@codesentinel/codesentinel 1.0.1 → 1.2.0

package/dist/index.js

@@ -1,11 +1,14 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command } from "commander";
-import { readFileSync } from "fs";
+import { Command, Option } from "commander";
+import { readFileSync as readFileSync2 } from "fs";
 import { dirname, resolve as resolve3 } from "path";
 import { fileURLToPath } from "url";
 
+// src/application/run-analyze-command.ts
+import { resolve as resolve2 } from "path";
+
 // ../code-graph/dist/index.js
 import { extname, isAbsolute, relative, resolve } from "path";
 import * as ts from "typescript";
@@ -445,28 +448,1188 @@ var buildProjectGraphSummary = (input) => {
   return createGraphAnalysisSummary(input.projectPath, graphData);
 };
 
-// ../core/dist/index.js
-import { resolve as resolve2 } from "path";
-var resolveTargetPath = (inputPath, cwd = process.cwd()) => {
-  const absolutePath = resolve2(cwd, inputPath ?? ".");
-  return { absolutePath };
+// ../dependency-firewall/dist/index.js
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+var round4 = (value) => Number(value.toFixed(4));
+var normalizeNodes = (nodes) => {
+  const byName = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    const bucket = byName.get(node.name) ?? [];
+    bucket.push(node);
+    byName.set(node.name, bucket);
+  }
+  const normalized = [];
+  for (const [name, candidates] of byName.entries()) {
+    if (candidates.length === 0) {
+      continue;
+    }
+    candidates.sort((a, b) => b.version.localeCompare(a.version));
+    const selected = candidates[0];
+    if (selected === void 0) {
+      continue;
+    }
+    const deps = selected.dependencies.map((dep) => {
+      const at = dep.lastIndexOf("@");
+      return at <= 0 ? dep : dep.slice(0, at);
+    }).filter((depName) => depName.length > 0).sort((a, b) => a.localeCompare(b));
+    normalized.push({
+      key: `${name}@${selected.version}`,
+      name,
+      version: selected.version,
+      dependencies: deps
+    });
+  }
+  return normalized.sort((a, b) => a.name.localeCompare(b.name));
+};
+var computeDepths = (nodeByName, directNames) => {
+  const visiting = /* @__PURE__ */ new Set();
+  const depthByName = /* @__PURE__ */ new Map();
+  const compute = (name) => {
+    const known = depthByName.get(name);
+    if (known !== void 0) {
+      return known;
+    }
+    if (visiting.has(name)) {
+      return 0;
+    }
+    visiting.add(name);
+    const node = nodeByName.get(name);
+    if (node === void 0) {
+      visiting.delete(name);
+      depthByName.set(name, 0);
+      return 0;
+    }
+    let maxChildDepth = 0;
+    for (const dependencyName of node.dependencies) {
+      const childDepth = compute(dependencyName);
+      if (childDepth > maxChildDepth) {
+        maxChildDepth = childDepth;
+      }
+    }
+    visiting.delete(name);
+    const ownDepth = directNames.has(name) ? 0 : maxChildDepth + 1;
+    depthByName.set(name, ownDepth);
+    return ownDepth;
+  };
+  for (const name of nodeByName.keys()) {
+    compute(name);
+  }
+  let maxDepth = 0;
+  for (const depth of depthByName.values()) {
+    if (depth > maxDepth) {
+      maxDepth = depth;
+    }
+  }
+  return { depthByName, maxDepth };
+};
+var rankCentrality = (nodes, dependentsByName, directNames, topN) => [...nodes].map((node) => ({
+  name: node.name,
+  dependents: dependentsByName.get(node.name) ?? 0,
+  fanOut: node.dependencies.length,
+  direct: directNames.has(node.name)
+})).sort(
+  (a, b) => b.dependents - a.dependents || b.fanOut - a.fanOut || a.name.localeCompare(b.name)
+).slice(0, topN);
+var canPropagateSignal = (signal) => signal === "abandoned" || signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout";
+var collectTransitiveDependencies = (rootName, nodeByName) => {
+  const seen = /* @__PURE__ */ new Set();
+  const stack = [...nodeByName.get(rootName)?.dependencies ?? []];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (current === void 0 || seen.has(current) || current === rootName) {
+      continue;
+    }
+    seen.add(current);
+    const currentNode = nodeByName.get(current);
+    if (currentNode === void 0) {
+      continue;
+    }
+    for (const next of currentNode.dependencies) {
+      if (!seen.has(next)) {
+        stack.push(next);
+      }
+    }
+  }
+  return [...seen].sort((a, b) => a.localeCompare(b));
+};
+var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, config) => {
+  const nodes = normalizeNodes(extraction.nodes);
+  const directNames = new Set(extraction.directDependencies.map((dep) => dep.name));
+  const directSpecByName = new Map(extraction.directDependencies.map((dep) => [dep.name, dep.requestedRange]));
+  const nodeByName = new Map(nodes.map((node) => [node.name, node]));
+  const dependentsByName = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    dependentsByName.set(node.name, dependentsByName.get(node.name) ?? 0);
+  }
+  for (const node of nodes) {
+    for (const dependencyName of node.dependencies) {
+      if (!nodeByName.has(dependencyName)) {
+        continue;
+      }
+      dependentsByName.set(dependencyName, (dependentsByName.get(dependencyName) ?? 0) + 1);
+    }
+  }
+  const { depthByName, maxDepth } = computeDepths(nodeByName, directNames);
+  const centralityRanking = rankCentrality(nodes, dependentsByName, directNames, config.centralityTopN);
+  const topCentralNames = new Set(
+    centralityRanking.slice(0, Math.max(1, Math.ceil(centralityRanking.length * 0.25))).map((entry) => entry.name)
