socket 1.1.113 → 1.1.115

package/dist/cli.js

@@ -3738,343 +3738,151 @@ async function extractBazelToMaven(opts) {
   }
 }
 
-async function convertGradleToFacts({
+// Delegates Socket facts generation for a JVM build tool to the Coana CLI's
+// `manifest <ecosystem>` command. The build-tool resolution scripts (the Gradle
+// init script and the sbt plugin) live in Coana now, so socket-cli no longer
+// runs them itself; it only asks Coana for the uploadable `.socket.facts.json`.
+//
+// The resolved artifact-paths sidecar is intentionally NOT requested here: it
+// only matters for reachability analysis, which is internal to Coana, so Coana
+// emits it itself when it runs reachability. `socket manifest` only needs the
+// facts file.
+//
+// `spawnCoanaDlx` resolves the Coana CLI via dlx (or a local build when
+// `SOCKET_CLI_COANA_LOCAL_PATH` is set). `bin` (the gradle/sbt executable) is
+// always resolved by the caller to a concrete default (`<cwd>/gradlew`, or
+// `sbt` on PATH) before we get here, so it is forwarded verbatim; the empty
+// guard below is just a cheap safeguard against passing `--bin ''`.
+async function runCoanaManifestFacts({
   bin,
-  configs,
+  buildOpts,
+  buildOptsFlag,
   cwd,
-  gradleOpts,
+  ecosystem,
+  excludeConfigs,
   ignoreUnresolved,
+  includeConfigs,
   verbose
 }) {
-  const rBin = path.resolve(cwd, bin);
-  const binExists = fs$1.existsSync(rBin);
-  const cwdExists = fs$1.existsSync(cwd);
-  logger.logger.group('gradle2facts:');
-  logger.logger.info(`- executing: \`${rBin}\``);
-  if (!binExists) {
-    logger.logger.warn(`Warning: It appears the executable could not be found. An error might be printed later because of that.`);
+  // Pin the facts output location explicitly rather than relying on Coana's
+  // "project root" default. `factsPath` is then the single source of truth for
+  // both what we tell Coana to write and what we verify exists below, so the
+  // two can't drift apart if Coana's default ever changes. This is deliberately
+  // NOT user-configurable: Socket facts always land in the project root so that
+  // `socket scan create <project>` finds them (see cmd-manifest-scala.mts, which
+  // rejects --out/--stdout in facts mode).
+  const factsDir = cwd;
+  const factsFile = constants.default.DOT_SOCKET_DOT_FACTS_JSON;
+  const factsPath = path.join(factsDir, factsFile);
+  // `coana manifest <ecosystem> <path>` emits `.socket.facts.json` by default;
+  // there is no `--facts` flag (the artifact-paths sidecar is reachability-
+  // internal and not requested here).
+  const coanaArgs = ['manifest', ecosystem, cwd, '--output-dir', factsDir, '--output-file', factsFile];
+  if (bin) {
+    coanaArgs.push('--bin', bin);
+  }
+  if (includeConfigs) {
+    coanaArgs.push('--include-configs', includeConfigs);
+  }
+  if (excludeConfigs) {
+    coanaArgs.push('--exclude-configs', excludeConfigs);
+  }
+  if (ignoreUnresolved) {
+    coanaArgs.push('--ignore-unresolved');
   }
-  logger.logger.info(`- src dir: \`${cwd}\``);
-  if (!cwdExists) {
-    logger.logger.warn(`Warning: It appears the src dir could not be found. An error might be printed later because of that.`);
+  if (verbose) {
+    coanaArgs.push('--debug');
   }
-  logger.logger.groupEnd();
-  try {
-    // The init script is bundled alongside the existing pom-generating one.
-    // See .config/rollup.dist.config.mjs:copySocketFactsInitGradle.
-    const initLocation = path.join(constants.default.distPath, 'socket-facts.init.gradle');
-    // Disable Gradle's configuration cache for the facts run. The init
-    // script resolves dependencies via the legacy
-    // `Configuration.resolvedConfiguration` API (the only public API that
-    // surfaces classifier + extension metadata) and registers per-
-    // subproject tasks that share a `gradle.ext` accumulator — neither
-    // pattern is compatible with the configuration cache, which would
-    // otherwise be on by default for projects with
-    // `org.gradle.configuration-cache=true` in `gradle.properties`. The
-    // Provider-based CC-safe alternatives (`ResolutionResult` /
-    // `ArtifactView.resolvedArtifacts`) only exist in Gradle 7.4+ and
-    // they don't expose classifier/extension, so they aren't a usable
-    // replacement here. Using `-D` rather than `--no-configuration-cache`
-    // keeps us compatible with older Gradle versions that don't recognize
-    // the flag — the system property is silently ignored when the
-    // feature doesn't exist.
-    // Both knobs are passed as Gradle project properties so the init script
-    // can read them via `rp.findProperty(...)`, matching how
-    // `socket.outputDirectory` / `socket.outputFile` are already wired.
-    const socketProps = [];
-    if (ignoreUnresolved) {
-      socketProps.push('-Psocket.ignoreUnresolved=true');
-    }
-    if (configs) {
-      socketProps.push(`-Psocket.configs=${configs}`);
-    }
-    const commandArgs = ['-Dorg.gradle.configuration-cache=false', ...socketProps, '--init-script', initLocation, ...gradleOpts, 'socketFacts'];
-    if (verbose) {
-      logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
-    }
-    logger.logger.log(`Generating Socket facts from \`${bin}\` on \`${cwd}\` ...`);
-    const output = await execGradle$1(rBin, commandArgs, cwd, verbose);
-    if (output.code) {
-      process.exitCode = 1;
-      logger.logger.fail(`Gradle exited with exit code ${output.code}`);
-      if (!verbose) {
-        logger.logger.group('stderr:');
-        logger.logger.error(output.stderr);
-        logger.logger.groupEnd();
-      }
-      return;
-    }
-    logger.logger.success('Executed gradle successfully');
-    if (verbose) {
-      // Output already streamed; the "Reported exports:" summary lines were
-      // visible inline. No need to repeat them from a captured stdout.
-      logger.logger.log('');
-      logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
-      return;
-    }
-    const exports = Array.from(output.stdout.matchAll(/^Socket facts file written to: (.*)/gm), m => m[1]);
-    if (exports.length) {
-      logger.logger.log('Reported exports:');
-      for (const fn of exports) {
-        logger.logger.log('- ', fn);
-      }
-    } else {
-      // Gradle script may have skipped emission when no resolvable
-      // dependencies were found (see the `components.isEmpty()` branch in
-      // socket-facts.init.gradle). Surface the skip reason if present so
-      // the user understands why nothing was written.
-      const skipMatch = output.stdout.match(/^\[socket-facts\] no resolvable dependencies.*/m);
-      if (skipMatch) {
-        logger.logger.warn(skipMatch[0]);
-      }
-    }
-    logger.logger.log('');
-    logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
-  } catch (e) {
-    process.exitCode = 1;
-    logger.logger.fail('There was an unexpected error while generating Socket facts' + (verbose ? '' : '  (use --verbose for details)'));
-    if (verbose) {
-      logger.logger.group('[VERBOSE] error:');
-      logger.logger.log(e);
-      logger.logger.groupEnd();
-    }
+  // `--gradle-opts` / `--sbt-opts` are variadic on the Coana side; keep them
+  // last so the pass-through values don't swallow any following flags.
+  if (buildOpts.length) {
+    coanaArgs.push(buildOptsFlag, ...buildOpts);
   }
-}
-async function execGradle$1(bin, commandArgs, cwd, verbose) {
-  // When verbose, stream gradle stdout/stderr directly to the user's
-  // terminal — no spinner, no capture. The trade-off is that the post-run
-  // "Reported exports:" summary is skipped (the lines were already visible
-  // inline). For huge builds where the user wants to see progress, this is
-  // the right default. Non-verbose runs still get the spinner + summary.
+  logger.logger.log(`Generating Socket facts for the ${ecosystem} project at \`${cwd}\` ...`);
   if (verbose) {
-    logger.logger.info('(Running gradle with output streaming. This can take a while.)');
-    const output = await spawn.spawn(bin, commandArgs, {
-      cwd,
-      stdio: 'inherit'
-    });
-    return {
-      code: output.code,
-      stdout: '',
-      stderr: ''
-    };
+    logger.logger.log('[VERBOSE] coana args:', coanaArgs);
   }
-  const {
-    spinner
-  } = constants.default;
-  let pass = false;
-  try {
-    logger.logger.info('(Running gradle can take a while, depending on the size of the project)');
-    logger.logger.info('(No live output. Pass --verbose to stream gradle output instead.)');
-    spinner.start(`Running gradlew...`);
-    const output = await spawn.spawn(bin, commandArgs, {
-      cwd
-    });
-    pass = true;
-    const {
-      code,
-      stderr,
-      stdout
-    } = output;
-    return {
-      code,
-      stdout,
-      stderr
-    };
-  } finally {
-    if (pass) {
-      spinner.successAndStop('Gracefully completed gradlew execution.');
-    } else {
-      spinner.failAndStop('There was an error while trying to run gradlew.');
-    }
+
+  // Stream Coana's output so the user sees build-tool progress and Coana's own
+  // "Socket facts file written to: ..." line.
+  const result = await utils.spawnCoanaDlx(coanaArgs, undefined, {
+    cwd
+  }, {
+    stdio: 'inherit'
+  });
+  if (!result.ok) {
+    process.exitCode = 1;
+    logger.logger.fail(result.message || 'Coana failed to generate Socket facts');
+    return;
   }
+  // A zero exit code doesn't guarantee a facts file was written: Coana skips
+  // emitting it when there are no resolvable dependencies (e.g. with
+  // --ignore-unresolved). We pinned the output to `factsPath` above, so confirm
+  // it exists before claiming success; otherwise the "next step: socket scan
+  // create" line would mislead.
+  if (!fs$1.existsSync(factsPath)) {
+    logger.logger.warn(`Coana completed but wrote no ${factsFile} (no resolvable dependencies?); nothing to upload.`);
+    return;
+  }
+  logger.logger.success('Generated Socket facts');
+  logger.logger.log('');
+  logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
 }
 
