verimu 0.0.3 → 0.0.4

package/dist/cli.mjs

@@ -0,0 +1,1616 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { resolve } from "path";
+
+// src/scan.ts
+import { writeFile } from "fs/promises";
+import { basename } from "path";
+
+// src/scanners/npm/npm-scanner.ts
+import { readFile } from "fs/promises";
+import { existsSync } from "fs";
+import path from "path";
+
+// src/core/errors.ts
+var VerimuError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "VerimuError";
+  }
+};
+var NoLockfileError = class extends VerimuError {
+  constructor(projectPath) {
+    super(
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby)`,
+      "NO_LOCKFILE"
+    );
+    this.name = "NoLockfileError";
+  }
+};
+var LockfileParseError = class extends VerimuError {
+  constructor(lockfilePath, reason) {
+    super(`Failed to parse ${lockfilePath}: ${reason}`, "LOCKFILE_PARSE_ERROR");
+    this.name = "LockfileParseError";
+  }
+};
+
+// src/scanners/npm/npm-scanner.ts
+var NpmScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["package-lock.json"];
+  async detect(projectPath) {
+    const lockfilePath = path.join(projectPath, "package-lock.json");
+    return existsSync(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, packageJsonRaw] = await Promise.all([
+      readFile(lockfilePath, "utf-8"),
+      readFile(path.join(projectPath, "package.json"), "utf-8").catch(() => null)
+    ]);
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    const directNames = /* @__PURE__ */ new Set();
+    if (packageJsonRaw) {
+      try {
+        const pkg = JSON.parse(packageJsonRaw);
+        for (const name of Object.keys(pkg.dependencies ?? {})) {
+          directNames.add(name);
+        }
+        for (const name of Object.keys(pkg.devDependencies ?? {})) {
+          directNames.add(name);
+        }
+      } catch {
+      }
+    }
+    const dependencies = this.parseLockfile(lockfile, directNames);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses package-lock.json and extracts dependencies.
+   * Supports lockfile v2 and v3 (uses the `packages` field).
+   * Falls back to `dependencies` field for lockfile v1.
+   */
+  parseLockfile(lockfile, directNames) {
+    const deps = [];
+    if (lockfile.packages) {
+      for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {
+        if (pkgPath === "") continue;
+        const name = this.extractPackageName(pkgPath);
+        if (!name || !pkgInfo.version) continue;
+        if (pkgInfo.link) continue;
+        deps.push({
+          name,
+          version: pkgInfo.version,
+          direct: directNames.has(name),
+          ecosystem: "npm",
+          purl: this.buildPurl(name, pkgInfo.version)
+        });
+      }
+    } else if (lockfile.dependencies) {
+      this.parseDependenciesV1(lockfile.dependencies, directNames, deps);
+    }
+    return deps;
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec (https://github.com/package-url/purl-spec/blob/main/types-doc/npm-definition.md):
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+  /** Extracts the package name from a node_modules path */
+  extractPackageName(pkgPath) {
+    const parts = pkgPath.split("node_modules/");
+    const last = parts[parts.length - 1];
+    return last || null;
+  }
+  /** Recursively parses lockfile v1 `dependencies` tree */
+  parseDependenciesV1(depsObj, directNames, result) {
+    for (const [name, info] of Object.entries(depsObj)) {
+      if (info.version) {
+        result.push({
+          name,
+          version: info.version,
+          direct: directNames.has(name),
+          ecosystem: "npm",
+          purl: this.buildPurl(name, info.version)
+        });
+      }
+      if (info.dependencies) {
+        this.parseDependenciesV1(info.dependencies, directNames, result);
+      }
+    }
+  }
+};
+
+// src/scanners/nuget/nuget-scanner.ts
+import { readFile as readFile2 } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import path2 from "path";
+var NugetScanner = class {
+  ecosystem = "nuget";
+  lockfileNames = ["packages.lock.json"];
+  async detect(projectPath) {
+    const lockfilePath = path2.join(projectPath, "packages.lock.json");
+    return existsSync2(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await readFile2(lockfilePath, "utf-8");
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    if (!lockfile.dependencies) {
+      throw new LockfileParseError(lockfilePath, 'Missing "dependencies" field');
+    }
+    const dependencies = this.parseLockfile(lockfile);
+    return {
+      projectPath,
+      ecosystem: "nuget",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses packages.lock.json and extracts dependencies across all
+   * target frameworks. Deduplicates by package name (keeps highest version
+   * if the same package appears under multiple frameworks).
+   */
+  parseLockfile(lockfile) {
+    const depMap = /* @__PURE__ */ new Map();
+    for (const [_framework, packages] of Object.entries(lockfile.dependencies)) {
+      for (const [name, info] of Object.entries(packages)) {
+        if (!info.resolved) continue;
+        const isDirect = info.type === "Direct";
+        const existing = depMap.get(name);
+        if (!existing) {
+          depMap.set(name, {
+            name,
+            version: info.resolved,
+            direct: isDirect,
+            ecosystem: "nuget",
+            purl: this.buildPurl(name, info.resolved)
+          });
+        } else if (isDirect && !existing.direct) {
+          existing.direct = true;
+        }
+      }
+    }
+    return Array.from(depMap.values());
+  }
+  /**
+   * Builds a purl for a NuGet package.
+   * NuGet purls are straightforward: pkg:nuget/Name@Version
+   */
+  buildPurl(name, version) {
+    return `pkg:nuget/${name}@${version}`;
+  }
+};
+
+// src/scanners/cargo/cargo-scanner.ts
+import { readFile as readFile3 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import path3 from "path";
+var CargoScanner = class {
+  ecosystem = "cargo";
+  lockfileNames = ["Cargo.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path3.join(projectPath, "Cargo.lock");
+    return existsSync3(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, cargoTomlRaw] = await Promise.all([
+      readFile3(lockfilePath, "utf-8"),
+      readFile3(path3.join(projectPath, "Cargo.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const directNames = cargoTomlRaw ? this.parseCargoToml(cargoTomlRaw) : /* @__PURE__ */ new Set();
+    const rootName = packages.length > 0 ? packages[0].name : null;
+    const dependencies = [];
+    for (const pkg of packages) {
+      if (pkg.name === rootName && pkg.source === void 0) continue;
+      dependencies.push({
+        name: pkg.name,
+        version: pkg.version,
+        direct: directNames.has(pkg.name),
+        ecosystem: "cargo",
+        purl: this.buildPurl(pkg.name, pkg.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "cargo",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses Cargo.lock by splitting on [[package]] blocks.
