terramend 0.2.0

package/src/mcp/terraform/currency.test.ts

@@ -0,0 +1,338 @@
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+// Unwrap the ToolResult envelope so tests assert on the raw object a tool
+// returns instead of decoding the encoded MCP text content.
+vi.mock("#app/mcp/shared", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("#app/mcp/shared")>();
+  return {
+    ...actual,
+    execute: <T, R>(fn: (params: T) => Promise<R>): ((params: T) => Promise<R>) => fn,
+  };
+});
+
+import type { LocalToolContext } from "#app/mcp/localContext";
+import {
+  checkVersionCurrency,
+  classifyCurrency,
+  fetchModuleVersions,
+  fetchProviderVersions,
+  terraformConstraintToRange,
+} from "#app/mcp/terraform/currency";
+import { TerraformVersionCurrencyTool } from "#app/mcp/terraform/tools";
+
+const tempDirs: string[] = [];
+
+function makeDir(files: Record<string, string> = {}): string {
+  const dir = mkdtempSync(join(tmpdir(), "terramend-currency-"));
+  tempDirs.push(dir);
+  for (const [rel, content] of Object.entries(files)) {
+    const abs = join(dir, rel);
+    mkdirSync(dirname(abs), { recursive: true });
+    writeFileSync(abs, content);
+  }
+  return dir;
+}
+
+function makeCtx(cwd: string): LocalToolContext {
+  return {
+    payload: { cwd },
+    toolState: {},
+    tmpdir: makeDir(),
+  } as unknown as LocalToolContext;
+}
+
+/** stub global fetch with a per-URL dispatcher returning JSON bodies. */
+function stubFetch(dispatch: (url: string) => { status: number; body?: unknown } | "reject") {
+  vi.stubGlobal(
+    "fetch",
+    vi.fn(async (input: string | URL) => {
+      const result = dispatch(String(input));
+      if (result === "reject") throw new Error("network down");
+      return {
+        ok: result.status >= 200 && result.status < 300,
+        status: result.status,
+        json: async () => result.body,
+      } as Response;
+    }),
+  );
+}
+
+function providerBody(versions: string[]): unknown {
+  return { versions: versions.map((v) => ({ version: v })) };
+}
+
+function moduleBody(versions: string[]): unknown {
+  return { modules: [{ versions: versions.map((v) => ({ version: v })) }] };
+}
+
+afterEach(() => {
+  vi.unstubAllGlobals();
+  for (const dir of tempDirs.splice(0)) {
+    rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+describe("terraformConstraintToRange", () => {
+  it.each([
+    ["~> 5.0", ">=5.0.0 <6.0.0"],
+    ["~> 5.1.2", ">=5.1.2 <5.2.0"],
+    ["~> 5", ">=5.0.0 <6.0.0"],
+    [">= 1.2, < 2.0", ">=1.2.0 <2.0.0"],
+    ["= 5.1.0", "5.1.0"],
+    ["5.1.0", "5.1.0"],
+    ["v1.2", "1.2.0"],
+    ["<= 3", "<=3.0.0"],
+  ])("converts %s → %s", (constraint, expected) => {
+    expect(terraformConstraintToRange(constraint)).toBe(expected);
+  });
+
+  it("skips != comparators but keeps the rest", () => {
+    expect(terraformConstraintToRange(">= 1.0, != 1.5")).toBe(">=1.0.0");
+  });
+
+  it("returns null for garbage or empty input", () => {
+    expect(terraformConstraintToRange("latest")).toBeNull();
+    expect(terraformConstraintToRange("")).toBeNull();
+    expect(terraformConstraintToRange("~> banana")).toBeNull();
+  });
+});
+
+describe("classifyCurrency", () => {
+  const available = ["4.9.0", "5.0.0", "5.31.0", "6.2.1", "7.0.0-beta1"];
+
+  it("flags a pessimistic pin a major behind (prereleases ignored)", () => {
+    const verdict = classifyCurrency({ constraint: "~> 5.0", available });
+    expect(verdict).toEqual({
+      latest: "6.2.1",
+      newestSatisfying: "5.31.0",
+      outdated: true,
+      majorsBehind: 1,
+    });
+  });
+
+  it("reports current when the constraint admits the latest", () => {
+    const verdict = classifyCurrency({ constraint: ">= 5.0", available });
+    expect(verdict).toEqual({
+      latest: "6.2.1",
+      newestSatisfying: "6.2.1",
+      outdated: false,
+      majorsBehind: 0,
+    });
+  });
+
+  it("is never outdated without a constraint (that's `unpinned`, not outdated)", () => {
+    const verdict = classifyCurrency({ constraint: null, available });
+    expect(verdict).toEqual({
