@codesentinel/codesentinel 1.2.0 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +93 -0
  2. package/dist/index.js +1095 -51
  3. package/dist/index.js.map +1 -1
  4. package/package.json +4 -3
package/README.md CHANGED
@@ -12,6 +12,14 @@ CodeSentinel combines three signals into a single, explainable risk profile:
12
12
  - **Evolutionary risk**: change frequency, hotspots, bus factor, volatility.
13
13
  - **External risk**: transitive dependency exposure, maintainer risk, staleness and abandonment indicators.
14
14
 
15
+ The CLI output now includes a deterministic `risk` block composed from those dimensions:
16
+
17
+ - `repositoryScore` and `normalizedScore`
18
+ - ranked `hotspots`
19
+ - `fragileClusters` (structural cycles + change coupling components)
20
+ - `dependencyAmplificationZones`
21
+ - file/module/dependency score tables
22
+
15
23
  The goal is a practical, engineering-grade model that supports both strategic architecture decisions and daily code review workflows.
16
24
 
17
25
  ## Monorepo Layout
@@ -69,6 +77,19 @@ codesentinel analyze . --author-identity likely_merge
69
77
 
70
78
  # Deterministic: strict email identity, no heuristic merging
71
79
  codesentinel analyze . --author-identity strict_email
80
+
81
+ # Quiet mode (only JSON output)
82
+ codesentinel analyze . --log-level silent
83
+
84
+ # Verbose diagnostics to stderr
85
+ codesentinel analyze . --log-level debug
86
+
87
+ # Default compact output (summary)
88
+ codesentinel analyze .
89
+
90
+ # Full output (all sections and detailed arrays)
91
+ codesentinel analyze . --output json
92
+ codesentinel analyze . --json
72
93
  ```
73
94
 
74
95
  Notes:
@@ -77,6 +98,11 @@ Notes:
77
98
  - `strict_email` treats each canonical email as a distinct author, which avoids false merges but can split the same person across multiple emails.
78
99
  - Git mailmap is enabled (`git log --use-mailmap`). Put `.mailmap` in the repository being analyzed (the `codesentinel analyze [path]` target). Git will then deterministically unify known aliases before CodeSentinel computes `authorDistribution`.
79
100
  - `authorDistribution` returns whichever identity mode is selected.
101
+ - Logs are emitted to `stderr` and JSON output is written to `stdout`, so CI redirection still works.
102
+ - You can set a default log level with `CODESENTINEL_LOG_LEVEL` (`silent|error|warn|info|debug`).
103
+ - At `info`/`debug`, structural, evolution, and dependency stages report progress so long analyses are observable.
104
+ - `--output summary` (default) prints a compact result for terminal use.
105
+ - `--output json` (or `--json`) prints the full analysis object.
80
106
 
81
107
  When running through pnpm, pass CLI arguments after `--`:
82
108
 
@@ -87,6 +113,73 @@ pnpm dev -- analyze ../project
87
113
  pnpm dev -- analyze . --author-identity strict_email
88
114
  ```
89
115
 
116
+ ## Understanding Analyze Output
117
+
118
+ `codesentinel analyze` returns one JSON document with four top-level blocks:
119
+
120
+ - `structural`: file dependency graph shape and graph metrics.
121
+ - `evolution`: git-derived change behavior per file and coupling pairs.
122
+ - `external`: dependency exposure for direct packages plus propagated transitive signals.
123
+ - `risk`: deterministic composition of `structural + evolution + external`.
124
+
125
+ Minimal shape:
126
+
127
+ ```json
128
+ {
129
+ "structural": { "...": "..." },
130
+ "evolution": { "...": "..." },
131
+ "external": { "...": "..." },
132
+ "risk": {
133
+ "repositoryScore": 0,
134
+ "normalizedScore": 0,
135
+ "hotspots": [],
136
+ "fragileClusters": [],
137
+ "dependencyAmplificationZones": []
138
+ }
139
+ }
140
+ ```
141
+
142
+ How to read `risk` first:
143
+
144
+ - `repositoryScore`: overall repository fragility index (`0..100`).
145
+ - `hotspots`: ranked files to inspect first.
146
+ - `fragileClusters`: groups of files with structural-cycle or co-change fragility.
147
+ - `dependencyAmplificationZones`: files where external dependency pressure intersects with local fragility.
148
+
149
+ Interpretation notes:
150
+
151
+ - Scores are deterministic for the same inputs and config.
152
+ - Scores are meant for within-repo prioritization and trend tracking.
153
+ - Full model details and limits are in `packages/risk-engine/README.md`.
154
+
155
+ ### Score Guide
156
+
157
+ Use these ranges as operational guidance:
158
+
159
+ - `0-20`: low fragility.
160
+ - `20-40`: moderate fragility.
161
+ - `40-60`: elevated fragility (prioritize top hotspots).
162
+ - `60-80`: high fragility (expect higher change coordination cost).
163
+ - `80-100`: very high fragility (investigate immediately).
164
+
165
+ These ranges are heuristics for triage, not incident probability.
166
+
167
+ ### What Moves Scores
168
+
169
+ `risk.repositoryScore` and `risk.fileScores[*].score` increase when:
170
+
171
+ - structurally central files/modules change frequently,
172
+ - ownership is highly concentrated in volatile files,
173
+ - files in central areas are exposed to high external dependency pressure,
174
+ - tightly coupled change patterns emerge.
175
+
176
+ They decrease when:
177
+
178
+ - change concentrates less around central files,
179
+ - ownership spreads or volatility decreases,
180
+ - dependency pressure decreases (shallower trees, fewer high-risk signals),
181
+ - hotspot concentration drops.
182
+
90
183
  ### External Risk Signal Semantics
91
184
 
92
185
  For `external.dependencies`, each direct dependency now exposes three signal fields: