trawly 0.0.2 → 0.1.1

package/dist/index.js

@@ -1,13 +1,446 @@
 // src/scanner.ts
-import { existsSync as existsSync2, statSync } from "fs";
-import { basename, resolve as resolve4, join as join2 } from "path";
+import { existsSync as existsSync4, statSync as statSync2 } from "fs";
+import { dirname as dirname3, resolve as resolve7, join as join4 } from "path";
+
+// src/baseline.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+var BaselineError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BaselineError";
+  }
+};
+function applyBaseline(findings, cwd, baselinePath) {
+  if (!baselinePath) return void 0;
+  const absolute = resolve(cwd, baselinePath);
+  const loaded = readBaseline(absolute);
+  const fingerprints = new Set(loaded.findings);
+  let existing = 0;
+  let fresh = 0;
+  const marked = findings.map((finding) => {
+    if (fingerprints.has(finding.fingerprint)) {
+      existing++;
+      return { ...finding, baseline: "existing" };
+    }
+    fresh++;
+    return { ...finding, baseline: "new" };
+  });
+  return {
+    result: {
+      path: absolute,
+      loaded: true,
+      total: findings.length,
+      existing,
+      new: fresh
+    },
+    findings: marked
+  };
+}
+function writeBaseline(findings, cwd, baselinePath, existing) {
+  const absolute = resolve(cwd, baselinePath);
+  const unique = [...new Set(findings.map((f) => f.fingerprint))].sort();
+  const payload = {
+    version: 1,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    findings: unique
+  };
+  mkdirSync(dirname(absolute), { recursive: true });
+  writeFileSync(absolute, `${JSON.stringify(payload, null, 2)}
+`);
+  return {
+    path: existing?.path,
+    loaded: existing?.loaded ?? false,
+    written: absolute,
+    total: findings.length,
+    existing: existing?.existing ?? 0,
+    new: existing?.new ?? findings.length
+  };
+}
+function readBaseline(path) {
+  if (!existsSync(path)) {
+    throw new BaselineError(`Baseline file does not exist: ${path}`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(path, "utf8"));
+  } catch (err) {
+    throw new BaselineError(
+      `Failed to parse baseline ${path}: ${err.message}`
+    );
+  }
+  if (!isRecord(parsed) || parsed.version !== 1) {
+    throw new BaselineError(`${path}: unsupported baseline format.`);
+  }
+  if (!Array.isArray(parsed.findings)) {
+    throw new BaselineError(`${path}: findings must be an array.`);
+  }
+  const findings = parsed.findings.filter((v) => typeof v === "string");
+  return {
+    version: 1,
+    generatedAt: typeof parsed.generatedAt === "string" ? parsed.generatedAt : "",
+    findings
+  };
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/config.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2, join } from "path";
+import { parse as parseToml } from "smol-toml";
+var CONFIG_NAME = "trawly.toml";
+var FAIL_ON_VALUES = /* @__PURE__ */ new Set([
+  "critical",
+  "high",
+  "moderate",
+  "low",
+  "none"
+]);
+var POLICY_VALUES = /* @__PURE__ */ new Set([
+  "ci",
+  "strict",
+  "library",
+  "app"
+]);
+var ConfigError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ConfigError";
+  }
+};
+function loadConfig(cwd, explicitPath) {
+  const configPath = explicitPath ? resolve2(cwd, explicitPath) : findConfig(cwd);
+  if (!configPath) return { config: { ignore: [] } };
+  if (!existsSync2(configPath)) {
+    throw new ConfigError(`Config file does not exist: ${configPath}`);
+  }
+  let raw;
+  try {
+    raw = parseToml(readFileSync2(configPath, "utf8"));
+  } catch (err) {
+    throw new ConfigError(
+      `Failed to parse ${configPath}: ${err.message}`
+    );
+  }
+  return { path: configPath, config: normalizeConfig(raw, configPath) };
+}
+function findConfig(cwd) {
+  const candidate = join(cwd, CONFIG_NAME);
+  return existsSync2(candidate) ? candidate : void 0;
+}
+function normalizeConfig(raw, path) {
+  if (!isRecord2(raw)) throw new ConfigError(`${path} must be a TOML table.`);
+  const failOn = optionalString(raw.failOn, "failOn", path);
+  if (failOn !== void 0 && !FAIL_ON_VALUES.has(failOn)) {
+    throw new ConfigError(
+      `${path}: failOn must be one of ${[...FAIL_ON_VALUES].join(", ")}.`
+    );
+  }
+  const policy = optionalString(raw.policy, "policy", path);
+  if (policy !== void 0 && !POLICY_VALUES.has(policy)) {
+    throw new ConfigError(
+      `${path}: policy must be one of ${[...POLICY_VALUES].join(", ")}.`
+    );
+  }
+  const risk = optionalBoolean(raw.risk, "risk", path);
+  const env = optionalBoolean(raw.env, "env", path);
+  const allowedRegistries = normalizeStringArray(
+    raw.allowedRegistries,
+    "allowedRegistries",
+    path
+  );
+  if (raw.ignore !== void 0 && raw.IgnoredVulns !== void 0) {
+    console.warn(
+      `${path}: both "ignore" and legacy "IgnoredVulns" are defined; using "ignore".`
+    );
+  }
+  const ignore = normalizeIgnore(raw.ignore ?? raw.IgnoredVulns ?? [], path);
+  return {
+    failOn,
+    policy,
+    risk,
+    env,
+    allowedRegistries,
+    ignore
+  };
+}
+function normalizeIgnore(raw, path) {
+  if (raw === void 0) return [];
+  if (!Array.isArray(raw)) {
+    throw new ConfigError(`${path}: ignore must be an array of tables.`);
+  }
+  return raw.map((item, idx) => {
+    if (!isRecord2(item)) {
+      throw new ConfigError(`${path}: ignore[${idx}] must be a table.`);
+    }
+    const id = requiredString(item.id, `ignore[${idx}].id`, path);
+    const expires = requiredDateString(
+      item.expires,
+      `ignore[${idx}].expires`,
+      path
+    );
+    const reason = requiredString(item.reason, `ignore[${idx}].reason`, path);
+    return {
+      id,
+      expires,
+      reason,
+      package: optionalString(item.package, `ignore[${idx}].package`, path),
+      ecosystem: optionalString(item.ecosystem, `ignore[${idx}].ecosystem`, path),
+      version: optionalString(item.version, `ignore[${idx}].version`, path)
+    };
+  });
+}
+function normalizeStringArray(raw, field, path) {
+  if (raw === void 0) return void 0;
+  if (!Array.isArray(raw) || raw.some((v) => typeof v !== "string")) {
+    throw new ConfigError(`${path}: ${field} must be an array of strings.`);
+  }
+  return raw;
+}
+function requiredDateString(raw, field, path) {
+  const value = requiredString(raw, field, path);
+  if (!isIsoDate(value)) {
+    throw new ConfigError(`${path}: ${field} must be YYYY-MM-DD.`);
+  }
+  return value;
+}
+function requiredString(raw, field, path) {
+  if (typeof raw !== "string" || raw.trim() === "") {
+    throw new ConfigError(`${path}: ${field} is required.`);
+  }
+  return raw;
+}
+function optionalString(raw, field, path) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "string") {
+    throw new ConfigError(`${path}: ${field} must be a string.`);
+  }
+  return raw;
+}
+function optionalBoolean(raw, field, path) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "boolean") {
+    throw new ConfigError(`${path}: ${field} must be true or false.`);
+  }
+  return raw;
+}
+function isIsoDate(s) {
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
+  const date = /* @__PURE__ */ new Date(`${s}T00:00:00.000Z`);
+  return !Number.isNaN(date.getTime()) && date.toISOString().startsWith(s);
+}
+function isRecord2(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/env.ts
+import {
+  lstatSync,
+  readdirSync,
+  readFileSync as readFileSync3,
+  statSync
+} from "fs";
+import { join as join2, relative } from "path";
+
+// src/fingerprint.ts
+import { createHash } from "crypto";
+function fingerprintFinding(input) {
+  return stableHash([
+    input.source,
+    input.type,
+    input.id,
+    input.ecosystem,
+    input.packageName,
+    input.installedVersion
+  ]);
+}
+function packageKey(pkg) {
+  return pkg.purl ?? `${pkg.ecosystem}:${pkg.name}@${pkg.version}`;
+}
+function stableHash(parts) {
+  return createHash("sha256").update(parts.join("\0")).digest("hex");
+}
+
+// src/env.ts
+var MAX_ENV_FILE_BYTES = 1024 * 1024;
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  ".hg",
+  ".svn",
+  "coverage",
+  "dist",
+  "node_modules",
+  "vendor"
+]);
+var SAFE_ENV_SUFFIXES = /* @__PURE__ */ new Set([
+  "default",
+  "defaults",
+  "dist",
+  "example",
+  "sample",
+  "template"
+]);
+var SECRET_KEY_RE = /(?:^|_)(?:SECRET|TOKEN|PASSWORD|PASS|PWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|AUTH|CREDENTIAL|DATABASE_URL|DB_URL|REDIS_URL|MONGO_URI|CONNECTION_STRING|WEBHOOK|CLIENT_SECRET)(?:$|_)/i;
+var PRIVATE_KEY_RE = /PRIVATE_KEY|BEGIN_[A-Z0-9_]+_PRIVATE_KEY/i;
+var PLACEHOLDER_RE = /^(?:|changeme|change_me|change-me|example|example-value|placeholder|replace_me|replace-me|todo|test|dummy|your_.+|<.+>|\$\{.+\}|x+)$/i;
+function scanEnvFiles(cwd) {
+  const warnings = [];
+  const findings = [];
+  let filesScanned = 0;
+  for (const file of findEnvFiles(cwd)) {
+    let raw;
+    try {
+      const stat = statSync(file);
+      if (stat.size > MAX_ENV_FILE_BYTES) {
+        warnings.push(
+          `Skipped env file ${relative(cwd, file)} because it is larger than 1 MiB.`
+        );
+        continue;
+      }
+      raw = readFileSync3(file, "utf8");
+    } catch (err) {
+      warnings.push(
+        `Could not read env file ${relative(cwd, file)}: ${err.message}`
+      );
+      continue;
+    }
+    filesScanned++;
+    const rel = normalizePath(relative(cwd, file));
+    findings.push(envFileFinding(file, rel));
+    for (const assignment of parseEnvAssignments(raw)) {
+      if (!isSensitiveAssignment(assignment)) continue;
+      findings.push(envSecretFinding(file, rel, assignment));
+    }
+  }
+  return { findings, warnings, filesScanned };
+}
+function findEnvFiles(root) {
+  const out = [];
+  const stack = [root];
+  while (stack.length > 0) {
+    const dir = stack.pop();
+    let entries;
+    try {
+      entries = readdirSync(dir);
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const path = join2(dir, entry);
+      let stat;
+      try {
+        stat = lstatSync(path);
+      } catch {
+        continue;
+      }
+      if (stat.isSymbolicLink()) continue;
+      if (stat.isDirectory()) {
+        if (!SKIP_DIRS.has(entry)) stack.push(path);
+        continue;
+      }
+      if (stat.isFile() && isEnvFile(entry)) out.push(path);
+    }
+  }
+  return out.sort();
+}
+function isEnvFile(name) {
+  if (name === ".env") return true;
+  if (!name.startsWith(".env.")) return false;
+  const suffixes = name.slice(".env.".length).toLowerCase().split(".").filter(Boolean);
+  return !suffixes.some((suffix) => SAFE_ENV_SUFFIXES.has(suffix));