+      latest: "6.2.1",
+      newestSatisfying: null,
+      outdated: false,
+      majorsBehind: 0,
+    });
+  });
+
+  it("degrades green when the registry publishes nothing stable", () => {
+    const verdict = classifyCurrency({ constraint: "~> 1.0", available: ["2.0.0-rc1"] });
+    expect(verdict).toEqual({
+      latest: null,
+      newestSatisfying: null,
+      outdated: false,
+      majorsBehind: 0,
+    });
+  });
+
+  it("treats an exact old pin as outdated", () => {
+    const verdict = classifyCurrency({ constraint: "4.9.0", available });
+    expect(verdict.outdated).toBe(true);
+    expect(verdict.majorsBehind).toBe(2);
+  });
+});
+
+describe("registry fetchers", () => {
+  it("fetches provider versions from the v1 providers endpoint", async () => {
+    stubFetch((url) => {
+      expect(url).toBe("https://registry.terraform.io/v1/providers/hashicorp/aws/versions");
+      return { status: 200, body: providerBody(["5.0.0", "5.1.0"]) };
+    });
+    await expect(fetchProviderVersions("hashicorp/aws")).resolves.toEqual({
+      status: "ok",
+      versions: ["5.0.0", "5.1.0"],
+    });
+  });
+
+  it("strips the default registry host and rejects other hosts", async () => {
+    stubFetch((url) => {
+      expect(url).toContain("/v1/providers/hashicorp/aws/versions");
+      return { status: 200, body: providerBody(["5.0.0"]) };
+    });
+    await expect(
+      fetchProviderVersions("registry.terraform.io/hashicorp/aws"),
+    ).resolves.toMatchObject({ status: "ok" });
+    await expect(fetchProviderVersions("tfe.example.com/org/aws")).resolves.toEqual({
+      status: "unsupported_source",
+      versions: [],
+    });
+  });
+
+  it("reads the first module record from the modules endpoint", async () => {
+    stubFetch((url) => {
+      expect(url).toBe(
+        "https://registry.terraform.io/v1/modules/terraform-aws-modules/vpc/aws/versions",
+      );
+      return { status: 200, body: moduleBody(["5.0.0", "5.8.1"]) };
+    });
+    await expect(fetchModuleVersions("terraform-aws-modules/vpc/aws")).resolves.toEqual({
+      status: "ok",
+      versions: ["5.0.0", "5.8.1"],
+    });
+  });
+
+  it("maps 404 / network failure / bad body to per-lookup statuses", async () => {
+    stubFetch(() => ({ status: 404 }));
+    await expect(fetchProviderVersions("hashicorp/gone")).resolves.toMatchObject({
+      status: "not_found",
+    });
+    stubFetch(() => "reject");
+    await expect(fetchProviderVersions("hashicorp/aws")).resolves.toMatchObject({
+      status: "error",
+    });
+    stubFetch(() => ({ status: 200, body: { unexpected: true } }));
+    await expect(fetchProviderVersions("hashicorp/aws")).resolves.toMatchObject({
+      status: "error",
+    });
+  });
+});
+
+const tf = `
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.0.0"
+}
+
+module "unpinned" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+}
+
+module "local_helper" {
+  source = "./modules/helper"
+}
+`;
+
+describe("checkVersionCurrency", () => {
+  it("reports outdated providers + modules, unpinned modules, and skips local modules", async () => {
+    const cwd = makeDir({ "main.tf": tf, "modules/helper/main.tf": "" });
+    stubFetch((url) => {
+      if (url.includes("/v1/providers/hashicorp/aws/"))
+        return { status: 200, body: providerBody(["4.67.0", "5.31.0"]) };
+      if (url.includes("/v1/modules/terraform-aws-modules/vpc/aws/"))
+        return { status: 200, body: moduleBody(["3.0.0", "5.8.1"]) };
+      if (url.includes("/v1/modules/terraform-aws-modules/s3-bucket/aws/"))
+        return { status: 200, body: moduleBody(["4.1.2"]) };
+      throw new Error(`unexpected url: ${url}`);
+    });
+
+    const report = await checkVersionCurrency(cwd);
+
+    expect(report.providers).toEqual([
+      {
+        name: "aws",
+        source: "hashicorp/aws",
+        constraint: "~> 4.0",
+        latest: "5.31.0",
+        newest_satisfying: "4.67.0",
+        outdated: true,
+        majors_behind: 1,
+        lookup: "ok",
+      },
+    ]);
+    // local module dropped; registry modules classified.
