fix(cli): replace broken --dry-run with meaningful preview output

The --dry-run flag was completely broken across all 43+ commands - it just
exited immediately with "[DryRun]: Bailing now" without showing users what
would happen. This made the flag useless for its intended purpose.

Changes:
- Add new dry-run output utilities in src/utils/dry-run/output.mts
- Fix all read-only commands to show "Would fetch <resource>" message
- Fix all write commands to show detailed preview of actions
- Fix critical commands (fix, optimize, scan create) with comprehensive previews

Read-only commands now explain they're non-destructive:
  [DryRun]: Would fetch analytics data
  This is a read-only operation that does not modify any data.

Write commands now show what would happen:
  [DryRun]: Would upload CI scan
  Details:
    organizationSlug: "my-org"
    branchName: "main"
    targets: ["."]

Critical commands (fix, optimize) show detailed action plans:
  [DryRun]: Analyze and compute fixes for 3 vulnerabilities
  Actions that would be performed:
    - [fetch] Scan project dependencies
    - [modify] Update package manifest files
    - [execute] Run package manager to install

Commands updated:
- analytics, audit-log, config/*, organization/*, package/*, repository/*
- scan/create, scan/del, scan/diff, scan/github, scan/list, scan/metadata
- scan/reach, scan/report, scan/setup, scan/view, threat-feed
- fix, optimize, ci, login, logout, oops, wrapper
- npm, npx, pnpm, yarn, raw-npm, raw-npx, sfw, pycli
- manifest/auto, manifest/cdxgen, manifest/conda, manifest/gradle
- manifest/kotlin, manifest/scala, manifest/setup
- install/completion, uninstall/completion

Author: jdalton

packages/cli/src/commands/analytics/cmd-analytics.mts

@@ -1,11 +1,8 @@
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 
 import { handleAnalytics } from './handle-analytics.mts'
-import {
-  DRY_RUN_BAILING_NOW,
-  FLAG_JSON,
-  FLAG_MARKDOWN,
-} from '../../constants/cli.mts'
+import { FLAG_JSON, FLAG_MARKDOWN } from '../../constants/cli.mts'
+import { outputDryRunFetch } from '../../utils/dry-run/output.mts'
 import { V1_MIGRATION_GUIDE_URL } from '../../constants/socket.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
@@ -187,7 +184,7 @@ async function run(
   }
 
   if (dryRun) {
-    logger.log(DRY_RUN_BAILING_NOW)
+    outputDryRunFetch('analytics data')
     return
   }
 

packages/cli/src/commands/audit-log/cmd-audit-log.mts

@@ -1,11 +1,8 @@
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 
 import { handleAuditLog } from './handle-audit-log.mts'
-import {
-  DRY_RUN_BAILING_NOW,
-  FLAG_JSON,
-  FLAG_MARKDOWN,
-} from '../../constants/cli.mts'
+import { FLAG_JSON, FLAG_MARKDOWN } from '../../constants/cli.mts'
+import { outputDryRunFetch } from '../../utils/dry-run/output.mts'
 import { V1_MIGRATION_GUIDE_URL } from '../../constants/socket.mjs'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
@@ -182,8 +179,7 @@ async function run(
   }
 
   if (dryRun) {
-    const logger = getDefaultLogger()
-    logger.log(DRY_RUN_BAILING_NOW)
+    outputDryRunFetch('audit log entries')
     return
   }
 

packages/cli/src/commands/ci/cmd-ci.mts

@@ -1,9 +1,15 @@
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 
+import { getDefaultOrgSlug } from './fetch-default-org-slug.mts'
 import { handleCi } from './handle-ci.mts'
-import { DRY_RUN_BAILING_NOW } from '../../constants/cli.mts'
 import { commonFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
+import { outputDryRunUpload } from '../../utils/dry-run/output.mts'
+import {
+  detectDefaultBranch,
+  getRepoName,
+  gitBranch,
+} from '../../utils/git/operations.mjs'
 import { getFlagListOutput } from '../../utils/output/formatting.mts'
 
 import type {
@@ -70,11 +76,25 @@ async function run(
   })
 
   const dryRun = !!cli.flags['dryRun']
+  const autoManifest = Boolean(cli.flags['autoManifest'])
 
   if (dryRun) {
-    logger.log(DRY_RUN_BAILING_NOW)
+    const orgSlugCResult = await getDefaultOrgSlug()
+    const cwd = process.cwd()
+    const branchName = (await gitBranch(cwd)) || (await detectDefaultBranch(cwd))
+    const repoName = await getRepoName(cwd)
+
+    outputDryRunUpload('CI scan', {
+      autoManifest,
+      branchName: branchName || '(default)',
+      cwd,
+      organizationSlug: orgSlugCResult.ok ? orgSlugCResult.data : '(from API token)',
+      repoName: repoName || '(auto-detected)',
+      report: true,
+      targets: ['.'],
+    })
     return
   }
 