+}
+function parseEnvAssignments(raw) {
+  const out = [];
+  raw.split(/\r?\n/).forEach((line, index) => {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) return;
+    const match = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(
+      trimmed
+    );
+    if (!match) return;
+    const key = match[1];
+    const value = unquote(match[2].trim());
+    out.push({ key, value, line: index + 1 });
+  });
+  return out;
+}
+function isSensitiveAssignment(assignment) {
+  if (!SECRET_KEY_RE.test(assignment.key)) return false;
+  return !PLACEHOLDER_RE.test(assignment.value.trim());
+}
+function envFileFinding(sourceFile, rel) {
+  const id = "TRAWLY-ENV-FILE";
+  return {
+    id,
+    source: "trawly",
+    type: "secret",
+    severity: "moderate",
+    ecosystem: "env",
+    packageName: ".env file",
+    installedVersion: rel,
+    summary: "Committed env file detected. Verify it does not contain secrets and prefer committing an example/template file instead.",
+    fixedVersions: [],
+    affectedPaths: [rel],
+    fingerprint: fingerprintFinding({
+      source: "trawly",
+      type: "secret",
+      id,
+      ecosystem: "env",
+      packageName: ".env file",
+      installedVersion: rel
+    }),
+    aliases: [],
+    sourceFile,
+    line: 1
+  };
+}
+function envSecretFinding(sourceFile, rel, assignment) {
+  const id = "TRAWLY-ENV-SECRET";
+  return {
+    id,
+    source: "trawly",
+    type: "secret",
+    severity: PRIVATE_KEY_RE.test(assignment.key) ? "critical" : "high",
+    ecosystem: "env",
+    packageName: assignment.key,
+    installedVersion: rel,
+    summary: "Committed env file contains a secret-like variable. The value is intentionally omitted from this report.",
+    fixedVersions: [],
+    affectedPaths: [rel],
+    fingerprint: fingerprintFinding({
+      source: "trawly",
+      type: "secret",
+      id,
+      ecosystem: "env",
+      packageName: assignment.key,
+      installedVersion: rel
+    }),
+    aliases: [],
+    sourceFile,
+    line: assignment.line
+  };
+}
+function unquote(value) {
+  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+    return value.slice(1, -1);
+  }
+  return value;
+}
+function normalizePath(path) {
+  return path.split(/[\\/]/).join("/");
+}
+
+// src/extractors/lockfile.ts
+import { basename as basename2 } from "path";
 
 // src/extractors/npm-package-lock.ts
-import { readFileSync } from "fs";
-import { resolve } from "path";
+import { readFileSync as readFileSync4 } from "fs";
+import { resolve as resolve3 } from "path";
 function parseNpmPackageLock(filePath) {
-  const absolute = resolve(filePath);
-  const raw = readFileSync(absolute, "utf8");
+  const absolute = resolve3(filePath);
+  const raw = readFileSync4(absolute, "utf8");
   let parsed;
   try {
     parsed = JSON.parse(raw);
@@ -45,8 +478,14 @@ function parseNpmPackageLock(filePath) {
       direct: directDeps.has(name) && isTopLevelInstance(path),
       dev: Boolean(entry.dev || entry.devOptional),
       optional: Boolean(entry.optional || entry.devOptional),
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf(raw, JSON.stringify(path)),
+      manager: "npm",
       resolved: entry.resolved,
-      integrity: entry.integrity
+      integrity: entry.integrity,
+      registry: registryFromResolved(entry.resolved),
+      hasInstallScript: Boolean(entry.hasInstallScript)
     });
   }
   return instances;
@@ -85,277 +524,856 @@ function isTopLevelInstance(path) {
   if (first === -1) return false;
   return path.indexOf("node_modules/", first + 1) === -1;
 }
+function registryFromResolved(resolved) {
+  if (!resolved) return void 0;
+  try {
+    const url = new URL(resolved);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return void 0;
+  }
+}
+function lineOf(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
+}
+
+// src/extractors/pnpm-lock.ts
+import { readFileSync as readFileSync6 } from "fs";
+import { resolve as resolve4 } from "path";
+import { parse as parseYaml } from "yaml";
+
+// src/extractors/package-json.ts
+import { existsSync as existsSync3, readFileSync as readFileSync5 } from "fs";
+import { dirname as dirname2, join as join3 } from "path";
+function readPackageJsonInfoFrom(filePath) {
+  return readPackageJsonInfo(dirname2(filePath));
+}
+function readPackageJsonInfo(cwd) {
+  const info = {
+    dependencies: /* @__PURE__ */ new Set(),
+    devDependencies: /* @__PURE__ */ new Set(),
+    optionalDependencies: /* @__PURE__ */ new Set(),
+    allDirect: /* @__PURE__ */ new Set()
+  };
+  const path = join3(cwd, "package.json");
+  if (!existsSync3(path)) return info;
+  try {
+    const raw = JSON.parse(readFileSync5(path, "utf8"));
+    collect(raw.dependencies, info.dependencies, info.allDirect);
+    collect(raw.devDependencies, info.devDependencies, info.allDirect);
+    collect(raw.optionalDependencies, info.optionalDependencies, info.allDirect);
+    collect(raw.peerDependencies, info.dependencies, info.allDirect);
+  } catch {
+    return info;
+  }
+  return info;
+}
+function collect(value, target, allDirect) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return;
+  for (const name of Object.keys(value)) {
+    target.add(name);
+    allDirect.add(name);
+  }
+}
 
 // src/extractors/pnpm-lock.ts
-import { readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve2 } from "path";
-import yaml from "js-yaml";
 var SUPPORTED_MAJOR_VERSIONS = /* @__PURE__ */ new Set([6, 9]);
 function parsePnpmLock(filePath) {
-  const absolute = resolve2(filePath);
-  const raw = readFileSync2(absolute, "utf8");
+  const absolute = resolve4(filePath);
+  const raw = readFileSync6(absolute, "utf8");
   let parsed;
   try {
-    parsed = yaml.load(raw) ?? {};
+    parsed = parseYaml(raw);
   } catch (err) {
     throw new Error(
       `Failed to parse ${absolute}: ${err.message}`
     );
   }
-  const versionRaw = parsed.lockfileVersion;
-  const major = parseLockfileMajor(versionRaw);
+  const major = parseLockfileMajor(parsed.lockfileVersion);
   if (major === null || !SUPPORTED_MAJOR_VERSIONS.has(major)) {
     throw new Error(
-      `Unsupported pnpm lockfileVersion ${String(versionRaw)} in ${absolute}. Supported: 6.x, 9.x.`
+      `Unsupported pnpm lockfileVersion ${String(parsed.lockfileVersion)} in ${absolute}. Supported: 6.x, 9.x.`
     );
   }
-  const packages = parsed.packages;
-  if (!packages || typeof packages !== "object") {
-    throw new Error(
-      `Lockfile ${absolute} has no "packages" map; cannot extract installed versions.`
-    );
+  if (!parsed.packages || typeof parsed.packages !== "object") {
+    throw new Error(`Lockfile ${absolute} has no "packages" map.`);
   }
-  const importers = parsed.importers ?? {
-    ".": {
-      dependencies: parsed.dependencies,
-      devDependencies: parsed.devDependencies,
-      optionalDependencies: parsed.optionalDependencies
-    }
-  };
-  const direct = collectDirectFromImporters(importers);
+  const rootInfo = readPackageJsonInfoFrom(absolute);
+  const importerDirect = collectImporterDirect(parsed);
+  const directDeps = importerDirect.all.size > 0 ? importerDirect.all : rootInfo.allDirect;
+  const devDeps = importerDirect.dev.size > 0 ? importerDirect.dev : rootInfo.devDependencies;
+  const optionalDeps = importerDirect.optional.size > 0 ? importerDirect.optional : rootInfo.optionalDependencies;
   const instances = [];
-  for (const [key, entry] of Object.entries(packages)) {
-    const parsed2 = parsePnpmPackageKey(key);
-    if (!parsed2) continue;
-    const name = entry.name ?? parsed2.name;
-    const version = entry.version ?? parsed2.version;
-    if (!name || !version) continue;
-    const isDirect = direct.prod.has(name) || direct.dev.has(name) || direct.optional.has(name);
-    const onlyDev = direct.dev.has(name) && !direct.prod.has(name);
-    const onlyOptional = direct.optional.has(name) && !direct.prod.has(name) && !direct.dev.has(name);
+  for (const [key, entry] of Object.entries(parsed.packages)) {
+    const parsedKey = parsePnpmPackageKey(key);
+    if (!parsedKey) continue;
+    const direct = directDeps.has(parsedKey.name);
     instances.push({
-      name,
-      version,
+      name: parsedKey.name,
+      version: parsedKey.version,
       ecosystem: "npm",
       path: key,
-      direct: isDirect,
-      dev: Boolean(entry.dev) || onlyDev,
-      optional: Boolean(entry.optional) || onlyOptional,
+      direct,
+      dev: direct ? devDeps.has(parsedKey.name) : Boolean(entry.dev),
+      optional: direct ? optionalDeps.has(parsedKey.name) : Boolean(entry.optional),
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf2(raw, key),
+      manager: "pnpm",
       resolved: entry.resolution?.tarball,
-      integrity: entry.resolution?.integrity
+      integrity: entry.resolution?.integrity,
+      registry: registryFromResolved2(entry.resolution?.tarball),
+      hasInstallScript: Boolean(entry.requiresBuild)
     });
   }
   return instances;
 }
+function parsePnpmPackageKey(key) {
+  let normalized = key.replace(/^\/+/, "");
+  const peerStart = normalized.indexOf("(");
+  if (peerStart !== -1) normalized = normalized.slice(0, peerStart);
+  normalized = normalized.split("_")[0] ?? normalized;
+  const at = normalized.lastIndexOf("@");
+  if (at <= 0) return null;
+  const name = normalized.slice(0, at);
+  const version = normalized.slice(at + 1);
+  if (!name || !version) return null;
+  return { name, version };
+}
+function collectImporterDirect(lock) {
+  const all = /* @__PURE__ */ new Set();
+  const dev = /* @__PURE__ */ new Set();
+  const optional = /* @__PURE__ */ new Set();
+  const importers = lock.importers ?? {
+    ".": {
+      dependencies: lock.dependencies,
+      devDependencies: lock.devDependencies,
+      optionalDependencies: lock.optionalDependencies
+    }
+  };
+  for (const importer of Object.values(importers)) {
+    addKeys(importer.dependencies, all);
+    addKeys(importer.devDependencies, all, dev);
+    addKeys(importer.optionalDependencies, all, optional);
+  }
+  return { all, dev, optional };
+}
 function parseLockfileMajor(value) {
   if (typeof value === "number") return Math.trunc(value);
   if (typeof value === "string") {
-    const num = parseInt(value, 10);
-    return Number.isNaN(num) ? null : num;
+    const major = Number.parseInt(value, 10);
+    return Number.isNaN(major) ? null : major;
   }
   return null;
 }
-function collectDirectFromImporters(importers) {
-  const prod = /* @__PURE__ */ new Set();
-  const dev = /* @__PURE__ */ new Set();