+    expect(report.modules).toHaveLength(2);
+    expect(report.modules[0]).toMatchObject({
+      name: "vpc",
+      version: "3.0.0",
+      latest: "5.8.1",
+      outdated: true,
+      unpinned: false,
+      declared_in: "main.tf",
+    });
+    expect(report.modules[1]).toMatchObject({
+      name: "unpinned",
+      latest: "4.1.2",
+      outdated: false,
+      unpinned: true,
+    });
+    expect(report.outdated_count).toBe(2);
+    expect(report.unpinned_count).toBe(1);
+    expect(report.lookups_failed).toBe(0);
+  });
+
+  it("degrades one failed lookup to its row without hiding the rest", async () => {
+    const cwd = makeDir({ "main.tf": tf, "modules/helper/main.tf": "" });
+    stubFetch((url) => {
+      if (url.includes("/v1/providers/")) return "reject";
+      return { status: 200, body: moduleBody(["9.0.0"]) };
+    });
+
+    const report = await checkVersionCurrency(cwd);
+
+    expect(report.providers[0]).toMatchObject({ lookup: "error", outdated: false });
+    expect(report.modules.every((m) => m.lookup === "ok")).toBe(true);
+    expect(report.lookups_failed).toBe(1);
+    expect(report.lookups_attempted).toBe(3);
+  });
+});
+
+describe("TerraformVersionCurrencyTool", () => {
+  it("returns the ok envelope with the report", async () => {
+    const cwd = makeDir({ "main.tf": tf, "modules/helper/main.tf": "" });
+    stubFetch((url) =>
+      url.includes("/v1/providers/")
+        ? { status: 200, body: providerBody(["4.67.0", "5.31.0"]) }
+        : { status: 200, body: moduleBody(["5.8.1"]) },
+    );
+    const fn = TerraformVersionCurrencyTool(makeCtx(cwd)).execute as (
+      p: Record<string, unknown>,
+    ) => Promise<Record<string, unknown>>;
+
+    const result = await fn({});
+
+    expect(result).toMatchObject({ ok: true, outdated_count: 2, unpinned_count: 1 });
+  });
+
+  it("returns the registry_unreachable skip envelope when every lookup fails", async () => {
+    const cwd = makeDir({ "main.tf": tf, "modules/helper/main.tf": "" });
+    stubFetch(() => "reject");
+    const fn = TerraformVersionCurrencyTool(makeCtx(cwd)).execute as (
+      p: Record<string, unknown>,
+    ) => Promise<Record<string, unknown>>;
+
+    const result = await fn({});
+
+    expect(result).toMatchObject({ ok: false, code: "registry_unreachable" });
+  });
+
+  it("degrades green on a workspace with nothing to check", async () => {
+    const cwd = makeDir({ "main.tf": `resource "null_resource" "x" {}` });
+    stubFetch(() => {
+      throw new Error("no lookups expected");
+    });
+    const fn = TerraformVersionCurrencyTool(makeCtx(cwd)).execute as (
+      p: Record<string, unknown>,
+    ) => Promise<Record<string, unknown>>;
+
+    const result = await fn({});
+
+    expect(result).toMatchObject({ ok: true, outdated_count: 0, unpinned_count: 0 });
+  });
+});

package/src/mcp/terraform/currency.ts

@@ -0,0 +1,336 @@
+/**
+ * Version currency (§P1 provider currency / M3 module upgrades).
+ *
+ * Answers one question the scanners can't: "is a NEWER version available?"
+ * tflint checks that versions are *pinned*; nothing we run checks that they're
+ * *current*. This module compares the workspace's pinned provider requirements
+ * and registry-module pins against the Terraform Registry's published versions.
+ *
+ * Deliberately NOT a scanner source: results are advisory intelligence the
+ * Remediate mode turns into `chore(deps)` upgrade PRs, not `Concern`s — the
+ * finding baseline stays scanner-owned (see docs/workplan/04-implementation-plan.md).
+ *
+ * Degrades green everywhere: a per-source lookup failure is reported on that
+ * row (`lookup: "error" | "not_found" | "unsupported_source"`), and only a
+ * fully-unreachable registry (every lookup failed) becomes a tool-level skip.
