SocketDev · Jeppe Fredsgaard Blaabjerg (jfblaa) · Jun 2, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
diff --git a/.config/rollup.dist.config.mjs b/.config/rollup.dist.config.mjs
@@ -79,24 +79,6 @@ async function copyInitGradle() {
   await fs.copyFile(filepath, destPath)
 }
 
-async function copySocketFactsInitGradle() {
-  const filepath = path.join(
-    constants.srcPath,
-    'commands/manifest/socket-facts.init.gradle',
-  )
-  const destPath = path.join(constants.distPath, 'socket-facts.init.gradle')
-  await fs.copyFile(filepath, destPath)
-}
-
-async function copySocketFactsSbtPlugin() {
-  const filepath = path.join(
-    constants.srcPath,
-    'commands/manifest/socket-facts.plugin.scala',
-  )
-  const destPath = path.join(constants.distPath, 'socket-facts.plugin.scala')
-  await fs.copyFile(filepath, destPath)
-}
-
 async function copyBashCompletion() {
   const filepath = path.join(
     constants.srcPath,
@@ -476,8 +458,6 @@ export default async () => {
           async writeBundle() {
             await Promise.all([
               copyInitGradle(),
-              copySocketFactsInitGradle(),
-              copySocketFactsSbtPlugin(),
               copyBashCompletion(),
               updatePackageJson(),
               // Remove dist/vendor.js.map file.

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Changed
 - **Bazel diagnostics** — `socket manifest bazel --verbose` now emits bounded subprocess traces with argv, cwd, duration, exit status, output sizes, and failure stderr tails to make customer log-only triage safer and faster.
 
+## [1.1.113](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.113) - 2026-06-03
+
+### Changed
+- `socket manifest gradle`, `kotlin`, and `scala` now generate a Socket facts file (`.socket.facts.json`) by default; pass `--pom` to generate `pom.xml` manifests instead.
+- Replaced `--configs` with `--include-configs` and `--exclude-configs` on `socket manifest gradle/kotlin/scala` for finer control over which build configurations are resolved.
+- Updated the Coana CLI to v `15.3.19`.
+
 ## [1.1.112](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.112) - 2026-05-29
 
 ### Fixed

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.112",
+  "version": "1.1.113",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -96,7 +96,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "15.3.15",
+    "@coana-tech/cli": "15.3.19",
     "@cyclonedx/cdxgen": "12.1.2",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/commands/manifest/cmd-manifest-gradle.mts b/src/commands/manifest/cmd-manifest-gradle.mts
@@ -21,7 +21,7 @@ import type {
 const config: CliCommandConfig = {
   commandName: 'gradle',
   description:
-    '[beta] Use Gradle to generate a manifest file (`pom.xml`) for a Gradle/Java/Kotlin/etc project',
+    '[beta] Generate a Socket facts file (or `pom.xml` with --pom) for a Gradle/Java/Kotlin/etc project',
   hidden: false,
   flags: {
     ...commonFlags,
@@ -32,12 +32,22 @@ const config: CliCommandConfig = {
     facts: {
       type: 'boolean',
       description:
-        'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files',
+        'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph. This is the default; pass `--pom` to generate `pom.xml` files instead',
     },
-    configs: {
+    pom: {
+      type: 'boolean',
+      description:
+        'Generate `pom.xml` manifest file(s) instead of the default Socket facts file (`.socket.facts.json`)',
+    },
+    includeConfigs: {
+      type: 'string',
+      description:
+        'When generating facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). Only configurations matching at least one pattern are resolved. e.g. `*CompileClasspath,*RuntimeClasspath`. Default: every resolvable configuration except AGP instrumented-test classpaths',
+    },
+    excludeConfigs: {
       type: 'string',
       description:
-        'With --facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, `*` and `?` wildcards). e.g. `*CompileClasspath,*RuntimeClasspath` to skip tooling configs. Default: every resolvable configuration except AGP instrumented-test classpaths',
+        'When generating facts: comma-separated glob patterns; Gradle configurations matching any pattern are skipped (applied after --include-configs)',
     },
     ignoreUnresolved: {
       type: 'boolean',
@@ -61,38 +71,32 @@ const config: CliCommandConfig = {
     Options
       ${getFlagListOutput(config.flags)}
 
-    Uses gradle, preferably through your local project \`gradlew\`, to generate a
-    \`pom.xml\` file for each task. If you have no \`gradlew\` you can try the
-    global \`gradle\` binary but that may not work (hard to predict).
-
-    The \`pom.xml\` is a manifest file similar to \`package.json\` for npm or
-    or ${REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is Java's
-    dependency repository. Languages like Kotlin and Scala piggy back on it too.
+    By default, emits a single \`.socket.facts.json\` describing the resolved
+    dependency graph of the whole build, using gradle (preferably your local
+    \`gradlew\`). An unresolved dependency is a fatal error. You can pass
+    --include-configs / --exclude-configs (comma-separated glob patterns) to
+    control which configurations are resolved (e.g.
+    --include-configs=\`*CompileClasspath,*RuntimeClasspath\`), and
+    --ignore-unresolved to warn on unresolved dependencies instead of failing.
 