+   * This is a lightweight parser that handles the regular structure
+   * of Cargo.lock without needing a full TOML parser.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      const source = this.extractField(block, "source");
+      if (name && version) {
+        packages.push({ name, version, source: source || void 0 });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from Cargo.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Parses Cargo.toml to extract direct dependency names.
+   * Looks for [dependencies] and [dev-dependencies] sections.
+   */
+  parseCargoToml(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDepsSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepsSection = line === "[dependencies]" || line === "[dev-dependencies]" || line === "[build-dependencies]";
+        continue;
+      }
+      if (inDepsSection && line && !line.startsWith("#")) {
+        const match = line.match(/^([a-zA-Z0-9_-]+)\s*=/);
+        if (match) {
+          directNames.add(match[1]);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Builds a purl for a Cargo (crates.io) package.
+   */
+  buildPurl(name, version) {
+    return `pkg:cargo/${name}@${version}`;
+  }
+};
+
+// src/scanners/pip/pip-scanner.ts
+import { readFile as readFile4 } from "fs/promises";
+import { existsSync as existsSync4 } from "fs";
+import path4 from "path";
+var PipScanner = class {
+  ecosystem = "pip";
+  lockfileNames = ["requirements.txt", "Pipfile.lock"];
+  async detect(projectPath) {
+    for (const lockfile of this.lockfileNames) {
+      const fullPath = path4.join(projectPath, lockfile);
+      if (existsSync4(fullPath)) return fullPath;
+    }
+    return null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const raw = await readFile4(lockfilePath, "utf-8");
+    const filename = path4.basename(lockfilePath);
+    let dependencies;
+    if (filename === "Pipfile.lock") {
+      dependencies = this.parsePipfileLock(raw, lockfilePath);
+    } else {
+      dependencies = this.parseRequirementsTxt(raw, lockfilePath);
+    }
+    return {
+      projectPath,
+      ecosystem: "pip",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses `requirements.txt` format.
+   *
+   * Supports:
+   *   - `package==1.2.3` (pinned)
+   *   - `package>=1.2.0` (minimum — uses the specified version)
+   *   - `package~=1.2.0` (compatible release)
+   *   - Comments (`#`) and blank lines are skipped
+   *   - `-r other-file.txt` (include directive) — skipped for now
+   *   - `--index-url` and other pip flags — skipped
+   */
+  parseRequirementsTxt(content, lockfilePath) {
+    const deps = [];
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line || line.startsWith("#") || line.startsWith("-") || line.startsWith("--")) {
+        continue;
+      }
+      const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*(?:[~=!<>]=?)\s*(.+)$/);
+      if (match) {
+        const [, name, versionSpec] = match;
+        const version = this.extractVersion(versionSpec);
+        if (name && version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            // requirements.txt doesn't distinguish
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    return deps;
+  }
+  /**
+   * Parses `Pipfile.lock` (JSON format from Pipenv).
+   *
+   * Structure:
+   * ```json
+   * {
+   *   "_meta": { ... },
+   *   "default": {
+   *     "requests": { "version": "==2.31.0", ... }
+   *   },
+   *   "develop": {
+   *     "pytest": { "version": "==7.4.0", ... }
+   *   }
+   * }
+   * ```
+   */
+  parsePipfileLock(content, lockfilePath) {
+    let lockfile;
+    try {
+      lockfile = JSON.parse(content);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON in Pipfile.lock");
+    }
+    const deps = [];
+    if (lockfile.default) {
+      for (const [name, info] of Object.entries(lockfile.default)) {
+        const version = info.version?.replace(/^==/, "") ?? "";
+        if (version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    if (lockfile.develop) {
+      for (const [name, info] of Object.entries(lockfile.develop)) {
+        const version = info.version?.replace(/^==/, "") ?? "";
+        if (version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    return deps;
+  }
+  /**
+   * Extracts the version number from a pip version specifier.
+   * "1.2.3" → "1.2.3"
+   * "1.2.3,<2.0" → "1.2.3"
+   */
+  extractVersion(spec) {
+    const cleaned = spec.split(",")[0].trim();
+    return cleaned;
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "pip").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+
+// src/scanners/maven/maven-scanner.ts
+import { readFile as readFile5 } from "fs/promises";
+import { existsSync as existsSync5 } from "fs";
+import { execSync } from "child_process";
+import path5 from "path";
+var MavenScanner = class {
+  ecosystem = "maven";
+  lockfileNames = ["pom.xml"];
+  /** Allow injection for testing */
+  execSyncFn;
+  constructor(execSyncImpl) {
+    this.execSyncFn = execSyncImpl ?? execSync;
+  }
+  async detect(projectPath) {
+    const pomPath = path5.join(projectPath, "pom.xml");
+    return existsSync5(pomPath) ? pomPath : null;
+  }
+  async scan(projectPath, _lockfilePath) {
+    const depTreePath = path5.join(projectPath, "dependency-tree.txt");
+    if (existsSync5(depTreePath)) {
+      const content = await readFile5(depTreePath, "utf-8");
+      const dependencies = this.parseDependencyList(content, depTreePath);
+      return this.buildResult(projectPath, depTreePath, dependencies);
+    }
+    if (this.isMavenAvailable()) {
+      const output = this.runMavenDependencyList(projectPath);
+      const dependencies = this.parseDependencyList(output, "mvn dependency:list");
+      return this.buildResult(projectPath, path5.join(projectPath, "pom.xml"), dependencies);
+    }
+    throw new LockfileParseError(
+      path5.join(projectPath, "pom.xml"),
+      "Maven project detected (pom.xml found) but could not resolve dependencies. Either install Maven (`mvn` must be on $PATH) or pre-generate a dependency list:\n  mvn dependency:list -DoutputFile=dependency-tree.txt -DappendOutput=true"
+    );
+  }
+  /**
+   * Parses Maven `dependency:list` output.
+   *
+   * Each dependency line has the format:
+   *   groupId:artifactId:type:version:scope
+   *   groupId:artifactId:type:classifier:version:scope
+   *
+   * Lines are typically indented with leading whitespace.
