verimu 0.0.21 → 0.0.22

package/dist/index.cjs

@@ -14106,7 +14106,12 @@ __export(index_exports, {
   CveSourceError: () => CveSourceError,
   CycloneDxGenerator: () => CycloneDxGenerator,
   DenoScanner: () => DenoScanner,
+  GitHubClient: () => GitHubClient,
+  GitHubOrchestrator: () => GitHubOrchestrator,
+  GitLabClient: () => GitLabClient,
+  GitLabOrchestrator: () => GitLabOrchestrator,
   GoScanner: () => GoScanner,
+  HtmlReporter: () => HtmlReporter,
   LockfileParseError: () => LockfileParseError,
   MavenScanner: () => MavenScanner,
   NoLockfileError: () => NoLockfileError,
@@ -14128,6 +14133,7 @@ __export(index_exports, {
   generateSbomArtifacts: () => generateSbomArtifacts,
   generateSpdxSbom: () => generateSpdxSbom,
   generateSwidTag: () => generateSwidTag,
+  parseProfile: () => parseProfile,
   printReport: () => printReport,
   scan: () => scan,
   shouldFailCi: () => shouldFailCi,
@@ -15763,8 +15769,8 @@ var PnpmScanner = class {
    *   "/pkg@1.0.0(dep@2.0.0)" → name: "pkg", version: "1.0.0"
    */
   parsePackagePath(pkgPath, lockfileVersion) {
-    const path14 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
-    const cleanPath = path14.split("_")[0].split("(")[0];
+    const path15 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
+    const cleanPath = path15.split("_")[0].split("(")[0];
     if (!cleanPath) {
       return { name: null, version: null };
     }
@@ -15776,30 +15782,30 @@ var PnpmScanner = class {
   /**
    * Parses v6+ format: "express@4.18.2" or "@types/node@20.11.5"
    */
-  parseV6Format(path14) {
-    if (path14.startsWith("@")) {
-      const lastAtIndex = path14.lastIndexOf("@");
+  parseV6Format(path15) {
+    if (path15.startsWith("@")) {
+      const lastAtIndex = path15.lastIndexOf("@");
       if (lastAtIndex <= 0) {
         return { name: null, version: null };
       }
-      const name2 = path14.substring(0, lastAtIndex);
-      const version2 = path14.substring(lastAtIndex + 1);
+      const name2 = path15.substring(0, lastAtIndex);
+      const version2 = path15.substring(lastAtIndex + 1);
       return { name: name2, version: version2 };
     }
-    const atIndex = path14.indexOf("@");
+    const atIndex = path15.indexOf("@");
     if (atIndex < 0) {
       return { name: null, version: null };
     }
-    const name = path14.substring(0, atIndex);
-    const version = path14.substring(atIndex + 1);
+    const name = path15.substring(0, atIndex);
+    const version = path15.substring(atIndex + 1);
     return { name, version };
   }
   /**
    * Parses v5.x format: "express/4.18.2" or "@types/node/20.11.5"
    */
-  parseV5Format(path14) {
-    if (path14.startsWith("@")) {
-      const parts = path14.split("/");
+  parseV5Format(path15) {
+    if (path15.startsWith("@")) {
+      const parts = path15.split("/");
       if (parts.length < 3) {
         return { name: null, version: null };
       }
@@ -15807,12 +15813,12 @@ var PnpmScanner = class {
       const version2 = parts[2];
       return { name: name2, version: version2 };
     }
-    const slashIndex = path14.indexOf("/");
+    const slashIndex = path15.indexOf("/");
     if (slashIndex < 0) {
       return { name: null, version: null };
     }
-    const name = path14.substring(0, slashIndex);
-    const version = path14.substring(slashIndex + 1);
+    const name = path15.substring(0, slashIndex);
+    const version = path15.substring(slashIndex + 1);
     return { name, version };
   }
   /**
@@ -17380,34 +17386,34 @@ var JsAstAnalyzer = class {
         matchCandidates.push({ packageKey: packageKey3, line, matchKind, calledSymbol, confidence });
       };
       traverseFn(ast, {
-        ImportDeclaration: (path14) => {
-          const source = path14.node.source;
+        ImportDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "import", void 0, 0.95);
-          for (const specifier of path14.node.specifiers) {
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "import", void 0, 0.95);
+          for (const specifier of path15.node.specifiers) {
             if ((0, import_types.isImportDefaultSpecifier)(specifier) || (0, import_types.isImportNamespaceSpecifier)(specifier) || (0, import_types.isImportSpecifier)(specifier)) {
               symbolToPackage.set(specifier.local.name, pkgKey);
             }
           }
         },
-        ExportNamedDeclaration: (path14) => {
-          const source = path14.node.source;
+        ExportNamedDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!source || !(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
         },
-        ExportAllDeclaration: (path14) => {
-          const source = path14.node.source;
+        ExportAllDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
         },
-        VariableDeclarator: (path14) => {
-          const node = path14.node;
+        VariableDeclarator: (path15) => {
+          const node = path15.node;
           if (!(0, import_types.isVariableDeclarator)(node)) return;
           if (!node.init || !(0, import_types.isCallExpression)(node.init)) return;
           if (!(0, import_types.isIdentifier)(node.init.callee, { name: "require" })) return;
@@ -17420,8 +17426,8 @@ var JsAstAnalyzer = class {
             symbolToPackage.set(identifier, pkgKey);
           }
         },
-        CallExpression: (path14) => {
-          const node = path14.node;
+        CallExpression: (path15) => {
+          const node = path15.node;
           if ((0, import_types.isIdentifier)(node.callee, { name: "require" })) {
             const firstArg = node.arguments[0];
             if (firstArg && (0, import_types.isStringLiteral)(firstArg)) {
@@ -17442,12 +17448,12 @@ var JsAstAnalyzer = class {
             0.75
           );
         },
-        ImportExpression: (path14) => {
-          const source = path14.node.source;
+        ImportExpression: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "dynamic_import", void 0, 0.9);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "dynamic_import", void 0, 0.9);
         }
       });
       for (const candidate of matchCandidates) {
@@ -18992,10 +18998,12 @@ async function uploadToVerimu(report, config) {
     throw new Error("API key required for upload");
   }
   const client = new VerimuApiClient(config.apiKey, config.apiBaseUrl);
-  const projectName = (0, import_path17.basename)(config.projectPath);
+  const projectName = config.uploadProjectName ?? (0, import_path17.basename)(config.projectPath);
   const upsertRes = await client.upsertProject({
     name: projectName,
     ecosystem: report.project.ecosystem,
+    repositoryUrl: config.repositoryUrl,
+    platform: config.platform,
     groupName: config.groupName
   });
   const projectId = upsertRes.project.id;
@@ -19060,6 +19068,1611 @@ function sanitizeUsageContextForUpload(usageContext) {
   const { artifactPath: _artifactPath, ...rest } = usageContext;
   return rest;
 }
+
+// src/gitlab/client.ts
+var import_child_process2 = require("child_process");
+var import_fs14 = require("fs");
+var import_path18 = require("path");
+var import_os = require("os");
+var GitLabClient = class {
+  baseUrl;
+  token;
+  apiUrl;
+  constructor(baseUrl, token) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+    this.token = token;
+    this.apiUrl = `${this.baseUrl}/api/v4`;
+  }
+  // ─── Project Listing ────────────────────────────────────────
+  /**
+   * Lists all accessible projects, paginated.
+   * Returns all pages concatenated.
+   */
+  async listAllProjects(options) {
+    const perPage = options?.perPage ?? 100;
+    const maxPages = options?.maxPages ?? 100;
+    const allProjects = [];
+    let page = 1;
+    while (page <= maxPages) {
+      const params = new URLSearchParams({
+        per_page: String(perPage),
+        page: String(page),
+        order_by: "last_activity_at",
+        sort: "desc",
+        simple: "false"
+      });
+      if (options?.archived !== void 0) {
+        params.set("archived", String(options.archived));
+      }
+      const url = `${this.apiUrl}/projects?${params.toString()}`;
+      const projects = await this.fetch(url);
+      if (projects.length === 0) break;
+      allProjects.push(...projects);
+      page++;
+      if (projects.length < perPage) break;
+    }
+    return allProjects;
+  }
+  /**
+   * Lists projects within a specific group (and its subgroups).