+  );
+  const allDependencies = [];
+  let metadataAvailableCount = 0;
+  for (const node of nodes) {
+    const metadata = metadataByKey.get(node.key) ?? null;
+    if (metadata !== null) {
+      metadataAvailableCount += 1;
+    }
+    const dependencyDepth = depthByName.get(node.name) ?? 0;
+    const dependents = dependentsByName.get(node.name) ?? 0;
+    const riskSignals = [];
+    if ((metadata?.maintainerCount ?? 0) === 1) {
+      riskSignals.push("single_maintainer");
+    }
+    if ((metadata?.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold) {
+      riskSignals.push("abandoned");
+    }
+    if (topCentralNames.has(node.name) && dependents > 0) {
+      riskSignals.push("high_centrality");
+    }
+    if (dependencyDepth >= config.deepChainThreshold) {
+      riskSignals.push("deep_chain");
+    }
+    if (node.dependencies.length >= config.fanOutHighThreshold) {
+      riskSignals.push("high_fanout");
+    }
+    if (metadata === null) {
+      riskSignals.push("metadata_unavailable");
+    }
+    allDependencies.push({
+      name: node.name,
+      direct: directNames.has(node.name),
+      requestedRange: directSpecByName.get(node.name) ?? null,
+      resolvedVersion: node.version,
+      transitiveDependencies: [],
+      dependencyDepth,
+      fanOut: node.dependencies.length,
+      dependents,
+      maintainerCount: metadata?.maintainerCount ?? null,
+      releaseFrequencyDays: metadata?.releaseFrequencyDays ?? null,
+      daysSinceLastRelease: metadata?.daysSinceLastRelease ?? null,
+      repositoryActivity30d: metadata?.repositoryActivity30d ?? null,
+      busFactor: metadata?.busFactor ?? null,
+      ownRiskSignals: [...riskSignals].sort((a, b) => a.localeCompare(b)),
+      inheritedRiskSignals: [],
+      riskSignals
+    });
+  }
+  allDependencies.sort((a, b) => a.name.localeCompare(b.name));
+  const allByName = new Map(allDependencies.map((dep) => [dep.name, dep]));
+  const dependencies = allDependencies.filter((dep) => dep.direct).map((dep) => {
+    const transitiveDependencies = collectTransitiveDependencies(dep.name, nodeByName);
+    const inheritedSignals = /* @__PURE__ */ new Set();
+    const allSignals = new Set(dep.ownRiskSignals);
+    for (const transitiveName of transitiveDependencies) {
+      const transitive = allByName.get(transitiveName);
+      if (transitive === void 0) {
+        continue;
+      }
+      for (const signal of transitive.riskSignals) {
+        if (canPropagateSignal(signal)) {
+          inheritedSignals.add(signal);
+          allSignals.add(signal);
+        }
+      }
+    }
+    return {
+      ...dep,
+      transitiveDependencies,
+      inheritedRiskSignals: [...inheritedSignals].sort((a, b) => a.localeCompare(b)),
+      riskSignals: [...allSignals].sort((a, b) => a.localeCompare(b))
+    };
+  }).sort((a, b) => a.name.localeCompare(b.name));
+  const highRiskDependencies = dependencies.filter((dep) => dep.riskSignals.length > 1).sort((a, b) => b.riskSignals.length - a.riskSignals.length || a.name.localeCompare(b.name)).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
+  const singleMaintainerDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("single_maintainer")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
+  const abandonedDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("abandoned")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
+  return {
+    targetPath,
+    available: true,
+    metrics: {
+      totalDependencies: allDependencies.length,
+      directDependencies: dependencies.length,
+      transitiveDependencies: allDependencies.length - dependencies.length,
+      dependencyDepth: maxDepth,
+      lockfileKind: extraction.kind,
+      metadataCoverage: allDependencies.length === 0 ? 0 : round4(metadataAvailableCount / allDependencies.length)
+    },
+    dependencies,
+    highRiskDependencies,
+    singleMaintainerDependencies,
+    abandonedDependencies,
+    centralityRanking
+  };
+};
+var DEFAULT_EXTERNAL_ANALYSIS_CONFIG = {
+  abandonedDaysThreshold: 540,
+  deepChainThreshold: 6,
+  fanOutHighThreshold: 25,
+  centralityTopN: 20,
+  maxHighRiskDependencies: 100,
+  metadataRequestConcurrency: 8
+};
+var LOCKFILE_CANDIDATES = [
+  { fileName: "pnpm-lock.yaml", kind: "pnpm" },
+  { fileName: "package-lock.json", kind: "npm" },
+  { fileName: "npm-shrinkwrap.json", kind: "npm-shrinkwrap" },
+  { fileName: "yarn.lock", kind: "yarn" },
+  { fileName: "bun.lock", kind: "bun" },
+  { fileName: "bun.lockb", kind: "bun" }
+];
+var loadPackageJson = (repositoryPath) => {
+  const packageJsonPath2 = join(repositoryPath, "package.json");
+  if (!existsSync(packageJsonPath2)) {
+    return null;
+  }
+  return {
+    path: packageJsonPath2,
+    raw: readFileSync(packageJsonPath2, "utf8")
+  };
+};
+var selectLockfile = (repositoryPath) => {
+  for (const candidate of LOCKFILE_CANDIDATES) {
+    const absolutePath = join(repositoryPath, candidate.fileName);
+    if (!existsSync(absolutePath)) {
+      continue;
+    }
+    return {
+      path: absolutePath,
+      kind: candidate.kind,
+      raw: readFileSync(absolutePath, "utf8")
+    };
+  }
+  return null;
+};
+var parsePackageJson = (raw) => {
+  const parsed = JSON.parse(raw);
+  const merged = /* @__PURE__ */ new Map();
+  for (const block of [
+    parsed.dependencies,
+    parsed.devDependencies,
+    parsed.optionalDependencies,
+    parsed.peerDependencies
+  ]) {