+   */
+  parseDependencyList(content, source) {
+    const deps = [];
+    const depPattern = /^\s*([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]+):([a-z]+):(?:([a-zA-Z0-9._-]+):)?([a-zA-Z0-9._-]+):([a-z]+)/;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line) continue;
+      const match = line.match(depPattern);
+      if (match) {
+        const groupId = match[1];
+        const artifactId = match[2];
+        const version = match[4] && match[5] ? match[5] : match[4] ?? match[5];
+        const scope = match[4] && match[5] ? match[6] : match[5] && match[6] ? match[6] : match[5];
+        const parts = line.split(":");
+        if (parts.length >= 5) {
+          const gId = parts[0].trim();
+          const aId = parts[1];
+          const ver = parts.length === 6 ? parts[4] : parts[3];
+          const scp = parts.length === 6 ? parts[5] : parts[4];
+          if (gId && aId && ver) {
+            const name = `${gId}:${aId}`;
+            deps.push({
+              name,
+              version: ver,
+              direct: scp === "compile" || scp === "runtime" || scp === "provided",
+              ecosystem: "maven",
+              purl: this.buildPurl(gId, aId, ver)
+            });
+          }
+        }
+      }
+    }
+    return deps;
+  }
+  /** Checks if `mvn` is available on PATH */
+  isMavenAvailable() {
+    try {
+      this.execSyncFn("mvn --version", { stdio: "pipe", timeout: 1e4 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Runs `mvn dependency:list` and returns the output.
+   */
+  runMavenDependencyList(projectPath) {
+    try {
+      const output = this.execSyncFn(
+        "mvn dependency:list -DoutputType=text -DincludeScope=compile",
+        {
+          cwd: projectPath,
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout
+          encoding: "utf-8"
+        }
+      );
+      return output.toString();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new LockfileParseError(
+        path5.join(projectPath, "pom.xml"),
+        `Failed to run 'mvn dependency:list': ${message}`
+      );
+    }
+  }
+  /**
+   * Builds a purl for a Maven package.
+   * Format: pkg:maven/groupId/artifactId@version
+   */
+  buildPurl(groupId, artifactId, version) {
+    return `pkg:maven/${groupId}/${artifactId}@${version}`;
+  }
+  buildResult(projectPath, lockfilePath, dependencies) {
+    return {
+      projectPath,
+      ecosystem: "maven",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+};
+
+// src/scanners/go/go-scanner.ts
+import { readFile as readFile6 } from "fs/promises";
+import { existsSync as existsSync6 } from "fs";
+import path6 from "path";
+var GoScanner = class {
+  ecosystem = "go";
+  lockfileNames = ["go.sum"];
+  async detect(projectPath) {
+    const goSumPath = path6.join(projectPath, "go.sum");
+    return existsSync6(goSumPath) ? goSumPath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [goSumRaw, goModRaw] = await Promise.all([
+      readFile6(lockfilePath, "utf-8"),
+      readFile6(path6.join(projectPath, "go.mod"), "utf-8").catch(() => null)
+    ]);
+    const { directNames, indirectNames } = goModRaw ? this.parseGoMod(goModRaw) : { directNames: /* @__PURE__ */ new Set(), indirectNames: /* @__PURE__ */ new Set() };
+    const dependencies = this.parseGoSum(goSumRaw, lockfilePath, directNames, indirectNames);
+    return {
+      projectPath,
+      ecosystem: "go",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses go.sum and extracts unique module dependencies.
+   *
+   * Each module may appear twice in go.sum (once for the source archive,
+   * once for go.mod). We deduplicate by module path + version, keeping
+   * only the `h1:` entry (not the `/go.mod` entry).
+   */
+  parseGoSum(content, lockfilePath, directNames, indirectNames) {
+    const depMap = /* @__PURE__ */ new Map();
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line) continue;
+      const parts = line.split(/\s+/);
+      if (parts.length < 3) continue;
+      const modulePath = parts[0];
+      let version = parts[1];
+      if (version.endsWith("/go.mod")) continue;
+      version = version.replace(/\+incompatible$/, "");
+      const key = `${modulePath}@${version}`;
+      if (depMap.has(key)) continue;
+      const isDirect = directNames.size > 0 || indirectNames.size > 0 ? directNames.has(modulePath) || (!indirectNames.has(modulePath) && !directNames.has(modulePath) ? false : directNames.has(modulePath)) : true;
+      depMap.set(key, {
+        name: modulePath,
+        version,
+        direct: isDirect,
+        ecosystem: "go",
+        purl: this.buildPurl(modulePath, version)
+      });
+    }
+    return Array.from(depMap.values());
+  }
+  /**
+   * Parses go.mod to extract direct and indirect dependency names.
+   *
+   * Handles both single-line and block `require` directives:
+   * ```
+   * require github.com/pkg/errors v0.9.1
+   *
+   * require (
+   *     github.com/gin-gonic/gin v1.9.1
+   *     golang.org/x/text v0.14.0 // indirect
+   * )
+   * ```
+   */
+  parseGoMod(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    const indirectNames = /* @__PURE__ */ new Set();
+    let inRequireBlock = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("require ") && !line.includes("(")) {
+        const match = line.match(/^require\s+(\S+)\s+\S+(.*)$/);
+        if (match) {
+          const modulePath = match[1];
+          const rest = match[2];
+          if (rest.includes("// indirect")) {
+            indirectNames.add(modulePath);
+          } else {
+            directNames.add(modulePath);
+          }
+        }
+        continue;
+      }
+      if (line === "require (" || line.startsWith("require (")) {
+        inRequireBlock = true;
+        continue;
+      }
+      if (inRequireBlock && line === ")") {
+        inRequireBlock = false;
+        continue;
+      }
+      if (inRequireBlock && line && !line.startsWith("//")) {
+        const match = line.match(/^(\S+)\s+\S+(.*)$/);
+        if (match) {
+          const modulePath = match[1];
+          const rest = match[2];
+          if (rest.includes("// indirect")) {
+            indirectNames.add(modulePath);
+          } else {
+            directNames.add(modulePath);
+          }
+        }
+      }
+    }
+    return { directNames, indirectNames };
+  }
+  /**
+   * Builds a purl for a Go module.
+   *
+   * Per purl spec, the type is "golang" and the module path
+   * uses `/` separators (no encoding needed for path segments).
