@codesentinel/codesentinel 1.1.0 → 1.2.0

package/dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command } from "commander";
-import { readFileSync } from "fs";
+import { Command, Option } from "commander";
+import { readFileSync as readFileSync2 } from "fs";
 import { dirname, resolve as resolve3 } from "path";
 import { fileURLToPath } from "url";
 
@@ -448,10 +448,794 @@ var buildProjectGraphSummary = (input) => {
   return createGraphAnalysisSummary(input.projectPath, graphData);
 };
 
+// ../dependency-firewall/dist/index.js
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+var round4 = (value) => Number(value.toFixed(4));
+var normalizeNodes = (nodes) => {
+  const byName = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    const bucket = byName.get(node.name) ?? [];
+    bucket.push(node);
+    byName.set(node.name, bucket);
+  }
+  const normalized = [];
+  for (const [name, candidates] of byName.entries()) {
+    if (candidates.length === 0) {
+      continue;
+    }
+    candidates.sort((a, b) => b.version.localeCompare(a.version));
+    const selected = candidates[0];
+    if (selected === void 0) {
+      continue;
+    }
+    const deps = selected.dependencies.map((dep) => {
+      const at = dep.lastIndexOf("@");
+      return at <= 0 ? dep : dep.slice(0, at);
+    }).filter((depName) => depName.length > 0).sort((a, b) => a.localeCompare(b));
+    normalized.push({
+      key: `${name}@${selected.version}`,
+      name,
+      version: selected.version,
+      dependencies: deps
+    });
+  }
+  return normalized.sort((a, b) => a.name.localeCompare(b.name));
+};
+var computeDepths = (nodeByName, directNames) => {
+  const visiting = /* @__PURE__ */ new Set();
+  const depthByName = /* @__PURE__ */ new Map();
+  const compute = (name) => {
+    const known = depthByName.get(name);
+    if (known !== void 0) {
+      return known;
+    }
+    if (visiting.has(name)) {
+      return 0;
+    }
+    visiting.add(name);
+    const node = nodeByName.get(name);
+    if (node === void 0) {
+      visiting.delete(name);
+      depthByName.set(name, 0);
+      return 0;
+    }
+    let maxChildDepth = 0;
+    for (const dependencyName of node.dependencies) {
+      const childDepth = compute(dependencyName);
+      if (childDepth > maxChildDepth) {
+        maxChildDepth = childDepth;
+      }
+    }
+    visiting.delete(name);
+    const ownDepth = directNames.has(name) ? 0 : maxChildDepth + 1;
+    depthByName.set(name, ownDepth);
+    return ownDepth;
+  };
+  for (const name of nodeByName.keys()) {
+    compute(name);
+  }
+  let maxDepth = 0;
+  for (const depth of depthByName.values()) {
+    if (depth > maxDepth) {
+      maxDepth = depth;
+    }
+  }
+  return { depthByName, maxDepth };
+};
+var rankCentrality = (nodes, dependentsByName, directNames, topN) => [...nodes].map((node) => ({
+  name: node.name,
+  dependents: dependentsByName.get(node.name) ?? 0,
+  fanOut: node.dependencies.length,
+  direct: directNames.has(node.name)
+})).sort(
+  (a, b) => b.dependents - a.dependents || b.fanOut - a.fanOut || a.name.localeCompare(b.name)
+).slice(0, topN);
+var canPropagateSignal = (signal) => signal === "abandoned" || signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout";
+var collectTransitiveDependencies = (rootName, nodeByName) => {
+  const seen = /* @__PURE__ */ new Set();
+  const stack = [...nodeByName.get(rootName)?.dependencies ?? []];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (current === void 0 || seen.has(current) || current === rootName) {
+      continue;
+    }
+    seen.add(current);
+    const currentNode = nodeByName.get(current);
+    if (currentNode === void 0) {
+      continue;
+    }
+    for (const next of currentNode.dependencies) {
+      if (!seen.has(next)) {
+        stack.push(next);
+      }
+    }
+  }
+  return [...seen].sort((a, b) => a.localeCompare(b));
+};
+var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, config) => {
+  const nodes = normalizeNodes(extraction.nodes);
+  const directNames = new Set(extraction.directDependencies.map((dep) => dep.name));
+  const directSpecByName = new Map(extraction.directDependencies.map((dep) => [dep.name, dep.requestedRange]));
+  const nodeByName = new Map(nodes.map((node) => [node.name, node]));
+  const dependentsByName = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    dependentsByName.set(node.name, dependentsByName.get(node.name) ?? 0);
+  }
+  for (const node of nodes) {
+    for (const dependencyName of node.dependencies) {
+      if (!nodeByName.has(dependencyName)) {
+        continue;
+      }
+      dependentsByName.set(dependencyName, (dependentsByName.get(dependencyName) ?? 0) + 1);
+    }
+  }
+  const { depthByName, maxDepth } = computeDepths(nodeByName, directNames);
+  const centralityRanking = rankCentrality(nodes, dependentsByName, directNames, config.centralityTopN);
+  const topCentralNames = new Set(
+    centralityRanking.slice(0, Math.max(1, Math.ceil(centralityRanking.length * 0.25))).map((entry) => entry.name)
+  );
+  const allDependencies = [];
+  let metadataAvailableCount = 0;
+  for (const node of nodes) {
+    const metadata = metadataByKey.get(node.key) ?? null;
+    if (metadata !== null) {
+      metadataAvailableCount += 1;
+    }
+    const dependencyDepth = depthByName.get(node.name) ?? 0;
+    const dependents = dependentsByName.get(node.name) ?? 0;
+    const riskSignals = [];
+    if ((metadata?.maintainerCount ?? 0) === 1) {
+      riskSignals.push("single_maintainer");
+    }
+    if ((metadata?.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold) {
+      riskSignals.push("abandoned");
+    }
+    if (topCentralNames.has(node.name) && dependents > 0) {
+      riskSignals.push("high_centrality");
+    }
+    if (dependencyDepth >= config.deepChainThreshold) {
+      riskSignals.push("deep_chain");
+    }
+    if (node.dependencies.length >= config.fanOutHighThreshold) {
+      riskSignals.push("high_fanout");
+    }
+    if (metadata === null) {
+      riskSignals.push("metadata_unavailable");
+    }
+    allDependencies.push({
+      name: node.name,
+      direct: directNames.has(node.name),
+      requestedRange: directSpecByName.get(node.name) ?? null,
+      resolvedVersion: node.version,
+      transitiveDependencies: [],
+      dependencyDepth,
+      fanOut: node.dependencies.length,
+      dependents,
+      maintainerCount: metadata?.maintainerCount ?? null,
+      releaseFrequencyDays: metadata?.releaseFrequencyDays ?? null,
+      daysSinceLastRelease: metadata?.daysSinceLastRelease ?? null,
+      repositoryActivity30d: metadata?.repositoryActivity30d ?? null,
+      busFactor: metadata?.busFactor ?? null,
+      ownRiskSignals: [...riskSignals].sort((a, b) => a.localeCompare(b)),
+      inheritedRiskSignals: [],
+      riskSignals
+    });
+  }
+  allDependencies.sort((a, b) => a.name.localeCompare(b.name));
+  const allByName = new Map(allDependencies.map((dep) => [dep.name, dep]));
+  const dependencies = allDependencies.filter((dep) => dep.direct).map((dep) => {
+    const transitiveDependencies = collectTransitiveDependencies(dep.name, nodeByName);
+    const inheritedSignals = /* @__PURE__ */ new Set();
+    const allSignals = new Set(dep.ownRiskSignals);
+    for (const transitiveName of transitiveDependencies) {
+      const transitive = allByName.get(transitiveName);
+      if (transitive === void 0) {
+        continue;
+      }
+      for (const signal of transitive.riskSignals) {
+        if (canPropagateSignal(signal)) {
+          inheritedSignals.add(signal);
+          allSignals.add(signal);
+        }
+      }
+    }
+    return {
+      ...dep,
+      transitiveDependencies,
+      inheritedRiskSignals: [...inheritedSignals].sort((a, b) => a.localeCompare(b)),
+      riskSignals: [...allSignals].sort((a, b) => a.localeCompare(b))
+    };
+  }).sort((a, b) => a.name.localeCompare(b.name));
+  const highRiskDependencies = dependencies.filter((dep) => dep.riskSignals.length > 1).sort((a, b) => b.riskSignals.length - a.riskSignals.length || a.name.localeCompare(b.name)).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
+  const singleMaintainerDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("single_maintainer")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
+  const abandonedDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("abandoned")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
+  return {
+    targetPath,
+    available: true,
+    metrics: {
+      totalDependencies: allDependencies.length,
+      directDependencies: dependencies.length,
+      transitiveDependencies: allDependencies.length - dependencies.length,
+      dependencyDepth: maxDepth,
+      lockfileKind: extraction.kind,
+      metadataCoverage: allDependencies.length === 0 ? 0 : round4(metadataAvailableCount / allDependencies.length)