-  await handleCi(Boolean(cli.flags['autoManifest']))
+  await handleCi(autoManifest)
 }

packages/cli/src/commands/config/cmd-config-auto.mts

@@ -1,11 +1,6 @@
-import { getDefaultLogger } from '@socketsecurity/lib/logger'
-
 import { handleConfigAuto } from './handle-config-auto.mts'
-import {
-  DRY_RUN_BAILING_NOW,
-  FLAG_JSON,
-  FLAG_MARKDOWN,
-} from '../../constants/cli.mts'
+import { FLAG_JSON, FLAG_MARKDOWN } from '../../constants/cli.mts'
+import { outputDryRunWrite } from '../../utils/dry-run/output.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
 import {
@@ -22,8 +17,6 @@ import type {
 } from '../../utils/cli/with-subcommands.mjs'
 import type { LocalConfig } from '../../utils/config.mts'
 
-const logger = getDefaultLogger()
-
 // Flags interface for type safety.
 interface ConfigAutoFlags {
   json: boolean
@@ -109,7 +102,15 @@ ${getSupportedConfigEntries()
   }
 
   if (dryRun) {
-    logger.log(DRY_RUN_BAILING_NOW)
+    const configPath = `${process.env['HOME']}/.config/socket/config.json`
+    outputDryRunWrite(
+      configPath,
+      `auto-discover and set config value for "${key}"`,
+      [
+        `Discover the correct value for config key: ${key}`,
+        `Update config file with discovered value`,
+      ],
+    )
     return
   }
 

packages/cli/src/commands/config/cmd-config-list.mts

@@ -1,11 +1,8 @@
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 
 import { outputConfigList } from './output-config-list.mts'
-import {
-  DRY_RUN_BAILING_NOW,
-  FLAG_JSON,
-  FLAG_MARKDOWN,
-} from '../../constants/cli.mjs'
+import { FLAG_JSON, FLAG_MARKDOWN } from '../../constants/cli.mjs'
+import { outputDryRunFetch } from '../../utils/dry-run/output.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
 import { getFlagListOutput } from '../../utils/output/formatting.mts'
@@ -79,7 +76,7 @@ async function run(
   }
 
   if (dryRun) {
-    logger.log(DRY_RUN_BAILING_NOW)
+    outputDryRunFetch('configuration settings')
     return
   }
 

packages/cli/src/commands/config/config-command-factory.mts

@@ -1,10 +1,5 @@
-import { getDefaultLogger } from '@socketsecurity/lib/logger'
-
-import {
-  DRY_RUN_BAILING_NOW,
-  FLAG_JSON,
-  FLAG_MARKDOWN,
-} from '../../constants/cli.mjs'
+import { FLAG_JSON, FLAG_MARKDOWN } from '../../constants/cli.mjs'
+import { outputDryRunWrite } from '../../utils/dry-run/output.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
 import {
@@ -23,8 +18,6 @@ import type {
 } from '../../utils/cli/with-subcommands.mjs'
 import type { LocalConfig } from '../../utils/config.mts'
 
-const logger = getDefaultLogger()
-
 type ConfigCommandSpec = {
   commandName: string
   description: string
@@ -137,7 +130,17 @@ ${spec.helpExamples.map(ex => `      $ ${command} ${ex}`).join('\n')}
       }
 
       if (dryRun) {
-        logger.log(DRY_RUN_BAILING_NOW)
+        const configPath = `${process.env['HOME']}/.config/socket/config.json`
+        const changes = spec.needsValue
+          ? [`Set "${key}" to: ${value}`]
+          : [`Remove "${key}" from config`]
+        outputDryRunWrite(
+          configPath,
+          spec.needsValue
+            ? `set config value for "${key}"`
+            : `unset config value for "${key}"`,
+          changes,
+        )
         return
       }
 

packages/cli/src/commands/fix/cmd-fix.mts

@@ -4,13 +4,15 @@ import terminalLink from 'terminal-link'
 
 import { arrayUnique, joinAnd, joinOr } from '@socketsecurity/lib/arrays'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
+import { pluralize } from '@socketsecurity/lib/words'
 
 import { handleFix } from './handle-fix.mts'
-import { DRY_RUN_NOT_SAVING, FLAG_ID } from '../../constants/cli.mts'
+import { FLAG_ID } from '../../constants/cli.mts'
 import { ERROR_UNABLE_RESOLVE_ORG } from '../../constants/errors.mts'
 import * as constants from '../../constants.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
+import { outputDryRunPreview } from '../../utils/dry-run/output.mts'
 import { getEcosystemChoicesForMeow } from '../../utils/ecosystem/types.mts'
 import {
   getFlagApiRequirementsOutput,
@@ -22,6 +24,8 @@ import { RangeStyles } from '../../utils/semver.mts'
 import { checkCommandInput } from '../../utils/validation/check-input.mts'
 import { getDefaultOrgSlug } from '../ci/fetch-default-org-slug.mts'
 
+import type { DryRunAction } from '../../utils/dry-run/output.mts'
+
 import type { MeowFlag, MeowFlags } from '../../flags.mts'
 import type {
   CliCommandConfig,
@@ -395,11 +399,6 @@ async function run(
     return
   }
 
