
+        ignoreUnresolved: Boolean(sockJson.defaults?.manifest?.gradle?.ignoreUnresolved)
+      });
     } else {
       logger.logger.log('Detected a gradle build (Gradle, Kotlin, Scala), running default gradle generator...');
       await convertGradleToMaven(gradleArgs);
@@ -8878,6 +9112,14 @@ const config$b = {
       type: 'boolean',
       description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
     },
+    configs: {
+      type: 'string',
+      description: 'With --facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). e.g. `*CompileClasspath,*RuntimeClasspath` to skip tooling configs. Default: every resolvable configuration except AGP instrumented-test classpaths'
+    },
+    ignoreUnresolved: {
+      type: 'boolean',
+      description: 'With --facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
+    },
     gradleOpts: {
       type: 'string',
       description: 'Additional options to pass on to ./gradlew, see `./gradlew --help`'
@@ -8912,11 +9154,20 @@ const config$b = {
 
     - it works with your \`gradlew\` from your repo and local settings and config
 
+    Pass --facts to instead emit a single \`.socket.facts.json\` describing the
+    resolved dependency graph of the whole build (no \`pom.xml\` files). An
+    unresolved dependency is a fatal error. With --facts you can pass
+    --configs=<comma-separated glob patterns> to restrict resolution to
+    matching configurations (e.g. \`*CompileClasspath,*RuntimeClasspath\`),
+    and --ignore-unresolved to warn on unresolved dependencies instead of
+    failing the run.
+
     Support is beta. Please report issues or give us feedback on what's missing.
 
     Examples
 
       $ ${command} .
+      $ ${command} --facts .
       $ ${command} --bin=../gradlew .
   `
 };
@@ -8950,8 +9201,10 @@ async function run$C(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
+    configs,
     facts,
     gradleOpts,
+    ignoreUnresolved,
     verbose
   } = cli.flags;
 
@@ -8988,6 +9241,31 @@ async function run$C(argv, importMeta, {
       facts = false;
     }
   }
+  if (configs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.configs !== undefined) {
+      configs = sockJson.defaults?.manifest?.gradle?.configs;
+      logger.logger.info(`Using default --configs from ${constants.SOCKET_JSON}:`, configs);
+    } else {
+      configs = '';
+    }
+  }
+  if (ignoreUnresolved === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.ignoreUnresolved !== undefined) {
+      ignoreUnresolved = sockJson.defaults?.manifest?.gradle?.ignoreUnresolved;
+      logger.logger.info(`Using default --ignore-unresolved from ${constants.SOCKET_JSON}:`, ignoreUnresolved);
+    } else {
+      ignoreUnresolved = false;
+    }
+  }
+
+  // `--configs` and `--ignore-unresolved` only affect --facts; the pom path
+  // (the legacy `socketGenerateMaven` task) has no equivalent knobs. Warn
+  // rather than silently ignore an explicitly-passed flag. (socket.json
+  // defaults don't trip this — only a flag actually present on the command
+  // line does.)
+  if (!facts && (cli.flags['configs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
+    logger.logger.warn('The `--configs` and `--ignore-unresolved` options only apply with `--facts`; ignoring them.');
+  }
   if (verbose) {
     logger.logger.group('- ', parentName, config$b.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
@@ -9023,8 +9301,10 @@ async function run$C(argv, importMeta, {
   if (facts) {
     await convertGradleToFacts({
       bin: String(bin),
+      configs: String(configs || ''),
       cwd,
       gradleOpts: parsedGradleOpts,
+      ignoreUnresolved: Boolean(ignoreUnresolved),
       verbose: Boolean(verbose)
     });
     return;
@@ -9056,6 +9336,14 @@ const config$a = {
       type: 'boolean',
       description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
     },
+    configs: {
+      type: 'string',
+      description: 'With --facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). e.g. `*CompileClasspath,*RuntimeClasspath` to skip tooling configs. Default: every resolvable configuration except AGP instrumented-test classpaths'
+    },
+    ignoreUnresolved: {
+      type: 'boolean',
+      description: 'With --facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
+    },
     gradleOpts: {
       type: 'string',
       description: 'Additional options to pass on to ./gradlew, see `./gradlew --help`'
@@ -9128,8 +9416,10 @@ async function run$B(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
+    configs,
     facts,
     gradleOpts,
+    ignoreUnresolved,
     verbose
   } = cli.flags;
 