+    },
+    dependencies,
+    highRiskDependencies,
+    singleMaintainerDependencies,
+    abandonedDependencies,
+    centralityRanking
+  };
+};
+var DEFAULT_EXTERNAL_ANALYSIS_CONFIG = {
+  abandonedDaysThreshold: 540,
+  deepChainThreshold: 6,
+  fanOutHighThreshold: 25,
+  centralityTopN: 20,
+  maxHighRiskDependencies: 100,
+  metadataRequestConcurrency: 8
+};
+var LOCKFILE_CANDIDATES = [
+  { fileName: "pnpm-lock.yaml", kind: "pnpm" },
+  { fileName: "package-lock.json", kind: "npm" },
+  { fileName: "npm-shrinkwrap.json", kind: "npm-shrinkwrap" },
+  { fileName: "yarn.lock", kind: "yarn" },
+  { fileName: "bun.lock", kind: "bun" },
+  { fileName: "bun.lockb", kind: "bun" }
+];
+var loadPackageJson = (repositoryPath) => {
+  const packageJsonPath2 = join(repositoryPath, "package.json");
+  if (!existsSync(packageJsonPath2)) {
+    return null;
+  }
+  return {
+    path: packageJsonPath2,
+    raw: readFileSync(packageJsonPath2, "utf8")
+  };
+};
+var selectLockfile = (repositoryPath) => {
+  for (const candidate of LOCKFILE_CANDIDATES) {
+    const absolutePath = join(repositoryPath, candidate.fileName);
+    if (!existsSync(absolutePath)) {
+      continue;
+    }
+    return {
+      path: absolutePath,
+      kind: candidate.kind,
+      raw: readFileSync(absolutePath, "utf8")
+    };
+  }
+  return null;
+};
+var parsePackageJson = (raw) => {
+  const parsed = JSON.parse(raw);
+  const merged = /* @__PURE__ */ new Map();
+  for (const block of [
+    parsed.dependencies,
+    parsed.devDependencies,
+    parsed.optionalDependencies,
+    parsed.peerDependencies
+  ]) {
+    if (block === void 0) {
+      continue;
+    }
+    for (const [name, versionRange] of Object.entries(block)) {
+      merged.set(name, versionRange);
+    }
+  }
+  return [...merged.entries()].map(([name, requestedRange]) => ({ name, requestedRange })).sort((a, b) => a.name.localeCompare(b.name));
+};
+var parsePackageLock = (raw, directSpecs) => {
+  const parsed = JSON.parse(raw);
+  const nodes = [];
+  if (parsed.packages !== void 0) {
+    for (const [packagePath, packageData] of Object.entries(parsed.packages)) {
+      if (packagePath.length === 0 || packageData.version === void 0) {
+        continue;
+      }
+      const segments = packagePath.split("node_modules/");
+      const name = segments[segments.length - 1] ?? "";
+      if (name.length === 0) {
+        continue;
+      }
+      const dependencies = Object.entries(packageData.dependencies ?? {}).map(([depName, depRange]) => `${depName}@${String(depRange)}`).sort((a, b) => a.localeCompare(b));
+      nodes.push({
+        name,
+        version: packageData.version,
+        dependencies
+      });
+    }
+  } else if (parsed.dependencies !== void 0) {
+    for (const [name, dep] of Object.entries(parsed.dependencies)) {
+      if (dep.version === void 0) {
+        continue;
+      }
+      const dependencies = Object.entries(dep.dependencies ?? {}).map(([depName, depVersion]) => `${depName}@${String(depVersion)}`).sort((a, b) => a.localeCompare(b));
+      nodes.push({
+        name,
+        version: dep.version,
+        dependencies
+      });
+    }
+  }
+  nodes.sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
+  return {
+    kind: "npm",
+    directDependencies: directSpecs,
+    nodes
+  };
+};
+var sanitizeValue = (value) => value.replace(/^['"]|['"]$/g, "").trim();
+var parsePackageKey = (rawKey) => {
+  const key = sanitizeValue(rawKey.replace(/:$/, ""));
+  const withoutSlash = key.startsWith("/") ? key.slice(1) : key;
+  const lastAt = withoutSlash.lastIndexOf("@");
+  if (lastAt <= 0) {
+    return null;
+  }
+  const name = withoutSlash.slice(0, lastAt);
+  const versionWithPeers = withoutSlash.slice(lastAt + 1);
+  const version2 = versionWithPeers.split("(")[0] ?? versionWithPeers;
+  if (name.length === 0 || version2.length === 0) {
+    return null;
+  }
+  return { name, version: version2 };
+};
+var parsePnpmLockfile = (raw, directSpecs) => {
+  const lines = raw.split("\n");
+  let state = "root";
+  let currentPackage = null;
+  let currentDependencyName = null;
+  const dependenciesByNode = /* @__PURE__ */ new Map();
+  for (const line of lines) {
+    if (line.trim().length === 0 || line.trimStart().startsWith("#")) {
+      continue;
+    }
+    if (line.startsWith("importers:")) {
+      state = "importers";
+      continue;
+    }
+    if (line.startsWith("packages:")) {
