npm - socket - Versions diffs - 1.1.119 → 1.1.121 - Mend

socket 1.1.119 → 1.1.121

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/dist/cli.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 'use strict';
-var require$$0 = require('node:url');
+var require$$0$1 = require('node:url');
 var vendor = require('./vendor.js');
 var require$$9 = require('../external/@socketsecurity/registry/lib/debug');
 var logger = require('../external/@socketsecurity/registry/lib/logger');
@@ -15,6 +15,7 @@ var words = require('../external/@socketsecurity/registry/lib/words');
 var fs$1 = require('node:fs');
 var arrays = require('../external/@socketsecurity/registry/lib/arrays');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
+var require$$0 = require('node:crypto');
 var os = require('node:os');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
 var bin = require('../external/@socketsecurity/registry/lib/bin');
@@ -67,7 +68,7 @@ async function fetchRepoAnalyticsData(repo, time, options) {
 // Note: Widgets does not seem to actually work as code :'(
-const require$7 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const require$7 = require$$5.createRequire((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const METRICS = ['total_critical_alerts', 'total_high_alerts', 'total_medium_alerts', 'total_low_alerts', 'total_critical_added', 'total_medium_added', 'total_low_added', 'total_high_added', 'total_critical_prevented', 'total_high_prevented', 'total_medium_prevented', 'total_low_prevented'];
 // Note: This maps `new Date(date).getMonth()` to English three letters
@@ -503,7 +504,7 @@ async function fetchAuditLog(config, options) {
   });
 }
-const require$6 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const require$6 = require$$5.createRequire((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 async function outputAuditLog(result, {
   logType,
   orgSlug,
@@ -1802,10 +1803,26 @@ async function performReachabilityAnalysis(options) {
   spinner?.start();
   spinner?.infoAndStop('Running reachability analysis with Coana...');
   const outputFilePath = outputPath || constants.default.DOT_SOCKET_DOT_FACTS_JSON;
+  // Coana reads `--auto-manifest-config` from a JSON file, so write the resolved
+  // per-ecosystem build-tool config (mapped from socket.json) to a temp file and
+  // pass its absolute path. Cleaned up in the finally below.
+  let autoManifestConfigPath;
+  const {
+    autoManifestConfig
+  } = reachabilityOptions;
+  if (autoManifestConfig && !utils.isAutoManifestConfigEmpty(autoManifestConfig)) {
+    autoManifestConfigPath = path.join(os.tmpdir(), `socket-auto-manifest-config-${require$$0.randomUUID()}.json`);
+    await fs$1.promises.writeFile(autoManifestConfigPath, JSON.stringify(autoManifestConfig), 'utf8');
+  }
   // Build Coana arguments.
   const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachContinueOnAnalysisErrors ? ['--reach-continue-on-analysis-errors'] : []), ...(reachabilityOptions.reachContinueOnInstallErrors ? ['--reach-continue-on-install-errors'] : []), ...(reachabilityOptions.reachContinueOnMissingLockFiles ? ['--reach-continue-on-missing-lock-files'] : []), ...(reachabilityOptions.reachContinueOnNoSourceFiles ? ['--reach-continue-on-no-source-files'] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDetailedAnalysisLogFile ? ['--print-analysis-log-file'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableExternalToolChecks ? ['--disable-external-tool-checks'] : []), ...(reachabilityOptions.reachEnableAnalysisSplitting ? [] : ['--disable-analysis-splitting']), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
-  ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachLazyMode ? ['--lazy-mode'] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : [])];
+  ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachLazyMode ? ['--lazy-mode'] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []), ...(reachabilityOptions.reachUseOnlyPregeneratedSboms ? ['--use-only-pregenerated-sboms'] : []),
+  // Hand the per-ecosystem build-tool config (mapped from socket.json) to
+  // Coana's reach-time resolution, as a temp JSON file path.
+  ...(autoManifestConfigPath ? ['--auto-manifest-config', autoManifestConfigPath] : [])];
   // Build environment variables.
   const coanaEnv = {};
@@ -1817,43 +1834,53 @@ async function performReachabilityAnalysis(options) {
   if (branchName && branchName !== constants.default.SOCKET_DEFAULT_BRANCH) {
     coanaEnv['SOCKET_BRANCH_NAME'] = branchName;
   }
-  // Run Coana with the manifests tar hash.
-  const coanaResult = await utils.spawnCoanaDlx(coanaArgs, orgSlug, {
-    coanaVersion: reachabilityOptions.reachVersion,
-    cwd,
-    env: coanaEnv,
-    spinner,
-    stdio: 'inherit'
-  });
-  if (wasSpinning) {
-    spinner.start();
-  }
-  if (!coanaResult.ok) {
-    const coanaVersion = reachabilityOptions.reachVersion || constants.default.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION;
-    logger.logger.error(`Coana reachability analysis failed. Version: ${coanaVersion}, target: ${analysisTarget}, cwd: ${cwd}`);
-    if (coanaResult.message) {
-      logger.logger.error(`Details: ${coanaResult.message}`);
+  try {
+    // Run Coana with the manifests tar hash.
+    const coanaResult = await utils.spawnCoanaDlx(coanaArgs, orgSlug, {
+      coanaVersion: reachabilityOptions.reachVersion,
+      cwd,
+      env: coanaEnv,
+      spinner,
+      stdio: 'inherit'
+    });
+    if (wasSpinning) {
+      spinner.start();
+    }
+    if (!coanaResult.ok) {
+      const coanaVersion = reachabilityOptions.reachVersion || constants.default.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION;
+      logger.logger.error(`Coana reachability analysis failed. Version: ${coanaVersion}, target: ${analysisTarget}, cwd: ${cwd}`);
+      if (coanaResult.message) {
+        logger.logger.error(`Details: ${coanaResult.message}`);
+      }
+      return coanaResult;
     }
-    return coanaResult;
-  }
-  // Coana writes the facts file relative to the scan `cwd` (it is spawned
-  // with `cwd` above), so resolve the read path against `cwd` too. Reading
-  // the bare relative path would resolve against `process.cwd()` and miss
-  // the file whenever `cwd !== process.cwd()` (e.g. `--cwd <dir>`), silently
-  // dropping the tier 1 scan id and skipping finalize downstream.
-  const resolvedReportPath = path.resolve(cwd, outputFilePath);
-  return {
-    ok: true,
-    data: {
-      // Use the actual output filename for the scan. Keep this `cwd`-relative
-      // so the upload (which relativizes against `cwd`) and the post-success
-      // unlink (`path.resolve(cwd, reachabilityReport)`) keep working.
-      reachabilityReport: outputFilePath,
-      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(resolvedReportPath)
+    // Coana writes the facts file relative to the scan `cwd` (it is spawned
+    // with `cwd` above), so resolve the read path against `cwd` too. Reading
+    // the bare relative path would resolve against `process.cwd()` and miss
+    // the file whenever `cwd !== process.cwd()` (e.g. `--cwd <dir>`), silently
+    // dropping the tier 1 scan id and skipping finalize downstream.
+    const resolvedReportPath = path.resolve(cwd, outputFilePath);
+    return {
+      ok: true,
+      data: {
+        // Use the actual output filename for the scan. Keep this `cwd`-relative
+        // so the upload (which relativizes against `cwd`) and the post-success
+        // unlink (`path.resolve(cwd, reachabilityReport)`) keep working.