-  const optional = /* @__PURE__ */ new Set();
-  for (const importer of Object.values(importers)) {
-    if (!importer) continue;
-    addDepNames(importer.dependencies, prod);
-    addDepNames(importer.devDependencies, dev);
-    addDepNames(importer.optionalDependencies, optional);
+function addKeys(value, all, bucket) {
+  if (!value) return;
+  for (const name of Object.keys(value)) {
+    all.add(name);
+    bucket?.add(name);
+  }
+}
+function registryFromResolved2(resolved) {
+  if (!resolved) return void 0;
+  try {
+    const url = new URL(resolved);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return void 0;
+  }
+}
+function lineOf2(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
+}
+
+// src/extractors/yarn-lock.ts
+import { readFileSync as readFileSync7 } from "fs";
+import { resolve as resolve5 } from "path";
+import { parse as parseYaml2 } from "yaml";
+import * as yarnClassicModule from "@yarnpkg/lockfile";
+var yarnClassic = "parse" in yarnClassicModule ? yarnClassicModule : yarnClassicModule.default;
+var LOCAL_YARN_PROTOCOLS = ["workspace:", "patch:", "portal:", "file:"];
+function parseYarnLock(filePath) {
+  const absolute = resolve5(filePath);
+  const raw = readFileSync7(absolute, "utf8");
+  return isBerryLock(raw) ? parseYarnBerryLock(absolute, raw) : parseYarnClassicLock(absolute, raw);
+}
+function parseYarnClassicLock(absolute, raw) {
+  const parsed = yarnClassic.parse(raw);
+  if (parsed.type === "conflict") {
+    throw new Error(`Yarn lockfile ${absolute} contains merge conflicts.`);
+  }
+  const rootInfo = readPackageJsonInfoFrom(absolute);
+  const instances = [];
+  for (const [descriptor, value] of Object.entries(parsed.object)) {
+    if (!isRecord3(value)) continue;
+    const entry = value;
+    if (!entry.version) continue;
+    const name = parseYarnDescriptorName(descriptor);
+    if (!name) continue;
+    const direct = rootInfo.allDirect.has(name);
+    instances.push({
+      name,
+      version: entry.version,
+      ecosystem: "npm",
+      path: descriptor,
+      direct,
+      dev: direct ? rootInfo.devDependencies.has(name) : false,
+      optional: direct ? rootInfo.optionalDependencies.has(name) : false,
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf3(raw, descriptor),
+      manager: "yarn",
+      resolved: entry.resolved,
+      integrity: entry.integrity,
+      registry: registryFromResolved3(entry.resolved),
+      hasInstallScript: false
+    });
+  }
+  return dedupeInstances(instances);
+}
+function parseYarnBerryLock(absolute, raw) {
+  let parsed;
+  try {
+    parsed = parseYaml2(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  const rootInfo = readPackageJsonInfoFrom(absolute);
+  const instances = [];
+  for (const [descriptor, value] of Object.entries(parsed)) {
+    if (descriptor === "__metadata" || !isRecord3(value)) continue;
+    const entry = value;
+    if (!entry.version) continue;
+    const resolution = entry.resolution ?? descriptor;
+    if (hasLocalYarnProtocol(resolution) || hasLocalYarnProtocol(descriptor)) {
+      continue;
+    }
+    const name = parseYarnDescriptorName(resolution) ?? parseYarnDescriptorName(descriptor);
+    if (!name) continue;
+    const direct = rootInfo.allDirect.has(name);
+    instances.push({
+      name,
+      version: entry.version,
+      ecosystem: "npm",
+      path: descriptor,
+      direct,
+      dev: direct ? rootInfo.devDependencies.has(name) : false,
+      optional: direct ? rootInfo.optionalDependencies.has(name) : false,
+      inputKind: "lockfile",
+      sourceFile: absolute,
+      line: lineOf3(raw, descriptor),
+      manager: "yarn",
+      integrity: entry.checksum,
+      hasInstallScript: false
+    });
+  }
+  return dedupeInstances(instances);
+}
+function hasLocalYarnProtocol(value) {
+  const normalized = value.trim().replace(/^"|"$/g, "");
+  return LOCAL_YARN_PROTOCOLS.some(
+    (protocol) => normalized.startsWith(protocol) || normalized.includes(`@${protocol}`)
+  );
+}
+function parseYarnDescriptorName(descriptor) {
+  const first = descriptor.split(",")[0]?.trim().replace(/^"|"$/g, "");
+  if (!first) return null;
+  for (const marker of ["@npm:", "@patch:", "@workspace:", "@portal:", "@file:"]) {
+    const idx = first.lastIndexOf(marker);
+    if (idx > 0) return first.slice(0, idx);
+  }
+  if (first.startsWith("@")) {
+    const slash = first.indexOf("/");
+    if (slash === -1) return null;
+    const at2 = first.indexOf("@", slash + 1);
+    return at2 === -1 ? first : first.slice(0, at2);
+  }
+  const at = first.indexOf("@");
+  return at === -1 ? first : first.slice(0, at);
+}
+function isBerryLock(raw) {
+  return raw.includes("__metadata:") || raw.includes("cacheKey:");
+}
+function dedupeInstances(instances) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const instance of instances) {
+    const key = `${instance.name}@${instance.version}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(instance);
+  }
+  return out;
+}
+function registryFromResolved3(resolved) {
+  if (!resolved) return void 0;
+  try {
+    const url = new URL(resolved);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return void 0;
+  }
+}
+function lineOf3(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
+}
+function isRecord3(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/extractors/lockfile.ts
+function parseLockfile(filePath) {
+  const file = basename2(filePath);
+  if (file === "package-lock.json" || file === "npm-shrinkwrap.json") {
+    return parseNpmPackageLock(filePath);
+  }
+  if (file === "pnpm-lock.yaml") return parsePnpmLock(filePath);
+  if (file === "yarn.lock") return parseYarnLock(filePath);
+  throw new Error(
+    `Unsupported lockfile ${filePath}. Supported: package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock.`
+  );
+}
+
+// src/extractors/sbom.ts
+import { readFileSync as readFileSync8 } from "fs";
+import { basename as basename3, resolve as resolve6 } from "path";
+import { XMLParser } from "fast-xml-parser";
+import { PackageURL } from "packageurl-js";
+function parseSbom(filePath) {
+  const absolute = resolve6(filePath);
+  const raw = readFileSync8(absolute, "utf8");
+  const trimmed = raw.trimStart();
+  if (trimmed.startsWith("{")) return parseJsonSbom(absolute, raw);
+  if (trimmed.startsWith("<")) return parseCycloneDxXml(absolute, raw);
+  return parseSpdxTagValue(absolute, raw);
+}
+function parseJsonSbom(absolute, raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  if (!isRecord4(parsed)) {
+    throw new Error(`SBOM ${absolute} must contain a JSON object.`);
+  }
+  if (Array.isArray(parsed.components)) {
+    return parseCycloneDxJson(absolute, raw, parsed.components);
+  }
+  if (Array.isArray(parsed.packages)) {
+    return parseSpdxJson(absolute, raw, parsed.packages);
+  }
+  throw new Error(
+    `Could not detect SBOM format for ${absolute}; expected CycloneDX or SPDX.`
+  );
+}
+function parseCycloneDxJson(absolute, raw, components) {
+  const instances = [];
+  for (const component of components) {
+    if (!isRecord4(component) || typeof component.purl !== "string") continue;
+    const pkg = parsePurlPackage(component.purl);
+    if (!pkg) continue;
+    instances.push(sbomPackage(pkg, absolute, raw, component.purl));
+  }
+  return dedupe(instances);
+}
+function parseCycloneDxXml(absolute, raw) {
+  const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: "",
+    textNodeName: "#text"
+  });
+  let parsed;
+  try {
+    parsed = parser.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse ${absolute}: ${err.message}`
+    );
+  }
+  const bom = isRecord4(parsed) ? parsed.bom : void 0;
+  const components = isRecord4(bom) && isRecord4(bom.components) ? arrayify(bom.components.component) : [];
+  const instances = [];
+  for (const component of components) {
+    if (!isRecord4(component) || typeof component.purl !== "string") continue;
+    const pkg = parsePurlPackage(component.purl);
+    if (!pkg) continue;
+    instances.push(sbomPackage(pkg, absolute, raw, component.purl));
+  }
+  return dedupe(instances);
+}
+function parseSpdxJson(absolute, raw, packages) {
+  const instances = [];
+  for (const pkgRecord of packages) {
+    if (!isRecord4(pkgRecord)) continue;
+    const externalRefs = Array.isArray(pkgRecord.externalRefs) ? pkgRecord.externalRefs : [];
+    for (const ref of externalRefs) {
+      if (!isRecord4(ref)) continue;
+      const locator = ref.referenceLocator;
+      const type = String(ref.referenceType ?? "").toLowerCase();
+      if (type !== "purl" || typeof locator !== "string") continue;
+      const pkg = parsePurlPackage(locator);
+      if (!pkg) continue;
+      instances.push(sbomPackage(pkg, absolute, raw, locator));
+    }
+  }
+  return dedupe(instances);
+}
+function parseSpdxTagValue(absolute, raw) {
+  if (!raw.includes("SPDXVersion:")) {
+    throw new Error(
+      `Could not detect SBOM format for ${absolute}; expected CycloneDX or SPDX.`
+    );
+  }
+  const instances = [];
+  for (const line of raw.split(/\r?\n/)) {
+    const match = line.match(/^ExternalRef:\s+PACKAGE-MANAGER\s+purl\s+(\S+)/);
+    if (!match?.[1]) continue;
+    const pkg = parsePurlPackage(match[1]);
+    if (!pkg) continue;
+    instances.push(sbomPackage(pkg, absolute, raw, match[1]));
+  }
+  return dedupe(instances);
+}
+function parsePurlPackage(purl) {
+  let parsed;
+  try {
+    parsed = PackageURL.fromString(purl);
+  } catch {
+    return null;
+  }
+  if (!parsed.version) return null;
+  const ecosystem = purlTypeToOsvEcosystem(parsed.type);
+  if (!ecosystem) return null;
+  return {
+    name: purlName(parsed),
+    version: parsed.version,
+    ecosystem,
+    purl
+  };
+}
+function sbomPackage(pkg, absolute, raw, needle) {
+  return {
+    name: pkg.name,
+    version: pkg.version,
+    ecosystem: pkg.ecosystem,
+    path: `${basename3(absolute)}:${pkg.purl}`,
+    direct: false,
+    dev: false,
+    optional: false,
+    inputKind: "sbom",
+    purl: pkg.purl,
+    sourceFile: absolute,
+    line: lineOf4(raw, needle),
+    manager: "sbom"
+  };
+}
+function purlTypeToOsvEcosystem(type) {
+  switch (type.toLowerCase()) {
+    case "npm":
+      return "npm";
+    case "pypi":
+      return "PyPI";
+    case "maven":
+      return "Maven";
+    case "gem":
+      return "RubyGems";
+    case "nuget":
+      return "NuGet";
+    case "golang":
+    case "go":
+      return "Go";
+    case "cargo":
+      return "crates.io";
+    case "composer":
+      return "Packagist";
+    case "deb":