+      state = "packages";
+      continue;
+    }
+    if (state === "packages" || state === "packageDeps") {
+      const packageMatch = line.match(/^\s{2}([^\s].+):\s*$/);
+      if (packageMatch !== null) {
+        const parsedKey = parsePackageKey(packageMatch[1] ?? "");
+        if (parsedKey !== null) {
+          currentPackage = `${parsedKey.name}@${parsedKey.version}`;
+          dependenciesByNode.set(currentPackage, /* @__PURE__ */ new Set());
+          state = "packageDeps";
+          currentDependencyName = null;
+        }
+        continue;
+      }
+    }
+    if (state === "packageDeps" && currentPackage !== null) {
+      const depLine = line.match(/^\s{6}([^:\s]+):\s*(.+)$/);
+      if (depLine !== null) {
+        const depName = sanitizeValue(depLine[1] ?? "");
+        const depRef = sanitizeValue(depLine[2] ?? "");
+        const depVersion = depRef.split("(")[0] ?? depRef;
+        if (depName.length > 0 && depVersion.length > 0) {
+          dependenciesByNode.get(currentPackage)?.add(`${depName}@${depVersion}`);
+        }
+        currentDependencyName = null;
+        continue;
+      }
+      const depBlockLine = line.match(/^\s{6}([^:\s]+):\s*$/);
+      if (depBlockLine !== null) {
+        currentDependencyName = sanitizeValue(depBlockLine[1] ?? "");
+        continue;
+      }
+      const depVersionLine = line.match(/^\s{8}version:\s*(.+)$/);
+      if (depVersionLine !== null && currentDependencyName !== null) {
+        const depRef = sanitizeValue(depVersionLine[1] ?? "");
+        const depVersion = depRef.split("(")[0] ?? depRef;
+        if (depVersion.length > 0) {
+          dependenciesByNode.get(currentPackage)?.add(`${currentDependencyName}@${depVersion}`);
+        }
+        currentDependencyName = null;
+        continue;
+      }
+      if (line.match(/^\s{4}(dependencies|optionalDependencies):\s*$/) !== null) {
+        continue;
+      }
+    }
+  }
+  const nodes = [...dependenciesByNode.entries()].map(([nodeId, deps]) => {
+    const at = nodeId.lastIndexOf("@");
+    return {
+      name: nodeId.slice(0, at),
+      version: nodeId.slice(at + 1),
+      dependencies: [...deps].sort((a, b) => a.localeCompare(b))
+    };
+  }).sort(
+    (a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version)
+  );
+  return {
+    kind: "pnpm",
+    directDependencies: directSpecs,
+    nodes
+  };
+};
+var stripQuotes = (value) => value.replace(/^['"]|['"]$/g, "");
+var parseVersionSelector = (selector) => {
+  const npmIndex = selector.lastIndexOf("@npm:");
+  if (npmIndex >= 0) {
+    return selector.slice(npmIndex + 5);
+  }
+  const lastAt = selector.lastIndexOf("@");
+  if (lastAt <= 0) {
+    return null;
+  }
+  return selector.slice(lastAt + 1);
+};
+var parseYarnLock = (raw, directSpecs) => {
+  const lines = raw.split("\n");
+  const nodes = [];
+  let selectors = [];
+  let version2 = null;
+  let readingDependencies = false;
+  let dependencies = [];
+  const flushEntry = () => {
+    if (selectors.length === 0 || version2 === null) {
+      selectors = [];
+      version2 = null;
+      dependencies = [];
+      readingDependencies = false;
+      return;
+    }
+    for (const selector of selectors) {
+      const parsedVersion = parseVersionSelector(selector);
+      const at = selector.lastIndexOf("@");
+      const name = at <= 0 ? selector : selector.slice(0, at);
+      if (name.length === 0) {
+        continue;
+      }
+      nodes.push({
+        name,
+        version: version2,
+        dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
+      });
+      if (parsedVersion !== null) {
+        nodes.push({
+          name,
+          version: parsedVersion,
+          dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
+        });
+      }
+    }
+    selectors = [];
+    version2 = null;
+    dependencies = [];
+    readingDependencies = false;
+  };
+  for (const line of lines) {
+    if (line.trim().length === 0) {
+      continue;
+    }
+    if (!line.startsWith(" ") && line.endsWith(":")) {
+      flushEntry();
+      const keyText = line.slice(0, -1);
+      selectors = keyText.split(",").map((part) => stripQuotes(part.trim())).filter((part) => part.length > 0);
+      continue;
+    }
+    if (line.match(/^\s{2}version\s+/) !== null) {
+      const value = line.replace(/^\s{2}version\s+/, "").trim();
+      version2 = stripQuotes(value);
+      readingDependencies = false;
+      continue;
+    }