-// Shown when the sbt launcher dies on a modern JDK. sbt 0.13 (and some early
-// 1.x) install a SecurityManager, which JDK 18+ removed, so the launcher
-// throws before our plugin runs. We don't pick a JDK for the user — they own
-// their toolchain — but we point them at the fix.
-const JDK_HINT = 'Hint: old sbt (0.13.x and early 1.x) cannot run on modern JDKs because the Java Security Manager was removed in JDK 18+. Run with a compatible JDK by setting JAVA_HOME (e.g. Java 11) or passing `--sbt-opts "--java-home <path>"`.';
-
-// The socket-owned global base sbt compiles our plugin into. Living under the
-// app data dir (not the user's `~/.sbt`) means we never mutate their sbt
-// config, while persisting the compiled plugin between runs. sbt namespaces
-// the compiled output by Scala/sbt version (`target/scala-2.10/sbt-0.13`,
-// `target/scala-2.12/sbt-1.0`, ...), so a single base safely serves every sbt
-// version with no version detection needed.
-function resolveGlobalBase() {
-  const {
-    socketAppDataPath
-  } = constants.default;
-  return socketAppDataPath ? path.join(path.dirname(socketAppDataPath), 'sbt-facts') : path.join(os.tmpdir(), 'socket-sbt-facts');
+// Generates a `.socket.facts.json` for a Gradle project by delegating to the
+// Coana CLI's `manifest gradle` command (which owns the Gradle init script that
+// resolves the dependency graph). socket-cli no longer runs gradle itself; an
+// explicit `bin` is forwarded as `--bin`, otherwise Coana defaults to
+// `./gradlew`.
+async function convertGradleToFacts({
+  bin,
+  cwd,
+  excludeConfigs,
+  gradleOpts,
+  ignoreUnresolved,
+  includeConfigs,
+  verbose
+}) {
+  await runCoanaManifestFacts({
+    bin,
+    buildOpts: gradleOpts,
+    buildOptsFlag: '--gradle-opts',
+    cwd,
+    ecosystem: 'gradle',
+    excludeConfigs,
+    ignoreUnresolved,
+    includeConfigs,
+    verbose
+  });
 }
 
