verimu 0.0.18 → 0.0.20

package/dist/cli.mjs

@@ -13052,9 +13052,9 @@ var require_traverse = __commonJS({
     Object.defineProperty(exports, "__esModule", {
       value: true
     });
-    exports.default = traverse2;
+    exports.default = traverse;
     var _index = require_definitions();
-    function traverse2(node, handlers, state) {
+    function traverse(node, handlers, state) {
       if (typeof handlers === "function") {
         handlers = {
           enter: handlers
@@ -14096,7 +14096,7 @@ import { createRequire } from "module";
 
 // src/scan.ts
 import { writeFile } from "fs/promises";
-import { basename, join as join2, parse as parse2 } from "path";
+import { basename, join as join3, parse as parse2 } from "path";
 
 // src/scanners/npm/npm-scanner.ts
 import { readFile } from "fs/promises";
@@ -14178,9 +14178,10 @@ var NpmScanner = class {
     if (lockfile.packages) {
       for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {
         if (pkgPath === "") continue;
+        if (!pkgPath.startsWith("node_modules/")) continue;
+        if (pkgInfo.link) continue;
         const name = this.extractPackageName(pkgPath);
         if (!name || !pkgInfo.version) continue;
-        if (pkgInfo.link) continue;
         deps.push({
           name,
           version: pkgInfo.version,
@@ -15468,8 +15469,8 @@ var PnpmScanner = class {
    *   "/pkg@1.0.0(dep@2.0.0)" → name: "pkg", version: "1.0.0"
    */
   parsePackagePath(pkgPath, lockfileVersion) {
-    const path14 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
-    const cleanPath = path14.split("_")[0].split("(")[0];
+    const path15 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
+    const cleanPath = path15.split("_")[0].split("(")[0];
     if (!cleanPath) {
       return { name: null, version: null };
     }
@@ -15481,30 +15482,30 @@ var PnpmScanner = class {
   /**
    * Parses v6+ format: "express@4.18.2" or "@types/node@20.11.5"
    */
-  parseV6Format(path14) {
-    if (path14.startsWith("@")) {
-      const lastAtIndex = path14.lastIndexOf("@");
+  parseV6Format(path15) {
+    if (path15.startsWith("@")) {
+      const lastAtIndex = path15.lastIndexOf("@");
       if (lastAtIndex <= 0) {
         return { name: null, version: null };
       }
-      const name2 = path14.substring(0, lastAtIndex);
-      const version2 = path14.substring(lastAtIndex + 1);
+      const name2 = path15.substring(0, lastAtIndex);
+      const version2 = path15.substring(lastAtIndex + 1);
       return { name: name2, version: version2 };
     }
-    const atIndex = path14.indexOf("@");
+    const atIndex = path15.indexOf("@");
     if (atIndex < 0) {
       return { name: null, version: null };
     }
-    const name = path14.substring(0, atIndex);
-    const version = path14.substring(atIndex + 1);
+    const name = path15.substring(0, atIndex);
+    const version = path15.substring(atIndex + 1);
     return { name, version };
   }
   /**
    * Parses v5.x format: "express/4.18.2" or "@types/node/20.11.5"
    */
-  parseV5Format(path14) {
-    if (path14.startsWith("@")) {
-      const parts = path14.split("/");
+  parseV5Format(path15) {
+    if (path15.startsWith("@")) {
+      const parts = path15.split("/");
       if (parts.length < 3) {
         return { name: null, version: null };
       }
@@ -15512,12 +15513,12 @@ var PnpmScanner = class {
       const version2 = parts[2];
       return { name: name2, version: version2 };
     }
-    const slashIndex = path14.indexOf("/");
+    const slashIndex = path15.indexOf("/");
     if (slashIndex < 0) {
       return { name: null, version: null };
     }
-    const name = path14.substring(0, slashIndex);
-    const version = path14.substring(slashIndex + 1);
+    const name = path15.substring(0, slashIndex);
+    const version = path15.substring(slashIndex + 1);
     return { name, version };
   }
   /**
@@ -16750,6 +16751,15 @@ var ConsoleReporter = class {
       lines.push(
         `    Findings: direct_evidence=${directEvidence}, indirect_no_evidence=${indirectNoEvidence}, unsupported=${unsupported}, analysis_error=${analysisErrors}`
       );
+      if (result.usageContext.ecosystemStatus.length > 0) {
+        lines.push("    Analyzer status:");
+        for (const status of result.usageContext.ecosystemStatus) {
+          const note = status.note ? ` (${status.note})` : "";
+          lines.push(
+            `      ${status.ecosystem}: ${status.status} via ${status.analyzer}${note}`
+          );
+        }
+      }
       if (result.usageContext.artifactPath) {
         lines.push(`    Artifact: ${result.usageContext.artifactPath}`);
       }
@@ -16816,7 +16826,8 @@ var VerimuApiClient = class {
         name: opts.name,
         ecosystem: this.mapEcosystem(opts.ecosystem),
         repository_url: opts.repositoryUrl ?? null,
-        platform: opts.platform ?? null
+        platform: opts.platform ?? null,
+        group_name: opts.groupName ?? null
       })
     });
     if (!res.ok) {
@@ -17001,7 +17012,7 @@ var import_types = __toESM(require_lib3(), 1);
 import { readdir, readFile as readFile14 } from "fs/promises";
 import { join } from "path";
 import { parse } from "@babel/parser";
-import traverse from "@babel/traverse";
+import traverseModule from "@babel/traverse";
 var JS_EXTENSIONS = /* @__PURE__ */ new Set([
   ".js",
   ".jsx",
@@ -17031,6 +17042,24 @@ var JsAstAnalyzer = class {
     return this.ecosystems.has(ecosystem);
   }
   async analyze(context) {
+    const traverseFn = resolveTraverseFunction(traverseModule);
+    if (!traverseFn) {
+      return {
+        packages: context.packages.map((pkg2) => ({
+          packageName: pkg2.packageName,
+          ecosystem: pkg2.ecosystem,
+          status: "analysis_error",
+          snippets: [],
+          notes: "Failed to resolve @babel/traverse runtime export"
+        })),
+        errors: [{
+          analyzer: this.name,
+          ecosystem: context.ecosystem,
+          error: "Failed to resolve @babel/traverse runtime export"
+        }],
+        snippetsProduced: 0
+      };
+    }
     const packageMap = this.buildPackageMaps(context.packages);
     const resultMap = /* @__PURE__ */ new Map();
     const snippetKeyMap = /* @__PURE__ */ new Map();
@@ -17094,41 +17123,41 @@ var JsAstAnalyzer = class {
       const matchCandidates = [];
       const matchSeen = /* @__PURE__ */ new Set();
       const symbolToPackage = /* @__PURE__ */ new Map();
-      const addMatch = (packageKey2, line, matchKind, calledSymbol, confidence = 0.8) => {
-        const candidateKey = `${packageKey2}:${line}:${matchKind}:${calledSymbol ?? ""}`;
+      const addMatch = (packageKey3, line, matchKind, calledSymbol, confidence = 0.8) => {
+        const candidateKey = `${packageKey3}:${line}:${matchKind}:${calledSymbol ?? ""}`;
         if (matchSeen.has(candidateKey)) return;
         matchSeen.add(candidateKey);
-        matchCandidates.push({ packageKey: packageKey2, line, matchKind, calledSymbol, confidence });
+        matchCandidates.push({ packageKey: packageKey3, line, matchKind, calledSymbol, confidence });
       };
-      traverse(ast, {
-        ImportDeclaration: (path14) => {
-          const source = path14.node.source;
+      traverseFn(ast, {
+        ImportDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "import", void 0, 0.95);
-          for (const specifier of path14.node.specifiers) {
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "import", void 0, 0.95);
+          for (const specifier of path15.node.specifiers) {
             if ((0, import_types.isImportDefaultSpecifier)(specifier) || (0, import_types.isImportNamespaceSpecifier)(specifier) || (0, import_types.isImportSpecifier)(specifier)) {
               symbolToPackage.set(specifier.local.name, pkgKey);
             }
           }
         },
-        ExportNamedDeclaration: (path14) => {
-          const source = path14.node.source;
+        ExportNamedDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!source || !(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
