trawly 0.0.2 → 0.1.1

package/dist/cli.js

@@ -1,26 +1,56 @@
 #!/usr/bin/env node
 
 // src/cli.ts
+import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname4, resolve as resolve11 } from "path";
 import { Command, InvalidArgumentError } from "commander";
-import kleur4 from "kleur";
+import kleur5 from "kleur";
 
 // src/commands/add.ts
 import kleur from "kleur";
 
+// src/fingerprint.ts
+import { createHash } from "crypto";
+function fingerprintFinding(input) {
+  return stableHash([
+    input.source,
+    input.type,
+    input.id,
+    input.ecosystem,
+    input.packageName,
+    input.installedVersion
+  ]);
+}
+function packageKey(pkg) {
+  return pkg.purl ?? `${pkg.ecosystem}:${pkg.name}@${pkg.version}`;
+}
+function stableHash(parts) {
+  return createHash("sha256").update(parts.join("\0")).digest("hex");
+}
+
 // src/sources/osv.ts
 var OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";
 var OSV_VULN_URL = "https://api.osv.dev/v1/vulns";
 var QUERY_CHUNK_SIZE = 500;
 var REQUEST_TIMEOUT_MS = 15e3;
 var MAX_RETRIES = 2;
+var DETAIL_CONCURRENCY = 8;
 function dedupeForQuery(packages) {
   const seen = /* @__PURE__ */ new Set();
   const out = [];
   for (const pkg of packages) {
-    const key = `${pkg.name}@${pkg.version}`;
+    const key = packageKey(pkg);
     if (seen.has(key)) continue;
     seen.add(key);
-    out.push({ name: pkg.name, version: pkg.version });
+    if (pkg.purl) out.push({ name: pkg.name, version: pkg.version, purl: pkg.purl });
+    else if (pkg.ecosystem === "npm") out.push({ name: pkg.name, version: pkg.version });
+    else {
+      out.push({
+        name: pkg.name,
+        version: pkg.version,
+        ecosystem: pkg.ecosystem
+      });
+    }
   }
   return out;
 }
@@ -30,33 +60,14 @@ async function queryOsv(packages, deps = {}) {
   if (unique.length === 0) return [];
   const idsByPackage = /* @__PURE__ */ new Map();
   for (const chunk of chunked(unique, QUERY_CHUNK_SIZE)) {
-    const body = {
-      queries: chunk.map((q) => ({
-        package: { ecosystem: "npm", name: q.name },
-        version: q.version
-      }))
-    };
-    const res = await postJson(
-      fetchImpl,
-      OSV_QUERYBATCH_URL,
-      body
-    );
-    res.results.forEach((result, i) => {
-      const q = chunk[i];
-      if (!q) return;
-      const key = `${q.name}@${q.version}`;
-      if (!result.vulns || result.vulns.length === 0) return;
-      const ids = idsByPackage.get(key) ?? /* @__PURE__ */ new Set();
-      for (const v of result.vulns) ids.add(v.id);
-      idsByPackage.set(key, ids);
-    });
+    await queryBatchWithPagination(fetchImpl, chunk, idsByPackage);
   }
   const allIds = /* @__PURE__ */ new Set();
   for (const ids of idsByPackage.values()) {
     for (const id of ids) allIds.add(id);
   }
   const detailsById = /* @__PURE__ */ new Map();
-  for (const id of allIds) {
+  await mapWithConcurrency([...allIds], DETAIL_CONCURRENCY, async (id) => {
     try {
       const detail = await getJson(
         fetchImpl,
@@ -65,10 +76,10 @@ async function queryOsv(packages, deps = {}) {
       detailsById.set(id, detail);
     } catch {
     }
-  }
+  });
   const findings = [];
   for (const pkg of packages) {
-    const key = `${pkg.name}@${pkg.version}`;
+    const key = packageKey(pkg);
     const ids = idsByPackage.get(key);
     if (!ids) continue;
     for (const id of ids) {
@@ -78,28 +89,88 @@ async function queryOsv(packages, deps = {}) {
   }
   return findings;
 }
+async function queryBatchWithPagination(fetchImpl, initial, idsByPackage) {
+  let pending = initial;
+  const pageTokens = /* @__PURE__ */ new Map();
+  while (pending.length > 0) {
+    const res = await postJson(
+      fetchImpl,
+      OSV_QUERYBATCH_URL,
+      { queries: pending.map((q) => toOsvQuery(q, pageTokens.get(queryKey(q)))) }
+    );
+    const next = [];
+    res.results.forEach((result, i) => {
+      const q = pending[i];
+      if (!q) return;
+      const key = queryKey(q);
+      if (result.vulns && result.vulns.length > 0) {
+        const ids = idsByPackage.get(key) ?? /* @__PURE__ */ new Set();
+        for (const v of result.vulns) ids.add(v.id);
+        idsByPackage.set(key, ids);
+      }
+      if (result.next_page_token) {
+        pageTokens.set(key, result.next_page_token);
+        next.push(q);
+      } else {
+        pageTokens.delete(key);
+      }
+    });
+    pending = next;
+  }
+}
+function toOsvQuery(q, pageToken) {
+  const query = q.purl ? { package: { purl: q.purl } } : {
+    package: { ecosystem: q.ecosystem ?? "npm", name: q.name },
+    version: q.version
+  };
+  return pageToken ? { ...query, page_token: pageToken } : query;
+}
+function queryKey(q) {
+  return q.purl ?? `${q.ecosystem ?? "npm"}:${q.name}@${q.version}`;
+}
 function buildFinding(pkg, id, detail) {
-  const severity = detail ? parseSeverity(detail) : "unknown";
+  const severity = detail ? parseSeverity(detail, pkg.name) : "unknown";
   const summary = detail?.summary ?? detail?.details ?? id;
+  const aliases = detail?.aliases ?? [];
+  const fingerprint = fingerprintFinding({
+    source: "osv",
+    type: "vulnerability",
+    id,
+    ecosystem: pkg.ecosystem,
+    packageName: pkg.name,
+    installedVersion: pkg.version
+  });
   return {
     id,
     source: "osv",
     type: "vulnerability",
     severity,
+    ecosystem: pkg.ecosystem,
     packageName: pkg.name,
     installedVersion: pkg.version,
     summary: truncate(summary, 240),
     url: pickAdvisoryUrl(detail) ?? `https://osv.dev/vulnerability/${id}`,
     fixedVersions: detail ? collectFixedVersions(detail, pkg.name) : [],
-    affectedPaths: [pkg.path]
+    affectedPaths: [pkg.path],
+    fingerprint,
+    aliases,
+    sourceFile: pkg.sourceFile,
+    line: pkg.line
   };
 }
-function parseSeverity(detail) {
+function parseSeverity(detail, packageName) {
   const dbSpecific = detail.database_specific?.severity?.toLowerCase();
   if (dbSpecific === "critical" || dbSpecific === "high" || dbSpecific === "moderate" || dbSpecific === "low") {
     return dbSpecific;
   }
   if (dbSpecific === "medium") return "moderate";
+  for (const aff of matchingAffected(detail, packageName)) {
+    const ecosystemSeverity = aff.ecosystem_specific?.severity?.toLowerCase();
+    if (ecosystemSeverity === "critical" || ecosystemSeverity === "high" || ecosystemSeverity === "moderate" || ecosystemSeverity === "low") {
+      return ecosystemSeverity;
+    }
+    if (ecosystemSeverity === "medium") return "moderate";
+  }
   const cvss = detail.severity?.find((s) => s.type?.startsWith("CVSS_"));
   if (cvss) {
     const score = parseCvssScore(cvss.score);
@@ -123,8 +194,7 @@ function pickAdvisoryUrl(detail) {
 }
 function collectFixedVersions(detail, packageName) {
   const out = /* @__PURE__ */ new Set();
-  for (const aff of detail.affected ?? []) {
-    if (aff.package?.name && aff.package.name !== packageName) continue;
+  for (const aff of matchingAffected(detail, packageName)) {
     for (const range of aff.ranges ?? []) {
       for (const event of range.events ?? []) {
         if (event.fixed) out.add(event.fixed);
@@ -133,11 +203,31 @@ function collectFixedVersions(detail, packageName) {
   }
   return [...out];
 }
+function matchingAffected(detail, packageName) {
+  if (!packageName) return detail.affected ?? [];
+  return (detail.affected ?? []).filter((aff) => {
+    const affectedName = aff.package?.name;
+    return !affectedName || affectedName === packageName;
+  });
+}
 function* chunked(items, size) {
   for (let i = 0; i < items.length; i += size) {
     yield items.slice(i, i + size);
   }
 }
+async function mapWithConcurrency(items, concurrency, worker) {
+  let next = 0;
+  const workers = Array.from(
+    { length: Math.min(concurrency, items.length) },
+    async () => {
+      while (next < items.length) {
+        const item = items[next++];
+        if (item !== void 0) await worker(item);
+      }
+    }
+  );
+  await Promise.all(workers);
+}
 async function postJson(fetchImpl, url, body) {
   return withRetry(async () => {
     const controller = new AbortController();
@@ -150,7 +240,11 @@ async function postJson(fetchImpl, url, body) {
         signal: controller.signal
       });
       if (!res.ok) {
-        throw new HttpError(`OSV ${res.status}: ${res.statusText}`, res.status);
+        throw new HttpError(
+          `OSV ${res.status}: ${res.statusText}`,
+          res.status,
+          retryAfterMs(res.headers)
+        );
       }
       return await res.json();
     } finally {
@@ -165,7 +259,11 @@ async function getJson(fetchImpl, url) {
     try {
       const res = await fetchImpl(url, { signal: controller.signal });
       if (!res.ok) {
-        throw new HttpError(`OSV ${res.status}: ${res.statusText}`, res.status);
+        throw new HttpError(
+          `OSV ${res.status}: ${res.statusText}`,
+          res.status,
+          retryAfterMs(res.headers)
+        );
       }
       return await res.json();
     } finally {
@@ -174,11 +272,13 @@ async function getJson(fetchImpl, url) {
   });
 }
 var HttpError = class extends Error {
-  constructor(message, status) {
+  constructor(message, status, retryAfterMs3) {
     super(message);
     this.status = status;
+    this.retryAfterMs = retryAfterMs3;
   }
   status;
+  retryAfterMs;
 };
 async function withRetry(fn) {
   let lastErr;
@@ -188,30 +288,452 @@ async function withRetry(fn) {
     } catch (err) {
       lastErr = err;
       if (!isRetryable(err) || attempt === MAX_RETRIES) break;
-      await new Promise((r) => setTimeout(r, 250 * 2 ** attempt));
+      const delay = err instanceof HttpError && err.retryAfterMs !== void 0 ? err.retryAfterMs : 250 * 2 ** attempt;
+      await new Promise((r) => setTimeout(r, delay));
     }
   }
   throw lastErr;
 }
 function isRetryable(err) {
-  if (err instanceof HttpError) return err.status >= 500;
+  if (err instanceof HttpError) return err.status === 429 || err.status >= 500;
   return true;
 }
+function retryAfterMs(headers) {
+  const value = headers.get("retry-after");
+  if (!value) return void 0;
+  const seconds = Number(value);
+  if (Number.isFinite(seconds) && seconds >= 0) return seconds * 1e3;
+  const date = Date.parse(value);
+  if (Number.isNaN(date)) return void 0;
+  return Math.max(0, date - Date.now());
+}
 function truncate(s, max) {
   if (s.length <= max) return s;
   return `${s.slice(0, max - 1)}\u2026`;
 }
 