+   */
+  async listGroupProjects(groupPath, options) {
+    const perPage = options?.perPage ?? 100;
+    const includeSubgroups = options?.includeSubgroups ?? true;
+    const allProjects = [];
+    let page = 1;
+    while (true) {
+      const params = new URLSearchParams({
+        per_page: String(perPage),
+        page: String(page),
+        include_subgroups: String(includeSubgroups),
+        order_by: "last_activity_at",
+        sort: "desc"
+      });
+      const encoded = encodeURIComponent(groupPath);
+      const url = `${this.apiUrl}/groups/${encoded}/projects?${params.toString()}`;
+      const projects = await this.fetch(url);
+      if (projects.length === 0) break;
+      allProjects.push(...projects);
+      page++;
+      if (projects.length < perPage) break;
+    }
+    return allProjects;
+  }
+  /**
+   * Lists all groups accessible to the token.
+   */
+  async listGroups() {
+    const allGroups = [];
+    let page = 1;
+    while (true) {
+      const params = new URLSearchParams({
+        per_page: "100",
+        page: String(page)
+      });
+      const url = `${this.apiUrl}/groups?${params.toString()}`;
+      const groups = await this.fetch(url);
+      if (groups.length === 0) break;
+      allGroups.push(...groups);
+      page++;
+      if (groups.length < 100) break;
+    }
+    return allGroups;
+  }
+  // ─── Cloning ────────────────────────────────────────────────
+  /**
+   * Shallow-clones a repo into a temporary directory.
+   * Returns the path to the cloned repo.
+   *
+   * Uses HTTPS with token auth embedded in the URL
+   * (works for self-hosted GitLab with private-token).
+   */
+  cloneToTemp(project, branch) {
+    const tempDir = (0, import_fs14.mkdtempSync)((0, import_path18.join)((0, import_os.tmpdir)(), `verimu-gl-${project.id}-`));
+    const cloneUrl = this.buildAuthUrl(project.http_url_to_repo);
+    const targetBranch = branch ?? project.default_branch;
+    try {
+      (0, import_child_process2.execSync)(
+        `git clone --depth 1 --branch "${targetBranch}" --single-branch "${cloneUrl}" "${tempDir}"`,
+        {
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout per clone
+          env: {
+            ...process.env,
+            GIT_TERMINAL_PROMPT: "0"
+            // Never prompt for auth
+          }
+        }
+      );
+    } catch (err) {
+      this.cleanupTemp(tempDir);
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Clone failed for ${project.path_with_namespace}: ${msg}`);
+    }
+    return tempDir;
+  }
+  /**
+   * Removes a temporary clone directory.
+   */
+  cleanupTemp(tempDir) {
+    if ((0, import_fs14.existsSync)(tempDir)) {
+      (0, import_fs14.rmSync)(tempDir, { recursive: true, force: true });
+    }
+  }
+  // ─── Helpers ────────────────────────────────────────────────
+  /**
+   * Builds an authenticated HTTPS URL for git clone.
+   * Embeds the token as oauth2 password.
+   */
+  buildAuthUrl(httpUrl) {
+    const url = new URL(httpUrl);
+    url.username = "oauth2";
+    url.password = this.token;
+    return url.toString();
+  }
+  /**
+   * Makes an authenticated GET request to the GitLab API.
+   */
+  async fetch(url) {
+    const response = await globalThis.fetch(url, {
+      headers: {
+        "PRIVATE-TOKEN": this.token,
+        "Accept": "application/json"
+      }
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "no body");
+      throw new Error(
+        `GitLab API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body}`
+      );
+    }
+    return response.json();
+  }
+};
+
+// src/discovery/lockfile-discovery.ts
+var import_promises17 = require("fs/promises");
+var import_fs15 = require("fs");
+var import_path19 = __toESM(require("path"), 1);
+var LOCKFILE_MAP = {
+  "pnpm-lock.yaml": { ecosystem: "npm", scanner: "pnpm" },
+  "yarn.lock": { ecosystem: "npm", scanner: "yarn" },
+  "package-lock.json": { ecosystem: "npm", scanner: "npm" },
+  "deno.lock": { ecosystem: "npm", scanner: "deno" },
+  "Cargo.lock": { ecosystem: "cargo", scanner: "cargo" },
+  "go.sum": { ecosystem: "go", scanner: "go" },
+  "Gemfile.lock": { ecosystem: "ruby", scanner: "ruby" },
+  "composer.lock": { ecosystem: "composer", scanner: "composer" },
+  "packages.lock.json": { ecosystem: "nuget", scanner: "nuget" },
+  "poetry.lock": { ecosystem: "poetry", scanner: "poetry" },
+  "uv.lock": { ecosystem: "uv", scanner: "uv" },
+  "Pipfile.lock": { ecosystem: "pip", scanner: "pip" },
+  "requirements.txt": { ecosystem: "pip", scanner: "pip" },
+  "pom.xml": { ecosystem: "maven", scanner: "maven" }
+};
+var DEFAULT_EXCLUDES = [
+  "node_modules",
+  ".git",
+  ".hg",
+  ".svn",
+  "vendor",
+  "target",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "__pycache__",
+  ".venv",
+  "venv",
+  ".tox",
+  "coverage",
+  ".cache",
+  "out",
+  ".output"
+];
+var LockfileDiscovery = class {
+  lockfileNames = Object.keys(LOCKFILE_MAP);
+  /**
+   * Discovers all lockfiles recursively starting from rootPath.
+   * Returns a list of projects that can be scanned.
+   */
+  async discover(options) {
+    const { rootPath, exclude, maxDepth } = options;
+    const absoluteRoot = import_path19.default.resolve(rootPath);
+    const discovered = [];
+    const excludePatterns = this.buildExcludePatterns(exclude);
+    await this.walkDirectory(absoluteRoot, absoluteRoot, discovered, {
+      excludePatterns,
+      maxDepth: maxDepth ?? Infinity,
+      //not set, infinite for now, can add as a cli-flag later if needed
+      currentDepth: 0
+    });
+    discovered.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+    return discovered;
+  }
+  /**
+   * Recursively walks directories looking for lockfiles.
+   * Stops descending into a directory once a lockfile is found
+   * (to avoid scanning nested node_modules, etc.)
+   */
+  async walkDirectory(currentPath, rootPath, results, options) {
+    const { excludePatterns, maxDepth, currentDepth } = options;
+    if (currentDepth > maxDepth) return;
+    const relativePath = import_path19.default.relative(rootPath, currentPath) || ".";
+    if (this.matchesAnyPattern(relativePath, excludePatterns)) {
+      return;
+    }
+    const foundLockfile = await this.findLockfileInDir(currentPath);
+    if (foundLockfile) {
+      results.push({
+        projectPath: currentPath,
+        relativePath,
+        lockfile: {
+          name: foundLockfile.name,
+          path: import_path19.default.join(currentPath, foundLockfile.name)
+        },
+        ecosystem: foundLockfile.ecosystem,
+        scannerType: foundLockfile.scanner
+      });
+      return;
+    }
+    let entries;
+    try {
+      entries = await (0, import_promises17.readdir)(currentPath);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const entryPath = import_path19.default.join(currentPath, entry);
+      try {
+        const stats = await (0, import_promises17.stat)(entryPath);
+        if (stats.isDirectory()) {
+          if (this.isDefaultExclude(entry)) continue;
+          await this.walkDirectory(entryPath, rootPath, results, {
+            ...options,
+            currentDepth: currentDepth + 1
+          });
+        }
+      } catch {
+      }
+    }
+  }
+  /**
+   * Looks for a lockfile in the given directory.
+   * Returns the first match in priority order.
+   */
+  async findLockfileInDir(dirPath) {
+    const priorityOrder = [
+      "pnpm-lock.yaml",
+      "yarn.lock",
+      "package-lock.json",
+      "deno.lock",
+      "Cargo.lock",
+      "go.sum",
+      "poetry.lock",
+      "uv.lock",
+      "Pipfile.lock",
+      "composer.lock",
+      "Gemfile.lock",
+      "packages.lock.json",
+      "pom.xml",
+      "requirements.txt"
+    ];
+    for (const lockfileName of priorityOrder) {
+      const lockfilePath = import_path19.default.join(dirPath, lockfileName);
+      if ((0, import_fs15.existsSync)(lockfilePath)) {
+        const info = LOCKFILE_MAP[lockfileName];
+        return { name: lockfileName, ...info };
+      }
+    }
+    return null;
+  }
+  /**
+   * Builds exclude patterns from user input + defaults.
+   */
+  buildExcludePatterns(userExcludes) {
+    const patterns = [];
+    for (const dir of DEFAULT_EXCLUDES) {
+      patterns.push(`**/${dir}`);
+      patterns.push(`**/${dir}/**`);
+    }
+    if (userExcludes) {
+      patterns.push(...userExcludes);
+    }
+    return patterns;
+  }
+  /**
+   * Quick check if a directory name is in the default exclude list.
