npm - verimu - Versions diffs - 0.0.21 → 0.0.22 - Mend

verimu 0.0.21 → 0.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.mjs CHANGED Viewed

@@ -15717,8 +15717,8 @@ var PnpmScanner = class {
    *   "/pkg@1.0.0(dep@2.0.0)" → name: "pkg", version: "1.0.0"
    */
   parsePackagePath(pkgPath, lockfileVersion) {
-    const path14 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
-    const cleanPath = path14.split("_")[0].split("(")[0];
+    const path15 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
+    const cleanPath = path15.split("_")[0].split("(")[0];
     if (!cleanPath) {
       return { name: null, version: null };
     }
@@ -15730,30 +15730,30 @@ var PnpmScanner = class {
   /**
    * Parses v6+ format: "express@4.18.2" or "@types/node@20.11.5"
    */
-  parseV6Format(path14) {
-    if (path14.startsWith("@")) {
-      const lastAtIndex = path14.lastIndexOf("@");
+  parseV6Format(path15) {
+    if (path15.startsWith("@")) {
+      const lastAtIndex = path15.lastIndexOf("@");
       if (lastAtIndex <= 0) {
         return { name: null, version: null };
       }
-      const name2 = path14.substring(0, lastAtIndex);
-      const version2 = path14.substring(lastAtIndex + 1);
+      const name2 = path15.substring(0, lastAtIndex);
+      const version2 = path15.substring(lastAtIndex + 1);
       return { name: name2, version: version2 };
     }
-    const atIndex = path14.indexOf("@");
+    const atIndex = path15.indexOf("@");
     if (atIndex < 0) {
       return { name: null, version: null };
     }
-    const name = path14.substring(0, atIndex);
-    const version = path14.substring(atIndex + 1);
+    const name = path15.substring(0, atIndex);
+    const version = path15.substring(atIndex + 1);
     return { name, version };
   }
   /**
    * Parses v5.x format: "express/4.18.2" or "@types/node/20.11.5"
    */
-  parseV5Format(path14) {
-    if (path14.startsWith("@")) {
-      const parts = path14.split("/");
+  parseV5Format(path15) {
+    if (path15.startsWith("@")) {
+      const parts = path15.split("/");
       if (parts.length < 3) {
         return { name: null, version: null };
       }
@@ -15761,12 +15761,12 @@ var PnpmScanner = class {
       const version2 = parts[2];
       return { name: name2, version: version2 };
     }
-    const slashIndex = path14.indexOf("/");
+    const slashIndex = path15.indexOf("/");
     if (slashIndex < 0) {
       return { name: null, version: null };
     }
-    const name = path14.substring(0, slashIndex);
-    const version = path14.substring(slashIndex + 1);
+    const name = path15.substring(0, slashIndex);
+    const version = path15.substring(slashIndex + 1);
     return { name, version };
   }
   /**
@@ -17334,34 +17334,34 @@ var JsAstAnalyzer = class {
         matchCandidates.push({ packageKey: packageKey3, line, matchKind, calledSymbol, confidence });
       };
       traverseFn(ast, {
-        ImportDeclaration: (path14) => {
-          const source = path14.node.source;
+        ImportDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "import", void 0, 0.95);
-          for (const specifier of path14.node.specifiers) {
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "import", void 0, 0.95);
+          for (const specifier of path15.node.specifiers) {
             if ((0, import_types.isImportDefaultSpecifier)(specifier) || (0, import_types.isImportNamespaceSpecifier)(specifier) || (0, import_types.isImportSpecifier)(specifier)) {
               symbolToPackage.set(specifier.local.name, pkgKey);
             }
           }
         },
-        ExportNamedDeclaration: (path14) => {
-          const source = path14.node.source;
+        ExportNamedDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!source || !(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
         },
-        ExportAllDeclaration: (path14) => {
-          const source = path14.node.source;
+        ExportAllDeclaration: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "export_from", void 0, 0.85);
         },
-        VariableDeclarator: (path14) => {
-          const node = path14.node;
+        VariableDeclarator: (path15) => {
+          const node = path15.node;
           if (!(0, import_types.isVariableDeclarator)(node)) return;
           if (!node.init || !(0, import_types.isCallExpression)(node.init)) return;
           if (!(0, import_types.isIdentifier)(node.init.callee, { name: "require" })) return;
@@ -17374,8 +17374,8 @@ var JsAstAnalyzer = class {
             symbolToPackage.set(identifier, pkgKey);
           }
         },
-        CallExpression: (path14) => {
-          const node = path14.node;
+        CallExpression: (path15) => {
+          const node = path15.node;
           if ((0, import_types.isIdentifier)(node.callee, { name: "require" })) {
             const firstArg = node.arguments[0];
             if (firstArg && (0, import_types.isStringLiteral)(firstArg)) {
@@ -17396,12 +17396,12 @@ var JsAstAnalyzer = class {
             0.75
           );
         },
-        ImportExpression: (path14) => {
-          const source = path14.node.source;
+        ImportExpression: (path15) => {
+          const source = path15.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
           const pkgKey = findPackageKey(resolveImportTarget(source.value), packageMap.byName);
           if (!pkgKey) return;
-          addMatch(pkgKey, path14.node.loc?.start.line ?? 1, "dynamic_import", void 0, 0.9);
+          addMatch(pkgKey, path15.node.loc?.start.line ?? 1, "dynamic_import", void 0, 0.9);
         }
       });
       for (const candidate of matchCandidates) {
@@ -18946,10 +18946,12 @@ async function uploadToVerimu(report, config) {
     throw new Error("API key required for upload");
   }
   const client = new VerimuApiClient(config.apiKey, config.apiBaseUrl);
-  const projectName = basename(config.projectPath);
+  const projectName = config.uploadProjectName ?? basename(config.projectPath);
   const upsertRes = await client.upsertProject({
     name: projectName,
     ecosystem: report.project.ecosystem,
+    repositoryUrl: config.repositoryUrl,
+    platform: config.platform,
     groupName: config.groupName
   });
   const projectId = upsertRes.project.id;
@@ -19014,6 +19016,1611 @@ function sanitizeUsageContextForUpload(usageContext) {
   const { artifactPath: _artifactPath, ...rest } = usageContext;
   return rest;
 }
+// src/gitlab/client.ts
+import { execSync as execSync2 } from "child_process";
+import { mkdtempSync, rmSync, existsSync as existsSync14 } from "fs";
+import { join as join4 } from "path";
+import { tmpdir } from "os";
+var GitLabClient = class {
+  baseUrl;
+  token;
+  apiUrl;
+  constructor(baseUrl, token) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+    this.token = token;
+    this.apiUrl = `${this.baseUrl}/api/v4`;
+  }
+  // ─── Project Listing ────────────────────────────────────────
+  /**
+   * Lists all accessible projects, paginated.
+   * Returns all pages concatenated.
+   */
+  async listAllProjects(options) {
+    const perPage = options?.perPage ?? 100;
+    const maxPages = options?.maxPages ?? 100;
+    const allProjects = [];
+    let page = 1;
+    while (page <= maxPages) {
+      const params = new URLSearchParams({
+        per_page: String(perPage),
+        page: String(page),
+        order_by: "last_activity_at",
+        sort: "desc",
+        simple: "false"
+      });
+      if (options?.archived !== void 0) {
+        params.set("archived", String(options.archived));
+      }
+      const url = `${this.apiUrl}/projects?${params.toString()}`;
+      const projects = await this.fetch(url);
+      if (projects.length === 0) break;
+      allProjects.push(...projects);
+      page++;
+      if (projects.length < perPage) break;
+    }
+    return allProjects;
+  }
+  /**
+   * Lists projects within a specific group (and its subgroups).
+   */
+  async listGroupProjects(groupPath, options) {
+    const perPage = options?.perPage ?? 100;
+    const includeSubgroups = options?.includeSubgroups ?? true;
+    const allProjects = [];
+    let page = 1;
+    while (true) {
+      const params = new URLSearchParams({
+        per_page: String(perPage),
+        page: String(page),
+        include_subgroups: String(includeSubgroups),
+        order_by: "last_activity_at",
+        sort: "desc"
+      });
+      const encoded = encodeURIComponent(groupPath);
+      const url = `${this.apiUrl}/groups/${encoded}/projects?${params.toString()}`;
+      const projects = await this.fetch(url);
+      if (projects.length === 0) break;
+      allProjects.push(...projects);
+      page++;
+      if (projects.length < perPage) break;
+    }
+    return allProjects;
+  }
+  /**
+   * Lists all groups accessible to the token.