+    if (line.match(/^\s{2}dependencies:\s*$/) !== null) {
+      readingDependencies = true;
+      continue;
+    }
+    if (readingDependencies && line.match(/^\s{4}[^\s].+$/) !== null) {
+      const depLine = line.trim();
+      const firstSpace = depLine.indexOf(" ");
+      if (firstSpace <= 0) {
+        continue;
+      }
+      const depName = stripQuotes(depLine.slice(0, firstSpace));
+      const depRef = stripQuotes(depLine.slice(firstSpace + 1).trim());
+      const depVersion = parseVersionSelector(depRef) ?? depRef;
+      dependencies.push(`${depName}@${depVersion}`);
+      continue;
+    }
+    readingDependencies = false;
+  }
+  flushEntry();
+  const deduped = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    const key = `${node.name}@${node.version}`;
+    if (!deduped.has(key)) {
+      deduped.set(key, node);
+    }
+  }
+  return {
+    kind: "yarn",
+    directDependencies: directSpecs,
+    nodes: [...deduped.values()].sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version))
+  };
+};
+var parseBunLock = (_raw, _directSpecs) => {
+  throw new Error("unsupported_lockfile_format");
+};
+var withDefaults = (overrides) => ({
+  ...DEFAULT_EXTERNAL_ANALYSIS_CONFIG,
+  ...overrides
+});
+var parseExtraction = (lockfileKind, lockfileRaw, directSpecs) => {
+  switch (lockfileKind) {
+    case "pnpm":
+      return parsePnpmLockfile(lockfileRaw, directSpecs);
+    case "npm":
+    case "npm-shrinkwrap":
+      return {
+        ...parsePackageLock(lockfileRaw, directSpecs),
+        kind: lockfileKind
+      };
+    case "yarn":
+      return parseYarnLock(lockfileRaw, directSpecs);
+    case "bun":
+      return parseBunLock(lockfileRaw, directSpecs);
+    default:
+      throw new Error("unsupported_lockfile_format");
+  }
+};
+var mapWithConcurrency = async (values, limit, handler) => {
+  const effectiveLimit = Math.max(1, limit);
+  const results = new Array(values.length);
+  let index = 0;
+  const workers = Array.from({ length: Math.min(effectiveLimit, values.length) }, async () => {
+    for (; ; ) {
+      const current = index;
+      index += 1;
+      if (current >= values.length) {
+        return;
+      }
+      const value = values[current];
+      if (value === void 0) {
+        return;
+      }
+      results[current] = await handler(value);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+};
+var analyzeDependencyExposure = async (input, metadataProvider) => {
+  const packageJson = loadPackageJson(input.repositoryPath);
+  if (packageJson === null) {
+    return {
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "package_json_not_found"
+    };
+  }
+  const lockfile = selectLockfile(input.repositoryPath);
+  if (lockfile === null) {
+    return {
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "lockfile_not_found"
+    };
+  }
+  try {
+    const directSpecs = parsePackageJson(packageJson.raw);
+    const extraction = parseExtraction(lockfile.kind, lockfile.raw, directSpecs);
+    const config = withDefaults(input.config);
+    const metadataEntries = await mapWithConcurrency(
+      extraction.nodes,
+      config.metadataRequestConcurrency,
+      async (node) => ({
+        key: `${node.name}@${node.version}`,
+        metadata: await metadataProvider.getMetadata(node.name, node.version)
+      })
+    );
+    const metadataByKey = /* @__PURE__ */ new Map();
+    for (const entry of metadataEntries) {
+      metadataByKey.set(entry.key, entry.metadata);
+    }
+    return buildExternalAnalysisSummary(input.repositoryPath, extraction, metadataByKey, config);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "unknown";
+    if (message.includes("unsupported_lockfile_format")) {
+      return {
+        targetPath: input.repositoryPath,
+        available: false,
+        reason: "unsupported_lockfile_format"
+      };
+    }
+    return {
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "invalid_lockfile"
+    };
+  }
+};
+var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
+var round42 = (value) => Number(value.toFixed(4));
+var parseDate = (iso) => {
+  if (iso === void 0) {
+    return null;
+  }
+  const value = Date.parse(iso);
+  return Number.isNaN(value) ? null : value;
+};
+var NpmRegistryMetadataProvider = class {
+  cache = /* @__PURE__ */ new Map();
+  async getMetadata(name, version2) {
+    const key = `${name}@${version2}`;
+    if (this.cache.has(key)) {
+      return this.cache.get(key) ?? null;