+   *
+   * Example: `pkg:golang/github.com/gin-gonic/gin@v1.9.1`
+   */
+  buildPurl(modulePath, version) {
+    return `pkg:golang/${modulePath}@${version}`;
+  }
+};
+
+// src/scanners/ruby/ruby-scanner.ts
+import { readFile as readFile7 } from "fs/promises";
+import { existsSync as existsSync7 } from "fs";
+import path7 from "path";
+var RubyScanner = class {
+  ecosystem = "ruby";
+  lockfileNames = ["Gemfile.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path7.join(projectPath, "Gemfile.lock");
+    return existsSync7(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const content = await readFile7(lockfilePath, "utf-8");
+    const specs = this.parseSpecs(content, lockfilePath);
+    const directNames = this.parseDependencies(content);
+    const dependencies = specs.map(({ name, version }) => ({
+      name,
+      version,
+      direct: directNames.has(name),
+      ecosystem: "ruby",
+      purl: `pkg:gem/${name}@${version}`
+    }));
+    return {
+      projectPath,
+      ecosystem: "ruby",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses the GEM > specs section to extract all resolved gems.
+   *
+   * Gems at the top level of the specs section (indented 4 spaces) are
+   * resolved packages. Their sub-dependencies (indented 6+ spaces) are
+   * constraints, not separate entries — those sub-deps appear as their
+   * own top-level spec entries elsewhere.
+   *
+   * Format: `    gem-name (1.2.3)`
+   */
+  parseSpecs(content, lockfilePath) {
+    const gems = [];
+    let inGemSection = false;
+    let inSpecs = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine;
+      if (line.length > 0 && line[0] !== " ") {
+        if (line.startsWith("GEM")) {
+          inGemSection = true;
+          inSpecs = false;
+          continue;
+        }
+        inGemSection = false;
+        inSpecs = false;
+        continue;
+      }
+      if (inGemSection && line.trimStart().startsWith("specs:")) {
+        inSpecs = true;
+        continue;
+      }
+      if (!inSpecs) continue;
+      const match = line.match(/^ {4}(\S+)\s+\(([^)]+)\)$/);
+      if (match) {
+        const [, name, version] = match;
+        gems.push({ name, version });
+      }
+    }
+    if (gems.length === 0) {
+      throw new LockfileParseError(
+        lockfilePath,
+        "No gems found in GEM specs section"
+      );
+    }
+    return gems;
+  }
+  /**
+   * Parses the DEPENDENCIES section to get direct dependency names.
+   *
+   * Format: `  gem-name (>= 1.0)` or `  gem-name`
+   * The version constraint is optional and we only need the name.
+   */
+  parseDependencies(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDependencies = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine;
+      if (line.length > 0 && line[0] !== " ") {
+        if (line.startsWith("DEPENDENCIES")) {
+          inDependencies = true;
+          continue;
+        }
+        if (inDependencies) break;
+        continue;
+      }
+      if (!inDependencies) continue;
+      const match = line.match(/^ {2}(\S+?)!?\s*(?:\(|$)/);
+      if (match) {
+        directNames.add(match[1]);
+      }
+    }
+    return directNames;
+  }
+};
+
+// src/scanners/registry.ts
+var ScannerRegistry = class {
+  scanners;
+  constructor() {
+    this.scanners = [
+      new NpmScanner(),
+      new NugetScanner(),
+      new CargoScanner(),
+      new PipScanner(),
+      new MavenScanner(),
+      new GoScanner(),
+      new RubyScanner()
+    ];
+  }
+  /**
+   * Auto-detects the project's ecosystem and scans dependencies.
+   * Tries each registered scanner in order until one matches.
+   */
+  async detectAndScan(projectPath) {
+    for (const scanner of this.scanners) {
+      const lockfilePath = await scanner.detect(projectPath);
+      if (lockfilePath) {
+        return scanner.scan(projectPath, lockfilePath);
+      }
+    }
+    throw new NoLockfileError(projectPath);
+  }
+  /** Returns a specific scanner by ecosystem name */
+  getScanner(ecosystem) {
+    return this.scanners.find((s) => s.ecosystem === ecosystem);
+  }
+  /** Lists all registered ecosystems */
+  listEcosystems() {
+    return this.scanners.map((s) => s.ecosystem);
+  }
+};
+
+// src/sbom/cyclonedx.ts
+import { randomUUID } from "crypto";
+var CycloneDxGenerator = class {
+  format = "cyclonedx-json";
+  generate(scanResult, toolVersion = "0.1.0") {
+    const bom = this.buildBom(scanResult, toolVersion);
+    const content = JSON.stringify(bom, null, 2);
+    return {
+      format: "cyclonedx-json",
+      specVersion: "1.7",
+      content,
+      componentCount: scanResult.dependencies.length,
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  buildBom(scanResult, toolVersion) {
+    const projectName = this.extractProjectName(scanResult.projectPath);
+    return {
+      $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      serialNumber: `urn:uuid:${randomUUID()}`,
+      version: 1,
+      metadata: {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        tools: {
+          components: [
+            {
+              type: "application",
+              name: "verimu",
+              version: toolVersion,
+              description: "Verimu CRA Compliance Scanner",
+              supplier: { name: "Verimu" },
+              externalReferences: [
+                {
+                  type: "website",
+                  url: "https://verimu.com"
+                }
+              ]
+            }
+          ]
+        },
+        // NTIA: metadata.supplier — the org supplying the root software
+        supplier: {
+          name: projectName
+        },
+        component: {
+          type: "application",
+          name: projectName,
+          "bom-ref": "root-component",
+          supplier: { name: projectName }
+        }
+      },
+      components: scanResult.dependencies.map((dep) => this.toComponent(dep)),
+      dependencies: this.buildDependencyGraph(scanResult)
+    };
+  }
+  /** Converts a Verimu Dependency to a CycloneDX component */
+  toComponent(dep) {
+    return {
+      type: "library",
+      name: dep.name,
+      version: dep.version,
+      purl: dep.purl,
+      "bom-ref": dep.purl,
+      scope: dep.direct ? "required" : "optional",
+      // NTIA: component.supplier — derived from npm scope or package name
+      supplier: {
+        name: this.deriveSupplierName(dep.name)
+      }
+    };
+  }
+  /**
+   * Derives a supplier name from a package name.
+   *
+   * For scoped packages like "@vue/reactivity" → "@vue"
+   * For unscoped packages like "express" → "express"
+   *
+   * This is the same heuristic used by Syft, Trivy, and other SBOM tools
+   * when registry metadata (author/publisher) isn't available from the lockfile.
+   */
+  deriveSupplierName(packageName) {
+    if (packageName.startsWith("@")) {
+      const scope = packageName.split("/")[0];
+      return scope;
+    }
+    return packageName;
+  }
+  /**
+   * Builds the dependency graph section of the SBOM.