 // src/scanner.ts
-import { existsSync as existsSync2, statSync } from "fs";
-import { basename, resolve as resolve4, join as join2 } from "path";
+import { existsSync as existsSync4, statSync as statSync2 } from "fs";
+import { dirname as dirname3, resolve as resolve7, join as join4 } from "path";
+
+// src/baseline.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+var BaselineError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BaselineError";
+  }
+};
+function applyBaseline(findings, cwd, baselinePath) {
+  if (!baselinePath) return void 0;
+  const absolute = resolve(cwd, baselinePath);
+  const loaded = readBaseline(absolute);
+  const fingerprints = new Set(loaded.findings);
+  let existing = 0;
+  let fresh = 0;
+  const marked = findings.map((finding) => {
+    if (fingerprints.has(finding.fingerprint)) {
+      existing++;
+      return { ...finding, baseline: "existing" };
+    }
+    fresh++;
+    return { ...finding, baseline: "new" };
+  });
+  return {
+    result: {
+      path: absolute,
+      loaded: true,
+      total: findings.length,
+      existing,
+      new: fresh
+    },
+    findings: marked
+  };
+}
+function writeBaseline(findings, cwd, baselinePath, existing) {
+  const absolute = resolve(cwd, baselinePath);
+  const unique = [...new Set(findings.map((f) => f.fingerprint))].sort();
+  const payload = {
+    version: 1,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    findings: unique
+  };
+  mkdirSync(dirname(absolute), { recursive: true });
+  writeFileSync(absolute, `${JSON.stringify(payload, null, 2)}
+`);
+  return {
+    path: existing?.path,
+    loaded: existing?.loaded ?? false,
+    written: absolute,
+    total: findings.length,
+    existing: existing?.existing ?? 0,
+    new: existing?.new ?? findings.length
+  };
+}
+function readBaseline(path) {
+  if (!existsSync(path)) {
+    throw new BaselineError(`Baseline file does not exist: ${path}`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(path, "utf8"));
+  } catch (err) {
+    throw new BaselineError(
+      `Failed to parse baseline ${path}: ${err.message}`
+    );
+  }
+  if (!isRecord(parsed) || parsed.version !== 1) {
+    throw new BaselineError(`${path}: unsupported baseline format.`);
+  }
+  if (!Array.isArray(parsed.findings)) {
+    throw new BaselineError(`${path}: findings must be an array.`);
+  }
+  const findings = parsed.findings.filter((v) => typeof v === "string");
+  return {
+    version: 1,
+    generatedAt: typeof parsed.generatedAt === "string" ? parsed.generatedAt : "",
+    findings
+  };
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/config.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2, join } from "path";
+import { parse as parseToml } from "smol-toml";
+var CONFIG_NAME = "trawly.toml";
+var FAIL_ON_VALUES = /* @__PURE__ */ new Set([
+  "critical",
+  "high",
+  "moderate",
+  "low",
+  "none"
+]);
+var POLICY_VALUES = /* @__PURE__ */ new Set([
+  "ci",
+  "strict",
+  "library",
+  "app"
+]);
+var ConfigError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ConfigError";
+  }
+};
+function loadConfig(cwd, explicitPath) {
+  const configPath = explicitPath ? resolve2(cwd, explicitPath) : findConfig(cwd);
+  if (!configPath) return { config: { ignore: [] } };
+  if (!existsSync2(configPath)) {
+    throw new ConfigError(`Config file does not exist: ${configPath}`);
+  }
+  let raw;
+  try {
+    raw = parseToml(readFileSync2(configPath, "utf8"));
+  } catch (err) {
+    throw new ConfigError(
+      `Failed to parse ${configPath}: ${err.message}`
+    );
+  }
+  return { path: configPath, config: normalizeConfig(raw, configPath) };
+}
+function findConfig(cwd) {
+  const candidate = join(cwd, CONFIG_NAME);
+  return existsSync2(candidate) ? candidate : void 0;
+}
+function normalizeConfig(raw, path) {
+  if (!isRecord2(raw)) throw new ConfigError(`${path} must be a TOML table.`);
+  const failOn = optionalString(raw.failOn, "failOn", path);
+  if (failOn !== void 0 && !FAIL_ON_VALUES.has(failOn)) {
+    throw new ConfigError(
+      `${path}: failOn must be one of ${[...FAIL_ON_VALUES].join(", ")}.`
+    );
+  }
+  const policy = optionalString(raw.policy, "policy", path);
+  if (policy !== void 0 && !POLICY_VALUES.has(policy)) {
+    throw new ConfigError(
+      `${path}: policy must be one of ${[...POLICY_VALUES].join(", ")}.`
+    );
+  }
+  const risk = optionalBoolean(raw.risk, "risk", path);
+  const env = optionalBoolean(raw.env, "env", path);
+  const allowedRegistries = normalizeStringArray(
+    raw.allowedRegistries,
+    "allowedRegistries",
+    path
+  );
+  if (raw.ignore !== void 0 && raw.IgnoredVulns !== void 0) {
+    console.warn(
+      `${path}: both "ignore" and legacy "IgnoredVulns" are defined; using "ignore".`
+    );
+  }
+  const ignore = normalizeIgnore(raw.ignore ?? raw.IgnoredVulns ?? [], path);
+  return {
+    failOn,
+    policy,
+    risk,
+    env,
+    allowedRegistries,
+    ignore
+  };
+}
+function normalizeIgnore(raw, path) {
+  if (raw === void 0) return [];
+  if (!Array.isArray(raw)) {
+    throw new ConfigError(`${path}: ignore must be an array of tables.`);
+  }
+  return raw.map((item, idx) => {
+    if (!isRecord2(item)) {
+      throw new ConfigError(`${path}: ignore[${idx}] must be a table.`);
+    }
+    const id = requiredString(item.id, `ignore[${idx}].id`, path);
+    const expires = requiredDateString(
+      item.expires,
+      `ignore[${idx}].expires`,
+      path
+    );
+    const reason = requiredString(item.reason, `ignore[${idx}].reason`, path);
+    return {
+      id,
+      expires,
+      reason,
+      package: optionalString(item.package, `ignore[${idx}].package`, path),
+      ecosystem: optionalString(item.ecosystem, `ignore[${idx}].ecosystem`, path),
+      version: optionalString(item.version, `ignore[${idx}].version`, path)
+    };
+  });
+}
+function normalizeStringArray(raw, field, path) {
+  if (raw === void 0) return void 0;
+  if (!Array.isArray(raw) || raw.some((v) => typeof v !== "string")) {
+    throw new ConfigError(`${path}: ${field} must be an array of strings.`);
+  }
+  return raw;
+}
+function requiredDateString(raw, field, path) {
+  const value = requiredString(raw, field, path);
+  if (!isIsoDate(value)) {
+    throw new ConfigError(`${path}: ${field} must be YYYY-MM-DD.`);
+  }
+  return value;
+}
+function requiredString(raw, field, path) {
+  if (typeof raw !== "string" || raw.trim() === "") {
+    throw new ConfigError(`${path}: ${field} is required.`);
+  }
+  return raw;
+}
+function optionalString(raw, field, path) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "string") {
+    throw new ConfigError(`${path}: ${field} must be a string.`);
+  }
+  return raw;
+}
+function optionalBoolean(raw, field, path) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "boolean") {
+    throw new ConfigError(`${path}: ${field} must be true or false.`);
+  }
+  return raw;
+}
+function isIsoDate(s) {
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
+  const date = /* @__PURE__ */ new Date(`${s}T00:00:00.000Z`);
+  return !Number.isNaN(date.getTime()) && date.toISOString().startsWith(s);
+}
+function isRecord2(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/env.ts
+import {
+  lstatSync,
+  readdirSync,
+  readFileSync as readFileSync3,
+  statSync
+} from "fs";
+import { join as join2, relative } from "path";
+var MAX_ENV_FILE_BYTES = 1024 * 1024;
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  ".hg",
+  ".svn",
+  "coverage",
+  "dist",
+  "node_modules",
+  "vendor"
+]);
+var SAFE_ENV_SUFFIXES = /* @__PURE__ */ new Set([
+  "default",
+  "defaults",
+  "dist",
+  "example",
+  "sample",
+  "template"
+]);
+var SECRET_KEY_RE = /(?:^|_)(?:SECRET|TOKEN|PASSWORD|PASS|PWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|AUTH|CREDENTIAL|DATABASE_URL|DB_URL|REDIS_URL|MONGO_URI|CONNECTION_STRING|WEBHOOK|CLIENT_SECRET)(?:$|_)/i;
+var PRIVATE_KEY_RE = /PRIVATE_KEY|BEGIN_[A-Z0-9_]+_PRIVATE_KEY/i;
+var PLACEHOLDER_RE = /^(?:|changeme|change_me|change-me|example|example-value|placeholder|replace_me|replace-me|todo|test|dummy|your_.+|<.+>|\$\{.+\}|x+)$/i;
+function scanEnvFiles(cwd) {
+  const warnings = [];
+  const findings = [];
+  let filesScanned = 0;
+  for (const file of findEnvFiles(cwd)) {
+    let raw;
+    try {
+      const stat = statSync(file);
+      if (stat.size > MAX_ENV_FILE_BYTES) {
+        warnings.push(
+          `Skipped env file ${relative(cwd, file)} because it is larger than 1 MiB.`
+        );
+        continue;
+      }
+      raw = readFileSync3(file, "utf8");
+    } catch (err) {
+      warnings.push(
+        `Could not read env file ${relative(cwd, file)}: ${err.message}`
+      );
+      continue;
+    }
+    filesScanned++;
+    const rel = normalizePath(relative(cwd, file));
+    findings.push(envFileFinding(file, rel));
+    for (const assignment of parseEnvAssignments(raw)) {
+      if (!isSensitiveAssignment(assignment)) continue;
+      findings.push(envSecretFinding(file, rel, assignment));
+    }
+  }
+  return { findings, warnings, filesScanned };
+}
+function findEnvFiles(root) {
+  const out = [];
+  const stack = [root];
+  while (stack.length > 0) {
+    const dir = stack.pop();
+    let entries;
+    try {
+      entries = readdirSync(dir);
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const path = join2(dir, entry);
+      let stat;
+      try {
+        stat = lstatSync(path);
+      } catch {
+        continue;
+      }
+      if (stat.isSymbolicLink()) continue;
+      if (stat.isDirectory()) {
+        if (!SKIP_DIRS.has(entry)) stack.push(path);
+        continue;
+      }
+      if (stat.isFile() && isEnvFile(entry)) out.push(path);
+    }
+  }
+  return out.sort();
+}
+function isEnvFile(name) {
+  if (name === ".env") return true;
+  if (!name.startsWith(".env.")) return false;
+  const suffixes = name.slice(".env.".length).toLowerCase().split(".").filter(Boolean);
+  return !suffixes.some((suffix) => SAFE_ENV_SUFFIXES.has(suffix));
+}
+function parseEnvAssignments(raw) {
+  const out = [];
+  raw.split(/\r?\n/).forEach((line, index) => {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) return;
+    const match = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(
+      trimmed
+    );
+    if (!match) return;
+    const key = match[1];
+    const value = unquote(match[2].trim());
+    out.push({ key, value, line: index + 1 });
+  });
+  return out;
+}
+function isSensitiveAssignment(assignment) {
+  if (!SECRET_KEY_RE.test(assignment.key)) return false;
+  return !PLACEHOLDER_RE.test(assignment.value.trim());
+}
+function envFileFinding(sourceFile, rel) {
+  const id = "TRAWLY-ENV-FILE";
+  return {
+    id,
+    source: "trawly",
+    type: "secret",
+    severity: "moderate",
+    ecosystem: "env",
+    packageName: ".env file",
+    installedVersion: rel,
+    summary: "Committed env file detected. Verify it does not contain secrets and prefer committing an example/template file instead.",
+    fixedVersions: [],
+    affectedPaths: [rel],
+    fingerprint: fingerprintFinding({
+      source: "trawly",
+      type: "secret",
+      id,
+      ecosystem: "env",
+      packageName: ".env file",
+      installedVersion: rel
+    }),
+    aliases: [],
+    sourceFile,
+    line: 1
+  };
+}
+function envSecretFinding(sourceFile, rel, assignment) {
+  const id = "TRAWLY-ENV-SECRET";
+  return {
+    id,
+    source: "trawly",
+    type: "secret",
+    severity: PRIVATE_KEY_RE.test(assignment.key) ? "critical" : "high",
+    ecosystem: "env",
+    packageName: assignment.key,
+    installedVersion: rel,
+    summary: "Committed env file contains a secret-like variable. The value is intentionally omitted from this report.",
+    fixedVersions: [],
+    affectedPaths: [rel],
+    fingerprint: fingerprintFinding({
+      source: "trawly",
+      type: "secret",
+      id,
+      ecosystem: "env",
+      packageName: assignment.key,
+      installedVersion: rel
+    }),
+    aliases: [],
+    sourceFile,
+    line: assignment.line
+  };
+}
+function unquote(value) {
+  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+    return value.slice(1, -1);
+  }
+  return value;
+}
+function normalizePath(path) {
+  return path.split(/[\\/]/).join("/");
+}
+
+// src/extractors/lockfile.ts
+import { basename as basename2 } from "path";
 
 // src/extractors/npm-package-lock.ts
-import { readFileSync } from "fs";
-import { resolve } from "path";
+import { readFileSync as readFileSync4 } from "fs";
+import { resolve as resolve3 } from "path";
 function parseNpmPackageLock(filePath) {
-  const absolute = resolve(filePath);
-  const raw = readFileSync(absolute, "utf8");
+  const absolute = resolve3(filePath);
+  const raw = readFileSync4(absolute, "utf8");
   let parsed;
   try {
     parsed = JSON.parse(raw);
@@ -249,8 +771,14 @@ function parseNpmPackageLock(filePath) {
       direct: directDeps.has(name) && isTopLevelInstance(path),
       dev: Boolean(entry.dev || entry.devOptional),
       optional: Boolean(entry.optional || entry.devOptional),
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf(raw, JSON.stringify(path)),
+      manager: "npm",
       resolved: entry.resolved,
-      integrity: entry.integrity
+      integrity: entry.integrity,
+      registry: registryFromResolved(entry.resolved),
+      hasInstallScript: Boolean(entry.hasInstallScript)
     });
   }
   return instances;
@@ -289,264 +817,834 @@ function isTopLevelInstance(path) {
   if (first === -1) return false;
   return path.indexOf("node_modules/", first + 1) === -1;
 }
+function registryFromResolved(resolved) {
+  if (!resolved) return void 0;
+  try {
+    const url = new URL(resolved);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return void 0;
+  }
+}
+function lineOf(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
+}
+
+// src/extractors/pnpm-lock.ts
+import { readFileSync as readFileSync6 } from "fs";
+import { resolve as resolve4 } from "path";
+import { parse as parseYaml } from "yaml";
+
+// src/extractors/package-json.ts
+import { existsSync as existsSync3, readFileSync as readFileSync5 } from "fs";
+import { dirname as dirname2, join as join3 } from "path";
+function readPackageJsonInfoFrom(filePath) {
+  return readPackageJsonInfo(dirname2(filePath));
+}
+function readPackageJsonInfo(cwd) {
+  const info = {
+    dependencies: /* @__PURE__ */ new Set(),
+    devDependencies: /* @__PURE__ */ new Set(),
+    optionalDependencies: /* @__PURE__ */ new Set(),
+    allDirect: /* @__PURE__ */ new Set()
+  };
+  const path = join3(cwd, "package.json");
+  if (!existsSync3(path)) return info;
+  try {
+    const raw = JSON.parse(readFileSync5(path, "utf8"));
+    collect(raw.dependencies, info.dependencies, info.allDirect);
+    collect(raw.devDependencies, info.devDependencies, info.allDirect);
+    collect(raw.optionalDependencies, info.optionalDependencies, info.allDirect);
+    collect(raw.peerDependencies, info.dependencies, info.allDirect);
+  } catch {
+    return info;
+  }
+  return info;
+}
+function collect(value, target, allDirect) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return;
+  for (const name of Object.keys(value)) {
+    target.add(name);
+    allDirect.add(name);
+  }
+}
 
 // src/extractors/pnpm-lock.ts
-import { readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve2 } from "path";
-import yaml from "js-yaml";
 var SUPPORTED_MAJOR_VERSIONS = /* @__PURE__ */ new Set([6, 9]);
 function parsePnpmLock(filePath) {
-  const absolute = resolve2(filePath);
-  const raw = readFileSync2(absolute, "utf8");
+  const absolute = resolve4(filePath);
+  const raw = readFileSync6(absolute, "utf8");
   let parsed;
   try {
-    parsed = yaml.load(raw) ?? {};
+    parsed = parseYaml(raw);
   } catch (err) {
     throw new Error(
       `Failed to parse ${absolute}: ${err.message}`
     );
   }
-  const versionRaw = parsed.lockfileVersion;
-  const major = parseLockfileMajor(versionRaw);
+  const major = parseLockfileMajor(parsed.lockfileVersion);
   if (major === null || !SUPPORTED_MAJOR_VERSIONS.has(major)) {
     throw new Error(
-      `Unsupported pnpm lockfileVersion ${String(versionRaw)} in ${absolute}. Supported: 6.x, 9.x.`
+      `Unsupported pnpm lockfileVersion ${String(parsed.lockfileVersion)} in ${absolute}. Supported: 6.x, 9.x.`
     );
   }
-  const packages = parsed.packages;
-  if (!packages || typeof packages !== "object") {
-    throw new Error(
-      `Lockfile ${absolute} has no "packages" map; cannot extract installed versions.`
-    );
+  if (!parsed.packages || typeof parsed.packages !== "object") {
+    throw new Error(`Lockfile ${absolute} has no "packages" map.`);
   }
-  const importers = parsed.importers ?? {
-    ".": {
-      dependencies: parsed.dependencies,
-      devDependencies: parsed.devDependencies,
-      optionalDependencies: parsed.optionalDependencies
-    }
-  };
-  const direct = collectDirectFromImporters(importers);
+  const rootInfo = readPackageJsonInfoFrom(absolute);
+  const importerDirect = collectImporterDirect(parsed);
+  const directDeps = importerDirect.all.size > 0 ? importerDirect.all : rootInfo.allDirect;
+  const devDeps = importerDirect.dev.size > 0 ? importerDirect.dev : rootInfo.devDependencies;
+  const optionalDeps = importerDirect.optional.size > 0 ? importerDirect.optional : rootInfo.optionalDependencies;
   const instances = [];
-  for (const [key, entry] of Object.entries(packages)) {
-    const parsed2 = parsePnpmPackageKey(key);
-    if (!parsed2) continue;
-    const name = entry.name ?? parsed2.name;
-    const version = entry.version ?? parsed2.version;
-    if (!name || !version) continue;
-    const isDirect = direct.prod.has(name) || direct.dev.has(name) || direct.optional.has(name);
-    const onlyDev = direct.dev.has(name) && !direct.prod.has(name);
-    const onlyOptional = direct.optional.has(name) && !direct.prod.has(name) && !direct.dev.has(name);
+  for (const [key, entry] of Object.entries(parsed.packages)) {
+    const parsedKey = parsePnpmPackageKey(key);
+    if (!parsedKey) continue;
+    const direct = directDeps.has(parsedKey.name);
     instances.push({
-      name,
-      version,
+      name: parsedKey.name,
+      version: parsedKey.version,
       ecosystem: "npm",
       path: key,
-      direct: isDirect,
-      dev: Boolean(entry.dev) || onlyDev,
-      optional: Boolean(entry.optional) || onlyOptional,
+      direct,
+      dev: direct ? devDeps.has(parsedKey.name) : Boolean(entry.dev),
+      optional: direct ? optionalDeps.has(parsedKey.name) : Boolean(entry.optional),
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf2(raw, key),
+      manager: "pnpm",
       resolved: entry.resolution?.tarball,
-      integrity: entry.resolution?.integrity
+      integrity: entry.resolution?.integrity,
+      registry: registryFromResolved2(entry.resolution?.tarball),
+      hasInstallScript: Boolean(entry.requiresBuild)
     });
   }
   return instances;
 }
+function parsePnpmPackageKey(key) {
+  let normalized = key.replace(/^\/+/, "");
+  const peerStart = normalized.indexOf("(");
+  if (peerStart !== -1) normalized = normalized.slice(0, peerStart);
+  normalized = normalized.split("_")[0] ?? normalized;
+  const at = normalized.lastIndexOf("@");
+  if (at <= 0) return null;
+  const name = normalized.slice(0, at);
+  const version = normalized.slice(at + 1);
+  if (!name || !version) return null;
+  return { name, version };
+}
+function collectImporterDirect(lock) {
+  const all = /* @__PURE__ */ new Set();
+  const dev = /* @__PURE__ */ new Set();
+  const optional = /* @__PURE__ */ new Set();
+  const importers = lock.importers ?? {
+    ".": {
+      dependencies: lock.dependencies,
+      devDependencies: lock.devDependencies,
+      optionalDependencies: lock.optionalDependencies
+    }
+  };
+  for (const importer of Object.values(importers)) {
+    addKeys(importer.dependencies, all);
+    addKeys(importer.devDependencies, all, dev);
+    addKeys(importer.optionalDependencies, all, optional);
+  }
+  return { all, dev, optional };
+}
 function parseLockfileMajor(value) {
   if (typeof value === "number") return Math.trunc(value);
   if (typeof value === "string") {
-    const num = parseInt(value, 10);
-    return Number.isNaN(num) ? null : num;
+    const major = Number.parseInt(value, 10);
+    return Number.isNaN(major) ? null : major;
   }
   return null;
 }
-function collectDirectFromImporters(importers) {
-  const prod = /* @__PURE__ */ new Set();
-  const dev = /* @__PURE__ */ new Set();
-  const optional = /* @__PURE__ */ new Set();
-  for (const importer of Object.values(importers)) {
-    if (!importer) continue;
-    addDepNames(importer.dependencies, prod);
-    addDepNames(importer.devDependencies, dev);
-    addDepNames(importer.optionalDependencies, optional);
+function addKeys(value, all, bucket) {
+  if (!value) return;
+  for (const name of Object.keys(value)) {
+    all.add(name);
+    bucket?.add(name);
   }
-  return { prod, dev, optional };
 }
-function addDepNames(block, into) {
-  if (!block) return;
-  for (const name of Object.keys(block)) into.add(name);
+function registryFromResolved2(resolved) {
+  if (!resolved) return void 0;
+  try {
+    const url = new URL(resolved);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return void 0;
+  }
 }
-function parsePnpmPackageKey(key) {
-  let working = key.startsWith("/") ? key.slice(1) : key;
-  const parenIdx = working.indexOf("(");
-  if (parenIdx !== -1) working = working.slice(0, parenIdx);
-  const startSearch = working.startsWith("@") ? 1 : 0;
-  const atIdx = working.indexOf("@", startSearch);
-  if (atIdx <= 0) return null;
-  const name = working.slice(0, atIdx);
-  const version = working.slice(atIdx + 1);
-  if (!name || !version) return null;
-  return { name, version };
+function lineOf2(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
 }
 
