Tags: SocketDev/socket-cli
fix(config): persist `config set` under an env token; fail on ephemeral overrides (1.1.121) (#1366)

A Socket API token supplied via env (SOCKET_CLI_API_TOKEN / SOCKET_SECURITY_API_TOKEN and legacy aliases) used to put the entire config into read-only mode, so `socket config set <key> <value>` silently failed to save while still printing `OK`, and a later `socket config get` then showed nothing.

A token from the environment now overrides authentication only: unrelated keys such as defaultOrg are written to disk as expected, while the env token itself is still never persisted (getDefaultApiToken resolves it straight from the environment, so it is no longer mirrored into the cached config).

When the config is genuinely ephemeral, because it was fully overridden via --config, SOCKET_CLI_CONFIG, or SOCKET_CLI_NO_API_TOKEN, `socket config set` now fails with a clear error instead of pretending it succeeded; the in-memory-only change is a no-op for a one-shot command.

`config get apiToken` still reports the env-supplied token, which takes precedence over persisted / --config values.

Adds unit and command-level regression tests and bumps the CLI to 1.1.121.
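The precedence rules described in that commit, modelled as an added example; this is not socket-cli's code, and loadConfig, getDefaultApiToken, configSet and the in-memory `disk` object are hypothetical stand-ins for the CLI's config store.

```javascript
// Hypothetical model of the fixed behaviour (not socket-cli's own code).
const ENV_TOKEN_KEYS = ['SOCKET_CLI_API_TOKEN', 'SOCKET_SECURITY_API_TOKEN'];

// Build the in-memory config view. `configOverride` stands for a parsed
// --config / SOCKET_CLI_CONFIG value. Only a full override (or
// SOCKET_CLI_NO_API_TOKEN) makes the config ephemeral; an env token on its
// own must NOT put the config into read-only mode (that was the bug).
function loadConfig(env, persisted, configOverride = null) {
  const ephemeral =
    configOverride !== null || Boolean(env.SOCKET_CLI_NO_API_TOKEN);
  const values = ephemeral ? { ...(configOverride ?? {}) } : { ...persisted };
  return { values, ephemeral };
}

// The env token overrides authentication only: it is read straight from the
// environment every time and never copied into the config object, so it is
// never written back to disk.
function getDefaultApiToken(env, config) {
  if (env.SOCKET_CLI_NO_API_TOKEN) return undefined;
  for (const key of ENV_TOKEN_KEYS) {
    if (env[key]) return env[key];
  }
  return config.values.apiToken;
}

// `config set`: persist the key unless the config is ephemeral, in which case
// fail with an error rather than printing OK for a write that would be lost.
function configSet(config, disk, key, value) {
  if (config.ephemeral) {
    return {
      ok: false,
      message: `Config was overridden for this run; cannot persist ${key}`,
    };
  }
  config.values[key] = value;
  disk[key] = value; // simulated write to the cached config file
  return { ok: true };
}
```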
feat(scan): forward socket.json build-tool config into reachability (1.1.120, Coana 15.4.1) (#1362)

* feat(scan): forward socket.json build-tool config into reachability

socket scan create --reach now maps socket.json's per-ecosystem manifest build-tool options (bin, include/exclude-configs, gradle/sbt opts) into a Coana-defined AutoManifestConfig and passes it to `coana run` via --auto-manifest-config (a temp JSON file path Coana reads), so reach-time dependency resolution invokes the build tool the way the project is configured rather than with defaults.

Under --auto-manifest the config also carries top-level failOnBuildToolError=true (fail-closed: Coana treats a build-tool step failure as fatal instead of tolerating it); plain --reach leaves it unset and stays permissive.

This is the socket-cli side of the manifest-flag-propagation gap. The Coana `--auto-manifest-config` option is not yet released, so this must not ship until Coana publishes it and the pinned @coana-tech/cli is bumped; until then it is exercised via SOCKET_CLI_COANA_LOCAL_PATH.

- add src/utils/auto-manifest-config.mts: BuildToolOptions/AutoManifestConfig types + buildAutoManifestConfig (socket.json -> config) + tests
- ReachabilityOptions.autoManifestConfig; write the config to a temp file and pass its path to coana run, cleaning it up after
- build the config at the cmd-scan-create assembly point

* chore(release): 1.1.120 — Coana 15.4.1 and socket.json build-tool config forwarding

Bump @coana-tech/cli to 15.4.1 (which ships the --auto-manifest-config option the feat commit depends on), bump the package version to 1.1.120, and add the changelog entry.

* fix(scan): gate --auto-manifest-config on Coana version support

Only forward the socket.json build-tool config to `coana run` when the resolved Coana version supports `--auto-manifest-config` (>= 15.4.1). Passing the flag to an older Coana, pinned via --reach-version, would abort the run on an unknown flag; we now skip it and warn instead.

A local Coana build (SOCKET_CLI_COANA_LOCAL_PATH) has no resolvable version and is treated as supported.

Also drop internal tracker references from source comments.

* fix(scan): drop Coana version gate, clean up config temp file in finally

Coana is pinned to a specific version in the CLI, so gating --auto-manifest-config on a minimum version added no real safety; remove coanaSupportsAutoManifestConfig and forward the config unconditionally when non-empty.

Move the temp config file cleanup into a finally block so it runs even if the Coana run throws.

* fix changelog entry

* bump coana to 15.4.5
fix(license): drop unused OFL-1.1 font from the published package (#1357)

The vendored copy of `blessed` pulls in the Terminus bitmap font (external/blessed/usr/fonts/ter-u14*.json), which is licensed OFL-1.1 and is only read by blessed's BigText widget — a widget the CLI never instantiates. Shipping it forced the package's declared license to be `MIT AND OFL-1.1`.

Scope the blessed vendoring keep-list to `usr/*` so the terminfo files are retained while usr/fonts/** is dropped, and declare the license as plain `MIT`.

Bump to 1.1.117.
fix(manifest): stream Coana output and surface the real failure reason (#1353)

* fix(manifest): stream Coana output and surface the real failure reason

`socket manifest {gradle,kotlin,scala}` delegate Socket facts generation to the Coana CLI via spawnCoanaDlx, passing `{ stdio: 'inherit' }` so the build-tool and Coana output streams to the user. On the dlx path that stdio was silently dropped: shadowNpmBase configures the child's stdio from its `options` arg, not the registry-spawn `extra` arg, so Coana ran piped and its output — including the actual failure reason — never reached the user. A generation failure then collapsed to an unhelpful "Coana command failed (exit code 1): command failed" with no detail.

- spawnCoanaDlx now promotes the requested stdio (from spawnExtra, falling back to options) into the dlx launcher options, aligning the dlx path with the local-path and npm-install branches that already honor spawnExtra.stdio.
- buildDlxErrorResult falls back to captured stdout when stderr is empty, since Coana logs some failures (e.g. unresolved dependencies) to stdout.

Add regression tests and bump the CLI to 1.1.115.

* fix(dlx): report launcher-vs-Coana failures honestly; stop muzzling the launcher

On the dlx path the spawned process is the package-manager launcher (npx / pnpm dlx / yarn dlx), which downloads @coana-tech/cli and only then runs it. A failure there may be the launcher dying before Coana ever started (e.g. the package failed to download), yet buildDlxErrorResult always claimed "Coana command failed", and `silent: true` (npm loglevel silent) hid npm's own download/registry errors — so the user got a bare exit code with no cause and no hint that Coana itself may never have run.

- buildDlxErrorResult now distinguishes three cases: Coana booted (banner seen) -> "Coana command failed"; launcher died before Coana started (spawn error / signal / exit >= 128) -> "Failed to launch Coana via the package manager ..."; ambiguous small-int exit -> neutral "Coana failed to run via the package manager" (no false blame on Coana).
- Drop the forced `--silent` on the Coana launcher; shadowNpmBase still defaults to `--loglevel error`, so real launcher/download errors surface while success stays quiet.
- Factor the launcher-vs-Coana heuristic into dlxLauncherFailedBeforeCoana and coanaBannerSeen, shared by shouldFallbackOnDlxError and the message builder.

Known gap: the npm-install + node fallback (#1327) still fires only for spawn errors / signals / exit >= 128, not for a small-int exit. A broken npx that exits 1 (common for download failures) is therefore not yet auto-recovered.

Add regression tests for the new wording and the un-muzzled launcher.

* fix(dlx): don't mislabel ambiguous Coana failures as launcher failures

Bugbot flagged that with stdio:'inherit' the spawn rejection carries no captured output, so coanaBannerSeen is always false and a Coana process that started then died by signal / exit >= 128 (e.g. OOM, exit 137) was wrongly reported as "the launcher exited before Coana started". Empirically, `coana manifest gradle` writes all output to stdout and never prints the "Coana CLI version" banner, so banner-based detection never worked for the manifest / reachability (inherit) paths anyway. Only a spawn-level error (a string `code` like ENOENT) definitively proves the launcher never started.

- buildDlxErrorResult now claims a launch failure ONLY for a spawn-level error; signals and non-zero exits get neutral wording ("Coana failed to run via the package manager (exit code N)") since we cannot tell launcher-vs-Coana apart without captured output.
- Soften the fallback warning to drop the "before Coana started" claim (it fires on the ambiguous >= 128 / signal cases too).

The npm-install + node fallback gating is unchanged (pre-existing #1327 behavior): it still retries on spawn errors / signals / exit >= 128. Fully suppressing a retry when Coana actually ran would require capturing the launcher output, which conflicts with live streaming (and the reachability spinner); left as a possible follow-up.

Update tests for the definitive (ENOENT) vs ambiguous (signal / >= 128) split.
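The final classification rule from that commit (only a spawn-level error proves the launcher never started; everything else gets neutral wording, and the fallback still fires on spawn errors, signals and exit >= 128), written out as an added example. It is not socket-cli's buildDlxErrorResult; classifyDlxFailure, shouldFallbackOnDlxError and the `result` shape are hypothetical, and the sample outcomes in the test are constructed.

```javascript
// Hypothetical reimplementation of the dlx failure classification (not
// socket-cli's own code). `result` mirrors a spawn outcome:
// { code, signal, spawnError, stdout, stderr }.
function classifyDlxFailure(result) {
  // Prefer stderr, but fall back to stdout: Coana logs some failures
  // (e.g. unresolved dependencies) to stdout.
  const detail =
    (result.stderr && result.stderr.trim()) ||
    (result.stdout && result.stdout.trim()) ||
    '';

  // Only a spawn-level error with a string code (ENOENT, EACCES, ...) proves
  // the package-manager launcher never started.
  if (result.spawnError && typeof result.spawnError.code === 'string') {
    return {
      kind: 'launcher',
      message: `Failed to launch Coana via the package manager (${result.spawnError.code})`,
      detail,
    };
  }

  // Signals and non-zero exits are ambiguous without captured output: with
  // stdio 'inherit' we cannot tell a launcher death from a Coana death, so
  // use neutral wording that blames neither.
  const cause = result.signal
    ? `signal ${result.signal}`
    : `exit code ${result.code}`;
  return {
    kind: 'ambiguous',
    message: `Coana failed to run via the package manager (${cause})`,
    detail,
  };
}

// Fallback gating is unchanged from the earlier behaviour: retry via
// npm-install + node only on spawn errors, signals, or exit >= 128. A
// small-int exit such as 1 is not retried (the known gap noted above).
function shouldFallbackOnDlxError(result) {
  if (result.spawnError) return true;
  if (result.signal) return true;
  return typeof result.code === 'number' && result.code >= 128;
}
```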
feat(manifest): default to Socket facts, delegate generation to Coana CLI (#1352)

* feat(manifest): default to Socket facts, delegate generation to Coana CLI

Make `socket manifest {gradle,kotlin,scala,auto}` emit `.socket.facts.json` by default; add `--pom` for the legacy pom.xml generation. `--facts` is still accepted (it is now the default) and socket.json `facts: false` still selects pom generation.

Facts generation now delegates to the Coana CLI's `manifest gradle|sbt` command (the Gradle init script and sbt plugin live in Coana now), forwarding --bin/--configs/--ignore-unresolved/--gradle-opts/--sbt-opts via spawnCoanaDlx (which honors SOCKET_CLI_COANA_LOCAL_PATH for local builds).

Remove the now-dead bundled socket-facts.init.gradle, the sbt plugin, their rollup copy steps, and the ported gradle-facts test fixtures. The pom-path init.gradle is unchanged.

REA-507

* refactor(manifest): split --configs into --include-configs/--exclude-configs

Match the Coana CLI's split of `--configs` into `--include-configs` and `--exclude-configs` for `socket manifest {gradle,kotlin,scala,auto}`; both forward to Coana as `--include-configs` / `--exclude-configs`. `--include-configs` keeps the old include-only semantics; `--exclude-configs` skips matching configurations (applied after the include filter). The old `--configs` flag and its socket.json `configs` key are removed (beta; clean break, no deprecated alias).

REA-507

* docs(manifest): align sbt --include-configs wording with gradle

Match the gradle flag description and help prose: drop the sbt-only "bare names act as exact-name filters" / "for variants" asides so both ecosystems document the include/exclude config flags identically as globs.

* feat(manifest): configure facts options in the setup wizard

`socket manifest setup` now reflects Socket facts as the default for the gradle and sbt generators and lets you configure the facts-only options it previously couldn't: --include-configs, --exclude-configs, and --ignore-unresolved. These are prompted only when facts generation is selected (not --pom), and the sbt pom output questions (stdout/outfile) now only appear when pom is chosen. Refreshes the stale "generate pom.xml (default)" wording left over from the facts-by-default switch.

* chore: cut 1.1.113 and bump @coana-tech/cli to 15.3.19

Finalizes the manifest facts-by-default / Coana-delegation work: bumps the socket-cli version to 1.1.113 and pins @coana-tech/cli to the published 15.3.19 (which ships the `manifest gradle|sbt` commands this PR delegates to), plus the 1.1.113 CHANGELOG entry.

REA-507

* refactor(manifest): pin facts output path and verify it before claiming success

Address PR review feedback on the facts-by-default flow:

- Align the `--ignore-unresolved` help text with the adjacent config flags ("When generating facts: ...") across gradle, kotlin, and scala.
- Pin the `.socket.facts.json` output location explicitly via Coana's `--output-dir`/`--output-file` instead of relying on its project-root default. The pinned path is the single source of truth for both what we ask Coana to write and what we verify, so the two can't drift.
- Verify the facts file exists after a successful Coana run before printing the success/next-step message; warn instead when no facts were written (e.g. no resolvable dependencies), rather than trusting the exit code.
- Reject `--out`/`--stdout` in scala facts mode with a usage error (they only apply to `--pom`); facts always land in the project root so `socket scan create` finds them. Clarify the flag help and add a regression test.

* chore: bump @coana-tech/cli to 15.3.21
fix(scan): finalize tier1 reachability scan from `socket scan reach` (#1331)

* fix(scan): finalize tier1 reachability scan from `socket scan reach`

`socket scan reach` invokes Coana which registers a tier1 reachability scan row on the backend. Until now socket-cli never followed up with a finalize call from this flow because there was no full-scan id to bind to, so every standalone reachability run left the row at an intermediate post-Coana state indistinguishable from a stuck run.

Now that the backend's `tier1-reachability-scan/finalize` endpoint accepts a null `report_run_id` for flows that have no full scan, call it from `handle-scan-reach.mts` once Coana has emitted the tier1 reachability scan id. The standalone reachability row reaches its DONE terminal state, and "stuck at the intermediate state" becomes an unambiguous signal of a real problem rather than a normal `scan reach` outcome.

Broaden the `finalizeTier1Scan` wrapper signature so the second argument is `string | null`. Best-effort: a finalize failure logs a warning but does not block the user-visible reachability output.

* chore: bump version to 1.1.109

* upgrading coana to version 15.3.20

* test(scan): cover tier1 finalize failure path in scan reach

Add a third handleScanReach case for when finalizeTier1Scan returns the non-ok CResult shape: assert a single warning is logged (carrying the message and cause) and that outputScanReach still runs and the handler resolves normally, so a finalize failure never blocks the user-visible scan output.

* chore: bump version to 1.1.113

---------

Co-authored-by: John-David Dalton <jdalton@users.noreply.github.com>