-// Drop the shipped plugin source into `<globalBase>/plugins/`, rewriting only
-// when its content changed so sbt's incremental compiler can reuse the cache.
-async function ensurePluginSource(pluginSrcPath, pluginsDir) {
-  const source = await fs$1.promises.readFile(pluginSrcPath, 'utf8');
-  const destPath = path.join(pluginsDir, 'SocketFactsPlugin.scala');
-  let current;
-  if (fs$1.existsSync(destPath)) {
-    current = await fs$1.promises.readFile(destPath, 'utf8');
-  }
-  if (current !== source) {
-    await fs$1.promises.mkdir(pluginsDir, {
-      recursive: true
-    });
-    await fs$1.promises.writeFile(destPath, source, 'utf8');
-  }
-}
+// Generates a `.socket.facts.json` for an sbt project by delegating to the
+// Coana CLI's `manifest sbt` command (which owns the sbt plugin that resolves
+// the dependency graph). socket-cli no longer runs sbt itself; an explicit
+// `bin` is forwarded as `--bin`, otherwise Coana defaults to `sbt` on PATH.
+// JDK-compatibility guidance (sbt 0.13/early 1.x cannot run on modern JDKs) is
+// handled by Coana; pass a compatible JDK via `--sbt-opts "--java-home <path>"`
+// or `JAVA_HOME`.
 async function convertSbtToFacts({
   bin,
-  configs,
   cwd,
+  excludeConfigs,
   ignoreUnresolved,
+  includeConfigs,
   sbtOpts,
   verbose
 }) {
-  logger.logger.group('sbt2facts:');
-  logger.logger.info(`- executing: \`${bin}\``);
-  logger.logger.info(`- src dir: \`${cwd}\``);
-  if (!fs$1.existsSync(cwd)) {
-    logger.logger.warn('Warning: It appears the src dir could not be found. An error might be printed later because of that.');
-  }
-  logger.logger.groupEnd();
-  try {
-    const pluginSrcPath = path.join(constants.default.distPath, 'socket-facts.plugin.scala');
-    const globalBase = resolveGlobalBase();
-    await ensurePluginSource(pluginSrcPath, path.join(globalBase, 'plugins'));
-
-    // `-Dsbt.global.base` points sbt at our isolated plugins dir, so the
-    // source-only plugin activates without touching the user's `~/.sbt`. The
-    // resolution options are passed as JVM system properties the plugin reads.
-    const socketProps = [];
-    if (ignoreUnresolved) {
-      socketProps.push('-Dsocket.ignoreUnresolved=true');
-    }
-    if (configs) {
-      socketProps.push(`-Dsocket.configs=${configs}`);
-    }
-    const commandArgs = [`-Dsbt.global.base=${globalBase}`, ...socketProps, ...sbtOpts, '--batch', 'socketFacts'];
-    if (verbose) {
-      logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
-    }
-    logger.logger.log(`Generating Socket facts from \`${bin}\` on \`${cwd}\` ...`);
-    const output = await execSbt(bin, commandArgs, cwd, verbose);
-    if (output.code) {
-      process.exitCode = 1;
-      logger.logger.fail(`sbt exited with exit code ${output.code}`);
-      if (!verbose) {
-        const errorLines = extractErrorLines(output.stdout, output.stderr);
-        if (errorLines) {
-          logger.logger.group('sbt output:');
-          logger.logger.error(errorLines);
-          logger.logger.groupEnd();
-        }
-      }
-      if (/security ?manager/i.test(output.stdout + output.stderr)) {
-        logger.logger.warn(JDK_HINT);
-      }
-      return;
-    }
-    logger.logger.success('Executed sbt successfully');
-    if (verbose) {
-      // Output already streamed inline; nothing to re-summarize.
-      logger.logger.log('');
-      logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
-      return;
-    }
-    // `spawn` already strips ANSI from captured output, and the plugin prints
-    // these lines bare (via println, no sbt `[info]` prefix), so plain line
-    // matching is stable.
-    const exports = [];
-    for (const m of output.stdout.matchAll(/Socket facts file written to: (.+)/g)) {
-      const reported = m[1]?.trim();
-      if (reported) {
-        exports.push(reported);
-      }
-    }
-    if (exports.length) {
-      logger.logger.log('Reported exports:');
-      for (const fn of exports) {
-        logger.logger.log('- ', fn);
-      }
-    } else {
-      // The plugin skips emission when the build has no resolvable deps.
-      const skipMatch = output.stdout.match(/\[socket-facts\] no resolvable dependencies.*/);
-      if (skipMatch) {
-        logger.logger.warn(skipMatch[0]);
-      }
-    }
-    logger.logger.log('');
-    logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
-  } catch (e) {
-    process.exitCode = 1;
-    // A missing sbt launcher is the most common setup failure; surface it
-    // clearly instead of the generic message.
-    if (e instanceof Error && e.code === 'ENOENT') {
-      logger.logger.fail(`Could not run \`${bin}\`. Make sure sbt is installed and on your PATH, or pass --bin with the path to your sbt launcher.`);
-    } else {
-      logger.logger.fail('There was an unexpected error while generating Socket facts' + (verbose ? '' : '  (use --verbose for details)'));
-    }
-    if (verbose) {
-      logger.logger.group('[VERBOSE] error:');
-      logger.logger.log(e);
-      logger.logger.groupEnd();
-    }
-  }
-}
-
-// Pull the actionable lines out of a noisy sbt run so a failure surfaces the
-// plugin's own message (and sbt's `[error]` lines) without dumping the whole
-// resolution log.
-function extractErrorLines(stdout, stderr) {
-  return `${stdout}\n${stderr}`.split('\n').filter(line => /\[error]|Socket facts|could not resolve|unresolved/i.test(line)).join('\n').trim();
-}
-async function execSbt(bin, commandArgs, cwd, verbose) {
-  // When verbose, stream sbt output straight to the terminal so the user can
-  // watch resolution progress; otherwise show a spinner and capture output for
-  // the post-run summary.
-  if (verbose) {
-    logger.logger.info('(Running sbt with output streaming. This can take a while.)');
-    const output = await spawn.spawn(bin, commandArgs, {
-      cwd,
-      stdio: 'inherit'
-    });
-    return {
-      code: output.code,
-      stdout: '',
-      stderr: ''
-    };
-  }
-  const {
-    spinner
-  } = constants.default;
-  let pass = false;
-  try {
-    logger.logger.info('(Running sbt can take a while, depending on the size of the project)');
-    logger.logger.info('(No live output. Pass --verbose to stream sbt output instead.)');
-    spinner.start('Running sbt...');
-    const output = await spawn.spawn(bin, commandArgs, {
-      cwd
-    });
-    pass = true;
-    const {
-      code,
-      stderr,
-      stdout
-    } = output;
-    return {
-      code,
-      stdout,
-      stderr
-    };
-  } finally {
-    if (pass) {
-      spinner.successAndStop('Gracefully completed sbt execution.');
-    } else {
-      spinner.failAndStop('There was an error while trying to run sbt.');
-    }
-  }
+  await runCoanaManifestFacts({
+    bin,
+    buildOpts: sbtOpts,
+    buildOptsFlag: '--sbt-opts',
+    cwd,
+    ecosystem: 'sbt',
+    excludeConfigs,
+    ignoreUnresolved,
+    includeConfigs,
+    verbose
+  });
 }
 