+   */
+  async listGroups() {
+    const allGroups = [];
+    let page = 1;
+    while (true) {
+      const params = new URLSearchParams({
+        per_page: "100",
+        page: String(page)
+      });
+      const url = `${this.apiUrl}/groups?${params.toString()}`;
+      const groups = await this.fetch(url);
+      if (groups.length === 0) break;
+      allGroups.push(...groups);
+      page++;
+      if (groups.length < 100) break;
+    }
+    return allGroups;
+  }
+  // ─── Cloning ────────────────────────────────────────────────
+  /**
+   * Shallow-clones a repo into a temporary directory.
+   * Returns the path to the cloned repo.
+   *
+   * Uses HTTPS with token auth embedded in the URL
+   * (works for self-hosted GitLab with private-token).
+   */
+  cloneToTemp(project, branch) {
+    const tempDir = mkdtempSync(join4(tmpdir(), `verimu-gl-${project.id}-`));
+    const cloneUrl = this.buildAuthUrl(project.http_url_to_repo);
+    const targetBranch = branch ?? project.default_branch;
+    try {
+      execSync2(
+        `git clone --depth 1 --branch "${targetBranch}" --single-branch "${cloneUrl}" "${tempDir}"`,
+        {
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout per clone
+          env: {
+            ...process.env,
+            GIT_TERMINAL_PROMPT: "0"
+            // Never prompt for auth
+          }
+        }
+      );
+    } catch (err) {
+      this.cleanupTemp(tempDir);
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Clone failed for ${project.path_with_namespace}: ${msg}`);
+    }
+    return tempDir;
+  }
+  /**
+   * Removes a temporary clone directory.
+   */
+  cleanupTemp(tempDir) {
+    if (existsSync14(tempDir)) {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  }
+  // ─── Helpers ────────────────────────────────────────────────
+  /**
+   * Builds an authenticated HTTPS URL for git clone.
+   * Embeds the token as oauth2 password.
+   */
+  buildAuthUrl(httpUrl) {
+    const url = new URL(httpUrl);
+    url.username = "oauth2";
+    url.password = this.token;
+    return url.toString();
+  }
+  /**
+   * Makes an authenticated GET request to the GitLab API.
+   */
+  async fetch(url) {
+    const response = await globalThis.fetch(url, {
+      headers: {
+        "PRIVATE-TOKEN": this.token,
+        "Accept": "application/json"
+      }
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "no body");
+      throw new Error(
+        `GitLab API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body}`
+      );
+    }
+    return response.json();
+  }
+};
+// src/discovery/lockfile-discovery.ts
+import { readdir as readdir3, stat } from "fs/promises";
+import { existsSync as existsSync15 } from "fs";
+import path14 from "path";
+var LOCKFILE_MAP = {
+  "pnpm-lock.yaml": { ecosystem: "npm", scanner: "pnpm" },
+  "yarn.lock": { ecosystem: "npm", scanner: "yarn" },
+  "package-lock.json": { ecosystem: "npm", scanner: "npm" },
+  "deno.lock": { ecosystem: "npm", scanner: "deno" },
+  "Cargo.lock": { ecosystem: "cargo", scanner: "cargo" },
+  "go.sum": { ecosystem: "go", scanner: "go" },
+  "Gemfile.lock": { ecosystem: "ruby", scanner: "ruby" },
+  "composer.lock": { ecosystem: "composer", scanner: "composer" },
+  "packages.lock.json": { ecosystem: "nuget", scanner: "nuget" },
+  "poetry.lock": { ecosystem: "poetry", scanner: "poetry" },
+  "uv.lock": { ecosystem: "uv", scanner: "uv" },
+  "Pipfile.lock": { ecosystem: "pip", scanner: "pip" },
+  "requirements.txt": { ecosystem: "pip", scanner: "pip" },
+  "pom.xml": { ecosystem: "maven", scanner: "maven" }
+};
+var DEFAULT_EXCLUDES = [
+  "node_modules",
+  ".git",
+  ".hg",
+  ".svn",
+  "vendor",
+  "target",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "__pycache__",
+  ".venv",
+  "venv",
+  ".tox",
+  "coverage",
+  ".cache",
+  "out",
+  ".output"
+];
+var LockfileDiscovery = class {
+  lockfileNames = Object.keys(LOCKFILE_MAP);
+  /**
+   * Discovers all lockfiles recursively starting from rootPath.
+   * Returns a list of projects that can be scanned.
+   */
+  async discover(options) {
+    const { rootPath, exclude, maxDepth } = options;
+    const absoluteRoot = path14.resolve(rootPath);
+    const discovered = [];
+    const excludePatterns = this.buildExcludePatterns(exclude);
+    await this.walkDirectory(absoluteRoot, absoluteRoot, discovered, {
+      excludePatterns,
+      maxDepth: maxDepth ?? Infinity,
+      //not set, infinite for now, can add as a cli-flag later if needed
+      currentDepth: 0
+    });
+    discovered.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+    return discovered;
+  }
+  /**
+   * Recursively walks directories looking for lockfiles.
+   * Stops descending into a directory once a lockfile is found
+   * (to avoid scanning nested node_modules, etc.)
+   */
+  async walkDirectory(currentPath, rootPath, results, options) {
+    const { excludePatterns, maxDepth, currentDepth } = options;
+    if (currentDepth > maxDepth) return;
+    const relativePath = path14.relative(rootPath, currentPath) || ".";
+    if (this.matchesAnyPattern(relativePath, excludePatterns)) {
+      return;
+    }
+    const foundLockfile = await this.findLockfileInDir(currentPath);
+    if (foundLockfile) {
+      results.push({
+        projectPath: currentPath,
+        relativePath,
+        lockfile: {
+          name: foundLockfile.name,
+          path: path14.join(currentPath, foundLockfile.name)
+        },
+        ecosystem: foundLockfile.ecosystem,
+        scannerType: foundLockfile.scanner
+      });
+      return;
+    }
+    let entries;
+    try {
+      entries = await readdir3(currentPath);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const entryPath = path14.join(currentPath, entry);
+      try {
+        const stats = await stat(entryPath);
+        if (stats.isDirectory()) {
+          if (this.isDefaultExclude(entry)) continue;
+          await this.walkDirectory(entryPath, rootPath, results, {
+            ...options,
+            currentDepth: currentDepth + 1
+          });
+        }
+      } catch {
+      }
+    }
+  }
+  /**
+   * Looks for a lockfile in the given directory.
+   * Returns the first match in priority order.
+   */
+  async findLockfileInDir(dirPath) {
+    const priorityOrder = [
+      "pnpm-lock.yaml",
+      "yarn.lock",
+      "package-lock.json",
+      "deno.lock",
+      "Cargo.lock",
+      "go.sum",
+      "poetry.lock",
+      "uv.lock",
+      "Pipfile.lock",
+      "composer.lock",
+      "Gemfile.lock",
+      "packages.lock.json",
+      "pom.xml",
+      "requirements.txt"
+    ];
+    for (const lockfileName of priorityOrder) {
+      const lockfilePath = path14.join(dirPath, lockfileName);
+      if (existsSync15(lockfilePath)) {
+        const info = LOCKFILE_MAP[lockfileName];
+        return { name: lockfileName, ...info };
+      }
+    }
+    return null;
+  }
+  /**
+   * Builds exclude patterns from user input + defaults.
+   */
+  buildExcludePatterns(userExcludes) {
+    const patterns = [];
+    for (const dir of DEFAULT_EXCLUDES) {
+      patterns.push(`**/${dir}`);
+      patterns.push(`**/${dir}/**`);
+    }
+    if (userExcludes) {
+      patterns.push(...userExcludes);
+    }
+    return patterns;
+  }
+  /**
+   * Quick check if a directory name is in the default exclude list.
+   */
+  isDefaultExclude(dirName) {
+    return DEFAULT_EXCLUDES.includes(dirName);
+  }
+  /**
+   * Checks if a path matches any of the given glob patterns.
+   * Uses simple glob matching (supports *, **, ?).