 // src/extractors/yarn-lock.ts
-import { existsSync, readFileSync as readFileSync3 } from "fs";
-import { dirname, join, resolve as resolve3 } from "path";
-import yaml2 from "js-yaml";
+import { readFileSync as readFileSync7 } from "fs";
+import { resolve as resolve5 } from "path";
+import { parse as parseYaml2 } from "yaml";
+import * as yarnClassicModule from "@yarnpkg/lockfile";
+var yarnClassic = "parse" in yarnClassicModule ? yarnClassicModule : yarnClassicModule.default;
+var LOCAL_YARN_PROTOCOLS = ["workspace:", "patch:", "portal:", "file:"];
 function parseYarnLock(filePath) {
-  const absolute = resolve3(filePath);
-  const content = readFileSync3(absolute, "utf8");
-  const projectDir = dirname(absolute);
-  const directs = readDirectDepsFromPackageJson(projectDir);
-  const isBerry = /^__metadata:/m.test(content);
-  return isBerry ? parseBerry(absolute, content, directs) : parseClassic(absolute, content, directs);
+  const absolute = resolve5(filePath);
+  const raw = readFileSync7(absolute, "utf8");
+  return isBerryLock(raw) ? parseYarnBerryLock(absolute, raw) : parseYarnClassicLock(absolute, raw);
 }
-function readDirectDepsFromPackageJson(projectDir) {
-  const result = {
-    prod: /* @__PURE__ */ new Set(),
-    dev: /* @__PURE__ */ new Set(),
-    optional: /* @__PURE__ */ new Set(),
-    any: /* @__PURE__ */ new Set()
-  };
-  const pkgPath = join(projectDir, "package.json");
-  if (!existsSync(pkgPath)) return result;
-  try {
-    const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
-    for (const name of Object.keys(pkg.dependencies ?? {})) result.prod.add(name);
-    for (const name of Object.keys(pkg.devDependencies ?? {})) result.dev.add(name);
-    for (const name of Object.keys(pkg.optionalDependencies ?? {}))
-      result.optional.add(name);
-    for (const set of [result.prod, result.dev, result.optional]) {
-      for (const n of set) result.any.add(n);
-    }
-    for (const name of Object.keys(pkg.peerDependencies ?? {})) result.any.add(name);
-  } catch {
+function parseYarnClassicLock(absolute, raw) {
+  const parsed = yarnClassic.parse(raw);
+  if (parsed.type === "conflict") {
+    throw new Error(`Yarn lockfile ${absolute} contains merge conflicts.`);
   }
-  return result;
-}
-function parseClassic(absolute, content, directs) {
-  const entries = parseClassicEntries(content);
+  const rootInfo = readPackageJsonInfoFrom(absolute);
   const instances = [];
-  for (const entry of entries) {
-    const version = entry.fields.version;
-    if (!version) continue;
-    const names = uniq(entry.specs.map((s) => parseYarnSpec(s).name).filter(Boolean));
-    const name = names[0];
+  for (const [descriptor, value] of Object.entries(parsed.object)) {
+    if (!isRecord3(value)) continue;
+    const entry = value;
+    if (!entry.version) continue;
+    const name = parseYarnDescriptorName(descriptor);
     if (!name) continue;
-    const isDirect = names.some((n) => directs.any.has(n));
-    const inProd = names.some((n) => directs.prod.has(n));
-    const inDev = names.some((n) => directs.dev.has(n));
-    const inOpt = names.some((n) => directs.optional.has(n));
+    const direct = rootInfo.allDirect.has(name);
     instances.push({
       name,
-      version,
+      version: entry.version,
       ecosystem: "npm",
-      path: `${name}@${version}`,
-      direct: isDirect,
-      dev: inDev && !inProd,
-      optional: inOpt && !inProd && !inDev,
-      resolved: entry.fields.resolved,
-      integrity: entry.fields.integrity
+      path: descriptor,
+      direct,
+      dev: direct ? rootInfo.devDependencies.has(name) : false,
+      optional: direct ? rootInfo.optionalDependencies.has(name) : false,
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf3(raw, descriptor),
+      manager: "yarn",
+      resolved: entry.resolved,
+      integrity: entry.integrity,
+      registry: registryFromResolved3(entry.resolved),
+      hasInstallScript: false
     });
   }
-  void absolute;
-  return instances;
-}
-function parseClassicEntries(content) {
-  const lines = content.split(/\r?\n/);
-  const entries = [];
-  let current = null;
-  for (const rawLine of lines) {
-    if (rawLine === "" || rawLine.trimStart().startsWith("#")) continue;
-    if (!/^\s/.test(rawLine)) {
-      if (current) entries.push(current);
-      const header = rawLine.replace(/:\s*$/, "");
-      current = { specs: splitClassicSpecs(header), fields: {} };
-      continue;
-    }
-    if (!current) continue;
-    const indent = rawLine.match(/^ +/)?.[0].length ?? 0;
-    if (indent !== 2) continue;
-    const trimmed = rawLine.trim();
-    const m = trimmed.match(/^([^\s"]+)\s+"((?:[^"\\]|\\.)*)"$/) ?? trimmed.match(/^([^\s"]+)\s+(\S+)$/);
-    if (m && m[1] !== void 0 && m[2] !== void 0) {
-      current.fields[m[1]] = m[2];
-    }
-  }
-  if (current) entries.push(current);
-  return entries;
-}
-function splitClassicSpecs(header) {
-  const out = [];
-  let cur = "";
-  let inQuote = false;
-  for (const ch of header) {
-    if (ch === '"') {
-      inQuote = !inQuote;
-      continue;
-    }
-    if (ch === "," && !inQuote) {
-      const spec = cur.trim();
-      if (spec) out.push(spec);
-      cur = "";
-      continue;
-    }
-    cur += ch;
-  }
-  const last = cur.trim();
-  if (last) out.push(last);
-  return out;
+  return dedupeInstances(instances);
 }
-function parseBerry(absolute, content, directs) {
+function parseYarnBerryLock(absolute, raw) {
   let parsed;
   try {
-    parsed = yaml2.load(content) ?? {};
+    parsed = parseYaml2(raw);
   } catch (err) {
     throw new Error(
       `Failed to parse ${absolute}: ${err.message}`
     );
   }
+  const rootInfo = readPackageJsonInfoFrom(absolute);
   const instances = [];
-  for (const [key, value] of Object.entries(parsed)) {
-    if (key === "__metadata") continue;
-    if (!value || typeof value !== "object") continue;
+  for (const [descriptor, value] of Object.entries(parsed)) {
+    if (descriptor === "__metadata" || !isRecord3(value)) continue;
     const entry = value;
     if (!entry.version) continue;
-    const specs = splitClassicSpecs(key);
-    const names = uniq(specs.map((s) => parseYarnSpec(s).name).filter(Boolean));
-    const name = names[0];
+    const resolution = entry.resolution ?? descriptor;
+    if (hasLocalYarnProtocol(resolution) || hasLocalYarnProtocol(descriptor)) {
+      continue;
+    }
+    const name = parseYarnDescriptorName(resolution) ?? parseYarnDescriptorName(descriptor);
     if (!name) continue;
-    const isDirect = names.some((n) => directs.any.has(n));
-    const inProd = names.some((n) => directs.prod.has(n));
-    const inDev = names.some((n) => directs.dev.has(n));
-    const inOpt = names.some((n) => directs.optional.has(n));
+    const direct = rootInfo.allDirect.has(name);
     instances.push({
       name,
       version: entry.version,
       ecosystem: "npm",
-      path: `${name}@${entry.version}`,
-      direct: isDirect,
-      dev: inDev && !inProd,
-      optional: inOpt && !inProd && !inDev,
-      resolved: entry.resolution,
-      integrity: entry.checksum
+      path: descriptor,
+      direct,
+      dev: direct ? rootInfo.devDependencies.has(name) : false,
+      optional: direct ? rootInfo.optionalDependencies.has(name) : false,
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf3(raw, descriptor),
+      manager: "yarn",
+      integrity: entry.checksum,
+      hasInstallScript: false
     });
   }
-  return instances;
+  return dedupeInstances(instances);
+}
+function hasLocalYarnProtocol(value) {
+  const normalized = value.trim().replace(/^"|"$/g, "");
+  return LOCAL_YARN_PROTOCOLS.some(
+    (protocol) => normalized.startsWith(protocol) || normalized.includes(`@${protocol}`)
+  );
 }
-function parseYarnSpec(spec) {
-  const startSearch = spec.startsWith("@") ? 1 : 0;
-  const atIdx = spec.indexOf("@", startSearch);
-  if (atIdx <= 0) return { name: spec, selector: "" };
-  const name = spec.slice(0, atIdx);
-  let selector = spec.slice(atIdx + 1);
-  if (selector.startsWith("npm:")) selector = selector.slice(4);
-  return { name, selector };
+function parseYarnDescriptorName(descriptor) {
+  const first = descriptor.split(",")[0]?.trim().replace(/^"|"$/g, "");
+  if (!first) return null;
+  for (const marker of ["@npm:", "@patch:", "@workspace:", "@portal:", "@file:"]) {
+    const idx = first.lastIndexOf(marker);
+    if (idx > 0) return first.slice(0, idx);
+  }
+  if (first.startsWith("@")) {
+    const slash = first.indexOf("/");
+    if (slash === -1) return null;
+    const at2 = first.indexOf("@", slash + 1);
+    return at2 === -1 ? first : first.slice(0, at2);
+  }
+  const at = first.indexOf("@");
+  return at === -1 ? first : first.slice(0, at);
+}
+function isBerryLock(raw) {
+  return raw.includes("__metadata:") || raw.includes("cacheKey:");
+}
+function dedupeInstances(instances) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const instance of instances) {
+    const key = `${instance.name}@${instance.version}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(instance);
+  }
+  return out;
+}
+function registryFromResolved3(resolved) {
+  if (!resolved) return void 0;
+  try {
+    const url = new URL(resolved);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return void 0;
+  }
 }
-function uniq(values) {
-  return Array.from(new Set(values));
+function lineOf3(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
+}
+function isRecord3(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
-// src/types.ts
+// src/extractors/lockfile.ts
+function parseLockfile(filePath) {
+  const file = basename2(filePath);
+  if (file === "package-lock.json" || file === "npm-shrinkwrap.json") {
+    return parseNpmPackageLock(filePath);
+  }
+  if (file === "pnpm-lock.yaml") return parsePnpmLock(filePath);
+  if (file === "yarn.lock") return parseYarnLock(filePath);
+  throw new Error(
+    `Unsupported lockfile ${filePath}. Supported: package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock.`
+  );
+}
+
+// src/extractors/sbom.ts
+import { readFileSync as readFileSync8 } from "fs";
+import { basename as basename3, resolve as resolve6 } from "path";
+import { XMLParser } from "fast-xml-parser";
+import { PackageURL } from "packageurl-js";
+function parseSbom(filePath) {
+  const absolute = resolve6(filePath);
+  const raw = readFileSync8(absolute, "utf8");
+  const trimmed = raw.trimStart();
+  if (trimmed.startsWith("{")) return parseJsonSbom(absolute, raw);
+  if (trimmed.startsWith("<")) return parseCycloneDxXml(absolute, raw);
+  return parseSpdxTagValue(absolute, raw);
+}
+function parseJsonSbom(absolute, raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  if (!isRecord4(parsed)) {
+    throw new Error(`SBOM ${absolute} must contain a JSON object.`);
+  }
+  if (Array.isArray(parsed.components)) {
+    return parseCycloneDxJson(absolute, raw, parsed.components);
+  }
+  if (Array.isArray(parsed.packages)) {
+    return parseSpdxJson(absolute, raw, parsed.packages);
+  }
+  throw new Error(
+    `Could not detect SBOM format for ${absolute}; expected CycloneDX or SPDX.`
+  );
+}
+function parseCycloneDxJson(absolute, raw, components) {
+  const instances = [];
+  for (const component of components) {
+    if (!isRecord4(component) || typeof component.purl !== "string") continue;
+    const pkg = parsePurlPackage(component.purl);
+    if (!pkg) continue;
+    instances.push(sbomPackage(pkg, absolute, raw, component.purl));
+  }
+  return dedupe(instances);
+}
+function parseCycloneDxXml(absolute, raw) {
+  const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: "",
+    textNodeName: "#text"
+  });
+  let parsed;
+  try {
+    parsed = parser.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  const bom = isRecord4(parsed) ? parsed.bom : void 0;
+  const components = isRecord4(bom) && isRecord4(bom.components) ? arrayify(bom.components.component) : [];
+  const instances = [];
+  for (const component of components) {
+    if (!isRecord4(component) || typeof component.purl !== "string") continue;
+    const pkg = parsePurlPackage(component.purl);
+    if (!pkg) continue;
+    instances.push(sbomPackage(pkg, absolute, raw, component.purl));
+  }
+  return dedupe(instances);
+}
+function parseSpdxJson(absolute, raw, packages) {
+  const instances = [];
+  for (const pkgRecord of packages) {
+    if (!isRecord4(pkgRecord)) continue;
+    const externalRefs = Array.isArray(pkgRecord.externalRefs) ? pkgRecord.externalRefs : [];
+    for (const ref of externalRefs) {
+      if (!isRecord4(ref)) continue;
+      const locator = ref.referenceLocator;
+      const type = String(ref.referenceType ?? "").toLowerCase();
+      if (type !== "purl" || typeof locator !== "string") continue;
+      const pkg = parsePurlPackage(locator);
+      if (!pkg) continue;
+      instances.push(sbomPackage(pkg, absolute, raw, locator));
+    }
+  }
+  return dedupe(instances);
+}
+function parseSpdxTagValue(absolute, raw) {
+  if (!raw.includes("SPDXVersion:")) {
+    throw new Error(
+      `Could not detect SBOM format for ${absolute}; expected CycloneDX or SPDX.`
+    );
+  }
+  const instances = [];
+  for (const line of raw.split(/\r?\n/)) {
+    const match = line.match(/^ExternalRef:\s+PACKAGE-MANAGER\s+purl\s+(\S+)/);
+    if (!match?.[1]) continue;
+    const pkg = parsePurlPackage(match[1]);
+    if (!pkg) continue;
+    instances.push(sbomPackage(pkg, absolute, raw, match[1]));
+  }
+  return dedupe(instances);
+}
+function parsePurlPackage(purl) {
+  let parsed;
+  try {
+    parsed = PackageURL.fromString(purl);
+  } catch {
+    return null;
+  }
+  if (!parsed.version) return null;
+  const ecosystem = purlTypeToOsvEcosystem(parsed.type);
+  if (!ecosystem) return null;
+  return {
+    name: purlName(parsed),
+    version: parsed.version,
+    ecosystem,
+    purl
+  };
+}
+function sbomPackage(pkg, absolute, raw, needle) {
+  return {
+    name: pkg.name,
+    version: pkg.version,
+    ecosystem: pkg.ecosystem,
+    path: `${basename3(absolute)}:${pkg.purl}`,
+    direct: false,
+    dev: false,
+    optional: false,
+    inputKind: "sbom",
+    purl: pkg.purl,
+    sourceFile: absolute,
+    line: lineOf4(raw, needle),
+    manager: "sbom"
+  };
+}
+function purlTypeToOsvEcosystem(type) {
+  switch (type.toLowerCase()) {
+    case "npm":
+      return "npm";
+    case "pypi":
+      return "PyPI";
+    case "maven":
+      return "Maven";
+    case "gem":
+      return "RubyGems";
+    case "nuget":
+      return "NuGet";
+    case "golang":
+    case "go":
+      return "Go";
+    case "cargo":
+      return "crates.io";
+    case "composer":
+      return "Packagist";
+    case "deb":
+      return "Debian";
+    case "apk":
+      return "Alpine";
+    default:
+      return null;
+  }
+}
+function purlName(purl) {
+  if (purl.type.toLowerCase() === "npm" && purl.namespace) {
+    const scope = purl.namespace.startsWith("@") ? purl.namespace : `@${purl.namespace}`;
+    return `${scope}/${purl.name}`;
+  }
+  if (purl.type.toLowerCase() === "maven" && purl.namespace) {
+    return `${purl.namespace}:${purl.name}`;
+  }
+  return purl.namespace ? `${purl.namespace}/${purl.name}` : purl.name;
+}
+function dedupe(instances) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const instance of instances) {
+    const key = instance.purl ?? `${instance.ecosystem}:${instance.name}@${instance.version}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(instance);
+  }
+  return out;
+}
+function arrayify(value) {
+  if (value === void 0) return [];
+  return Array.isArray(value) ? value : [value];
+}
+function lineOf4(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
+}
+function isRecord4(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/ignore.ts
+function applyIgnores(findings, ignores, now) {
+  if (ignores.length === 0) return { active: findings, ignored: [], warnings: [] };
+  const warnings = [];
+  const activeIgnores = ignores.filter((entry) => {
+    const expires = /* @__PURE__ */ new Date(`${entry.expires}T23:59:59.999Z`);
+    if (Number.isNaN(expires.getTime()) || expires < now) {
+      warnings.push(
+        `Ignore for ${entry.id} expired on ${entry.expires} and was not applied.`
+      );
+      return false;
+    }
+    return true;
+  });
+  const active = [];
+  const ignored = [];
+  for (const finding of findings) {
+    const matched = activeIgnores.some((entry) => matchesIgnore(finding, entry));
+    if (matched) {
+      ignored.push({ ...finding, ignored: true });
+    } else {
+      active.push(finding);
+    }
+  }
+  return { active, ignored, warnings };
+}
+function matchesIgnore(finding, entry) {
+  const ids = /* @__PURE__ */ new Set([finding.id, ...finding.aliases]);
+  if (!ids.has(entry.id)) return false;
+  if (entry.package && entry.package !== finding.packageName) return false;
+  if (entry.ecosystem && entry.ecosystem !== finding.ecosystem) return false;
+  if (entry.version && entry.version !== finding.installedVersion) return false;
+  return true;
+}
+
+// src/policy.ts
+var POLICY_PRESETS = {
+  ci: {
+    failOn: "high",
+    risk: true,
+    env: false,
+    includeDev: true
+  },
+  strict: {
+    failOn: "moderate",
+    risk: true,
+    env: true,
+    includeDev: true
+  },
+  library: {
+    failOn: "moderate",
+    risk: true,
+    env: false,
+    includeDev: false
+  },
+  app: {
+    failOn: "high",
+    risk: true,
+    env: true,
+    includeDev: true
+  }
+};
+function resolvePolicy(requested, configured) {
+  const name = requested ?? configured;
+  return name ? POLICY_PRESETS[name] : void 0;
+}
+
+// src/risk.ts
+var REGISTRY_URL = "https://registry.npmjs.org";
+var REGISTRY_ENV = "TRAWLY_NPM_REGISTRY_URL";
+var REQUEST_TIMEOUT_MS2 = 15e3;
+var NEW_VERSION_DAYS = 30;
+var NEW_PACKAGE_DAYS = 90;
+var PACKUMENT_CONCURRENCY = 8;
+var PACKUMENT_MAX_RETRIES = 3;
+var PACKUMENT_BACKOFF_MS = 250;
+async function collectRiskSignals(packages, options) {
+  if (!options.enabled) return { findings: [], warnings: [] };
+  const findings = [];
+  const warnings = [];
+  for (const pkg of packages) {
+    if (pkg.hasInstallScript) {
+      findings.push(riskFinding(pkg, {
+        id: "TRAWLY-INSTALL-SCRIPT",
+        severity: "moderate",
+        summary: `${pkg.name}@${pkg.version} declares install-time scripts or requires a build step.`
+      }));
+    }
+    const registry = normalizeRegistry(pkg.registry);
+    if (registry && !isAllowedRegistry(registry, options.allowedRegistries)) {
+      findings.push(riskFinding(pkg, {
+        id: "TRAWLY-UNEXPECTED-REGISTRY",
+        severity: "moderate",
+        summary: `${pkg.name}@${pkg.version} was resolved from unexpected registry ${registry}.`
+      }));
+    }
+  }
+  const npmPackageGroups = groupNpmPackages(packages);
+  const fetchImpl = options.fetchImpl ?? fetch;
+  const groupsByName = /* @__PURE__ */ new Map();
+  for (const group of npmPackageGroups) {
+    const name = group[0]?.name;
+    if (!name) continue;
+    const list = groupsByName.get(name) ?? [];
+    list.push(group);
+    groupsByName.set(name, list);
+  }
+  await mapWithConcurrency2(
+    [...groupsByName.entries()],
+    PACKUMENT_CONCURRENCY,
+    async ([name, groups]) => {
+      let packument;
+      try {
+        packument = await fetchPackument(fetchImpl, name);
+      } catch (err) {
+        warnings.push(
+          `Could not fetch npm publish metadata for ${name}: ${err.message}`
+        );
+        return;
+      }
+      const createdAt = parseDate(packument.time?.created);
+      const isNewPackage = !!createdAt && daysBetween(createdAt, options.now) < NEW_PACKAGE_DAYS;
+      for (const group of groups) {
+        const representative = group[0];
+        if (!representative) continue;
+        const versionAt = parseDate(packument.time?.[representative.version]);
+        const deprecated = packument.versions?.[representative.version]?.deprecated;
+        if (isNewPackage) {
+          for (const pkg of group) {
+            findings.push(
+              riskFinding(pkg, {
+                id: "TRAWLY-NEW-PACKAGE",
+                severity: "moderate",
+                summary: `${pkg.name} was first published less than ${NEW_PACKAGE_DAYS} days ago.`
+              })
+            );
+          }
+        }
+        if (deprecated) {
+          for (const pkg of group) {
+            findings.push(
+              riskFinding(pkg, {
+                id: "TRAWLY-DEPRECATED-PACKAGE",
+                severity: "moderate",
+                summary: `${pkg.name}@${pkg.version} is deprecated: ${deprecated}`
+              })
+            );
+          }
+        }
+        if (versionAt && daysBetween(versionAt, options.now) < NEW_VERSION_DAYS) {
+          for (const pkg of group) {
+            findings.push(
+              riskFinding(pkg, {
+                id: "TRAWLY-NEW-VERSION",
+                severity: "low",
+                summary: `${pkg.name}@${pkg.version} was published less than ${NEW_VERSION_DAYS} days ago.`
+              })
+            );
+          }
+        }
+      }
+    }
+  );
+  return { findings, warnings };
+}
+function riskFinding(pkg, input) {
+  return {
+    id: input.id,
+    source: "trawly",
+    type: "risk-signal",
+    severity: input.severity,
+    ecosystem: pkg.ecosystem,
+    packageName: pkg.name,
+    installedVersion: pkg.version,
+    summary: input.summary,
+    fixedVersions: [],
+    affectedPaths: [pkg.path],
+    fingerprint: fingerprintFinding({
+      source: "trawly",
+      type: "risk-signal",
+      id: input.id,
+      ecosystem: pkg.ecosystem,
+      packageName: pkg.name,
+      installedVersion: pkg.version
+    }),
+    aliases: [],
+    sourceFile: pkg.sourceFile,
+    line: pkg.line
+  };
+}
+function groupNpmPackages(packages) {
+  const groups = /* @__PURE__ */ new Map();
+  for (const pkg of packages) {
+    if (pkg.ecosystem !== "npm") continue;
+    const key = `${pkg.name}@${pkg.version}`;
+    const group = groups.get(key) ?? [];
+    group.push(pkg);
+    groups.set(key, group);
+  }
+  return [...groups.values()];
+}
+async function fetchPackument(fetchImpl, name) {
+  const registry = (process.env[REGISTRY_ENV] ?? REGISTRY_URL).replace(/\/+$/, "");
+  const url = `${registry}/${encodePackageName(name)}`;
+  let lastErr;
+  for (let attempt = 0; attempt <= PACKUMENT_MAX_RETRIES; attempt++) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS2);
+    try {
+      const res = await fetchImpl(url, {
+        signal: controller.signal,
+        headers: { accept: "application/json" }
+      });
+      if (res.ok) return await res.json();
+      const err = new RegistryHttpError(
+        `registry ${res.status}: ${res.statusText}`,
+        res.status,
+        retryAfterMs2(res.headers)
+      );
+      if (!isRetryableRegistryError(err) || attempt === PACKUMENT_MAX_RETRIES) {
+        throw err;
+      }
+      lastErr = err;
+      await sleep(retryDelayMs(err, attempt));
+    } catch (err) {
+      if (err instanceof RegistryHttpError) throw err;
+      lastErr = err;
+      if (attempt === PACKUMENT_MAX_RETRIES) break;
+      await sleep(retryDelayMs(void 0, attempt));
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  throw lastErr;
+}
+async function mapWithConcurrency2(items, concurrency, worker) {
+  let next = 0;
+  const workers = Array.from(
+    { length: Math.min(concurrency, items.length) },
+    async () => {
+      while (next < items.length) {
+        const item = items[next++];
+        if (item !== void 0) await worker(item);
+      }
+    }
+  );
+  await Promise.all(workers);
+}
+var RegistryHttpError = class extends Error {
+  constructor(message, status, retryAfterMs3) {
+    super(message);
+    this.status = status;
+    this.retryAfterMs = retryAfterMs3;
+  }
+  status;
+  retryAfterMs;
+};
+function isRetryableRegistryError(err) {
+  return err.status === 429 || err.status >= 500;
+}
+function retryDelayMs(err, attempt) {
+  if (err?.retryAfterMs !== void 0) return err.retryAfterMs;
+  const base = PACKUMENT_BACKOFF_MS * 2 ** attempt;
+  return base + Math.floor(Math.random() * Math.min(base, 100));
+}
+function retryAfterMs2(headers) {
+  const value = headers.get("retry-after");
+  if (!value) return void 0;
+  const seconds = Number(value);
+  if (Number.isFinite(seconds) && seconds >= 0) return seconds * 1e3;
+  const date = Date.parse(value);
+  if (Number.isNaN(date)) return void 0;
+  return Math.max(0, date - Date.now());
+}
+function sleep(ms) {
+  return new Promise((resolve12) => setTimeout(resolve12, ms));
+}
+function isAllowedRegistry(registry, allowed) {
+  const normalizedAllowed = allowed.map(normalizeRegistry).filter(isString);
+  return normalizedAllowed.includes(registry);
+}
+function normalizeRegistry(value) {
+  if (!value) return void 0;
+  try {
+    const url = new URL(value);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return value.replace(/\/+$/, "");
+  }
+}
+function encodePackageName(name) {
+  if (name.startsWith("@")) {
+    const slash = name.indexOf("/");
+    if (slash !== -1) {
+      return `${encodeURIComponent(name.slice(0, slash))}%2F${encodeURIComponent(name.slice(slash + 1))}`;
+    }
+  }
+  return encodeURIComponent(name);
+}
+function parseDate(value) {
+  if (!value) return void 0;
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? void 0 : date;
+}
+function daysBetween(a, b) {
+  return (b.getTime() - a.getTime()) / 864e5;
+}
+function isString(value) {
+  return typeof value === "string";
+}
+
+// src/types.ts
 var SEVERITY_RANK = {
   critical: 4,
   high: 3,
@@ -556,80 +1654,125 @@ var SEVERITY_RANK = {
 };
 