         },
-        ExportAllDeclaration: (path14) => {
-          const source = path14.node.source;
+        ExportAllDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
         },
-        VariableDeclarator: (path14) => {
-          const node = path14.node;
+        VariableDeclarator: (path15) => {
+          const node = path15.node;
           if (!(0, import_types.isVariableDeclarator)(node)) return;
           if (!node.init || !(0, import_types.isCallExpression)(node.init)) return;
           if (!(0, import_types.isIdentifier)(node.init.callee, { name: "require" })) return;
@@ -17141,8 +17170,8 @@ var JsAstAnalyzer = class {
             symbolToPackage.set(identifier, pkgKey);
           }
         },
-        CallExpression: (path14) => {
-          const node = path14.node;
+        CallExpression: (path15) => {
+          const node = path15.node;
           if ((0, import_types.isIdentifier)(node.callee, { name: "require" })) {
             const firstArg = node.arguments[0];
             if (firstArg && (0, import_types.isStringLiteral)(firstArg)) {
@@ -17163,12 +17192,12 @@ var JsAstAnalyzer = class {
             0.75
           );
         },
-        ImportExpression: (path14) => {
-          const source = path14.node.source;
+        ImportExpression: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "dynamic_import", void 0, 0.9);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "dynamic_import", void 0, 0.9);
         }
       });
       for (const candidate of matchCandidates) {
@@ -17222,6 +17251,18 @@ var JsAstAnalyzer = class {
     return `${ecosystem}::${packageName}`;
   }
 };
+function resolveTraverseFunction(moduleValue) {
+  if (typeof moduleValue === "function") {
+    return moduleValue;
+  }
+  if (typeof moduleValue === "object" && moduleValue !== null && "default" in moduleValue) {
+    const candidate = moduleValue.default;
+    if (typeof candidate === "function") {
+      return candidate;
+    }
+  }
+  return null;
+}
 async function collectSourceFiles(rootPath) {
   const files = [];
   async function walk(dirPath) {
@@ -17317,9 +17358,9 @@ function collectIdentifiers(pattern) {
 function resolveCallMatch(callee, symbolToPackage) {
   const normalized = unwrapExpression(callee);
   if ((0, import_types.isIdentifier)(normalized)) {
-    const packageKey2 = symbolToPackage.get(normalized.name);
-    if (!packageKey2) return null;
-    return { packageKey: packageKey2, calledSymbol: normalized.name };
+    const packageKey3 = symbolToPackage.get(normalized.name);
+    if (!packageKey3) return null;
+    return { packageKey: packageKey3, calledSymbol: normalized.name };
   }
   if ((0, import_types.isMemberExpression)(normalized) || (0, import_types.isOptionalMemberExpression)(normalized)) {
     return resolveMemberCallMatch(normalized, symbolToPackage);
@@ -17336,13 +17377,13 @@ function unwrapExpression(expression) {
 function resolveMemberCallMatch(memberExpression, symbolToPackage) {
   const objectExpr = unwrapExpression(memberExpression.object);
   if (!(0, import_types.isIdentifier)(objectExpr)) return null;
-  const packageKey2 = symbolToPackage.get(objectExpr.name);
-  if (!packageKey2) return null;
+  const packageKey3 = symbolToPackage.get(objectExpr.name);
+  if (!packageKey3) return null;
   const propertyName = propertyNameOf(memberExpression);
   if (!propertyName) {
-    return { packageKey: packageKey2, calledSymbol: objectExpr.name };
+    return { packageKey: packageKey3, calledSymbol: objectExpr.name };
   }
-  return { packageKey: packageKey2, calledSymbol: `${objectExpr.name}.${propertyName}` };
+  return { packageKey: packageKey3, calledSymbol: `${objectExpr.name}.${propertyName}` };
 }
 function propertyNameOf(memberExpression) {
   if (memberExpression.computed) {
@@ -17359,34 +17400,1021 @@ function propertyNameOf(memberExpression) {
   return null;
 }
 
-// src/context/analyzers/unsupported-analyzer.ts
-var UnsupportedAnalyzer = class {
-  name;
-  ecosystems;
-  note;
-  constructor(name, ecosystems, note) {
-    this.name = name;
-    this.ecosystems = new Set(ecosystems);
-    this.note = note;
+// src/context/analyzers/shared.ts
+import { readdir as readdir2, readFile as readFile15 } from "fs/promises";
+import { join as join2 } from "path";
+var DEFAULT_IGNORED_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  ".hg",
+  ".svn",
+  "node_modules",
+  "dist",
+  "build",
+  "coverage",
+  ".next",
+  ".nuxt",
+  ".turbo",
+  "vendor",
+  ".venv",
+  "venv",
+  "target",
+  "bin",
+  "obj"
+]);
+function packageKey(ecosystem, packageName) {
+  return `${ecosystem}::${packageName}`;
+}
+function initState(packages) {
+  const resultMap = /* @__PURE__ */ new Map();
+  const snippetKeyMap = /* @__PURE__ */ new Map();
+  for (const pkg2 of packages) {
+    const key = packageKey(pkg2.ecosystem, pkg2.packageName);
+    resultMap.set(key, {
+      packageName: pkg2.packageName,
+      ecosystem: pkg2.ecosystem,
+      status: "indirect_no_evidence",
+      snippets: []
+    });
+    snippetKeyMap.set(key, /* @__PURE__ */ new Set());
+  }
+  return {
+    resultMap,
+    snippetKeyMap,
+    errors: [],
+    snippetsProduced: 0
+  };
+}
+function errorResultFromMessage(context, analyzerName, message, notes) {
+  return {
+    packages: context.packages.map((pkg2) => ({
+      packageName: pkg2.packageName,
+      ecosystem: pkg2.ecosystem,
+      status: "analysis_error",
+      snippets: [],
+      notes
+    })),
+    errors: [{ analyzer: analyzerName, ecosystem: context.ecosystem, error: message }],
+    snippetsProduced: 0
+  };
+}
+function toAnalyzerResult(state) {
+  for (const result of state.resultMap.values()) {
+    result.snippets = dedupeSnippets(result.snippets);
+    if (result.snippets.length > 0) {
+      result.status = "direct_evidence";
+    }
   }
+  return {
+    packages: Array.from(state.resultMap.values()),
+    errors: state.errors,
+    snippetsProduced: state.snippetsProduced
+  };
+}
+async function collectSourceFiles2(rootPath, extensions, ignoredDirs = DEFAULT_IGNORED_DIRS) {
+  const files = [];
+  async function walk(dirPath) {
+    const entries = await readdir2(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = join2(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        if (ignoredDirs.has(entry.name)) continue;
+        await walk(fullPath);
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      if (!extensions.has(extensionOf2(entry.name))) continue;
+      files.push(fullPath);
+    }
+  }
+  await walk(rootPath);
+  return files;
+}
+async function readSourceFile(analyzerName, ecosystem, filePath, errors) {
+  try {
+    return await readFile15(filePath, "utf-8");
+  } catch (err) {
+    errors.push({
+      analyzer: analyzerName,
+      ecosystem,
+      error: `Failed to read ${filePath}: ${err instanceof Error ? err.message : String(err)}`
+    });
+    return null;
+  }
+}
+function addCandidate(context, state, filePath, sourceText, candidate) {
+  if (state.snippetsProduced >= context.maxSnippetsTotal) return;
+  const packageResult = state.resultMap.get(candidate.packageKey);
+  if (!packageResult) return;
+  if (packageResult.snippets.length >= context.maxSnippetsPerPackage) return;
+  const snippet = buildSnippet({
+    projectPath: context.projectPath,
+    filePath,
+    sourceText,
+    line: candidate.line,
+    numContextLines: context.numContextLines,
+    matchKind: candidate.matchKind,
+    calledSymbol: candidate.calledSymbol,
+    confidence: candidate.confidence ?? 0.8
+  });
+  const dedupeKey = `${snippet.filePath}:${snippet.startLine}:${snippet.endLine}:${snippet.matchKind}:${snippet.calledSymbol ?? ""}`;
+  const packageSnippetKeys = state.snippetKeyMap.get(candidate.packageKey);
+  if (!packageSnippetKeys || packageSnippetKeys.has(dedupeKey)) return;
+  packageSnippetKeys.add(dedupeKey);
+  packageResult.snippets.push(snippet);
+  state.snippetsProduced += 1;
+}
+function extensionOf2(fileName) {
+  const index = fileName.lastIndexOf(".");
+  return index === -1 ? "" : fileName.slice(index).toLowerCase();