+   */
+  matchesAnyPattern(relativePath, patterns) {
+    const normalized = relativePath.replace(/\\/g, "/");
+    for (const pattern of patterns) {
+      if (this.matchGlob(normalized, pattern)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Simple glob matcher supporting:
+   * - * (matches any characters except /)
+   * - ** (matches any characters including /)
+   * - ? (matches single character)
+   */
+  matchGlob(str, pattern) {
+    let regex = pattern.replace(/\\/g, "/").replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*").replace(/\?/g, ".");
+    regex = `^${regex}$`;
+    return new RegExp(regex).test(str);
+  }
+};
+// src/gitlab/orchestrator.ts
+var GitLabOrchestrator = class {
+  discovery = new LockfileDiscovery();
+  /**
+   * Scans all accessible repos on a GitLab instance.
+   */
+  async scanInstance(config) {
+    const startTime = Date.now();
+    const client = new GitLabClient(config.url, config.token);
+    console.log(`
+  Connecting to ${config.url}...`);
+    let projects;
+    if (config.groups && config.groups.length > 0) {
+      const grouped = [];
+      for (const group of config.groups) {
+        console.log(`  Listing projects in group: ${group}`);
+        const groupProjects = await client.listGroupProjects(group);
+        grouped.push(...groupProjects);
+      }
+      const seen = /* @__PURE__ */ new Set();
+      projects = grouped.filter((p) => {
+        if (seen.has(p.id)) return false;
+        seen.add(p.id);
+        return true;
+      });
+    } else {
+      console.log("  Listing all accessible projects...");
+      projects = await client.listAllProjects({
+        archived: config.excludeArchived !== false ? false : void 0
+      });
+    }
+    console.log(`  Found ${projects.length} projects
+`);
+    const { toScan, skipped } = this.filterProjects(projects, config);
+    console.log(`  Scanning ${toScan.length} repos (${skipped.length} skipped)
+`);
+    const scannedRepos = [];
+    const failedRepos = [];
+    for (let i = 0; i < toScan.length; i++) {
+      const project = toScan[i];
+      const label = `[${i + 1}/${toScan.length}]`;
+      console.log(`  ${label} ${project.path_with_namespace}`);
+      const repoStart = Date.now();
+      let tempDir = null;
+      try {
+        process.stdout.write("    Cloning... ");
+        tempDir = client.cloneToTemp(project, config.branch);
+        console.log("done");
+        const discovered = await this.discovery.discover({
+          rootPath: tempDir
+        });
+        if (discovered.length === 0) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            project,
+            reports: [],
+            hasLockfile: false,
+            durationMs: Date.now() - repoStart
+          });
+          continue;
+        }
+        console.log(`    Found ${discovered.length} project(s)`);
+        const reports = [];
+        for (const disc of discovered) {
+          const subLabel = discovered.length > 1 ? ` (${disc.relativePath})` : "";
+          const uploadProjectName = discovered.length > 1 && disc.relativePath !== "." ? `${project.path_with_namespace}/${disc.relativePath}` : project.path_with_namespace;
+          const safeArtifactSuffix = uploadProjectName.replace(/[\\/:*?"<>|]/g, "-").replace(/\s+/g, "-").toLowerCase();
+          const sbomOutput = `${tempDir}/sbom.${safeArtifactSuffix}.cdx.json`;
+          process.stdout.write(`    Scanning${subLabel}... `);
+          try {
+            const report = await scan({
+              projectPath: disc.projectPath,
+              sbomOutput,
+              skipCveCheck: config.skipCveCheck ?? false,
+              apiKey: config.apiKey,
+              apiBaseUrl: config.apiBaseUrl,
+              groupName: config.groupName,
+              uploadProjectName,
+              repositoryUrl: project.web_url,
+              platform: "gitlab"
+            });
+            const vulnCount = report.summary.totalVulnerabilities;
+            const depCount = report.summary.totalDependencies;
+            if (vulnCount > 0) {
+              console.log(
+                `${depCount} deps, ${vulnCount} vulns (C:${report.summary.critical} H:${report.summary.high} M:${report.summary.medium} L:${report.summary.low})`
+              );
+            } else {
+              console.log(`${depCount} deps, clean`);
+            }
+            reports.push(report);
+          } catch (scanErr) {
+            const msg = scanErr instanceof Error ? scanErr.message : String(scanErr);
+            console.log(`FAILED: ${msg.slice(0, 80)}`);
+          }
+        }
+        const durationMs = Date.now() - repoStart;
+        scannedRepos.push({
+          project,
+          reports,
+          hasLockfile: true,
+          durationMs
+        });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const durationMs = Date.now() - repoStart;
+        if (msg.includes("No supported lockfile") || msg.includes("NoLockfileError")) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            project,
+            reports: [],
+            hasLockfile: false,
+            durationMs
+          });
+        } else {
+          console.log(`    FAILED: ${msg.slice(0, 100)}`);
+          failedRepos.push({ project, error: msg });
+        }
+      } finally {
+        if (tempDir) {
+          client.cleanupTemp(tempDir);
+        }
+      }
+      console.log("");
+    }
+    const result = this.aggregate(
+      config.url,
+      projects.length,
+      scannedRepos,
+      skipped,
+      failedRepos,
+      Date.now() - startTime
+    );
+    this.printSummary(result);
+    return result;
+  }
+  // ─── Filtering ──────────────────────────────────────────────
+  filterProjects(projects, config) {
+    const toScan = [];
+    const skipped = [];
+    for (const project of projects) {
+      if (config.excludeArchived !== false && project.archived) {
+        skipped.push({ project, reason: "archived" });
+        continue;
+      }
+      if (config.excludeEmpty !== false && project.empty_repo) {
+        skipped.push({ project, reason: "empty repository" });
+        continue;
+      }
+      if (config.excludePatterns?.length) {
+        const matched = config.excludePatterns.some(
+          (pattern) => this.matchGlob(project.path_with_namespace, pattern)
+        );
+        if (matched) {
+          skipped.push({ project, reason: "matched exclude pattern" });
+          continue;
+        }
+      }
+      toScan.push(project);
+    }
+    if (config.maxRepos && toScan.length > config.maxRepos) {
+      const trimmed = toScan.splice(config.maxRepos);
+      for (const p of trimmed) {
+        skipped.push({ project: p, reason: "exceeded --max-repos limit" });
+      }
+    }
+    return { toScan, skipped };
+  }
+  matchGlob(str, pattern) {
+    const regex = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*").replace(/\?/g, ".");
+    return new RegExp(`^${regex}$`).test(str);
+  }
+  // ─── Aggregation ────────────────────────────────────────────
+  aggregate(instanceUrl, totalDiscovered, scannedRepos, skippedRepos, failedRepos, durationMs) {
+    const reposWithData = scannedRepos.filter((r) => r.reports.length > 0);
+    const ecosystemBreakdown = {};
+    let totalDeps = 0;
+    let totalVulns = 0;
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let exploitedInWild = 0;
+    let reposWithVulns = 0;
+    for (const { reports } of reposWithData) {
+      let repoHasVulns = false;
+      for (const report of reports) {
+        totalDeps += report.summary.totalDependencies;