-    There are some caveats with the gradle to \`pom.xml\` conversion:
+    Pass --pom to instead generate \`pom.xml\` manifest files via gradle (one per
+    task). The \`pom.xml\` is a manifest file similar to \`package.json\` for npm
+    (or ${REQUIREMENTS_TXT} for PyPi), but specifically for Maven, which is
+    Java's dependency repository. Caveats of the \`pom.xml\` conversion:
 
-    - each task will generate its own xml file and by default it generates one xml
-      for every task. (This may be a good thing!)
+    - each task generates its own xml file (one per task by default)
 
-    - it's possible certain features don't translate well into the xml. If you
-      think something is missing that could be supported please reach out.
+    - certain features may not translate well into the xml; reach out if
+      something you need is missing
 
     - it works with your \`gradlew\` from your repo and local settings and config
 
-    Pass --facts to instead emit a single \`.socket.facts.json\` describing the
-    resolved dependency graph of the whole build (no \`pom.xml\` files). An
-    unresolved dependency is a fatal error. With --facts you can pass
-    --configs=<comma-separated glob patterns> to restrict resolution to
-    matching configurations (e.g. \`*CompileClasspath,*RuntimeClasspath\`),
-    and --ignore-unresolved to warn on unresolved dependencies instead of
-    failing the run.
-
     Support is beta. Please report issues or give us feedback on what's missing.
 
     Examples
 
       $ ${command} .
-      $ ${command} --facts .
+      $ ${command} --pom .
       $ ${command} --bin=../gradlew .
   `,
 }
@@ -135,7 +139,15 @@ async function run(
     sockJson?.defaults?.manifest?.gradle,
   )
 
-  let { bin, configs, facts, gradleOpts, ignoreUnresolved, verbose } = cli.flags
+  let {
+    bin,
+    excludeConfigs,
+    facts,
+    gradleOpts,
+    ignoreUnresolved,
+    includeConfigs,
+    verbose,
+  } = cli.flags
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -169,16 +181,42 @@ async function run(
     if (sockJson.defaults?.manifest?.gradle?.facts !== undefined) {
       facts = sockJson.defaults?.manifest?.gradle?.facts
       logger.info(`Using default --facts from ${SOCKET_JSON}:`, facts)
+    } else {
+      // Socket facts generation is the default; pass --pom to generate poms.
+      facts = true
+    }
+  }
+  // --pom opts into legacy pom.xml generation. It overrides the facts default
+  // (and the socket.json default) but conflicts with an explicit --facts.
+  if (cli.flags['pom']) {
+    if (cli.flags['facts'] !== undefined) {
+      logger.warn(
+        'The `--facts` and `--pom` options are mutually exclusive; generating Socket facts.',
+      )
     } else {
       facts = false
     }
   }
-  if (configs === undefined) {
-    if (sockJson.defaults?.manifest?.gradle?.configs !== undefined) {
-      configs = sockJson.defaults?.manifest?.gradle?.configs
-      logger.info(`Using default --configs from ${SOCKET_JSON}:`, configs)
+  if (includeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.includeConfigs !== undefined) {
+      includeConfigs = sockJson.defaults?.manifest?.gradle?.includeConfigs
+      logger.info(
+        `Using default --include-configs from ${SOCKET_JSON}:`,
+        includeConfigs,
+      )
+    } else {
+      includeConfigs = ''
+    }
+  }
+  if (excludeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.excludeConfigs !== undefined) {
+      excludeConfigs = sockJson.defaults?.manifest?.gradle?.excludeConfigs
+      logger.info(
+        `Using default --exclude-configs from ${SOCKET_JSON}:`,
+        excludeConfigs,
+      )
     } else {
-      configs = ''
+      excludeConfigs = ''
     }
   }
   if (ignoreUnresolved === undefined) {
@@ -193,18 +231,18 @@ async function run(
     }
   }
 
-  // `--configs` and `--ignore-unresolved` only affect --facts; the pom path
-  // (the legacy `socketGenerateMaven` task) has no equivalent knobs. Warn
-  // rather than silently ignore an explicitly-passed flag. (socket.json
-  // defaults don't trip this — only a flag actually present on the command
-  // line does.)
+  // `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` only
+  // affect facts generation; the pom path has no equivalent knobs. Warn rather
+  // than silently ignore an explicitly-passed flag. (socket.json defaults don't
+  // trip this — only a flag actually present on the command line does.)
   if (
     !facts &&
-    (cli.flags['configs'] !== undefined ||
+    (cli.flags['includeConfigs'] !== undefined ||
+      cli.flags['excludeConfigs'] !== undefined ||
       cli.flags['ignoreUnresolved'] !== undefined)
   ) {
     logger.warn(
-      'The `--configs` and `--ignore-unresolved` options only apply with `--facts`; ignoring them.',
+      'The `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` options only apply when generating Socket facts (not with `--pom`); ignoring them.',
     )
   }
 