 // src/scanner.ts
+var DEFAULT_ALLOWED_REGISTRIES = [
+  "https://registry.npmjs.org",
+  "https://registry.yarnpkg.com"
+];
 async function scanProject(options = {}) {
-  const cwd = resolve4(options.cwd ?? process.cwd());
-  const lockfilePath = options.lockfile ? resolve4(cwd, options.lockfile) : detectLockfile(cwd);
-  if (!lockfilePath) {
+  const cwd = resolve7(options.cwd ?? process.cwd());
+  const loadedConfig = loadConfig(cwd, options.config);
+  const policy = resolvePolicy(options.policy, loadedConfig.config.policy);
+  const lockfilePaths = options.lockfile ? normalizePaths(cwd, options.lockfile) : detectLockfiles(cwd);
+  const sbomPaths = normalizePaths(cwd, options.sbom);
+  const envEnabled = options.env ?? loadedConfig.config.env ?? policy?.env ?? false;
+  if (lockfilePaths.length === 0 && sbomPaths.length === 0 && !envEnabled) {
     throw new ScanInputError(
-      `No supported lockfile found in ${cwd}. Pass --lockfile or run in a directory with package-lock.json, pnpm-lock.yaml, or yarn.lock.`
+      `No supported lockfile or SBOM found in ${cwd}. Pass --lockfile/--sbom or run in a directory with package-lock.json, pnpm-lock.yaml, or yarn.lock.`
     );
   }
   return scanLockfile({
-    lockfilePath,
-    includeDev: options.includeDev,
+    lockfilePath: lockfilePaths,
+    sbom: sbomPaths,
+    cwd,
+    config: options.config,
+    policy: options.policy,
+    baseline: options.baseline,
+    writeBaseline: options.writeBaseline,
+    risk: options.risk ?? loadedConfig.config.risk ?? policy?.risk,
+    env: envEnabled,
+    allowedRegistries: options.allowedRegistries ?? loadedConfig.config.allowedRegistries,
+    includeDev: options.includeDev ?? policy?.includeDev,
     prodOnly: options.prodOnly,
-    fetchImpl: options.fetchImpl
+    fetchImpl: options.fetchImpl,
+    now: options.now
   });
 }
 async function scanLockfile(options) {
-  const { lockfilePath } = options;
-  if (!existsSync2(lockfilePath)) {
-    throw new ScanInputError(`Lockfile does not exist: ${lockfilePath}`);
-  }
-  const stat = statSync(lockfilePath);
-  if (!stat.isFile()) {
-    throw new ScanInputError(`Lockfile path is not a file: ${lockfilePath}`);
-  }
-  const allInstances = parseLockfile(lockfilePath);
-  const instances = filterInstances(allInstances, options);
+  const initialCwd = resolve7(options.cwd ?? process.cwd());
+  const lockfilePaths = normalizePaths(initialCwd, options.lockfilePath);
+  const sbomPaths = normalizePaths(initialCwd, options.sbom);
+  const cwd = options.cwd ? initialCwd : deriveCwdFromInputs(lockfilePaths, sbomPaths, initialCwd);
+  const now = options.now ?? /* @__PURE__ */ new Date();
+  const loadedConfig = loadConfig(cwd, options.config);
+  const policy = resolvePolicy(options.policy, loadedConfig.config.policy);
+  const envEnabled = options.env ?? loadedConfig.config.env ?? policy?.env ?? false;
+  for (const path of [...lockfilePaths, ...sbomPaths]) validateFile(path);
+  const allInstances = [
+    ...lockfilePaths.flatMap((path) => parseLockfile(path)),
+    ...sbomPaths.flatMap((path) => parseSbom(path))
+  ];
+  const instances = filterInstances(allInstances, {
+    ...options,
+    includeDev: options.includeDev ?? policy?.includeDev
+  });
   const errors = [];
-  let findings = [];
+  const warnings = [];
+  const envResult = envEnabled ? scanEnvFiles(cwd) : { findings: [], warnings: [], filesScanned: 0 };
+  warnings.push(...envResult.warnings);
+  let findings = [...envResult.findings];
   try {
-    findings = await queryOsv(instances, { fetchImpl: options.fetchImpl });
+    findings.push(...await queryOsv(instances, { fetchImpl: options.fetchImpl }));
   } catch (err) {
     errors.push({
       message: "Failed to query OSV advisory database",
       cause: err.message
     });
   }
+  const riskEnabled = options.risk ?? loadedConfig.config.risk ?? policy?.risk ?? true;
+  const risk = await collectRiskSignals(instances, {
+    enabled: riskEnabled,
+    allowedRegistries: options.allowedRegistries ?? loadedConfig.config.allowedRegistries ?? DEFAULT_ALLOWED_REGISTRIES,
+    fetchImpl: options.fetchImpl,
+    now
+  });
+  findings.push(...risk.findings);
+  warnings.push(...risk.warnings);
+  const ignoreResult = applyIgnores(
+    findings,
+    loadedConfig.config.ignore,
+    now
+  );
+  warnings.push(...ignoreResult.warnings);
+  findings = ignoreResult.active;
   findings.sort(compareFindings);
+  ignoreResult.ignored.sort(compareFindings);
+  const appliedBaseline = applyBaseline(findings, cwd, options.baseline);
+  let baseline = appliedBaseline?.result;
+  if (appliedBaseline) {
+    findings = appliedBaseline.findings;
+  }
+  if (options.writeBaseline) {
+    baseline = writeBaseline(findings, cwd, options.writeBaseline, baseline);
+  }
   return {
-    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    scannedAt: now.toISOString(),
     packagesScanned: instances.length,
     findings,
+    ignoredFindings: ignoreResult.ignored,
     summary: summarize(findings),
-    errors
+    errors,
+    warnings,
+    baseline
   };
 }
+function deriveCwdFromInputs(lockfilePaths, sbomPaths, fallback) {
+  const firstInput = lockfilePaths[0] ?? sbomPaths[0];
+  return firstInput ? dirname3(firstInput) : fallback;
+}
 var ScanInputError = class extends Error {
   constructor(message) {
     super(message);
     this.name = "ScanInputError";
   }
 };
-var LOCKFILE_CANDIDATES = [
-  "pnpm-lock.yaml",
-  "yarn.lock",
-  "package-lock.json",
-  "npm-shrinkwrap.json"
-];
-function detectLockfile(cwd) {
-  for (const file of LOCKFILE_CANDIDATES) {
-    const candidate = join2(cwd, file);
-    if (existsSync2(candidate)) return candidate;
-  }
-  return void 0;
-}
-function parseLockfile(lockfilePath) {
-  const name = basename(lockfilePath);
-  if (name === "pnpm-lock.yaml") return parsePnpmLock(lockfilePath);
-  if (name === "yarn.lock") return parseYarnLock(lockfilePath);
-  if (name === "package-lock.json" || name === "npm-shrinkwrap.json") {
-    return parseNpmPackageLock(lockfilePath);
-  }
-  throw new ScanInputError(
-    `Unsupported lockfile name: ${name}. Supported: package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock.`
-  );
+function detectLockfiles(cwd) {
+  const candidates = [
+    "package-lock.json",
+    "npm-shrinkwrap.json",
+    "pnpm-lock.yaml",
+    "yarn.lock"
+  ].map((file) => join4(cwd, file));
+  return candidates.filter((candidate) => existsSync4(candidate));
 }
 function filterInstances(instances, options) {
   const includeDev = options.prodOnly ? false : options.includeDev !== false;
@@ -639,6 +1782,7 @@ function filterInstances(instances, options) {
 function compareFindings(a, b) {
   const sev = SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
   if (sev !== 0) return sev;
+  if (a.source !== b.source) return a.source.localeCompare(b.source);
   if (a.packageName !== b.packageName) {
     return a.packageName.localeCompare(b.packageName);
   }
@@ -661,12 +1805,28 @@ function summarize(findings) {
 function meetsThreshold(findings, threshold) {
   if (threshold === "none") return false;
   const min = SEVERITY_RANK[threshold];
-  return findings.some((f) => SEVERITY_RANK[f.severity] >= min);
+  return findings.some(
+    (f) => f.baseline !== "existing" && SEVERITY_RANK[f.severity] >= min
+  );
+}
+function normalizePaths(cwd, value) {
+  if (!value) return [];
+  const values = Array.isArray(value) ? value : [value];
+  return [...new Set(values.map((path) => resolve7(cwd, path)))];
+}
+function validateFile(path) {
+  if (!existsSync4(path)) {
+    throw new ScanInputError(`Input file does not exist: ${path}`);
+  }
+  const stat = statSync2(path);
+  if (!stat.isFile()) {
+    throw new ScanInputError(`Input path is not a file: ${path}`);
+  }
 }
 