+   */
+  isDefaultExclude(dirName) {
+    return DEFAULT_EXCLUDES.includes(dirName);
+  }
+  /**
+   * Checks if a path matches any of the given glob patterns.
+   * Uses simple glob matching (supports *, **, ?).
+   */
+  matchesAnyPattern(relativePath, patterns) {
+    const normalized = relativePath.replace(/\\/g, "/");
+    for (const pattern of patterns) {
+      if (this.matchGlob(normalized, pattern)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Simple glob matcher supporting:
+   * - * (matches any characters except /)
+   * - ** (matches any characters including /)
+   * - ? (matches single character)
+   */
+  matchGlob(str, pattern) {
+    let regex = pattern.replace(/\\/g, "/").replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*").replace(/\?/g, ".");
+    regex = `^${regex}$`;
+    return new RegExp(regex).test(str);
+  }
+};
+
+// src/gitlab/orchestrator.ts
+var GitLabOrchestrator = class {
+  discovery = new LockfileDiscovery();
+  /**
+   * Scans all accessible repos on a GitLab instance.
+   */
+  async scanInstance(config) {
+    const startTime = Date.now();
+    const client = new GitLabClient(config.url, config.token);
+    console.log(`
+  Connecting to ${config.url}...`);
+    let projects;
+    if (config.groups && config.groups.length > 0) {
+      const grouped = [];
+      for (const group of config.groups) {
+        console.log(`  Listing projects in group: ${group}`);
+        const groupProjects = await client.listGroupProjects(group);
+        grouped.push(...groupProjects);
+      }
+      const seen = /* @__PURE__ */ new Set();
+      projects = grouped.filter((p) => {
+        if (seen.has(p.id)) return false;
+        seen.add(p.id);
+        return true;
+      });
+    } else {
+      console.log("  Listing all accessible projects...");
+      projects = await client.listAllProjects({
+        archived: config.excludeArchived !== false ? false : void 0
+      });
+    }
+    console.log(`  Found ${projects.length} projects
+`);
+    const { toScan, skipped } = this.filterProjects(projects, config);
+    console.log(`  Scanning ${toScan.length} repos (${skipped.length} skipped)
+`);
+    const scannedRepos = [];
+    const failedRepos = [];
+    for (let i = 0; i < toScan.length; i++) {
+      const project = toScan[i];
+      const label = `[${i + 1}/${toScan.length}]`;
+      console.log(`  ${label} ${project.path_with_namespace}`);
+      const repoStart = Date.now();
+      let tempDir = null;
+      try {
+        process.stdout.write("    Cloning... ");
+        tempDir = client.cloneToTemp(project, config.branch);
+        console.log("done");
+        const discovered = await this.discovery.discover({
+          rootPath: tempDir
+        });
+        if (discovered.length === 0) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            project,
+            reports: [],
+            hasLockfile: false,
+            durationMs: Date.now() - repoStart
+          });
+          continue;
+        }
+        console.log(`    Found ${discovered.length} project(s)`);
+        const reports = [];
+        for (const disc of discovered) {
+          const subLabel = discovered.length > 1 ? ` (${disc.relativePath})` : "";
+          const uploadProjectName = discovered.length > 1 && disc.relativePath !== "." ? `${project.path_with_namespace}/${disc.relativePath}` : project.path_with_namespace;
+          const safeArtifactSuffix = uploadProjectName.replace(/[\\/:*?"<>|]/g, "-").replace(/\s+/g, "-").toLowerCase();
+          const sbomOutput = `${tempDir}/sbom.${safeArtifactSuffix}.cdx.json`;
+          process.stdout.write(`    Scanning${subLabel}... `);
+          try {
+            const report = await scan({
+              projectPath: disc.projectPath,
+              sbomOutput,
+              skipCveCheck: config.skipCveCheck ?? false,
+              apiKey: config.apiKey,
+              apiBaseUrl: config.apiBaseUrl,
+              groupName: config.groupName,
+              uploadProjectName,
+              repositoryUrl: project.web_url,
+              platform: "gitlab"
+            });
+            const vulnCount = report.summary.totalVulnerabilities;
+            const depCount = report.summary.totalDependencies;
+            if (vulnCount > 0) {
+              console.log(
+                `${depCount} deps, ${vulnCount} vulns (C:${report.summary.critical} H:${report.summary.high} M:${report.summary.medium} L:${report.summary.low})`
+              );
+            } else {
+              console.log(`${depCount} deps, clean`);
+            }
+            reports.push(report);
+          } catch (scanErr) {
+            const msg = scanErr instanceof Error ? scanErr.message : String(scanErr);
+            console.log(`FAILED: ${msg.slice(0, 80)}`);
+          }
+        }
+        const durationMs = Date.now() - repoStart;
+        scannedRepos.push({
+          project,
+          reports,
+          hasLockfile: true,
+          durationMs
+        });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const durationMs = Date.now() - repoStart;
+        if (msg.includes("No supported lockfile") || msg.includes("NoLockfileError")) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            project,
+            reports: [],
+            hasLockfile: false,
+            durationMs
+          });
+        } else {
+          console.log(`    FAILED: ${msg.slice(0, 100)}`);
+          failedRepos.push({ project, error: msg });
+        }
+      } finally {
+        if (tempDir) {
+          client.cleanupTemp(tempDir);
+        }
+      }
+      console.log("");
+    }
+    const result = this.aggregate(
+      config.url,
+      projects.length,
+      scannedRepos,
+      skipped,
+      failedRepos,
+      Date.now() - startTime
+    );
+    this.printSummary(result);
+    return result;
+  }
+  // ─── Filtering ──────────────────────────────────────────────
+  filterProjects(projects, config) {
+    const toScan = [];
+    const skipped = [];
+    for (const project of projects) {
+      if (config.excludeArchived !== false && project.archived) {
+        skipped.push({ project, reason: "archived" });
+        continue;
+      }
+      if (config.excludeEmpty !== false && project.empty_repo) {
+        skipped.push({ project, reason: "empty repository" });
+        continue;
+      }
+      if (config.excludePatterns?.length) {
+        const matched = config.excludePatterns.some(
+          (pattern) => this.matchGlob(project.path_with_namespace, pattern)
+        );
+        if (matched) {
+          skipped.push({ project, reason: "matched exclude pattern" });
+          continue;
+        }
+      }
+      toScan.push(project);
+    }
+    if (config.maxRepos && toScan.length > config.maxRepos) {
+      const trimmed = toScan.splice(config.maxRepos);
+      for (const p of trimmed) {
+        skipped.push({ project: p, reason: "exceeded --max-repos limit" });
+      }
+    }
+    return { toScan, skipped };
+  }
+  matchGlob(str, pattern) {
+    const regex = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*").replace(/\?/g, ".");
+    return new RegExp(`^${regex}$`).test(str);
+  }
+  // ─── Aggregation ────────────────────────────────────────────
+  aggregate(instanceUrl, totalDiscovered, scannedRepos, skippedRepos, failedRepos, durationMs) {
+    const reposWithData = scannedRepos.filter((r) => r.reports.length > 0);
+    const ecosystemBreakdown = {};
+    let totalDeps = 0;
+    let totalVulns = 0;
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let exploitedInWild = 0;
+    let reposWithVulns = 0;
+    for (const { reports } of reposWithData) {