+}
+function basePackageName(name) {
+  const slash = name.includes("/") ? name.split("/").at(-1) ?? name : name;
+  const colon = slash.includes(":") ? slash.split(":").at(-1) ?? slash : slash;
+  return colon;
+}
+function toIdentifierToken(value) {
+  return value.replace(/[^A-Za-z0-9_]/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toLowerCase();
+}
+function uniqueTokens(values) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const value of values) {
+    const trimmed = value.trim();
+    if (!trimmed) continue;
+    const key = trimmed.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    result.push(trimmed);
+  }
+  return result;
+}
+
+// src/context/analyzers/python-ast-analyzer.ts
+var PYTHON_EXTENSIONS = /* @__PURE__ */ new Set([".py"]);
+var PythonAstAnalyzer = class {
+  name = "python-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["pip", "poetry", "uv"]);
   supports(ecosystem) {
     return this.ecosystems.has(ecosystem);
   }
   async analyze(context) {
-    const packages = context.packages.map((pkg2) => ({
-      packageName: pkg2.packageName,
-      ecosystem: pkg2.ecosystem,
-      status: "unsupported",
-      snippets: [],
-      notes: this.note
-    }));
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, PYTHON_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Python source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const aliasToPackage = /* @__PURE__ */ new Map();
+      const lines = sourceText.split(/\r?\n/);
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = lines[idx];
+        const trimmed = stripInlineComment(line).trim();
+        const lineNumber = idx + 1;
+        if (!trimmed) continue;
+        const importMatch = trimmed.match(/^import\s+(.+)$/);
+        if (importMatch) {
+          const segments = importMatch[1].split(",").map((part) => part.trim()).filter(Boolean);
+          for (const segment of segments) {
+            const parsed = segment.match(/^([A-Za-z_][A-Za-z0-9_\.]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?$/);
+            if (!parsed) continue;
+            const moduleName = parsed[1];
+            const alias = parsed[2] ?? moduleName.split(".").at(0) ?? moduleName;
+            this.addImportForModule(
+              context,
+              state,
+              filePath,
+              sourceText,
+              packagePatterns,
+              aliasToPackage,
+              moduleName,
+              alias,
+              lineNumber
+            );
+          }
+          continue;
+        }
+        const fromMatch = trimmed.match(
+          /^from\s+([A-Za-z_][A-Za-z0-9_\.]*)\s+import\s+(.+)$/
+        );
+        if (fromMatch) {
+          const moduleName = fromMatch[1];
+          const imported = fromMatch[2].split(",").map((part) => part.trim()).filter(Boolean);
+          for (const part of imported) {
+            const parsed = part.match(/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?$/);
+            if (!parsed) continue;
+            const name = parsed[1];
+            const alias = parsed[2] ?? name;
+            this.addImportForModule(
+              context,
+              state,
+              filePath,
+              sourceText,
+              packagePatterns,
+              aliasToPackage,
+              moduleName,
+              alias,
+              lineNumber
+            );
+          }
+          continue;
+        }
+        for (const [alias, pkgKey] of aliasToPackage.entries()) {
+          const escapedAlias = escapeRegex(alias);
+          const directCall = new RegExp(`\\b${escapedAlias}\\s*\\(`);
+          if (directCall.test(trimmed)) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: alias,
+              confidence: 0.78
+            });
+          }
+          const memberCall = new RegExp(`\\b${escapedAlias}\\s*\\.\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*\\(`);
+          const match = trimmed.match(memberCall);
+          if (match) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${alias}.${match[1]}`,
+              confidence: 0.8
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  addImportForModule(context, state, filePath, sourceText, packagePatterns, aliasToPackage, moduleName, alias, lineNumber) {
+    const normalizedModule = moduleName.toLowerCase();
+    for (const pkg2 of packagePatterns) {
+      const matched = pkg2.modules.some(
+        (candidate) => normalizedModule === candidate || normalizedModule.startsWith(`${candidate}.`)
+      );
+      if (!matched) continue;
+      aliasToPackage.set(alias, pkg2.key);
+      aliasToPackage.set(moduleName.split(".").at(0) ?? moduleName, pkg2.key);
+      addCandidate(context, state, filePath, sourceText, {
+        packageKey: pkg2.key,
+        line: lineNumber,
+        matchKind: "import",
+        confidence: 0.95
+      });
+    }
+  }
+  patternForPackage(packageName, ecosystem) {
+    const normalized = toIdentifierToken(packageName).replace(/_/g, "-");
+    const base = toIdentifierToken(basePackageName(packageName));
+    const packageModules = [
+      normalized.replace(/-/g, "_"),
+      base.replace(/-/g, "_"),
+      base.replace(/_/g, "")
+    ];
+    if (normalized === "pyyaml" || base === "pyyaml") {
+      packageModules.push("yaml");
+    }
+    return {
+      key: packageKey(ecosystem, packageName),
+      modules: uniqueTokens(packageModules.map((v) => v.toLowerCase()))
+    };
+  }
+};
+function stripInlineComment(line) {
+  const hashIndex = line.indexOf("#");
+  return hashIndex === -1 ? line : line.slice(0, hashIndex);
+}
+function escapeRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/context/analyzers/java-ast-analyzer.ts
+var JAVA_EXTENSIONS = /* @__PURE__ */ new Set([".java"]);
+var JavaAstAnalyzer = class {
+  name = "java-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["maven"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, JAVA_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Java source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const importMatch = line.match(/^import\s+(?:static\s+)?([A-Za-z0-9_.*]+)\s*;/);
+        if (importMatch) {
+          const importPath = importMatch[1].replace(/\.\*$/, "");
+          const simpleName = importPath.split(".").at(-1) ?? importPath;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.candidates.some((candidate) => importPath.startsWith(candidate))) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+            if (simpleName && /^[A-Za-z_][A-Za-z0-9_]*$/.test(simpleName)) {
+              symbolToPackage.set(simpleName, pkg2.key);
+            }
+          }
+          continue;
+        }
+        const varDecl = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|;)/);
+        if (varDecl) {
+          const typeName = varDecl[1];
+          const variableName = varDecl[2];
+          const pkgKey2 = symbolToPackage.get(typeName);
+          if (pkgKey2) {
+            symbolToPackage.set(variableName, pkgKey2);
+          }
+        }
+        const callMatch = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (!callMatch) continue;
+        const lhs = callMatch[1];
+        const member = callMatch[2];
+        const pkgKey = symbolToPackage.get(lhs);
+        if (!pkgKey) continue;
+        addCandidate(context, state, filePath, sourceText, {
+          packageKey: pkgKey,
+          line: lineNumber,
+          matchKind: "call",
+          calledSymbol: `${lhs}.${member}`,
+          confidence: 0.8
+        });
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const [groupIdRaw, artifactIdRaw] = packageName.split(":");
+    const groupId = (groupIdRaw ?? "").trim();
+    const artifactId = (artifactIdRaw ?? "").trim();
+    const candidates = uniqueTokens([
+      groupId,
+      groupId && artifactId ? `${groupId}.${artifactId.replace(/-/g, ".")}` : "",
+      artifactId ? artifactId.replace(/-/g, ".") : "",
+      artifactId ? toIdentifierToken(artifactId).replace(/_/g, ".") : ""
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      candidates
+    };
+  }
+};