+    if (block === void 0) {
+      continue;
+    }
+    for (const [name, versionRange] of Object.entries(block)) {
+      merged.set(name, versionRange);
+    }
+  }
+  return [...merged.entries()].map(([name, requestedRange]) => ({ name, requestedRange })).sort((a, b) => a.name.localeCompare(b.name));
+};
+var parsePackageLock = (raw, directSpecs) => {
+  const parsed = JSON.parse(raw);
+  const nodes = [];
+  if (parsed.packages !== void 0) {
+    for (const [packagePath, packageData] of Object.entries(parsed.packages)) {
+      if (packagePath.length === 0 || packageData.version === void 0) {
+        continue;
+      }
+      const segments = packagePath.split("node_modules/");
+      const name = segments[segments.length - 1] ?? "";
+      if (name.length === 0) {
+        continue;
+      }
+      const dependencies = Object.entries(packageData.dependencies ?? {}).map(([depName, depRange]) => `${depName}@${String(depRange)}`).sort((a, b) => a.localeCompare(b));
+      nodes.push({
+        name,
+        version: packageData.version,
+        dependencies
+      });
+    }
+  } else if (parsed.dependencies !== void 0) {
+    for (const [name, dep] of Object.entries(parsed.dependencies)) {
+      if (dep.version === void 0) {
+        continue;
+      }
+      const dependencies = Object.entries(dep.dependencies ?? {}).map(([depName, depVersion]) => `${depName}@${String(depVersion)}`).sort((a, b) => a.localeCompare(b));
+      nodes.push({
+        name,
+        version: dep.version,
+        dependencies
+      });
+    }
+  }
+  nodes.sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
+  return {
+    kind: "npm",
+    directDependencies: directSpecs,
+    nodes
+  };
+};
+var sanitizeValue = (value) => value.replace(/^['"]|['"]$/g, "").trim();
+var parsePackageKey = (rawKey) => {
+  const key = sanitizeValue(rawKey.replace(/:$/, ""));
+  const withoutSlash = key.startsWith("/") ? key.slice(1) : key;
+  const lastAt = withoutSlash.lastIndexOf("@");
+  if (lastAt <= 0) {
+    return null;
+  }
+  const name = withoutSlash.slice(0, lastAt);
+  const versionWithPeers = withoutSlash.slice(lastAt + 1);
+  const version2 = versionWithPeers.split("(")[0] ?? versionWithPeers;
+  if (name.length === 0 || version2.length === 0) {
+    return null;
+  }
+  return { name, version: version2 };
+};
+var parsePnpmLockfile = (raw, directSpecs) => {
+  const lines = raw.split("\n");
+  let state = "root";
+  let currentPackage = null;
+  let currentDependencyName = null;
+  const dependenciesByNode = /* @__PURE__ */ new Map();
+  for (const line of lines) {
+    if (line.trim().length === 0 || line.trimStart().startsWith("#")) {
+      continue;
+    }
+    if (line.startsWith("importers:")) {
+      state = "importers";
+      continue;
+    }
+    if (line.startsWith("packages:")) {
+      state = "packages";
+      continue;
+    }
+    if (state === "packages" || state === "packageDeps") {
+      const packageMatch = line.match(/^\s{2}([^\s].+):\s*$/);
+      if (packageMatch !== null) {
+        const parsedKey = parsePackageKey(packageMatch[1] ?? "");
+        if (parsedKey !== null) {
+          currentPackage = `${parsedKey.name}@${parsedKey.version}`;
+          dependenciesByNode.set(currentPackage, /* @__PURE__ */ new Set());
+          state = "packageDeps";
+          currentDependencyName = null;
+        }
+        continue;
+      }
+    }
+    if (state === "packageDeps" && currentPackage !== null) {
+      const depLine = line.match(/^\s{6}([^:\s]+):\s*(.+)$/);
+      if (depLine !== null) {
+        const depName = sanitizeValue(depLine[1] ?? "");
+        const depRef = sanitizeValue(depLine[2] ?? "");
+        const depVersion = depRef.split("(")[0] ?? depRef;
+        if (depName.length > 0 && depVersion.length > 0) {
+          dependenciesByNode.get(currentPackage)?.add(`${depName}@${depVersion}`);
+        }
+        currentDependencyName = null;
+        continue;
+      }
+      const depBlockLine = line.match(/^\s{6}([^:\s]+):\s*$/);
+      if (depBlockLine !== null) {
+        currentDependencyName = sanitizeValue(depBlockLine[1] ?? "");
+        continue;
+      }
+      const depVersionLine = line.match(/^\s{8}version:\s*(.+)$/);
+      if (depVersionLine !== null && currentDependencyName !== null) {
+        const depRef = sanitizeValue(depVersionLine[1] ?? "");
+        const depVersion = depRef.split("(")[0] ?? depRef;
+        if (depVersion.length > 0) {
+          dependenciesByNode.get(currentPackage)?.add(`${currentDependencyName}@${depVersion}`);
+        }
+        currentDependencyName = null;
+        continue;
+      }
+      if (line.match(/^\s{4}(dependencies|optionalDependencies):\s*$/) !== null) {
+        continue;
+      }
+    }
+  }
+  const nodes = [...dependenciesByNode.entries()].map(([nodeId, deps]) => {
+    const at = nodeId.lastIndexOf("@");
+    return {
+      name: nodeId.slice(0, at),
+      version: nodeId.slice(at + 1),
+      dependencies: [...deps].sort((a, b) => a.localeCompare(b))
+    };
+  }).sort(
+    (a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version)
+  );
+  return {
+    kind: "pnpm",
+    directDependencies: directSpecs,
+    nodes
+  };
+};
+var stripQuotes = (value) => value.replace(/^['"]|['"]$/g, "");
+var parseVersionSelector = (selector) => {
+  const npmIndex = selector.lastIndexOf("@npm:");
+  if (npmIndex >= 0) {
+    return selector.slice(npmIndex + 5);
+  }
+  const lastAt = selector.lastIndexOf("@");