+      return "Debian";
+    case "apk":
+      return "Alpine";
+    default:
+      return null;
+  }
+}
+function purlName(purl) {
+  if (purl.type.toLowerCase() === "npm" && purl.namespace) {
+    const scope = purl.namespace.startsWith("@") ? purl.namespace : `@${purl.namespace}`;
+    return `${scope}/${purl.name}`;
+  }
+  if (purl.type.toLowerCase() === "maven" && purl.namespace) {
+    return `${purl.namespace}:${purl.name}`;
+  }
+  return purl.namespace ? `${purl.namespace}/${purl.name}` : purl.name;
+}
+function dedupe(instances) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const instance of instances) {
+    const key = instance.purl ?? `${instance.ecosystem}:${instance.name}@${instance.version}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(instance);
+  }
+  return out;
+}
+function arrayify(value) {
+  if (value === void 0) return [];
+  return Array.isArray(value) ? value : [value];
+}
+function lineOf4(raw, needle) {
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return void 0;
+  return raw.slice(0, idx).split(/\r?\n/).length;
+}
+function isRecord4(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/ignore.ts
+function applyIgnores(findings, ignores, now) {
+  if (ignores.length === 0) return { active: findings, ignored: [], warnings: [] };
+  const warnings = [];
+  const activeIgnores = ignores.filter((entry) => {
+    const expires = /* @__PURE__ */ new Date(`${entry.expires}T23:59:59.999Z`);
+    if (Number.isNaN(expires.getTime()) || expires < now) {
+      warnings.push(
+        `Ignore for ${entry.id} expired on ${entry.expires} and was not applied.`
+      );
+      return false;
+    }
+    return true;
+  });
+  const active = [];
+  const ignored = [];
+  for (const finding of findings) {
+    const matched = activeIgnores.some((entry) => matchesIgnore(finding, entry));
+    if (matched) {
+      ignored.push({ ...finding, ignored: true });
+    } else {
+      active.push(finding);
+    }
+  }
+  return { active, ignored, warnings };
+}
+function matchesIgnore(finding, entry) {
+  const ids = /* @__PURE__ */ new Set([finding.id, ...finding.aliases]);
+  if (!ids.has(entry.id)) return false;
+  if (entry.package && entry.package !== finding.packageName) return false;
+  if (entry.ecosystem && entry.ecosystem !== finding.ecosystem) return false;
+  if (entry.version && entry.version !== finding.installedVersion) return false;
+  return true;
+}
+
+// src/policy.ts
+var POLICY_PRESETS = {
+  ci: {
+    failOn: "high",
+    risk: true,
+    env: false,
+    includeDev: true
+  },
+  strict: {
+    failOn: "moderate",
+    risk: true,
+    env: true,
+    includeDev: true
+  },
+  library: {
+    failOn: "moderate",
+    risk: true,
+    env: false,
+    includeDev: false
+  },
+  app: {
+    failOn: "high",
+    risk: true,
+    env: true,
+    includeDev: true
+  }
+};
+function resolvePolicy(requested, configured) {
+  const name = requested ?? configured;
+  return name ? POLICY_PRESETS[name] : void 0;
+}
+
+// src/risk.ts
+var REGISTRY_URL = "https://registry.npmjs.org";
+var REGISTRY_ENV = "TRAWLY_NPM_REGISTRY_URL";
+var REQUEST_TIMEOUT_MS = 15e3;
+var NEW_VERSION_DAYS = 30;
+var NEW_PACKAGE_DAYS = 90;
+var PACKUMENT_CONCURRENCY = 8;
+var PACKUMENT_MAX_RETRIES = 3;
+var PACKUMENT_BACKOFF_MS = 250;
+async function collectRiskSignals(packages, options) {
+  if (!options.enabled) return { findings: [], warnings: [] };
+  const findings = [];
+  const warnings = [];
+  for (const pkg of packages) {
+    if (pkg.hasInstallScript) {
+      findings.push(riskFinding(pkg, {
+        id: "TRAWLY-INSTALL-SCRIPT",
+        severity: "moderate",
+        summary: `${pkg.name}@${pkg.version} declares install-time scripts or requires a build step.`
+      }));
+    }
+    const registry = normalizeRegistry(pkg.registry);
+    if (registry && !isAllowedRegistry(registry, options.allowedRegistries)) {
+      findings.push(riskFinding(pkg, {
+        id: "TRAWLY-UNEXPECTED-REGISTRY",
+        severity: "moderate",
+        summary: `${pkg.name}@${pkg.version} was resolved from unexpected registry ${registry}.`
+      }));
+    }
+  }
+  const npmPackageGroups = groupNpmPackages(packages);
+  const fetchImpl = options.fetchImpl ?? fetch;
+  const groupsByName = /* @__PURE__ */ new Map();
+  for (const group of npmPackageGroups) {
+    const name = group[0]?.name;
+    if (!name) continue;
+    const list = groupsByName.get(name) ?? [];
+    list.push(group);
+    groupsByName.set(name, list);
+  }
+  await mapWithConcurrency(
+    [...groupsByName.entries()],
+    PACKUMENT_CONCURRENCY,
+    async ([name, groups]) => {
+      let packument;
+      try {
+        packument = await fetchPackument(fetchImpl, name);
+      } catch (err) {
+        warnings.push(
+          `Could not fetch npm publish metadata for ${name}: ${err.message}`
+        );
+        return;
+      }
+      const createdAt = parseDate(packument.time?.created);
+      const isNewPackage = !!createdAt && daysBetween(createdAt, options.now) < NEW_PACKAGE_DAYS;
+      for (const group of groups) {
+        const representative = group[0];
+        if (!representative) continue;
+        const versionAt = parseDate(packument.time?.[representative.version]);
+        const deprecated = packument.versions?.[representative.version]?.deprecated;
+        if (isNewPackage) {
+          for (const pkg of group) {
+            findings.push(
+              riskFinding(pkg, {
+                id: "TRAWLY-NEW-PACKAGE",
+                severity: "moderate",
+                summary: `${pkg.name} was first published less than ${NEW_PACKAGE_DAYS} days ago.`
+              })
+            );
+          }
+        }
+        if (deprecated) {
+          for (const pkg of group) {
+            findings.push(
+              riskFinding(pkg, {
+                id: "TRAWLY-DEPRECATED-PACKAGE",
+                severity: "moderate",
+                summary: `${pkg.name}@${pkg.version} is deprecated: ${deprecated}`
+              })
+            );
+          }
+        }
+        if (versionAt && daysBetween(versionAt, options.now) < NEW_VERSION_DAYS) {
+          for (const pkg of group) {
+            findings.push(
+              riskFinding(pkg, {
+                id: "TRAWLY-NEW-VERSION",
+                severity: "low",
+                summary: `${pkg.name}@${pkg.version} was published less than ${NEW_VERSION_DAYS} days ago.`
+              })
+            );
+          }
+        }
+      }
+    }
+  );
+  return { findings, warnings };
+}
+function riskFinding(pkg, input) {
+  return {
+    id: input.id,
+    source: "trawly",
+    type: "risk-signal",
+    severity: input.severity,
+    ecosystem: pkg.ecosystem,
+    packageName: pkg.name,
+    installedVersion: pkg.version,
+    summary: input.summary,
+    fixedVersions: [],
+    affectedPaths: [pkg.path],
+    fingerprint: fingerprintFinding({
+      source: "trawly",
+      type: "risk-signal",
+      id: input.id,
+      ecosystem: pkg.ecosystem,
+      packageName: pkg.name,
+      installedVersion: pkg.version
+    }),
+    aliases: [],
+    sourceFile: pkg.sourceFile,
+    line: pkg.line
+  };
+}
+function groupNpmPackages(packages) {
+  const groups = /* @__PURE__ */ new Map();
+  for (const pkg of packages) {
+    if (pkg.ecosystem !== "npm") continue;
+    const key = `${pkg.name}@${pkg.version}`;
+    const group = groups.get(key) ?? [];
+    group.push(pkg);
+    groups.set(key, group);
+  }
+  return [...groups.values()];
+}
+async function fetchPackument(fetchImpl, name) {
+  const registry = (process.env[REGISTRY_ENV] ?? REGISTRY_URL).replace(/\/+$/, "");
+  const url = `${registry}/${encodePackageName(name)}`;
+  let lastErr;
+  for (let attempt = 0; attempt <= PACKUMENT_MAX_RETRIES; attempt++) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    try {
+      const res = await fetchImpl(url, {
+        signal: controller.signal,
+        headers: { accept: "application/json" }
+      });
+      if (res.ok) return await res.json();
+      const err = new RegistryHttpError(
+        `registry ${res.status}: ${res.statusText}`,
+        res.status,
+        retryAfterMs(res.headers)
+      );
+      if (!isRetryableRegistryError(err) || attempt === PACKUMENT_MAX_RETRIES) {
+        throw err;
+      }
+      lastErr = err;
+      await sleep(retryDelayMs(err, attempt));
+    } catch (err) {
+      if (err instanceof RegistryHttpError) throw err;
+      lastErr = err;
+      if (attempt === PACKUMENT_MAX_RETRIES) break;
+      await sleep(retryDelayMs(void 0, attempt));
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  throw lastErr;
+}
+async function mapWithConcurrency(items, concurrency, worker) {
+  let next = 0;
+  const workers = Array.from(
+    { length: Math.min(concurrency, items.length) },
+    async () => {
+      while (next < items.length) {
+        const item = items[next++];
+        if (item !== void 0) await worker(item);
+      }
+    }
+  );
+  await Promise.all(workers);
+}
+var RegistryHttpError = class extends Error {
+  constructor(message, status, retryAfterMs3) {
+    super(message);
+    this.status = status;
+    this.retryAfterMs = retryAfterMs3;
   }
-  return { prod, dev, optional };
+  status;
+  retryAfterMs;
+};
+function isRetryableRegistryError(err) {
+  return err.status === 429 || err.status >= 500;
 }
-function addDepNames(block, into) {
-  if (!block) return;
-  for (const name of Object.keys(block)) into.add(name);
+function retryDelayMs(err, attempt) {
+  if (err?.retryAfterMs !== void 0) return err.retryAfterMs;
+  const base = PACKUMENT_BACKOFF_MS * 2 ** attempt;
+  return base + Math.floor(Math.random() * Math.min(base, 100));
 }
-function parsePnpmPackageKey(key) {
-  let working = key.startsWith("/") ? key.slice(1) : key;
-  const parenIdx = working.indexOf("(");
-  if (parenIdx !== -1) working = working.slice(0, parenIdx);
-  const startSearch = working.startsWith("@") ? 1 : 0;
-  const atIdx = working.indexOf("@", startSearch);
-  if (atIdx <= 0) return null;
-  const name = working.slice(0, atIdx);
-  const version = working.slice(atIdx + 1);
-  if (!name || !version) return null;
-  return { name, version };
+function retryAfterMs(headers) {
+  const value = headers.get("retry-after");
+  if (!value) return void 0;
+  const seconds = Number(value);
+  if (Number.isFinite(seconds) && seconds >= 0) return seconds * 1e3;
+  const date = Date.parse(value);
+  if (Number.isNaN(date)) return void 0;
+  return Math.max(0, date - Date.now());
 }
-