+function stripLineComment(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/dotnet-ast-analyzer.ts
+var CSHARP_EXTENSIONS = /* @__PURE__ */ new Set([".cs"]);
+var DotnetAstAnalyzer = class {
+  name = "dotnet-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["nuget"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, CSHARP_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate C# source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment2(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const aliasUsing = line.match(/^using\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*([A-Za-z0-9_.]+)\s*;/);
+        if (aliasUsing) {
+          const alias = aliasUsing[1];
+          const targetNamespace = aliasUsing[2];
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.namespaceCandidates.some((candidate) => targetNamespace.startsWith(candidate))) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.93
+            });
+          }
+          continue;
+        }
+        const usingMatch = line.match(/^using\s+([A-Za-z0-9_.]+)\s*;/);
+        if (usingMatch) {
+          const namespaceName = usingMatch[1];
+          const tailSymbol = namespaceName.split(".").at(-1) ?? namespaceName;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.namespaceCandidates.some((candidate) => namespaceName.startsWith(candidate))) continue;
+            symbolToPackage.set(tailSymbol, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.93
+            });
+          }
+          continue;
+        }
+        const varDecl = line.match(/^([A-Za-z_][A-Za-z0-9_.]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|;)/);
+        if (varDecl) {
+          const typeName = varDecl[1].split(".").at(-1) ?? varDecl[1];
+          const variableName = varDecl[2];
+          const pkgKey = symbolToPackage.get(typeName);
+          if (pkgKey) {
+            symbolToPackage.set(variableName, pkgKey);
+          }
+        }
+        const memberCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (memberCall) {
+          const lhs = memberCall[1];
+          const method = memberCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findSymbolCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.79
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const dotted = packageName.replace(/-/g, ".");
+    const segments = dotted.split(".");
+    const symbolCandidates = uniqueTokens([
+      segments.at(-1) ?? "",
+      segments.at(-2) ?? "",
+      packageName.split(".").at(-1) ?? ""
+    ]);
+    const namespaceCandidates = uniqueTokens([
+      dotted,
+      segments.slice(0, -1).join("."),
+      segments.slice(0, Math.min(2, segments.length)).join(".")
+    ]);
     return {
-      packages,
-      errors: [],
-      snippetsProduced: 0
+      key: packageKey(ecosystem, packageName),
+      namespaceCandidates,
+      symbolCandidates
     };
   }
+  findSymbolCandidatePackage(symbol, packagePatterns) {
+    for (const pkg2 of packagePatterns) {
+      if (pkg2.symbolCandidates.includes(symbol)) {
+        return pkg2.key;
+      }
+    }
+    return null;
+  }
 };
+function stripLineComment2(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/rust-ast-analyzer.ts
+var RUST_EXTENSIONS = /* @__PURE__ */ new Set([".rs"]);
+var RustAstAnalyzer = class {
+  name = "rust-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["cargo"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, RUST_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Rust source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment3(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const useMatch = line.match(/^use\s+([A-Za-z_][A-Za-z0-9_:]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/);
+        if (useMatch) {
+          const pathExpr = useMatch[1];
+          const alias = useMatch[2] ?? pathExpr.split("::").at(0) ?? pathExpr;
+          const crate = pathExpr.split("::").at(0) ?? pathExpr;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.crateNames.includes(crate)) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            symbolToPackage.set(crate, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const externMatch = line.match(/^extern\s+crate\s+([A-Za-z_][A-Za-z0-9_]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/);
+        if (externMatch) {
+          const crate = externMatch[1];
+          const alias = externMatch[2] ?? crate;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.crateNames.includes(crate)) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            symbolToPackage.set(crate, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const scopedCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)::([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (scopedCall) {
+          const lhs = scopedCall[1];
+          const func = scopedCall[2];
+          const pkgKey = symbolToPackage.get(lhs);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}::${func}`,
+              confidence: 0.8
+            });
+          }
+        }
+        const methodCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (methodCall) {
+          const lhs = methodCall[1];
+          const method = methodCall[2];
+          const pkgKey = symbolToPackage.get(lhs);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.78
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const crateName = packageName.replace(/-/g, "_");
+    return {
+      key: packageKey(ecosystem, packageName),
+      crateNames: uniqueTokens([crateName, packageName])
+    };
+  }
+};
+function stripLineComment3(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/go-ast-analyzer.ts
+var GO_EXTENSIONS = /* @__PURE__ */ new Set([".go"]);
+var GoAstAnalyzer = class {
+  name = "go-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["go"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map((pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem));
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, GO_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Go source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const aliasesByPackage = /* @__PURE__ */ new Map();
+      for (const pkg2 of packagePatterns) {
+        aliasesByPackage.set(pkg2.key, new Set(pkg2.aliases));
+      }
+      const lines = sourceText.split(/\r?\n/);
+      let inImportBlock = false;
+      for (let idx = 0; idx < lines.length; idx++) {
+        const lineNumber = idx + 1;
+        const line = lines[idx];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("import (")) {
+          inImportBlock = true;
+          continue;
+        }
+        if (inImportBlock && trimmed === ")") {
+          inImportBlock = false;
+          continue;
+        }
+        const match = this.extractImport(trimmed, inImportBlock);
+        if (match) {
+          for (const pkg2 of packagePatterns) {
+            if (match.importPath !== pkg2.packageName) continue;
+            const alias = match.alias && match.alias !== "_" && match.alias !== "." ? toIdentifierToken(match.alias) : pkg2.aliases[0];
+            if (alias) {
+              aliasesByPackage.get(pkg2.key)?.add(alias);
+            }
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.95
+            });
+          }
+        }
+        for (const pkg2 of packagePatterns) {
+          const aliases = aliasesByPackage.get(pkg2.key);
+          if (!aliases) continue;
+          for (const alias of aliases) {
+            if (!alias) continue;
+            const escapedAlias = escapeRegex2(alias);
+            const callRegex = new RegExp(`\\b${escapedAlias}\\s*\\.\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*\\(`);
+            const callMatch = line.match(callRegex);
+            if (!callMatch) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${alias}.${callMatch[1]}`,
+              confidence: 0.8
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const baseName = basePackageName(packageName);
+    const identifierBase = toIdentifierToken(baseName.replace(/^v[0-9]+$/, ""));