+      let repoHasVulns = false;
+      for (const report of reports) {
+        totalDeps += report.summary.totalDependencies;
+        totalVulns += report.summary.totalVulnerabilities;
+        critical += report.summary.critical;
+        high += report.summary.high;
+        medium += report.summary.medium;
+        low += report.summary.low;
+        exploitedInWild += report.summary.exploitedInWild;
+        if (report.summary.totalVulnerabilities > 0) {
+          repoHasVulns = true;
+        }
+        const eco = report.project.ecosystem;
+        ecosystemBreakdown[eco] = (ecosystemBreakdown[eco] ?? 0) + 1;
+      }
+      if (repoHasVulns) reposWithVulns++;
+    }
+    const vulnMap = /* @__PURE__ */ new Map();
+    for (const { project, reports } of reposWithData) {
+      for (const report of reports) {
+        for (const vuln of report.cveCheck.vulnerabilities) {
+          const existing = vulnMap.get(vuln.id);
+          if (existing) {
+            if (!existing.affectedRepos.includes(project.path_with_namespace)) {
+              existing.affectedRepos.push(project.path_with_namespace);
+            }
+          } else {
+            vulnMap.set(vuln.id, {
+              id: vuln.id,
+              severity: vuln.severity,
+              summary: vuln.summary,
+              affectedRepos: [project.path_with_namespace],
+              fixedVersion: vuln.fixedVersion,
+              exploitedInWild: vuln.exploitedInWild
+            });
+          }
+        }
+      }
+    }
+    const severityOrder2 = {
+      CRITICAL: 0,
+      HIGH: 1,
+      MEDIUM: 2,
+      LOW: 3,
+      UNKNOWN: 4
+    };
+    const topVulnerabilities = Array.from(vulnMap.values()).sort((a, b) => {
+      const sevDiff = severityOrder2[a.severity] - severityOrder2[b.severity];
+      if (sevDiff !== 0) return sevDiff;
+      return b.affectedRepos.length - a.affectedRepos.length;
+    });
+    return {
+      instanceUrl,
+      totalReposDiscovered: totalDiscovered,
+      scannedRepos,
+      skippedRepos,
+      failedRepos,
+      summary: {
+        totalRepos: reposWithData.length,
+        reposWithVulnerabilities: reposWithVulns,
+        totalDependencies: totalDeps,
+        totalVulnerabilities: totalVulns,
+        critical,
+        high,
+        medium,
+        low,
+        exploitedInWild,
+        ecosystemBreakdown
+      },
+      topVulnerabilities,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      durationMs
+    };
+  }
+  // ─── Summary Printing ───────────────────────────────────────
+  printSummary(result) {
+    console.log("\n" + "\u2550".repeat(60));
+    console.log("  VERIMU GITLAB INSTANCE SCAN \u2014 COMPLETE");
+    console.log("\u2550".repeat(60));
+    console.log(`
+  Instance:     ${result.instanceUrl}`);
+    console.log(`  Repos found:  ${result.totalReposDiscovered}`);
+    console.log(`  Repos scanned: ${result.summary.totalRepos}`);
+    console.log(`  Repos with vulns: ${result.summary.reposWithVulnerabilities}`);
+    console.log(`  Skipped:      ${result.skippedRepos.length}`);
+    console.log(`  Failed:       ${result.failedRepos.length}`);
+    console.log("");
+    console.log(`  Total dependencies:     ${result.summary.totalDependencies}`);
+    console.log(`  Total vulnerabilities:  ${result.summary.totalVulnerabilities}`);
+    console.log(`    Critical: ${result.summary.critical}`);
+    console.log(`    High:     ${result.summary.high}`);
+    console.log(`    Medium:   ${result.summary.medium}`);
+    console.log(`    Low:      ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      console.log(`
+  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 CRA 24h reporting required`);
+    }
+    if (Object.keys(result.summary.ecosystemBreakdown).length > 0) {
+      console.log("\n  Ecosystems:");
+      for (const [eco, count] of Object.entries(result.summary.ecosystemBreakdown)) {
+        console.log(`    ${eco}: ${count} project(s)`);
+      }
+    }
+    console.log(`
+  Completed in ${(result.durationMs / 1e3).toFixed(1)}s`);
+    console.log("");
+  }
+};
+
+// src/reporters/html.ts
+var HtmlReporter = class {
+  name = "html";
+  generate(result) {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Verimu Security Report \u2014 ${this.escapeHtml(result.instanceUrl)}</title>
+${this.styles()}
+</head>
+<body>
+<div class="container">
+  ${this.header(result)}
+  ${this.summaryCards(result)}
+  ${this.severityChart(result)}
+  ${this.topVulnerabilities(result)}
+  ${this.repoBreakdown(result)}
+  ${this.ecosystemBreakdown(result)}
+  ${this.craTimeline(result)}
+  ${this.footer(result)}
+</div>
+</body>
+</html>`;
+  }
+  // ─── Sections ─────────────────────────────────────────────
+  header(result) {
+    const date = new Date(result.scannedAt).toLocaleDateString("en-US", {
+      year: "numeric",
+      month: "long",
+      day: "numeric"
+    });
+    return `
+  <header>
+    <div class="brand">
+      <div class="logo">V</div>
+      <div>
+        <h1>Security posture report</h1>
+        <p class="subtitle">${this.escapeHtml(result.instanceUrl)} \u2014 ${date}</p>
+      </div>
+    </div>
+    <p class="intro">
+      This report summarizes the current vulnerability landscape across
+      <strong>${result.summary.totalRepos} repositories</strong> containing
+      <strong>${result.summary.totalDependencies.toLocaleString()} dependencies</strong>.
+      Generated by <a href="https://verimu.com">Verimu</a> CRA Compliance Scanner.
+    </p>
+  </header>`;
+  }
+  summaryCards(result) {
+    const s = result.summary;
+    const vulnRepoPercent = s.totalRepos > 0 ? Math.round(s.reposWithVulnerabilities / s.totalRepos * 100) : 0;
+    return `
+  <section class="cards">
+    <div class="card">
+      <div class="card-value">${s.totalRepos}</div>
+      <div class="card-label">Repos scanned</div>
+    </div>
+    <div class="card">
+      <div class="card-value">${s.totalDependencies.toLocaleString()}</div>
+      <div class="card-label">Total dependencies</div>
+    </div>
+    <div class="card card-danger">
+      <div class="card-value">${s.totalVulnerabilities}</div>
+      <div class="card-label">Vulnerabilities found</div>
+    </div>
+    <div class="card ${vulnRepoPercent > 50 ? "card-danger" : vulnRepoPercent > 25 ? "card-warn" : ""}">
+      <div class="card-value">${vulnRepoPercent}%</div>
+      <div class="card-label">Repos with vulns</div>
+    </div>
+  </section>`;
+  }
+  severityChart(result) {
+    const s = result.summary;
+    const total = s.totalVulnerabilities || 1;
+    const bars = [
+      { label: "Critical", count: s.critical, cls: "sev-critical" },
+      { label: "High", count: s.high, cls: "sev-high" },
+      { label: "Medium", count: s.medium, cls: "sev-medium" },
+      { label: "Low", count: s.low, cls: "sev-low" }
+    ];
+    const barHtml = bars.map((b) => {
+      const width = Math.max(2, b.count / total * 100);
+      return `
+      <div class="bar-row">
+        <span class="bar-label">${b.label}</span>
+        <div class="bar-track">
+          <div class="bar-fill ${b.cls}" style="width: ${width}%"></div>
+        </div>
+        <span class="bar-count">${b.count}</span>
+      </div>`;
+    }).join("");
+    return `
+  <section>
+    <h2>Severity breakdown</h2>
+    <div class="chart">${barHtml}</div>
+    ${s.exploitedInWild > 0 ? `
+    <div class="alert alert-critical">
+      <strong>\u26A0 ${s.exploitedInWild} vulnerabilit${s.exploitedInWild === 1 ? "y" : "ies"} actively exploited in the wild.</strong>
+      Under the EU Cyber Resilience Act, actively exploited vulnerabilities require
+      notification to ENISA within 24 hours of awareness.