+        totalVulns += report.summary.totalVulnerabilities;
+        critical += report.summary.critical;
+        high += report.summary.high;
+        medium += report.summary.medium;
+        low += report.summary.low;
+        exploitedInWild += report.summary.exploitedInWild;
+        if (report.summary.totalVulnerabilities > 0) {
+          repoHasVulns = true;
+        }
+        const eco = report.project.ecosystem;
+        ecosystemBreakdown[eco] = (ecosystemBreakdown[eco] ?? 0) + 1;
+      }
+      if (repoHasVulns) reposWithVulns++;
+    }
+    const vulnMap = /* @__PURE__ */ new Map();
+    for (const { project, reports } of reposWithData) {
+      for (const report of reports) {
+        for (const vuln of report.cveCheck.vulnerabilities) {
+          const existing = vulnMap.get(vuln.id);
+          if (existing) {
+            if (!existing.affectedRepos.includes(project.path_with_namespace)) {
+              existing.affectedRepos.push(project.path_with_namespace);
+            }
+          } else {
+            vulnMap.set(vuln.id, {
+              id: vuln.id,
+              severity: vuln.severity,
+              summary: vuln.summary,
+              affectedRepos: [project.path_with_namespace],
+              fixedVersion: vuln.fixedVersion,
+              exploitedInWild: vuln.exploitedInWild
+            });
+          }
+        }
+      }
+    }
+    const severityOrder2 = {
+      CRITICAL: 0,
+      HIGH: 1,
+      MEDIUM: 2,
+      LOW: 3,
+      UNKNOWN: 4
+    };
+    const topVulnerabilities = Array.from(vulnMap.values()).sort((a, b) => {
+      const sevDiff = severityOrder2[a.severity] - severityOrder2[b.severity];
+      if (sevDiff !== 0) return sevDiff;
+      return b.affectedRepos.length - a.affectedRepos.length;
+    });
+    return {
+      instanceUrl,
+      totalReposDiscovered: totalDiscovered,
+      scannedRepos,
+      skippedRepos,
+      failedRepos,
+      summary: {
+        totalRepos: reposWithData.length,
+        reposWithVulnerabilities: reposWithVulns,
+        totalDependencies: totalDeps,
+        totalVulnerabilities: totalVulns,
+        critical,
+        high,
+        medium,
+        low,
+        exploitedInWild,
+        ecosystemBreakdown
+      },
+      topVulnerabilities,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      durationMs
+    };
+  }
+  // ─── Summary Printing ───────────────────────────────────────
+  printSummary(result) {
+    console.log("\n" + "\u2550".repeat(60));
+    console.log("  VERIMU GITLAB INSTANCE SCAN \u2014 COMPLETE");
+    console.log("\u2550".repeat(60));
+    console.log(`
+  Instance:     ${result.instanceUrl}`);
+    console.log(`  Repos found:  ${result.totalReposDiscovered}`);
+    console.log(`  Repos scanned: ${result.summary.totalRepos}`);
+    console.log(`  Repos with vulns: ${result.summary.reposWithVulnerabilities}`);
+    console.log(`  Skipped:      ${result.skippedRepos.length}`);
+    console.log(`  Failed:       ${result.failedRepos.length}`);
+    console.log("");
+    console.log(`  Total dependencies:     ${result.summary.totalDependencies}`);
+    console.log(`  Total vulnerabilities:  ${result.summary.totalVulnerabilities}`);
+    console.log(`    Critical: ${result.summary.critical}`);
+    console.log(`    High:     ${result.summary.high}`);
+    console.log(`    Medium:   ${result.summary.medium}`);
+    console.log(`    Low:      ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      console.log(`
+  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 CRA 24h reporting required`);
+    }
+    if (Object.keys(result.summary.ecosystemBreakdown).length > 0) {
+      console.log("\n  Ecosystems:");
+      for (const [eco, count] of Object.entries(result.summary.ecosystemBreakdown)) {
+        console.log(`    ${eco}: ${count} project(s)`);
+      }
+    }
+    console.log(`
+  Completed in ${(result.durationMs / 1e3).toFixed(1)}s`);
+    console.log("");
+  }
+};
+// src/reporters/html.ts
+var HtmlReporter = class {
+  name = "html";
+  generate(result) {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Verimu Security Report \u2014 ${this.escapeHtml(result.instanceUrl)}</title>
+${this.styles()}
+</head>
+<body>
+<div class="container">
+  ${this.header(result)}
+  ${this.summaryCards(result)}
+  ${this.severityChart(result)}
+  ${this.topVulnerabilities(result)}
+  ${this.repoBreakdown(result)}
+  ${this.ecosystemBreakdown(result)}
+  ${this.craTimeline(result)}
+  ${this.footer(result)}
+</div>
+</body>
+</html>`;
+  }
+  // ─── Sections ─────────────────────────────────────────────
+  header(result) {
+    const date = new Date(result.scannedAt).toLocaleDateString("en-US", {
+      year: "numeric",
+      month: "long",
+      day: "numeric"
+    });
+    return `
+  <header>
+    <div class="brand">
+      <div class="logo">V</div>
+      <div>
+        <h1>Security posture report</h1>
+        <p class="subtitle">${this.escapeHtml(result.instanceUrl)} \u2014 ${date}</p>
+      </div>
+    </div>
+    <p class="intro">
+      This report summarizes the current vulnerability landscape across
+      <strong>${result.summary.totalRepos} repositories</strong> containing
+      <strong>${result.summary.totalDependencies.toLocaleString()} dependencies</strong>.
+      Generated by <a href="https://verimu.com">Verimu</a> CRA Compliance Scanner.
+    </p>
+  </header>`;
+  }
+  summaryCards(result) {
+    const s = result.summary;
+    const vulnRepoPercent = s.totalRepos > 0 ? Math.round(s.reposWithVulnerabilities / s.totalRepos * 100) : 0;
+    return `
+  <section class="cards">
+    <div class="card">
+      <div class="card-value">${s.totalRepos}</div>
+      <div class="card-label">Repos scanned</div>
+    </div>
+    <div class="card">
+      <div class="card-value">${s.totalDependencies.toLocaleString()}</div>
+      <div class="card-label">Total dependencies</div>
+    </div>
+    <div class="card card-danger">
+      <div class="card-value">${s.totalVulnerabilities}</div>
+      <div class="card-label">Vulnerabilities found</div>
+    </div>
+    <div class="card ${vulnRepoPercent > 50 ? "card-danger" : vulnRepoPercent > 25 ? "card-warn" : ""}">
+      <div class="card-value">${vulnRepoPercent}%</div>
+      <div class="card-label">Repos with vulns</div>
+    </div>
+  </section>`;
+  }
+  severityChart(result) {
+    const s = result.summary;
+    const total = s.totalVulnerabilities || 1;
+    const bars = [
+      { label: "Critical", count: s.critical, cls: "sev-critical" },
+      { label: "High", count: s.high, cls: "sev-high" },
+      { label: "Medium", count: s.medium, cls: "sev-medium" },
+      { label: "Low", count: s.low, cls: "sev-low" }
+    ];
+    const barHtml = bars.map((b) => {
+      const width = Math.max(2, b.count / total * 100);
+      return `
+      <div class="bar-row">
+        <span class="bar-label">${b.label}</span>
+        <div class="bar-track">
+          <div class="bar-fill ${b.cls}" style="width: ${width}%"></div>
+        </div>
+        <span class="bar-count">${b.count}</span>
+      </div>`;
+    }).join("");
+    return `
+  <section>
+    <h2>Severity breakdown</h2>
+    <div class="chart">${barHtml}</div>
+    ${s.exploitedInWild > 0 ? `
+    <div class="alert alert-critical">
+      <strong>\u26A0 ${s.exploitedInWild} vulnerabilit${s.exploitedInWild === 1 ? "y" : "ies"} actively exploited in the wild.</strong>
+      Under the EU Cyber Resilience Act, actively exploited vulnerabilities require
+      notification to ENISA within 24 hours of awareness.