+    const shortened = identifierBase.replace(/go$/i, "") || identifierBase;
+    return {
+      key: packageKey(ecosystem, packageName),
+      packageName,
+      aliases: uniqueTokens([identifierBase, shortened])
+    };
+  }
+  extractImport(trimmedLine, inImportBlock) {
+    if (!inImportBlock && !trimmedLine.startsWith("import ")) return null;
+    if (inImportBlock) {
+      const blockMatch = trimmedLine.match(/^(?:(\.|_|[A-Za-z_][A-Za-z0-9_]*)\s+)?\"([^\"]+)\"/);
+      if (!blockMatch) return null;
+      return {
+        alias: blockMatch[1] ?? null,
+        importPath: blockMatch[2]
+      };
+    }
+    const singleMatch = trimmedLine.match(/^import\s+(?:(\.|_|[A-Za-z_][A-Za-z0-9_]*)\s+)?\"([^\"]+)\"/);
+    if (!singleMatch) return null;
+    return {
+      alias: singleMatch[1] ?? null,
+      importPath: singleMatch[2]
+    };
+  }
+};
+function escapeRegex2(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/context/analyzers/ruby-ast-analyzer.ts
+var RUBY_EXTENSIONS = /* @__PURE__ */ new Set([".rb"]);
+var RubyAstAnalyzer = class {
+  name = "ruby-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["ruby"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, RUBY_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Ruby source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripInlineComment2(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const requireMatch = line.match(/^require(?:_relative)?\s+['"]([^'"]+)['"]/);
+        if (requireMatch) {
+          const requiredPath = requireMatch[1];
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.requireCandidates.some((candidate) => requiredPath.includes(candidate))) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "require",
+              confidence: 0.93
+            });
+            for (const constant of pkg2.constantCandidates) {
+              symbolToPackage.set(constant, pkg2.key);
+            }
+          }
+          continue;
+        }
+        const includeMatch = line.match(/^include\s+([A-Za-z_][A-Za-z0-9_:]*)/);
+        if (includeMatch) {
+          const moduleName = includeMatch[1];
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.constantCandidates.some((candidate) => moduleName.startsWith(candidate))) continue;
+            symbolToPackage.set(moduleName.split("::").at(0) ?? moduleName, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.9
+            });
+          }
+          continue;
+        }
+        const namespacedCall = line.match(/\b([A-Z][A-Za-z0-9_:]*)\s*(?:\.|::)\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (namespacedCall) {
+          const lhs = namespacedCall[1].split("::").at(0) ?? namespacedCall[1];
+          const method = namespacedCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findConstantCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.78
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const base = basePackageName(packageName);
+    const normalized = base.toLowerCase();
+    const requireCandidates = uniqueTokens([
+      normalized,
+      normalized.replace(/-/g, "/"),
+      normalized.replace(/-/g, "_")
+    ]);
+    const constantParts = normalized.replace(/[^a-z0-9_/-]/g, "").split(/[\/_-]+/).filter(Boolean).map((part) => part[0]?.toUpperCase() + part.slice(1));
+    const constant = constantParts.join("::");
+    const collapsedConstant = constantParts.join("");
+    return {
+      key: packageKey(ecosystem, packageName),
+      requireCandidates,
+      constantCandidates: uniqueTokens([constant, collapsedConstant, constantParts.at(0) ?? ""])
+    };
+  }
+  findConstantCandidatePackage(constant, packagePatterns) {
+    for (const pkg2 of packagePatterns) {
+      if (pkg2.constantCandidates.includes(constant)) {
+        return pkg2.key;
+      }
+    }
+    return null;
+  }
+};
+function stripInlineComment2(line) {
+  const idx = line.indexOf("#");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/php-ast-analyzer.ts
+var PHP_EXTENSIONS = /* @__PURE__ */ new Set([".php"]);
+var PhpAstAnalyzer = class {
+  name = "php-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["composer"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, PHP_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate PHP source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment4(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const useMatch = line.match(/^use\s+([A-Za-z0-9_\\]+)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/i);
+        if (useMatch) {
+          const namespacePath = useMatch[1];
+          const alias = useMatch[2] ?? namespacePath.split("\\").at(-1) ?? namespacePath;
+          for (const pkg2 of packagePatterns) {
+            const normalizedNamespace = namespacePath.toLowerCase();
+            if (!pkg2.namespaceCandidates.some((candidate) => normalizedNamespace.startsWith(candidate.toLowerCase()))) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const requireMatch = line.match(/^require(?:_once)?\s*\(?\s*['"]([^'"]+)['"]\s*\)?\s*;/i);
+        if (requireMatch) {
+          const pathExpr = requireMatch[1].toLowerCase();
+          for (const pkg2 of packagePatterns) {
+            const hasVendor = pathExpr.includes(pkg2.vendor.toLowerCase());
+            const hasPackage = pathExpr.includes(pkg2.package.toLowerCase());
+            if (!hasVendor && !hasPackage) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "require",
+              confidence: 0.9
+            });
+          }
+          continue;
+        }
+        const staticCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)::([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (staticCall) {
+          const lhs = staticCall[1];
+          const method = staticCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findSymbolCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}::${method}`,
+              confidence: 0.8
+            });
+          }
+        }
+        const constructorMatch = line.match(/new\s+([A-Za-z_][A-Za-z0-9_]*)\b/);
+        if (constructorMatch) {
+          const className = constructorMatch[1];
+          const pkgKey = symbolToPackage.get(className) ?? this.findSymbolCandidatePackage(className, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `new ${className}`,
+              confidence: 0.76
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const [vendorRaw, packageRaw] = packageName.split("/");
+    const vendor = vendorRaw ?? packageName;
+    const packagePart = packageRaw ?? packageName;
+    const namespaceCandidates = uniqueTokens([
+      pascalize(vendor),
+      pascalize(packagePart),
+      `${pascalize(vendor)}\\${pascalize(packagePart)}`,
+      `${pascalize(vendor)}\\${pascalize(packagePart.replace(/-/g, "_"))}`
+    ]);
+    const symbolCandidates = uniqueTokens([
+      pascalize(packagePart),
+      pascalize(vendor),
+      pascalize(packagePart).split("\\").at(-1) ?? ""
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      vendor,
+      package: packagePart,
+      namespaceCandidates,
+      symbolCandidates
+    };
+  }
+  findSymbolCandidatePackage(symbol, packagePatterns) {
+    const normalized = symbol.toLowerCase();
+    for (const pkg2 of packagePatterns) {
+      if (pkg2.symbolCandidates.some((candidate) => candidate.toLowerCase() === normalized)) {
+        return pkg2.key;
+      }
+    }
+    return null;
+  }
+};
+function pascalize(input) {
+  return input.split(/[\/_.-]+/).filter(Boolean).map((part) => part[0]?.toUpperCase() + part.slice(1)).join("\\");
+}
+function stripLineComment4(line) {
+  const slashIdx = line.indexOf("//");
+  if (slashIdx !== -1) return line.slice(0, slashIdx);
+  const hashIdx = line.indexOf("#");
+  return hashIdx === -1 ? line : line.slice(0, hashIdx);
+}
 
 // src/context/usage-context-engine.ts
 var DEFAULT_MAX_SNIPPETS_PER_PACKAGE = 20;
@@ -17396,41 +18424,13 @@ var UsageContextEngine = class {
   constructor(analyzers) {
     this.analyzers = analyzers ?? [
       new JsAstAnalyzer(),
-      new UnsupportedAnalyzer(
-        "python-ast-analyzer",
-        ["pip", "poetry", "uv"],