+        reachabilityReport: outputFilePath,
+        tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(resolvedReportPath)
+      }
+    };
+  } finally {
+    // The run no longer needs the temp config file; best-effort cleanup.
+    if (autoManifestConfigPath) {
+      try {
+        await fs$1.promises.unlink(autoManifestConfigPath);
+      } catch {
+        // File may already be gone or unwritable.
+      }
     }
-  };
+  }
 }
 // The point here is to attempt to detect the various supported manifest files
@@ -1982,6 +2009,10 @@ function buildBazelModShowVisibleReposArgv(opts) {
 function buildBazelModShowMavenExtensionArgv(opts) {
   const userFlags = splitBazelFlags(opts.bazelFlags);
   return [...buildStartupFlags(opts), 'mod', 'show_extension', '@rules_jvm_external//:extensions.bzl%maven',
+  // A read-only scan must never rewrite the user's MODULE.bazel.lock; pin
+  // the lockfile read-only before user flags, mirroring the query/cquery
+  // argv builders.
+  '--lockfile_mode=off',
   // Belt-and-suspenders output reducer mirroring the PyPI path: bias the
   // report toward the root module's usages. The authoritative pruning is
   // the importers-filter applied to the parsed output, so this is not
@@ -1990,7 +2021,11 @@ function buildBazelModShowMavenExtensionArgv(opts) {
 }
 function buildBazelModShowPipExtensionArgv(opts) {
   const userFlags = splitBazelFlags(opts.bazelFlags);
-  return [...buildStartupFlags(opts), 'mod', 'show_extension', '@rules_python//python/extensions:pip.bzl%pip', '--extension_usages=<root>', ...userFlags];
+  return [...buildStartupFlags(opts), 'mod', 'show_extension', '@rules_python//python/extensions:pip.bzl%pip',
+  // A read-only scan must never rewrite the user's MODULE.bazel.lock; pin
+  // the lockfile read-only before user flags, mirroring the query/cquery
+  // argv builders.
+  '--lockfile_mode=off', '--extension_usages=<root>', ...userFlags];
 }
 function buildBazelArgv(queryStr, opts, output = 'build') {
   // Startup flags MUST precede the `query` subcommand.
@@ -2670,7 +2705,10 @@ async function runMetadataCqueryForRepo(args) {
     const err = e;
     const stdout = typeof err.stdout === 'string' ? err.stdout : '';
     const stderr = typeof err.stderr === 'string' ? err.stderr : '';
-    const timedOut = err.timedOut === true || err.killed === true || err.signal === 'SIGTERM' || err.signal === 'SIGKILL';
+    // On a `timeout`, the registry spawn kills the child, so Node sets
+    // `killed: true` and `signal: 'SIGTERM'` (or `SIGKILL`). There is no
+    // `timedOut` flag on the real rejection, so do not test for one.
+    const timedOut = err.killed === true || err.signal === 'SIGTERM' || err.signal === 'SIGKILL';
     const {
       artifacts,
       unresolvedLabels
@@ -2850,6 +2888,13 @@ const ROOT_MODULE_IMPORTER = '<root>';
 // modules that imported it (the `(imported by …)` annotation), merged across
 // every line the repo appears on.
+// `indeterminate` means the probe could not be classified: an unrecognized
+// non-zero exit, or the probe threw outright (the Bazel invocation itself
+// failed). It is NOT evidence that the repo is undefined — treating it as
+// `not-defined` would silently under-report a hub that may well hold Maven
+// deps. The orchestrator must propagate it so the run is never reported
+// `complete` when a probe was indeterminate.
 // Conventional Maven hub names rules_jvm_external sets up under
 // WORKSPACE-mode invocations. Probing each one is cheap (a failed visibility
 // lookup never triggers a `repository_rule` fetch) so the orchestrator can
@@ -2879,6 +2924,101 @@ const SHOW_EXT_SECTION_HEADER_RE = /^## @@?[A-Za-z0-9._+~-]+\/\/:extensions\.bzl
 // generated per-artifact repos and are skipped.
 const FETCHED_HUB_BULLET_RE = /^ {2}- (?<name>\S+) \(imported by (?<importers>[^)]+)\)\s*$/;
+// `bazel mod show_extension @rules_jvm_external//:extensions.bzl%maven`
+// exits non-zero in two very different situations, and conflating them is
+// dangerous for a security tool:
+//
+//   (a) `@rules_jvm_external` simply isn't in the root module's resolved
+//       dependency graph. This is the COMMON case for any bzlmod repo that
+//       doesn't use rules_jvm_external (no Maven at all). Bazel's ModCommand
+//       resolves the extension argument up front via
+//       `ExtensionArg.resolveToExtensionId`, which throws
+//       `InvalidArgumentException` and exits non-zero before evaluating any
+//       Starlark. This is NOT a failure to analyze; it is a positive,
+//       authoritative "there is no maven extension here". It must map to
+//       `not-defined` so the workspace cleanly contributes no Maven.
+//
+//   (b) The module graph genuinely fails to evaluate: a Starlark eval error,
+//       an unbound name (e.g. a MODULE.bazel referencing `PYTHON_VERSION` /
+//       `pip` before definition), a syntax error, or the bazel binary itself
+//       being missing/spawn-failed (normalized to code -1). Here we have NO
+//       evidence about whether a maven extension exists, so it must map to
+//       `indeterminate` and the run can never be reported complete.
+//
+// We classify by stderr shape. The exact wording differs across Bazel
+// versions; the regex families below are intentionally broad and SHOULD be
+// confirmed against live `bazel mod show_extension` output.
+// Family (a): the extension / module is not resolvable in the dependency
+// graph — an argument-resolution error, not an evaluation failure. These all
+// mean "rules_jvm_external (and thus the maven extension) is not present",
+// i.e. legitimately not-defined. The `no module ... exists in the dependency
+// graph` branch is Bazel's verified real wording (`bazel mod show_extension`
+// against a bzlmod repo without rules_jvm_external: "No module with the
+// apparent repo name @rules_jvm_external exists in the dependency graph").
+const SHOW_EXT_NOT_IN_GRAPH_STDERR_RE = /(?:in extension argument|extension argument)?.*(?:not (?:found|resolvable|defined)|no such (?:module|repo(?:sitory)?)|cannot be resolved|is not (?:a )?(?:visible |known )?(?:module|repo(?:sitory)?|extension)|not in the (?:dependency )?graph|no module[^\n]*exists in the (?:dependency )?graph|unknown (?:module|extension)|does not (?:exist|use the extension))/i;
+// Bazel's canonical phrasing when the named module backing the extension
+// (here `rules_jvm_external`) isn't a dependency of the root module.
+const SHOW_EXT_MODULE_NOT_DEP_STDERR_RE = /(?:rules_jvm_external|module ['"`]?[A-Za-z0-9._+~-]+['"`]?).*(?:is not (?:a )?(?:direct )?dep(?:endenc(?:y|ies))?|not (?:a )?dependency)/i;
+// Family (b): a genuine evaluation / load failure of the module graph. These
+// mean we could not determine whether a maven extension exists, so the result
+// is indeterminate, never a clean not-defined.