+    </div>` : ""}
+  </section>`;
+  }
+  topVulnerabilities(result) {
+    if (result.topVulnerabilities.length === 0) {
+      return `
+  <section>
+    <h2>Vulnerabilities</h2>
+    <p class="empty">No known vulnerabilities detected. Nice work.</p>
+  </section>`;
+    }
+    const top = result.topVulnerabilities.slice(0, 30);
+    const rows = top.map(
+      (vuln) => `
+      <tr>
+        <td><span class="sev-badge ${this.sevClass(vuln.severity)}">${vuln.severity}</span></td>
+        <td class="vuln-id">${this.escapeHtml(vuln.id)}</td>
+        <td>${this.escapeHtml(vuln.summary.slice(0, 120))}</td>
+        <td>${vuln.fixedVersion ? this.escapeHtml(vuln.fixedVersion) : '<span class="no-fix">none</span>'}</td>
+        <td>${vuln.affectedRepos.length}</td>
+        <td>${vuln.exploitedInWild ? '<span class="exploited">YES</span>' : ""}</td>
+      </tr>`
+    ).join("");
+    return `
+  <section>
+    <h2>Top vulnerabilities</h2>
+    <p class="section-desc">Sorted by severity, then by number of affected repositories.</p>
+    <div class="table-wrap">
+      <table>
+        <thead>
+          <tr>
+            <th>Severity</th>
+            <th>ID</th>
+            <th>Summary</th>
+            <th>Fix</th>
+            <th>Repos</th>
+            <th>Exploited</th>
+          </tr>
+        </thead>
+        <tbody>${rows}</tbody>
+      </table>
+    </div>
+  </section>`;
+  }
+  repoBreakdown(result) {
+    const repos = result.scannedRepos.filter((r) => r.reports.length > 0).sort((a, b) => {
+      const aVulns = a.reports.reduce((s, r) => s + r.summary.totalVulnerabilities, 0);
+      const bVulns = b.reports.reduce((s, r) => s + r.summary.totalVulnerabilities, 0);
+      return bVulns - aVulns;
+    });
+    const rows = repos.map((r) => {
+      const s = r.reports.reduce((acc, rpt) => ({ totalVulnerabilities: acc.totalVulnerabilities + rpt.summary.totalVulnerabilities, critical: acc.critical + rpt.summary.critical, high: acc.high + rpt.summary.high, medium: acc.medium + rpt.summary.medium, low: acc.low + rpt.summary.low, totalDependencies: acc.totalDependencies + rpt.summary.totalDependencies }), { totalVulnerabilities: 0, critical: 0, high: 0, medium: 0, low: 0, totalDependencies: 0 });
+      const vulnBadge = s.totalVulnerabilities > 0 ? `<span class="sev-badge ${s.critical > 0 ? "sev-critical" : s.high > 0 ? "sev-high" : s.medium > 0 ? "sev-medium" : "sev-low"}">${s.totalVulnerabilities}</span>` : '<span class="clean">clean</span>';
+      return `
+      <tr>
+        <td class="repo-name">${this.escapeHtml(r.project.path_with_namespace)}</td>
+        <td>${r.reports.map((rpt) => rpt.project.ecosystem).filter((v, i, a) => a.indexOf(v) === i).join(", ")}</td>
+        <td>${s.totalDependencies}</td>
+        <td>${vulnBadge}</td>
+        <td>${s.critical}</td>
+        <td>${s.high}</td>
+        <td>${s.medium}</td>
+        <td>${s.low}</td>
+      </tr>`;
+    }).join("");
+    return `
+  <section>
+    <h2>Repository breakdown</h2>
+    <p class="section-desc">${repos.length} repositories with dependency lockfiles.</p>
+    <div class="table-wrap">
+      <table>
+        <thead>
+          <tr>
+            <th>Repository</th>
+            <th>Ecosystem</th>
+            <th>Deps</th>
+            <th>Vulns</th>
+            <th>Crit</th>
+            <th>High</th>
+            <th>Med</th>
+            <th>Low</th>
+          </tr>
+        </thead>
+        <tbody>${rows}</tbody>
+      </table>
+    </div>
+  </section>`;
+  }
+  ecosystemBreakdown(result) {
+    const eco = result.summary.ecosystemBreakdown;
+    if (Object.keys(eco).length === 0) return "";
+    const items = Object.entries(eco).sort((a, b) => b[1] - a[1]).map(([name, count]) => `
+        <div class="eco-item">
+          <span class="eco-name">${name}</span>
+          <span class="eco-count">${count} repo${count !== 1 ? "s" : ""}</span>
+        </div>`).join("");
+    return `
+  <section>
+    <h2>Ecosystem distribution</h2>
+    <div class="eco-grid">${items}</div>
+  </section>`;
+  }
+  craTimeline(result) {
+    const s = result.summary;
+    if (s.totalVulnerabilities === 0) return "";
+    return `
+  <section>
+    <h2>CRA compliance implications</h2>
+    <div class="cra-box">
+      <p>The <strong>EU Cyber Resilience Act</strong> (Regulation 2024/2847) establishes
+      mandatory cybersecurity requirements for products with digital elements.
+      Key obligations relevant to this scan:</p>
+      <ul>
+        <li><strong>Article 14(2):</strong> Manufacturers must identify and document
+        vulnerabilities, including in third-party components (your dependencies).</li>
+        <li><strong>Article 14(4):</strong> Actively exploited vulnerabilities must be
+        reported to ENISA within 24 hours of awareness${s.exploitedInWild > 0 ? ` \u2014 <strong class="text-danger">${s.exploitedInWild} found in this scan</strong>` : ""}.</li>
+        <li><strong>Article 14(3):</strong> Security updates must be provided free of charge
+        for the support period.</li>
+        <li><strong>Annex I, Part II(1):</strong> An SBOM documenting all components must
+        be maintained \u2014 Verimu generates these in CycloneDX, SPDX, and SWID formats.</li>
+      </ul>
+      <p class="cra-note">Full enforcement begins <strong>11 December 2027</strong>.
+      Vulnerability reporting obligations apply from <strong>11 September 2026</strong>.</p>
+    </div>
+  </section>`;
+  }
+  footer(result) {
+    const duration = (result.durationMs / 1e3).toFixed(1);
+    return `
+  <footer>
+    <p>Generated by <a href="https://verimu.com">Verimu</a> CRA Compliance Scanner
+    in ${duration}s on ${new Date(result.scannedAt).toISOString()}</p>
+    <p class="footer-cta">
+      Continuous monitoring, SBOM management, and CRA compliance dashboards available at
+      <a href="https://app.verimu.com">app.verimu.com</a>
+    </p>
+  </footer>`;
+  }
+  // ─── Styling ──────────────────────────────────────────────
+  styles() {
+    return `<style>
+  :root {
+    --bg: #ffffff; --bg2: #f7f8fa; --text: #1a1a2e; --text2: #555770;
+    --border: #e2e4ea; --accent: #4f46e5; --accent-light: #eef2ff;
+    --crit: #dc2626; --crit-bg: #fef2f2;
+    --high: #ea580c; --high-bg: #fff7ed;
+    --med: #d97706; --med-bg: #fffbeb;
+    --low: #2563eb; --low-bg: #eff6ff;
+    --green: #16a34a; --green-bg: #f0fdf4;
+    --radius: 8px; --radius-lg: 12px;
+  }
+  @media (prefers-color-scheme: dark) {
+    :root {
+      --bg: #0f0f1a; --bg2: #1a1a2e; --text: #e4e4f0; --text2: #9595ad;
+      --border: #2a2a40; --accent: #818cf8; --accent-light: #1e1b4b;
+      --crit-bg: #2a0a0a; --high-bg: #2a1a0a; --med-bg: #2a2200; --low-bg: #0a1a2e;
+      --green-bg: #0a2a1a;
+    }
+  }
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+    background: var(--bg); color: var(--text); line-height: 1.6; }
+  .container { max-width: 960px; margin: 0 auto; padding: 2rem 1.5rem; }
+  a { color: var(--accent); text-decoration: none; }
+  a:hover { text-decoration: underline; }
+  /* Header */
+  header { margin-bottom: 2rem; }
+  .brand { display: flex; align-items: center; gap: 1rem; margin-bottom: 1rem; }
+  .logo { width: 48px; height: 48px; background: var(--accent); color: #fff;
+    border-radius: var(--radius); display: flex; align-items: center; justify-content: center;
+    font-size: 24px; font-weight: 700; }
+  h1 { font-size: 22px; font-weight: 600; }
+  .subtitle { color: var(--text2); font-size: 14px; }
+  .intro { color: var(--text2); font-size: 15px; max-width: 700px; }
+  /* Cards */
+  .cards { display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+    gap: 12px; margin-bottom: 2rem; }
+  .card { background: var(--bg2); border-radius: var(--radius-lg); padding: 1.25rem;
+    border: 1px solid var(--border); }
+  .card-value { font-size: 28px; font-weight: 700; }
+  .card-label { font-size: 13px; color: var(--text2); margin-top: 4px; }
+  .card-danger .card-value { color: var(--crit); }
+  .card-warn .card-value { color: var(--med); }
+  /* Sections */
+  section { margin-bottom: 2.5rem; }
+  h2 { font-size: 18px; font-weight: 600; margin-bottom: 0.75rem; }
+  .section-desc { color: var(--text2); font-size: 14px; margin-bottom: 1rem; }
+  .empty { color: var(--green); font-weight: 500; }
+  /* Bar chart */
+  .chart { max-width: 500px; }
+  .bar-row { display: flex; align-items: center; gap: 8px; margin-bottom: 8px; }
+  .bar-label { width: 60px; font-size: 13px; color: var(--text2); text-align: right; }
+  .bar-track { flex: 1; height: 24px; background: var(--bg2); border-radius: 4px;