+ */
+
+import semver from "semver";
+import { collectModuleGraph, splitModuleSource } from "#app/mcp/modules";
+import { collectProviderRequirements } from "#app/mcp/terraform/scanners";
+
+export const DEFAULT_REGISTRY_BASE_URL = "https://registry.terraform.io";
+const FETCH_TIMEOUT_MS = 5_000;
+
+// --- constraint parsing (pure) ----------------------------------------------
+
+/** one comparator of a Terraform constraint: `~> 5.0`, `>= 1.2`, `5.1.0`. */
+const COMPARATOR_RE = /^(~>|>=|<=|!=|=|>|<)?\s*v?(\d+(?:\.\d+){0,2})$/;
+
+/** pad a 1-3 part version to full semver: `5` → `5.0.0`, `5.1` → `5.1.0`. */
+function padVersion(version: string): string {
+  const parts = version.split(".");
+  while (parts.length < 3) parts.push("0");
+  return parts.join(".");
+}
+
+/**
+ * Convert ONE Terraform version constraint string (comma-separated comparators,
+ * AND semantics) into an npm semver range, or null when any comparator is
+ * unparseable. `~>` is Terraform's pessimistic operator: the RIGHTMOST given
+ * component may float (`~> 5.0` → `>=5.0.0 <6.0.0`, `~> 5.1.2` → `>=5.1.2 <5.2.0`,
+ * `~> 5` → `>=5.0.0 <6.0.0`). `!=` comparators have no single-range npm
+ * equivalent and are skipped — acceptable here because the result only ranks
+ * candidate versions, it never selects what gets installed.
+ */
+export function terraformConstraintToRange(constraint: string): string | null {
+  const parts = constraint
+    .split(",")
+    .map((p) => p.trim())
+    .filter(Boolean);
+  if (parts.length === 0) return null;
+
+  const ranges: string[] = [];
+  for (const part of parts) {
+    const m = part.match(COMPARATOR_RE);
+    if (!m) return null;
+    const op = m[1] ?? "=";
+    const raw = m[2];
+    if (raw === undefined) return null;
+    if (op === "!=") continue; // see docstring — skipped, never fatal
+    const full = padVersion(raw);
+    if (op === "~>") {
+      const given = raw.split(".").length;
+      // bump the component LEFT of the floating one: `~> 5.1.2` floats patch
+      // (< 5.2.0); `~> 5.0` and `~> 5` float minor/major-rightmost (< 6.0.0).
+      const upper =
+        given >= 3
+          ? `${semver.major(full)}.${semver.minor(full) + 1}.0`
+          : `${semver.major(full) + 1}.0.0`;
+      ranges.push(`>=${full} <${upper}`);
+    } else if (op === "=") {
+      ranges.push(full);
+    } else {
+      ranges.push(`${op}${full}`);
+    }
+  }
+  return ranges.length > 0 ? ranges.join(" ") : null;
+}
+
+// --- currency classification (pure) -----------------------------------------
+
+export interface CurrencyVerdict {
+  /** newest stable version the registry publishes (null: nothing published). */
+  latest: string | null;
+  /** newest published version the written constraint admits (null: no
+   * constraint, unparseable constraint, or nothing satisfies). */
+  newestSatisfying: string | null;
+  /** true when the registry has a stable version the constraint does NOT admit
+   * — i.e. an upgrade PR is available. Always false without a constraint. */
+  outdated: boolean;
+  /** how many MAJORs the constraint's best version trails the latest by —
+   * >0 signals an interface-risk upgrade that must be `needs-human`. */
+  majorsBehind: number;
+}
+
+/** drop non-semver tokens and prereleases; registries publish plain versions
+ * but git refs (`v1.2.0-rc1`, branch names) also land here via module pins.