-  if (dryRun) {
-    logger.log(DRY_RUN_NOT_SAVING)
-    return
-  }
-
   const orgSlugCResult = await getDefaultOrgSlug()
   if (!orgSlugCResult.ok) {
     process.exitCode = orgSlugCResult.code ?? 1
@@ -421,6 +420,52 @@ async function run(
   const includePatterns = cmdFlagValueToArray(include)
   const excludePatterns = cmdFlagValueToArray(exclude)
 
+  if (dryRun) {
+    const actions: DryRunAction[] = [
+      {
+        type: 'fetch',
+        description: 'Scan project dependencies for vulnerabilities',
+        target: cwd,
+      },
+      {
+        type: 'fetch',
+        description: 'Analyze vulnerability fix options',
+      },
+    ]
+
+    if (applyFixes) {
+      actions.push({
+        type: 'modify',
+        description: 'Update package manifest files with fixes',
+        target: 'package.json and lock files',
+      })
+    }
+
+    if (spinner) {
+      actions.push({
+        type: 'execute',
+        description: 'Run package manager to install updated dependencies',
+      })
+    }
+
+    const targetDescription = all
+      ? 'all vulnerabilities'
+      : ghsas.length
+        ? `${ghsas.length} specified ${pluralize('vulnerability', { count: ghsas.length })}`
+        : 'discovered vulnerabilities'
+
+    const fixModeDescription = applyFixes
+      ? 'compute and apply fixes'
+      : 'compute fixes only (not applying)'
+
+    outputDryRunPreview({
+      summary: `Analyze and ${fixModeDescription} for ${targetDescription}`,
+      actions,
+      wouldSucceed: true,
+    })
+    return
+  }
+
   await handleFix({
     all,
     applyFixes,

packages/cli/src/commands/install/cmd-install-completion.mts

@@ -1,7 +1,5 @@
-import { getDefaultLogger } from '@socketsecurity/lib/logger'
-
 import { handleInstallCompletion } from './handle-install-completion.mts'
-import { DRY_RUN_BAILING_NOW } from '../../constants/cli.mts'
+import { outputDryRunWrite } from '../../utils/dry-run/output.mts'
 import { commonFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
 import { getFlagListOutput } from '../../utils/output/formatting.mts'
@@ -67,14 +65,20 @@ async function run(
   })
 
   const dryRun = !!cli.flags['dryRun']
+  const targetName = cli.input[0] || 'socket'
 
   if (dryRun) {
-    const logger = getDefaultLogger()
-    logger.log(DRY_RUN_BAILING_NOW)
+    const bashRcPath = `${process.env['HOME']}/.bashrc`
+    outputDryRunWrite(
+      bashRcPath,
+      `install bash completion for "${targetName}"`,
+      [
+        'Add completion script source command to ~/.bashrc',
+        'Enable tab completion in current shell',
+      ],
+    )
     return
   }
 
-  const targetName = cli.input[0] || 'socket'
-
   await handleInstallCompletion(String(targetName))
 }

packages/cli/src/commands/login/cmd-login.mts

@@ -1,8 +1,7 @@
 import isInteractive from '@socketregistry/is-interactive/index.cjs'
-import { getDefaultLogger } from '@socketsecurity/lib/logger'
 
 import { attemptLogin } from './attempt-login.mts'
-import { DRY_RUN_BAILING_NOW } from '../../constants/cli.mts'
+import { outputDryRunWrite } from '../../utils/dry-run/output.mts'
 import { commonFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
 import { InputError } from '../../utils/error/errors.mjs'
@@ -16,8 +15,6 @@ import type {
   CliCommandContext,
 } from '../../utils/cli/with-subcommands.mjs'
 
-const logger = getDefaultLogger()
-
 // Flags interface for type safety.
 interface LoginFlags {
   apiBaseUrl?: string | undefined
@@ -86,7 +83,15 @@ async function run(
   const dryRun = !!cli.flags['dryRun']
 
   if (dryRun) {
-    logger.log(DRY_RUN_BAILING_NOW)
+    const configPath = `${process.env['HOME']}/.config/socket/config.json`
+    const changes = [
+      'Prompt for Socket API token',
+      'Verify token with Socket API',
+      'Save API token to config',
+      'Optionally set default organization',
+      'Optionally install bash completion',
+    ]
+    outputDryRunWrite(configPath, 'authenticate with Socket API', changes)
     return
   }
 

packages/cli/src/commands/logout/cmd-logout.mts

@@ -1,6 +1,6 @@
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 
-import { DRY_RUN_BAILING_NOW } from '../../constants/cli.mts'
+import { outputDryRunDelete } from '../../utils/dry-run/output.mts'
 import {
   CONFIG_KEY_API_BASE_URL,
   CONFIG_KEY_API_PROXY,
@@ -83,7 +83,8 @@ async function run(
   const dryRun = !!cli.flags['dryRun']
 
   if (dryRun) {
-    logger.log(DRY_RUN_BAILING_NOW)
+    const configPath = `${process.env['HOME']}/.config/socket/config.json`
+    outputDryRunDelete('Socket API credentials', configPath)
     return
   }