+    }
+    try {
+      const encodedName = encodeURIComponent(name);
+      const response = await fetch(`https://registry.npmjs.org/${encodedName}`);
+      if (!response.ok) {
+        this.cache.set(key, null);
+        return null;
+      }
+      const payload = await response.json();
+      const timeEntries = payload.time ?? {};
+      const publishDates = Object.entries(timeEntries).filter(([tag]) => tag !== "created" && tag !== "modified").map(([, date]) => parseDate(date)).filter((value) => value !== null).sort((a, b) => a - b);
+      const modifiedAt = parseDate(timeEntries["modified"]);
+      const now = Date.now();
+      const daysSinceLastRelease = modifiedAt === null ? null : Math.max(0, round42((now - modifiedAt) / ONE_DAY_MS));
+      let releaseFrequencyDays = null;
+      if (publishDates.length >= 2) {
+        const totalIntervals = publishDates.length - 1;
+        let sum = 0;
+        for (let i = 1; i < publishDates.length; i += 1) {
+          const current = publishDates[i];
+          const previous = publishDates[i - 1];
+          if (current !== void 0 && previous !== void 0) {
+            sum += current - previous;
+          }
+        }
+        releaseFrequencyDays = round42(sum / totalIntervals / ONE_DAY_MS);
+      }
+      const maintainers = payload.maintainers ?? [];
+      const maintainerCount = maintainers.length > 0 ? maintainers.length : null;
+      const metadata = {
+        name,
+        version: version2,
+        maintainerCount,
+        releaseFrequencyDays,
+        daysSinceLastRelease,
+        repositoryActivity30d: null,
+        busFactor: null
+      };
+      this.cache.set(key, metadata);
+      return metadata;
+    } catch {
+      this.cache.set(key, null);
+      return null;
+    }
+  }
+};
+var NoopMetadataProvider = class {
+  async getMetadata(_name, _version) {
+    return null;
+  }
+};
+var analyzeDependencyExposureFromProject = async (input) => {
+  const metadataProvider = process.env["CODESENTINEL_EXTERNAL_METADATA"] === "none" ? new NoopMetadataProvider() : new NpmRegistryMetadataProvider();
+  return analyzeDependencyExposure(input, metadataProvider);
+};
+
 // ../git-analyzer/dist/index.js
 import { execFileSync } from "child_process";
 var pairKey = (a, b) => `${a}\0${b}`;
-var round4 = (value) => Number(value.toFixed(4));
+var round43 = (value) => Number(value.toFixed(4));
+var normalizeName = (value) => value.toLowerCase().replace(/[^a-z0-9\s]/g, " ").replace(/\s+/g, " ").trim();
+var extractEmailStem = (authorId) => {
+  const normalized = authorId.trim().toLowerCase();
+  const githubNoReplyMatch = normalized.match(/^\d+\+([^@]+)@users\.noreply\.github\.com$/);
+  if (githubNoReplyMatch?.[1] !== void 0) {
+    return githubNoReplyMatch[1].replace(/[._+-]/g, "");
+  }
+  const atIndex = normalized.indexOf("@");
+  if (atIndex <= 0) {
+    return null;
+  }
+  return normalized.slice(0, atIndex).replace(/[._+-]/g, "");
+};
+var areNamesCompatible = (left, right) => {
+  if (left.length === 0 || right.length === 0) {
+    return false;
+  }
+  if (left === right) {
+    return true;
+  }
+  if (left.startsWith(`${right} `) || right.startsWith(`${left} `)) {
+    return true;
+  }
+  return false;
+};
+var chooseCanonicalAuthorId = (profiles) => {
+  const ordered = [...profiles].sort((a, b) => {
+    const aIsNoReply = a.authorId.includes("@users.noreply.github.com");
+    const bIsNoReply = b.authorId.includes("@users.noreply.github.com");
+    if (aIsNoReply !== bIsNoReply) {
+      return aIsNoReply ? 1 : -1;
+    }
+    if (a.commitCount !== b.commitCount) {
+      return b.commitCount - a.commitCount;
+    }
+    return a.authorId.localeCompare(b.authorId);
+  });
+  return ordered[0]?.authorId ?? "";
+};
+var buildAuthorAliasMap = (commits) => {
+  const nameCountsByAuthorId = /* @__PURE__ */ new Map();
+  const commitCountByAuthorId = /* @__PURE__ */ new Map();
+  for (const commit of commits) {
+    commitCountByAuthorId.set(commit.authorId, (commitCountByAuthorId.get(commit.authorId) ?? 0) + 1);
+    const normalizedName = normalizeName(commit.authorName);
+    const names = nameCountsByAuthorId.get(commit.authorId) ?? /* @__PURE__ */ new Map();
+    if (normalizedName.length > 0) {
+      names.set(normalizedName, (names.get(normalizedName) ?? 0) + 1);
+    }
+    nameCountsByAuthorId.set(commit.authorId, names);
+  }