+const SHOW_EXT_EVAL_FAILURE_STDERR_RE = /(?:error (?:evaluating|loading|computing)|failed to (?:evaluate|load)|evaluation (?:of|failed)|cannot load|syntax error|name ['"`]?[A-Za-z0-9_]+['"`]? is not defined|variable ['"`]?[A-Za-z0-9_]+['"`]? (?:is|was) (?:referenced|not)|unbound|invalid MODULE\.bazel|MODULE\.bazel.*(?:error|failed)|Traceback|Error in)/i;
+// Outcome of running `bazel mod show_extension` for the maven extension,
+// distinct from the per-repo `ProbeStatus`:
+//   `not-defined`   — authoritative: no maven extension in this workspace
+//                     (clean run with zero kept hubs, OR rules_jvm_external is
+//                     not in the dependency graph).
+//   `indeterminate` — enumeration could not be performed (eval/load failure,
+//                     binary missing); the run must not be reported complete.
+//   `defined`       — the report parsed and yielded one or more root hubs;
+//                     the caller uses the parsed hub list directly.
+// Classify a `bazel mod show_extension` result. `keptRootHubCount` is the
+// number of root-imported hubs the caller parsed from a code-0 run (see
+// `parseShowExtensionOutput` + the `<root>` importer filter); it disambiguates
+// the code-0 cases without re-parsing here.
+//
+// IMPORTANT (security correctness): a non-zero exit is the DEFAULT outcome for
+// every bzlmod repo that does not use rules_jvm_external, so we must NOT treat
+// non-zero as indeterminate by default. We only escalate to `indeterminate`
+// when stderr looks like a real evaluation/load failure; an argument/resolution
+// error about the missing extension is the legitimate no-Maven case.
+function classifyShowExtensionResult(result, keptRootHubCount) {
+  if (result.code === 0) {
+    // Clean run. Either it enumerated root hubs (`defined`) or it ran fine and
+    // found no maven extension for the root (`not-defined`).
+    return keptRootHubCount > 0 ? 'defined' : 'not-defined';
+  }
+  // A spawn failure / missing binary is normalized to code -1 upstream; there
+  // is no usable stderr classification and we definitely could not enumerate.
+  if (result.code === -1) {
+    return 'indeterminate';
+  }
+  const {
+    stderr
+  } = result;
+  // A genuine module-graph evaluation/load failure wins: we cannot conclude
+  // anything about maven presence, so surface it as indeterminate.
+  if (SHOW_EXT_EVAL_FAILURE_STDERR_RE.test(stderr)) {
+    return 'indeterminate';
+  }
+  // The maven extension / rules_jvm_external is simply not in the dependency
+  // graph: an argument-resolution error. This is the common no-Maven bzlmod
+  // repo and is authoritatively not-defined.
+  if (SHOW_EXT_NOT_IN_GRAPH_STDERR_RE.test(stderr) || SHOW_EXT_MODULE_NOT_DEP_STDERR_RE.test(stderr)) {
+    return 'not-defined';
+  }
+  // Truly unrecognized non-zero exit. Bias toward not-defined: the dominant
+  // real-world non-zero case is "extension not in the graph", and a missing
+  // bullet here would otherwise abort the user's entire scan. We only reach
+  // `indeterminate` above when stderr positively looks like an eval/load
+  // failure, which is the case the flag exists for.
+  return 'not-defined';
+}
 // Pure parser for `bazel mod show_extension @rules_jvm_external//:extensions.bzl%maven`
 // stdout. Returns the hub repos listed under `Fetched repositories:` — i.e.
 // items annotated with `(imported by ...)` — each carrying the set of modules
@@ -2950,13 +3090,16 @@ function classifyProbeResult(result) {
     return 'empty';
   }
   // Code 0 with empty stdout: WORKSPACE-mode probes do this when the repo
-  // name isn't declared (Exp 5c). Treat as not-defined.
+  // name isn't declared. Treat as not-defined.
   if (result.code === 0) {
     return 'not-defined';
   }
-  // Code 1 with no recognizable message: be conservative and call it
-  // not-defined so the orchestrator skips it without erroring the workspace.
-  return 'not-defined';
+  // Non-zero exit with no recognizable message: the probe failed for a reason
+  // we can't classify (Bazel infra error, analysis crash, unexpected stderr).
+  // This is NOT proof the repo is undefined, so do NOT downgrade it to
+  // not-defined — surface it as indeterminate so the orchestrator can flag
+  // the workspace as not fully analyzable rather than silently skipping it.
+  return 'indeterminate';
 }
 // Convenience: probe a single candidate and return its classified status,
@@ -2968,10 +3111,14 @@ async function probeCandidate(repoName, probe, verbose) {
   try {
     result = await probe(repoName);
   } catch (e) {
+    // A thrown probe means the Bazel invocation itself failed; we have no
+    // evidence about whether the repo exists. Surface it as indeterminate so
+    // the run is not reported complete, rather than swallowing it as a
+    // not-defined skip.
     if (verbose) {
-      logger.logger.log(`[VERBOSE] discovery: probe @${repoName}: not-defined (probe threw: ${e instanceof Error ? e.message : String(e)})`);
+      logger.logger.log(`[VERBOSE] discovery: probe @${repoName}: indeterminate (probe threw: ${e instanceof Error ? e.message : String(e)})`);
     }
-    return 'not-defined';
+    return 'indeterminate';
   }
   const status = classifyProbeResult(result);
   if (verbose) {
@@ -3154,9 +3301,34 @@ function findWorkspaceRoots(opts) {
 //                    (discovery threw, or every discovered hub failed).
 //                    Always an error for every caller.
+// Per-hub extraction state inside one workspace. Recorded so the CLI can emit
+// a machine-readable completeness signal instead of presenting a partial
+// extraction as complete.
+//  - `populated`     — the hub yielded >=1 artifact and a manifest was written.
+//  - `empty`         — the hub is defined but has no Maven targets.
+//  - `not-defined`   — the probed conventional name does not exist here.
+//  - `skipped-lockfile` — a committed maven_install.json already covers this
+//                    hub, so the CLI deliberately did not re-emit it.
+//  - `failed`        — the hub's cquery errored, timed out, or its graph was
+//                    known-incomplete (dropped/pruned edges, --keep_going).
+//  - `indeterminate` — discovery could not classify the hub (probe threw or
+//                    returned an unrecognized error); NOT evidence of absence.
+// Per-workspace outcome. `load` distinguishes a workspace we could not even
+// read (`failed` — e.g. an unbound-var MODULE.bazel fragment) from one we
+// analyzed (`loaded`). A workspace that failed to load contributes to a
+// hard failure when nothing else was analyzable, and to a partial otherwise.
 const DEFAULT_PER_REPO_TIMEOUT_MS = 60_000;
 const REAP_TIMEOUT_MS = 10_000;
+// Machine-readable completeness signal emitted alongside the synthetic
+// manifests. A `complete: false` summary tells a downstream consumer (e.g.
+// depscan) that the uploaded SBOM is known-incomplete so it must not be
+// treated as an authoritative full closure. Enforcement of this signal is a
+// separate downstream follow-up; the CLI only emits it.
+const COMPLETENESS_SUMMARY_FILE_NAME = 'socket-bazel-manifest-summary.json';
 // Default directory-prune policy for the Bazel workspace walk. The
 // orchestrator applies this unconditionally so neither caller (the explicit
 // `socket manifest bazel` command nor `--auto-manifest`) can omit it and let
@@ -3302,6 +3474,102 @@ function dedupArtifactsByCoord(artifacts) {
   }
   return [...byCoord.values()];
 }
+// The committed lockfile name the server-side walker already ingests for a
+// hub: `maven_install.json` for a hub literally named `maven`, else
+// `<hub>_maven_install.json`. Centralised so the gate and the synthetic
+// writer agree on the name.
