@codesentinel/codesentinel 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +44 -0
- package/dist/index.js +830 -16
- package/dist/index.js.map +1 -1
- package/package.json +3 -2
package/README.md
CHANGED
|
@@ -61,14 +61,58 @@ codesentinel analyze .
|
|
|
61
61
|
codesentinel analyze ../project
|
|
62
62
|
```
|
|
63
63
|
|
|
64
|
+
Author identity mode:
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
# Default: heuristic merge of likely same person across emails
|
|
68
|
+
codesentinel analyze . --author-identity likely_merge
|
|
69
|
+
|
|
70
|
+
# Deterministic: strict email identity, no heuristic merging
|
|
71
|
+
codesentinel analyze . --author-identity strict_email
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
Notes:
|
|
75
|
+
|
|
76
|
+
- `likely_merge` (default) may merge multiple emails that likely belong to the same person based on repository history.
|
|
77
|
+
- `strict_email` treats each canonical email as a distinct author, which avoids false merges but can split the same person across multiple emails.
|
|
78
|
+
- Git mailmap is enabled (`git log --use-mailmap`). Put `.mailmap` in the repository being analyzed (the `codesentinel analyze [path]` target). Git will then deterministically unify known aliases before CodeSentinel computes `authorDistribution`.
|
|
79
|
+
- `authorDistribution` returns whichever identity mode is selected.
|
|
80
|
+
|
|
64
81
|
When running through pnpm, pass CLI arguments after `--`:
|
|
65
82
|
|
|
66
83
|
```bash
|
|
67
84
|
pnpm dev -- analyze
|
|
68
85
|
pnpm dev -- analyze .
|
|
69
86
|
pnpm dev -- analyze ../project
|
|
87
|
+
pnpm dev -- analyze . --author-identity strict_email
|
|
70
88
|
```
|
|
71
89
|
|
|
90
|
+
### External Risk Signal Semantics
|
|
91
|
+
|
|
92
|
+
For `external.dependencies`, each direct dependency now exposes three signal fields:
|
|
93
|
+
|
|
94
|
+
- `ownRiskSignals`: signals computed from that package itself.
|
|
95
|
+
- `inheritedRiskSignals`: signals propagated from transitive dependencies in its subtree.
|
|
96
|
+
- `riskSignals`: union of `ownRiskSignals` and `inheritedRiskSignals`.
|
|
97
|
+
|
|
98
|
+
Propagation policy is explicit and deterministic:
|
|
99
|
+
|
|
100
|
+
- `single_maintainer`: **not propagated**
|
|
101
|
+
- Rationale: maintainer concentration is package-specific governance, not a transferable property.
|
|
102
|
+
- `abandoned`: **propagated**
|
|
103
|
+
- Rationale: depending on abandoned transitive packages is still real operational exposure.
|
|
104
|
+
- Note: `abandonedDependencies` list only includes packages with **own** `abandoned`.
|
|
105
|
+
- `high_centrality`: **propagated**
|
|
106
|
+
- Rationale: highly central transitive packages can become systemic weak points for a parent dependency.
|
|
107
|
+
- `deep_chain`: **propagated**
|
|
108
|
+
- Rationale: deep transitive trees increase update/debug complexity for top-level dependencies.
|
|
109
|
+
- `high_fanout`: **propagated**
|
|
110
|
+
- Rationale: broad transitive fan-out increases blast radius and maintenance surface.
|
|
111
|
+
- `metadata_unavailable`: **not propagated**
|
|
112
|
+
- Rationale: unknown metadata for one child should not automatically degrade parent classification.
|
|
113
|
+
|
|
114
|
+
This keeps package-level facts local while still surfacing meaningful transitive exposure.
|
|
115
|
+
|
|
72
116
|
## Release Automation
|
|
73
117
|
|
|
74
118
|
- Pull requests to `main` run build and tests via `.github/workflows/ci.yml`.
|