-// src/extractors/yarn-lock.ts
-import { existsSync, readFileSync as readFileSync3 } from "fs";
-import { dirname, join, resolve as resolve3 } from "path";
-import yaml2 from "js-yaml";
-function parseYarnLock(filePath) {
-  const absolute = resolve3(filePath);
-  const content = readFileSync3(absolute, "utf8");
-  const projectDir = dirname(absolute);
-  const directs = readDirectDepsFromPackageJson(projectDir);
-  const isBerry = /^__metadata:/m.test(content);
-  return isBerry ? parseBerry(absolute, content, directs) : parseClassic(absolute, content, directs);
-}
-function readDirectDepsFromPackageJson(projectDir) {
-  const result = {
-    prod: /* @__PURE__ */ new Set(),
-    dev: /* @__PURE__ */ new Set(),
-    optional: /* @__PURE__ */ new Set(),
-    any: /* @__PURE__ */ new Set()
-  };
-  const pkgPath = join(projectDir, "package.json");
-  if (!existsSync(pkgPath)) return result;
-  try {
-    const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
-    for (const name of Object.keys(pkg.dependencies ?? {})) result.prod.add(name);
-    for (const name of Object.keys(pkg.devDependencies ?? {})) result.dev.add(name);
-    for (const name of Object.keys(pkg.optionalDependencies ?? {}))
-      result.optional.add(name);
-    for (const set of [result.prod, result.dev, result.optional]) {
-      for (const n of set) result.any.add(n);
-    }
-    for (const name of Object.keys(pkg.peerDependencies ?? {})) result.any.add(name);
-  } catch {
-  }
-  return result;
+function sleep(ms) {
+  return new Promise((resolve11) => setTimeout(resolve11, ms));
 }
-function parseClassic(absolute, content, directs) {
-  const entries = parseClassicEntries(content);
-  const instances = [];
-  for (const entry of entries) {
-    const version = entry.fields.version;
-    if (!version) continue;
-    const names = uniq(entry.specs.map((s) => parseYarnSpec(s).name).filter(Boolean));
-    const name = names[0];
-    if (!name) continue;
-    const isDirect = names.some((n) => directs.any.has(n));
-    const inProd = names.some((n) => directs.prod.has(n));
-    const inDev = names.some((n) => directs.dev.has(n));
-    const inOpt = names.some((n) => directs.optional.has(n));
-    instances.push({
-      name,
-      version,
-      ecosystem: "npm",
-      path: `${name}@${version}`,
-      direct: isDirect,
-      dev: inDev && !inProd,
-      optional: inOpt && !inProd && !inDev,
-      resolved: entry.fields.resolved,
-      integrity: entry.fields.integrity
-    });
-  }
-  void absolute;
-  return instances;
+function isAllowedRegistry(registry, allowed) {
+  const normalizedAllowed = allowed.map(normalizeRegistry).filter(isString);
+  return normalizedAllowed.includes(registry);
 }
-function parseClassicEntries(content) {
-  const lines = content.split(/\r?\n/);
-  const entries = [];
-  let current = null;
-  for (const rawLine of lines) {
-    if (rawLine === "" || rawLine.trimStart().startsWith("#")) continue;
-    if (!/^\s/.test(rawLine)) {
-      if (current) entries.push(current);
-      const header = rawLine.replace(/:\s*$/, "");
-      current = { specs: splitClassicSpecs(header), fields: {} };
-      continue;
-    }
-    if (!current) continue;
-    const indent = rawLine.match(/^ +/)?.[0].length ?? 0;
-    if (indent !== 2) continue;
-    const trimmed = rawLine.trim();
-    const m = trimmed.match(/^([^\s"]+)\s+"((?:[^"\\]|\\.)*)"$/) ?? trimmed.match(/^([^\s"]+)\s+(\S+)$/);
-    if (m && m[1] !== void 0 && m[2] !== void 0) {
-      current.fields[m[1]] = m[2];
-    }
+function normalizeRegistry(value) {
+  if (!value) return void 0;
+  try {
+    const url = new URL(value);
+    return `${url.protocol}//${url.host}`;
+  } catch {
+    return value.replace(/\/+$/, "");
   }
-  if (current) entries.push(current);
-  return entries;
 }
-function splitClassicSpecs(header) {
-  const out = [];
-  let cur = "";
-  let inQuote = false;
-  for (const ch of header) {
-    if (ch === '"') {
-      inQuote = !inQuote;
-      continue;
-    }
-    if (ch === "," && !inQuote) {
-      const spec = cur.trim();
-      if (spec) out.push(spec);
-      cur = "";
-      continue;
+function encodePackageName(name) {
+  if (name.startsWith("@")) {
+    const slash = name.indexOf("/");
+    if (slash !== -1) {
+      return `${encodeURIComponent(name.slice(0, slash))}%2F${encodeURIComponent(name.slice(slash + 1))}`;
     }
-    cur += ch;
   }
-  const last = cur.trim();
-  if (last) out.push(last);
-  return out;
+  return encodeURIComponent(name);
 }
-function parseBerry(absolute, content, directs) {
-  let parsed;
-  try {
-    parsed = yaml2.load(content) ?? {};
-  } catch (err) {
-    throw new Error(
-      `Failed to parse ${absolute}: ${err.message}`
-    );
-  }
-  const instances = [];
-  for (const [key, value] of Object.entries(parsed)) {
-    if (key === "__metadata") continue;
-    if (!value || typeof value !== "object") continue;
-    const entry = value;
-    if (!entry.version) continue;
-    const specs = splitClassicSpecs(key);
-    const names = uniq(specs.map((s) => parseYarnSpec(s).name).filter(Boolean));
-    const name = names[0];
-    if (!name) continue;
-    const isDirect = names.some((n) => directs.any.has(n));
-    const inProd = names.some((n) => directs.prod.has(n));
-    const inDev = names.some((n) => directs.dev.has(n));
-    const inOpt = names.some((n) => directs.optional.has(n));
-    instances.push({
-      name,
-      version: entry.version,
-      ecosystem: "npm",
-      path: `${name}@${entry.version}`,
-      direct: isDirect,
-      dev: inDev && !inProd,
-      optional: inOpt && !inProd && !inDev,
-      resolved: entry.resolution,
-      integrity: entry.checksum
-    });
-  }
-  return instances;
+function parseDate(value) {
+  if (!value) return void 0;
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? void 0 : date;
 }
-function parseYarnSpec(spec) {
-  const startSearch = spec.startsWith("@") ? 1 : 0;
-  const atIdx = spec.indexOf("@", startSearch);
-  if (atIdx <= 0) return { name: spec, selector: "" };
-  const name = spec.slice(0, atIdx);
-  let selector = spec.slice(atIdx + 1);
-  if (selector.startsWith("npm:")) selector = selector.slice(4);
-  return { name, selector };
+function daysBetween(a, b) {
+  return (b.getTime() - a.getTime()) / 864e5;
 }
-function uniq(values) {
-  return Array.from(new Set(values));
+function isString(value) {
+  return typeof value === "string";
 }
 
 // src/sources/osv.ts
 var OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";
 var OSV_VULN_URL = "https://api.osv.dev/v1/vulns";
 var QUERY_CHUNK_SIZE = 500;
-var REQUEST_TIMEOUT_MS = 15e3;
+var REQUEST_TIMEOUT_MS2 = 15e3;
 var MAX_RETRIES = 2;
+var DETAIL_CONCURRENCY = 8;
 function dedupeForQuery(packages) {
   const seen = /* @__PURE__ */ new Set();
   const out = [];
   for (const pkg of packages) {
-    const key = `${pkg.name}@${pkg.version}`;
+    const key = packageKey(pkg);
     if (seen.has(key)) continue;
     seen.add(key);
-    out.push({ name: pkg.name, version: pkg.version });
+    if (pkg.purl) out.push({ name: pkg.name, version: pkg.version, purl: pkg.purl });
+    else if (pkg.ecosystem === "npm") out.push({ name: pkg.name, version: pkg.version });
+    else {
+      out.push({
+        name: pkg.name,
+        version: pkg.version,
+        ecosystem: pkg.ecosystem
+      });
+    }
   }
   return out;
 }
@@ -365,33 +1383,14 @@ async function queryOsv(packages, deps = {}) {
   if (unique.length === 0) return [];
   const idsByPackage = /* @__PURE__ */ new Map();
   for (const chunk of chunked(unique, QUERY_CHUNK_SIZE)) {
-    const body = {
-      queries: chunk.map((q) => ({
-        package: { ecosystem: "npm", name: q.name },
-        version: q.version
-      }))
-    };
-    const res = await postJson(
-      fetchImpl,
-      OSV_QUERYBATCH_URL,
-      body
-    );
-    res.results.forEach((result, i) => {
-      const q = chunk[i];
-      if (!q) return;
-      const key = `${q.name}@${q.version}`;
-      if (!result.vulns || result.vulns.length === 0) return;
-      const ids = idsByPackage.get(key) ?? /* @__PURE__ */ new Set();
-      for (const v of result.vulns) ids.add(v.id);
-      idsByPackage.set(key, ids);
-    });
+    await queryBatchWithPagination(fetchImpl, chunk, idsByPackage);
   }
   const allIds = /* @__PURE__ */ new Set();
   for (const ids of idsByPackage.values()) {
     for (const id of ids) allIds.add(id);
   }
   const detailsById = /* @__PURE__ */ new Map();
-  for (const id of allIds) {
+  await mapWithConcurrency2([...allIds], DETAIL_CONCURRENCY, async (id) => {
     try {
       const detail = await getJson(
         fetchImpl,
@@ -400,10 +1399,10 @@ async function queryOsv(packages, deps = {}) {
       detailsById.set(id, detail);
     } catch {
     }
-  }
+  });
   const findings = [];
   for (const pkg of packages) {
-    const key = `${pkg.name}@${pkg.version}`;
+    const key = packageKey(pkg);
     const ids = idsByPackage.get(key);
     if (!ids) continue;
     for (const id of ids) {
@@ -413,28 +1412,88 @@ async function queryOsv(packages, deps = {}) {
   }
   return findings;
 }
+async function queryBatchWithPagination(fetchImpl, initial, idsByPackage) {
+  let pending = initial;
+  const pageTokens = /* @__PURE__ */ new Map();
+  while (pending.length > 0) {
+    const res = await postJson(
+      fetchImpl,
+      OSV_QUERYBATCH_URL,
+      { queries: pending.map((q) => toOsvQuery(q, pageTokens.get(queryKey(q)))) }
+    );
+    const next = [];
+    res.results.forEach((result, i) => {
+      const q = pending[i];
+      if (!q) return;
+      const key = queryKey(q);
+      if (result.vulns && result.vulns.length > 0) {
+        const ids = idsByPackage.get(key) ?? /* @__PURE__ */ new Set();
+        for (const v of result.vulns) ids.add(v.id);
+        idsByPackage.set(key, ids);
+      }
+      if (result.next_page_token) {
+        pageTokens.set(key, result.next_page_token);
+        next.push(q);
+      } else {
+        pageTokens.delete(key);
+      }
+    });
+    pending = next;
+  }
+}
+function toOsvQuery(q, pageToken) {
+  const query = q.purl ? { package: { purl: q.purl } } : {
+    package: { ecosystem: q.ecosystem ?? "npm", name: q.name },
+    version: q.version
+  };
+  return pageToken ? { ...query, page_token: pageToken } : query;
+}
+function queryKey(q) {
+  return q.purl ?? `${q.ecosystem ?? "npm"}:${q.name}@${q.version}`;
+}
 function buildFinding(pkg, id, detail) {
-  const severity = detail ? parseSeverity(detail) : "unknown";