+function hubManifestFileName(repoName) {
+  return repoName === 'maven' ? 'maven_install.json' : `${repoName}_maven_install.json`;
+}
+// Directory basenames the CLI itself writes synthetic manifests into. A file
+// living inside one of these is our own output, NOT a committed lockfile, no
+// matter which run wrote it: the auto-manifest sibling dir (flat layout) and
+// the explicit-command default output dir. The gate must never read a file in
+// one of these as evidence of committed coverage, or a stale prior-run
+// synthetic file would let a later run wrongly skip a hub.
+const CLI_SYNTHETIC_OUTPUT_DIR_NAMES = new Set(['.socket-auto-manifest', 'bazel-manifests']);
+// Does a committed lockfile already cover THIS hub at THIS hub's own workspace
+// root? Each workspace is processed independently by the caller, and a
+// committed lockfile covers the workspace it lives IN — a nested workspace's
+// `maven_install.json` covers that nested hub, not this one. The server-side
+// walker ingests every committed `**/*_maven_install.json`, but each one only
+// covers its own workspace. So the gate checks DEPTH-0 only: a lockfile named
+// for this hub sitting directly in `workspaceRoot`. A recursive descent would
+// let an unrelated nested/fixture lockfile mask an uncovered root hub —
+// silently dropping its distinct coordinates.
+//
+// The CLI's own synthetic output is never a committed lockfile: we skip the
+// current run's `manifestDir` and any known synthetic output dir basename so a
+// stale prior-run file can't be misread as committed.
+function committedLockfileCovers(args) {
+  const {
+    fileName,
+    manifestDir,
+    workspaceRoot
+  } = args;
+  // The current run's synthetic output dir, resolved for an exact compare.
+  const manifestDirResolved = path.resolve(manifestDir);
+  const workspaceRootResolved = path.resolve(workspaceRoot);
+  // The committed lockfile, if any, lives directly in the hub's own workspace
+  // root — not in a nested workspace and not in the CLI's output dir.
+  if (workspaceRootResolved === manifestDirResolved || CLI_SYNTHETIC_OUTPUT_DIR_NAMES.has(path.basename(workspaceRootResolved))) {
+    // The workspace root IS an output location; nothing here is committed.
+    return undefined;
+  }
+  let entries;
+  try {
+    entries = fs$1.readdirSync(workspaceRootResolved, {
+      withFileTypes: true
+    });
+  } catch {
+    return undefined;
+  }
+  for (const entry of entries) {
+    if (entry.isFile() && entry.name === fileName) {
+      return path.join(workspaceRootResolved, entry.name);
+    }
+  }
+  return undefined;
+}
+// Emit the machine-readable completeness summary next to the manifests. This
+// is the CLI's honest "is this SBOM complete?" signal in the emitted output;
+// it carries the run status plus the per-workspace / per-hub breakdown so a
+// downstream consumer can detect a known-incomplete upload. Best-effort: a
+// failure to write the summary must never sink an otherwise-usable run, so it
+// is logged (under verbose) and swallowed.
+async function writeCompletenessSummary(args) {
+  const {
+    artifactCount,
+    complete,
+    manifestDir,
+    manifestPaths,
+    status,
+    verbose,
+    workspaceOutcomes
+  } = args;
+  const summary = {
+    artifactCount,
+    complete,
+    ecosystem: 'maven',
+    manifestCount: manifestPaths.length,
+    status,
+    workspaces: workspaceOutcomes
+  };
+  try {
+    fs$1.mkdirSync(manifestDir, {
+      recursive: true
+    });
+    await fs$1.promises.writeFile(path.join(manifestDir, COMPLETENESS_SUMMARY_FILE_NAME), JSON.stringify(summary, null, 2), 'utf8');
+  } catch (e) {
+    if (verbose) {
+      logger.logger.log(`[VERBOSE] completeness summary not written (${utils.getErrorCause(e)}); the run result still carries the signal`);
+    }
+  }
+}
 // Dedup, normalize, and write one hub's manifest. The path mirrors the
 // workspace tree: `<manifestDir>/<relPath>/<name>.json`, where `<name>` is
 // `maven_install.json` for a hub literally named `maven`, else
@@ -3332,7 +3600,7 @@ async function writeHubManifest(args) {
       prunedEdges
     };
   }
-  const fileName = repoName === 'maven' ? 'maven_install.json' : `${repoName}_maven_install.json`;
+  const fileName = hubManifestFileName(repoName);
   const hubDir = relPath ? path.join(manifestDir, relPath) : manifestDir;
   fs$1.mkdirSync(hubDir, {
     recursive: true
@@ -3358,18 +3626,28 @@ async function writeHubManifest(args) {
 // On `show_extension` failure (or a parse that yields zero root hubs) under
 // Bzlmod, fall through to the conventional-name probe so partial discovery
 // is still possible.
 async function discoverCandidatesForWorkspace(workspaceRoot, mode, queryOpts, verbose) {
   const candidates = [];
+  const indeterminateProbes = [];
   let showExtensionSucceeded = false;
+  let discoveryIndeterminate = false;
   if (mode.bzlmod) {
     const extResult = await runBazelModShowMavenExtension(queryOpts);
-    if (extResult.code === 0) {
-      // The maven extension generates a hub for EVERY module that uses it —
-      // the root's own `maven.install` hub(s) plus the rulesets' internal
-      // hubs (rules_jvm_external_deps, stardoc_maven, …). Keep only hubs
-      // imported by <root>; the rest are build-tooling, not the user's SBOM.
-      const entries = parseShowExtensionOutput(extResult.stdout);
-      const kept = entries.filter(e => e.importers.includes(ROOT_MODULE_IMPORTER));
+    // The maven extension generates a hub for EVERY module that uses it — the
+    // root's own `maven.install` hub(s) plus the rulesets' internal hubs
+    // (rules_jvm_external_deps, stardoc_maven, …). Keep only hubs imported by
+    // <root>; the rest are build-tooling, not the user's SBOM. On a non-zero
+    // exit the output is empty, so `kept` is naturally empty too.
+    const entries = parseShowExtensionOutput(extResult.stdout);
+    const kept = entries.filter(e => e.importers.includes(ROOT_MODULE_IMPORTER));
+    // Classify the run rather than treating ANY non-zero exit as a failure:
+    // `bazel mod show_extension` exits non-zero on every bzlmod repo that
+    // doesn't depend on rules_jvm_external (its argument resolution throws
+    // before any Starlark runs), so a blanket non-zero=indeterminate would
+    // wrongly flag the common no-Maven repo and abort the user's whole scan.
+    const showExtStatus = classifyShowExtensionResult(extResult, kept.length);
+    if (showExtStatus === 'defined') {
       candidates.push(...kept.map(e => e.name));
       // Gate the probe fallback on the KEPT count, not the raw parse: a
       // report listing only transitive ruleset hubs (all filtered out) must
@@ -3384,8 +3662,23 @@ async function discoverCandidatesForWorkspace(workspaceRoot, mode, queryOpts, ve
           }
         }
       }
+    } else if (showExtStatus === 'indeterminate') {
+      // The module graph itself could not be evaluated (Starlark eval error,
+      // unbound name, syntax error, or a missing binary normalized to code
+      // -1). We have NO evidence about whether custom-named maven hubs exist,
+      // so mark discovery indeterminate — the run can never be reported
+      // complete — while still falling through to the conventional probe for
+      // best-effort coverage.
+      discoveryIndeterminate = true;
+      if (verbose) {
+        logger.logger.log(`[VERBOSE] workspace ${workspaceRoot}: show_extension failed to evaluate the module graph (code=${extResult.code}); hub enumeration is indeterminate — falling back to conventional probe`);
+      }
     } else if (verbose) {
-      logger.logger.log(`[VERBOSE] workspace ${workspaceRoot}: show_extension failed (code=${extResult.code}); falling back to conventional probe`);
+      // `not-defined`: either a clean run with no root maven extension, or a
+      // non-zero exit that merely means rules_jvm_external isn't in the
+      // dependency graph. Both are authoritative "no maven here"; we still
+      // probe conventional names for a hybrid WORKSPACE-maven repo.
+      logger.logger.log(`[VERBOSE] workspace ${workspaceRoot}: show_extension reports no root maven extension (code=${extResult.code}); treating as not-defined — probing conventional hub names`);
     }
   }
   // Probe candidates the show_extension path could not authoritatively
@@ -3395,7 +3688,11 @@ async function discoverCandidatesForWorkspace(workspaceRoot, mode, queryOpts, ve
   const seen = new Set(candidates);
   const toProbe = (showExtensionSucceeded ? [] : [...CONVENTIONAL_MAVEN_REPO_NAMES]).filter(name => !seen.has(name));
   if (!toProbe.length) {
-    return candidates;
+    return {
+      candidates,
+      discoveryIndeterminate,
+      indeterminateProbes
+    };
   }
   const probe = buildMavenProbeFor(queryOpts);
   for (const name of toProbe) {
@@ -3404,9 +3701,18 @@ async function discoverCandidatesForWorkspace(workspaceRoot, mode, queryOpts, ve
     if (status === 'populated') {
       candidates.push(name);
       seen.add(name);
+    } else if (status === 'indeterminate') {
+      // The probe failed for a reason we can't classify; we have no proof the
+      // hub is absent. Record it so the run is flagged not-complete rather
+      // than silently treating the hub as "no Maven here".
+      indeterminateProbes.push(name);
     }
   }
-  return candidates;
+  return {
+    candidates,
+    discoveryIndeterminate,
+    indeterminateProbes
+  };
 }
 // Best-effort reap of a Bazel server. Spawned with a short timeout so
@@ -3511,8 +3817,10 @@ async function extractBazelToMaven(opts) {
     }
     return {
       artifactCount: 0,
+      complete: false,
       manifestPaths: [],
-      status: 'hardFailure'
+      status: 'hardFailure',
+      workspaceOutcomes: []
     };
   }
   logger.logger.info(`Using bazel: ${bin}`);
@@ -3533,6 +3841,16 @@ async function extractBazelToMaven(opts) {
   let anyRepos = false;
   let hubsSucceeded = 0;
   let hubsFailed = 0;
+  // Per-workspace / per-hub analyzability breakdown backing the completeness
+  // signal the CLI emits. A run is only `complete` when no workspace failed to
+  // load, no probe was indeterminate, and every queried hub succeeded cleanly.
+  const workspaceOutcomes = [];
+  let anyIndeterminate = false;
+  let anyWorkspaceLoadFailed = false;
+  // A hub we deliberately skipped because a committed lockfile already covers
+  // it. This is a SUCCESSFUL no-op (the server already ingests that lockfile),
+  // so it must not be conflated with "discovered a hub we failed to extract".
+  let anyHubCoveredByLockfile = false;
   try {
     // Always apply the default prune policy so no caller can forget it;
     // callers EXTEND it via ignoreDirNames/ignoreDirPrefixes.
@@ -3548,8 +3866,10 @@ async function extractBazelToMaven(opts) {
       logger.logger.warn(`No Bazel workspace found at ${cwd} or beneath (looked for MODULE.bazel / WORKSPACE / WORKSPACE.bazel).`);
       return {
         artifactCount: 0,
+        complete: false,
         manifestPaths: [],
-        status: 'noEcosystem'
+        status: 'noEcosystem',
+        workspaceOutcomes: []
       };
     }
     if (verbose) {
@@ -3557,13 +3877,27 @@ async function extractBazelToMaven(opts) {
     }
     for (const workspaceRoot of workspaceRoots) {
       const relPath = path.relative(cwd, workspaceRoot);
+      const hubOutcomes = [];
       let mode;
       try {
         mode = detectWorkspaceMode(workspaceRoot);
       } catch (e) {
+        // A workspace we cannot even read is a load failure, NOT "no Maven
+        // here": record it so the run is flagged not-complete (a hard failure
+        // when nothing else was analyzable, partial otherwise) rather than
+        // silently skipped.
+        const reason = utils.getErrorCause(e);
         if (verbose) {
-          logger.logger.log(`[VERBOSE] workspace ${workspaceRoot}: detect failed (${utils.getErrorCause(e)}); skipping`);
+          logger.logger.log(`[VERBOSE] workspace ${workspaceRoot}: load failed (${reason})`);
         }
+        logger.logger.warn(`Workspace ${relPath || '.'}: failed to load (${reason}); it could not be analyzed.`);
+        anyWorkspaceLoadFailed = true;
+        workspaceOutcomes.push({
+          hubs: [],
+          load: 'failed',
+          reason,
+          relPath
+        });
         continue;
       }
       logger.logger.info(`Workspace ${relPath || '.'}: bzlmod=${mode.bzlmod} workspace=${mode.workspace}`);
@@ -3577,11 +3911,63 @@ async function extractBazelToMaven(opts) {
         spawnCwd: workspaceRoot,
         verbose
       });
+      const {
+        candidates,
+        discoveryIndeterminate,
+        indeterminateProbes
+      } =
       // eslint-disable-next-line no-await-in-loop
-      const candidates = await discoverCandidatesForWorkspace(workspaceRoot, mode, queryOptsFor(outputUserRoot), verbose);
+      await discoverCandidatesForWorkspace(workspaceRoot, mode, queryOptsFor(outputUserRoot), verbose);
+      // Authoritative hub enumeration failed to execute (e.g. `bazel mod
+      // show_extension` errored under Bzlmod): custom-named hubs may have been
+      // missed, so the run can never be complete. Record it as an
+      // indeterminate hub outcome under a synthetic name so the completeness
+      // signal carries the gap.
+      if (discoveryIndeterminate) {
+        anyIndeterminate = true;
+        hubOutcomes.push({
+          hub: '(enumeration)',
+          reason: 'show-extension-failed',
+          state: 'indeterminate'
+        });
+        logger.logger.warn(`Workspace ${relPath || '.'}: Maven hub enumeration failed; custom-named hubs may be missing. The run is reported known-incomplete.`);
+      }
+      for (const indeterminate of indeterminateProbes) {
+        anyIndeterminate = true;
+        hubOutcomes.push({
+          hub: indeterminate,
+          reason: 'probe-indeterminate',
+          state: 'indeterminate'
+        });
+      }
       logger.logger.info(`Workspace ${relPath || '.'}: discovered ${candidates.length} Maven repo(s): ${candidates.join(', ') || '(none)'}`);
       for (const repoName of candidates) {
+        // Committed-lockfile gate: the server-side walker already ingests any
+        // committed maven_install.json / <hub>_maven_install.json under the
+        // workspace; the CLI's synthetic manifest is the COMPLEMENT, not a
+        // duplicate. Skip emitting when a committed lockfile already covers
+        // this hub. A skip is a successful no-op, so it runs BEFORE
+        // `anyRepos` is flipped (which marks "a hub we needed to extract").