+    </div>` : ""}
+  </section>`;
+  }
+  topVulnerabilities(result) {
+    if (result.topVulnerabilities.length === 0) {
+      return `
+  <section>
+    <h2>Vulnerabilities</h2>
+    <p class="empty">No known vulnerabilities detected. Nice work.</p>
+  </section>`;
+    }
+    const top = result.topVulnerabilities.slice(0, 30);
+    const rows = top.map(
+      (vuln) => `
+      <tr>
+        <td><span class="sev-badge ${this.sevClass(vuln.severity)}">${vuln.severity}</span></td>
+        <td class="vuln-id">${this.escapeHtml(vuln.id)}</td>
+        <td>${this.escapeHtml(vuln.summary.slice(0, 120))}</td>
+        <td>${vuln.fixedVersion ? this.escapeHtml(vuln.fixedVersion) : '<span class="no-fix">none</span>'}</td>
+        <td>${vuln.affectedRepos.length}</td>
+        <td>${vuln.exploitedInWild ? '<span class="exploited">YES</span>' : ""}</td>
+      </tr>`
+    ).join("");
+    return `
+  <section>
+    <h2>Top vulnerabilities</h2>
+    <p class="section-desc">Sorted by severity, then by number of affected repositories.</p>
+    <div class="table-wrap">
+      <table>
+        <thead>
+          <tr>
+            <th>Severity</th>
+            <th>ID</th>
+            <th>Summary</th>
+            <th>Fix</th>
+            <th>Repos</th>
+            <th>Exploited</th>
+          </tr>
+        </thead>
+        <tbody>${rows}</tbody>
+      </table>
+    </div>
+  </section>`;
+  }
+  repoBreakdown(result) {
+    const repos = result.scannedRepos.filter((r) => r.reports.length > 0).sort((a, b) => {
+      const aVulns = a.reports.reduce((s, r) => s + r.summary.totalVulnerabilities, 0);
+      const bVulns = b.reports.reduce((s, r) => s + r.summary.totalVulnerabilities, 0);
+      return bVulns - aVulns;
+    });
+    const rows = repos.map((r) => {
+      const s = r.reports.reduce((acc, rpt) => ({ totalVulnerabilities: acc.totalVulnerabilities + rpt.summary.totalVulnerabilities, critical: acc.critical + rpt.summary.critical, high: acc.high + rpt.summary.high, medium: acc.medium + rpt.summary.medium, low: acc.low + rpt.summary.low, totalDependencies: acc.totalDependencies + rpt.summary.totalDependencies }), { totalVulnerabilities: 0, critical: 0, high: 0, medium: 0, low: 0, totalDependencies: 0 });
+      const vulnBadge = s.totalVulnerabilities > 0 ? `<span class="sev-badge ${s.critical > 0 ? "sev-critical" : s.high > 0 ? "sev-high" : s.medium > 0 ? "sev-medium" : "sev-low"}">${s.totalVulnerabilities}</span>` : '<span class="clean">clean</span>';
+      return `
+      <tr>
+        <td class="repo-name">${this.escapeHtml(r.project.path_with_namespace)}</td>
+        <td>${r.reports.map((rpt) => rpt.project.ecosystem).filter((v, i, a) => a.indexOf(v) === i).join(", ")}</td>
+        <td>${s.totalDependencies}</td>
+        <td>${vulnBadge}</td>
+        <td>${s.critical}</td>
+        <td>${s.high}</td>
+        <td>${s.medium}</td>
+        <td>${s.low}</td>
+      </tr>`;
+    }).join("");
+    return `
+  <section>
+    <h2>Repository breakdown</h2>
+    <p class="section-desc">${repos.length} repositories with dependency lockfiles.</p>
+    <div class="table-wrap">
+      <table>
+        <thead>
+          <tr>
+            <th>Repository</th>
+            <th>Ecosystem</th>
+            <th>Deps</th>
+            <th>Vulns</th>
+            <th>Crit</th>
+            <th>High</th>
+            <th>Med</th>
+            <th>Low</th>
+          </tr>
+        </thead>
+        <tbody>${rows}</tbody>
+      </table>
+    </div>
+  </section>`;
+  }
+  ecosystemBreakdown(result) {
+    const eco = result.summary.ecosystemBreakdown;
+    if (Object.keys(eco).length === 0) return "";
+    const items = Object.entries(eco).sort((a, b) => b[1] - a[1]).map(([name, count]) => `
+        <div class="eco-item">
+          <span class="eco-name">${name}</span>
+          <span class="eco-count">${count} repo${count !== 1 ? "s" : ""}</span>
+        </div>`).join("");
+    return `
+  <section>
+    <h2>Ecosystem distribution</h2>
+    <div class="eco-grid">${items}</div>
+  </section>`;
+  }
+  craTimeline(result) {
+    const s = result.summary;
+    if (s.totalVulnerabilities === 0) return "";
+    return `
+  <section>
+    <h2>CRA compliance implications</h2>
+    <div class="cra-box">
+      <p>The <strong>EU Cyber Resilience Act</strong> (Regulation 2024/2847) establishes
+      mandatory cybersecurity requirements for products with digital elements.
+      Key obligations relevant to this scan:</p>
+      <ul>
+        <li><strong>Article 14(2):</strong> Manufacturers must identify and document
+        vulnerabilities, including in third-party components (your dependencies).</li>
+        <li><strong>Article 14(4):</strong> Actively exploited vulnerabilities must be
+        reported to ENISA within 24 hours of awareness${s.exploitedInWild > 0 ? ` \u2014 <strong class="text-danger">${s.exploitedInWild} found in this scan</strong>` : ""}.</li>
+        <li><strong>Article 14(3):</strong> Security updates must be provided free of charge
+        for the support period.</li>
+        <li><strong>Annex I, Part II(1):</strong> An SBOM documenting all components must
+        be maintained \u2014 Verimu generates these in CycloneDX, SPDX, and SWID formats.</li>
+      </ul>
+      <p class="cra-note">Full enforcement begins <strong>11 December 2027</strong>.
+      Vulnerability reporting obligations apply from <strong>11 September 2026</strong>.</p>
+    </div>
+  </section>`;
+  }
+  footer(result) {
+    const duration = (result.durationMs / 1e3).toFixed(1);
+    return `
+  <footer>
+    <p>Generated by <a href="https://verimu.com">Verimu</a> CRA Compliance Scanner
+    in ${duration}s on ${new Date(result.scannedAt).toISOString()}</p>
+    <p class="footer-cta">
+      Continuous monitoring, SBOM management, and CRA compliance dashboards available at
+      <a href="https://app.verimu.com">app.verimu.com</a>
+    </p>
+  </footer>`;
+  }
+  // ─── Styling ──────────────────────────────────────────────
+  styles() {
+    return `<style>
+  :root {
+    --bg: #ffffff; --bg2: #f7f8fa; --text: #1a1a2e; --text2: #555770;
+    --border: #e2e4ea; --accent: #4f46e5; --accent-light: #eef2ff;
+    --crit: #dc2626; --crit-bg: #fef2f2;
+    --high: #ea580c; --high-bg: #fff7ed;
+    --med: #d97706; --med-bg: #fffbeb;
+    --low: #2563eb; --low-bg: #eff6ff;
+    --green: #16a34a; --green-bg: #f0fdf4;
+    --radius: 8px; --radius-lg: 12px;
+  }
+  @media (prefers-color-scheme: dark) {
+    :root {
+      --bg: #0f0f1a; --bg2: #1a1a2e; --text: #e4e4f0; --text2: #9595ad;
+      --border: #2a2a40; --accent: #818cf8; --accent-light: #1e1b4b;
+      --crit-bg: #2a0a0a; --high-bg: #2a1a0a; --med-bg: #2a2200; --low-bg: #0a1a2e;
+      --green-bg: #0a2a1a;
+    }
+  }
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+    background: var(--bg); color: var(--text); line-height: 1.6; }
+  .container { max-width: 960px; margin: 0 auto; padding: 2rem 1.5rem; }
+  a { color: var(--accent); text-decoration: none; }
+  a:hover { text-decoration: underline; }
+
+  /* Header */
+  header { margin-bottom: 2rem; }
+  .brand { display: flex; align-items: center; gap: 1rem; margin-bottom: 1rem; }
+  .logo { width: 48px; height: 48px; background: var(--accent); color: #fff;
+    border-radius: var(--radius); display: flex; align-items: center; justify-content: center;
+    font-size: 24px; font-weight: 700; }
+  h1 { font-size: 22px; font-weight: 600; }
+  .subtitle { color: var(--text2); font-size: 14px; }
+  .intro { color: var(--text2); font-size: 15px; max-width: 700px; }
+
+  /* Cards */
+  .cards { display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+    gap: 12px; margin-bottom: 2rem; }
+  .card { background: var(--bg2); border-radius: var(--radius-lg); padding: 1.25rem;
+    border: 1px solid var(--border); }
+  .card-value { font-size: 28px; font-weight: 700; }
+  .card-label { font-size: 13px; color: var(--text2); margin-top: 4px; }
+  .card-danger .card-value { color: var(--crit); }
+  .card-warn .card-value { color: var(--med); }
+
+  /* Sections */
+  section { margin-bottom: 2.5rem; }
+  h2 { font-size: 18px; font-weight: 600; margin-bottom: 0.75rem; }
+  .section-desc { color: var(--text2); font-size: 14px; margin-bottom: 1rem; }
+  .empty { color: var(--green); font-weight: 500; }
+
+  /* Bar chart */
+  .chart { max-width: 500px; }
+  .bar-row { display: flex; align-items: center; gap: 8px; margin-bottom: 8px; }