 async function convertGradleToMaven({
@@ -4534,9 +4342,9 @@ async function generateAutoManifest({
     logger.logger.info(`Using this ${constants.SOCKET_JSON} for defaults:`, sockJson);
   }
   if (!sockJson?.defaults?.manifest?.sbt?.disabled && detected.sbt) {
-    // Args shared by both paths. The facts-only knobs (`configs`,
-    // `ignoreUnresolved`) and the pom-only `out` are added per branch so
-    // neither handler is spread properties it doesn't accept.
+    // Args shared by both paths. The facts-only knobs (`includeConfigs`,
+    // `excludeConfigs`, `ignoreUnresolved`) and the pom-only `out` are added
+    // per branch so neither handler is spread properties it doesn't accept.
     const sbtArgs = {
       // Note: `sbt` is more likely to be resolved against PATH env.
       bin: sockJson.defaults?.manifest?.sbt?.bin ?? 'sbt',
@@ -4544,12 +4352,15 @@ async function generateAutoManifest({
       sbtOpts: sockJson.defaults?.manifest?.sbt?.sbtOpts?.split(' ').map(s => s.trim()).filter(Boolean) ?? [],
       verbose: Boolean(sockJson.defaults?.manifest?.sbt?.verbose)
     };
-    if (sockJson.defaults?.manifest?.sbt?.facts) {
+    // Socket facts is the default; opt into pom generation with
+    // `defaults.manifest.sbt.facts: false` in socket.json.
+    if (sockJson.defaults?.manifest?.sbt?.facts !== false) {
       logger.logger.log('Detected a Scala sbt build, generating Socket facts...');
       await convertSbtToFacts({
         ...sbtArgs,
-        configs: sockJson.defaults?.manifest?.sbt?.configs ?? '',
-        ignoreUnresolved: Boolean(sockJson.defaults?.manifest?.sbt?.ignoreUnresolved)
+        excludeConfigs: sockJson.defaults?.manifest?.sbt?.excludeConfigs ?? '',
+        ignoreUnresolved: Boolean(sockJson.defaults?.manifest?.sbt?.ignoreUnresolved),
+        includeConfigs: sockJson.defaults?.manifest?.sbt?.includeConfigs ?? ''
       });
     } else {
       logger.logger.log('Detected a Scala sbt build, generating pom files with sbt...');
@@ -4569,12 +4380,15 @@ async function generateAutoManifest({
       verbose: Boolean(sockJson.defaults?.manifest?.gradle?.verbose),
       gradleOpts: sockJson.defaults?.manifest?.gradle?.gradleOpts?.split(' ').map(s => s.trim()).filter(Boolean) ?? []
     };
-    if (sockJson.defaults?.manifest?.gradle?.facts) {
+    // Socket facts is the default; opt into pom generation with
+    // `defaults.manifest.gradle.facts: false` in socket.json.
+    if (sockJson.defaults?.manifest?.gradle?.facts !== false) {
       logger.logger.log('Detected a gradle build (Gradle, Kotlin, Scala), generating Socket facts...');
       await convertGradleToFacts({
         ...gradleArgs,
-        configs: sockJson.defaults?.manifest?.gradle?.configs ?? '',
-        ignoreUnresolved: Boolean(sockJson.defaults?.manifest?.gradle?.ignoreUnresolved)
+        excludeConfigs: sockJson.defaults?.manifest?.gradle?.excludeConfigs ?? '',
+        ignoreUnresolved: Boolean(sockJson.defaults?.manifest?.gradle?.ignoreUnresolved),
+        includeConfigs: sockJson.defaults?.manifest?.gradle?.includeConfigs ?? ''
       });
     } else {
       logger.logger.log('Detected a gradle build (Gradle, Kotlin, Scala), running default gradle generator...');
@@ -9793,7 +9607,7 @@ async function run$D(argv, importMeta, {
 
 const config$b = {
   commandName: 'gradle',
-  description: '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Gradle/Java/Kotlin/etc project',
+  description: '[beta] Generate a Socket facts file (or `pom.xml` with --pom) for a Gradle/Java/Kotlin/etc project',
   hidden: false,
   flags: {
     ...flags.commonFlags,
@@ -9803,15 +9617,23 @@ const config$b = {
     },
     facts: {
       type: 'boolean',
-      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
+      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph. This is the default; pass `--pom` to generate `pom.xml` files instead'
+    },
+    pom: {
+      type: 'boolean',
+      description: 'Generate `pom.xml` manifest file(s) instead of the default Socket facts file (`.socket.facts.json`)'
+    },
+    includeConfigs: {
+      type: 'string',
+      description: 'When generating facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). Only configurations matching at least one pattern are resolved. e.g. `*CompileClasspath,*RuntimeClasspath`. Default: every resolvable configuration except AGP instrumented-test classpaths'
     },
-    configs: {
+    excludeConfigs: {
       type: 'string',
-      description: 'With --facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). e.g. `*CompileClasspath,*RuntimeClasspath` to skip tooling configs. Default: every resolvable configuration except AGP instrumented-test classpaths'
+      description: 'When generating facts: comma-separated glob patterns; Gradle configurations matching any pattern are skipped (applied after --include-configs)'
     },
     ignoreUnresolved: {
       type: 'boolean',
-      description: 'With --facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
+      description: 'When generating facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
     },
     gradleOpts: {
       type: 'string',
@@ -9829,38 +9651,32 @@ const config$b = {
     Options
       ${utils.getFlagListOutput(config.flags)}
 
-    Uses gradle, preferably through your local project \`gradlew\`, to generate a
-    \`pom.xml\` file for each task. If you have no \`gradlew\` you can try the
-    global \`gradle\` binary but that may not work (hard to predict).
-
-    The \`pom.xml\` is a manifest file similar to \`package.json\` for npm or
-    or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is Java's
-    dependency repository. Languages like Kotlin and Scala piggy back on it too.
+    By default, emits a single \`.socket.facts.json\` describing the resolved
+    dependency graph of the whole build, using gradle (preferably your local
+    \`gradlew\`). An unresolved dependency is a fatal error. You can pass
+    --include-configs / --exclude-configs (comma-separated glob patterns) to
+    control which configurations are resolved (e.g.
+    --include-configs=\`*CompileClasspath,*RuntimeClasspath\`), and
+    --ignore-unresolved to warn on unresolved dependencies instead of failing.
 
-    There are some caveats with the gradle to \`pom.xml\` conversion:
+    Pass --pom to instead generate \`pom.xml\` manifest files via gradle (one per
+    task). The \`pom.xml\` is a manifest file similar to \`package.json\` for npm
+    (or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is
+    Java's dependency repository. Caveats of the \`pom.xml\` conversion:
 
-    - each task will generate its own xml file and by default it generates one xml
-      for every task. (This may be a good thing!)
+    - each task generates its own xml file (one per task by default)
 
-    - it's possible certain features don't translate well into the xml. If you
-      think something is missing that could be supported please reach out.
+    - certain features may not translate well into the xml; reach out if
+      something you need is missing
 
     - it works with your \`gradlew\` from your repo and local settings and config
 
-    Pass --facts to instead emit a single \`.socket.facts.json\` describing the
-    resolved dependency graph of the whole build (no \`pom.xml\` files). An
-    unresolved dependency is a fatal error. With --facts you can pass
-    --configs=<comma-separated glob patterns> to restrict resolution to
-    matching configurations (e.g. \`*CompileClasspath,*RuntimeClasspath\`),
-    and --ignore-unresolved to warn on unresolved dependencies instead of
-    failing the run.
-
     Support is beta. Please report issues or give us feedback on what's missing.
 