+   *
+   * The root component depends on all dependencies (direct + transitive).
+   * This ensures a single root node in the graph, which NTIA validators expect.
+   *
+   * We include ALL deps under root (not just direct) because from a flat lockfile
+   * we can't reliably reconstruct which transitive dep belongs to which direct dep.
+   * This is still valid per the CycloneDX spec — it represents a complete but flat
+   * dependency relationship.
+   */
+  buildDependencyGraph(scanResult) {
+    const allDepPurls = scanResult.dependencies.map((d) => d.purl);
+    return [
+      {
+        ref: "root-component",
+        dependsOn: allDepPurls
+      }
+    ];
+  }
+  /** Extracts project name from path */
+  extractProjectName(projectPath) {
+    const parts = projectPath.replace(/\\/g, "/").split("/");
+    return parts[parts.length - 1] || "unknown-project";
+  }
+};
+
+// src/cve/osv.ts
+var OSV_API_BASE = "https://api.osv.dev/v1";
+var BATCH_SIZE = 1e3;
+var OsvSource = class {
+  sourceId = "osv";
+  name = "OSV.dev (Google Open Source Vulnerabilities)";
+  fetchFn;
+  constructor(fetchImpl) {
+    this.fetchFn = fetchImpl ?? globalThis.fetch;
+  }
+  async checkDependencies(dependencies) {
+    if (dependencies.length === 0) return [];
+    const allVulns = [];
+    for (let i = 0; i < dependencies.length; i += BATCH_SIZE) {
+      const batch = dependencies.slice(i, i + BATCH_SIZE);
+      const batchVulns = await this.queryBatch(batch);
+      allVulns.push(...batchVulns);
+    }
+    return allVulns;
+  }
+  /** Uses OSV's /querybatch endpoint for efficient bulk lookups */
+  async queryBatch(dependencies) {
+    const queries = dependencies.map((dep) => ({
+      version: dep.version,
+      package: {
+        name: dep.name,
+        ecosystem: this.mapEcosystem(dep.ecosystem)
+      }
+    }));
+    const response = await this.fetchFn(`${OSV_API_BASE}/querybatch`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ queries })
+    });
+    if (!response.ok) {
+      throw new Error(`OSV API error: ${response.status} ${response.statusText}`);
+    }
+    const data = await response.json();
+    const vulnerabilities = [];
+    for (let i = 0; i < data.results.length; i++) {
+      const result = data.results[i];
+      const dep = dependencies[i];
+      if (result.vulns && result.vulns.length > 0) {
+        for (const vuln of result.vulns) {
+          vulnerabilities.push(this.mapVulnerability(vuln, dep));
+        }
+      }
+    }
+    return vulnerabilities;
+  }
+  /** Maps an OSV vulnerability record to our Vulnerability type */
+  mapVulnerability(osvVuln, dep) {
+    const cveId = this.extractCveId(osvVuln);
+    const severity = this.extractSeverity(osvVuln);
+    return {
+      id: cveId || osvVuln.id,
+      aliases: Array.from(/* @__PURE__ */ new Set([osvVuln.id, ...osvVuln.aliases ?? []])),
+      summary: osvVuln.summary ?? osvVuln.details?.slice(0, 200) ?? "No description available",
+      severity: severity.level,
+      cvssScore: severity.score,
+      packageName: dep.name,
+      ecosystem: dep.ecosystem,
+      affectedVersionRange: this.extractAffectedRange(osvVuln, dep.name),
+      fixedVersion: this.extractFixedVersion(osvVuln, dep.name),
+      exploitedInWild: false,
+      // OSV doesn't track this — CISA KEV does
+      source: "osv",
+      referenceUrl: `https://osv.dev/vulnerability/${osvVuln.id}`,
+      publishedAt: osvVuln.published
+    };
+  }
+  /** Extracts CVE ID from aliases (prefers CVE-xxxx over GHSA-xxxx) */
+  extractCveId(vuln) {
+    if (vuln.id.startsWith("CVE-")) return vuln.id;
+    if (vuln.aliases) {
+      const cve = vuln.aliases.find((a) => a.startsWith("CVE-"));
+      if (cve) return cve;
+    }
+    return null;
+  }
+  /** Extracts severity from CVSS scores in the OSV record */
+  extractSeverity(vuln) {
+    if (vuln.severity && vuln.severity.length > 0) {
+      for (const sev of vuln.severity) {
+        if (sev.type === "CVSS_V3") {
+          const score = this.parseCvssScore(sev.score);
+          if (score !== null) {
+            return { level: this.scoreToSeverity(score), score };
+          }
+        }
+      }
+    }
+    if (vuln.database_specific?.severity) {
+      const s = vuln.database_specific.severity.toUpperCase();
+      if (["CRITICAL", "HIGH", "MEDIUM", "LOW"].includes(s)) {
+        return { level: s };
+      }
+    }
+    return { level: "UNKNOWN" };
+  }
+  /** Parses CVSS v3 vector string to extract the base score */
+  parseCvssScore(vectorOrScore) {
+    const num = parseFloat(vectorOrScore);
+    if (!isNaN(num) && num >= 0 && num <= 10) return num;
+    return null;
+  }
+  /** Converts a CVSS score (0-10) to a severity level */
+  scoreToSeverity(score) {
+    if (score >= 9) return "CRITICAL";
+    if (score >= 7) return "HIGH";
+    if (score >= 4) return "MEDIUM";
+    if (score > 0) return "LOW";
+    return "UNKNOWN";
+  }
+  /** Extracts affected version range for a specific package */
+  extractAffectedRange(vuln, packageName) {
+    if (!vuln.affected) return void 0;
+    for (const affected of vuln.affected) {
+      if (affected.package?.name === packageName && affected.ranges) {
+        for (const range of affected.ranges) {
+          if (range.events) {
+            const introduced = range.events.find((e) => e.introduced)?.introduced;
+            const fixed = range.events.find((e) => e.fixed)?.fixed;
+            if (introduced && fixed) return `>=${introduced}, <${fixed}`;
+            if (introduced) return `>=${introduced}`;
+          }
+        }
+      }
+    }
+    return void 0;
+  }
+  /** Extracts the fixed version for a specific package */
+  extractFixedVersion(vuln, packageName) {
+    if (!vuln.affected) return void 0;
+    for (const affected of vuln.affected) {
+      if (affected.package?.name === packageName && affected.ranges) {
+        for (const range of affected.ranges) {
+          if (range.events) {
+            const fixed = range.events.find((e) => e.fixed)?.fixed;
+            if (fixed) return fixed;
+          }
+        }
+      }
+    }
+    return void 0;
+  }
+  /** Maps our ecosystem names to OSV ecosystem names */
+  mapEcosystem(ecosystem) {
+    const map = {
+      npm: "npm",
+      nuget: "NuGet",
+      cargo: "crates.io",
+      maven: "Maven",
+      pip: "PyPI",
+      go: "Go",
+      ruby: "RubyGems"
+    };
+    return map[ecosystem] ?? ecosystem;
+  }
+};
+
+// src/cve/aggregator.ts
+var CveAggregator = class {
+  sources;
+  constructor(sources) {
+    this.sources = sources ?? [
+      new OsvSource()
+      // Future: new NvdSource(), new EuvdSource(), new CisaKevSource()
+    ];
+  }
+  /**
+   * Checks dependencies against all registered CVE sources.