+    overflow: hidden; border: 1px solid var(--border); }
+  .bar-fill { height: 100%; border-radius: 3px; transition: width 0.3s; }
+  .bar-count { width: 36px; font-size: 14px; font-weight: 600; }
+  .sev-critical, .bar-fill.sev-critical { background: var(--crit); color: #fff; }
+  .sev-high, .bar-fill.sev-high { background: var(--high); color: #fff; }
+  .sev-medium, .bar-fill.sev-medium { background: var(--med); color: #fff; }
+  .sev-low, .bar-fill.sev-low { background: var(--low); color: #fff; }
+  /* Tables */
+  .table-wrap { overflow-x: auto; border: 1px solid var(--border); border-radius: var(--radius-lg); }
+  table { width: 100%; border-collapse: collapse; font-size: 13px; }
+  th { background: var(--bg2); font-weight: 600; font-size: 12px; text-transform: uppercase;
+    letter-spacing: 0.5px; color: var(--text2); padding: 10px 12px; text-align: left;
+    border-bottom: 1px solid var(--border); }
+  td { padding: 10px 12px; border-bottom: 1px solid var(--border); vertical-align: middle; }
+  tr:last-child td { border-bottom: none; }
+  tr:hover td { background: var(--bg2); }
+  .repo-name { font-weight: 500; font-size: 13px; }
+  .vuln-id { font-family: monospace; font-size: 12px; white-space: nowrap; }
+  /* Badges */
+  .sev-badge { display: inline-block; padding: 2px 8px; border-radius: 4px;
+    font-size: 11px; font-weight: 700; text-transform: uppercase; }
+  .clean { color: var(--green); font-size: 12px; font-weight: 500; }
+  .no-fix { color: var(--text2); font-size: 12px; }
+  .exploited { color: var(--crit); font-weight: 700; font-size: 12px; }
+  /* Alert */
+  .alert { padding: 1rem 1.25rem; border-radius: var(--radius); margin-top: 1rem; font-size: 14px; }
+  .alert-critical { background: var(--crit-bg); border: 1px solid var(--crit); color: var(--crit); }
+  /* Ecosystem grid */
+  .eco-grid { display: flex; flex-wrap: wrap; gap: 8px; }
+  .eco-item { background: var(--bg2); border: 1px solid var(--border); border-radius: var(--radius);
+    padding: 8px 16px; display: flex; align-items: center; gap: 8px; }
+  .eco-name { font-weight: 600; font-size: 14px; }
+  .eco-count { color: var(--text2); font-size: 13px; }
+  /* CRA */
+  .cra-box { background: var(--accent-light); border: 1px solid var(--accent);
+    border-radius: var(--radius-lg); padding: 1.5rem; font-size: 14px; }
+  .cra-box ul { margin: 0.75rem 0; padding-left: 1.5rem; }
+  .cra-box li { margin-bottom: 0.5rem; }
+  .cra-note { margin-top: 1rem; font-weight: 600; }
+  .text-danger { color: var(--crit); }
+  /* Footer */
+  footer { border-top: 1px solid var(--border); padding-top: 1.5rem; margin-top: 2rem;
+    color: var(--text2); font-size: 13px; }
+  .footer-cta { margin-top: 0.5rem; }
+  @media print {
+    .container { max-width: 100%; }
+    .card { break-inside: avoid; }
+  }
+</style>`;
+  }
+  // ─── Helpers ──────────────────────────────────────────────
+  escapeHtml(str) {
+    return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+  }
+  sevClass(severity) {
+    const map = {
+      CRITICAL: "sev-critical",
+      HIGH: "sev-high",
+      MEDIUM: "sev-medium",
+      LOW: "sev-low",
+      UNKNOWN: "sev-low"
+    };
+    return map[severity] ?? "sev-low";
+  }
+};
+// src/github/client.ts
+import { execSync as execSync3 } from "child_process";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, existsSync as existsSync16 } from "fs";
+import { join as join5 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+function parseProfile(input, baseUrl) {
+  const trimmed = input.trim();
+  try {
+    const url = new URL(trimmed);
+    const pathSegments = url.pathname.split("/").filter(Boolean);
+    if (pathSegments.length >= 1) {
+      return { login: pathSegments[0] };
+    }
+  } catch {
+  }
+  if (trimmed.includes("/") && !trimmed.startsWith("http")) {
+    try {
+      const url = new URL(`https://${trimmed}`);
+      const pathSegments = url.pathname.split("/").filter(Boolean);
+      if (pathSegments.length >= 1) {
+        return { login: pathSegments[0] };
+      }
+    } catch {
+    }
+  }
+  if (!trimmed || trimmed.includes(" ")) {
+    throw new Error(`Invalid GitHub profile: "${input}". Provide an org/user handle or URL.`);
+  }
+  return { login: trimmed };
+}
+var GitHubClient = class {
+  baseUrl;
+  apiUrl;
+  token;
+  lastRateLimit;
+  constructor(baseUrl, token) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+    this.token = token;
+    if (this.baseUrl === "https://github.com" || this.baseUrl === "http://github.com") {
+      this.apiUrl = "https://api.github.com";
+    } else {
+      this.apiUrl = `${this.baseUrl}/api/v3`;
+    }
+  }
+  // ─── Owner Type Detection ──────────────────────────────────
+  /**
+   * Determines whether a login is a User or Organization by
+   * calling GET /users/{username} and reading the `type` field.
+   */
+  async detectOwnerType(login) {
+    const data = await this.fetch(`${this.apiUrl}/users/${encodeURIComponent(login)}`);
+    if (data.type === "Organization") return "org";
+    return "user";
+  }
+  // ─── Repo Listing ──────────────────────────────────────────
+  /**
+   * Lists repositories for an organization.
+   * Uses GET /orgs/{org}/repos with pagination.
+   */
+  async listOrgRepos(org) {
+    return this.paginate(
+      `${this.apiUrl}/orgs/${encodeURIComponent(org)}/repos`,
+      { type: "all", sort: "pushed", direction: "desc" }
+    );
+  }
+  /**
+   * Lists repositories for a user.
+   *
+    * - Without token: GET /users/{username}/repos
+    *   - default: type=all
+    *   - ownerOnly: type=owner
+   * - With token for own user: GET /user/repos filtered by owner login
+   *   (includes private repos the token can see)
+    * - With token for other user: GET /users/{username}/repos
+   *   (only public repos visible)
+   */
+  async listUserRepos(login, ownerOnly = false) {
+    if (this.token) {
+      try {
+        const authedUser = await this.fetch(`${this.apiUrl}/user`);
+        if (authedUser.login.toLowerCase() === login.toLowerCase()) {
+          const allRepos = await this.paginate(
+            `${this.apiUrl}/user/repos`,
+            { sort: "pushed", direction: "desc", affiliation: "owner" }
+          );
+          return allRepos;
+        }
+      } catch {
+      }
+    }
+    return this.paginate(
+      `${this.apiUrl}/users/${encodeURIComponent(login)}/repos`,
+      { type: ownerOnly ? "owner" : "all", sort: "pushed", direction: "desc" }
+    );
+  }
+  /**
+   * Lists repos based on resolved owner type.
+   */
+  async listRepos(login, ownerType, options) {
+    if (ownerType === "org") {
+      return this.listOrgRepos(login);
+    }
+    return this.listUserRepos(login, options?.ownerOnly ?? false);
+  }
+  // ─── Cloning ───────────────────────────────────────────────
+  /**
+   * Shallow-clones a repo into a temporary directory.
+   * Returns the path to the cloned repo.
+   *
+   * Uses HTTPS with token auth embedded in the URL (when token is available).
+   */
+  cloneToTemp(repo, branch) {
+    const tempDir = mkdtempSync2(join5(tmpdir2(), `verimu-gh-${repo.id}-`));
+    const cloneUrl = this.token ? this.buildAuthUrl(repo.clone_url) : repo.clone_url;
+    const targetBranch = branch ?? repo.default_branch;
+    try {
+      execSync3(
+        `git clone --depth 1 --branch "${targetBranch}" --single-branch "${cloneUrl}" "${tempDir}"`,
+        {
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout per clone
+          env: {
+            ...process.env,
+            GIT_TERMINAL_PROMPT: "0"
+            // Never prompt for auth
+          }
+        }
+      );
+    } catch (err) {
+      this.cleanupTemp(tempDir);
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Clone failed for ${repo.full_name}: ${msg}`);
+    }
+    return tempDir;
+  }
+  /**
+   * Removes a temporary clone directory.
+   */
+  cleanupTemp(tempDir) {
+    if (existsSync16(tempDir)) {
+      rmSync2(tempDir, { recursive: true, force: true });
+    }
+  }
+  // ─── Rate Limit Accessors ──────────────────────────────────
+  /** Returns the last observed rate limit info, if any. */
+  getRateLimit() {
+    return this.lastRateLimit;
+  }
+  /**
+   * Returns the hourly rate limit for this client configuration.
+   * - Unauthenticated: 60 requests/hour
+   * - Authenticated (PAT/OAuth): 5,000 requests/hour
+   */
+  getExpectedRateLimit() {
+    return this.token ? 5e3 : 60;
+  }
+  // ─── Internals ─────────────────────────────────────────────
+  /**
+   * Paginated GET — fetches all pages of a list endpoint.