+  if (lastAt <= 0) {
+    return null;
+  }
+  return selector.slice(lastAt + 1);
+};
+var parseYarnLock = (raw, directSpecs) => {
+  const lines = raw.split("\n");
+  const nodes = [];
+  let selectors = [];
+  let version2 = null;
+  let readingDependencies = false;
+  let dependencies = [];
+  const flushEntry = () => {
+    if (selectors.length === 0 || version2 === null) {
+      selectors = [];
+      version2 = null;
+      dependencies = [];
+      readingDependencies = false;
+      return;
+    }
+    for (const selector of selectors) {
+      const parsedVersion = parseVersionSelector(selector);
+      const at = selector.lastIndexOf("@");
+      const name = at <= 0 ? selector : selector.slice(0, at);
+      if (name.length === 0) {
+        continue;
+      }
+      nodes.push({
+        name,
+        version: version2,
+        dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
+      });
+      if (parsedVersion !== null) {
+        nodes.push({
+          name,
+          version: parsedVersion,
+          dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
+        });
+      }
+    }
+    selectors = [];
+    version2 = null;
+    dependencies = [];
+    readingDependencies = false;
+  };
+  for (const line of lines) {
+    if (line.trim().length === 0) {
+      continue;
+    }
+    if (!line.startsWith(" ") && line.endsWith(":")) {
+      flushEntry();
+      const keyText = line.slice(0, -1);
+      selectors = keyText.split(",").map((part) => stripQuotes(part.trim())).filter((part) => part.length > 0);
+      continue;
+    }
+    if (line.match(/^\s{2}version\s+/) !== null) {
+      const value = line.replace(/^\s{2}version\s+/, "").trim();
+      version2 = stripQuotes(value);
+      readingDependencies = false;
+      continue;
+    }
+    if (line.match(/^\s{2}dependencies:\s*$/) !== null) {
+      readingDependencies = true;
+      continue;
+    }
+    if (readingDependencies && line.match(/^\s{4}[^\s].+$/) !== null) {
+      const depLine = line.trim();
+      const firstSpace = depLine.indexOf(" ");
+      if (firstSpace <= 0) {
+        continue;
+      }
+      const depName = stripQuotes(depLine.slice(0, firstSpace));
+      const depRef = stripQuotes(depLine.slice(firstSpace + 1).trim());
+      const depVersion = parseVersionSelector(depRef) ?? depRef;
+      dependencies.push(`${depName}@${depVersion}`);
+      continue;
+    }
+    readingDependencies = false;
+  }
+  flushEntry();
+  const deduped = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    const key = `${node.name}@${node.version}`;
+    if (!deduped.has(key)) {
+      deduped.set(key, node);
+    }
+  }
+  return {
+    kind: "yarn",
+    directDependencies: directSpecs,
+    nodes: [...deduped.values()].sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version))
+  };
+};
+var parseBunLock = (_raw, _directSpecs) => {
+  throw new Error("unsupported_lockfile_format");
+};
+var withDefaults = (overrides) => ({
+  ...DEFAULT_EXTERNAL_ANALYSIS_CONFIG,
+  ...overrides
+});
+var parseExtraction = (lockfileKind, lockfileRaw, directSpecs) => {
+  switch (lockfileKind) {
+    case "pnpm":
+      return parsePnpmLockfile(lockfileRaw, directSpecs);
+    case "npm":
+    case "npm-shrinkwrap":
+      return {
+        ...parsePackageLock(lockfileRaw, directSpecs),
+        kind: lockfileKind
+      };
+    case "yarn":
+      return parseYarnLock(lockfileRaw, directSpecs);
+    case "bun":
+      return parseBunLock(lockfileRaw, directSpecs);
+    default:
+      throw new Error("unsupported_lockfile_format");
+  }
+};
+var mapWithConcurrency = async (values, limit, handler) => {
+  const effectiveLimit = Math.max(1, limit);
+  const results = new Array(values.length);
+  let index = 0;
+  const workers = Array.from({ length: Math.min(effectiveLimit, values.length) }, async () => {
+    for (; ; ) {
+      const current = index;
+      index += 1;
+      if (current >= values.length) {
+        return;
+      }
+      const value = values[current];
+      if (value === void 0) {
+        return;
+      }
+      results[current] = await handler(value);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+};
+var analyzeDependencyExposure = async (input, metadataProvider) => {
+  const packageJson = loadPackageJson(input.repositoryPath);
+  if (packageJson === null) {
+    return {
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "package_json_not_found"
+    };
+  }
+  const lockfile = selectLockfile(input.repositoryPath);
+  if (lockfile === null) {
+    return {
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "lockfile_not_found"
+    };
+  }
+  try {
+    const directSpecs = parsePackageJson(packageJson.raw);
+    const extraction = parseExtraction(lockfile.kind, lockfile.raw, directSpecs);
+    const config = withDefaults(input.config);
+    const metadataEntries = await mapWithConcurrency(
+      extraction.nodes,
+      config.metadataRequestConcurrency,
+      async (node) => ({
+        key: `${node.name}@${node.version}`,
+        metadata: await metadataProvider.getMetadata(node.name, node.version)
+      })
+    );
+    const metadataByKey = /* @__PURE__ */ new Map();
+    for (const entry of metadataEntries) {
+      metadataByKey.set(entry.key, entry.metadata);
+    }
+    return buildExternalAnalysisSummary(input.repositoryPath, extraction, metadataByKey, config);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "unknown";
+    if (message.includes("unsupported_lockfile_format")) {