     Examples
 
       $ ${command} .
-      $ ${command} --facts .
+      $ ${command} --pom .
       $ ${command} --bin=../gradlew .
   `
 };
@@ -9894,10 +9710,11 @@ async function run$C(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
-    configs,
+    excludeConfigs,
     facts,
     gradleOpts,
     ignoreUnresolved,
+    includeConfigs,
     verbose
   } = cli.flags;
 
@@ -9930,16 +9747,34 @@ async function run$C(argv, importMeta, {
     if (sockJson.defaults?.manifest?.gradle?.facts !== undefined) {
       facts = sockJson.defaults?.manifest?.gradle?.facts;
       logger.logger.info(`Using default --facts from ${constants.SOCKET_JSON}:`, facts);
+    } else {
+      // Socket facts generation is the default; pass --pom to generate poms.
+      facts = true;
+    }
+  }
+  // --pom opts into legacy pom.xml generation. It overrides the facts default
+  // (and the socket.json default) but conflicts with an explicit --facts.
+  if (cli.flags['pom']) {
+    if (cli.flags['facts'] !== undefined) {
+      logger.logger.warn('The `--facts` and `--pom` options are mutually exclusive; generating Socket facts.');
     } else {
       facts = false;
     }
   }
-  if (configs === undefined) {
-    if (sockJson.defaults?.manifest?.gradle?.configs !== undefined) {
-      configs = sockJson.defaults?.manifest?.gradle?.configs;
-      logger.logger.info(`Using default --configs from ${constants.SOCKET_JSON}:`, configs);
+  if (includeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.includeConfigs !== undefined) {
+      includeConfigs = sockJson.defaults?.manifest?.gradle?.includeConfigs;
+      logger.logger.info(`Using default --include-configs from ${constants.SOCKET_JSON}:`, includeConfigs);
     } else {
-      configs = '';
+      includeConfigs = '';
+    }
+  }
+  if (excludeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.excludeConfigs !== undefined) {
+      excludeConfigs = sockJson.defaults?.manifest?.gradle?.excludeConfigs;
+      logger.logger.info(`Using default --exclude-configs from ${constants.SOCKET_JSON}:`, excludeConfigs);
+    } else {
+      excludeConfigs = '';
     }
   }
   if (ignoreUnresolved === undefined) {
@@ -9951,13 +9786,12 @@ async function run$C(argv, importMeta, {
     }
   }
 
-  // `--configs` and `--ignore-unresolved` only affect --facts; the pom path
-  // (the legacy `socketGenerateMaven` task) has no equivalent knobs. Warn
-  // rather than silently ignore an explicitly-passed flag. (socket.json
-  // defaults don't trip this — only a flag actually present on the command
-  // line does.)
-  if (!facts && (cli.flags['configs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
-    logger.logger.warn('The `--configs` and `--ignore-unresolved` options only apply with `--facts`; ignoring them.');
+  // `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` only
+  // affect facts generation; the pom path has no equivalent knobs. Warn rather
+  // than silently ignore an explicitly-passed flag. (socket.json defaults don't
+  // trip this — only a flag actually present on the command line does.)
+  if (!facts && (cli.flags['includeConfigs'] !== undefined || cli.flags['excludeConfigs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
+    logger.logger.warn('The `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` options only apply when generating Socket facts (not with `--pom`); ignoring them.');
   }
   if (verbose) {
     logger.logger.group('- ', parentName, config$b.commandName, ':');
@@ -9994,10 +9828,11 @@ async function run$C(argv, importMeta, {
   if (facts) {
     await convertGradleToFacts({
       bin: String(bin),
-      configs: String(configs || ''),
       cwd,
+      excludeConfigs: String(excludeConfigs || ''),
       gradleOpts: parsedGradleOpts,
       ignoreUnresolved: Boolean(ignoreUnresolved),
+      includeConfigs: String(includeConfigs || ''),
       verbose: Boolean(verbose)
     });
     return;
@@ -10017,7 +9852,7 @@ async function run$C(argv, importMeta, {
 //       command. Room for improvement.
 const config$a = {
   commandName: 'kotlin',
-  description: '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Kotlin project',
+  description: '[beta] Generate a Socket facts file (or `pom.xml` with --pom) for a Kotlin project',
   hidden: false,
   flags: {
     ...flags.commonFlags,
@@ -10027,15 +9862,23 @@ const config$a = {
     },
     facts: {
       type: 'boolean',
-      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
+      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph. This is the default; pass `--pom` to generate `pom.xml` files instead'
+    },
+    pom: {
+      type: 'boolean',
+      description: 'Generate `pom.xml` manifest file(s) instead of the default Socket facts file (`.socket.facts.json`)'
     },
-    configs: {
+    includeConfigs: {
       type: 'string',
-      description: 'With --facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). e.g. `*CompileClasspath,*RuntimeClasspath` to skip tooling configs. Default: every resolvable configuration except AGP instrumented-test classpaths'
+      description: 'When generating facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). Only configurations matching at least one pattern are resolved. e.g. `*CompileClasspath,*RuntimeClasspath`. Default: every resolvable configuration except AGP instrumented-test classpaths'
+    },
+    excludeConfigs: {
+      type: 'string',
+      description: 'When generating facts: comma-separated glob patterns; Gradle configurations matching any pattern are skipped (applied after --include-configs)'
     },
     ignoreUnresolved: {
       type: 'boolean',
-      description: 'With --facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
+      description: 'When generating facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
     },
     gradleOpts: {
       type: 'string',
@@ -10053,21 +9896,23 @@ const config$a = {
     Options
       ${utils.getFlagListOutput(config.flags)}
 
-    Uses gradle, preferably through your local project \`gradlew\`, to generate a
-    \`pom.xml\` file for each task. If you have no \`gradlew\` you can try the
-    global \`gradle\` binary but that may not work (hard to predict).
-
-    The \`pom.xml\` is a manifest file similar to \`package.json\` for npm or
-    or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is Java's
-    dependency repository. Languages like Kotlin and Scala piggy back on it too.
+    By default, emits a single \`.socket.facts.json\` describing the resolved
+    dependency graph of the whole build, using gradle (preferably your local
+    \`gradlew\`). An unresolved dependency is a fatal error. You can pass
+    --include-configs / --exclude-configs (comma-separated glob patterns) to
+    control which configurations are resolved (e.g.
+    --include-configs=\`*CompileClasspath,*RuntimeClasspath\`), and
+    --ignore-unresolved to warn on unresolved dependencies instead of failing.
 