+  const severity = detail ? parseSeverity(detail, pkg.name) : "unknown";
   const summary = detail?.summary ?? detail?.details ?? id;
+  const aliases = detail?.aliases ?? [];
+  const fingerprint = fingerprintFinding({
+    source: "osv",
+    type: "vulnerability",
+    id,
+    ecosystem: pkg.ecosystem,
+    packageName: pkg.name,
+    installedVersion: pkg.version
+  });
   return {
     id,
     source: "osv",
     type: "vulnerability",
     severity,
+    ecosystem: pkg.ecosystem,
     packageName: pkg.name,
     installedVersion: pkg.version,
     summary: truncate(summary, 240),
     url: pickAdvisoryUrl(detail) ?? `https://osv.dev/vulnerability/${id}`,
     fixedVersions: detail ? collectFixedVersions(detail, pkg.name) : [],
-    affectedPaths: [pkg.path]
+    affectedPaths: [pkg.path],
+    fingerprint,
+    aliases,
+    sourceFile: pkg.sourceFile,
+    line: pkg.line
   };
 }
-function parseSeverity(detail) {
+function parseSeverity(detail, packageName) {
   const dbSpecific = detail.database_specific?.severity?.toLowerCase();
   if (dbSpecific === "critical" || dbSpecific === "high" || dbSpecific === "moderate" || dbSpecific === "low") {
     return dbSpecific;
   }
   if (dbSpecific === "medium") return "moderate";
+  for (const aff of matchingAffected(detail, packageName)) {
+    const ecosystemSeverity = aff.ecosystem_specific?.severity?.toLowerCase();
+    if (ecosystemSeverity === "critical" || ecosystemSeverity === "high" || ecosystemSeverity === "moderate" || ecosystemSeverity === "low") {
+      return ecosystemSeverity;
+    }
+    if (ecosystemSeverity === "medium") return "moderate";
+  }
   const cvss = detail.severity?.find((s) => s.type?.startsWith("CVSS_"));
   if (cvss) {
     const score = parseCvssScore(cvss.score);
@@ -458,8 +1517,7 @@ function pickAdvisoryUrl(detail) {
 }
 function collectFixedVersions(detail, packageName) {
   const out = /* @__PURE__ */ new Set();
-  for (const aff of detail.affected ?? []) {
-    if (aff.package?.name && aff.package.name !== packageName) continue;
+  for (const aff of matchingAffected(detail, packageName)) {
     for (const range of aff.ranges ?? []) {
       for (const event of range.events ?? []) {
         if (event.fixed) out.add(event.fixed);
@@ -468,15 +1526,35 @@ function collectFixedVersions(detail, packageName) {
   }
   return [...out];
 }
+function matchingAffected(detail, packageName) {
+  if (!packageName) return detail.affected ?? [];
+  return (detail.affected ?? []).filter((aff) => {
+    const affectedName = aff.package?.name;
+    return !affectedName || affectedName === packageName;
+  });
+}
 function* chunked(items, size) {
   for (let i = 0; i < items.length; i += size) {
     yield items.slice(i, i + size);
   }
 }
+async function mapWithConcurrency2(items, concurrency, worker) {
+  let next = 0;
+  const workers = Array.from(
+    { length: Math.min(concurrency, items.length) },
+    async () => {
+      while (next < items.length) {
+        const item = items[next++];
+        if (item !== void 0) await worker(item);
+      }
+    }
+  );
+  await Promise.all(workers);
+}
 async function postJson(fetchImpl, url, body) {
   return withRetry(async () => {
     const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS2);
     try {
       const res = await fetchImpl(url, {
         method: "POST",
@@ -485,7 +1563,11 @@ async function postJson(fetchImpl, url, body) {
         signal: controller.signal
       });
       if (!res.ok) {
-        throw new HttpError(`OSV ${res.status}: ${res.statusText}`, res.status);
+        throw new HttpError(
+          `OSV ${res.status}: ${res.statusText}`,
+          res.status,
+          retryAfterMs2(res.headers)
+        );
       }
       return await res.json();
     } finally {
@@ -496,11 +1578,15 @@ async function postJson(fetchImpl, url, body) {
 async function getJson(fetchImpl, url) {
   return withRetry(async () => {
     const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS2);
     try {
       const res = await fetchImpl(url, { signal: controller.signal });
       if (!res.ok) {
-        throw new HttpError(`OSV ${res.status}: ${res.statusText}`, res.status);
+        throw new HttpError(
+          `OSV ${res.status}: ${res.statusText}`,
+          res.status,
+          retryAfterMs2(res.headers)
+        );
       }
       return await res.json();
     } finally {
@@ -509,11 +1595,13 @@ async function getJson(fetchImpl, url) {
   });
 }
 var HttpError = class extends Error {
-  constructor(message, status) {
+  constructor(message, status, retryAfterMs3) {
     super(message);
     this.status = status;
+    this.retryAfterMs = retryAfterMs3;
   }
   status;
+  retryAfterMs;
 };
 async function withRetry(fn) {
   let lastErr;
@@ -523,15 +1611,25 @@ async function withRetry(fn) {
     } catch (err) {
       lastErr = err;
       if (!isRetryable(err) || attempt === MAX_RETRIES) break;
-      await new Promise((r) => setTimeout(r, 250 * 2 ** attempt));
+      const delay = err instanceof HttpError && err.retryAfterMs !== void 0 ? err.retryAfterMs : 250 * 2 ** attempt;
+      await new Promise((r) => setTimeout(r, delay));
     }
   }
   throw lastErr;
 }
 function isRetryable(err) {
-  if (err instanceof HttpError) return err.status >= 500;
+  if (err instanceof HttpError) return err.status === 429 || err.status >= 500;
   return true;
 }
+function retryAfterMs2(headers) {
+  const value = headers.get("retry-after");
+  if (!value) return void 0;
+  const seconds = Number(value);
+  if (Number.isFinite(seconds) && seconds >= 0) return seconds * 1e3;
+  const date = Date.parse(value);
+  if (Number.isNaN(date)) return void 0;
+  return Math.max(0, date - Date.now());
+}
 function truncate(s, max) {
   if (s.length <= max) return s;
   return `${s.slice(0, max - 1)}\u2026`;
@@ -547,80 +1645,125 @@ var SEVERITY_RANK = {
 };
 
 // src/scanner.ts
+var DEFAULT_ALLOWED_REGISTRIES = [
+  "https://registry.npmjs.org",
+  "https://registry.yarnpkg.com"
+];
 async function scanProject(options = {}) {
-  const cwd = resolve4(options.cwd ?? process.cwd());
-  const lockfilePath = options.lockfile ? resolve4(cwd, options.lockfile) : detectLockfile(cwd);
-  if (!lockfilePath) {
+  const cwd = resolve7(options.cwd ?? process.cwd());
+  const loadedConfig = loadConfig(cwd, options.config);
+  const policy = resolvePolicy(options.policy, loadedConfig.config.policy);
+  const lockfilePaths = options.lockfile ? normalizePaths(cwd, options.lockfile) : detectLockfiles(cwd);
+  const sbomPaths = normalizePaths(cwd, options.sbom);
+  const envEnabled = options.env ?? loadedConfig.config.env ?? policy?.env ?? false;
+  if (lockfilePaths.length === 0 && sbomPaths.length === 0 && !envEnabled) {
     throw new ScanInputError(
-      `No supported lockfile found in ${cwd}. Pass --lockfile or run in a directory with package-lock.json, pnpm-lock.yaml, or yarn.lock.`
+      `No supported lockfile or SBOM found in ${cwd}. Pass --lockfile/--sbom or run in a directory with package-lock.json, pnpm-lock.yaml, or yarn.lock.`
     );
   }
   return scanLockfile({
-    lockfilePath,
-    includeDev: options.includeDev,
+    lockfilePath: lockfilePaths,
+    sbom: sbomPaths,
+    cwd,
+    config: options.config,
+    policy: options.policy,
+    baseline: options.baseline,
+    writeBaseline: options.writeBaseline,
+    risk: options.risk ?? loadedConfig.config.risk ?? policy?.risk,
+    env: envEnabled,
+    allowedRegistries: options.allowedRegistries ?? loadedConfig.config.allowedRegistries,
+    includeDev: options.includeDev ?? policy?.includeDev,
     prodOnly: options.prodOnly,
-    fetchImpl: options.fetchImpl
+    fetchImpl: options.fetchImpl,
+    now: options.now
   });
 }
 async function scanLockfile(options) {
-  const { lockfilePath } = options;
-  if (!existsSync2(lockfilePath)) {
-    throw new ScanInputError(`Lockfile does not exist: ${lockfilePath}`);
-  }
-  const stat = statSync(lockfilePath);
-  if (!stat.isFile()) {
-    throw new ScanInputError(`Lockfile path is not a file: ${lockfilePath}`);
-  }
-  const allInstances = parseLockfile(lockfilePath);
-  const instances = filterInstances(allInstances, options);
+  const initialCwd = resolve7(options.cwd ?? process.cwd());
+  const lockfilePaths = normalizePaths(initialCwd, options.lockfilePath);
+  const sbomPaths = normalizePaths(initialCwd, options.sbom);
+  const cwd = options.cwd ? initialCwd : deriveCwdFromInputs(lockfilePaths, sbomPaths, initialCwd);
+  const now = options.now ?? /* @__PURE__ */ new Date();
+  const loadedConfig = loadConfig(cwd, options.config);
+  const policy = resolvePolicy(options.policy, loadedConfig.config.policy);
+  const envEnabled = options.env ?? loadedConfig.config.env ?? policy?.env ?? false;
+  for (const path of [...lockfilePaths, ...sbomPaths]) validateFile(path);
+  const allInstances = [
+    ...lockfilePaths.flatMap((path) => parseLockfile(path)),
+    ...sbomPaths.flatMap((path) => parseSbom(path))
+  ];
+  const instances = filterInstances(allInstances, {
+    ...options,
+    includeDev: options.includeDev ?? policy?.includeDev
+  });
   const errors = [];
-  let findings = [];
+  const warnings = [];
+  const envResult = envEnabled ? scanEnvFiles(cwd) : { findings: [], warnings: [], filesScanned: 0 };
+  warnings.push(...envResult.warnings);
+  let findings = [...envResult.findings];
   try {
-    findings = await queryOsv(instances, { fetchImpl: options.fetchImpl });
+    findings.push(...await queryOsv(instances, { fetchImpl: options.fetchImpl }));
   } catch (err) {
     errors.push({
       message: "Failed to query OSV advisory database",
       cause: err.message
     });
   }
+  const riskEnabled = options.risk ?? loadedConfig.config.risk ?? policy?.risk ?? true;
+  const risk = await collectRiskSignals(instances, {
+    enabled: riskEnabled,
+    allowedRegistries: options.allowedRegistries ?? loadedConfig.config.allowedRegistries ?? DEFAULT_ALLOWED_REGISTRIES,
+    fetchImpl: options.fetchImpl,
+    now
+  });
+  findings.push(...risk.findings);
+  warnings.push(...risk.warnings);
+  const ignoreResult = applyIgnores(
+    findings,
+    loadedConfig.config.ignore,
+    now
+  );
+  warnings.push(...ignoreResult.warnings);
+  findings = ignoreResult.active;
   findings.sort(compareFindings);
+  ignoreResult.ignored.sort(compareFindings);
+  const appliedBaseline = applyBaseline(findings, cwd, options.baseline);
+  let baseline = appliedBaseline?.result;
+  if (appliedBaseline) {
+    findings = appliedBaseline.findings;
+  }
+  if (options.writeBaseline) {