+      return {
+        targetPath: input.repositoryPath,
+        available: false,
+        reason: "unsupported_lockfile_format"
+      };
+    }
+    return {
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "invalid_lockfile"
+    };
+  }
+};
+var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
+var round42 = (value) => Number(value.toFixed(4));
+var parseDate = (iso) => {
+  if (iso === void 0) {
+    return null;
+  }
+  const value = Date.parse(iso);
+  return Number.isNaN(value) ? null : value;
+};
+var NpmRegistryMetadataProvider = class {
+  cache = /* @__PURE__ */ new Map();
+  async getMetadata(name, version2) {
+    const key = `${name}@${version2}`;
+    if (this.cache.has(key)) {
+      return this.cache.get(key) ?? null;
+    }
+    try {
+      const encodedName = encodeURIComponent(name);
+      const response = await fetch(`https://registry.npmjs.org/${encodedName}`);
+      if (!response.ok) {
+        this.cache.set(key, null);
+        return null;
+      }
+      const payload = await response.json();
+      const timeEntries = payload.time ?? {};
+      const publishDates = Object.entries(timeEntries).filter(([tag]) => tag !== "created" && tag !== "modified").map(([, date]) => parseDate(date)).filter((value) => value !== null).sort((a, b) => a - b);
+      const modifiedAt = parseDate(timeEntries["modified"]);
+      const now = Date.now();
+      const daysSinceLastRelease = modifiedAt === null ? null : Math.max(0, round42((now - modifiedAt) / ONE_DAY_MS));
+      let releaseFrequencyDays = null;
+      if (publishDates.length >= 2) {
+        const totalIntervals = publishDates.length - 1;
+        let sum = 0;
+        for (let i = 1; i < publishDates.length; i += 1) {
+          const current = publishDates[i];
+          const previous = publishDates[i - 1];
+          if (current !== void 0 && previous !== void 0) {
+            sum += current - previous;
+          }
+        }
+        releaseFrequencyDays = round42(sum / totalIntervals / ONE_DAY_MS);
+      }
+      const maintainers = payload.maintainers ?? [];
+      const maintainerCount = maintainers.length > 0 ? maintainers.length : null;
+      const metadata = {
+        name,
+        version: version2,
+        maintainerCount,
+        releaseFrequencyDays,
+        daysSinceLastRelease,
+        repositoryActivity30d: null,
+        busFactor: null
+      };
+      this.cache.set(key, metadata);
+      return metadata;
+    } catch {
+      this.cache.set(key, null);
+      return null;
+    }
+  }
+};
+var NoopMetadataProvider = class {
+  async getMetadata(_name, _version) {
+    return null;
+  }
+};
+var analyzeDependencyExposureFromProject = async (input) => {
+  const metadataProvider = process.env["CODESENTINEL_EXTERNAL_METADATA"] === "none" ? new NoopMetadataProvider() : new NpmRegistryMetadataProvider();
+  return analyzeDependencyExposure(input, metadataProvider);
+};
+
+// ../git-analyzer/dist/index.js
+import { execFileSync } from "child_process";
+var pairKey = (a, b) => `${a}\0${b}`;
+var round43 = (value) => Number(value.toFixed(4));
+var normalizeName = (value) => value.toLowerCase().replace(/[^a-z0-9\s]/g, " ").replace(/\s+/g, " ").trim();
+var extractEmailStem = (authorId) => {
+  const normalized = authorId.trim().toLowerCase();
+  const githubNoReplyMatch = normalized.match(/^\d+\+([^@]+)@users\.noreply\.github\.com$/);
+  if (githubNoReplyMatch?.[1] !== void 0) {
+    return githubNoReplyMatch[1].replace(/[._+-]/g, "");
+  }
+  const atIndex = normalized.indexOf("@");
+  if (atIndex <= 0) {
+    return null;
+  }
+  return normalized.slice(0, atIndex).replace(/[._+-]/g, "");
+};
+var areNamesCompatible = (left, right) => {
+  if (left.length === 0 || right.length === 0) {
+    return false;
+  }
+  if (left === right) {
+    return true;
+  }
+  if (left.startsWith(`${right} `) || right.startsWith(`${left} `)) {
+    return true;
+  }
+  return false;
+};
+var chooseCanonicalAuthorId = (profiles) => {
+  const ordered = [...profiles].sort((a, b) => {
+    const aIsNoReply = a.authorId.includes("@users.noreply.github.com");
+    const bIsNoReply = b.authorId.includes("@users.noreply.github.com");
+    if (aIsNoReply !== bIsNoReply) {
+      return aIsNoReply ? 1 : -1;
+    }
+    if (a.commitCount !== b.commitCount) {
+      return b.commitCount - a.commitCount;
+    }
+    return a.authorId.localeCompare(b.authorId);
+  });
+  return ordered[0]?.authorId ?? "";
+};
+var buildAuthorAliasMap = (commits) => {
+  const nameCountsByAuthorId = /* @__PURE__ */ new Map();
+  const commitCountByAuthorId = /* @__PURE__ */ new Map();
+  for (const commit of commits) {
+    commitCountByAuthorId.set(commit.authorId, (commitCountByAuthorId.get(commit.authorId) ?? 0) + 1);
+    const normalizedName = normalizeName(commit.authorName);
+    const names = nameCountsByAuthorId.get(commit.authorId) ?? /* @__PURE__ */ new Map();
+    if (normalizedName.length > 0) {
+      names.set(normalizedName, (names.get(normalizedName) ?? 0) + 1);
+    }
+    nameCountsByAuthorId.set(commit.authorId, names);
+  }
+  const profiles = [...commitCountByAuthorId.entries()].map(([authorId, commitCount]) => {
+    const names = nameCountsByAuthorId.get(authorId);
+    const primaryName = names === void 0 ? "" : [...names.entries()].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))[0]?.[0] ?? "";
+    const normalizedAuthorId = authorId.toLowerCase();
+    const isBot = normalizedAuthorId.includes("[bot]");