-    There are some caveats with the gradle to \`pom.xml\` conversion:
+    Pass --pom to instead generate \`pom.xml\` manifest files via gradle (one per
+    task). The \`pom.xml\` is a manifest file similar to \`package.json\` for npm
+    (or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is
+    Java's dependency repository. Caveats of the \`pom.xml\` conversion:
 
-    - each task will generate its own xml file and by default it generates one xml
-      for every task. (This may be a good thing!)
+    - each task generates its own xml file (one per task by default)
 
-    - it's possible certain features don't translate well into the xml. If you
-      think something is missing that could be supported please reach out.
+    - certain features may not translate well into the xml; reach out if
+      something you need is missing
 
     - it works with your \`gradlew\` from your repo and local settings and config
 
@@ -10076,6 +9921,7 @@ const config$a = {
     Examples
 
       $ ${command} .
+      $ ${command} --pom .
       $ ${command} --bin=../gradlew .
   `
 };
@@ -10109,10 +9955,11 @@ async function run$B(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
-    configs,
+    excludeConfigs,
     facts,
     gradleOpts,
     ignoreUnresolved,
+    includeConfigs,
     verbose
   } = cli.flags;
 
@@ -10145,16 +9992,34 @@ async function run$B(argv, importMeta, {
     if (sockJson.defaults?.manifest?.gradle?.facts !== undefined) {
       facts = sockJson.defaults?.manifest?.gradle?.facts;
       logger.logger.info(`Using default --facts from ${constants.SOCKET_JSON}:`, facts);
+    } else {
+      // Socket facts generation is the default; pass --pom to generate poms.
+      facts = true;
+    }
+  }
+  // --pom opts into legacy pom.xml generation. It overrides the facts default
+  // (and the socket.json default) but conflicts with an explicit --facts.
+  if (cli.flags['pom']) {
+    if (cli.flags['facts'] !== undefined) {
+      logger.logger.warn('The `--facts` and `--pom` options are mutually exclusive; generating Socket facts.');
     } else {
       facts = false;
     }
   }
-  if (configs === undefined) {
-    if (sockJson.defaults?.manifest?.gradle?.configs !== undefined) {
-      configs = sockJson.defaults?.manifest?.gradle?.configs;
-      logger.logger.info(`Using default --configs from ${constants.SOCKET_JSON}:`, configs);
+  if (includeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.includeConfigs !== undefined) {
+      includeConfigs = sockJson.defaults?.manifest?.gradle?.includeConfigs;
+      logger.logger.info(`Using default --include-configs from ${constants.SOCKET_JSON}:`, includeConfigs);
+    } else {
+      includeConfigs = '';
+    }
+  }
+  if (excludeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.excludeConfigs !== undefined) {
+      excludeConfigs = sockJson.defaults?.manifest?.gradle?.excludeConfigs;
+      logger.logger.info(`Using default --exclude-configs from ${constants.SOCKET_JSON}:`, excludeConfigs);
     } else {
-      configs = '';
+      excludeConfigs = '';
     }
   }
   if (ignoreUnresolved === undefined) {
@@ -10165,8 +10030,11 @@ async function run$B(argv, importMeta, {
       ignoreUnresolved = false;
     }
   }
-  if (!facts && (cli.flags['configs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
-    logger.logger.warn('The `--configs` and `--ignore-unresolved` options only apply with `--facts`; ignoring them.');
+
+  // `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` only
+  // affect facts generation; the pom path has no equivalent knobs.
+  if (!facts && (cli.flags['includeConfigs'] !== undefined || cli.flags['excludeConfigs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
+    logger.logger.warn('The `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` options only apply when generating Socket facts (not with `--pom`); ignoring them.');
   }
   if (verbose) {
     logger.logger.group('- ', parentName, config$a.commandName, ':');
@@ -10203,10 +10071,11 @@ async function run$B(argv, importMeta, {
   if (facts) {
     await convertGradleToFacts({
       bin: String(bin),
-      configs: String(configs || ''),
       cwd,
+      excludeConfigs: String(excludeConfigs || ''),
       gradleOpts: parsedGradleOpts,
       ignoreUnresolved: Boolean(ignoreUnresolved),
+      includeConfigs: String(includeConfigs || ''),
       verbose: Boolean(verbose)
     });
     return;
@@ -10221,7 +10090,7 @@ async function run$B(argv, importMeta, {
 
 const config$9 = {
   commandName: 'scala',
-  description: "[beta] Generate a manifest file (`pom.xml`) from Scala's `build.sbt` file",
+  description: '[beta] Generate a Socket facts file (or `pom.xml` with --pom) from a Scala `build.sbt` project',
   hidden: false,
   flags: {
     ...flags.commonFlags,
@@ -10231,23 +10100,31 @@ const config$9 = {
     },
     facts: {
       type: 'boolean',
-      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
+      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph. This is the default; pass `--pom` to generate `pom.xml` files instead'
+    },
+    pom: {
+      type: 'boolean',
+      description: 'Generate `pom.xml` manifest file(s) instead of the default Socket facts file (`.socket.facts.json`)'
+    },
+    includeConfigs: {
+      type: 'string',
+      description: 'When generating facts: comma-separated glob patterns matched against sbt configuration names (case-sensitive, `*` and `?` wildcards). Only configurations matching at least one pattern are resolved. e.g. `compile,test`. Default: compile,optional,provided,runtime,test'
     },
-    configs: {
+    excludeConfigs: {
       type: 'string',
-      description: 'With --facts: comma-separated glob patterns matched against sbt configuration names (case-sensitive, `*` and `?` wildcards). Bare names (no wildcards) act as exact-name filters. Default: compile,optional,provided,runtime,test'
+      description: 'When generating facts: comma-separated glob patterns; sbt configurations matching any pattern are skipped (applied after --include-configs)'
     },
     ignoreUnresolved: {
       type: 'boolean',
-      description: 'With --facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
+      description: 'When generating facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
     },
     out: {
       type: 'string',
-      description: 'Path of output file; where to store the resulting manifest, see also --stdout'
+      description: 'Only with --pom: path of the output `pom.xml`, see also --stdout. Does not apply when generating Socket facts (always written to the project root as `.socket.facts.json`)'
     },
     stdout: {
       type: 'boolean',
-      description: 'Print resulting pom.xml to stdout (supersedes --out)'
+      description: 'Only with --pom: print the resulting `pom.xml` to stdout (supersedes --out). Does not apply when generating Socket facts'
     },
     sbtOpts: {
       type: 'string',
@@ -10265,11 +10142,18 @@ const config$9 = {
     Options
       ${utils.getFlagListOutput(config.flags)}
 
-    Uses \`sbt makePom\` to generate a \`pom.xml\` from your \`build.sbt\` file.
-    This xml file is the dependency manifest (like a package.json
-    for Node.js or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Scala.
+    By default, emits a single \`.socket.facts.json\` describing the resolved
+    dependency graph of the whole build. It reads dependency metadata only and
+    never downloads artifacts; an unresolved dependency is a fatal error. You
+    can pass --include-configs / --exclude-configs (comma-separated glob
+    patterns) to control which sbt configurations are resolved (e.g.
+    --include-configs=\`compile,test\`), and --ignore-unresolved to warn on
+    unresolved dependencies instead of failing the run.
 