+  const profiles = [...commitCountByAuthorId.entries()].map(([authorId, commitCount]) => {
+    const names = nameCountsByAuthorId.get(authorId);
+    const primaryName = names === void 0 ? "" : [...names.entries()].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))[0]?.[0] ?? "";
+    const normalizedAuthorId = authorId.toLowerCase();
+    const isBot = normalizedAuthorId.includes("[bot]");
+    return {
+      authorId,
+      commitCount,
+      primaryName,
+      emailStem: isBot ? null : extractEmailStem(authorId),
+      isBot
+    };
+  });
+  const groupsByStem = /* @__PURE__ */ new Map();
+  for (const profile of profiles) {
+    if (profile.emailStem === null || profile.emailStem.length < 4) {
+      continue;
+    }
+    const current = groupsByStem.get(profile.emailStem) ?? [];
+    current.push(profile);
+    groupsByStem.set(profile.emailStem, current);
+  }
+  const aliasMap = /* @__PURE__ */ new Map();
+  for (const profile of profiles) {
+    aliasMap.set(profile.authorId, profile.authorId);
+  }
+  for (const group of groupsByStem.values()) {
+    if (group.length < 2) {
+      continue;
+    }
+    const compatible = [];
+    for (const profile of group) {
+      if (profile.isBot || profile.primaryName.length === 0) {
+        continue;
+      }
+      compatible.push(profile);
+    }
+    if (compatible.length < 2) {
+      continue;
+    }
+    const canonical = chooseCanonicalAuthorId(compatible);
+    const canonicalProfile = compatible.find((candidate) => candidate.authorId === canonical);
+    if (canonicalProfile === void 0) {
+      continue;
+    }
+    for (const profile of compatible) {
+      if (areNamesCompatible(profile.primaryName, canonicalProfile.primaryName)) {
+        aliasMap.set(profile.authorId, canonical);
+      }
+    }
+  }
+  return aliasMap;
+};
 var computeBusFactor = (authorDistribution, threshold) => {
   if (authorDistribution.length === 0) {
     return 0;
@@ -477,7 +1261,7 @@ var finalizeAuthorDistribution = (authorCommits) => {
   return [...authorCommits.entries()].map(([authorId, commits]) => ({
     authorId,
     commits,
-    share: round4(commits / totalCommits)
+    share: round43(commits / totalCommits)
   })).sort((a, b) => b.commits - a.commits || a.authorId.localeCompare(b.authorId));
 };
 var buildCouplingMatrix = (coChangeByPair, fileCommitCount, consideredCommits, skippedLargeCommits, maxCouplingPairs) => {
@@ -490,7 +1274,7 @@ var buildCouplingMatrix = (coChangeByPair, fileCommitCount, consideredCommits, s
     const fileACommits = fileCommitCount.get(fileA) ?? 0;
     const fileBCommits = fileCommitCount.get(fileB) ?? 0;
     const denominator = fileACommits + fileBCommits - coChangeCommits;
-    const couplingScore = denominator === 0 ? 0 : round4(coChangeCommits / denominator);
+    const couplingScore = denominator === 0 ? 0 : round43(coChangeCommits / denominator);
     allPairs.push({
       fileA,
       fileB,
@@ -529,6 +1313,7 @@ var selectHotspots = (files, config) => {
   return { hotspots, threshold };
 };
 var computeRepositoryEvolutionSummary = (targetPath, commits, config) => {
+  const authorAliasById = config.authorIdentityMode === "likely_merge" ? buildAuthorAliasMap(commits) : /* @__PURE__ */ new Map();
   const fileStats = /* @__PURE__ */ new Map();
   const coChangeByPair = /* @__PURE__ */ new Map();
   const headCommitTimestamp = commits.length === 0 ? null : commits[commits.length - 1]?.authoredAtUnix ?? null;
@@ -559,7 +1344,8 @@ var computeRepositoryEvolutionSummary = (targetPath, commits, config) => {
       if (commit.authoredAtUnix >= recentWindowStart) {
         current.recentCommitCount += 1;
       }
-      current.authors.set(commit.authorId, (current.authors.get(commit.authorId) ?? 0) + 1);
+      const effectiveAuthorId = authorAliasById.get(commit.authorId) ?? commit.authorId;
+      current.authors.set(effectiveAuthorId, (current.authors.get(effectiveAuthorId) ?? 0) + 1);
     }
     const orderedFiles = [...uniqueFiles].sort((a, b) => a.localeCompare(b));
     if (orderedFiles.length > 1) {
@@ -587,12 +1373,12 @@ var computeRepositoryEvolutionSummary = (targetPath, commits, config) => {
     return {
       filePath,
       commitCount: stats.commitCount,
-      frequencyPer100Commits: commits.length === 0 ? 0 : round4(stats.commitCount / commits.length * 100),
+      frequencyPer100Commits: commits.length === 0 ? 0 : round43(stats.commitCount / commits.length * 100),
       churnAdded: stats.churnAdded,