+   * GitHub uses `per_page` (max 100) and `page` parameters.
+   */
+  async paginate(url, params = {}) {
+    const all = [];
+    let page = 1;
+    const perPage = 100;
+    while (true) {
+      const searchParams = new URLSearchParams({
+        ...params,
+        per_page: String(perPage),
+        page: String(page)
+      });
+      const fullUrl = `${url}?${searchParams.toString()}`;
+      const items = await this.fetch(fullUrl);
+      if (items.length === 0) break;
+      all.push(...items);
+      page++;
+      if (items.length < perPage) break;
+    }
+    return all;
+  }
+  /**
+   * Builds an authenticated HTTPS URL for git clone.
+   * Embeds the token as a password with "x-access-token" user.
+   */
+  buildAuthUrl(httpUrl) {
+    const url = new URL(httpUrl);
+    url.username = "x-access-token";
+    url.password = this.token;
+    return url.toString();
+  }
+  /**
+   * Makes an authenticated GET request to the GitHub API.
+   *
+   * Rate limit handling:
+   * - Reads X-RateLimit-Remaining and X-RateLimit-Reset headers
+   * - If remaining is 0, waits until the reset time or throws with actionable message
+   * - Retries on transient 502/503/504 with exponential backoff (up to 3 retries)
+   * - Returns 403/429 rate limit errors with reset time information
+   */
+  async fetch(url) {
+    const maxRetries = 3;
+    let lastError = null;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      if (this.lastRateLimit && this.lastRateLimit.remaining === 0) {
+        const now = Date.now();
+        const resetMs = this.lastRateLimit.resetAt.getTime();
+        if (now < resetMs) {
+          const waitSec = Math.ceil((resetMs - now) / 1e3);
+          if (waitSec <= 60) {
+            console.log(`    Rate limit reached. Waiting ${waitSec}s for reset...`);
+            await this.sleep(waitSec * 1e3);
+          } else {
+            throw new Error(
+              `GitHub API rate limit exceeded. Limit: ${this.lastRateLimit.limit} requests/hour${this.token ? "" : " (unauthenticated \u2014 use --token for 5,000/hour)"}. Resets at ${this.lastRateLimit.resetAt.toLocaleTimeString()} (${waitSec}s from now).`
+            );
+          }
+        }
+      }
+      const headers = {
+        "Accept": "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      };
+      if (this.token) {
+        headers["Authorization"] = `Bearer ${this.token}`;
+      }
+      let response;
+      try {
+        response = await globalThis.fetch(url, { headers });
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt < maxRetries) {
+          await this.sleep(1e3 * 2 ** attempt);
+          continue;
+        }
+        throw lastError;
+      }
+      this.updateRateLimit(response);
+      if (response.ok) {
+        return response.json();
+      }
+      if (response.status === 403 || response.status === 429) {
+        const body2 = await response.text().catch(() => "no body");
+        if (body2.includes("rate limit") || body2.includes("API rate limit") || response.status === 429) {
+          const resetHeader = response.headers.get("X-RateLimit-Reset");
+          const resetAt = resetHeader ? new Date(Number(resetHeader) * 1e3) : new Date(Date.now() + 6e4);
+          const waitSec = Math.ceil((resetAt.getTime() - Date.now()) / 1e3);
+          const retryAfter = response.headers.get("Retry-After");
+          if (retryAfter && attempt < maxRetries) {
+            const waitMs = Number(retryAfter) * 1e3;
+            console.log(`    Rate limited (secondary). Waiting ${retryAfter}s...`);
+            await this.sleep(Math.min(waitMs, 6e4));
+            continue;
+          }
+          throw new Error(
+            `GitHub API rate limit exceeded (${response.status}). ${this.token ? "" : "Unauthenticated requests are limited to 60/hour \u2014 use --token for 5,000/hour. "}Resets at ${resetAt.toLocaleTimeString()} (${Math.max(0, waitSec)}s from now).`
+          );
+        }
+        throw new Error(
+          `GitHub API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body2}`
+        );
+      }
+      if ([502, 503, 504].includes(response.status) && attempt < maxRetries) {
+        lastError = new Error(`GitHub API error: ${response.status} ${response.statusText}`);
+        await this.sleep(1e3 * 2 ** attempt);
+        continue;
+      }
+      const body = await response.text().catch(() => "no body");
+      throw new Error(
+        `GitHub API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body}`
+      );
+    }
+    throw lastError ?? new Error(`GitHub API request failed after ${maxRetries} retries`);
+  }
+  /**
+   * Updates internal rate limit tracker from response headers.
+   */
+  updateRateLimit(response) {
+    const limit = response.headers.get("X-RateLimit-Limit");
+    const remaining = response.headers.get("X-RateLimit-Remaining");
+    const reset = response.headers.get("X-RateLimit-Reset");
+    const used = response.headers.get("X-RateLimit-Used");
+    if (limit && remaining && reset) {
+      this.lastRateLimit = {
+        limit: Number(limit),
+        remaining: Number(remaining),
+        resetAt: new Date(Number(reset) * 1e3),
+        used: used ? Number(used) : 0
+      };
+    }
+  }
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
+// src/github/orchestrator.ts
+var GitHubOrchestrator = class {
+  discovery = new LockfileDiscovery();
+  /**
+   * Scans all repos for a GitHub profile (org or user).
+   */
+  async scanProfile(config) {
+    const startTime = Date.now();
+    const client = new GitHubClient(config.baseUrl, config.token);
+    const { login } = parseProfile(config.profile, config.baseUrl);
+    console.log(`
+  GitHub profile: ${login}`);
+    console.log(`  Base URL: ${config.baseUrl}`);
+    console.log(`  Auth: ${config.token ? "token provided (5,000 req/h)" : "unauthenticated (60 req/h)"}`);
+    process.stdout.write("  Detecting profile type... ");
+    const ownerType = await client.detectOwnerType(login);
+    console.log(ownerType);
+    console.log("  Listing repositories...");
+    const repos = await client.listRepos(login, ownerType, {
+      ownerOnly: config.ownerOnly ?? false
+    });
+    console.log(`  Found ${repos.length} repositories
+`);
+    const { toScan, skipped } = this.filterRepos(repos, config);
+    console.log(`  Scanning ${toScan.length} repos (${skipped.length} skipped)
+`);
+    const scannedRepos = [];
+    const failedRepos = [];
+    for (let i = 0; i < toScan.length; i++) {
+      const repo = toScan[i];
+      const label = `[${i + 1}/${toScan.length}]`;
+      console.log(`  ${label} ${repo.full_name}`);
+      const repoStart = Date.now();
+      let tempDir = null;
+      try {
+        process.stdout.write("    Cloning... ");
+        tempDir = client.cloneToTemp(repo, config.branch);
+        console.log("done");
+        const discovered = await this.discovery.discover({
+          rootPath: tempDir
+        });
+        if (discovered.length === 0) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            repo,
+            reports: [],
+            hasLockfile: false,
+            durationMs: Date.now() - repoStart
+          });
+          continue;
+        }
+        console.log(`    Found ${discovered.length} project(s)`);
+        const reports = [];
+        const autoGroupName = this.getAutoGroupName(repo, discovered.length, config.groupName);
+        for (const disc of discovered) {
+          const subLabel = discovered.length > 1 ? ` (${disc.relativePath})` : "";
+          const uploadProjectName = this.getUploadProjectName(repo, disc.relativePath, discovered.length);
+          const safeArtifactSuffix = uploadProjectName.replace(/[\\/:*?"<>|]/g, "-").replace(/\s+/g, "-").toLowerCase();
+          const sbomOutput = `${tempDir}/sbom.${safeArtifactSuffix}.cdx.json`;
+          process.stdout.write(`    Scanning${subLabel}... `);
+          try {
+            const report = await scan({
+              projectPath: disc.projectPath,
+              sbomOutput,
+              skipCveCheck: config.skipCveCheck ?? false,
+              apiKey: config.apiKey,
+              apiBaseUrl: config.apiBaseUrl,
+              groupName: autoGroupName,
+              uploadProjectName,
+              repositoryUrl: repo.html_url,
+              platform: "github"
+            });