+    baseline = writeBaseline(findings, cwd, options.writeBaseline, baseline);
+  }
   return {
-    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    scannedAt: now.toISOString(),
     packagesScanned: instances.length,
     findings,
+    ignoredFindings: ignoreResult.ignored,
     summary: summarize(findings),
-    errors
+    errors,
+    warnings,
+    baseline
   };
 }
+function deriveCwdFromInputs(lockfilePaths, sbomPaths, fallback) {
+  const firstInput = lockfilePaths[0] ?? sbomPaths[0];
+  return firstInput ? dirname3(firstInput) : fallback;
+}
 var ScanInputError = class extends Error {
   constructor(message) {
     super(message);
     this.name = "ScanInputError";
   }
 };
-var LOCKFILE_CANDIDATES = [
-  "pnpm-lock.yaml",
-  "yarn.lock",
-  "package-lock.json",
-  "npm-shrinkwrap.json"
-];
-function detectLockfile(cwd) {
-  for (const file of LOCKFILE_CANDIDATES) {
-    const candidate = join2(cwd, file);
-    if (existsSync2(candidate)) return candidate;
-  }
-  return void 0;
-}
-function parseLockfile(lockfilePath) {
-  const name = basename(lockfilePath);
-  if (name === "pnpm-lock.yaml") return parsePnpmLock(lockfilePath);
-  if (name === "yarn.lock") return parseYarnLock(lockfilePath);
-  if (name === "package-lock.json" || name === "npm-shrinkwrap.json") {
-    return parseNpmPackageLock(lockfilePath);
-  }
-  throw new ScanInputError(
-    `Unsupported lockfile name: ${name}. Supported: package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock.`
-  );
+function detectLockfiles(cwd) {
+  const candidates = [
+    "package-lock.json",
+    "npm-shrinkwrap.json",
+    "pnpm-lock.yaml",
+    "yarn.lock"
+  ].map((file) => join4(cwd, file));
+  return candidates.filter((candidate) => existsSync4(candidate));
 }
 function filterInstances(instances, options) {
   const includeDev = options.prodOnly ? false : options.includeDev !== false;
@@ -630,6 +1773,7 @@ function filterInstances(instances, options) {
 function compareFindings(a, b) {
   const sev = SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
   if (sev !== 0) return sev;
+  if (a.source !== b.source) return a.source.localeCompare(b.source);
   if (a.packageName !== b.packageName) {
     return a.packageName.localeCompare(b.packageName);
   }
@@ -652,20 +1796,603 @@ function summarize(findings) {
 function meetsThreshold(findings, threshold) {
   if (threshold === "none") return false;
   const min = SEVERITY_RANK[threshold];
-  return findings.some((f) => SEVERITY_RANK[f.severity] >= min);
+  return findings.some(
+    (f) => f.baseline !== "existing" && SEVERITY_RANK[f.severity] >= min
+  );
+}
+function normalizePaths(cwd, value) {
+  if (!value) return [];
+  const values = Array.isArray(value) ? value : [value];
+  return [...new Set(values.map((path) => resolve7(cwd, path)))];
+}
+function validateFile(path) {
+  if (!existsSync4(path)) {
+    throw new ScanInputError(`Input file does not exist: ${path}`);
+  }
+  const stat = statSync2(path);
+  if (!stat.isFile()) {
+    throw new ScanInputError(`Input path is not a file: ${path}`);
+  }
+}
+
+// src/env-scan.ts
+import { spawn } from "child_process";
+import { existsSync as existsSync5, readdirSync as readdirSync2, readFileSync as readFileSync9 } from "fs";
+import { join as join5, relative as relative2, resolve as resolve8, sep } from "path";
+var DEFAULT_SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  ".svelte-kit",
+  ".turbo",
+  ".cache",
+  "coverage",
+  "out",
+  ".vercel",
+  ".output"
+]);
+var EXAMPLE_NAME = /^\.env(\.[^.]+)*\.(example|sample|template|dist)$/i;
+var EXAMPLE_SUFFIX_NAME = /(\.|^)(example|sample|template)$/i;
+async function scanEnv(options = {}) {
+  const cwd = resolve8(options.cwd ?? process.cwd());
+  const skipDirs = options.skipDirs ? new Set(options.skipDirs) : DEFAULT_SKIP_DIRS;
+  const maxDepth = options.maxDepth ?? 6;
+  const errors = [];
+  const envFiles = discoverEnvFiles(cwd, skipDirs, maxDepth);
+  const inGit = isGitRepo(cwd);
+  const gitignorePath = join5(cwd, ".gitignore");
+  const hasGitignore = existsSync5(gitignorePath);
+  const exampleFiles = envFiles.filter(isExampleFile);
+  const realEnvFiles = envFiles.filter((f) => !isExampleFile(f));
+  const [trackedSet, ignoredMap, publishCheck, exampleSecrets] = await Promise.all([
+    inGit ? gitTracked(cwd, envFiles) : Promise.resolve(/* @__PURE__ */ new Set()),
+    inGit ? gitCheckIgnore(cwd, envFiles) : Promise.resolve(fallbackIgnoreMap(cwd, envFiles)),
+    checkPublishExposure(cwd, realEnvFiles),
+    scanExampleFilesForSecrets(cwd, exampleFiles)
+  ]).catch((err) => {
+    errors.push({
+      message: "env scan: parallel checks failed",
+      cause: err.message
+    });
+    return [
+      /* @__PURE__ */ new Set(),
+      /* @__PURE__ */ new Map(),
+      [],
+      []
+    ];
+  });
+  const issues = [];
+  if (envFiles.length > 0 && !hasGitignore) {
+    issues.push({
+      kind: "no-gitignore",
+      severity: "moderate",
+      file: ".gitignore",
+      message: "Project has env files but no .gitignore.",
+      detail: "Add a .gitignore that includes .env and .env.* before committing."
+    });
+  }
+  for (const file of realEnvFiles) {
+    if (trackedSet.has(file)) {
+      issues.push({
+        kind: "tracked-by-git",
+        severity: "critical",
+        file,
+        message: `${file} is tracked by git.`,
+        detail: "This file is committed to the repo. Run `git rm --cached` and rotate any secrets that were exposed."
+      });
+      continue;
+    }
+    const ignored = ignoredMap.get(file);
+    if (hasGitignore && ignored === false) {
+      issues.push({
+        kind: "not-gitignored",
+        severity: "high",
+        file,
+        message: `${file} exists but is not covered by .gitignore.`,
+        detail: "Add a matching pattern (e.g. `.env*`) to .gitignore."
+      });
+    }
+  }
+  for (const f of publishCheck) {
+    issues.push({
+      kind: "would-be-published",
+      severity: "critical",
+      file: f.file,
+      message: `${f.file} would be included in the published npm tarball.`,
+      detail: f.reason
+    });
+  }
+  for (const f of exampleSecrets) {
+    issues.push({
+      kind: "secret-in-example",
+      severity: "high",
+      file: f.file,
+      message: `${f.file} appears to contain a real secret.`,
+      detail: `Matched pattern: ${f.pattern} on key \`${f.key}\`. Example files should hold placeholder values only.`
+    });
+  }
+  issues.sort(compareIssues);
+  return {
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    cwd,
+    envFiles,
+    issues,
+    summary: summarizeIssues(issues),
+    errors
+  };
+}
+function compareIssues(a, b) {
+  const rank = {
+    critical: 4,
+    high: 3,
+    moderate: 2,
+    low: 1,
+    unknown: 0
+  };
+  const sev = rank[b.severity] - rank[a.severity];
+  if (sev !== 0) return sev;
+  if (a.file !== b.file) return a.file.localeCompare(b.file);
+  return a.kind.localeCompare(b.kind);
+}
+function summarizeIssues(issues) {
+  const out = {
+    critical: 0,
+    high: 0,
+    moderate: 0,
+    low: 0,
+    unknown: 0
+  };
+  for (const i of issues) out[i.severity]++;
+  return out;
+}
+function discoverEnvFiles(cwd, skipDirs, maxDepth) {
+  const found = [];
+  walk(cwd, cwd, 0);
+  found.sort();
+  return found;
+  function walk(dir, root, depth) {
+    if (depth > maxDepth) return;
+    let entries;
+    try {
+      entries = readdirSync2(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.isDirectory()) {
+        if (skipDirs.has(entry.name) || entry.name.startsWith(".git")) continue;
+        walk(join5(dir, entry.name), root, depth + 1);
+        continue;
+      }
+      if (!entry.isFile() && !entry.isSymbolicLink()) continue;
+      if (isEnvFilename(entry.name)) {
+        found.push(toPosix(relative2(root, join5(dir, entry.name))));
+      }
+    }
+  }
+}
+function isEnvFilename(name) {
+  if (name === ".env") return true;
+  if (name.startsWith(".env.")) return true;
+  return false;
+}
+function isExampleFile(file) {
+  const base = file.split("/").pop() ?? file;
+  if (EXAMPLE_NAME.test(base)) return true;
+  const segments = base.split(".");
+  const last = segments[segments.length - 1] ?? "";
+  return EXAMPLE_SUFFIX_NAME.test(last);
+}
+function toPosix(p) {
+  return sep === "/" ? p : p.split(sep).join("/");
+}
+function isGitRepo(cwd) {
+  let dir = cwd;
+  for (let i = 0; i < 32; i++) {
+    if (existsSync5(join5(dir, ".git"))) return true;
+    const parent = resolve8(dir, "..");
+    if (parent === dir) return false;
+    dir = parent;
+  }
+  return false;
+}
+async function gitTracked(cwd, files) {
+  if (files.length === 0) return /* @__PURE__ */ new Set();
+  const { stdout, code } = await runGit(cwd, ["ls-files", "-z", "--", ...files]);
+  if (code !== 0) return /* @__PURE__ */ new Set();
+  const tracked = stdout.split("\0").filter(Boolean).map(toPosix);
+  return new Set(tracked);
+}
+async function gitCheckIgnore(cwd, files) {
+  const result = /* @__PURE__ */ new Map();
+  if (files.length === 0) return result;
+  const stdin = `${files.join("\0")}\0`;
+  const { stdout, code } = await runGit(
+    cwd,
+    ["check-ignore", "--no-index", "-v", "-n", "-z", "--stdin"],
+    stdin
+  );
+  if (code !== 0 && code !== 1) {
+    for (const f of files) result.set(f, false);
+    return result;
+  }
+  const parts = stdout.split("\0");
+  for (let i = 0; i + 3 < parts.length; i += 4) {
+    const source = parts[i];
+    const pathname = toPosix(parts[i + 3] ?? "");
+    if (!pathname) continue;
+    result.set(pathname, source !== "");
+  }
+  for (const f of files) {
+    if (!result.has(f)) result.set(f, false);
+  }
+  return result;
+}
+function fallbackIgnoreMap(cwd, files) {
+  const result = /* @__PURE__ */ new Map();
+  const patterns = readIgnoreFile(join5(cwd, ".gitignore"));
+  for (const f of files) result.set(f, matchesAny(f, patterns));
+  return result;
+}
+function runGit(cwd, args, stdin) {
+  return new Promise((resolveP) => {
+    const child = spawn("git", args, {
+      cwd,
+      stdio: [stdin === void 0 ? "ignore" : "pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.on("data", (d) => {
+      stdout += d.toString("utf8");
+    });
+    child.stderr?.on("data", (d) => {
+      stderr += d.toString("utf8");
+    });
+    child.on("error", () => resolveP({ stdout, stderr, code: -1 }));
+    child.on(
+      "close",
+      (code) => resolveP({ stdout, stderr, code: code ?? -1 })
+    );
+    if (stdin !== void 0 && child.stdin) {
+      child.stdin.end(stdin);