 // src/installer/pm-detect.ts
-import { existsSync as existsSync3, readFileSync as readFileSync4 } from "fs";
-import { join as join3 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync9 } from "fs";
+import { join as join5 } from "path";
 var LOCKFILES = [
   { file: "pnpm-lock.yaml", pm: "pnpm" },
   { file: "yarn.lock", pm: "yarn" },
@@ -681,15 +1841,15 @@ function detectPackageManager(opts = {}) {
   const fromField = readPackageManagerField(cwd);
   if (fromField) return fromField;
   for (const { file, pm } of LOCKFILES) {
-    if (existsSync3(join3(cwd, file))) return pm;
+    if (existsSync5(join5(cwd, file))) return pm;
   }
   return "npm";
 }
 function readPackageManagerField(cwd) {
-  const pkgPath = join3(cwd, "package.json");
-  if (!existsSync3(pkgPath)) return void 0;
+  const pkgPath = join5(cwd, "package.json");
+  if (!existsSync5(pkgPath)) return void 0;
   try {
-    const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+    const pkg = JSON.parse(readFileSync9(pkgPath, "utf8"));
     if (typeof pkg.packageManager !== "string") return void 0;
     const name = pkg.packageManager.split("@")[0];
     if (name === "npm" || name === "pnpm" || name === "yarn" || name === "bun") {
@@ -730,14 +1890,14 @@ function buildRemoveCommand(pm, packages, flags) {
 // src/installer/runner.ts
 import { spawn } from "child_process";
 function runPackageManager(cmd, opts = {}) {
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve12, reject) => {
     const child = spawn(cmd.bin, cmd.args, {
       cwd: opts.cwd,
       stdio: "inherit",
       shell: process.platform === "win32"
     });
     child.on("error", reject);
-    child.on("close", (code) => resolve5(code ?? 0));
+    child.on("close", (code) => resolve12(code ?? 0));
   });
 }
 