+ * Valid-but-prerelease versions must be dropped BEFORE any coercion — coercing
+ * `7.0.0-beta1` would strip the suffix and misreport a beta as stable. */
+function stableVersions(available: string[]): string[] {
+  const out: string[] = [];
+  for (const raw of available) {
+    const exact = semver.valid(raw);
+    if (exact !== null) {
+      if (semver.prerelease(exact) === null) out.push(exact);
+      continue;
+    }
+    const coerced = semver.coerce(raw);
+    if (coerced !== null) out.push(coerced.version);
+  }
+  return out;
+}
+
+export function classifyCurrency(params: {
+  constraint: string | null;
+  available: string[];
+}): CurrencyVerdict {
+  const versions = stableVersions(params.available);
+  const latest = versions.length > 0 ? (versions.sort(semver.rcompare)[0] ?? null) : null;
+  if (latest === null) {
+    return { latest: null, newestSatisfying: null, outdated: false, majorsBehind: 0 };
+  }
+  if (params.constraint === null) {
+    return { latest, newestSatisfying: null, outdated: false, majorsBehind: 0 };
+  }
+  const range = terraformConstraintToRange(params.constraint);
+  if (range === null) {
+    return { latest, newestSatisfying: null, outdated: false, majorsBehind: 0 };
+  }
+  const newestSatisfying = semver.maxSatisfying(versions, range);
+  const outdated = newestSatisfying === null || semver.lt(newestSatisfying, latest);
+  const majorsBehind = newestSatisfying
+    ? Math.max(0, semver.major(latest) - semver.major(newestSatisfying))
+    : Math.max(0, semver.major(latest));
+  return { latest, newestSatisfying, outdated, majorsBehind };
+}
+
+// --- registry lookups (I/O) --------------------------------------------------
+
+export type LookupStatus = "ok" | "not_found" | "error" | "unsupported_source";
+
+/** strip a leading default-registry host; reject other hosts (private/TFE
+ * registries use different auth + paths — out of scope for the public check). */
+function normalizeRegistryPath(base: string, expectedSegments: number): string | null {
+  const segments = base.split("/").filter(Boolean);
+  if (segments.length === expectedSegments + 1 && segments[0]?.includes(".")) {
+    if (segments[0] !== "registry.terraform.io") return null;
+    segments.shift();
+  }
+  return segments.length === expectedSegments ? segments.join("/") : null;
+}
+
+async function fetchVersionList(
+  url: string,
+  extract: (body: unknown) => string[] | null,
+): Promise<{ status: LookupStatus; versions: string[] }> {
+  let response: Response;
+  try {
+    response = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS) });
+  } catch {
+    return { status: "error", versions: [] };
+  }
+  if (response.status === 404) return { status: "not_found", versions: [] };
+  if (!response.ok) return { status: "error", versions: [] };
+  let body: unknown;
+  try {
+    body = await response.json();
+  } catch {
+    return { status: "error", versions: [] };
+  }
+  const versions = extract(body);
+  if (versions === null) return { status: "error", versions: [] };
+  return { status: "ok", versions };
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+/** pull `[{version}, …]` out of a `{ …, versions: [...] }` payload. */
+function extractVersionsArray(container: unknown): string[] | null {
+  if (!isRecord(container) || !Array.isArray(container.versions)) return null;
+  const out: string[] = [];
+  for (const entry of container.versions) {
+    if (isRecord(entry) && typeof entry.version === "string") out.push(entry.version);
+  }
+  return out;
+}
+
+/** GET /v1/providers/{namespace}/{type}/versions — provider release list. */
+export async function fetchProviderVersions(
+  source: string,
+  opts: { baseUrl?: string } = {},
+): Promise<{ status: LookupStatus; versions: string[] }> {
+  const path = normalizeRegistryPath(source, 2);
+  if (path === null) return { status: "unsupported_source", versions: [] };
+  const base = opts.baseUrl ?? DEFAULT_REGISTRY_BASE_URL;
+  return fetchVersionList(`${base}/v1/providers/${path}/versions`, extractVersionsArray);
+}
+
+/** GET /v1/modules/{namespace}/{name}/{provider}/versions — registry-module
+ * release list (the response nests per-module records; the first is the
+ * requested module, the rest are dependency records we don't want). */
+export async function fetchModuleVersions(
+  sourceBase: string,
+  opts: { baseUrl?: string } = {},
+): Promise<{ status: LookupStatus; versions: string[] }> {
+  const path = normalizeRegistryPath(sourceBase, 3);
+  if (path === null) return { status: "unsupported_source", versions: [] };
+  const base = opts.baseUrl ?? DEFAULT_REGISTRY_BASE_URL;