-    There are some caveats with \`build.sbt\` to \`pom.xml\` conversion:
+    Pass --pom to instead generate a \`pom.xml\` via \`sbt makePom\` from your
+    \`build.sbt\`. The xml is the dependency manifest (like a package.json for
+    Node.js or ${constants.REQUIREMENTS_TXT} for PyPi), but specifically for Scala.
+    Caveats of the \`build.sbt\` to \`pom.xml\` conversion:
 
     - the xml is exported as pom.xml at the project root so Socket scan picks
       it up; sbt itself first writes it inside your /target/sbt<version> folder
@@ -10287,15 +10171,6 @@ const config$9 = {
 
     You can specify --bin to override the path to the \`sbt\` binary to invoke.
 
-    Pass --facts to instead emit a single \`.socket.facts.json\` describing the
-    resolved dependency graph of the whole build (no \`pom.xml\` files). It reads
-    dependency metadata only and never downloads artifacts; an unresolved
-    dependency is a fatal error. With --facts you can pass
-    --configs=<comma-separated glob patterns> to choose which sbt configurations
-    to resolve (e.g. \`compile,test\` for exact names or \`*Test*\` for variants),
-    and --ignore-unresolved to warn on unresolved dependencies instead of
-    failing the run.
-
     Support is beta. Please report issues or give us feedback on what's missing.
 
     This is only for SBT. If your Scala setup uses gradle, please see the help
@@ -10304,7 +10179,7 @@ const config$9 = {
     Examples
 
       $ ${command}
-      $ ${command} --facts .
+      $ ${command} --pom .
       $ ${command} ./proj --bin=/usr/bin/sbt --file=boot.sbt
   `
 };
@@ -10338,9 +10213,10 @@ async function run$A(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} sbt`, sockJson?.defaults?.manifest?.sbt);
   let {
     bin,
-    configs,
+    excludeConfigs,
     facts,
     ignoreUnresolved,
+    includeConfigs,
     out,
     sbtOpts,
     stdout,
@@ -10360,16 +10236,34 @@ async function run$A(argv, importMeta, {
     if (sockJson.defaults?.manifest?.sbt?.facts !== undefined) {
       facts = sockJson.defaults?.manifest?.sbt?.facts;
       logger.logger.info(`Using default --facts from ${constants.SOCKET_JSON}:`, facts);
+    } else {
+      // Socket facts generation is the default; pass --pom to generate poms.
+      facts = true;
+    }
+  }
+  // --pom opts into legacy pom.xml generation. It overrides the facts default
+  // (and the socket.json default) but conflicts with an explicit --facts.
+  if (cli.flags['pom']) {
+    if (cli.flags['facts'] !== undefined) {
+      logger.logger.warn('The `--facts` and `--pom` options are mutually exclusive; generating Socket facts.');
     } else {
       facts = false;
     }
   }
-  if (configs === undefined) {
-    if (sockJson.defaults?.manifest?.sbt?.configs !== undefined) {
-      configs = sockJson.defaults?.manifest?.sbt?.configs;
-      logger.logger.info(`Using default --configs from ${constants.SOCKET_JSON}:`, configs);
+  if (includeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.sbt?.includeConfigs !== undefined) {
+      includeConfigs = sockJson.defaults?.manifest?.sbt?.includeConfigs;
+      logger.logger.info(`Using default --include-configs from ${constants.SOCKET_JSON}:`, includeConfigs);
     } else {
-      configs = '';
+      includeConfigs = '';
+    }
+  }
+  if (excludeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.sbt?.excludeConfigs !== undefined) {
+      excludeConfigs = sockJson.defaults?.manifest?.sbt?.excludeConfigs;
+      logger.logger.info(`Using default --exclude-configs from ${constants.SOCKET_JSON}:`, excludeConfigs);
+    } else {
+      excludeConfigs = '';
     }
   }
   if (ignoreUnresolved === undefined) {
@@ -10409,21 +10303,13 @@ async function run$A(argv, importMeta, {
     verbose = false;
   }
 
-  // `--configs` and `--ignore-unresolved` only affect --facts; the pom path
-  // (`sbt makePom`) has no equivalent knobs. Warn rather than silently ignore
-  // an explicitly-passed flag. (socket.json defaults don't trip this — only a
-  // flag actually present on the command line does.)
-  if (!facts && (cli.flags['configs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
-    logger.logger.warn('The `--configs` and `--ignore-unresolved` options only apply with `--facts`; ignoring them.');
-  }
-
-  // Conversely, --out / --stdout only affect the pom path; with --facts the
-  // plugin always writes `.socket.facts.json` to the build root (its
-  // socket.outputDirectory/outputFile JVM props aren't exposed by the CLI), so
-  // warn rather than let `--facts --out custom.json` silently write nothing
-  // there.
-  if (facts && (cli.flags['out'] !== undefined || cli.flags['stdout'] !== undefined)) {
-    logger.logger.warn('The `--out` and `--stdout` options do not apply with `--facts`; the facts file is always written to the build root.');
+  // `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` only
+  // affect facts generation; the pom path (`sbt makePom`) has no equivalent
+  // knobs. Warn rather than silently ignore an explicitly-passed flag.
+  // (socket.json defaults don't trip this — only a flag actually present on the
+  // command line does.)
+  if (!facts && (cli.flags['includeConfigs'] !== undefined || cli.flags['excludeConfigs'] !== undefined || cli.flags['ignoreUnresolved'] !== undefined)) {
+    logger.logger.warn('The `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` options only apply when generating Socket facts (not with `--pom`); ignoring them.');
   }
   if (verbose) {
     logger.logger.group('- ', parentName, config$9.commandName, ':');
@@ -10437,11 +10323,20 @@ async function run$A(argv, importMeta, {
   //       try, store contents in a file in some folder, target that folder... what
   //       would the file name be?
 