@@ -797,14 +1957,14 @@ function partitionArgs(args) {
 }
 
 // src/installer/version-resolver.ts
-var REGISTRY_URL = "https://registry.npmjs.org";
-var REQUEST_TIMEOUT_MS2 = 15e3;
+var REGISTRY_URL2 = "https://registry.npmjs.org";
+var REQUEST_TIMEOUT_MS3 = 15e3;
 var EXACT_VERSION_RE = /^\d+\.\d+\.\d+(?:[-+][\w.+-]+)?$/;
 var RANGE_CHARS_RE = /[\^~><=|\s*x]/i;
 async function resolveVersion(name, requested, deps = {}) {
   const fetchImpl = deps.fetchImpl ?? fetch;
-  const registry = deps.registryUrl ?? REGISTRY_URL;
-  const packument = await fetchPackument(fetchImpl, registry, name);
+  const registry = deps.registryUrl ?? REGISTRY_URL2;
+  const packument = await fetchPackument2(fetchImpl, registry, name);
   const distTags = packument["dist-tags"] ?? {};
   const latest = distTags.latest;
   if (!requested) {
@@ -843,10 +2003,10 @@ var VersionResolveError = class extends Error {
     this.name = "VersionResolveError";
   }
 };
-async function fetchPackument(fetchImpl, registry, name) {
-  const url = `${registry.replace(/\/$/, "")}/${encodePackageName(name)}`;
+async function fetchPackument2(fetchImpl, registry, name) {
+  const url = `${registry.replace(/\/$/, "")}/${encodePackageName2(name)}`;
   const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS2);
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS3);
   try {
     const res = await fetchImpl(url, {
       signal: controller.signal,
@@ -865,7 +2025,7 @@ async function fetchPackument(fetchImpl, registry, name) {
     clearTimeout(timer);
   }
 }
-function encodePackageName(name) {
+function encodePackageName2(name) {
   if (name.startsWith("@")) {
     const slash = name.indexOf("/");
     if (slash !== -1) {
@@ -1014,105 +2174,897 @@ function shouldBlock(findings, options) {
   const threshold = SEVERITY_RANK[options.failOn];
   return findings.some((f) => SEVERITY_RANK[f.severity] >= threshold);
 }
-function describeUnsupported(reason) {
-  switch (reason) {
-    case "git":
-      return "git specs cannot be scanned against OSV";
-    case "url":
-      return "URL specs cannot be scanned against OSV";
-    case "file":
-      return "local file specs cannot be scanned against OSV";
-    case "alias":
-      return "npm aliases are not supported in v1";
-    case "workspace":
-      return "workspace protocol specs are not scanned";
-    case "invalid":
-      return "could not parse spec";
+function describeUnsupported(reason) {
+  switch (reason) {
+    case "git":
+      return "git specs cannot be scanned against OSV";
+    case "url":
+      return "URL specs cannot be scanned against OSV";
+    case "file":
+      return "local file specs cannot be scanned against OSV";
+    case "alias":
+      return "npm aliases are not supported in v1";
+    case "workspace":
+      return "workspace protocol specs are not scanned";
+    case "invalid":
+      return "could not parse spec";
+  }
+}
+function describeSeverityCounts(summary) {
+  const parts = [];
+  for (const sev of ["critical", "high", "moderate", "low", "unknown"]) {
+    if (summary[sev] > 0) parts.push(`${summary[sev]} ${sev}`);
+  }
+  return parts.length === 0 ? "no advisories" : `${parts.join(", ")} advisor${total(summary) === 1 ? "y" : "ies"}`;
+}
+function total(summary) {
+  return Object.values(summary).reduce((a, b) => a + b, 0);
+}
+function colorSeverity(sev) {
+  switch (sev) {
+    case "critical":
+      return kleur.bold().red(sev);
+    case "high":
+      return kleur.red(sev);
+    case "moderate":
+      return kleur.yellow(sev);
+    case "low":
+      return kleur.cyan(sev);
+    case "unknown":
+      return kleur.gray(sev);
+  }
+}
+
+// src/env-scan.ts
+import { spawn as spawn2 } from "child_process";
+import { existsSync as existsSync6, readdirSync as readdirSync2, readFileSync as readFileSync10 } from "fs";
+import { join as join6, relative as relative2, resolve as resolve8, sep } from "path";
+var DEFAULT_SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  ".svelte-kit",
+  ".turbo",
+  ".cache",
+  "coverage",
+  "out",
+  ".vercel",
+  ".output"
+]);
+var EXAMPLE_NAME = /^\.env(\.[^.]+)*\.(example|sample|template|dist)$/i;
+var EXAMPLE_SUFFIX_NAME = /(\.|^)(example|sample|template)$/i;
+async function scanEnv(options = {}) {
+  const cwd = resolve8(options.cwd ?? process.cwd());
+  const skipDirs = options.skipDirs ? new Set(options.skipDirs) : DEFAULT_SKIP_DIRS;
+  const maxDepth = options.maxDepth ?? 6;
+  const errors = [];
+  const envFiles = discoverEnvFiles(cwd, skipDirs, maxDepth);
+  const inGit = isGitRepo(cwd);
+  const gitignorePath = join6(cwd, ".gitignore");
+  const hasGitignore = existsSync6(gitignorePath);
+  const exampleFiles = envFiles.filter(isExampleFile);
+  const realEnvFiles = envFiles.filter((f) => !isExampleFile(f));
+  const [trackedSet, ignoredMap, publishCheck, exampleSecrets] = await Promise.all([
+    inGit ? gitTracked(cwd, envFiles) : Promise.resolve(/* @__PURE__ */ new Set()),
+    inGit ? gitCheckIgnore(cwd, envFiles) : Promise.resolve(fallbackIgnoreMap(cwd, envFiles)),
+    checkPublishExposure(cwd, realEnvFiles),
+    scanExampleFilesForSecrets(cwd, exampleFiles)
+  ]).catch((err) => {
+    errors.push({
+      message: "env scan: parallel checks failed",
+      cause: err.message
+    });
+    return [
+      /* @__PURE__ */ new Set(),
+      /* @__PURE__ */ new Map(),
+      [],
+      []
+    ];
+  });
+  const issues = [];
+  if (envFiles.length > 0 && !hasGitignore) {
+    issues.push({
+      kind: "no-gitignore",
+      severity: "moderate",
+      file: ".gitignore",
+      message: "Project has env files but no .gitignore.",
+      detail: "Add a .gitignore that includes .env and .env.* before committing."
+    });
+  }
+  for (const file of realEnvFiles) {
+    if (trackedSet.has(file)) {
+      issues.push({
+        kind: "tracked-by-git",
+        severity: "critical",
+        file,
+        message: `${file} is tracked by git.`,
+        detail: "This file is committed to the repo. Run `git rm --cached` and rotate any secrets that were exposed."
+      });
+      continue;
+    }
+    const ignored = ignoredMap.get(file);
+    if (hasGitignore && ignored === false) {
+      issues.push({
+        kind: "not-gitignored",
+        severity: "high",
+        file,
+        message: `${file} exists but is not covered by .gitignore.`,
+        detail: "Add a matching pattern (e.g. `.env*`) to .gitignore."
+      });
+    }
+  }
+  for (const f of publishCheck) {
+    issues.push({
+      kind: "would-be-published",
+      severity: "critical",
+      file: f.file,
+      message: `${f.file} would be included in the published npm tarball.`,
+      detail: f.reason
+    });
+  }
+  for (const f of exampleSecrets) {
+    issues.push({
+      kind: "secret-in-example",
+      severity: "high",
+      file: f.file,
+      message: `${f.file} appears to contain a real secret.`,
+      detail: `Matched pattern: ${f.pattern} on key \`${f.key}\`. Example files should hold placeholder values only.`
+    });
+  }
+  issues.sort(compareIssues);
+  return {
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    cwd,
+    envFiles,
+    issues,
+    summary: summarizeIssues(issues),
+    errors
+  };
+}
+function compareIssues(a, b) {
+  const rank = {
+    critical: 4,
+    high: 3,
+    moderate: 2,
+    low: 1,
+    unknown: 0
+  };
+  const sev = rank[b.severity] - rank[a.severity];
+  if (sev !== 0) return sev;
+  if (a.file !== b.file) return a.file.localeCompare(b.file);
+  return a.kind.localeCompare(b.kind);
+}
+function summarizeIssues(issues) {
+  const out = {
+    critical: 0,
+    high: 0,
+    moderate: 0,
+    low: 0,
+    unknown: 0
+  };
+  for (const i of issues) out[i.severity]++;
+  return out;
+}
+function discoverEnvFiles(cwd, skipDirs, maxDepth) {
+  const found = [];
+  walk(cwd, cwd, 0);
+  found.sort();
+  return found;
+  function walk(dir, root, depth) {
+    if (depth > maxDepth) return;
+    let entries;
+    try {
+      entries = readdirSync2(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.isDirectory()) {
+        if (skipDirs.has(entry.name) || entry.name.startsWith(".git")) continue;
+        walk(join6(dir, entry.name), root, depth + 1);
+        continue;
+      }
+      if (!entry.isFile() && !entry.isSymbolicLink()) continue;
+      if (isEnvFilename(entry.name)) {
+        found.push(toPosix(relative2(root, join6(dir, entry.name))));
+      }
+    }
+  }
+}
+function isEnvFilename(name) {
+  if (name === ".env") return true;
+  if (name.startsWith(".env.")) return true;
+  return false;
+}
+function isExampleFile(file) {
+  const base = file.split("/").pop() ?? file;
+  if (EXAMPLE_NAME.test(base)) return true;
+  const segments = base.split(".");
+  const last = segments[segments.length - 1] ?? "";
+  return EXAMPLE_SUFFIX_NAME.test(last);
+}
+function toPosix(p) {
+  return sep === "/" ? p : p.split(sep).join("/");
+}
+function isGitRepo(cwd) {
+  let dir = cwd;
+  for (let i = 0; i < 32; i++) {
+    if (existsSync6(join6(dir, ".git"))) return true;
+    const parent = resolve8(dir, "..");
+    if (parent === dir) return false;
+    dir = parent;
+  }
+  return false;
+}
+async function gitTracked(cwd, files) {
+  if (files.length === 0) return /* @__PURE__ */ new Set();
+  const { stdout, code } = await runGit(cwd, ["ls-files", "-z", "--", ...files]);
+  if (code !== 0) return /* @__PURE__ */ new Set();
+  const tracked = stdout.split("\0").filter(Boolean).map(toPosix);
+  return new Set(tracked);
+}
+async function gitCheckIgnore(cwd, files) {
+  const result = /* @__PURE__ */ new Map();
+  if (files.length === 0) return result;
+  const stdin = `${files.join("\0")}\0`;
+  const { stdout, code } = await runGit(
+    cwd,
+    ["check-ignore", "--no-index", "-v", "-n", "-z", "--stdin"],
+    stdin
+  );
+  if (code !== 0 && code !== 1) {
+    for (const f of files) result.set(f, false);
+    return result;
+  }
+  const parts = stdout.split("\0");
+  for (let i = 0; i + 3 < parts.length; i += 4) {
+    const source = parts[i];
+    const pathname = toPosix(parts[i + 3] ?? "");
+    if (!pathname) continue;
+    result.set(pathname, source !== "");
+  }
+  for (const f of files) {
+    if (!result.has(f)) result.set(f, false);
+  }
+  return result;
+}
+function fallbackIgnoreMap(cwd, files) {
+  const result = /* @__PURE__ */ new Map();
+  const patterns = readIgnoreFile(join6(cwd, ".gitignore"));
+  for (const f of files) result.set(f, matchesAny(f, patterns));
+  return result;
+}
+function runGit(cwd, args, stdin) {
+  return new Promise((resolveP) => {
+    const child = spawn2("git", args, {
+      cwd,
+      stdio: [stdin === void 0 ? "ignore" : "pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.on("data", (d) => {
+      stdout += d.toString("utf8");
+    });
+    child.stderr?.on("data", (d) => {
+      stderr += d.toString("utf8");
+    });
+    child.on("error", () => resolveP({ stdout, stderr, code: -1 }));
+    child.on(
+      "close",
+      (code) => resolveP({ stdout, stderr, code: code ?? -1 })
+    );
+    if (stdin !== void 0 && child.stdin) {
+      child.stdin.end(stdin);
+    }
+  });
+}
+async function checkPublishExposure(cwd, envFiles) {
+  if (envFiles.length === 0) return [];
+  const pkgPath = join6(cwd, "package.json");
+  if (!existsSync6(pkgPath)) return [];
+  let pkg;
+  try {
+    pkg = JSON.parse(readFileSync10(pkgPath, "utf8"));
+  } catch {
+    return [];
+  }
+  if (pkg.private === true) return [];
+  const findings = [];
+  if (Array.isArray(pkg.files)) {
+    const allowList = pkg.files.filter((x) => typeof x === "string");
+    for (const file of envFiles) {
+      if (matchesAny(file, allowList)) {
+        findings.push({
+          file,
+          reason: `package.json "files" allowlist matches this path. Remove the entry or move the file.`
+        });
+      }
+    }
+    return findings;
+  }
+  const npmignorePath = join6(cwd, ".npmignore");
+  const ignorePath = existsSync6(npmignorePath) ? npmignorePath : join6(cwd, ".gitignore");
+  const ignoreSource = existsSync6(ignorePath) ? ignorePath === npmignorePath ? ".npmignore" : ".gitignore" : null;
+  const patterns = ignoreSource ? readIgnoreFile(ignorePath) : [];
+  for (const file of envFiles) {
+    if (!matchesAny(file, patterns)) {
+      findings.push({
+        file,
+        reason: ignoreSource ? `Not matched by any pattern in ${ignoreSource}. Add an entry like \`.env*\`.` : `No .npmignore or .gitignore present, so npm will include this file in the published tarball. Add an .npmignore.`
+      });
+    }
+  }
+  return findings;
+}
+function readIgnoreFile(path) {
+  if (!existsSync6(path)) return [];
+  try {
+    return readFileSync10(path, "utf8").split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0 && !l.startsWith("#"));
+  } catch {
+    return [];
+  }
+}
+function matchesAny(file, patterns) {
+  let matched = false;
+  for (const raw of patterns) {
+    let pattern = raw;
+    let negate = false;
+    if (pattern.startsWith("!")) {
+      negate = true;
+      pattern = pattern.slice(1);
+    }
+    if (pattern.endsWith("/")) pattern = pattern.slice(0, -1);
+    if (matchesPattern(file, pattern)) matched = !negate;
+  }
+  return matched;
+}
+function matchesPattern(file, pattern) {
+  if (!pattern) return false;
+  const anchored = pattern.startsWith("/");
+  const pat = anchored ? pattern.slice(1) : pattern;
+  const hasSlash = pat.includes("/");
+  const candidates = anchored ? [file] : hasSlash ? [file] : [file, file.split("/").pop() ?? file];
+  const re = globToRegex(pat);
+  return candidates.some((c) => re.test(c));
+}
+function globToRegex(pattern) {
+  let re = "^";
+  for (let i = 0; i < pattern.length; i++) {
+    const ch = pattern[i];
+    if (ch === "*") {
+      if (pattern[i + 1] === "*") {
+        re += ".*";
+        i++;
+        if (pattern[i + 1] === "/") i++;
+      } else {
+        re += "[^/]*";
+      }
+    } else if (ch === "?") {
+      re += "[^/]";
+    } else if (ch === ".") {
+      re += "\\.";
+    } else if (/[\\^$+()=!|{}[\]]/.test(ch ?? "")) {
+      re += `\\${ch}`;
+    } else {
+      re += ch;
+    }
+  }
+  re += "$";
+  return new RegExp(re);
+}
+var SECRET_PATTERNS = [
+  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "GitHub token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
+  { name: "Slack token", re: /\bxox[abprs]-[A-Za-z0-9-]{10,}\b/ },
+  { name: "Stripe live key", re: /\bsk_live_[A-Za-z0-9]{16,}\b/ },
+  { name: "Google API key", re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
+  { name: "Generic JWT", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/ },
+  { name: "Private key block", re: /-----BEGIN (RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----/ }
+];
+var PLACEHOLDER_RE2 = /^(?:|x+|y+|<.*>|\{.*\}|change[-_ ]?me|todo|placeholder|your[-_ ].+|example|dummy|fake|test)$/i;
+async function scanExampleFilesForSecrets(cwd, files) {
+  const findings = [];
+  await Promise.all(
+    files.map(async (file) => {
+      let content;
+      try {
+        content = readFileSync10(join6(cwd, file), "utf8");
+      } catch {
+        return;
+      }
+      const lines = content.split(/\r?\n/);
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#")) continue;
+        const eq = trimmed.indexOf("=");
+        if (eq <= 0) continue;
+        const key = trimmed.slice(0, eq).trim();
+        let value = trimmed.slice(eq + 1).trim();
+        if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+          value = value.slice(1, -1);
+        } else {
+          const hashIdx = value.indexOf(" #");
+          if (hashIdx >= 0) value = value.slice(0, hashIdx).trim();
+        }
+        if (!value || PLACEHOLDER_RE2.test(value)) continue;
+        for (const pat of SECRET_PATTERNS) {
+          if (pat.re.test(value)) {
+            findings.push({ file, key, pattern: pat.name });
+            break;
+          }
+        }
+      }
+    })
+  );
+  return findings;
+}
+function envIssuesMeetThreshold(issues, threshold) {
+  if (threshold === "none") return false;
+  const rank = {
+    critical: 4,
+    high: 3,
+    moderate: 2,
+    low: 1,
+    unknown: 0
+  };
+  const min = rank[threshold];
+  return issues.some((i) => rank[i.severity] >= min);
+}
+
+// src/init.ts
+import { existsSync as existsSync7, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve9 } from "path";
+async function initProject(options = {}) {
+  const cwd = resolve9(options.cwd ?? process.cwd());
+  const policy = options.policy ?? "ci";
+  const configPath = resolve9(cwd, options.config ?? "trawly.toml");
+  const baselinePath = options.baseline ?? "trawly-baseline.json";
+  const warnings = [];
+  let configWritten = false;
+  if (options.overwrite || !existsSync7(configPath)) {
+    writeFileSync2(configPath, renderConfig(policy, baselinePath));
+    configWritten = true;
+  } else {
+    warnings.push(`${configPath} already exists; leaving it unchanged.`);
+  }
+  let scan;
+  let baselineWritten = false;
+  if (options.writeBaseline !== false) {
+    try {
+      scan = await scanProject({
+        cwd,
+        config: configPath,
+        policy,
+        risk: options.risk,
+        env: options.env,
+        writeBaseline: baselinePath,
+        fetchImpl: options.fetchImpl
+      });
+      baselineWritten = scan.baseline?.written !== void 0;
+    } catch (err) {
+      if (err instanceof ScanInputError) {
+        warnings.push(
+          "No supported lockfile or SBOM was found, so no baseline was written."
+        );
+      } else {
+        throw err;
+      }
+    }
+  }
+  return {
+    configPath,
+    configWritten,
+    baselinePath: resolve9(cwd, baselinePath),
+    baselineWritten,
+    scan,
+    warnings
+  };
+}
+function renderConfig(policy, baselinePath) {
+  const preset = POLICY_PRESETS[policy];
+  return [
+    `policy = "${policy}"`,
+    `failOn = "${preset.failOn}"`,
+    `risk = ${String(preset.risk)}`,
+    `env = ${String(preset.env)}`,
+    'allowedRegistries = ["https://registry.npmjs.org", "https://registry.yarnpkg.com"]',
+    "",
+    `# Existing findings are tracked in ${baselinePath}.`,
+    "# Ignore entries must expire.",
+    "# [[ignore]]",
+    '# id = "GHSA-example"',
+    '# package = "example-package"',
+    '# expires = "2026-06-30"',
+    '# reason = "Not reachable in this application"',
+    ""
+  ].join("\n");
+}
+
+// src/reporters/env-table.ts
+import kleur3 from "kleur";
+
+// src/reporters/banner.ts
+import kleur2 from "kleur";
+var BORDER = {
+  tl: "\u250C",
+  tr: "\u2510",
+  bl: "\u2514",
+  br: "\u2518",
+  h: "\u2500",
+  v: "\u2502"
+};
+var TITLE = "trawly";
+var SIDE_PAD = 1;
+var MIN_TITLE_FILLER = 4;
+function renderBanner(props) {
+  const contentRows = [props.metrics, props.timestamp];
+  const titleSegment = ` ${TITLE} `;
+  const minTitleWidth = 1 + titleSegment.length + MIN_TITLE_FILLER;
+  const innerWidth = Math.max(
+    ...contentRows.map((r) => r.length + SIDE_PAD * 2),
+    minTitleWidth
+  );
+  const top = renderTop(innerWidth);
+  const bottom = renderBottom(innerWidth);
+  const metricsLine = renderRow(innerWidth, props.metrics, kleur2.bold);
+  const timestampLine = renderRow(innerWidth, props.timestamp, kleur2.gray);
+  return [top, metricsLine, timestampLine, bottom].join("\n");
+}
+function renderTop(innerWidth) {
+  const titleSegment = ` ${kleur2.bold().cyan(TITLE)} `;
+  const titleVisibleLen = TITLE.length + 2;
+  const fillerCount = innerWidth - 1 - titleVisibleLen;
+  return kleur2.gray(BORDER.tl) + kleur2.gray(BORDER.h) + titleSegment + kleur2.gray(BORDER.h.repeat(Math.max(MIN_TITLE_FILLER, fillerCount))) + kleur2.gray(BORDER.tr);
+}
+function renderBottom(innerWidth) {
+  return kleur2.gray(`${BORDER.bl}${BORDER.h.repeat(innerWidth)}${BORDER.br}`);
+}
+function renderRow(innerWidth, content, colorize) {
+  const fill = Math.max(0, innerWidth - SIDE_PAD * 2 - content.length);
+  return kleur2.gray(BORDER.v) + " ".repeat(SIDE_PAD) + colorize(content) + " ".repeat(fill + SIDE_PAD) + kleur2.gray(BORDER.v);
+}
+
+// src/reporters/env-table.ts
+var SEVERITY_COLOR = {
+  critical: (s) => kleur3.bold().red(s),
+  high: (s) => kleur3.red(s),
+  moderate: (s) => kleur3.yellow(s),
+  low: (s) => kleur3.cyan(s),
+  unknown: (s) => kleur3.gray(s)
+};
+var SEVERITY_ORDER = [
+  "critical",
+  "high",
+  "moderate",
+  "low",
+  "unknown"
+];
+var KIND_LABEL = {
+  "tracked-by-git": "tracked-by-git",
+  "not-gitignored": "not-gitignored",
+  "would-be-published": "would-be-published",
+  "secret-in-example": "secret-in-example",
+  "no-gitignore": "no-gitignore"
+};
+function reportEnvTable(result, options = {}) {
+  const lines = [];
+  if (options.brand) {
+    const { metricsLine, timestamp } = headerParts(result);
+    lines.push(renderBanner({ metrics: metricsLine, timestamp }));
+  } else {
+    lines.push(kleur3.bold(formatHeader(result)));
+  }
+  for (const err of result.errors) {
+    lines.push(
+      kleur3.red(`! ${err.message}${err.cause ? ` (${err.cause})` : ""}`)
+    );
+  }
+  if (result.envFiles.length === 0) {
+    lines.push("");
+    lines.push(kleur3.gray("No .env files found in project."));
+    return lines.join("\n");
+  }
+  if (result.issues.length === 0) {
+    lines.push("");
+    lines.push(kleur3.green("\u2713 No env-leak issues found."));
+    lines.push(kleur3.gray("  Files checked:"));
+    for (const f of result.envFiles) lines.push(kleur3.gray(`    ${f}`));
+    return lines.join("\n");
+  }
+  lines.push("");
+  lines.push(formatSummary(result.summary));
+  lines.push("");
+  lines.push(formatIssueRows(result.issues));
+  lines.push("");
+  lines.push(
+    kleur3.gray(
+      "Reminder: trawly env checks ignore coverage and publish exposure. It cannot prove a secret hasn't already leaked elsewhere \u2014 rotate any value you suspect was committed."
+    )
+  );
+  return lines.join("\n");
+}
+function formatIssueRows(issues) {
+  const rows = [["SEV", "KIND", "FILE", "MESSAGE", "HINT"]];
+  for (const issue of issues) {
+    rows.push([
+      issue.severity,
+      KIND_LABEL[issue.kind],
+      issue.file,
+      truncate2(issue.message, 60),
+      issue.detail ? truncate2(issue.detail, 60) : ":"
+    ]);
+  }
+  return renderTable(rows, (rowIdx, row, cells) => {
+    if (rowIdx === 0) return kleur3.bold().underline(cells.join("  "));
+    const sev = row[0];
+    const colorize = SEVERITY_COLOR[sev] ?? ((s) => s);
+    cells[0] = colorize(cells[0]);
+    cells[2] = kleur3.cyan(cells[2]);
+    cells[1] = kleur3.bold(cells[1]);
+    return cells.join("  ");
+  });
+}
+function formatHeader(result) {
+  const { metricsLine, timestamp } = headerParts(result);
+  return `trawly env: ${metricsLine} (${timestamp})`;
+}
+function headerParts(result) {
+  const fileCount = result.envFiles.length;
+  const issueCount = result.issues.length;
+  const metricsLine = [
+    `${fileCount} env file${fileCount === 1 ? "" : "s"} scanned`,
+    `${issueCount} issue${issueCount === 1 ? "" : "s"}`
+  ].join(" \xB7 ");
+  return { metricsLine, timestamp: result.scannedAt };
+}
+function formatSummary(summary) {
+  const parts = [];
+  for (const sev of SEVERITY_ORDER) {
+    const count = summary[sev];
+    if (count === 0) continue;
+    parts.push(SEVERITY_COLOR[sev](`${sev}: ${count}`));
+  }
+  if (parts.length === 0) return kleur3.green("No findings.");
+  return `Issues : ${parts.join("  ")}`;
+}
+function reportEnvJson(result) {
+  return JSON.stringify(result, null, 2);
+}
+function truncate2(s, max) {
+  if (s.length <= max) return s;
+  return `${s.slice(0, max - 1)}\u2026`;
+}
+function renderTable(rows, format) {
+  const widths = rows[0].map(
+    (_, col) => Math.max(...rows.map((r) => visibleLength(r[col])))
+  );
+  return rows.map((row, i) => {
+    const cells = row.map((cell, col) => padEndVisible(cell, widths[col]));
+    return format(i, row, cells);
+  }).join("\n");
+}
+var ANSI_RE = /\u001B\[[0-9;]*m/g;
+function visibleLength(s) {
+  return s.replace(ANSI_RE, "").length;
+}
+function padEndVisible(s, width) {
+  const pad = Math.max(0, width - visibleLength(s));
+  return s + " ".repeat(pad);
+}
+
+// src/reporters/json.ts
+function reportJson(result) {
+  return JSON.stringify(result, null, 2);
+}
+
+// src/reporters/markdown.ts
+var ORDER = ["critical", "high", "moderate", "low", "unknown"];
+function reportMarkdown(result) {
+  const lines = [];
+  lines.push("# trawly report");
+  lines.push("");
+  lines.push(`Scanned at: \`${result.scannedAt}\``);
+  lines.push(`Packages scanned: **${result.packagesScanned}**`);
+  lines.push(`Findings: **${result.findings.length}**`);
+  if (result.ignoredFindings.length > 0) {
+    lines.push(`Ignored findings: **${result.ignoredFindings.length}**`);
+  }
+  if (result.baseline) {
+    lines.push(
+      `Baseline: **${result.baseline.new} new**, **${result.baseline.existing} existing**`
+    );
+  }
+  lines.push("");
+  lines.push(`Severity summary: ${formatSummary2(result.summary)}`);
+  if (result.warnings.length > 0) {
+    lines.push("");
+    lines.push("## Warnings");
+    for (const warning of result.warnings) lines.push(`- ${warning}`);
+  }
+  lines.push("");
+  lines.push("## Findings");
+  if (result.findings.length === 0) {
+    lines.push("");
+    lines.push("No active findings.");
+  } else {
+    lines.push("");
+    lines.push("| Severity | Source | Package | Version | ID | Summary |");
+    lines.push("| --- | --- | --- | --- | --- | --- |");
+    for (const finding of result.findings) {
+      lines.push(findingRow(finding));
+    }
+  }
+  if (result.ignoredFindings.length > 0) {
+    lines.push("");
+    lines.push("## Ignored Findings");
+    lines.push("");
+    lines.push("| Severity | Source | Package | Version | ID | Summary |");
+    lines.push("| --- | --- | --- | --- | --- | --- |");
+    for (const finding of result.ignoredFindings) {
+      lines.push(findingRow(finding));
+    }
+  }
+  return lines.join("\n");
+}
+function formatSummary2(summary) {
+  const parts = ORDER.filter((sev) => summary[sev] > 0).map(
+    (sev) => `${sev}: ${summary[sev]}`
+  );
+  return parts.length === 0 ? "none" : parts.join(", ");
+}
+function findingRow(finding) {
+  const id = finding.url ? `[${escapeCell(finding.id)}](${finding.url})` : escapeCell(finding.id);
+  return [
+    finding.severity,
+    finding.source,
+    escapeCell(finding.packageName),
+    escapeCell(finding.installedVersion),
+    id,
+    escapeCell(finding.summary)
+  ].join(" | ").replace(/^/, "| ").replace(/$/, " |");
+}
+function escapeCell(value) {
+  return value.replace(/\|/g, "\\|").replace(/\n/g, " ");
+}
+
+// src/version.ts
+import { readFileSync as readFileSync11 } from "fs";
+var FALLBACK_VERSION = "0.1.0";
+var TRAWLY_VERSION = readPackageVersion();
+function readPackageVersion() {
+  try {
+    const packageJson = JSON.parse(
+      readFileSync11(new URL("../package.json", import.meta.url), "utf8")
+    );
+    return typeof packageJson.version === "string" ? packageJson.version : FALLBACK_VERSION;
+  } catch {
+    return FALLBACK_VERSION;
+  }
+}
+
+// src/reporters/sarif.ts
+function reportSarif(result) {
+  const allFindings = [...result.findings, ...result.ignoredFindings];
+  const rules = buildRules(allFindings);
+  const sarif = {
+    version: "2.1.0",
+    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "trawly",
+            informationUri: "https://github.com/Arindam200/trawly",
+            semanticVersion: TRAWLY_VERSION,
+            rules
+          }
+        },
+        results: allFindings.map((finding) => findingToResult(finding))
+      }
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
+}
+function buildRules(findings) {
+  const map = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    if (map.has(finding.id)) continue;
+    map.set(finding.id, {
+      id: finding.id,
+      name: finding.id,
+      shortDescription: { text: finding.summary },
+      fullDescription: { text: finding.summary },
+      helpUri: finding.url,
+      properties: {
+        tags: [finding.source, finding.type, finding.ecosystem],
+        precision: finding.source === "osv" ? "high" : "medium",
+        securitySeverity: securitySeverity(finding)
+      }
+    });
   }
+  return [...map.values()];
 }
-function describeSeverityCounts(summary) {
-  const parts = [];
-  for (const sev of ["critical", "high", "moderate", "low", "unknown"]) {
-    if (summary[sev] > 0) parts.push(`${summary[sev]} ${sev}`);
+function findingToResult(finding) {
+  const result = {
+    ruleId: finding.id,
+    level: sarifLevel(finding),
+    message: {
+      text: `${finding.packageName}@${finding.installedVersion}: ${finding.summary}`
+    },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: {
+            uri: artifactUri(finding)
+          },
+          region: finding.line ? { startLine: finding.line } : void 0
+        }
+      }
+    ],
+    partialFingerprints: {
+      trawlyFingerprint: finding.fingerprint
+    },
+    properties: {
+      package: finding.packageName,
+      version: finding.installedVersion,
+      ecosystem: finding.ecosystem,
+      source: finding.source,
+      aliases: finding.aliases,
+      baseline: finding.baseline
+    }
+  };
+  if (finding.ignored) {
+    result.suppressions = [
+      { kind: "external", justification: "Ignored by trawly configuration" }
+    ];
   }
-  return parts.length === 0 ? "no advisories" : `${parts.join(", ")} advisor${total(summary) === 1 ? "y" : "ies"}`;
+  return result;
 }
-function total(summary) {
-  return Object.values(summary).reduce((a, b) => a + b, 0);
+function artifactUri(finding) {
+  const path = finding.sourceFile ?? finding.affectedPaths[0];
+  if (path) return path;
+  const ecosystem = encodeURIComponent(finding.ecosystem || "unknown");
+  const name = encodeURIComponent(finding.packageName || "unknown");
+  const version = encodeURIComponent(finding.installedVersion || "unknown");
+  return `pkg:${ecosystem}/${name}@${version}`;
 }
-function colorSeverity(sev) {
-  switch (sev) {
+function sarifLevel(finding) {
+  if (finding.severity === "critical" || finding.severity === "high") {
+    return "error";
+  }
+  if (finding.severity === "moderate" || finding.severity === "low") {
+    return "warning";
+  }
+  return "note";
+}
+function securitySeverity(finding) {
+  switch (finding.severity) {
     case "critical":
-      return kleur.bold().red(sev);
+      return "9.5";
     case "high":
-      return kleur.red(sev);
+      return "8.0";
     case "moderate":
-      return kleur.yellow(sev);
+      return "5.0";
     case "low":
-      return kleur.cyan(sev);
+      return "2.0";
     case "unknown":
-      return kleur.gray(sev);
+      return "0.0";
   }
 }
 