+        const committed = committedLockfileCovers({
+          fileName: hubManifestFileName(repoName),
+          manifestDir,
+          workspaceRoot
+        });
+        if (committed) {
+          anyHubCoveredByLockfile = true;
+          logger.logger.info(`@${repoName}: committed lockfile already covers this hub (${path.relative(cwd, committed) || committed}); skipping synthetic manifest.`);
+          hubOutcomes.push({
+            hub: repoName,
+            reason: 'committed-lockfile',
+            state: 'skipped-lockfile'
+          });
+          if (verbose) {
+            logger.logger.log(`[VERBOSE] @${repoName}: skipped (committed lockfile at ${committed})`);
+          }
+          continue;
+        }
+        // We are about to extract this hub: it is a real candidate we must
+        // analyze, so mark the ecosystem present.
         anyRepos = true;
         if (verbose) {
           logger.logger.log(`[VERBOSE] workspace ${relPath || '.'}: running metadata cquery for @${repoName} (timeout ${perRepoTimeoutMs}ms)`);
@@ -3597,6 +3983,11 @@ async function extractBazelToMaven(opts) {
         if (result.status === 'timeout') {
           logger.logger.warn(`@${repoName}: cquery timed out after ${perRepoTimeoutMs}ms; reaping server`);
           hubsFailed += 1;
+          hubOutcomes.push({
+            hub: repoName,
+            reason: 'cquery-timeout',
+            state: 'failed'
+          });
           // eslint-disable-next-line no-await-in-loop
           await reapBazelServer(bin, outputUserRoot, verbose);
           // eslint-disable-next-line no-await-in-loop
@@ -3611,6 +4002,11 @@ async function extractBazelToMaven(opts) {
         if (result.status === 'error') {
           logger.logger.warn(`@${repoName}: cquery failed; skipping this hub`);
           hubsFailed += 1;
+          hubOutcomes.push({
+            hub: repoName,
+            reason: 'cquery-error',
+            state: 'failed'
+          });
           continue;
         }
         // A scan must never silently upload a graph missing edges it knows
@@ -3642,6 +4038,11 @@ async function extractBazelToMaven(opts) {
           // discard the manifests other hubs already produced.
           logger.logger.warn(`@${repoName}: failed to write manifest (${utils.getErrorCause(e)}); skipping this hub`);
           hubsFailed += 1;
+          hubOutcomes.push({
+            hub: repoName,
+            reason: 'manifest-write-failed',
+            state: 'failed'
+          });
           continue;
         }
         if (written.droppedArtifacts.length) {
@@ -3657,8 +4058,17 @@ async function extractBazelToMaven(opts) {
           totalArtifacts += written.artifactCount;
           if (hubPartial) {
             hubsFailed += 1;
+            hubOutcomes.push({
+              hub: repoName,
+              reason: 'incomplete-graph',
+              state: 'failed'
+            });
           } else {
             hubsSucceeded += 1;
+            hubOutcomes.push({
+              hub: repoName,
+              state: 'populated'
+            });
           }
           if (verbose) {
             logger.logger.log(`[VERBOSE] @${repoName}: status=${result.status}, ${written.artifactCount} artifact(s) -> ${written.manifestPath}`);
@@ -3668,39 +4078,109 @@ async function extractBazelToMaven(opts) {
           // edges were dropped the partial signal still applies.
           if (hubPartial) {
             hubsFailed += 1;
+            hubOutcomes.push({
+              hub: repoName,
+              reason: 'incomplete-graph',
+              state: 'failed'
+            });
+          } else {
+            hubOutcomes.push({
+              hub: repoName,
+              state: 'empty'
+            });
           }
           if (verbose) {
             logger.logger.log(`[VERBOSE] @${repoName}: status=${result.status} (no manifest written)`);
           }
         }
       }
+      workspaceOutcomes.push({
+        hubs: hubOutcomes,
+        load: 'loaded',
+        relPath
+      });
+      if (verbose) {
+        for (const outcome of hubOutcomes) {
+          logger.logger.log(`[VERBOSE] workspace ${relPath || '.'} hub @${outcome.hub}: ${outcome.state}${outcome.reason ? ` (${outcome.reason})` : ''}`);
+        }
+      }
     }
     if (!manifestPaths.length) {
-      if (!anyRepos) {
+      // Every discovered hub was already covered by a committed lockfile and
+      // nothing else needed extraction: writing zero synthetic manifests is
+      // the CORRECT complement, not a failure. The run is complete only when
+      // no workspace failed to load and no probe was indeterminate.
+      if (anyHubCoveredByLockfile && !anyRepos && !anyWorkspaceLoadFailed && !anyIndeterminate) {
+        logger.logger.success('All discovered Maven hub(s) are already covered by committed lockfiles; nothing to generate.');
+        await writeCompletenessSummary({
+          artifactCount: 0,
+          complete: true,
+          manifestDir,
+          manifestPaths: [],
+          status: 'complete',
+          verbose,
+          workspaceOutcomes
+        });
+        return {
+          artifactCount: 0,
+          complete: true,
+          manifestPaths: [],
+          status: 'complete',
+          workspaceOutcomes
+        };
+      }
+      // Nothing was emitted. If nothing was analyzable at all (no repos to
+      // extract, no committed-lockfile coverage, no workspace load failure, no
+      // indeterminate probe) this is a genuine absence; otherwise it's a hard
+      // failure — something was present but we could not extract it.
+      if (!anyRepos && !anyWorkspaceLoadFailed && !anyIndeterminate && !anyHubCoveredByLockfile) {
         if (verbose) {
           logger.logger.info('No Maven artifacts extracted. failureCategory=no-supported-ecosystem');
         }
         return {
           artifactCount: 0,
+          complete: false,
           manifestPaths: [],
-          status: 'noEcosystem'
+          status: 'noEcosystem',
+          workspaceOutcomes
         };
       }
-      logger.logger.fail('Discovered Maven repo(s) but wrote zero manifests. failureCategory=ecosystem-detected-but-empty');
+      logger.logger.fail('Discovered or partially analyzed Maven workspace(s) but wrote zero manifests. failureCategory=ecosystem-detected-but-empty');
+      await writeCompletenessSummary({
+        artifactCount: 0,
+        complete: false,
+        manifestDir,
+        manifestPaths: [],
+        status: 'hardFailure',
+        verbose,
+        workspaceOutcomes
+      });
       return {
         artifactCount: 0,
+        complete: false,
         manifestPaths: [],
-        status: 'hardFailure'
+        status: 'hardFailure',
+        workspaceOutcomes
       };
     }
-    const status = hubsFailed ? 'partial' : 'complete';
+    // Manifests were written, so the run is not a hard failure. It is only
+    // `complete` when every queried hub succeeded cleanly AND no workspace
+    // failed to load AND no probe was indeterminate; any of those means the
+    // emitted SBOM is known-incomplete (partial under the hybrid rule).