+    return {
+      authorId,
+      commitCount,
+      primaryName,
+      emailStem: isBot ? null : extractEmailStem(authorId),
+      isBot
+    };
+  });
+  const groupsByStem = /* @__PURE__ */ new Map();
+  for (const profile of profiles) {
+    if (profile.emailStem === null || profile.emailStem.length < 4) {
+      continue;
+    }
+    const current = groupsByStem.get(profile.emailStem) ?? [];
+    current.push(profile);
+    groupsByStem.set(profile.emailStem, current);
+  }
+  const aliasMap = /* @__PURE__ */ new Map();
+  for (const profile of profiles) {
+    aliasMap.set(profile.authorId, profile.authorId);
+  }
+  for (const group of groupsByStem.values()) {
+    if (group.length < 2) {
+      continue;
+    }
+    const compatible = [];
+    for (const profile of group) {
+      if (profile.isBot || profile.primaryName.length === 0) {
+        continue;
+      }
+      compatible.push(profile);
+    }
+    if (compatible.length < 2) {
+      continue;
+    }
+    const canonical = chooseCanonicalAuthorId(compatible);
+    const canonicalProfile = compatible.find((candidate) => candidate.authorId === canonical);
+    if (canonicalProfile === void 0) {
+      continue;
+    }
+    for (const profile of compatible) {
+      if (areNamesCompatible(profile.primaryName, canonicalProfile.primaryName)) {
+        aliasMap.set(profile.authorId, canonical);
+      }
+    }
+  }
+  return aliasMap;
+};
+var computeBusFactor = (authorDistribution, threshold) => {
+  if (authorDistribution.length === 0) {
+    return 0;
+  }
+  let coveredShare = 0;
+  for (let i = 0; i < authorDistribution.length; i += 1) {
+    const entry = authorDistribution[i];
+    if (entry === void 0) {
+      continue;
+    }
+    coveredShare += entry.share;
+    if (coveredShare >= threshold) {
+      return i + 1;
+    }
+  }
+  return authorDistribution.length;
+};
+var finalizeAuthorDistribution = (authorCommits) => {
+  const totalCommits = [...authorCommits.values()].reduce((sum, value) => sum + value, 0);
+  if (totalCommits === 0) {
+    return [];
+  }
+  return [...authorCommits.entries()].map(([authorId, commits]) => ({
+    authorId,
+    commits,
+    share: round43(commits / totalCommits)
+  })).sort((a, b) => b.commits - a.commits || a.authorId.localeCompare(b.authorId));
+};
+var buildCouplingMatrix = (coChangeByPair, fileCommitCount, consideredCommits, skippedLargeCommits, maxCouplingPairs) => {
+  const allPairs = [];
+  for (const [key, coChangeCommits] of coChangeByPair.entries()) {
+    const [fileA, fileB] = key.split("\0");
+    if (fileA === void 0 || fileB === void 0) {
+      continue;
+    }
+    const fileACommits = fileCommitCount.get(fileA) ?? 0;
+    const fileBCommits = fileCommitCount.get(fileB) ?? 0;
+    const denominator = fileACommits + fileBCommits - coChangeCommits;
+    const couplingScore = denominator === 0 ? 0 : round43(coChangeCommits / denominator);
+    allPairs.push({
+      fileA,
+      fileB,
+      coChangeCommits,
+      couplingScore
+    });
+  }
+  allPairs.sort(
+    (a, b) => b.coChangeCommits - a.coChangeCommits || b.couplingScore - a.couplingScore || a.fileA.localeCompare(b.fileA) || a.fileB.localeCompare(b.fileB)
+  );
+  const truncated = allPairs.length > maxCouplingPairs;
+  return {
+    pairs: truncated ? allPairs.slice(0, maxCouplingPairs) : allPairs,
+    totalPairCount: allPairs.length,
+    consideredCommits,
+    skippedLargeCommits,
+    truncated
+  };
+};
+var selectHotspots = (files, config) => {
+  if (files.length === 0) {
+    return { hotspots: [], threshold: 0 };
+  }
+  const sorted = [...files].sort(
+    (a, b) => b.commitCount - a.commitCount || b.churnTotal - a.churnTotal || a.filePath.localeCompare(b.filePath)
+  );
+  const hotspotCount = Math.max(config.hotspotMinFiles, Math.ceil(sorted.length * config.hotspotTopPercent));
+  const selected = sorted.slice(0, hotspotCount);
+  const hotspots = selected.map((file, index) => ({
+    filePath: file.filePath,
+    rank: index + 1,
+    commitCount: file.commitCount,
+    churnTotal: file.churnTotal
+  }));
+  const threshold = selected[selected.length - 1]?.commitCount ?? 0;
+  return { hotspots, threshold };
+};
+var computeRepositoryEvolutionSummary = (targetPath, commits, config) => {
+  const authorAliasById = config.authorIdentityMode === "likely_merge" ? buildAuthorAliasMap(commits) : /* @__PURE__ */ new Map();
+  const fileStats = /* @__PURE__ */ new Map();
+  const coChangeByPair = /* @__PURE__ */ new Map();
+  const headCommitTimestamp = commits.length === 0 ? null : commits[commits.length - 1]?.authoredAtUnix ?? null;
+  const recentWindowStart = headCommitTimestamp === null ? Number.NEGATIVE_INFINITY : headCommitTimestamp - config.recentWindowDays * 24 * 60 * 60;
+  let consideredCommits = 0;
+  let skippedLargeCommits = 0;
+  for (const commit of commits) {
+    const uniqueFiles = /* @__PURE__ */ new Set();
+    for (const fileChange of commit.fileChanges) {
+      uniqueFiles.add(fileChange.filePath);
+      const current = fileStats.get(fileChange.filePath) ?? {
+        commitCount: 0,
+        recentCommitCount: 0,
+        churnAdded: 0,
+        churnDeleted: 0,
+        authors: /* @__PURE__ */ new Map()
+      };
+      current.churnAdded += fileChange.additions;
+      current.churnDeleted += fileChange.deletions;
+      fileStats.set(fileChange.filePath, current);
+    }
+    for (const filePath of uniqueFiles) {
+      const current = fileStats.get(filePath);