+   * Runs sources in parallel and merges/deduplicates results.
+   */
+  async check(dependencies) {
+    const startTime = Date.now();
+    const sourcesQueried = [];
+    const sourceErrors = [];
+    const allVulns = [];
+    const results = await Promise.allSettled(
+      this.sources.map(async (source) => {
+        const vulns = await source.checkDependencies(dependencies);
+        return { sourceId: source.sourceId, vulns };
+      })
+    );
+    for (const result of results) {
+      if (result.status === "fulfilled") {
+        sourcesQueried.push(result.value.sourceId);
+        allVulns.push(...result.value.vulns);
+      } else {
+        const sourceIndex = results.indexOf(result);
+        const sourceId = this.sources[sourceIndex].sourceId;
+        sourceErrors.push({
+          source: sourceId,
+          error: result.reason instanceof Error ? result.reason.message : String(result.reason)
+        });
+      }
+    }
+    const deduplicated = this.deduplicateVulnerabilities(allVulns);
+    return {
+      vulnerabilities: deduplicated,
+      sourcesQueried,
+      sourceErrors,
+      checkDurationMs: Date.now() - startTime
+    };
+  }
+  /**
+   * Deduplicates vulnerabilities by ID.
+   * When the same CVE appears from multiple sources,
+   * keeps the one with more complete data (has CVSS score, has fix version, etc.)
+   */
+  deduplicateVulnerabilities(vulns) {
+    const byKey = /* @__PURE__ */ new Map();
+    for (const vuln of vulns) {
+      const key = `${vuln.id}::${vuln.packageName}`;
+      const existing = byKey.get(key);
+      if (!existing) {
+        byKey.set(key, vuln);
+      } else {
+        byKey.set(key, this.pickBetterEntry(existing, vuln));
+      }
+    }
+    return Array.from(byKey.values());
+  }
+  /** Picks the vulnerability entry with more complete data */
+  pickBetterEntry(a, b) {
+    let scoreA = 0;
+    let scoreB = 0;
+    if (a.cvssScore !== void 0) scoreA++;
+    if (b.cvssScore !== void 0) scoreB++;
+    if (a.fixedVersion) scoreA++;
+    if (b.fixedVersion) scoreB++;
+    if (a.affectedVersionRange) scoreA++;
+    if (b.affectedVersionRange) scoreB++;
+    if (a.severity !== "UNKNOWN") scoreA++;
+    if (b.severity !== "UNKNOWN") scoreB++;
+    const strip = (obj) => Object.fromEntries(Object.entries(obj).filter(([, v]) => v !== void 0 && v !== null));
+    const winner = scoreB > scoreA ? { ...strip(a), ...strip(b) } : { ...strip(b), ...strip(a) };
+    const allAliases = /* @__PURE__ */ new Set([...a.aliases, ...b.aliases]);
+    winner.aliases = Array.from(allAliases);
+    winner.exploitedInWild = a.exploitedInWild || b.exploitedInWild;
+    return winner;
+  }
+};
+
+// src/reporters/console.ts
+var ConsoleReporter = class {
+  name = "console";
+  report(result) {
+    const lines = [];
+    lines.push("");
+    lines.push("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
+    lines.push("\u2502          VERIMU CRA COMPLIANCE SCAN         \u2502");
+    lines.push("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
+    lines.push("");
+    lines.push(`  Project:      ${result.project.path}`);
+    lines.push(`  Ecosystem:    ${result.project.ecosystem}`);
+    lines.push(`  Dependencies: ${result.project.dependencyCount}`);
+    lines.push(`  Scanned at:   ${result.generatedAt}`);
+    lines.push("");
+    lines.push(`  \u2713 SBOM generated (${result.sbom.format}, ${result.sbom.specVersion})`);
+    lines.push(`    Components: ${result.sbom.componentCount}`);
+    lines.push("");
+    const vulns = result.cveCheck.vulnerabilities;
+    if (vulns.length === 0) {
+      lines.push("  \u2713 No known vulnerabilities found");
+    } else {
+      lines.push(`  \u26A0 ${vulns.length} vulnerabilit${vulns.length === 1 ? "y" : "ies"} found:`);
+      lines.push("");
+      const sorted = [...vulns].sort((a, b) => severityOrder(a.severity) - severityOrder(b.severity));
+      for (const vuln of sorted) {
+        const badge = severityBadge(vuln.severity);
+        const fix = vuln.fixedVersion ? ` \u2192 fix: ${vuln.fixedVersion}` : "";
+        lines.push(`    ${badge}  ${vuln.id}`);
+        lines.push(`           ${vuln.packageName}@${vuln.affectedVersionRange ?? "?"}${fix}`);
+        lines.push(`           ${vuln.summary.slice(0, 100)}`);
+        if (vuln.exploitedInWild) {
+          lines.push(`           \u{1F534} ACTIVELY EXPLOITED \u2014 24h CRA reporting required`);
+        }
+        lines.push("");
+      }
+    }
+    const sources = result.cveCheck.sourcesQueried.join(", ");
+    lines.push(`  Sources queried: ${sources} (${result.cveCheck.checkDurationMs}ms)`);
+    if (result.cveCheck.sourceErrors.length > 0) {
+      for (const err of result.cveCheck.sourceErrors) {
+        lines.push(`  \u26A0 ${err.source}: ${err.error}`);
+      }
+    }
+    lines.push("");
+    lines.push("  \u2500\u2500\u2500 Summary \u2500\u2500\u2500");
+    lines.push(`  Total: ${result.summary.totalVulnerabilities}  |  Critical: ${result.summary.critical}  |  High: ${result.summary.high}  |  Medium: ${result.summary.medium}  |  Low: ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      lines.push(`  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 immediate action required`);
+    }
+    lines.push("");
+    return lines.join("\n");
+  }
+};
+function severityOrder(s) {
+  const order = {
+    CRITICAL: 0,
+    HIGH: 1,
+    MEDIUM: 2,
+    LOW: 3,
+    UNKNOWN: 4
+  };
+  return order[s] ?? 5;
+}
+function severityBadge(s) {
+  const badges = {
+    CRITICAL: "[CRIT]",
+    HIGH: "[HIGH]",
+    MEDIUM: "[MED] ",
+    LOW: "[LOW] ",
+    UNKNOWN: "[???] "
+  };
+  return badges[s] ?? "[???] ";
+}
+
+// src/api/client.ts
+var DEFAULT_API_BASE = "https://api.verimu.com";
+var VerimuApiClient = class {
+  baseUrl;
+  apiKey;
+  constructor(apiKey, baseUrl) {
+    this.apiKey = apiKey;
+    this.baseUrl = (baseUrl ?? DEFAULT_API_BASE).replace(/\/+$/, "");
+  }
+  /**
+   * Upsert a project — finds by name or creates it.