+    const knownIncomplete = hubsFailed > 0 || anyWorkspaceLoadFailed || anyIndeterminate;
+    const status = knownIncomplete ? 'partial' : 'complete';
     if (status === 'complete') {
       logger.logger.success(`Wrote ${manifestPaths.length} manifest(s), ${totalArtifacts} artifact(s) total.`);
     } else {
-      logger.logger.warn(`Wrote ${manifestPaths.length} manifest(s), ${totalArtifacts} artifact(s) total — partial run: ${hubsSucceeded} hub(s) succeeded, ${hubsFailed} failed or incomplete.`);
+      const loadNote = anyWorkspaceLoadFailed ? ', at least one workspace failed to load' : '';
+      const indetNote = anyIndeterminate ? ', at least one hub could not be classified' : '';
+      logger.logger.warn(`Wrote ${manifestPaths.length} manifest(s), ${totalArtifacts} artifact(s) total — partial run: ${hubsSucceeded} hub(s) succeeded, ${hubsFailed} failed or incomplete${loadNote}${indetNote}. The uploaded SBOM is known-incomplete.`);
     }
     if (verbose) {
       logger.logger.log('[VERBOSE] outputs:', {
+        anyIndeterminate,
+        anyWorkspaceLoadFailed,
         artifactCount: totalArtifacts,
         hubsFailed,
         hubsSucceeded,
@@ -3709,10 +4189,21 @@ async function extractBazelToMaven(opts) {
         status
       });
     }
+    await writeCompletenessSummary({
+      artifactCount: totalArtifacts,
+      complete: status === 'complete',
+      manifestDir,
+      manifestPaths,
+      status,
+      verbose,
+      workspaceOutcomes
+    });
     return {
       artifactCount: totalArtifacts,
+      complete: status === 'complete',
       manifestPaths,
-      status
+      status,
+      workspaceOutcomes
     };
   } catch (e) {
     logger.logger.fail(`Unexpected error in bazel2maven: ${utils.getErrorCause(e)}`);
@@ -3725,8 +4216,10 @@ async function extractBazelToMaven(opts) {
     }
     return {
       artifactCount: 0,
+      complete: false,
       manifestPaths: [],
-      status: 'hardFailure'
+      status: 'hardFailure',
+      workspaceOutcomes
     };
   } finally {
     for (const dir of mintedRoots) {
@@ -4429,7 +4922,13 @@ async function generateAutoManifest({
     if (mavenResult.status === 'complete' || mavenResult.status === 'partial') {
       generatedFiles.push(...mavenResult.manifestPaths);
       if (mavenResult.status === 'partial') {
-        logger.logger.warn(`Bazel Maven manifest generation was partial (${mavenResult.manifestPaths.length} manifest(s) written); some hubs failed or had incomplete dependency graphs. Uploading what was generated.`);
+        // Hybrid handling: still upload the partial SBOM, but be loud AND
+        // leave a machine-readable trail. The extractor writes a completeness
+        // summary (complete=false + per-hub/workspace breakdown) into the
+        // manifest dir; that summary is the structured signal a downstream
+        // consumer reads to know this upload is known-incomplete.
+        const incomplete = mavenResult.workspaceOutcomes.flatMap(w => w.load === 'failed' ? [`${w.relPath || '.'} (workspace load failed)`] : w.hubs.filter(h => h.state === 'failed' || h.state === 'indeterminate').map(h => `${w.relPath || '.'}@${h.hub} (${h.state})`)).join(', ');
+        logger.logger.warn(`WARNING: Bazel Maven manifest generation was PARTIAL (${mavenResult.manifestPaths.length} manifest(s) written); the uploaded SBOM is known-incomplete and may under-report dependencies. Incomplete: ${incomplete || 'see completeness summary'}. Uploading what was generated.`);
       }
     } else {
       logger.logger.info('No supported Bazel Maven ecosystem detected.');
@@ -5168,7 +5667,19 @@ async function handleConfigGet({
   key,
   outputKind
 }) {
-  const result = utils.getConfigValue(key);
+  // A Socket API token supplied via the environment (SOCKET_CLI_API_TOKEN /
+  // SOCKET_SECURITY_API_TOKEN and legacy aliases, all aggregated into
+  // constants.ENV.SOCKET_CLI_API_TOKEN) takes precedence over any persisted or
+  // --config value. The env token is no longer mirrored into the in-memory
+  // config (so unrelated keys stay persistable via `config set`), so surface it
+  // explicitly here to preserve "env token wins" for `config get apiToken`.
+  const {
+    ENV
+  } = constants.default;
+  const result = key === constants.CONFIG_KEY_API_TOKEN && !ENV.SOCKET_CLI_NO_API_TOKEN && ENV.SOCKET_CLI_API_TOKEN ? {
+    ok: true,
+    data: ENV.SOCKET_CLI_API_TOKEN
+  } : utils.getConfigValue(key);
   await outputConfigGet(key, result, outputKind);
 }
@@ -5393,18 +5904,10 @@ async function outputConfigSet(result, outputKind) {
     logger.logger.log(`# Update config`);
     logger.logger.log('');
     logger.logger.log(result.message);
-    if (result.data) {
-      logger.logger.log('');
-      logger.logger.log(result.data);
-    }
-  } else {
-    logger.logger.log(`OK`);
-    logger.logger.log(result.message);
-    if (result.data) {
-      logger.logger.log('');
-      logger.logger.log(result.data);
-    }
+    return;
   }
+  logger.logger.log(`OK`);
+  logger.logger.log(result.message);
 }
 async function handleConfigSet({
@@ -5419,11 +5922,24 @@ async function handleConfigSet({
     outputKind
   });
   const result = utils.updateConfigValue(key, value);
-  require$$9.debugFn('notice', `Config update ${result.ok ? 'succeeded' : 'failed'}`);
+  // `config set` is a one-shot command: an in-memory-only change is a no-op
+  // because the process exits before anything reads it. updateConfigValue only
+  // populates `data` when the config is read-only (a full --config /
+  // SOCKET_CLI_CONFIG / SOCKET_CLI_NO_API_TOKEN override), so in that case
+  // report a failure instead of a misleading success.
+  const outcome = result.ok && result.data ? {
+    ok: false,
+    code: 1,
+    message: `Config key '${key}' was not saved`,
+    cause: result.data
+  } : result;
+  require$$9.debugFn('notice', `Config update ${outcome.ok ? 'succeeded' : 'failed'}`);
   require$$9.debugDir('inspect', {
+    outcome,
     result
   });
-  await outputConfigSet(result, outputKind);
+  await outputConfigSet(outcome, outputKind);
 }
 const CMD_NAME$u = 'set';
@@ -7246,7 +7762,7 @@ async function setupTabCompletion(targetName) {
   };
 }
 function getTabCompletionScriptRaw() {
-  const sourceDir = path.dirname(require$$0.fileURLToPath((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href))));
+  const sourceDir = path.dirname(require$$0$1.fileURLToPath((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href))));
   const sourcePath = path.join(sourceDir, 'socket-completion.bash');
   if (!fs$1.existsSync(sourcePath)) {
     return {
@@ -9080,6 +9596,10 @@ const config$e = {
       type: 'string',
       description: 'Output directory for generated manifests; default: ./.socket/bazel-manifests/'
     },
+    perRepoTimeout: {
+      type: 'number',
+      description: 'Per-hub bazel cquery timeout in milliseconds; default: 120000'
+    },
     verbose: {
       type: 'boolean',
       description: 'Emit bounded Bazel diagnostics with argv, duration, exit status, and output sizes'
@@ -9122,6 +9642,12 @@ const config$e = {
       $ ${command} --bazel=/usr/local/bin/bazelisk .