+  .bar-label { width: 60px; font-size: 13px; color: var(--text2); text-align: right; }
+  .bar-track { flex: 1; height: 24px; background: var(--bg2); border-radius: 4px;
+    overflow: hidden; border: 1px solid var(--border); }
+  .bar-fill { height: 100%; border-radius: 3px; transition: width 0.3s; }
+  .bar-count { width: 36px; font-size: 14px; font-weight: 600; }
+  .sev-critical, .bar-fill.sev-critical { background: var(--crit); color: #fff; }
+  .sev-high, .bar-fill.sev-high { background: var(--high); color: #fff; }
+  .sev-medium, .bar-fill.sev-medium { background: var(--med); color: #fff; }
+  .sev-low, .bar-fill.sev-low { background: var(--low); color: #fff; }
+
+  /* Tables */
+  .table-wrap { overflow-x: auto; border: 1px solid var(--border); border-radius: var(--radius-lg); }
+  table { width: 100%; border-collapse: collapse; font-size: 13px; }
+  th { background: var(--bg2); font-weight: 600; font-size: 12px; text-transform: uppercase;
+    letter-spacing: 0.5px; color: var(--text2); padding: 10px 12px; text-align: left;
+    border-bottom: 1px solid var(--border); }
+  td { padding: 10px 12px; border-bottom: 1px solid var(--border); vertical-align: middle; }
+  tr:last-child td { border-bottom: none; }
+  tr:hover td { background: var(--bg2); }
+  .repo-name { font-weight: 500; font-size: 13px; }
+  .vuln-id { font-family: monospace; font-size: 12px; white-space: nowrap; }
+
+  /* Badges */
+  .sev-badge { display: inline-block; padding: 2px 8px; border-radius: 4px;
+    font-size: 11px; font-weight: 700; text-transform: uppercase; }
+  .clean { color: var(--green); font-size: 12px; font-weight: 500; }
+  .no-fix { color: var(--text2); font-size: 12px; }
+  .exploited { color: var(--crit); font-weight: 700; font-size: 12px; }
+
+  /* Alert */
+  .alert { padding: 1rem 1.25rem; border-radius: var(--radius); margin-top: 1rem; font-size: 14px; }
+  .alert-critical { background: var(--crit-bg); border: 1px solid var(--crit); color: var(--crit); }
+
+  /* Ecosystem grid */
+  .eco-grid { display: flex; flex-wrap: wrap; gap: 8px; }
+  .eco-item { background: var(--bg2); border: 1px solid var(--border); border-radius: var(--radius);
+    padding: 8px 16px; display: flex; align-items: center; gap: 8px; }
+  .eco-name { font-weight: 600; font-size: 14px; }
+  .eco-count { color: var(--text2); font-size: 13px; }
+
+  /* CRA */
+  .cra-box { background: var(--accent-light); border: 1px solid var(--accent);
+    border-radius: var(--radius-lg); padding: 1.5rem; font-size: 14px; }
+  .cra-box ul { margin: 0.75rem 0; padding-left: 1.5rem; }
+  .cra-box li { margin-bottom: 0.5rem; }
+  .cra-note { margin-top: 1rem; font-weight: 600; }
+  .text-danger { color: var(--crit); }
+
+  /* Footer */
+  footer { border-top: 1px solid var(--border); padding-top: 1.5rem; margin-top: 2rem;
+    color: var(--text2); font-size: 13px; }
+  .footer-cta { margin-top: 0.5rem; }
+
+  @media print {
+    .container { max-width: 100%; }
+    .card { break-inside: avoid; }
+  }
+</style>`;
+  }
+  // ─── Helpers ──────────────────────────────────────────────
+  escapeHtml(str) {
+    return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+  }
+  sevClass(severity) {
+    const map = {
+      CRITICAL: "sev-critical",
+      HIGH: "sev-high",
+      MEDIUM: "sev-medium",
+      LOW: "sev-low",
+      UNKNOWN: "sev-low"
+    };
+    return map[severity] ?? "sev-low";
+  }
+};
+
+// src/github/client.ts
+var import_child_process3 = require("child_process");
+var import_fs16 = require("fs");
+var import_path20 = require("path");
+var import_os2 = require("os");
+function parseProfile(input, baseUrl) {
+  const trimmed = input.trim();
+  try {
+    const url = new URL(trimmed);
+    const pathSegments = url.pathname.split("/").filter(Boolean);
+    if (pathSegments.length >= 1) {
+      return { login: pathSegments[0] };
+    }
+  } catch {
+  }
+  if (trimmed.includes("/") && !trimmed.startsWith("http")) {
+    try {
+      const url = new URL(`https://${trimmed}`);
+      const pathSegments = url.pathname.split("/").filter(Boolean);
+      if (pathSegments.length >= 1) {
+        return { login: pathSegments[0] };
+      }
+    } catch {
+    }
+  }
+  if (!trimmed || trimmed.includes(" ")) {
+    throw new Error(`Invalid GitHub profile: "${input}". Provide an org/user handle or URL.`);
+  }
+  return { login: trimmed };
+}
+var GitHubClient = class {
+  baseUrl;
+  apiUrl;
+  token;
+  lastRateLimit;
+  constructor(baseUrl, token) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+    this.token = token;
+    if (this.baseUrl === "https://github.com" || this.baseUrl === "http://github.com") {
+      this.apiUrl = "https://api.github.com";
+    } else {
+      this.apiUrl = `${this.baseUrl}/api/v3`;
+    }
+  }
+  // ─── Owner Type Detection ──────────────────────────────────
+  /**
+   * Determines whether a login is a User or Organization by
+   * calling GET /users/{username} and reading the `type` field.
+   */
+  async detectOwnerType(login) {
+    const data = await this.fetch(`${this.apiUrl}/users/${encodeURIComponent(login)}`);
+    if (data.type === "Organization") return "org";
+    return "user";
+  }
+  // ─── Repo Listing ──────────────────────────────────────────
+  /**
+   * Lists repositories for an organization.
+   * Uses GET /orgs/{org}/repos with pagination.
+   */
+  async listOrgRepos(org) {
+    return this.paginate(
+      `${this.apiUrl}/orgs/${encodeURIComponent(org)}/repos`,
+      { type: "all", sort: "pushed", direction: "desc" }
+    );
+  }
+  /**
+   * Lists repositories for a user.
+   *
+    * - Without token: GET /users/{username}/repos
+    *   - default: type=all
+    *   - ownerOnly: type=owner
+   * - With token for own user: GET /user/repos filtered by owner login
+   *   (includes private repos the token can see)
+    * - With token for other user: GET /users/{username}/repos
+   *   (only public repos visible)
+   */
+  async listUserRepos(login, ownerOnly = false) {
+    if (this.token) {
+      try {
+        const authedUser = await this.fetch(`${this.apiUrl}/user`);
+        if (authedUser.login.toLowerCase() === login.toLowerCase()) {
+          const allRepos = await this.paginate(
+            `${this.apiUrl}/user/repos`,
+            { sort: "pushed", direction: "desc", affiliation: "owner" }
+          );
+          return allRepos;
+        }
+      } catch {
+      }
+    }
+    return this.paginate(
+      `${this.apiUrl}/users/${encodeURIComponent(login)}/repos`,
+      { type: ownerOnly ? "owner" : "all", sort: "pushed", direction: "desc" }
+    );
+  }
+  /**
+   * Lists repos based on resolved owner type.
+   */
+  async listRepos(login, ownerType, options) {
+    if (ownerType === "org") {
+      return this.listOrgRepos(login);
+    }
+    return this.listUserRepos(login, options?.ownerOnly ?? false);
+  }
+  // ─── Cloning ───────────────────────────────────────────────
+  /**
+   * Shallow-clones a repo into a temporary directory.
+   * Returns the path to the cloned repo.
+   *
+   * Uses HTTPS with token auth embedded in the URL (when token is available).
+   */
+  cloneToTemp(repo, branch) {
+    const tempDir = (0, import_fs16.mkdtempSync)((0, import_path20.join)((0, import_os2.tmpdir)(), `verimu-gh-${repo.id}-`));
+    const cloneUrl = this.token ? this.buildAuthUrl(repo.clone_url) : repo.clone_url;
+    const targetBranch = branch ?? repo.default_branch;
+    try {
+      (0, import_child_process3.execSync)(
+        `git clone --depth 1 --branch "${targetBranch}" --single-branch "${cloneUrl}" "${tempDir}"`,
+        {
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout per clone
+          env: {
+            ...process.env,
+            GIT_TERMINAL_PROMPT: "0"
+            // Never prompt for auth
+          }
+        }
+      );
+    } catch (err) {
+      this.cleanupTemp(tempDir);
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Clone failed for ${repo.full_name}: ${msg}`);
+    }
+    return tempDir;
+  }
+  /**
+   * Removes a temporary clone directory.
+   */
+  cleanupTemp(tempDir) {
+    if ((0, import_fs16.existsSync)(tempDir)) {
+      (0, import_fs16.rmSync)(tempDir, { recursive: true, force: true });
+    }
+  }
+  // ─── Rate Limit Accessors ──────────────────────────────────
+  /** Returns the last observed rate limit info, if any. */
+  getRateLimit() {
+    return this.lastRateLimit;
+  }
+  /**
+   * Returns the hourly rate limit for this client configuration.