-// src/reporters/json.ts
-function reportJson(result) {
-  return JSON.stringify(result, null, 2);
-}
-
-// src/reporters/table.ts
-import kleur3 from "kleur";
-
-// src/reporters/banner.ts
-import kleur2 from "kleur";
-var BORDER = {
-  tl: "\u250C",
-  tr: "\u2510",
-  bl: "\u2514",
-  br: "\u2518",
-  h: "\u2500",
-  v: "\u2502"
-};
-var TITLE = "trawly";
-var SIDE_PAD = 1;
-var MIN_TITLE_FILLER = 4;
-function renderBanner(props) {
-  const contentRows = [props.metrics, props.timestamp];
-  const titleSegment = ` ${TITLE} `;
-  const minTitleWidth = 1 + titleSegment.length + MIN_TITLE_FILLER;
-  const innerWidth = Math.max(
-    ...contentRows.map((r) => r.length + SIDE_PAD * 2),
-    minTitleWidth
-  );
-  const top = renderTop(innerWidth);
-  const bottom = renderBottom(innerWidth);
-  const metricsLine = renderRow(innerWidth, props.metrics, kleur2.bold);
-  const timestampLine = renderRow(innerWidth, props.timestamp, kleur2.gray);
-  return [top, metricsLine, timestampLine, bottom].join("\n");
-}
-function renderTop(innerWidth) {
-  const titleSegment = ` ${kleur2.bold().cyan(TITLE)} `;
-  const titleVisibleLen = TITLE.length + 2;
-  const fillerCount = innerWidth - 1 - titleVisibleLen;
-  return kleur2.gray(BORDER.tl) + kleur2.gray(BORDER.h) + titleSegment + kleur2.gray(BORDER.h.repeat(Math.max(MIN_TITLE_FILLER, fillerCount))) + kleur2.gray(BORDER.tr);
-}
-function renderBottom(innerWidth) {
-  return kleur2.gray(`${BORDER.bl}${BORDER.h.repeat(innerWidth)}${BORDER.br}`);
-}
-function renderRow(innerWidth, content, colorize) {
-  const fill = Math.max(0, innerWidth - SIDE_PAD * 2 - content.length);
-  return kleur2.gray(BORDER.v) + " ".repeat(SIDE_PAD) + colorize(content) + " ".repeat(fill + SIDE_PAD) + kleur2.gray(BORDER.v);
-}
-
 // src/reporters/table.ts
-var SEVERITY_COLOR = {
-  critical: (s) => kleur3.bold().red(s),
-  high: (s) => kleur3.red(s),
-  moderate: (s) => kleur3.yellow(s),
-  low: (s) => kleur3.cyan(s),
-  unknown: (s) => kleur3.gray(s)
+import kleur4 from "kleur";
+var SEVERITY_COLOR2 = {
+  critical: (s) => kleur4.bold().red(s),
+  high: (s) => kleur4.red(s),
+  moderate: (s) => kleur4.yellow(s),
+  low: (s) => kleur4.cyan(s),
+  unknown: (s) => kleur4.gray(s)
 };
-var SEVERITY_ORDER = [
+var SEVERITY_ORDER2 = [
   "critical",
   "high",
   "moderate",
@@ -1122,35 +3074,54 @@ var SEVERITY_ORDER = [
 function reportTable(result, options = {}) {
   const view = options.view ?? (options.details ? "details" : "grouped");
   const lines = [];
+  const warnings = result.warnings ?? [];
+  const ignoredFindings = result.ignoredFindings ?? [];
   if (options.brand) {
-    const { metricsLine, timestamp } = headerParts(result);
+    const { metricsLine, timestamp } = headerParts2(result);
     lines.push(renderBanner({ metrics: metricsLine, timestamp }));
   } else {
-    lines.push(kleur3.bold(formatHeader(result)));
+    lines.push(kleur4.bold(formatHeader2(result)));
   }
   if (result.errors.length > 0) {
     for (const err of result.errors) {
       lines.push(
-        kleur3.red(`! ${err.message}${err.cause ? ` (${err.cause})` : ""}`)
+        kleur4.red(`! ${err.message}${err.cause ? ` (${err.cause})` : ""}`)
       );
     }
   }
+  if (warnings.length > 0) {
+    for (const warning of warnings) {
+      lines.push(kleur4.yellow(`~ ${warning}`));
+    }
+  }
+  if (ignoredFindings.length > 0) {
+    lines.push(
+      kleur4.gray(`${ignoredFindings.length} finding(s) ignored by config.`)
+    );
+  }
+  if (result.baseline) {
+    lines.push(
+      kleur4.gray(
+        `Baseline: ${result.baseline.new} new, ${result.baseline.existing} existing.`
+      )
+    );
+  }
   if (result.findings.length === 0) {
-    lines.push(kleur3.green("\u2713 No known advisories found."));
+    lines.push(kleur4.green("\u2713 No active findings."));
     lines.push(
-      kleur3.gray(
-        "  Note: this only checks known advisories. It cannot prove a package is safe."
+      kleur4.gray(
+        "  Note: absence of findings is not proof of safety."
       )
     );
     return lines.join("\n");
   }
   if (view === "summary") {
-    lines.push(formatSummary(result.summary));
+    lines.push(formatSummary3(result.summary));
     lines.push(reminder());
     return lines.join("\n");
   }
   lines.push("");
-  lines.push(formatSummary(result.summary));
+  lines.push(formatSummary3(result.summary));
   lines.push("");
   if (view === "details") {
     lines.push(formatDetailRows(sortFindings(result.findings)));
@@ -1159,42 +3130,42 @@ function reportTable(result, options = {}) {
     lines.push(formatGroupedRows(groups));
     lines.push("");
     lines.push(
-      kleur3.gray("Run `trawly scan --details` to see individual advisories.")
+      kleur4.gray("Run `trawly scan --details` to see individual findings.")
     );
   }
   lines.push("");
   lines.push(reminder());
   return lines.join("\n");
 }
-function formatHeader(result) {
-  const { metricsLine, timestamp } = headerParts(result);
+function formatHeader2(result) {
+  const { metricsLine, timestamp } = headerParts2(result);
   return `trawly: ${metricsLine} (${timestamp})`;
 }
-function headerParts(result) {
-  const vulnerable = new Set(
+function headerParts2(result) {
+  const affected = new Set(
     result.findings.map((f) => `${f.packageName}@${f.installedVersion}`)
   ).size;
-  const advisories = result.findings.length;
+  const findingCount = result.findings.length;
   const metricsLine = [
     `${result.packagesScanned} packages`,
-    `${vulnerable} vulnerable`,
-    `${advisories} ${advisories === 1 ? "advisory" : "advisories"}`
+    `${affected} affected`,
+    `${findingCount} ${findingCount === 1 ? "finding" : "findings"}`
   ].join(" \xB7 ");
   return { metricsLine, timestamp: result.scannedAt };
 }
-function formatSummary(summary) {
+function formatSummary3(summary) {
   const parts = [];
-  for (const sev of SEVERITY_ORDER) {
+  for (const sev of SEVERITY_ORDER2) {
     const count = summary[sev];
     if (count === 0) continue;
-    parts.push(SEVERITY_COLOR[sev](`${sev}: ${count}`));
+    parts.push(SEVERITY_COLOR2[sev](`${sev}: ${count}`));
   }
-  if (parts.length === 0) return kleur3.green("No findings.");
+  if (parts.length === 0) return kleur4.green("No findings.");
   return `Findings : ${parts.join("  ")}`;
 }
 function reminder() {
-  return kleur3.gray(
-    "Reminder: trawly reports known advisories only. Absence of findings is not proof of safety."
+  return kleur4.gray(
+    "Reminder: absence of findings is not proof of safety."
   );
 }
 function sortFindings(findings) {
@@ -1252,8 +3223,8 @@ function formatGroupedRows(groups) {
       g.recommendedFix ? `>=${g.recommendedFix}` : ":"
     ]);
   }
-  return renderTable(rows, (rowIdx, _row, cells) => {
-    if (rowIdx === 0) return kleur3.bold().underline(cells.join("  "));
+  return renderTable2(rows, (rowIdx, _row, cells) => {
+    if (rowIdx === 0) return kleur4.bold().underline(cells.join("  "));
     return cells.join("  ");
   });
 }
@@ -1268,32 +3239,32 @@ function formatDetailRows(findings) {
       f.installedVersion,
       f.id,
       f.fixedVersions.length ? f.fixedVersions.join(", ") : ":",
-      truncate2(f.summary, 70)
+      truncate3(f.summary, 70)
     ]);
   }
-  return renderTable(rows, (rowIdx, row, cells) => {
-    if (rowIdx === 0) return kleur3.bold().underline(cells.join("  "));
+  return renderTable2(rows, (rowIdx, row, cells) => {
+    if (rowIdx === 0) return kleur4.bold().underline(cells.join("  "));
     const sev = row[0];
-    const colorize = SEVERITY_COLOR[sev] ?? ((s) => s);
+    const colorize = SEVERITY_COLOR2[sev] ?? ((s) => s);
     cells[0] = colorize(cells[0]);
     return cells.join("  ");
   });
 }
 function formatSeverityCounts(counts) {
   const parts = [];
-  for (const sev of SEVERITY_ORDER) {
+  for (const sev of SEVERITY_ORDER2) {
     const n = counts[sev];
     if (n === 0) continue;
-    parts.push(SEVERITY_COLOR[sev](`${n} ${sev}`));
+    parts.push(SEVERITY_COLOR2[sev](`${n} ${sev}`));
   }
   return parts.join(", ");
 }
-function renderTable(rows, format) {
+function renderTable2(rows, format) {
   const widths = rows[0].map(
-    (_, col) => Math.max(...rows.map((r) => visibleLength(r[col])))
+    (_, col) => Math.max(...rows.map((r) => visibleLength2(r[col])))
   );
   return rows.map((row, i) => {
-    const cells = row.map((cell, col) => padEndVisible(cell, widths[col]));
+    const cells = row.map((cell, col) => padEndVisible2(cell, widths[col]));
     return format(i, row, cells);
   }).join("\n");
 }
@@ -1321,28 +3292,96 @@ function parseSemverParts(v) {
   if (!m) return [0, 0, 0];
   return [Number(m[1]), Number(m[2]), Number(m[3])];
 }
-function truncate2(s, max) {
+function truncate3(s, max) {
   if (s.length <= max) return s;
   return `${s.slice(0, max - 1)}\u2026`;
 }
-var ANSI_RE = /\u001B\[[0-9;]*m/g;
-function visibleLength(s) {
-  return s.replace(ANSI_RE, "").length;
+var ANSI_RE2 = /\u001B\[[0-9;]*m/g;
+function visibleLength2(s) {
+  return s.replace(ANSI_RE2, "").length;
 }
-function padEndVisible(s, width) {
-  const pad = Math.max(0, width - visibleLength(s));
+function padEndVisible2(s, width) {
+  const pad = Math.max(0, width - visibleLength2(s));
   return s + " ".repeat(pad);
 }
 
