@getcodesentinel/codesentinel 1.4.2 → 1.5.0

package/README.md

@@ -11,6 +11,7 @@ CodeSentinel combines three signals into a single, explainable risk profile:
 - **Structural risk**: dependency graph topology, cycles, coupling, fan-in/fan-out, boundary violations.
 - **Evolutionary risk**: change frequency, hotspots, bus factor, volatility.
 - **External risk**: transitive dependency exposure, maintainer risk, staleness and abandonment indicators.
+  - Includes bounded popularity dampening (weekly npm downloads) as a secondary stability signal.
 
 The CLI output now includes a deterministic `risk` block composed from those dimensions:
 
@@ -188,6 +189,12 @@ For `external.dependencies`, each direct dependency now exposes three signal fie
 - `inheritedRiskSignals`: signals propagated from transitive dependencies in its subtree.
 - `riskSignals`: union of `ownRiskSignals` and `inheritedRiskSignals`.
 
+Classification lists:
+
+- `highRiskDependencies`: **production** direct packages classified from strong **own** signals (not inherited-only signals).
+- `highRiskDevelopmentDependencies`: same classification model for direct development dependencies.
+- `transitiveExposureDependencies`: direct packages carrying inherited transitive exposure signals.
+
 Propagation policy is explicit and deterministic:
 