+   * - Unauthenticated: 60 requests/hour
+   * - Authenticated (PAT/OAuth): 5,000 requests/hour
+   */
+  getExpectedRateLimit() {
+    return this.token ? 5e3 : 60;
+  }
+  // ─── Internals ─────────────────────────────────────────────
+  /**
+   * Paginated GET — fetches all pages of a list endpoint.
+   * GitHub uses `per_page` (max 100) and `page` parameters.
+   */
+  async paginate(url, params = {}) {
+    const all = [];
+    let page = 1;
+    const perPage = 100;
+    while (true) {
+      const searchParams = new URLSearchParams({
+        ...params,
+        per_page: String(perPage),
+        page: String(page)
+      });
+      const fullUrl = `${url}?${searchParams.toString()}`;
+      const items = await this.fetch(fullUrl);
+      if (items.length === 0) break;
+      all.push(...items);
+      page++;
+      if (items.length < perPage) break;
+    }
+    return all;
+  }
+  /**
+   * Builds an authenticated HTTPS URL for git clone.
+   * Embeds the token as a password with "x-access-token" user.
+   */
+  buildAuthUrl(httpUrl) {
+    const url = new URL(httpUrl);
+    url.username = "x-access-token";
+    url.password = this.token;
+    return url.toString();
+  }
+  /**
+   * Makes an authenticated GET request to the GitHub API.
+   *
+   * Rate limit handling:
+   * - Reads X-RateLimit-Remaining and X-RateLimit-Reset headers
+   * - If remaining is 0, waits until the reset time or throws with actionable message
+   * - Retries on transient 502/503/504 with exponential backoff (up to 3 retries)
+   * - Returns 403/429 rate limit errors with reset time information
+   */
+  async fetch(url) {
+    const maxRetries = 3;
+    let lastError = null;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      if (this.lastRateLimit && this.lastRateLimit.remaining === 0) {
+        const now = Date.now();
+        const resetMs = this.lastRateLimit.resetAt.getTime();
+        if (now < resetMs) {
+          const waitSec = Math.ceil((resetMs - now) / 1e3);
+          if (waitSec <= 60) {
+            console.log(`    Rate limit reached. Waiting ${waitSec}s for reset...`);
+            await this.sleep(waitSec * 1e3);
+          } else {
+            throw new Error(
+              `GitHub API rate limit exceeded. Limit: ${this.lastRateLimit.limit} requests/hour${this.token ? "" : " (unauthenticated \u2014 use --token for 5,000/hour)"}. Resets at ${this.lastRateLimit.resetAt.toLocaleTimeString()} (${waitSec}s from now).`
+            );
+          }
+        }
+      }
+      const headers = {
+        "Accept": "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      };
+      if (this.token) {
+        headers["Authorization"] = `Bearer ${this.token}`;
+      }
+      let response;
+      try {
+        response = await globalThis.fetch(url, { headers });
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt < maxRetries) {
+          await this.sleep(1e3 * 2 ** attempt);
+          continue;
+        }
+        throw lastError;
+      }
+      this.updateRateLimit(response);
+      if (response.ok) {
+        return response.json();
+      }
+      if (response.status === 403 || response.status === 429) {
+        const body2 = await response.text().catch(() => "no body");
+        if (body2.includes("rate limit") || body2.includes("API rate limit") || response.status === 429) {
+          const resetHeader = response.headers.get("X-RateLimit-Reset");
+          const resetAt = resetHeader ? new Date(Number(resetHeader) * 1e3) : new Date(Date.now() + 6e4);
+          const waitSec = Math.ceil((resetAt.getTime() - Date.now()) / 1e3);
+          const retryAfter = response.headers.get("Retry-After");
+          if (retryAfter && attempt < maxRetries) {
+            const waitMs = Number(retryAfter) * 1e3;
+            console.log(`    Rate limited (secondary). Waiting ${retryAfter}s...`);
+            await this.sleep(Math.min(waitMs, 6e4));
+            continue;
+          }
+          throw new Error(
+            `GitHub API rate limit exceeded (${response.status}). ${this.token ? "" : "Unauthenticated requests are limited to 60/hour \u2014 use --token for 5,000/hour. "}Resets at ${resetAt.toLocaleTimeString()} (${Math.max(0, waitSec)}s from now).`
+          );
+        }
+        throw new Error(
+          `GitHub API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body2}`
+        );
+      }
+      if ([502, 503, 504].includes(response.status) && attempt < maxRetries) {
+        lastError = new Error(`GitHub API error: ${response.status} ${response.statusText}`);
+        await this.sleep(1e3 * 2 ** attempt);
+        continue;
+      }
+      const body = await response.text().catch(() => "no body");
+      throw new Error(
+        `GitHub API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body}`
+      );
+    }
+    throw lastError ?? new Error(`GitHub API request failed after ${maxRetries} retries`);
+  }
+  /**
+   * Updates internal rate limit tracker from response headers.
+   */
+  updateRateLimit(response) {
+    const limit = response.headers.get("X-RateLimit-Limit");
+    const remaining = response.headers.get("X-RateLimit-Remaining");
+    const reset = response.headers.get("X-RateLimit-Reset");
+    const used = response.headers.get("X-RateLimit-Used");
+    if (limit && remaining && reset) {
+      this.lastRateLimit = {
+        limit: Number(limit),
+        remaining: Number(remaining),
+        resetAt: new Date(Number(reset) * 1e3),
+        used: used ? Number(used) : 0
+      };
+    }
+  }
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
+
+// src/github/orchestrator.ts
+var GitHubOrchestrator = class {
+  discovery = new LockfileDiscovery();
+  /**
+   * Scans all repos for a GitHub profile (org or user).
+   */
+  async scanProfile(config) {
+    const startTime = Date.now();
+    const client = new GitHubClient(config.baseUrl, config.token);
+    const { login } = parseProfile(config.profile, config.baseUrl);
+    console.log(`
+  GitHub profile: ${login}`);
+    console.log(`  Base URL: ${config.baseUrl}`);
+    console.log(`  Auth: ${config.token ? "token provided (5,000 req/h)" : "unauthenticated (60 req/h)"}`);
+    process.stdout.write("  Detecting profile type... ");
+    const ownerType = await client.detectOwnerType(login);
+    console.log(ownerType);
+    console.log("  Listing repositories...");
+    const repos = await client.listRepos(login, ownerType, {
+      ownerOnly: config.ownerOnly ?? false
+    });
+    console.log(`  Found ${repos.length} repositories
+`);
+    const { toScan, skipped } = this.filterRepos(repos, config);
+    console.log(`  Scanning ${toScan.length} repos (${skipped.length} skipped)
+`);
+    const scannedRepos = [];
+    const failedRepos = [];
+    for (let i = 0; i < toScan.length; i++) {
+      const repo = toScan[i];
+      const label = `[${i + 1}/${toScan.length}]`;
+      console.log(`  ${label} ${repo.full_name}`);
+      const repoStart = Date.now();
+      let tempDir = null;
+      try {
+        process.stdout.write("    Cloning... ");
+        tempDir = client.cloneToTemp(repo, config.branch);
+        console.log("done");
+        const discovered = await this.discovery.discover({
+          rootPath: tempDir
+        });
+        if (discovered.length === 0) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            repo,
+            reports: [],
+            hasLockfile: false,
+            durationMs: Date.now() - repoStart
+          });
+          continue;
+        }
+        console.log(`    Found ${discovered.length} project(s)`);
+        const reports = [];
+        const autoGroupName = this.getAutoGroupName(repo, discovered.length, config.groupName);
+        for (const disc of discovered) {
+          const subLabel = discovered.length > 1 ? ` (${disc.relativePath})` : "";
+          const uploadProjectName = this.getUploadProjectName(repo, disc.relativePath, discovered.length);
+          const safeArtifactSuffix = uploadProjectName.replace(/[\\/:*?"<>|]/g, "-").replace(/\s+/g, "-").toLowerCase();
+          const sbomOutput = `${tempDir}/sbom.${safeArtifactSuffix}.cdx.json`;
+          process.stdout.write(`    Scanning${subLabel}... `);
+          try {
+            const report = await scan({
+              projectPath: disc.projectPath,
+              sbomOutput,
+              skipCveCheck: config.skipCveCheck ?? false,
+              apiKey: config.apiKey,
+              apiBaseUrl: config.apiBaseUrl,
+              groupName: autoGroupName,
+              uploadProjectName,