       churnDeleted: stats.churnDeleted,
       churnTotal: stats.churnAdded + stats.churnDeleted,
       recentCommitCount: stats.recentCommitCount,
-      recentVolatility: stats.commitCount === 0 ? 0 : round4(stats.recentCommitCount / stats.commitCount),
+      recentVolatility: stats.commitCount === 0 ? 0 : round43(stats.recentCommitCount / stats.commitCount),
       topAuthorShare,
       busFactor: computeBusFactor(authorDistribution, config.busFactorCoverageThreshold),
       authorDistribution
@@ -624,6 +1410,7 @@ var computeRepositoryEvolutionSummary = (targetPath, commits, config) => {
   };
 };
 var DEFAULT_EVOLUTION_CONFIG = {
+  authorIdentityMode: "likely_merge",
   recentWindowDays: 30,
   hotspotTopPercent: 0.1,
   hotspotMinFiles: 1,
@@ -682,6 +1469,22 @@ var parseInteger = (value) => {
   }
   return parsed;
 };
+var normalizeAuthorIdentity = (authorName, authorEmail) => {
+  const normalizedName = authorName.trim().replace(/\s+/g, " ").toLowerCase();
+  const normalizedEmail = authorEmail.trim().toLowerCase();
+  if (/\[bot\]/i.test(normalizedName) || /\[bot\]/i.test(normalizedEmail)) {
+    return normalizedEmail.length > 0 ? normalizedEmail : normalizedName;
+  }
+  const githubNoReplyMatch = normalizedEmail.match(/^\d+\+([^@]+)@users\.noreply\.github\.com$/);
+  const githubHandle = githubNoReplyMatch?.[1]?.trim().toLowerCase();
+  if (githubHandle !== void 0 && githubHandle.length > 0) {
+    return `${githubHandle}@users.noreply.github.com`;
+  }
+  if (normalizedEmail.length > 0) {
+    return normalizedEmail;
+  }
+  return normalizedName;
+};
 var parseRenamedPath = (pathSpec) => {
   if (!pathSpec.includes(" => ")) {
     return pathSpec;
@@ -747,7 +1550,7 @@ var parseGitLog = (rawLog) => {
     }
     commits.push({
       hash,
-      authorId: authorEmail.toLowerCase(),
+      authorId: normalizeAuthorIdentity(authorName, authorEmail),
       authorName,
       authoredAtUnix,
       fileChanges
@@ -781,6 +1584,7 @@ var GitCliHistoryProvider = class {
       "-c",
       "core.quotepath=false",
       "log",
+      "--use-mailmap",
       "--no-merges",
       "--date=unix",
       `--pretty=format:${GIT_LOG_FORMAT}`,
@@ -797,14 +1601,19 @@ var analyzeRepositoryEvolutionFromGit = (input) => {
 
 // src/application/run-analyze-command.ts
 var resolveTargetPath = (inputPath, cwd) => resolve2(cwd, inputPath ?? ".");
-var runAnalyzeCommand = (inputPath) => {
+var runAnalyzeCommand = async (inputPath, authorIdentityMode) => {
   const invocationCwd = process.env["INIT_CWD"] ?? process.cwd();
   const targetPath = resolveTargetPath(inputPath, invocationCwd);
   const structural = buildProjectGraphSummary({ projectPath: targetPath });
-  const evolution = analyzeRepositoryEvolutionFromGit({ repositoryPath: targetPath });
+  const evolution = analyzeRepositoryEvolutionFromGit({
+    repositoryPath: targetPath,
+    config: { authorIdentityMode }
+  });
+  const external = await analyzeDependencyExposureFromProject({ repositoryPath: targetPath });
   const summary = {
     structural,
-    evolution
+    evolution,
+    external
   };
   return JSON.stringify(summary, null, 2);
 };
@@ -812,10 +1621,15 @@ var runAnalyzeCommand = (inputPath) => {
 // src/index.ts
 var program = new Command();
 var packageJsonPath = resolve3(dirname(fileURLToPath(import.meta.url)), "../package.json");
-var { version } = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+var { version } = JSON.parse(readFileSync2(packageJsonPath, "utf8"));
 program.name("codesentinel").description("Structural and evolutionary risk analysis for TypeScript/JavaScript codebases").version(version);
-program.command("analyze").argument("[path]", "path to the project to analyze").action((path) => {
-  const output = runAnalyzeCommand(path);
+program.command("analyze").argument("[path]", "path to the project to analyze").addOption(
+  new Option(
+    "--author-identity <mode>",
+    "author identity mode: likely_merge (heuristic) or strict_email (deterministic)"
+  ).choices(["likely_merge", "strict_email"]).default("likely_merge")
+).action(async (path, options) => {
+  const output = await runAnalyzeCommand(path, options.authorIdentity);
   process.stdout.write(`${output}
 `);
 });
@@ -823,5 +1637,5 @@ if (process.argv.length <= 2) {
   program.outputHelp();
   process.exit(0);
 }
-program.parse(process.argv);
+await program.parseAsync(process.argv);
 //# sourceMappingURL=index.js.map