+// src/why.ts
+import { existsSync as existsSync8 } from "fs";
+import { join as join7, resolve as resolve10 } from "path";
+function explainWhy(packageName, options = {}) {
+  const cwd = resolve10(options.cwd ?? process.cwd());
+  const lockfiles = options.lockfile ? normalizePaths2(cwd, options.lockfile) : detectLockfiles2(cwd);
+  const packages = lockfiles.flatMap((path) => parseLockfile(path));
+  const matches = packages.filter((pkg) => pkg.name === packageName).map((pkg) => ({
+    package: pkg,
+    chain: inferChain(pkg),
+    note: graphNote(pkg)
+  })).sort((a, b) => {
+    const source = (a.package.sourceFile ?? "").localeCompare(
+      b.package.sourceFile ?? ""
+    );
+    if (source !== 0) return source;
+    return a.package.path.localeCompare(b.package.path);
+  });
+  return { packageName, lockfiles, matches };
+}
+function inferChain(pkg) {
+  if (pkg.manager === "npm") {
+    const chain = packageNamesFromNodeModulesPath(pkg.path);
+    if (chain.length > 0) return chain;
+  }
+  return [pkg.name];
+}
+function graphNote(pkg) {
+  if (pkg.manager === "npm") return void 0;
+  if (pkg.direct) return "direct dependency";
+  return `${pkg.manager ?? "lockfile"} lock entry; full parent chain is not available yet`;
+}
+function packageNamesFromNodeModulesPath(path) {
+  const parts = path.split("/");
+  const names = [];
+  for (let i = 0; i < parts.length; i++) {
+    if (parts[i] !== "node_modules") continue;
+    const first = parts[i + 1];
+    if (!first) continue;
+    if (first.startsWith("@")) {
+      const second = parts[i + 2];
+      if (!second) continue;
+      names.push(`${first}/${second}`);
+      i += 2;
+    } else {
+      names.push(first);
+      i += 1;
+    }
+  }
+  return names;
+}
+function detectLockfiles2(cwd) {
+  const candidates = [
+    "package-lock.json",
+    "npm-shrinkwrap.json",
+    "pnpm-lock.yaml",
+    "yarn.lock"
+  ].map((file) => join7(cwd, file));
+  return candidates.filter((candidate) => existsSync8(candidate));
+}
+function normalizePaths2(cwd, value) {
+  if (!value) return [];
+  const values = Array.isArray(value) ? value : [value];
+  return [...new Set(values.map((path) => resolve10(cwd, path)))];
+}
+
 // src/cli.ts
-var FAIL_ON_VALUES = [
+var FAIL_ON_VALUES2 = [
   "critical",
   "high",
   "moderate",
   "low",
   "none"
 ];
-var FORMAT_VALUES = ["table", "json"];
+var FORMAT_VALUES = ["table", "json", "markdown", "sarif"];
+var ENV_FORMAT_VALUES = ["table", "json"];
+var POLICY_VALUES2 = ["ci", "strict", "library", "app"];
 var PM_VALUES = ["npm", "pnpm", "yarn", "bun"];
 var EXIT = {
   ok: 0,
@@ -1351,9 +3390,9 @@ var EXIT = {
   invalidInput: 3
 };
 function parseFailOn(value) {
-  if (!FAIL_ON_VALUES.includes(value)) {
+  if (!FAIL_ON_VALUES2.includes(value)) {
     throw new InvalidArgumentError(
-      `must be one of: ${FAIL_ON_VALUES.join(", ")}`
+      `must be one of: ${FAIL_ON_VALUES2.join(", ")}`
     );
   }
   return value;
@@ -1366,13 +3405,32 @@ function parseFormat(value) {
   }
   return value;
 }
+function parseEnvFormat(value) {
+  if (!ENV_FORMAT_VALUES.includes(value)) {
+    throw new InvalidArgumentError(
+      `must be one of: ${ENV_FORMAT_VALUES.join(", ")}`
+    );
+  }
+  return value;
+}
+function parsePolicy(value) {
+  if (!POLICY_VALUES2.includes(value)) {
+    throw new InvalidArgumentError(
+      `must be one of: ${POLICY_VALUES2.join(", ")}`
+    );
+  }
+  return value;
+}
 function parsePm(value) {
   if (!PM_VALUES.includes(value)) {
     throw new InvalidArgumentError(`must be one of: ${PM_VALUES.join(", ")}`);
   }
   return value;
 }
-var TRAWLY_VERSION = "0.1.0";
+function collectOption(value, previous = []) {
+  previous.push(value);
+  return previous;
+}
 var program = new Command();
 program.name("trawly").description(
   "Dependency sanity scanner. Checks installed npm packages against the OSV advisory database."
@@ -1387,54 +3445,87 @@ program.command("scan", { isDefault: true }).description(
   "Scan a project and gate on findings. Exits non-zero when --fail-on is met. Use `inspect` for a log-only run."
 ).argument("[path]", "Project directory to scan", ".").option(
   "--lockfile <path>",
-  "Explicit path to a lockfile (package-lock.json, pnpm-lock.yaml, or yarn.lock)"
-).option(
+  "Explicit lockfile path. May be repeated.",
+  collectOption
+).option("--sbom <path>", "Explicit SPDX/CycloneDX SBOM path. May be repeated.", collectOption).option(
   "--format <format>",
-  "Output format: table | json",
+  "Output format: table | json | markdown | sarif",
   parseFormat,
   "table"
 ).option(
   "--fail-on <level>",
-  `Exit non-zero when a finding meets this severity (${FAIL_ON_VALUES.join("|")})`,
-  parseFailOn,
-  "high"
-).option("--prod", "Only scan production dependencies (excludes dev)").option("--include-dev", "Include dev dependencies (default)").option("--no-cache", "Bypass any local cache").option(
+  `Exit non-zero when a finding meets this severity (${FAIL_ON_VALUES2.join("|")})`,
+  parseFailOn
+).option("--config <path>", "Path to trawly.toml").option(
+  "--policy <name>",
+  `Use a built-in policy preset (${POLICY_VALUES2.join("|")})`,
+  parsePolicy
+).option("--baseline <path>", "Only fail on findings not present in this baseline").option("--write-baseline <path>", "Write the current active findings baseline").option("--output <path>", "Write report output to a file").option("--risk", "Enable risk signals").option("--no-risk", "Disable risk signals").option("--env", "Scan committed .env files for secret-like values").option("--no-env", "Disable committed .env file scanning").option("--prod", "Only scan production dependencies (excludes dev)").option("--include-dev", "Include dev dependencies (default)").option(
   "-v, --details",
   "Show one row per advisory (full table). Default groups by package."
 ).option(
   "-q, --summary",
   "Show only the one-line severity summary. Mutually exclusive with --details."
-).action(async (path, opts) => {
-  await runScanCommand(path, opts, { gate: true });
+).action(async (path, opts, command) => {
+  await runScanCommand(path, normalizeScanOptions(opts, command), {
+    gate: true
+  });
 });
 program.command("inspect").description(
   "Scan a project and print findings without gating. Always exits 0 unless an operational error occurs. Use `scan` for CI gating."
 ).argument("[path]", "Project directory to scan", ".").option(
   "--lockfile <path>",
-  "Explicit path to a lockfile (package-lock.json, pnpm-lock.yaml, or yarn.lock)"
-).option(
+  "Explicit lockfile path. May be repeated.",
+  collectOption
+).option("--sbom <path>", "Explicit SPDX/CycloneDX SBOM path. May be repeated.", collectOption).option(
   "--format <format>",
-  "Output format: table | json",
+  "Output format: table | json | markdown | sarif",
   parseFormat,
   "table"
-).option("--prod", "Only scan production dependencies (excludes dev)").option("--include-dev", "Include dev dependencies (default)").option("--no-cache", "Bypass any local cache").option(
+).option("--config <path>", "Path to trawly.toml").option(
+  "--policy <name>",
+  `Use a built-in policy preset (${POLICY_VALUES2.join("|")})`,
+  parsePolicy
+).option("--baseline <path>", "Mark findings already present in this baseline").option("--write-baseline <path>", "Write the current active findings baseline").option("--output <path>", "Write report output to a file").option("--risk", "Enable risk signals").option("--no-risk", "Disable risk signals").option("--env", "Scan committed .env files for secret-like values").option("--no-env", "Disable committed .env file scanning").option("--prod", "Only scan production dependencies (excludes dev)").option("--include-dev", "Include dev dependencies (default)").option(
   "-v, --details",
   "Show one row per advisory (full table). Default groups by package."
 ).option(
   "-q, --summary",
   "Show only the one-line severity summary. Mutually exclusive with --details."
-).action(async (path, opts) => {
+).action(async (path, opts, command) => {
   await runScanCommand(
     path,
-    { ...opts, failOn: "none" },
+    {
+      ...normalizeScanOptions(opts, command),
+      failOn: "none"
+    },
     { gate: false }
   );
 });
+program.command("init").description(
+  "Create trawly.toml and write an initial baseline so CI can focus on new findings."
+).argument("[path]", "Project directory to initialize", ".").option("--config <path>", "Config path to write", "trawly.toml").option("--baseline <path>", "Baseline path to write", "trawly-baseline.json").option(
+  "--policy <name>",
+  `Initial policy preset (${POLICY_VALUES2.join("|")})`,
+  parsePolicy,
+  "ci"
+).option("--overwrite", "Overwrite an existing config file").option("--skip-baseline", "Do not scan or write a baseline").action(async (path, opts) => {
+  await runInitCommand(path, opts);
+});
+program.command("why").description(
+  "Explain where a package appears in supported lockfiles."
+).argument("<package>", "Package name to explain").argument("[path]", "Project directory to inspect", ".").option(
+  "--lockfile <path>",
+  "Explicit lockfile path. May be repeated.",
+  collectOption
+).action((packageName, path, opts) => {
+  runWhyCommand(packageName, path, opts);
+});
 program.command("add").description(
   "Resolve, scan, and install packages. Vulnerable packages are blocked; clean ones are forwarded to your package manager."
 ).argument("<args...>", "Packages to add (e.g. next vitest@1) : PM flags after the first package are passed through").option(
   "--fail-on <level>",
-  `Block install when a finding meets this severity (${FAIL_ON_VALUES.join("|")})`,
+  `Block install when a finding meets this severity (${FAIL_ON_VALUES2.join("|")})`,
   parseFailOn,
   "high"
 ).option(
@@ -1451,7 +3542,7 @@ program.command("install").alias("i").description(
   "Run the project's package manager install. With package args, behaves like `add` (gates on vulnerabilities). With none, forwards directly."
 ).argument("[args...]", "Optional packages to add").option(
   "--fail-on <level>",
-  `Block install when a finding meets this severity (${FAIL_ON_VALUES.join("|")})`,
+  `Block install when a finding meets this severity (${FAIL_ON_VALUES2.join("|")})`,
   parseFailOn,
   "high"
 ).option(
@@ -1463,7 +3554,7 @@ program.command("install").alias("i").description(
     const pm = detectPackageManager({ override: opts.pm });
     const command = buildInstallCommand(pm, []);
     process.stdout.write(
-      kleur4.gray(`> ${command.bin} ${command.args.join(" ")}
+      kleur5.gray(`> ${command.bin} ${command.args.join(" ")}
 `)
     );
     try {
@@ -1476,6 +3567,21 @@ program.command("install").alias("i").description(
   }
   await executeAdd(args, opts);
 });
+program.command("env").description(
+  "Scan for env-file leaks: tracked .env files, missing .gitignore coverage, npm-publish exposure, and secrets in .env.example."
+).argument("[path]", "Project directory to scan", ".").option(
+  "--format <format>",
+  "Output format: table | json",
+  parseEnvFormat,
+  "table"
+).option(
+  "--fail-on <level>",
+  `Exit non-zero when an issue meets this severity (${FAIL_ON_VALUES2.join("|")})`,
+  parseFailOn,
+  "high"
+).action(async (path, opts) => {
+  await runEnvCommand(path, opts);
+});
 program.command("remove").alias("uninstall").description(
   "Remove packages by delegating to the project's package manager (no scan)."
 ).argument("<args...>", "Packages to remove").option(
@@ -1487,7 +3593,7 @@ program.command("remove").alias("uninstall").description(
   const { specs, flags } = splitArgs(args);
   const command = buildRemoveCommand(pm, specs, flags);
   process.stdout.write(
-    kleur4.gray(`> ${command.bin} ${command.args.join(" ")}
+    kleur5.gray(`> ${command.bin} ${command.args.join(" ")}
 `)
   );
   try {
@@ -1498,6 +3604,45 @@ program.command("remove").alias("uninstall").description(
     process.exit(EXIT.operational);
   }
 });
+function normalizeScanOptions(opts, command) {
+  return {
+    ...opts,
+    risk: triStateBooleanFlag(command, "risk"),
+    env: triStateBooleanFlag(command, "env")
+  };
+}
+function triStateBooleanFlag(command, name) {
+  return command.getOptionValueSource(name) === "cli" ? command.getOptionValue(name) : void 0;
+}
+async function runEnvCommand(path, opts) {
+  try {
+    const result = await scanEnv({ cwd: path });
+    if (opts.format === "json") {
+      process.stdout.write(`${reportEnvJson(result)}
+`);
+    } else {
+      const brand = process.stdout.isTTY === true;
+      process.stdout.write(`${reportEnvTable(result, { brand })}
+`);
+    }
+    if (result.errors.length > 0) process.exit(EXIT.operational);
+    if (envIssuesMeetThreshold(result.issues, opts.failOn)) {
+      if (opts.format !== "json") {
+        process.stderr.write(
+          `${kleur5.red(
+            `\xD7 Failing because at least one issue meets --fail-on=${opts.failOn}.`
+          )}
+`
+        );
+      }
+      process.exit(EXIT.findings);
+    }
+    process.exit(EXIT.ok);
+  } catch (err) {
+    printErr(`trawly: ${err.message}`);
+    process.exit(EXIT.operational);
+  }
+}
 async function runScanCommand(path, opts, { gate }) {
   if (opts.prod && opts.includeDev) {
     printErr("Cannot combine --prod and --include-dev. Choose one.");
@@ -1508,29 +3653,34 @@ async function runScanCommand(path, opts, { gate }) {
     process.exit(EXIT.invalidInput);
   }
   try {
+    const cwd = resolve11(path);
+    const config = loadConfig(cwd, opts.config).config;
+    const policy = resolvePolicy(opts.policy, config.policy);
+    const failOn = opts.failOn ?? config.failOn ?? policy?.failOn ?? "high";
     const result = await scanProject({
-      cwd: path,
+      cwd,
       lockfile: opts.lockfile,
+      sbom: opts.sbom,
+      config: opts.config,
+      policy: opts.policy,
+      baseline: opts.baseline,
+      writeBaseline: opts.writeBaseline,
+      risk: opts.risk,
+      env: opts.env,
       includeDev: opts.includeDev,
-      prodOnly: opts.prod,
-      cache: opts.cache
+      prodOnly: opts.prod
     });
-    if (opts.format === "json") {
-      process.stdout.write(`${reportJson(result)}
-`);
-    } else {
-      const view = opts.summary ? "summary" : opts.details ? "details" : "grouped";
-      const brand = process.stdout.isTTY === true;
-      process.stdout.write(`${reportTable(result, { view, brand })}
+    const output = renderReport(result, opts);
+    if (opts.output) writeOutput(cwd, opts.output, output);
+    else process.stdout.write(`${output}
 `);
-    }
     if (result.errors.length > 0) {
       process.exit(EXIT.operational);
     }
     if (!gate) {
-      if (opts.format !== "json" && result.findings.length > 0) {
+      if (opts.format === "table" && !opts.output && result.findings.length > 0) {
         process.stdout.write(
-          `${kleur4.gray(
+          `${kleur5.gray(
             "\u2139 inspect mode: exiting 0 regardless of findings. Run `trawly scan` to gate CI."
           )}
 `
@@ -1538,13 +3688,13 @@ async function runScanCommand(path, opts, { gate }) {
       }
       process.exit(EXIT.ok);
     }
-    if (meetsThreshold(result.findings, opts.failOn)) {
+    if (meetsThreshold(result.findings, failOn)) {
       if (opts.format !== "json") {
         process.stderr.write(
-          `${kleur4.red(
-            `\xD7 Failing because at least one finding meets --fail-on=${opts.failOn}.`
+          `${kleur5.red(
+            `\xD7 Failing because at least one finding meets --fail-on=${failOn}.`
           )}
-${kleur4.gray(
+${kleur5.gray(
             "  Run `trawly inspect` to log without exiting non-zero, or `trawly scan --fail-on=none` to disable the gate."
           )}
 `
@@ -1554,7 +3704,48 @@ ${kleur4.gray(
     }
     process.exit(EXIT.ok);
   } catch (err) {
-    if (err instanceof ScanInputError) {
+    if (err instanceof ScanInputError || err instanceof ConfigError) {
+      printErr(err.message);
+      process.exit(EXIT.invalidInput);
+    }
+    printErr(`trawly: ${err.message}`);
+    process.exit(EXIT.operational);
+  }
+}
+async function runInitCommand(path, opts) {
+  try {
+    const result = await initProject({
+      cwd: path,
+      config: opts.config,
+      baseline: opts.baseline,
+      policy: opts.policy,
+      overwrite: opts.overwrite,
+      writeBaseline: !opts.skipBaseline
+    });
+    const lines = [];
+    lines.push(
+      result.configWritten ? kleur5.green(`\u2713 Wrote ${result.configPath}`) : kleur5.gray(`~ Kept existing ${result.configPath}`)
+    );
+    if (!opts.skipBaseline) {
+      if (result.baselineWritten && result.scan?.baseline?.written) {
+        lines.push(kleur5.green(`\u2713 Wrote ${result.scan.baseline.written}`));
+        lines.push(
+          kleur5.gray(
+            `  Baseline contains ${result.scan.baseline.total} active finding(s). Future scans can fail only on new findings with --baseline=${opts.baseline}.`
+          )
+        );
+      } else {
+        lines.push(kleur5.gray("~ Baseline was not written."));
+      }
+    }
+    for (const warning of result.warnings) {
+      lines.push(kleur5.yellow(`~ ${warning}`));
+    }
+    process.stdout.write(`${lines.join("\n")}
+`);
+    process.exit(EXIT.ok);
+  } catch (err) {
+    if (err instanceof ConfigError) {
       printErr(err.message);
       process.exit(EXIT.invalidInput);
     }
@@ -1562,6 +3753,51 @@ ${kleur4.gray(
     process.exit(EXIT.operational);
   }
 }
+function runWhyCommand(packageName, path, opts) {
+  try {
+    const result = explainWhy(packageName, {
+      cwd: path,
+      lockfile: opts.lockfile
+    });
+    if (result.lockfiles.length === 0) {
+      printErr(
+        "No supported lockfile found. Pass --lockfile or run in a project with package-lock.json, pnpm-lock.yaml, or yarn.lock."
+      );
+      process.exit(EXIT.invalidInput);
+    }
+    const lines = [];
+    lines.push(kleur5.bold(`trawly why ${packageName}`));
+    if (result.matches.length === 0) {
+      lines.push(kleur5.yellow("No matching package found in scanned lockfiles."));
+      process.stdout.write(`${lines.join("\n")}
+`);
+      process.exit(EXIT.ok);
+    }
+    for (const match of result.matches) {
+      const pkg = match.package;
+      const kind = pkg.direct ? "direct" : "transitive";
+      lines.push(
+        `${pkg.name}@${pkg.version} (${kind}, ${pkg.manager ?? "lockfile"})`
+      );
+      lines.push(`  path: ${pkg.path}`);
+      lines.push(`  chain: ${match.chain.join(" > ")}`);
+      if (match.note) lines.push(kleur5.gray(`  note: ${match.note}`));
+      if (pkg.sourceFile) {
+        lines.push(
+          kleur5.gray(
+            `  source: ${pkg.sourceFile}${pkg.line ? `:${pkg.line}` : ""}`
+          )
+        );
+      }
+    }
+    process.stdout.write(`${lines.join("\n")}
+`);
+    process.exit(EXIT.ok);
+  } catch (err) {
+    printErr(`trawly: ${err.message}`);
+    process.exit(EXIT.operational);
+  }
+}
 async function executeAdd(args, opts) {
   try {
     const result = await runAdd(args, {
@@ -1591,7 +3827,28 @@ function splitArgs(args) {
   return { specs, flags };
 }
 function printErr(msg) {
-  process.stderr.write(`${kleur4.red(msg)}
+  process.stderr.write(`${kleur5.red(msg)}
+`);
+}
+function renderReport(result, opts) {
+  switch (opts.format) {
+    case "json":
+      return reportJson(result);
+    case "markdown":
+      return reportMarkdown(result);
+    case "sarif":
+      return reportSarif(result);
+    case "table": {
+      const view = opts.summary ? "summary" : opts.details ? "details" : "grouped";
+      const brand = process.stdout.isTTY === true && !opts.output;
+      return reportTable(result, { view, brand });
+    }
+  }
+}
+function writeOutput(cwd, path, content) {
+  const absolute = resolve11(cwd, path);
+  mkdirSync2(dirname4(absolute), { recursive: true });
+  writeFileSync3(absolute, `${content}
 `);
 }
 await program.parseAsync(process.argv);