@@ -9166,6 +9456,25 @@ async function run$B(argv, importMeta, {
       facts = false;
     }
   }
+  if (configs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.configs !== undefined) {
+      configs = sockJson.defaults?.manifest?.gradle?.configs;
+      logger.logger.info(`Using default --configs from ${constants.SOCKET_JSON}:`, configs);
+    } else {
+      configs = '';
+    }
+  }
+  if (ignoreUnresolved === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.ignoreUnresolved !== undefined) {
+      ignoreUnresolved = sockJson.defaults?.manifest?.gradle?.ignoreUnresolved;
+      logger.logger.info(`Using default --ignore-unresolved from ${constants.SOCKET_JSON}:`, ignoreUnresolved);
+    } else {
+      ignoreUnresolved = false;
+    }
+  }
+  if (!facts && (cli.flags['configs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
+    logger.logger.warn('The `--configs` and `--ignore-unresolved` options only apply with `--facts`; ignoring them.');
+  }
   if (verbose) {
     logger.logger.group('- ', parentName, config$a.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
@@ -9201,8 +9510,10 @@ async function run$B(argv, importMeta, {
   if (facts) {
     await convertGradleToFacts({
       bin: String(bin),
+      configs: String(configs || ''),
       cwd,
       gradleOpts: parsedGradleOpts,
+      ignoreUnresolved: Boolean(ignoreUnresolved),
       verbose: Boolean(verbose)
     });
     return;
@@ -9225,6 +9536,18 @@ const config$9 = {
       type: 'string',
       description: 'Location of sbt binary to use'
     },
+    facts: {
+      type: 'boolean',
+      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
+    },
+    configs: {
+      type: 'string',
+      description: 'With --facts: comma-separated glob patterns matched against sbt configuration names (case-sensitive, `*` and `?` wildcards). Bare names (no wildcards) act as exact-name filters. Default: compile,optional,provided,runtime,test'
+    },
+    ignoreUnresolved: {
+      type: 'boolean',
+      description: 'With --facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
+    },
     out: {
       type: 'string',
       description: 'Path of output file; where to store the resulting manifest, see also --stdout'
@@ -9271,6 +9594,15 @@ const config$9 = {
 
     You can specify --bin to override the path to the \`sbt\` binary to invoke.
 
+    Pass --facts to instead emit a single \`.socket.facts.json\` describing the
+    resolved dependency graph of the whole build (no \`pom.xml\` files). It reads
+    dependency metadata only and never downloads artifacts; an unresolved
+    dependency is a fatal error. With --facts you can pass
+    --configs=<comma-separated glob patterns> to choose which sbt configurations
+    to resolve (e.g. \`compile,test\` for exact names or \`*Test*\` for variants),
+    and --ignore-unresolved to warn on unresolved dependencies instead of
+    failing the run.
+
     Support is beta. Please report issues or give us feedback on what's missing.
 
     This is only for SBT. If your Scala setup uses gradle, please see the help
@@ -9279,6 +9611,7 @@ const config$9 = {
     Examples
 