-        "Python AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "java-ast-analyzer",
-        ["maven"],
-        "Java AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "dotnet-ast-analyzer",
-        ["nuget"],
-        "NuGet/C# AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "rust-ast-analyzer",
-        ["cargo"],
-        "Rust AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "go-ast-analyzer",
-        ["go"],
-        "Go AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "ruby-ast-analyzer",
-        ["ruby"],
-        "Ruby AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "php-ast-analyzer",
-        ["composer"],
-        "PHP AST analyzer is not yet implemented in this release"
-      )
+      new PythonAstAnalyzer(),
+      new JavaAstAnalyzer(),
+      new DotnetAstAnalyzer(),
+      new RustAstAnalyzer(),
+      new GoAstAnalyzer(),
+      new RubyAstAnalyzer(),
+      new PhpAstAnalyzer()
     ];
   }
   async analyze(input) {
@@ -17490,7 +18490,7 @@ var UsageContextEngine = class {
       try {
         const result = await analyzer.analyze(runContext);
         const resultByKey = new Map(
-          result.packages.map((pkg2) => [packageKey(pkg2.ecosystem, pkg2.packageName), pkg2])
+          result.packages.map((pkg2) => [packageKey2(pkg2.ecosystem, pkg2.packageName), pkg2])
         );
         errors.push(...result.errors);
         remainingSnippets = Math.max(0, remainingSnippets - result.snippetsProduced);
@@ -17498,7 +18498,7 @@ var UsageContextEngine = class {
         let unsupportedCount = 0;
         let analysisErrorCount = 0;
         for (const pkg2 of packages) {
-          const analyzed = resultByKey.get(packageKey(pkg2.ecosystem, pkg2.packageName)) ?? {
+          const analyzed = resultByKey.get(packageKey2(pkg2.ecosystem, pkg2.packageName)) ?? {
             packageName: pkg2.packageName,
             ecosystem: pkg2.ecosystem,
             status: "analysis_error",
@@ -17603,13 +18603,13 @@ var UsageContextEngine = class {
   buildVulnerablePackages(vulnerabilities, dependencies) {
     const directMap = /* @__PURE__ */ new Map();
     for (const dependency of dependencies) {
-      const key = packageKey(dependency.ecosystem, dependency.name);
+      const key = packageKey2(dependency.ecosystem, dependency.name);
       const existing = directMap.get(key) ?? false;
       directMap.set(key, existing || dependency.direct);
     }
     const grouped = /* @__PURE__ */ new Map();
     for (const vulnerability of vulnerabilities) {
-      const key = packageKey(vulnerability.ecosystem, vulnerability.packageName);
+      const key = packageKey2(vulnerability.ecosystem, vulnerability.packageName);
       const existing = grouped.get(key);
       if (existing) {
         existing.vulnerabilities.push(vulnerability);
@@ -17633,7 +18633,7 @@ var UsageContextEngine = class {
     return n > 0 ? n : fallback;
   }
 };
-function packageKey(ecosystem, packageName) {
+function packageKey2(ecosystem, packageName) {
   return `${ecosystem}::${packageName}`;
 }
 function groupByEcosystem(packages) {
@@ -17745,7 +18745,8 @@ async function uploadToVerimu(report, config) {
   const projectName = basename(config.projectPath);
   const upsertRes = await client.upsertProject({
     name: projectName,
-    ecosystem: report.project.ecosystem
+    ecosystem: report.project.ecosystem,
+    groupName: config.groupName
   });
   const projectId = upsertRes.project.id;
   const scanRes = await client.uploadSbom(projectId, buildUploadPayload(report));
@@ -17779,9 +18780,9 @@ function deriveArtifactOutputPaths(cycloneDxOutput) {
   }
   return {
     cyclonedx: cycloneDxOutput,
-    spdx: join2(parsed.dir, `${baseName}.spdx.json`),
-    swid: join2(parsed.dir, `${baseName}.swid.xml`),
-    usageContext: join2(parsed.dir, `${baseName}.usage-context.json`)
+    spdx: join3(parsed.dir, `${baseName}.spdx.json`),
+    swid: join3(parsed.dir, `${baseName}.swid.xml`),
+    usageContext: join3(parsed.dir, `${baseName}.usage-context.json`)
   };
 }
 function buildUploadPayload(report) {
@@ -17840,16 +18841,27 @@ function renderPlatformScan(projectPath, result) {
   return lines.join("\n");
 }
 function collectVulnerabilities(result) {
-  return (result.scanResponse.scan_results ?? []).flatMap(
-    (scanResult) => (scanResult.vulnerabilities ?? []).map((vuln) => ({
-      dependencyName: scanResult.dependency_name,
-      version: scanResult.version,
-      cveId: vuln.cve_id,
-      severity: normalizeSeverity(vuln.severity ?? "UNKNOWN"),
-      summary: pickSummary(vuln),
-      fixedVersion: pickFixedVersion(vuln)
-    }))
-  );
+  const deduped = /* @__PURE__ */ new Map();
+  for (const scanResult of result.scanResponse.scan_results ?? []) {
+    for (const vuln of scanResult.vulnerabilities ?? []) {
+      const next = {
+        dependencyName: scanResult.dependency_name,
+        version: scanResult.version,
+        cveId: vuln.cve_id,
+        severity: normalizeSeverity(vuln.severity ?? "UNKNOWN"),
+        summary: pickSummary(vuln),
+        fixedVersion: pickFixedVersion(vuln)
+      };
+      const key = `${next.dependencyName}::${next.version}::${next.cveId}`;
+      const existing = deduped.get(key);
+      if (!existing) {
+        deduped.set(key, next);
+        continue;
+      }
+      deduped.set(key, mergeVulnerability(existing, next));
+    }
+  }
+  return Array.from(deduped.values());
 }
 function pickSummary(vuln) {
   const value = vuln.summary ?? vuln.description;
@@ -17882,6 +18894,26 @@ function normalizeSeverity(severity) {
       return "UNKNOWN";
   }
 }
+function mergeVulnerability(current, incoming) {
+  const severity = severityOrder2(incoming.severity) < severityOrder2(current.severity) ? incoming.severity : current.severity;
+  const summary = pickPreferredSummary(current.summary, incoming.summary);
+  const fixedVersion = current.fixedVersion ?? incoming.fixedVersion ?? null;
+  return {
+    ...current,
+    severity,
+    summary,
+    fixedVersion
+  };
+}
+function pickPreferredSummary(a, b) {
+  const normalizedA = (a ?? "").trim();
+  const normalizedB = (b ?? "").trim();
+  if (!normalizedA) return normalizedB || "No description available";
+  if (!normalizedB) return normalizedA;
+  if (normalizedA === "No description available") return normalizedB;
+  if (normalizedB === "No description available") return normalizedA;
+  return normalizedB.length > normalizedA.length ? normalizedB : normalizedA;
+}
 function summarizeBySeverity(severities) {
   const summary = {
     CRITICAL: 0,
@@ -17916,6 +18948,325 @@ function severityBadge2(severity) {
   return badges[severity] ?? "[???] ";
 }
 
+// src/discovery/lockfile-discovery.ts
+import { readdir as readdir3, stat } from "fs/promises";
+import { existsSync as existsSync14 } from "fs";
+import path14 from "path";
+var LOCKFILE_MAP = {
+  "pnpm-lock.yaml": { ecosystem: "npm", scanner: "pnpm" },
+  "yarn.lock": { ecosystem: "npm", scanner: "yarn" },
+  "package-lock.json": { ecosystem: "npm", scanner: "npm" },
+  "deno.lock": { ecosystem: "npm", scanner: "deno" },
+  "Cargo.lock": { ecosystem: "cargo", scanner: "cargo" },
+  "go.sum": { ecosystem: "go", scanner: "go" },
+  "Gemfile.lock": { ecosystem: "ruby", scanner: "ruby" },
+  "composer.lock": { ecosystem: "composer", scanner: "composer" },
+  "packages.lock.json": { ecosystem: "nuget", scanner: "nuget" },
+  "poetry.lock": { ecosystem: "poetry", scanner: "poetry" },
+  "uv.lock": { ecosystem: "uv", scanner: "uv" },
+  "Pipfile.lock": { ecosystem: "pip", scanner: "pip" },
+  "requirements.txt": { ecosystem: "pip", scanner: "pip" },
+  "pom.xml": { ecosystem: "maven", scanner: "maven" }
+};
+var DEFAULT_EXCLUDES = [
+  "node_modules",
+  ".git",
+  ".hg",
+  ".svn",
+  "vendor",
+  "target",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "__pycache__",
+  ".venv",
+  "venv",
+  ".tox",
+  "coverage",
+  ".cache",
+  "out",
+  ".output"
+];
+var LockfileDiscovery = class {
+  lockfileNames = Object.keys(LOCKFILE_MAP);
+  /**
+   * Discovers all lockfiles recursively starting from rootPath.