+            const vulnCount = report.summary.totalVulnerabilities;
+            const depCount = report.summary.totalDependencies;
+            if (vulnCount > 0) {
+              console.log(
+                `${depCount} deps, ${vulnCount} vulns (C:${report.summary.critical} H:${report.summary.high} M:${report.summary.medium} L:${report.summary.low})`
+              );
+            } else {
+              console.log(`${depCount} deps, clean`);
+            }
+            reports.push(report);
+          } catch (scanErr) {
+            const msg = scanErr instanceof Error ? scanErr.message : String(scanErr);
+            console.log(`FAILED: ${msg.slice(0, 80)}`);
+          }
+        }
+        const durationMs = Date.now() - repoStart;
+        scannedRepos.push({
+          repo,
+          reports,
+          hasLockfile: true,
+          durationMs
+        });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const durationMs = Date.now() - repoStart;
+        if (msg.includes("No supported lockfile") || msg.includes("NoLockfileError")) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            repo,
+            reports: [],
+            hasLockfile: false,
+            durationMs
+          });
+        } else {
+          console.log(`    FAILED: ${msg.slice(0, 100)}`);
+          failedRepos.push({ repo, error: msg });
+        }
+      } finally {
+        if (tempDir) {
+          client.cleanupTemp(tempDir);
+        }
+      }
+      console.log("");
+    }
+    const result = this.aggregate(
+      config.baseUrl,
+      login,
+      ownerType,
+      repos.length,
+      scannedRepos,
+      skipped,
+      failedRepos,
+      Date.now() - startTime
+    );
+    this.printSummary(result);
+    return result;
+  }
+  // ─── Filtering ──────────────────────────────────────────────
+  filterRepos(repos, config) {
+    const toScan = [];
+    const skipped = [];
+    for (const repo of repos) {
+      if (config.excludeArchived !== false && repo.archived) {
+        skipped.push({ repo, reason: "archived" });
+        continue;
+      }
+      if (config.excludeForks && repo.fork) {
+        skipped.push({ repo, reason: "fork" });
+        continue;
+      }
+      toScan.push(repo);
+    }
+    if (config.maxRepos && toScan.length > config.maxRepos) {
+      const trimmed = toScan.splice(config.maxRepos);
+      for (const r of trimmed) {
+        skipped.push({ repo: r, reason: "exceeded --max-repos limit" });
+      }
+    }
+    return { toScan, skipped };
+  }
+  getUploadProjectName(repo, relativePath, totalProjectsInRepo) {
+    if (totalProjectsInRepo > 1) {
+      return relativePath === "." ? repo.name : relativePath;
+    }
+    return repo.full_name;
+  }
+  getAutoGroupName(repo, totalProjectsInRepo, configuredGroupName) {
+    if (configuredGroupName) {
+      return configuredGroupName;
+    }
+    return totalProjectsInRepo > 1 ? repo.full_name : void 0;
+  }
+  // ─── Aggregation ────────────────────────────────────────────
+  aggregate(instanceUrl, profile, profileType, totalDiscovered, scannedRepos, skippedRepos, failedRepos, durationMs) {
+    const reposWithData = scannedRepos.filter((r) => r.reports.length > 0);
+    const ecosystemBreakdown = {};
+    let totalDeps = 0;
+    let totalVulns = 0;
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let exploitedInWild = 0;
+    let reposWithVulns = 0;
+    for (const { reports } of reposWithData) {
+      let repoHasVulns = false;
+      for (const report of reports) {
+        totalDeps += report.summary.totalDependencies;
+        totalVulns += report.summary.totalVulnerabilities;
+        critical += report.summary.critical;
+        high += report.summary.high;
+        medium += report.summary.medium;
+        low += report.summary.low;
+        exploitedInWild += report.summary.exploitedInWild;
+        if (report.summary.totalVulnerabilities > 0) {
+          repoHasVulns = true;
+        }
+        const eco = report.project.ecosystem;
+        ecosystemBreakdown[eco] = (ecosystemBreakdown[eco] ?? 0) + 1;
+      }
+      if (repoHasVulns) reposWithVulns++;
+    }
+    const vulnMap = /* @__PURE__ */ new Map();
+    for (const { repo, reports } of reposWithData) {
+      for (const report of reports) {
+        for (const vuln of report.cveCheck.vulnerabilities) {
+          const existing = vulnMap.get(vuln.id);
+          if (existing) {
+            if (!existing.affectedRepos.includes(repo.full_name)) {
+              existing.affectedRepos.push(repo.full_name);
+            }
+          } else {
+            vulnMap.set(vuln.id, {
+              id: vuln.id,
+              severity: vuln.severity,
+              summary: vuln.summary,
+              affectedRepos: [repo.full_name],
+              fixedVersion: vuln.fixedVersion,
+              exploitedInWild: vuln.exploitedInWild
+            });
+          }
+        }
+      }
+    }
+    const severityOrder2 = {
+      CRITICAL: 0,
+      HIGH: 1,
+      MEDIUM: 2,
+      LOW: 3,
+      UNKNOWN: 4
+    };
+    const topVulnerabilities = Array.from(vulnMap.values()).sort((a, b) => {
+      const sevDiff = severityOrder2[a.severity] - severityOrder2[b.severity];
+      if (sevDiff !== 0) return sevDiff;
+      return b.affectedRepos.length - a.affectedRepos.length;
+    });
+    return {
+      instanceUrl,
+      profile,
+      profileType,
+      totalReposDiscovered: totalDiscovered,
+      scannedRepos,
+      skippedRepos,
+      failedRepos,
+      summary: {
+        totalRepos: reposWithData.length,
+        reposWithVulnerabilities: reposWithVulns,
+        totalDependencies: totalDeps,
+        totalVulnerabilities: totalVulns,
+        critical,
+        high,
+        medium,
+        low,
+        exploitedInWild,
+        ecosystemBreakdown
+      },
+      topVulnerabilities,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      durationMs
+    };
+  }
+  // ─── Summary Printing ───────────────────────────────────────
+  printSummary(result) {
+    const noLockfile = result.scannedRepos.filter((r) => !r.hasLockfile).length;
+    const withLockfile = result.scannedRepos.filter((r) => r.hasLockfile).length;
+    console.log("\n" + "\u2550".repeat(60));
+    console.log("  VERIMU GITHUB SCAN \u2014 COMPLETE");
+    console.log("\u2550".repeat(60));
+    console.log(`
+  Profile:      ${result.profile} (${result.profileType})`);
+    console.log(`  Instance:     ${result.instanceUrl}`);
+    console.log("");
+    console.log(`  Repos found:      ${result.totalReposDiscovered}`);
+    console.log(`    With lockfile:  ${withLockfile}`);
+    console.log(`    No lockfile:    ${noLockfile}`);
+    console.log(`    Skipped:        ${result.skippedRepos.length}  (archived/fork/limit)`);
+    console.log(`    Failed:         ${result.failedRepos.length}  (clone/scan error)`);
+    console.log("");
+    console.log(`  Repos with vulns: ${result.summary.reposWithVulnerabilities} / ${withLockfile}`);
+    console.log("");
+    console.log(`  Total dependencies:     ${result.summary.totalDependencies}`);
+    console.log(`  Total vulnerabilities:  ${result.summary.totalVulnerabilities}`);
+    console.log(`    Critical: ${result.summary.critical}`);
+    console.log(`    High:     ${result.summary.high}`);
+    console.log(`    Medium:   ${result.summary.medium}`);
+    console.log(`    Low:      ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      console.log(`
+  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 CRA 24h reporting required`);
+    }
+    if (Object.keys(result.summary.ecosystemBreakdown).length > 0) {
+      console.log("\n  Ecosystems:");
+      for (const [eco, count] of Object.entries(result.summary.ecosystemBreakdown)) {
+        console.log(`    ${eco}: ${count} project(s)`);
+      }
+    }
+    console.log(`
+  Completed in ${(result.durationMs / 1e3).toFixed(1)}s`);
+    console.log("");
+  }
+};
 export {
   ApiKeyRequiredError,
   CargoScanner,
@@ -19023,7 +20630,12 @@ export {
   CveSourceError,
   CycloneDxGenerator,
   DenoScanner,
+  GitHubClient,
+  GitHubOrchestrator,
+  GitLabClient,
+  GitLabOrchestrator,
   GoScanner,
+  HtmlReporter,
   LockfileParseError,
   MavenScanner,
   NoLockfileError,
@@ -19045,6 +20657,7 @@ export {
   generateSbomArtifacts,
   generateSpdxSbom,
   generateSwidTag,
+  parseProfile,
   printReport,
   scan,
   shouldFailCi,