       $ ${command}
+      $ ${command} --facts .
       $ ${command} ./proj --bin=/usr/bin/sbt --file=boot.sbt
   `
 };
@@ -9312,6 +9645,9 @@ async function run$A(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} sbt`, sockJson?.defaults?.manifest?.sbt);
   let {
     bin,
+    configs,
+    facts,
+    ignoreUnresolved,
     out,
     sbtOpts,
     stdout,
@@ -9327,6 +9663,30 @@ async function run$A(argv, importMeta, {
       bin = 'sbt';
     }
   }
+  if (facts === undefined) {
+    if (sockJson.defaults?.manifest?.sbt?.facts !== undefined) {
+      facts = sockJson.defaults?.manifest?.sbt?.facts;
+      logger.logger.info(`Using default --facts from ${constants.SOCKET_JSON}:`, facts);
+    } else {
+      facts = false;
+    }
+  }
+  if (configs === undefined) {
+    if (sockJson.defaults?.manifest?.sbt?.configs !== undefined) {
+      configs = sockJson.defaults?.manifest?.sbt?.configs;
+      logger.logger.info(`Using default --configs from ${constants.SOCKET_JSON}:`, configs);
+    } else {
+      configs = '';
+    }
+  }
+  if (ignoreUnresolved === undefined) {
+    if (sockJson.defaults?.manifest?.sbt?.ignoreUnresolved !== undefined) {
+      ignoreUnresolved = sockJson.defaults?.manifest?.sbt?.ignoreUnresolved;
+      logger.logger.info(`Using default --ignore-unresolved from ${constants.SOCKET_JSON}:`, ignoreUnresolved);
+    } else {
+      ignoreUnresolved = false;
+    }
+  }
   if (stdout === undefined && sockJson.defaults?.manifest?.sbt?.stdout !== undefined) {
     stdout = sockJson.defaults?.manifest?.sbt?.stdout;
     logger.logger.info(`Using default --stdout from ${constants.SOCKET_JSON}:`, stdout);
@@ -9355,6 +9715,23 @@ async function run$A(argv, importMeta, {
   } else if (verbose === undefined) {
     verbose = false;
   }
+
+  // `--configs` and `--ignore-unresolved` only affect --facts; the pom path
+  // (`sbt makePom`) has no equivalent knobs. Warn rather than silently ignore
+  // an explicitly-passed flag. (socket.json defaults don't trip this — only a
+  // flag actually present on the command line does.)
+  if (!facts && (cli.flags['configs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
+    logger.logger.warn('The `--configs` and `--ignore-unresolved` options only apply with `--facts`; ignoring them.');
+  }
+
+  // Conversely, --out / --stdout only affect the pom path; with --facts the
+  // plugin always writes `.socket.facts.json` to the build root (its
+  // socket.outputDirectory/outputFile JVM props aren't exposed by the CLI), so
+  // warn rather than let `--facts --out custom.json` silently write nothing
+  // there.
+  if (facts && (cli.flags['out'] !== undefined || cli.flags['stdout'] !== undefined)) {
+    logger.logger.warn('The `--out` and `--stdout` options do not apply with `--facts`; the facts file is always written to the build root.');
+  }
   if (verbose) {
     logger.logger.group('- ', parentName, config$9.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
@@ -9387,11 +9764,23 @@ async function run$A(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
+  const parsedSbtOpts = String(sbtOpts || '').split(' ').map(s => s.trim()).filter(Boolean);
+  if (facts) {
+    await convertSbtToFacts({
+      bin: String(bin),
+      configs: String(configs || ''),
+      cwd,
+      ignoreUnresolved: Boolean(ignoreUnresolved),
+      sbtOpts: parsedSbtOpts,
+      verbose: Boolean(verbose)
+    });
+    return;
+  }
   await convertSbtToMaven({
     bin: String(bin),
-    cwd: cwd,
+    cwd,
     out: String(out),
-    sbtOpts: String(sbtOpts).split(' ').map(s => s.trim()).filter(Boolean),
+    sbtOpts: parsedSbtOpts,
     verbose: Boolean(verbose)
   });
 }
@@ -9668,28 +10057,41 @@ async function setupSbt(config) {
   } else {
     delete config.sbtOpts;
   }
-  const stdout = await askForStdout(config.stdout);
-  if (stdout === undefined) {
+  const facts = await askForFactsFlag(config.facts);
+  if (facts === undefined) {
     return canceledByUser$1();
-  } else if (stdout === 'yes') {
-    config.stdout = true;
-  } else if (stdout === 'no') {
-    config.stdout = false;
+  } else if (facts === 'yes' || facts === 'no') {
+    config.facts = facts === 'yes';
   } else {
-    delete config.stdout;
+    delete config.facts;
   }
-  if (config.stdout !== true) {
-    const out = await askForOutputFile(config.outfile || 'sbt.pom.xml');
-    if (out === undefined) {
+
+  // --facts emits a .socket.facts.json instead of pom.xml files, so the pom
+  // output questions (stdout/outfile) don't apply when it is enabled.
+  if (config.facts !== true) {
+    const stdout = await askForStdout(config.stdout);
+    if (stdout === undefined) {
       return canceledByUser$1();
-    } else if (out === '-') {
+    } else if (stdout === 'yes') {
       config.stdout = true;
+    } else if (stdout === 'no') {
+      config.stdout = false;
     } else {
       delete config.stdout;
-      if (out) {
-        config.outfile = out;
+    }
+    if (config.stdout !== true) {
+      const out = await askForOutputFile(config.outfile || 'sbt.pom.xml');
+      if (out === undefined) {
+        return canceledByUser$1();
+      } else if (out === '-') {
+        config.stdout = true;
       } else {
-        delete config.outfile;
+        delete config.stdout;
+        if (out) {
+          config.outfile = out;
+        } else {
+          delete config.outfile;
+        }
       }
     }
   }
@@ -18619,5 +19021,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=932c44e2-d146-411e-8818-31f6bf237a5b
+//# debugId=f6378cd8-bbe9-49cb-9f3a-76b5f61b86ed
 //# sourceMappingURL=cli.js.map