+  // --out / --stdout only affect the pom path. Socket facts are always written
+  // to the project root as `.socket.facts.json` so that `socket scan create`
+  // picks them up, so reject these flags in facts mode rather than silently
+  // ignoring an explicitly-passed output location.
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: cli.input.length <= 1,
     message: 'Can only accept one DIR (make sure to escape spaces!)',
     fail: 'received ' + cli.input.length
+  }, {
+    nook: true,
+    test: !(facts && (cli.flags['out'] !== undefined || cli.flags['stdout'] !== undefined)),
+    message: 'The `--out` and `--stdout` options only apply with `--pom`; Socket facts are always written to the project root as `.socket.facts.json`',
+    fail: 'remove --out/--stdout, or pass --pom'
   });
   if (!wasValidInput) {
     return;
@@ -10461,9 +10356,10 @@ async function run$A(argv, importMeta, {
   if (facts) {
     await convertSbtToFacts({
       bin: String(bin),
-      configs: String(configs || ''),
       cwd,
+      excludeConfigs: String(excludeConfigs || ''),
       ignoreUnresolved: Boolean(ignoreUnresolved),
+      includeConfigs: String(includeConfigs || ''),
       sbtOpts: parsedSbtOpts,
       verbose: Boolean(verbose)
     });
@@ -10524,19 +10420,19 @@ async function setupManifestConfig(cwd, defaultOnReadError = false) {
   }, {
     name: 'Gradle'.padEnd(30, ' '),
     value: 'gradle',
-    description: 'Generate pom.xml files through gradle'
+    description: 'Generate a Socket facts file or pom.xml through gradle'
   }, {
     name: 'Kotlin (gradle)'.padEnd(30, ' '),
     value: 'gradle',
-    description: 'Generate pom.xml files (for Kotlin) through gradle'
+    description: 'Generate a Socket facts file or pom.xml (for Kotlin) through gradle'
   }, {
     name: 'Scala (gradle)'.padEnd(30, ' '),
     value: 'gradle',
-    description: 'Generate pom.xml files (for Scala) through gradle'
+    description: 'Generate a Socket facts file or pom.xml (for Scala) through gradle'
   }, {
     name: 'Scala (sbt)'.padEnd(30, ' '),
     value: 'sbt',
-    description: 'Generate pom.xml files through sbt'
+    description: 'Generate a Socket facts file or pom.xml through sbt'
   }];
   choices.forEach(obj => {
     if (detected[obj.value]) {
@@ -10718,6 +10614,15 @@ async function setupGradle(config) {
   } else {
     delete config.facts;
   }
+
+  // The config filters and --ignore-unresolved only apply to facts generation
+  // (the default); skip them when pom generation (--pom) is selected.
+  if (config.facts !== false) {
+    const factsOptions = await setupFactsOptions(config);
+    if (!factsOptions.ok || factsOptions.data.canceled) {
+      return factsOptions;
+    }
+  }
   const verbose = await askForVerboseFlag(config.verbose);
   if (verbose === undefined) {
     return canceledByUser$1();
@@ -10759,9 +10664,10 @@ async function setupSbt(config) {
     delete config.facts;
   }
 
-  // --facts emits a .socket.facts.json instead of pom.xml files, so the pom
-  // output questions (stdout/outfile) don't apply when it is enabled.
-  if (config.facts !== true) {
+  // Socket facts is the default. The pom output questions (stdout/outfile)
+  // only apply when pom generation (--pom) is explicitly selected; otherwise
+  // ask the facts-only options.
+  if (config.facts === false) {
     const stdout = await askForStdout(config.stdout);
     if (stdout === undefined) {
       return canceledByUser$1();
@@ -10787,6 +10693,11 @@ async function setupSbt(config) {
         }
       }
     }
+  } else {
+    const factsOptions = await setupFactsOptions(config);
+    if (!factsOptions.ok || factsOptions.data.canceled) {
+      return factsOptions;
+    }
   }
   const verbose = await askForVerboseFlag(config.verbose);
   if (verbose === undefined) {
@@ -10881,15 +10792,34 @@ async function askForVerboseFlag(current) {
 }
 async function askForFactsFlag(current) {
   return await prompts.select({
-    message: '(--facts) Emit a Socket facts JSON file instead of generating pom.xml?',
+    message: '(--facts / --pom) Which manifest should this generate?',
+    choices: [{
+      name: 'Socket facts (default)',
+      value: 'yes',
+      description: 'Generate a .socket.facts.json file describing the resolved dependency graph'
+    }, {
+      name: 'pom.xml',
+      value: 'no',
+      description: 'Generate pom.xml manifest files instead (the --pom path)'
+    }, {
+      name: '(leave default)',
+      value: '',
+      description: 'Do not store a setting; uses the default (Socket facts)'
+    }],
+    default: current === true ? 'yes' : current === false ? 'no' : ''
+  });
+}
+async function askForIgnoreUnresolvedFlag(current) {
+  return await prompts.select({
+    message: '(--ignore-unresolved) Warn on unresolved dependencies instead of failing?',
     choices: [{
       name: 'no',
       value: 'no',
-      description: 'Generate pom.xml files (default behavior)'
+      description: 'Fail the run when a declared dependency cannot resolve'
     }, {
       name: 'yes',
       value: 'yes',
-      description: 'Generate a .socket.facts.json file describing the resolved dependency graph'
+      description: 'Warn and continue; unresolved dependencies are omitted from the facts file'
     }, {
       name: '(leave default)',
       value: '',
@@ -10898,6 +10828,44 @@ async function askForFactsFlag(current) {
     default: current === true ? 'yes' : current === false ? 'no' : ''
   });
 }
+
+// Prompts for the facts-only options shared by gradle and sbt: the config
+// include/exclude filters and --ignore-unresolved. Mutates `config` in place.
+async function setupFactsOptions(config) {
+  const includeConfigs = await prompts.input({
+    message: '(--include-configs) Comma-separated config-name globs to resolve (blank = all configurations)',
+    default: config.includeConfigs || '',
+    required: false
+  });
+  if (includeConfigs === undefined) {
+    return canceledByUser$1();
+  } else if (includeConfigs) {
+    config.includeConfigs = includeConfigs;
+  } else {
+    delete config.includeConfigs;
+  }
+  const excludeConfigs = await prompts.input({
+    message: '(--exclude-configs) Comma-separated config-name globs to skip (blank = none)',
+    default: config.excludeConfigs || '',
+    required: false
+  });
+  if (excludeConfigs === undefined) {
+    return canceledByUser$1();
+  } else if (excludeConfigs) {
+    config.excludeConfigs = excludeConfigs;
+  } else {
+    delete config.excludeConfigs;
+  }
+  const ignoreUnresolved = await askForIgnoreUnresolvedFlag(config.ignoreUnresolved);
+  if (ignoreUnresolved === undefined) {
+    return canceledByUser$1();
+  } else if (ignoreUnresolved === 'yes' || ignoreUnresolved === 'no') {
+    config.ignoreUnresolved = ignoreUnresolved === 'yes';
+  } else {
+    delete config.ignoreUnresolved;
+  }
+  return notCanceled$1();
+}
 function canceledByUser$1() {
   logger.logger.log('');
   logger.logger.info('User canceled');
@@ -19741,5 +19709,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=614e598d-c01b-4289-b35e-bff2af2ac507
+//# debugId=b1bb7e64-091d-4be2-bb99-bb2297bb5ec2
 //# sourceMappingURL=cli.js.map