   `
 };
+// The explicit `socket manifest bazel` command gives each hub more time than
+// the auto-manifest path: a user running it directly is waiting on this one
+// extraction, whereas auto-manifest must not stall the wider scan. Auto's
+// shorter default lives in extract_bazel_to_maven.mts.
+const EXPLICIT_PER_REPO_TIMEOUT_MS = 120_000;
 const cmdManifestBazel = {
   description: config$e.description,
   hidden: config$e.hidden,
@@ -9145,9 +9671,17 @@ function evaluateEcosystemOutcomes(outcomes, isExplicit) {
   const produced = outcomes.filter(o => (o.status === 'complete' || o.status === 'partial') && o.manifestPaths.length > 0);
   const hardFailures = outcomes.filter(o => o.status === 'hardFailure');
   const noDiscoveries = outcomes.filter(o => o.status === 'noEcosystem');
+  // Surface a machine-readable completeness signal for every produced
+  // ecosystem so a partial upload is never presented as a complete one. The
+  // per-workspace / per-hub detail is written to the manifest dir's
+  // completeness summary by the extractor; this is the human-facing echo.
+  for (const outcome of produced) {
+    logger.logger.info(`Bazel ${outcome.ecosystem} extraction status: ${outcome.status} (complete=${outcome.complete}).`);
+  }
   for (const partial of outcomes) {
     if (partial.status === 'partial') {
-      logger.logger.warn(`Bazel ${partial.ecosystem} manifest generation was partial; the uploaded SBOM is known-incomplete.`);
+      logger.logger.warn(`WARNING: Bazel ${partial.ecosystem} manifest generation was PARTIAL. The uploaded SBOM is known-incomplete and may under-report dependencies; review the completeness summary before relying on the results.`);
     }
   }
   if (!isExplicit) {
@@ -9183,17 +9717,20 @@ function evaluateEcosystemOutcomes(outcomes, isExplicit) {
 function pypiOutcome(result) {
   if (result.noEcosystemFound) {
     return {
+      complete: false,
       manifestPaths: [],
       status: 'noEcosystem'
     };
   }
   if (result.ok && result.manifestPath) {
     return {
+      complete: true,
       manifestPaths: [result.manifestPath],
       status: 'complete'
     };
   }
   return {
+    complete: false,
     manifestPaths: [],
     status: 'hardFailure'
   };
@@ -9232,6 +9769,7 @@ async function run$F(argv, importMeta, {
     out,
     verbose
   } = cli.flags;
+  let perRepoTimeout = cli.flags['perRepoTimeout'];
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bazel) {
@@ -9279,6 +9817,16 @@ async function run$F(argv, importMeta, {
       verbose = false;
     }
   }
+  if (perRepoTimeout === undefined) {
+    if (sockJson.defaults?.manifest?.bazel?.perRepoTimeout !== undefined) {
+      perRepoTimeout = sockJson.defaults?.manifest?.bazel?.perRepoTimeout;
+      logger.logger.info(`Using default --per-repo-timeout from ${constants.SOCKET_JSON}:`, perRepoTimeout);
+    } else {
+      // Explicit invocation default; longer than the auto-manifest default
+      // because the user is waiting on this single extraction.
+      perRepoTimeout = EXPLICIT_PER_REPO_TIMEOUT_MS;
+    }
+  }
   if (verbose) {
     logger.logger.group('- ', parentName, config$e.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
@@ -9327,9 +9875,11 @@ async function run$F(argv, importMeta, {
         bin: bazel,
         cwd,
         out: out,
+        perRepoTimeoutMs: perRepoTimeout,
         verbose: Boolean(verbose)
       });
       outcomes.push({
+        complete: mavenResult.complete,
         ecosystem: 'maven',
         manifestPaths: mavenResult.manifestPaths,
         status: mavenResult.status
@@ -11004,7 +11554,7 @@ async function run$y(argv, importMeta, {
   });
 }
-const require$5 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const require$5 = require$$5.createRequire((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME$q = constants.NPM;
 const description$w = 'Wraps npm with Socket security scanning';
 const hidden$q = false;
@@ -11090,7 +11640,7 @@ async function run$x(argv, importMeta, context) {
   await spawnPromise;
 }
-const require$4 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const require$4 = require$$5.createRequire((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME$p = constants.NPX;
 const description$v = 'Wraps npx with Socket security scanning';
 const hidden$p = false;
@@ -13819,7 +14369,7 @@ async function run$m(argv, _importMeta, _context) {
   }
 }
-const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const require$3 = require$$5.createRequire((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME$g = constants.PNPM;
 const description$j = 'Wraps pnpm with Socket security scanning';
 const hidden$g = true;
@@ -15650,6 +16200,13 @@ async function run$d(argv, importMeta, {
     pendingHead: Boolean(pendingHead),
     pullRequest: Number(pullRequest),
     reach: {
+      // Build-tool config for the reach-time resolution, mapped from socket.json
+      // (per-ecosystem). Best-effort on plain --reach; under --auto-manifest the
+      // config carries top-level failOnBuildToolError=true (fail-closed). Only
+      // built when reachability runs.
+      autoManifestConfig: reach ? utils.buildAutoManifestConfig(sockJson, {
+        autoManifest: Boolean(autoManifest)
+      }) : undefined,
       excludePaths,
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
@@ -18608,7 +19165,7 @@ async function fetchThreatFeed({
   return await utils.queryApiSafeJson(`orgs/${orgSlug}/threat-feed?${queryParams}`, 'the Threat Feed data');
 }
-const require$2 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const require$2 = require$$5.createRequire((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 async function outputThreatFeed(result, outputKind) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
@@ -19377,7 +19934,7 @@ async function run$1(argv, importMeta, {
   }
 }
-const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const require$1 = require$$5.createRequire((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 const CMD_NAME = constants.YARN;
 const description = 'Wraps yarn with Socket security scanning';
 const hidden = true;
@@ -19572,7 +20129,7 @@ const rootAliases = {
   }
 };
-const __filename$1 = require$$0.fileURLToPath((typeof document === 'undefined' ? require$$0.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
+const __filename$1 = require$$0$1.fileURLToPath((typeof document === 'undefined' ? require$$0$1.pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('cli.js', document.baseURI).href)));
 // Capture CLI start time at module level for global error handlers.
 const cliStartTime = Date.now();
@@ -19601,7 +20158,7 @@ void (async () => {
       name: constants.default.SOCKET_CLI_BIN_NAME,
       argv: process.argv.slice(2),
       importMeta: {
-        url: `${require$$0.pathToFileURL(__filename$1)}`
+        url: `${require$$0$1.pathToFileURL(__filename$1)}`
       },
       subcommands: rootCommands
     }, {
@@ -19644,7 +20201,7 @@ void (async () => {
         autoVersion: false,
         flags: {},
         importMeta: {
-          url: `${require$$0.pathToFileURL(__filename$1)}`
+          url: `${require$$0$1.pathToFileURL(__filename$1)}`
         }
       });
       return !!cli.flags['json'];
@@ -19709,5 +20266,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=b1bb7e64-091d-4be2-bb99-bb2297bb5ec2
+//# debugId=85257911-3f47-4452-8e33-51ee5c9c6b59
 //# sourceMappingURL=cli.js.map