+   * Returns a list of projects that can be scanned.
+   */
+  async discover(options) {
+    const { rootPath, exclude, maxDepth } = options;
+    const absoluteRoot = path14.resolve(rootPath);
+    const discovered = [];
+    const excludePatterns = this.buildExcludePatterns(exclude);
+    await this.walkDirectory(absoluteRoot, absoluteRoot, discovered, {
+      excludePatterns,
+      maxDepth: maxDepth ?? Infinity,
+      //not set, infinite for now, can add as a cli-flag later if needed
+      currentDepth: 0
+    });
+    discovered.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+    return discovered;
+  }
+  /**
+   * Recursively walks directories looking for lockfiles.
+   * Stops descending into a directory once a lockfile is found
+   * (to avoid scanning nested node_modules, etc.)
+   */
+  async walkDirectory(currentPath, rootPath, results, options) {
+    const { excludePatterns, maxDepth, currentDepth } = options;
+    if (currentDepth > maxDepth) return;
+    const relativePath = path14.relative(rootPath, currentPath) || ".";
+    if (this.matchesAnyPattern(relativePath, excludePatterns)) {
+      return;
+    }
+    const foundLockfile = await this.findLockfileInDir(currentPath);
+    if (foundLockfile) {
+      results.push({
+        projectPath: currentPath,
+        relativePath,
+        lockfile: {
+          name: foundLockfile.name,
+          path: path14.join(currentPath, foundLockfile.name)
+        },
+        ecosystem: foundLockfile.ecosystem,
+        scannerType: foundLockfile.scanner
+      });
+      return;
+    }
+    let entries;
+    try {
+      entries = await readdir3(currentPath);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const entryPath = path14.join(currentPath, entry);
+      try {
+        const stats = await stat(entryPath);
+        if (stats.isDirectory()) {
+          if (this.isDefaultExclude(entry)) continue;
+          await this.walkDirectory(entryPath, rootPath, results, {
+            ...options,
+            currentDepth: currentDepth + 1
+          });
+        }
+      } catch {
+      }
+    }
+  }
+  /**
+   * Looks for a lockfile in the given directory.
+   * Returns the first match in priority order.
+   */
+  async findLockfileInDir(dirPath) {
+    const priorityOrder = [
+      "pnpm-lock.yaml",
+      "yarn.lock",
+      "package-lock.json",
+      "deno.lock",
+      "Cargo.lock",
+      "go.sum",
+      "poetry.lock",
+      "uv.lock",
+      "Pipfile.lock",
+      "composer.lock",
+      "Gemfile.lock",
+      "packages.lock.json",
+      "pom.xml",
+      "requirements.txt"
+    ];
+    for (const lockfileName of priorityOrder) {
+      const lockfilePath = path14.join(dirPath, lockfileName);
+      if (existsSync14(lockfilePath)) {
+        const info = LOCKFILE_MAP[lockfileName];
+        return { name: lockfileName, ...info };
+      }
+    }
+    return null;
+  }
+  /**
+   * Builds exclude patterns from user input + defaults.
+   */
+  buildExcludePatterns(userExcludes) {
+    const patterns = [];
+    for (const dir of DEFAULT_EXCLUDES) {
+      patterns.push(`**/${dir}`);
+      patterns.push(`**/${dir}/**`);
+    }
+    if (userExcludes) {
+      patterns.push(...userExcludes);
+    }
+    return patterns;
+  }
+  /**
+   * Quick check if a directory name is in the default exclude list.
+   */
+  isDefaultExclude(dirName) {
+    return DEFAULT_EXCLUDES.includes(dirName);
+  }
+  /**
+   * Checks if a path matches any of the given glob patterns.
+   * Uses simple glob matching (supports *, **, ?).
+   */
+  matchesAnyPattern(relativePath, patterns) {
+    const normalized = relativePath.replace(/\\/g, "/");
+    for (const pattern of patterns) {
+      if (this.matchGlob(normalized, pattern)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Simple glob matcher supporting:
+   * - * (matches any characters except /)
+   * - ** (matches any characters including /)
+   * - ? (matches single character)
+   */
+  matchGlob(str, pattern) {
+    let regex = pattern.replace(/\\/g, "/").replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*").replace(/\?/g, ".");
+    regex = `^${regex}$`;
+    return new RegExp(regex).test(str);
+  }
+};
+
+// src/discovery/orchestrator.ts
+import { basename as basename2 } from "path";
+var MultiProjectOrchestrator = class {
+  discovery = new LockfileDiscovery();
+  reporter = new ConsoleReporter();
+  /**
+   * Gets a display name for a project (uses directory name instead of "." for root)
+   */
+  getDisplayName(project, rootPath) {
+    if (project.relativePath === ".") {
+      return basename2(rootPath);
+    }
+    return project.relativePath;
+  }
+  /**
+   * Discovers and scans all projects in a directory tree.
+   */
+  async scanAll(config) {
+    const startTime = Date.now();
+    const apiKey = config.apiKey;
+    const apiBaseUrl = config.apiBaseUrl;
+    console.log(`
+Discovering projects in ${config.projectPath}...`);
+    const projects = await this.discovery.discover({
+      rootPath: config.projectPath,
+      exclude: config.exclude
+    });
+    if (projects.length === 0) {
+      console.log("No projects with lockfiles found.");
+      return {
+        totalDiscovered: 0,
+        successful: [],
+        failed: [],
+        skipped: [],
+        durationMs: Date.now() - startTime
+      };
+    }
+    const isSingleProject = projects.length === 1;
+    const groupName = isSingleProject ? config.groupName : config.groupName || basename2(config.projectPath);
+    console.log(`Found ${projects.length} project(s):
+`);
+    for (const p of projects) {
+      const displayName = this.getDisplayName(p, config.projectPath);
+      console.log(`  \u2022 ${displayName} (${p.scannerType})`);
+    }
+    if (!isSingleProject) {
+      if (!config.groupName) {
+        console.log(`
+  \u2139 Auto-grouping projects as: "${groupName}"`);
+        console.log("  (Use --group to specify a custom group name)\n");
+      } else {
+        console.log(`
+  \u2139 Grouping projects as: "${groupName}"
+`);
+      }
+    } else {
+      console.log("");
+    }
+    const successful = [];
+    const failed = [];
+    for (let i = 0; i < projects.length; i++) {
+      const project = projects[i];
+      const displayName = this.getDisplayName(project, config.projectPath);
+      console.log("\u2500".repeat(60));
+      console.log(`[${i + 1}/${projects.length}] Scanning: ${displayName}`);
+      console.log("\u2500".repeat(60));
+      console.log("");
+      try {
+        const sbomOutput = this.deriveSbomPath(project, config.sbomOutput);
+        const report = await scan({
+          ...config,
+          projectPath: project.projectPath,
+          sbomOutput,
+          groupName,
+          // Use auto-derived or user-provided group name
+          apiKey: void 0
+          // Don't upload in scan, do it separately
+        });
+        console.log(this.reporter.report(report));
+        if (apiKey) {
+          console.log("");
+          console.log(`  Syncing ${displayName} to Verimu platform...`);
+          try {
+            const uploadConfig = {
+              ...config,
+              projectPath: project.projectPath,
+              groupName,
+              // Use auto-derived or user-provided group name
+              apiKey,
+              apiBaseUrl
+            };
+            const uploadResult = await uploadToVerimu(report, uploadConfig);
+            if (uploadResult.projectCreated) {
+              console.log(`  \u2713 Project created: ${displayName}`);
+            }
+            console.log(`  \u2713 ${uploadResult.totalDependencies} dependencies tracked`);
+            console.log(renderPlatformScan(displayName, uploadResult));
+            console.log(`  \u2713 Dashboard: ${uploadResult.dashboardUrl}`);
+          } catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.log(`  \u26A0 Platform sync failed: ${msg}`);
+            console.log("  Your SBOM was still generated locally. You can upload it manually.");
+          }
+        }
+        console.log("");
+        successful.push({ project, report });
+      } catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        console.log(`  \u2717 Failed: ${errorMsg}`);
+        console.log("");
+        failed.push({ project, error: errorMsg });
+        throw error;
+      }
+    }
+    return {
+      totalDiscovered: projects.length,
+      successful,
+      failed,
+      skipped: [],
+      durationMs: Date.now() - startTime
+    };
+  }
+  /**
+   * Derives SBOM output path for a project.