+              repositoryUrl: repo.html_url,
+              platform: "github"
+            });
+            const vulnCount = report.summary.totalVulnerabilities;
+            const depCount = report.summary.totalDependencies;
+            if (vulnCount > 0) {
+              console.log(
+                `${depCount} deps, ${vulnCount} vulns (C:${report.summary.critical} H:${report.summary.high} M:${report.summary.medium} L:${report.summary.low})`
+              );
+            } else {
+              console.log(`${depCount} deps, clean`);
+            }
+            reports.push(report);
+          } catch (scanErr) {
+            const msg = scanErr instanceof Error ? scanErr.message : String(scanErr);
+            console.log(`FAILED: ${msg.slice(0, 80)}`);
+          }
+        }
+        const durationMs = Date.now() - repoStart;
+        scannedRepos.push({
+          repo,
+          reports,
+          hasLockfile: true,
+          durationMs
+        });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const durationMs = Date.now() - repoStart;
+        if (msg.includes("No supported lockfile") || msg.includes("NoLockfileError")) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            repo,
+            reports: [],
+            hasLockfile: false,
+            durationMs
+          });
+        } else {
+          console.log(`    FAILED: ${msg.slice(0, 100)}`);
+          failedRepos.push({ repo, error: msg });
+        }
+      } finally {
+        if (tempDir) {
+          client.cleanupTemp(tempDir);
+        }
+      }
+      console.log("");
+    }
+    const result = this.aggregate(
+      config.baseUrl,
+      login,
+      ownerType,
+      repos.length,
+      scannedRepos,
+      skipped,
+      failedRepos,
+      Date.now() - startTime
+    );
+    this.printSummary(result);
+    return result;
+  }
+  // ─── Filtering ──────────────────────────────────────────────
+  filterRepos(repos, config) {
+    const toScan = [];
+    const skipped = [];
+    for (const repo of repos) {
+      if (config.excludeArchived !== false && repo.archived) {
+        skipped.push({ repo, reason: "archived" });
+        continue;
+      }
+      if (config.excludeForks && repo.fork) {
+        skipped.push({ repo, reason: "fork" });
+        continue;
+      }
+      toScan.push(repo);
+    }
+    if (config.maxRepos && toScan.length > config.maxRepos) {
+      const trimmed = toScan.splice(config.maxRepos);
+      for (const r of trimmed) {
+        skipped.push({ repo: r, reason: "exceeded --max-repos limit" });
+      }
+    }
+    return { toScan, skipped };
+  }
+  getUploadProjectName(repo, relativePath, totalProjectsInRepo) {
+    if (totalProjectsInRepo > 1) {
+      return relativePath === "." ? repo.name : relativePath;
+    }
+    return repo.full_name;
+  }
+  getAutoGroupName(repo, totalProjectsInRepo, configuredGroupName) {
+    if (configuredGroupName) {
+      return configuredGroupName;
+    }
+    return totalProjectsInRepo > 1 ? repo.full_name : void 0;
+  }
+  // ─── Aggregation ────────────────────────────────────────────
+  aggregate(instanceUrl, profile, profileType, totalDiscovered, scannedRepos, skippedRepos, failedRepos, durationMs) {
+    const reposWithData = scannedRepos.filter((r) => r.reports.length > 0);
+    const ecosystemBreakdown = {};
+    let totalDeps = 0;
+    let totalVulns = 0;
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let exploitedInWild = 0;
+    let reposWithVulns = 0;
+    for (const { reports } of reposWithData) {
+      let repoHasVulns = false;
+      for (const report of reports) {
+        totalDeps += report.summary.totalDependencies;
+        totalVulns += report.summary.totalVulnerabilities;
+        critical += report.summary.critical;
+        high += report.summary.high;
+        medium += report.summary.medium;
+        low += report.summary.low;
+        exploitedInWild += report.summary.exploitedInWild;
+        if (report.summary.totalVulnerabilities > 0) {
+          repoHasVulns = true;
+        }
+        const eco = report.project.ecosystem;
+        ecosystemBreakdown[eco] = (ecosystemBreakdown[eco] ?? 0) + 1;
+      }
+      if (repoHasVulns) reposWithVulns++;
+    }
+    const vulnMap = /* @__PURE__ */ new Map();
+    for (const { repo, reports } of reposWithData) {
+      for (const report of reports) {
+        for (const vuln of report.cveCheck.vulnerabilities) {
+          const existing = vulnMap.get(vuln.id);
+          if (existing) {
+            if (!existing.affectedRepos.includes(repo.full_name)) {
+              existing.affectedRepos.push(repo.full_name);
+            }
+          } else {
+            vulnMap.set(vuln.id, {
+              id: vuln.id,
+              severity: vuln.severity,
+              summary: vuln.summary,
+              affectedRepos: [repo.full_name],
+              fixedVersion: vuln.fixedVersion,
+              exploitedInWild: vuln.exploitedInWild
+            });
+          }
+        }
+      }
+    }
+    const severityOrder2 = {
+      CRITICAL: 0,
+      HIGH: 1,
+      MEDIUM: 2,
+      LOW: 3,
+      UNKNOWN: 4
+    };
+    const topVulnerabilities = Array.from(vulnMap.values()).sort((a, b) => {
+      const sevDiff = severityOrder2[a.severity] - severityOrder2[b.severity];
+      if (sevDiff !== 0) return sevDiff;
+      return b.affectedRepos.length - a.affectedRepos.length;
+    });
+    return {
+      instanceUrl,
+      profile,
+      profileType,
+      totalReposDiscovered: totalDiscovered,
+      scannedRepos,
+      skippedRepos,
+      failedRepos,
+      summary: {
+        totalRepos: reposWithData.length,
+        reposWithVulnerabilities: reposWithVulns,
+        totalDependencies: totalDeps,
+        totalVulnerabilities: totalVulns,
+        critical,
+        high,
+        medium,
+        low,
+        exploitedInWild,
+        ecosystemBreakdown
+      },
+      topVulnerabilities,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      durationMs
+    };
+  }
+  // ─── Summary Printing ───────────────────────────────────────
+  printSummary(result) {
+    const noLockfile = result.scannedRepos.filter((r) => !r.hasLockfile).length;
+    const withLockfile = result.scannedRepos.filter((r) => r.hasLockfile).length;
+    console.log("\n" + "\u2550".repeat(60));
+    console.log("  VERIMU GITHUB SCAN \u2014 COMPLETE");
+    console.log("\u2550".repeat(60));
+    console.log(`
+  Profile:      ${result.profile} (${result.profileType})`);
+    console.log(`  Instance:     ${result.instanceUrl}`);
+    console.log("");
+    console.log(`  Repos found:      ${result.totalReposDiscovered}`);
+    console.log(`    With lockfile:  ${withLockfile}`);
+    console.log(`    No lockfile:    ${noLockfile}`);
+    console.log(`    Skipped:        ${result.skippedRepos.length}  (archived/fork/limit)`);
+    console.log(`    Failed:         ${result.failedRepos.length}  (clone/scan error)`);
+    console.log("");
+    console.log(`  Repos with vulns: ${result.summary.reposWithVulnerabilities} / ${withLockfile}`);
+    console.log("");
+    console.log(`  Total dependencies:     ${result.summary.totalDependencies}`);
+    console.log(`  Total vulnerabilities:  ${result.summary.totalVulnerabilities}`);
+    console.log(`    Critical: ${result.summary.critical}`);
+    console.log(`    High:     ${result.summary.high}`);
+    console.log(`    Medium:   ${result.summary.medium}`);
+    console.log(`    Low:      ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      console.log(`
+  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 CRA 24h reporting required`);
+    }
+    if (Object.keys(result.summary.ecosystemBreakdown).length > 0) {
+      console.log("\n  Ecosystems:");
+      for (const [eco, count] of Object.entries(result.summary.ecosystemBreakdown)) {
+        console.log(`    ${eco}: ${count} project(s)`);
+      }
+    }
+    console.log(`
+  Completed in ${(result.durationMs / 1e3).toFixed(1)}s`);
+    console.log("");
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ApiKeyRequiredError,
@@ -19070,7 +20683,12 @@ function sanitizeUsageContextForUpload(usageContext) {
   CveSourceError,
   CycloneDxGenerator,
   DenoScanner,
+  GitHubClient,
+  GitHubOrchestrator,
+  GitLabClient,
+  GitLabOrchestrator,
   GoScanner,
+  HtmlReporter,
   LockfileParseError,
   MavenScanner,
   NoLockfileError,
@@ -19092,6 +20710,7 @@ function sanitizeUsageContextForUpload(usageContext) {
   generateSbomArtifacts,
   generateSpdxSbom,
   generateSwidTag,
+  parseProfile,
   printReport,
   scan,
   shouldFailCi,