+   * Used so `npx verimu` auto-registers projects without manual dashboard setup.
+   */
+  async upsertProject(opts) {
+    const res = await fetch(`${this.baseUrl}/api/projects/upsert`, {
+      method: "POST",
+      headers: this.headers(),
+      body: JSON.stringify({
+        name: opts.name,
+        ecosystem: this.mapEcosystem(opts.ecosystem),
+        repository_url: opts.repositoryUrl ?? null,
+        platform: opts.platform ?? null
+      })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Verimu API: upsert project failed (${res.status}): ${body}`);
+    }
+    return res.json();
+  }
+  /**
+   * Upload a CycloneDX SBOM to a project and trigger CVE scanning.
+   */
+  async uploadSbom(projectId, sbomContent) {
+    const sbomJson = JSON.parse(sbomContent);
+    const res = await fetch(`${this.baseUrl}/api/projects/${projectId}/scan`, {
+      method: "POST",
+      headers: this.headers(),
+      body: JSON.stringify(sbomJson)
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body}`);
+    }
+    return res.json();
+  }
+  headers() {
+    return {
+      "Content-Type": "application/json",
+      "X-API-Key": this.apiKey
+    };
+  }
+  /**
+   * Maps internal ecosystem names to what the backend expects.
+   * Currently 1:1, but keeps the mapping explicit.
+   */
+  mapEcosystem(eco) {
+    const map = {
+      npm: "npm",
+      pip: "pip",
+      maven: "maven",
+      nuget: "nuget",
+      go: "gomod",
+      cargo: "cargo",
+      ruby: "bundler"
+    };
+    return map[eco] ?? eco;
+  }
+};
+
+// src/scan.ts
+async function scan(config) {
+  const {
+    projectPath,
+    sbomOutput = "./sbom.cdx.json",
+    skipCveCheck = false
+  } = config;
+  const registry = new ScannerRegistry();
+  const scanResult = await registry.detectAndScan(projectPath);
+  const sbomGenerator = new CycloneDxGenerator();
+  const sbom = sbomGenerator.generate(scanResult);
+  await writeFile(sbomOutput, sbom.content, "utf-8");
+  let cveCheck;
+  if (skipCveCheck) {
+    cveCheck = {
+      vulnerabilities: [],
+      sourcesQueried: [],
+      sourceErrors: [],
+      checkDurationMs: 0
+    };
+  } else {
+    const aggregator = new CveAggregator();
+    cveCheck = await aggregator.check(scanResult.dependencies);
+  }
+  const summary = {
+    totalDependencies: scanResult.dependencies.length,
+    totalVulnerabilities: cveCheck.vulnerabilities.length,
+    critical: cveCheck.vulnerabilities.filter((v) => v.severity === "CRITICAL").length,
+    high: cveCheck.vulnerabilities.filter((v) => v.severity === "HIGH").length,
+    medium: cveCheck.vulnerabilities.filter((v) => v.severity === "MEDIUM").length,
+    low: cveCheck.vulnerabilities.filter((v) => v.severity === "LOW").length,
+    exploitedInWild: cveCheck.vulnerabilities.filter((v) => v.exploitedInWild).length
+  };
+  const report = {
+    project: {
+      path: projectPath,
+      ecosystem: scanResult.ecosystem,
+      dependencyCount: scanResult.dependencies.length
+    },
+    sbom,
+    cveCheck,
+    summary,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  if (config.apiKey) {
+    try {
+      const uploadResult = await uploadToVerimu(report, config);
+      report.upload = uploadResult;
+    } catch {
+    }
+  }
+  return report;
+}
+async function uploadToVerimu(report, config) {
+  if (!config.apiKey) {
+    throw new Error("API key required for upload");
+  }
+  const client = new VerimuApiClient(config.apiKey, config.apiBaseUrl);
+  const projectName = basename(config.projectPath);
+  const upsertRes = await client.upsertProject({
+    name: projectName,
+    ecosystem: report.project.ecosystem
+  });
+  const projectId = upsertRes.project.id;
+  const scanRes = await client.uploadSbom(projectId, report.sbom.content);
+  return {
+    projectId,
+    projectCreated: upsertRes.created,
+    totalDependencies: scanRes.summary.total_dependencies,
+    vulnerableDependencies: scanRes.summary.vulnerable_dependencies,
+    dashboardUrl: `https://app.verimu.com/dashboard/projects/${projectId}`
+  };
+}
+function shouldFailCi(report, threshold) {
+  const severityOrder2 = {
+    CRITICAL: 0,
+    HIGH: 1,
+    MEDIUM: 2,
+    LOW: 3,
+    UNKNOWN: 4
+  };
+  const thresholdLevel = severityOrder2[threshold] ?? 4;
+  return report.cveCheck.vulnerabilities.some(
+    (v) => severityOrder2[v.severity] <= thresholdLevel
+  );
+}
+
+// src/cli.ts
+var VERSION = "0.0.3";
+var BRAND = `
+  \u2566  \u2566\u250C\u2500\u2510\u252C\u2500\u2510\u252C\u250C\u252C\u2510\u252C \u252C
+  \u255A\u2557\u2554\u255D\u251C\u2524 \u251C\u252C\u2518\u2502\u2502\u2502\u2502\u2502 \u2502
+   \u255A\u255D \u2514\u2500\u2518\u2534\u2514\u2500\u2534\u2534 \u2534\u2514\u2500\u2518
+  CRA Compliance Scanner v${VERSION}
+`;
+function log(msg) {
+  console.log(`  ${msg}`);
+}
+function logSuccess(msg) {
+  console.log(`  \u2713 ${msg}`);
+}
+function logWarn(msg) {
+  console.log(`  \u26A0 ${msg}`);
+}
+function logError(msg) {
+  console.error(`  \u2717 ${msg}`);
+}
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  const result = {
+    command: "scan",
+    projectPath: ".",
+    sbomOutput: "./sbom.cdx.json",
+    failOnSeverity: null,
+    skipCveCheck: false,
+    skipUpload: false