+   * Places SBOMs in project directories by default.
+   */
+  deriveSbomPath(project, configOutput) {
+    if (configOutput) {
+      const base = configOutput.replace(/\.cdx\.json$/, "");
+      const sanitized = project.relativePath.replace(/[/\\]/g, "-");
+      return `${base}.${sanitized}.cdx.json`;
+    }
+    return `${project.projectPath}/sbom.cdx.json`;
+  }
+};
+
 // src/cli.ts
 var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
@@ -17948,7 +19299,11 @@ function parseArgs(argv) {
     skipCveCheck: false,
     skipUpload: false,
     cyclonedxVersion: "1.7",
-    contextLines: void 0
+    contextLines: void 0,
+    groupName: void 0,
+    recursive: true,
+    // Recursive by default
+    exclude: void 0
   };
   let i = 0;
   while (i < args.length) {
@@ -17994,6 +19349,20 @@ function parseArgs(argv) {
         throw new Error(`Invalid CycloneDX version: ${val}`);
       }
       result.cyclonedxVersion = val;
+    } else if (arg === "--group-name" || arg.startsWith("--group-name=")) {
+      const val = arg.startsWith("--group-name=") ? arg.split("=")[1] : args[++i];
+      if (!val || val.startsWith("--")) {
+        throw new Error("--group-name requires a value");
+      }
+      result.groupName = val;
+    } else if (arg === "--no-recursive" || arg === "--not-recursive") {
+      result.recursive = false;
+    } else if (arg === "--exclude") {
+      const val = args[++i];
+      if (!val || val.startsWith("--")) {
+        throw new Error("--exclude requires a comma-separated list of patterns");
+      }
+      result.exclude = val.split(",").map((p) => p.trim());
     }
     i++;
   }
@@ -18036,8 +19405,32 @@ async function main() {
     // Don't pass apiKey to scan() if --skip-upload — we'll handle upload separately for better logging
     apiKey: apiKey && !args.skipUpload ? void 0 : void 0,
     apiBaseUrl,
-    numContextLines: args.contextLines
+    numContextLines: args.contextLines,
+    groupName: args.groupName
   };
+  if (args.recursive) {
+    const orchestrator = new MultiProjectOrchestrator();
+    let result;
+    try {
+      result = await orchestrator.scanAll({
+        ...config,
+        recursive: true,
+        exclude: args.exclude,
+        // Pass API key for platform uploads
+        apiKey: apiKey && !args.skipUpload ? apiKey : void 0,
+        apiBaseUrl
+      });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      logError(msg);
+      process.exit(2);
+    }
+    printMultiProjectSummary(result);
+    if (result.failed.length > 0) {
+      process.exit(1);
+    }
+    return;
+  }
   let report;
   try {
     report = await scan(config);
@@ -18078,12 +19471,50 @@ async function main() {
     process.exit(1);
   }
 }
+function printMultiProjectSummary(result) {
+  console.log("\n" + "\u2500".repeat(60));
+  console.log("Multi-Project Scan Summary");
+  console.log("\u2500".repeat(60));
+  console.log(`
+Projects discovered: ${result.totalDiscovered}`);
+  console.log(`  \u2713 Successful: ${result.successful.length}`);
+  console.log(`  \u2717 Failed: ${result.failed.length}`);
+  if (result.successful.length > 0) {
+    const totalDeps = result.successful.reduce(
+      (sum, r) => sum + r.report.summary.totalDependencies,
+      0
+    );
+    const totalVulns = result.successful.reduce(
+      (sum, r) => sum + r.report.summary.totalVulnerabilities,
+      0
+    );
+    console.log(`
+Total dependencies: ${totalDeps}`);
+    console.log(`Total vulnerabilities: ${totalVulns}`);
+    const critical = result.successful.reduce((sum, r) => sum + r.report.summary.critical, 0);
+    const high = result.successful.reduce((sum, r) => sum + r.report.summary.high, 0);
+    const medium = result.successful.reduce((sum, r) => sum + r.report.summary.medium, 0);
+    const low = result.successful.reduce((sum, r) => sum + r.report.summary.low, 0);
+    if (totalVulns > 0) {
+      console.log(`  Critical: ${critical}, High: ${high}, Medium: ${medium}, Low: ${low}`);
+    }
+  }
+  if (result.failed.length > 0) {
+    console.log("\nFailed projects:");
+    for (const f of result.failed) {
+      console.log(`  \u2022 ${f.project.relativePath}: ${f.error}`);
+    }
+  }
+  console.log(`
+Completed in ${(result.durationMs / 1e3).toFixed(2)}s`);
+  console.log("");
+}
 function printHelp() {
   console.log(`
   Verimu \u2014 CRA Compliance Scanner
 
   Usage:
-    verimu                          Scan current directory
+    verimu                          Scan current directory (recursively)
     verimu scan [options]           Full scan (SBOM + CVE check)
     verimu generate-sbom [options]  Generate SBOM only (no CVE check)
     verimu help                     Show this help
@@ -18092,23 +19523,35 @@ function printHelp() {
   Options:
     --path, -p <dir>       Project directory to scan (default: .)
     --output, -o <file>    CycloneDX output path (SPDX/SWID are written alongside it)
+    --group-name <name>    Group name for organizing related projects in dashboard
     --fail-on <severity>   Exit 1 if vulns at or above: CRITICAL, HIGH, MEDIUM, LOW
     --skip-cve             Skip CVE vulnerability checking
     --skip-upload          Don't sync to Verimu platform (even if API key is set)
     --context-lines <n>    Snippet context lines around matches (default: 4, clamped to 0..20)
     --cdx-version <ver>    CycloneDX spec: 1.4, 1.5, 1.6, 1.7 (default: 1.7)
 
+  Project Discovery:
+    --no-recursive         Disable recursive discovery (scan only root directory)
+    --exclude <patterns>   Exclude paths matching patterns (comma-separated globs)
+
+  Note: Verimu automatically discovers all projects recursively by default.
+  For monorepos with multiple lockfiles, projects are auto-grouped by directory name.
+  Single lockfile projects are treated normally without grouping.
+
   Environment:
     VERIMU_API_KEY         API key for Verimu platform (from app.verimu.com)
     VERIMU_API_URL         Custom API URL (default: https://api.verimu.com)
 
   Examples:
-    npx verimu                                    # Quick scan
+    npx verimu                                    # Scan all projects recursively
     VERIMU_API_KEY=vmu_xxx npx verimu             # Scan + sync to platform
     npx verimu scan --fail-on HIGH                # Fail CI on HIGH+ vulns
+    npx verimu scan --group-name my-app           # Group projects with custom name
     npx verimu scan --context-lines 8             # Wider context around usage snippets
     npx verimu scan --cdx-version 1.5             # Specify CycloneDX version
     npx verimu scan --path ./backend --output ./reports/sbom.json
+    npx verimu scan --no-recursive                # Scan only root directory
+    npx verimu scan --exclude "legacy/*"          # Exclude legacy projects
 
   Supported ecosystems:
     npm (package-lock.json)         pip (requirements.txt)