+      if (current === void 0) {
+        continue;
+      }
+      current.commitCount += 1;
+      if (commit.authoredAtUnix >= recentWindowStart) {
+        current.recentCommitCount += 1;
+      }
+      const effectiveAuthorId = authorAliasById.get(commit.authorId) ?? commit.authorId;
+      current.authors.set(effectiveAuthorId, (current.authors.get(effectiveAuthorId) ?? 0) + 1);
+    }
+    const orderedFiles = [...uniqueFiles].sort((a, b) => a.localeCompare(b));
+    if (orderedFiles.length > 1) {
+      if (orderedFiles.length <= config.maxFilesPerCommitForCoupling) {
+        consideredCommits += 1;
+        for (let i = 0; i < orderedFiles.length - 1; i += 1) {
+          for (let j = i + 1; j < orderedFiles.length; j += 1) {
+            const fileA = orderedFiles[i];
+            const fileB = orderedFiles[j];
+            if (fileA === void 0 || fileB === void 0) {
+              continue;
+            }
+            const key = pairKey(fileA, fileB);
+            coChangeByPair.set(key, (coChangeByPair.get(key) ?? 0) + 1);
+          }
+        }
+      } else {
+        skippedLargeCommits += 1;
+      }
+    }
+  }
+  const files = [...fileStats.entries()].map(([filePath, stats]) => {
+    const authorDistribution = finalizeAuthorDistribution(stats.authors);
+    const topAuthorShare = authorDistribution[0]?.share ?? 0;
+    return {
+      filePath,
+      commitCount: stats.commitCount,
+      frequencyPer100Commits: commits.length === 0 ? 0 : round43(stats.commitCount / commits.length * 100),
+      churnAdded: stats.churnAdded,
+      churnDeleted: stats.churnDeleted,
+      churnTotal: stats.churnAdded + stats.churnDeleted,
+      recentCommitCount: stats.recentCommitCount,
+      recentVolatility: stats.commitCount === 0 ? 0 : round43(stats.recentCommitCount / stats.commitCount),
+      topAuthorShare,
+      busFactor: computeBusFactor(authorDistribution, config.busFactorCoverageThreshold),
+      authorDistribution
+    };
+  }).sort((a, b) => a.filePath.localeCompare(b.filePath));
+  const fileCommitCount = new Map(files.map((file) => [file.filePath, file.commitCount]));
+  const coupling = buildCouplingMatrix(
+    coChangeByPair,
+    fileCommitCount,
+    consideredCommits,
+    skippedLargeCommits,
+    config.maxCouplingPairs
+  );
+  const { hotspots, threshold } = selectHotspots(files, config);
+  return {
+    targetPath,
+    available: true,
+    files,
+    hotspots,
+    coupling,
+    metrics: {
+      totalCommits: commits.length,
+      totalFiles: files.length,
+      headCommitTimestamp,
+      recentWindowDays: config.recentWindowDays,
+      hotspotTopPercent: config.hotspotTopPercent,
+      hotspotThresholdCommitCount: threshold
+    }
+  };
+};
+var DEFAULT_EVOLUTION_CONFIG = {
+  authorIdentityMode: "likely_merge",
+  recentWindowDays: 30,
+  hotspotTopPercent: 0.1,
+  hotspotMinFiles: 1,
+  maxFilesPerCommitForCoupling: 200,
+  maxCouplingPairs: 500,
+  busFactorCoverageThreshold: 0.6
+};
+var createEffectiveConfig = (overrides) => ({
+  ...DEFAULT_EVOLUTION_CONFIG,
+  ...overrides
+});
+var analyzeRepositoryEvolution = (input, historyProvider) => {
+  if (!historyProvider.isGitRepository(input.repositoryPath)) {
+    return {
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "not_git_repository"
+    };
+  }
+  const commits = historyProvider.getCommitHistory(input.repositoryPath);
+  const config = createEffectiveConfig(input.config);
+  return computeRepositoryEvolutionSummary(input.repositoryPath, commits, config);
+};
+var GitCommandError = class extends Error {
+  args;
+  constructor(message, args) {
+    super(message);
+    this.name = "GitCommandError";
+    this.args = args;
+  }
+};
+var ExecGitCommandClient = class {
+  run(repositoryPath, args) {
+    try {
+      return execFileSync("git", ["-C", repositoryPath, ...args], {
+        encoding: "utf8",
+        maxBuffer: 1024 * 1024 * 64,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown git execution error";
+      throw new GitCommandError(message, args);
+    }
+  }
+};
+var COMMIT_RECORD_SEPARATOR = "";
+var COMMIT_FIELD_SEPARATOR = "";
+var GIT_LOG_FORMAT = `%x1e%H%x1f%at%x1f%an%x1f%ae`;
+var parseInteger = (value) => {
+  if (value.length === 0) {
+    return null;
+  }
+  const parsed = Number.parseInt(value, 10);
+  if (Number.isNaN(parsed)) {
+    return null;
+  }
+  return parsed;
+};
+var normalizeAuthorIdentity = (authorName, authorEmail) => {
+  const normalizedName = authorName.trim().replace(/\s+/g, " ").toLowerCase();
+  const normalizedEmail = authorEmail.trim().toLowerCase();
+  if (/\[bot\]/i.test(normalizedName) || /\[bot\]/i.test(normalizedEmail)) {
+    return normalizedEmail.length > 0 ? normalizedEmail : normalizedName;
+  }
+  const githubNoReplyMatch = normalizedEmail.match(/^\d+\+([^@]+)@users\.noreply\.github\.com$/);
+  const githubHandle = githubNoReplyMatch?.[1]?.trim().toLowerCase();
+  if (githubHandle !== void 0 && githubHandle.length > 0) {
+    return `${githubHandle}@users.noreply.github.com`;
+  }
+  if (normalizedEmail.length > 0) {
+    return normalizedEmail;
+  }
+  return normalizedName;
+};
+var parseRenamedPath = (pathSpec) => {
+  if (!pathSpec.includes(" => ")) {
+    return pathSpec;
+  }
+  const braceRenameMatch = pathSpec.match(/^(.*)\{(.+) => (.+)\}(.*)$/);
+  if (braceRenameMatch !== null) {
+    const [, prefix, , renamedTo, suffix] = braceRenameMatch;
+    return `${prefix}${renamedTo}${suffix}`;
+  }