+    }
+  });
+}
+async function checkPublishExposure(cwd, envFiles) {
+  if (envFiles.length === 0) return [];
+  const pkgPath = join5(cwd, "package.json");
+  if (!existsSync5(pkgPath)) return [];
+  let pkg;
+  try {
+    pkg = JSON.parse(readFileSync9(pkgPath, "utf8"));
+  } catch {
+    return [];
+  }
+  if (pkg.private === true) return [];
+  const findings = [];
+  if (Array.isArray(pkg.files)) {
+    const allowList = pkg.files.filter((x) => typeof x === "string");
+    for (const file of envFiles) {
+      if (matchesAny(file, allowList)) {
+        findings.push({
+          file,
+          reason: `package.json "files" allowlist matches this path. Remove the entry or move the file.`
+        });
+      }
+    }
+    return findings;
+  }
+  const npmignorePath = join5(cwd, ".npmignore");
+  const ignorePath = existsSync5(npmignorePath) ? npmignorePath : join5(cwd, ".gitignore");
+  const ignoreSource = existsSync5(ignorePath) ? ignorePath === npmignorePath ? ".npmignore" : ".gitignore" : null;
+  const patterns = ignoreSource ? readIgnoreFile(ignorePath) : [];
+  for (const file of envFiles) {
+    if (!matchesAny(file, patterns)) {
+      findings.push({
+        file,
+        reason: ignoreSource ? `Not matched by any pattern in ${ignoreSource}. Add an entry like \`.env*\`.` : `No .npmignore or .gitignore present, so npm will include this file in the published tarball. Add an .npmignore.`
+      });
+    }
+  }
+  return findings;
+}
+function readIgnoreFile(path) {
+  if (!existsSync5(path)) return [];
+  try {
+    return readFileSync9(path, "utf8").split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0 && !l.startsWith("#"));
+  } catch {
+    return [];
+  }
+}
+function matchesAny(file, patterns) {
+  let matched = false;
+  for (const raw of patterns) {
+    let pattern = raw;
+    let negate = false;
+    if (pattern.startsWith("!")) {
+      negate = true;
+      pattern = pattern.slice(1);
+    }
+    if (pattern.endsWith("/")) pattern = pattern.slice(0, -1);
+    if (matchesPattern(file, pattern)) matched = !negate;
+  }
+  return matched;
+}
+function matchesPattern(file, pattern) {
+  if (!pattern) return false;
+  const anchored = pattern.startsWith("/");
+  const pat = anchored ? pattern.slice(1) : pattern;
+  const hasSlash = pat.includes("/");
+  const candidates = anchored ? [file] : hasSlash ? [file] : [file, file.split("/").pop() ?? file];
+  const re = globToRegex(pat);
+  return candidates.some((c) => re.test(c));
+}
+function globToRegex(pattern) {
+  let re = "^";
+  for (let i = 0; i < pattern.length; i++) {
+    const ch = pattern[i];
+    if (ch === "*") {
+      if (pattern[i + 1] === "*") {
+        re += ".*";
+        i++;
+        if (pattern[i + 1] === "/") i++;
+      } else {
+        re += "[^/]*";
+      }
+    } else if (ch === "?") {
+      re += "[^/]";
+    } else if (ch === ".") {
+      re += "\\.";
+    } else if (/[\\^$+()=!|{}[\]]/.test(ch ?? "")) {
+      re += `\\${ch}`;
+    } else {
+      re += ch;
+    }
+  }
+  re += "$";
+  return new RegExp(re);
+}
+var SECRET_PATTERNS = [
+  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "GitHub token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
+  { name: "Slack token", re: /\bxox[abprs]-[A-Za-z0-9-]{10,}\b/ },
+  { name: "Stripe live key", re: /\bsk_live_[A-Za-z0-9]{16,}\b/ },
+  { name: "Google API key", re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
+  { name: "Generic JWT", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/ },
+  { name: "Private key block", re: /-----BEGIN (RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----/ }
+];
+var PLACEHOLDER_RE2 = /^(?:|x+|y+|<.*>|\{.*\}|change[-_ ]?me|todo|placeholder|your[-_ ].+|example|dummy|fake|test)$/i;
+async function scanExampleFilesForSecrets(cwd, files) {
+  const findings = [];
+  await Promise.all(
+    files.map(async (file) => {
+      let content;
+      try {
+        content = readFileSync9(join5(cwd, file), "utf8");
+      } catch {
+        return;
+      }
+      const lines = content.split(/\r?\n/);
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#")) continue;
+        const eq = trimmed.indexOf("=");
+        if (eq <= 0) continue;
+        const key = trimmed.slice(0, eq).trim();
+        let value = trimmed.slice(eq + 1).trim();
+        if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+          value = value.slice(1, -1);
+        } else {
+          const hashIdx = value.indexOf(" #");
+          if (hashIdx >= 0) value = value.slice(0, hashIdx).trim();
+        }
+        if (!value || PLACEHOLDER_RE2.test(value)) continue;
+        for (const pat of SECRET_PATTERNS) {
+          if (pat.re.test(value)) {
+            findings.push({ file, key, pattern: pat.name });
+            break;
+          }
+        }
+      }
+    })
+  );
+  return findings;
+}
+function envIssuesMeetThreshold(issues, threshold) {
+  if (threshold === "none") return false;
+  const rank = {
+    critical: 4,
+    high: 3,
+    moderate: 2,
+    low: 1,
+    unknown: 0
+  };
+  const min = rank[threshold];
+  return issues.some((i) => rank[i.severity] >= min);
+}
+
+// src/init.ts
+import { existsSync as existsSync6, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve9 } from "path";
+async function initProject(options = {}) {
+  const cwd = resolve9(options.cwd ?? process.cwd());
+  const policy = options.policy ?? "ci";
+  const configPath = resolve9(cwd, options.config ?? "trawly.toml");
+  const baselinePath = options.baseline ?? "trawly-baseline.json";
+  const warnings = [];
+  let configWritten = false;
+  if (options.overwrite || !existsSync6(configPath)) {
+    writeFileSync2(configPath, renderConfig(policy, baselinePath));
+    configWritten = true;
+  } else {
+    warnings.push(`${configPath} already exists; leaving it unchanged.`);
+  }
+  let scan;
+  let baselineWritten = false;
+  if (options.writeBaseline !== false) {
+    try {
+      scan = await scanProject({
+        cwd,
+        config: configPath,
+        policy,
+        risk: options.risk,
+        env: options.env,
+        writeBaseline: baselinePath,
+        fetchImpl: options.fetchImpl
+      });
+      baselineWritten = scan.baseline?.written !== void 0;
+    } catch (err) {
+      if (err instanceof ScanInputError) {
+        warnings.push(
+          "No supported lockfile or SBOM was found, so no baseline was written."
+        );
+      } else {
+        throw err;
+      }
+    }
+  }
+  return {
+    configPath,
+    configWritten,
+    baselinePath: resolve9(cwd, baselinePath),
+    baselineWritten,
+    scan,
+    warnings
+  };
+}
+function renderConfig(policy, baselinePath) {
+  const preset = POLICY_PRESETS[policy];
+  return [
+    `policy = "${policy}"`,
+    `failOn = "${preset.failOn}"`,
+    `risk = ${String(preset.risk)}`,
+    `env = ${String(preset.env)}`,
+    'allowedRegistries = ["https://registry.npmjs.org", "https://registry.yarnpkg.com"]',
+    "",
+    `# Existing findings are tracked in ${baselinePath}.`,
+    "# Ignore entries must expire.",
+    "# [[ignore]]",
+    '# id = "GHSA-example"',
+    '# package = "example-package"',
+    '# expires = "2026-06-30"',
+    '# reason = "Not reachable in this application"',
+    ""
+  ].join("\n");
+}
+
+// src/why.ts
+import { existsSync as existsSync7 } from "fs";
+import { join as join6, resolve as resolve10 } from "path";
+function explainWhy(packageName, options = {}) {
+  const cwd = resolve10(options.cwd ?? process.cwd());
+  const lockfiles = options.lockfile ? normalizePaths2(cwd, options.lockfile) : detectLockfiles2(cwd);
+  const packages = lockfiles.flatMap((path) => parseLockfile(path));
+  const matches = packages.filter((pkg) => pkg.name === packageName).map((pkg) => ({
+    package: pkg,
+    chain: inferChain(pkg),
+    note: graphNote(pkg)
+  })).sort((a, b) => {
+    const source = (a.package.sourceFile ?? "").localeCompare(
+      b.package.sourceFile ?? ""
+    );
+    if (source !== 0) return source;
+    return a.package.path.localeCompare(b.package.path);
+  });
+  return { packageName, lockfiles, matches };
+}
+function inferChain(pkg) {
+  if (pkg.manager === "npm") {
+    const chain = packageNamesFromNodeModulesPath(pkg.path);
+    if (chain.length > 0) return chain;
+  }
+  return [pkg.name];
+}
+function graphNote(pkg) {
+  if (pkg.manager === "npm") return void 0;
+  if (pkg.direct) return "direct dependency";
+  return `${pkg.manager ?? "lockfile"} lock entry; full parent chain is not available yet`;
+}
+function packageNamesFromNodeModulesPath(path) {
+  const parts = path.split("/");
+  const names = [];
+  for (let i = 0; i < parts.length; i++) {
+    if (parts[i] !== "node_modules") continue;
+    const first = parts[i + 1];
+    if (!first) continue;
+    if (first.startsWith("@")) {
+      const second = parts[i + 2];
+      if (!second) continue;
+      names.push(`${first}/${second}`);
+      i += 2;
+    } else {
+      names.push(first);
+      i += 1;
+    }
+  }
+  return names;
+}
+function detectLockfiles2(cwd) {
+  const candidates = [
+    "package-lock.json",
+    "npm-shrinkwrap.json",
+    "pnpm-lock.yaml",
+    "yarn.lock"
+  ].map((file) => join6(cwd, file));
+  return candidates.filter((candidate) => existsSync7(candidate));
+}
+function normalizePaths2(cwd, value) {
+  if (!value) return [];
+  const values = Array.isArray(value) ? value : [value];
+  return [...new Set(values.map((path) => resolve10(cwd, path)))];
+}
+
+// src/version.ts
+import { readFileSync as readFileSync10 } from "fs";
+var FALLBACK_VERSION = "0.1.0";
+var TRAWLY_VERSION = readPackageVersion();
+function readPackageVersion() {
+  try {
+    const packageJson = JSON.parse(
+      readFileSync10(new URL("../package.json", import.meta.url), "utf8")
+    );
+    return typeof packageJson.version === "string" ? packageJson.version : FALLBACK_VERSION;
+  } catch {
+    return FALLBACK_VERSION;
+  }
 }
 export {
+  BaselineError,
+  ConfigError,
+  POLICY_PRESETS,
   SEVERITY_RANK,
   ScanInputError,
+  TRAWLY_VERSION,
+  applyBaseline,
   compareFindings,
   dedupeForQuery,
+  envIssuesMeetThreshold,
+  explainWhy,
+  initProject,
+  loadConfig,
   meetsThreshold,
+  parseLockfile,
   parseNpmPackageLock,
   parsePnpmLock,
+  parsePnpmPackageKey,
+  parsePurlPackage,
+  parseSbom,
+  parseYarnDescriptorName,
   parseYarnLock,
   queryOsv,
+  resolvePolicy,
+  scanEnv,
+  scanEnvFiles,
   scanLockfile,
   scanProject,
-  summarize
+  summarize,
+  writeBaseline
 };
 //# sourceMappingURL=index.js.map