@@ -250,10 +288,11 @@ async function run(
   if (facts) {
     await convertGradleToFacts({
       bin: String(bin),
-      configs: String(configs || ''),
       cwd,
+      excludeConfigs: String(excludeConfigs || ''),
       gradleOpts: parsedGradleOpts,
       ignoreUnresolved: Boolean(ignoreUnresolved),
+      includeConfigs: String(includeConfigs || ''),
       verbose: Boolean(verbose),
     })
     return

diff --git a/src/commands/manifest/cmd-manifest-gradle.test.mts b/src/commands/manifest/cmd-manifest-gradle.test.mts
@@ -17,51 +17,47 @@ describe('socket manifest gradle', async () => {
       const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
       expect(stdout).toMatchInlineSnapshot(
         `
-        "[beta] Use Gradle to generate a manifest file (\`pom.xml\`) for a Gradle/Java/Kotlin/etc project
+        "[beta] Generate a Socket facts file (or \`pom.xml\` with --pom) for a Gradle/Java/Kotlin/etc project
 
           Usage
             $ socket manifest gradle [options] [CWD=.]
 
           Options
             --bin               Location of gradlew binary to use, default: CWD/gradlew
-            --configs           With --facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, \`*\` and \`?\` wildcards). e.g. \`*CompileClasspath,*RuntimeClasspath\` to skip tooling configs. Default: every resolvable configuration except AGP instrumented-test classpaths
-            --facts             Emit a Socket facts JSON file (\`.socket.facts.json\`) describing the resolved dependency graph instead of generating \`pom.xml\` files
+            --exclude-configs   When generating facts: comma-separated glob patterns; Gradle configurations matching any pattern are skipped (applied after --include-configs)
+            --facts             Emit a Socket facts JSON file (\`.socket.facts.json\`) describing the resolved dependency graph. This is the default; pass \`--pom\` to generate \`pom.xml\` files instead
             --gradle-opts       Additional options to pass on to ./gradlew, see \`./gradlew --help\`
             --ignore-unresolved  With --facts: warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)
+            --include-configs   When generating facts: comma-separated glob patterns matched against Gradle configuration names (case-sensitive, \`*\` and \`?\` wildcards). Only configurations matching at least one pattern are resolved. e.g. \`*CompileClasspath,*RuntimeClasspath\`. Default: every resolvable configuration except AGP instrumented-test classpaths
+            --pom               Generate \`pom.xml\` manifest file(s) instead of the default Socket facts file (\`.socket.facts.json\`)
             --verbose           Print debug messages
 
-          Uses gradle, preferably through your local project \`gradlew\`, to generate a
-          \`pom.xml\` file for each task. If you have no \`gradlew\` you can try the
-          global \`gradle\` binary but that may not work (hard to predict).
+          By default, emits a single \`.socket.facts.json\` describing the resolved
+          dependency graph of the whole build, using gradle (preferably your local
+          \`gradlew\`). An unresolved dependency is a fatal error. You can pass
+          --include-configs / --exclude-configs (comma-separated glob patterns) to
+          control which configurations are resolved (e.g.
+          --include-configs=\`*CompileClasspath,*RuntimeClasspath\`), and
+          --ignore-unresolved to warn on unresolved dependencies instead of failing.
 
-          The \`pom.xml\` is a manifest file similar to \`package.json\` for npm or
-          or requirements.txt for PyPi), but specifically for Maven, which is Java's
-          dependency repository. Languages like Kotlin and Scala piggy back on it too.
+          Pass --pom to instead generate \`pom.xml\` manifest files via gradle (one per
+          task). The \`pom.xml\` is a manifest file similar to \`package.json\` for npm
+          (or requirements.txt for PyPi), but specifically for Maven, which is
+          Java's dependency repository. Caveats of the \`pom.xml\` conversion:
 
-          There are some caveats with the gradle to \`pom.xml\` conversion:
+          - each task generates its own xml file (one per task by default)
 
-          - each task will generate its own xml file and by default it generates one xml
-            for every task. (This may be a good thing!)
-
-          - it's possible certain features don't translate well into the xml. If you
-            think something is missing that could be supported please reach out.
+          - certain features may not translate well into the xml; reach out if
+            something you need is missing
 
           - it works with your \`gradlew\` from your repo and local settings and config
 
-          Pass --facts to instead emit a single \`.socket.facts.json\` describing the
-          resolved dependency graph of the whole build (no \`pom.xml\` files). An
-          unresolved dependency is a fatal error. With --facts you can pass
-          --configs=<comma-separated glob patterns> to restrict resolution to
-          matching configurations (e.g. \`*CompileClasspath,*RuntimeClasspath\`),
-          and --ignore-unresolved to warn on unresolved dependencies instead of
-          failing the run.
-
           Support is beta. Please report issues or give us feedback on what's missing.
 
           Examples
 
             $ socket manifest gradle .
-            $ socket manifest gradle --facts .
+            $ socket manifest gradle --pom .
             $ socket manifest gradle --bin=../gradlew ."
       `,
       )