+  const parts = pathSpec.split(" => ");
+  const finalPart = parts[parts.length - 1];
+  return finalPart ?? pathSpec;
+};
+var parseNumstatLine = (line) => {
+  const parts = line.split("	");
+  if (parts.length < 3) {
+    return null;
+  }
+  const additionsRaw = parts[0];
+  const deletionsRaw = parts[1];
+  const pathRaw = parts.slice(2).join("	");
+  if (additionsRaw === void 0 || deletionsRaw === void 0) {
+    return null;
+  }
+  const additions = additionsRaw === "-" ? 0 : parseInteger(additionsRaw);
+  const deletions = deletionsRaw === "-" ? 0 : parseInteger(deletionsRaw);
+  if (additions === null || deletions === null) {
+    return null;
+  }
+  const filePath = parseRenamedPath(pathRaw);
+  return {
+    filePath,
+    additions,
+    deletions
+  };
+};
+var parseGitLog = (rawLog) => {
+  const records = rawLog.split(COMMIT_RECORD_SEPARATOR).map((record) => record.trim()).filter((record) => record.length > 0);
+  const commits = [];
+  for (const record of records) {
+    const lines = record.split("\n").map((line) => line.trimEnd()).filter((line) => line.length > 0);
+    if (lines.length === 0) {
+      continue;
+    }
+    const headerParts = lines[0]?.split(COMMIT_FIELD_SEPARATOR) ?? [];
+    if (headerParts.length !== 4) {
+      continue;
+    }
+    const [hash, authoredAtRaw, authorName, authorEmail] = headerParts;
+    if (hash === void 0 || authoredAtRaw === void 0 || authorName === void 0 || authorEmail === void 0) {
+      continue;
+    }
+    const authoredAtUnix = parseInteger(authoredAtRaw);
+    if (authoredAtUnix === null) {
+      continue;
+    }
+    const fileChanges = [];
+    for (const line of lines.slice(1)) {
+      const parsedLine = parseNumstatLine(line);
+      if (parsedLine !== null) {
+        fileChanges.push(parsedLine);
+      }
+    }
+    commits.push({
+      hash,
+      authorId: normalizeAuthorIdentity(authorName, authorEmail),
+      authorName,
+      authoredAtUnix,
+      fileChanges
+    });
+  }
+  commits.sort((a, b) => a.authoredAtUnix - b.authoredAtUnix || a.hash.localeCompare(b.hash));
+  return commits;
+};
+var NON_GIT_CODES = ["not a git repository", "not in a git directory"];
+var isNotGitError = (error) => {
+  const lower = error.message.toLowerCase();
+  return NON_GIT_CODES.some((code) => lower.includes(code));
+};
+var GitCliHistoryProvider = class {
+  constructor(gitClient) {
+    this.gitClient = gitClient;
+  }
+  isGitRepository(repositoryPath) {
+    try {
+      const output = this.gitClient.run(repositoryPath, ["rev-parse", "--is-inside-work-tree"]);
+      return output.trim() === "true";
+    } catch (error) {
+      if (error instanceof GitCommandError && isNotGitError(error)) {
+        return false;
+      }
+      throw error;
+    }
+  }
+  getCommitHistory(repositoryPath) {
+    const output = this.gitClient.run(repositoryPath, [
+      "-c",
+      "core.quotepath=false",
+      "log",
+      "--use-mailmap",
+      "--no-merges",
+      "--date=unix",
+      `--pretty=format:${GIT_LOG_FORMAT}`,
+      "--numstat",
+      "--find-renames"
+    ]);
+    return parseGitLog(output);
+  }
+};
+var analyzeRepositoryEvolutionFromGit = (input) => {
+  const historyProvider = new GitCliHistoryProvider(new ExecGitCommandClient());
+  return analyzeRepositoryEvolution(input, historyProvider);
 };
 
 // src/application/run-analyze-command.ts
-var runAnalyzeCommand = (inputPath) => {
+var resolveTargetPath = (inputPath, cwd) => resolve2(cwd, inputPath ?? ".");
+var runAnalyzeCommand = async (inputPath, authorIdentityMode) => {
   const invocationCwd = process.env["INIT_CWD"] ?? process.cwd();
-  const target = resolveTargetPath(inputPath, invocationCwd);
-  const summary = buildProjectGraphSummary({ projectPath: target.absolutePath });
+  const targetPath = resolveTargetPath(inputPath, invocationCwd);
+  const structural = buildProjectGraphSummary({ projectPath: targetPath });
+  const evolution = analyzeRepositoryEvolutionFromGit({
+    repositoryPath: targetPath,
+    config: { authorIdentityMode }
+  });
+  const external = await analyzeDependencyExposureFromProject({ repositoryPath: targetPath });
+  const summary = {
+    structural,
+    evolution,
+    external
+  };
   return JSON.stringify(summary, null, 2);
 };
 
 // src/index.ts
 var program = new Command();
 var packageJsonPath = resolve3(dirname(fileURLToPath(import.meta.url)), "../package.json");
-var { version } = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+var { version } = JSON.parse(readFileSync2(packageJsonPath, "utf8"));
 program.name("codesentinel").description("Structural and evolutionary risk analysis for TypeScript/JavaScript codebases").version(version);
-program.command("analyze").argument("[path]", "path to the project to analyze").action((path) => {
-  const output = runAnalyzeCommand(path);
+program.command("analyze").argument("[path]", "path to the project to analyze").addOption(
+  new Option(
+    "--author-identity <mode>",
+    "author identity mode: likely_merge (heuristic) or strict_email (deterministic)"
+  ).choices(["likely_merge", "strict_email"]).default("likely_merge")
+).action(async (path, options) => {
+  const output = await runAnalyzeCommand(path, options.authorIdentity);
   process.stdout.write(`${output}
 `);
 });
@@ -474,5 +1637,5 @@ if (process.argv.length <= 2) {
   program.outputHelp();
   process.exit(0);
 }
-program.parse(process.argv);
+await program.parseAsync(process.argv);
 //# sourceMappingURL=index.js.map