+  return fetchVersionList(`${base}/v1/modules/${path}/versions`, (body) => {
+    if (!isRecord(body) || !Array.isArray(body.modules)) return null;
+    return extractVersionsArray(body.modules[0]);
+  });
+}
+
+// --- workspace report (orchestration) ----------------------------------------
+
+export interface ProviderCurrencyRow {
+  name: string;
+  source: string;
+  constraint: string | null;
+  latest: string | null;
+  newest_satisfying: string | null;
+  outdated: boolean;
+  majors_behind: number;
+  lookup: LookupStatus;
+}
+
+export interface ModuleCurrencyRow {
+  name: string;
+  source: string;
+  version: string | null;
+  latest: string | null;
+  newest_satisfying: string | null;
+  outdated: boolean;
+  /** registry module with no `version` attribute — pin it (to `latest`). */
+  unpinned: boolean;
+  lookup: LookupStatus;
+  declared_in: string;
+}
+
+export interface CurrencyReport {
+  providers: ProviderCurrencyRow[];
+  modules: ModuleCurrencyRow[];
+  outdated_count: number;
+  unpinned_count: number;
+  lookups_attempted: number;
+  lookups_failed: number;
+}
+
+/** bare `aws` in a legacy required_providers block means `hashicorp/aws`. */
+function providerSource(name: string, source: string | null): string {
+  return source ?? `hashicorp/${name}`;
+}
+
+export async function checkVersionCurrency(
+  cwd: string,
+  opts: { baseUrl?: string } = {},
+): Promise<CurrencyReport> {
+  const providerReqs = collectProviderRequirements(cwd);
+  const registryModules = collectModuleGraph(cwd).modules.filter((m) => m.kind === "registry");
+
+  // one lookup per distinct source — a workspace redeclaring `hashicorp/aws`
+  // in every root must not turn into N identical registry calls.
+  const providerLookups = new Map<string, Promise<{ status: LookupStatus; versions: string[] }>>();
+  for (const req of providerReqs) {
+    const source = providerSource(req.name, req.source);
+    if (!providerLookups.has(source)) {
+      providerLookups.set(source, fetchProviderVersions(source, opts));
+    }
+  }
+  const moduleLookups = new Map<string, Promise<{ status: LookupStatus; versions: string[] }>>();
+  for (const mod of registryModules) {
+    const base = splitModuleSource(mod.source).base;
+    if (!moduleLookups.has(base)) {
+      moduleLookups.set(base, fetchModuleVersions(base, opts));
+    }
+  }
+  // resolve every lookup up front so the row loops below read settled results
+  // (and so a missing map entry can degrade to an error row, not a crash).
+  const noLookup = { status: "error" as LookupStatus, versions: [] as string[] };
+  const providerResults = new Map(
+    await Promise.all([...providerLookups].map(async ([source, p]) => [source, await p] as const)),
+  );
+  const moduleResults = new Map(
+    await Promise.all([...moduleLookups].map(async ([base, p]) => [base, await p] as const)),
+  );
+
+  const providers: ProviderCurrencyRow[] = [];
+  for (const req of providerReqs) {
+    const source = providerSource(req.name, req.source);
+    const result = providerResults.get(source) ?? noLookup;
+    const verdict = classifyCurrency({ constraint: req.version, available: result.versions });
+    providers.push({
+      name: req.name,
+      source,
+      constraint: req.version,
+      latest: verdict.latest,
+      newest_satisfying: verdict.newestSatisfying,
+      outdated: result.status === "ok" && verdict.outdated,
+      majors_behind: result.status === "ok" ? verdict.majorsBehind : 0,
+      lookup: result.status,
+    });
+  }
+
+  const modules: ModuleCurrencyRow[] = [];
+  for (const mod of registryModules) {
+    const base = splitModuleSource(mod.source).base;
+    const result = moduleResults.get(base) ?? noLookup;
+    const verdict = classifyCurrency({ constraint: mod.version, available: result.versions });
+    modules.push({
+      name: mod.name,
+      source: mod.source,
+      version: mod.version,
+      latest: verdict.latest,
+      newest_satisfying: verdict.newestSatisfying,
+      outdated: result.status === "ok" && verdict.outdated,
+      unpinned: mod.version === null,
+      lookup: result.status,
+      declared_in: mod.declaredIn,
+    });
+  }
+
+  const failed = [...providers, ...modules].filter(
+    (row) => row.lookup === "error" || row.lookup === "not_found",
+  ).length;
+  return {
+    providers,
+    modules,
+    outdated_count: [...providers, ...modules].filter((r) => r.outdated).length,
+    unpinned_count: modules.filter((m) => m.unpinned).length,
+    lookups_attempted: providers.length + modules.length,
+    lookups_failed: failed,
+  };
+}