+  };
+  let i = 0;
+  while (i < args.length) {
+    const arg = args[i];
+    if (arg === "scan") {
+      result.command = "scan";
+    } else if (arg === "generate-sbom" || arg === "sbom") {
+      result.command = "generate-sbom";
+      result.skipCveCheck = true;
+    } else if (arg === "help" || arg === "--help" || arg === "-h") {
+      result.command = "help";
+    } else if (arg === "version" || arg === "--version" || arg === "-v") {
+      result.command = "version";
+    } else if (arg === "--path" || arg === "-p") {
+      result.projectPath = args[++i] ?? ".";
+    } else if (arg === "--output" || arg === "-o") {
+      result.sbomOutput = args[++i] ?? "./sbom.cdx.json";
+    } else if (arg === "--fail-on") {
+      const val = (args[++i] ?? "").toUpperCase();
+      if (["CRITICAL", "HIGH", "MEDIUM", "LOW"].includes(val)) {
+        result.failOnSeverity = val;
+      }
+    } else if (arg === "--skip-cve") {
+      result.skipCveCheck = true;
+    } else if (arg === "--skip-upload" || arg === "--offline") {
+      result.skipUpload = true;
+    }
+    i++;
+  }
+  return result;
+}
+async function main() {
+  const args = parseArgs(process.argv);
+  if (args.command === "version") {
+    console.log(`verimu ${VERSION}`);
+    return;
+  }
+  if (args.command === "help") {
+    printHelp();
+    return;
+  }
+  console.log(BRAND);
+  const apiKey = process.env.VERIMU_API_KEY;
+  const apiBaseUrl = process.env.VERIMU_API_URL;
+  log(`Scanning ${resolve(args.projectPath)}...`);
+  if (apiKey && !args.skipUpload) {
+    log("API key detected \u2014 results will sync to Verimu platform");
+  } else if (!apiKey) {
+    log("No VERIMU_API_KEY set \u2014 running in offline mode");
+    log("Get your API key at https://app.verimu.com/dashboard/api-keys");
+  }
+  console.log("");
+  const config = {
+    projectPath: resolve(args.projectPath),
+    sbomOutput: args.sbomOutput,
+    skipCveCheck: args.skipCveCheck,
+    // Don't pass apiKey to scan() if --skip-upload — we'll handle upload separately for better logging
+    apiKey: apiKey && !args.skipUpload ? void 0 : void 0,
+    apiBaseUrl
+  };
+  let report;
+  try {
+    report = await scan(config);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logError(msg);
+    process.exit(2);
+  }
+  const reporter = new ConsoleReporter();
+  console.log(reporter.report(report));
+  if (apiKey && !args.skipUpload) {
+    console.log("");
+    log("Syncing to Verimu platform...");
+    try {
+      const uploadConfig = {
+        ...config,
+        apiKey,
+        apiBaseUrl
+      };
+      const result = await uploadToVerimu(report, uploadConfig);
+      if (result.projectCreated) {
+        logSuccess(`Project created: ${report.project.path}`);
+      }
+      logSuccess(`${result.totalDependencies} dependencies tracked`);
+      if (result.vulnerableDependencies > 0) {
+        logWarn(`${result.vulnerableDependencies} vulnerable dependencies flagged`);
+      }
+      logSuccess(`Dashboard: ${result.dashboardUrl}`);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      logWarn(`Platform sync failed: ${msg}`);
+      log("Your SBOM was still generated locally. You can upload it manually.");
+    }
+  }
+  console.log("");
+  log("Thanks for using Verimu \u2014 keeping your software CRA-compliant \u{1F6E1}\uFE0F");
+  console.log("");
+  if (args.failOnSeverity && shouldFailCi(report, args.failOnSeverity)) {
+    logError(`Vulnerabilities found at or above ${args.failOnSeverity} severity`);
+    process.exit(1);
+  }
+}
+function printHelp() {
+  console.log(`
+  Verimu \u2014 CRA Compliance Scanner
+
+  Usage:
+    verimu                          Scan current directory
+    verimu scan [options]           Full scan (SBOM + CVE check)
+    verimu generate-sbom [options]  Generate SBOM only (no CVE check)
+    verimu help                     Show this help
+    verimu version                  Show version
+
+  Options:
+    --path, -p <dir>       Project directory to scan (default: .)
+    --output, -o <file>    SBOM output path (default: ./sbom.cdx.json)
+    --fail-on <severity>   Exit 1 if vulns at or above: CRITICAL, HIGH, MEDIUM, LOW
+    --skip-cve             Skip CVE vulnerability checking
+    --skip-upload          Don't sync to Verimu platform (even if API key is set)
+
+  Environment:
+    VERIMU_API_KEY         API key for Verimu platform (from app.verimu.com)
+    VERIMU_API_URL         Custom API URL (default: https://api.verimu.com)
+
+  Examples:
+    npx verimu                                    # Quick scan
+    VERIMU_API_KEY=vmu_xxx npx verimu             # Scan + sync to platform
+    npx verimu scan --fail-on HIGH                # Fail CI on HIGH+ vulns
+    npx verimu scan --path ./backend --output ./reports/sbom.json
+
+  Supported ecosystems:
+    npm (package-lock.json)         pip (requirements.txt)
+    Maven (pom.xml)                 NuGet (packages.lock.json)
+    Cargo (Cargo.lock)              Go (go.sum)
+    Ruby (Gemfile.lock)
+
+  Learn more: https://verimu.com
+  Dashboard: https://app.verimu.com
+`);
+}
+main().catch((err) => {
+  console.error("Fatal:", err);
+  process.exit(2);
+});
+//# sourceMappingURL=cli.mjs.map