 - `single_maintainer`: **not propagated**

package/dist/index.js

@@ -21,7 +21,12 @@ var createSummaryShape = (summary) => ({
   external: summary.external.available ? {
     available: true,
     metrics: summary.external.metrics,
-    highRiskDependenciesTop: summary.external.highRiskDependencies.slice(0, 10)
+    highRiskDependenciesTop: summary.external.highRiskDependencies.slice(0, 10),
+    highRiskDevelopmentDependenciesTop: summary.external.highRiskDevelopmentDependencies.slice(
+      0,
+      10
+    ),
+    transitiveExposureDependenciesTop: summary.external.transitiveExposureDependencies.slice(0, 10)
   } : {
     available: false,
     reason: summary.external.reason
@@ -640,6 +645,7 @@ var buildProjectGraphSummary = (input) => {
 // ../dependency-firewall/dist/index.js
 import { existsSync, readFileSync } from "fs";
 import { join } from "path";
+import { setTimeout as sleep } from "timers/promises";
 var round4 = (value) => Number(value.toFixed(4));
 var normalizeNodes = (nodes) => {
   const byName = /* @__PURE__ */ new Map();
@@ -745,7 +751,7 @@ var collectTransitiveDependencies = (rootName, nodeByName) => {
 var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, config) => {
   const nodes = normalizeNodes(extraction.nodes);
   const directNames = new Set(extraction.directDependencies.map((dep) => dep.name));
-  const directSpecByName = new Map(extraction.directDependencies.map((dep) => [dep.name, dep.requestedRange]));
+  const directSpecByName = new Map(extraction.directDependencies.map((dep) => [dep.name, dep]));
   const nodeByName = new Map(nodes.map((node) => [node.name, node]));
   const dependentsByName = /* @__PURE__ */ new Map();
   for (const node of nodes) {
@@ -795,9 +801,11 @@ var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, confi
     allDependencies.push({
       name: node.name,
       direct: directNames.has(node.name),
-      requestedRange: directSpecByName.get(node.name) ?? null,
+      dependencyScope: directSpecByName.get(node.name)?.scope ?? "prod",
+      requestedRange: directSpecByName.get(node.name)?.requestedRange ?? null,
       resolvedVersion: node.version,
       transitiveDependencies: [],
+      weeklyDownloads: metadata?.weeklyDownloads ?? null,
       dependencyDepth,
       fanOut: node.dependencies.length,
       dependents,
@@ -836,7 +844,23 @@ var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, confi
       riskSignals: [...allSignals].sort((a, b) => a.localeCompare(b))
     };
   }).sort((a, b) => a.name.localeCompare(b.name));
-  const highRiskDependencies = dependencies.filter((dep) => dep.riskSignals.length > 1).sort((a, b) => b.riskSignals.length - a.riskSignals.length || a.name.localeCompare(b.name)).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
+  const highRiskDependencies = dependencies.filter(
+    (dep) => dep.ownRiskSignals.includes("abandoned") || dep.ownRiskSignals.filter(
+      (signal) => signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout"
+    ).length >= 2 || dep.ownRiskSignals.includes("single_maintainer") && ((dep.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold / 2 || (dep.repositoryActivity30d ?? 1) <= 0)
+  ).filter((dep) => dep.dependencyScope === "prod").sort(
+    (a, b) => b.ownRiskSignals.length - a.ownRiskSignals.length || a.name.localeCompare(b.name)
+  ).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
+  const highRiskDevelopmentDependencies = dependencies.filter(
+    (dep) => dep.dependencyScope === "dev" && (dep.ownRiskSignals.includes("abandoned") || dep.ownRiskSignals.filter(
+      (signal) => signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout"
+    ).length >= 2 || dep.ownRiskSignals.includes("single_maintainer") && ((dep.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold / 2 || (dep.repositoryActivity30d ?? 1) <= 0))
+  ).sort(
+    (a, b) => b.ownRiskSignals.length - a.ownRiskSignals.length || a.name.localeCompare(b.name)
+  ).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
+  const transitiveExposureDependencies = dependencies.filter((dep) => dep.inheritedRiskSignals.length > 0).sort(
+    (a, b) => b.inheritedRiskSignals.length - a.inheritedRiskSignals.length || a.name.localeCompare(b.name)
+  ).map((dep) => dep.name);
   const singleMaintainerDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("single_maintainer")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
   const abandonedDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("abandoned")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
   return {
@@ -845,6 +869,8 @@ var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, confi
     metrics: {
       totalDependencies: allDependencies.length,
       directDependencies: dependencies.length,
+      directProductionDependencies: dependencies.filter((dependency) => dependency.dependencyScope === "prod").length,
+      directDevelopmentDependencies: dependencies.filter((dependency) => dependency.dependencyScope === "dev").length,
       transitiveDependencies: allDependencies.length - dependencies.length,
       dependencyDepth: maxDepth,
       lockfileKind: extraction.kind,
@@ -852,6 +878,8 @@ var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, confi
     },
     dependencies,
     highRiskDependencies,
+    highRiskDevelopmentDependencies,
+    transitiveExposureDependencies,
     singleMaintainerDependencies,
     abandonedDependencies,
     centralityRanking
@@ -900,20 +928,23 @@ var selectLockfile = (repositoryPath) => {
 var parsePackageJson = (raw) => {
   const parsed = JSON.parse(raw);
   const merged = /* @__PURE__ */ new Map();
-  for (const block of [
-    parsed.dependencies,
-    parsed.devDependencies,
-    parsed.optionalDependencies,
-    parsed.peerDependencies
-  ]) {
+  const addBlock = (block, scope) => {
     if (block === void 0) {
-      continue;
+      return;
     }
     for (const [name, versionRange] of Object.entries(block)) {
-      merged.set(name, versionRange);
+      const existing = merged.get(name);
+      if (existing?.scope === "prod" && scope === "dev") {
+        continue;
+      }
+      merged.set(name, { name, requestedRange: versionRange, scope });
     }
-  }
-  return [...merged.entries()].map(([name, requestedRange]) => ({ name, requestedRange })).sort((a, b) => a.name.localeCompare(b.name));
+  };
+  addBlock(parsed.dependencies, "prod");
+  addBlock(parsed.optionalDependencies, "prod");
+  addBlock(parsed.peerDependencies, "prod");
+  addBlock(parsed.devDependencies, "dev");
+  return [...merged.values()].sort((a, b) => a.name.localeCompare(b.name));
 };
 var parsePackageLock = (raw, directSpecs) => {
   const parsed = JSON.parse(raw);
@@ -1219,6 +1250,7 @@ var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
     const directSpecs = parsePackageJson(packageJson.raw);
     const extraction = parseExtraction(lockfile.kind, lockfile.raw, directSpecs);
     const config = withDefaults(input.config);
+    const directNames = new Set(extraction.directDependencies.map((dependency) => dependency.name));
     onProgress?.({
       stage: "lockfile_parsed",
       dependencyNodes: extraction.nodes.length,
@@ -1232,7 +1264,9 @@ var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
       async (node) => {
         const result = {
           key: `${node.name}@${node.version}`,
-          metadata: await metadataProvider.getMetadata(node.name, node.version)
+          metadata: await metadataProvider.getMetadata(node.name, node.version, {
+            directDependency: directNames.has(node.name)
+          })
         };
         completed += 1;
         onProgress?.({
@@ -1274,7 +1308,35 @@ var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
     };
   }
 };
+var parseRetryAfterMs = (value) => {
+  if (value === null) {
+    return null;
+  }
+  const seconds = Number.parseInt(value, 10);
+  if (!Number.isFinite(seconds) || seconds <= 0) {
+    return null;
+  }
+  return seconds * 1e3;
+};
+var shouldRetryStatus = (status) => status === 429 || status >= 500;
+var fetchJsonWithRetry = async (url, options) => {
+  for (let attempt = 0; attempt <= options.retries; attempt += 1) {
+    const response = await fetch(url);
+    if (response.ok) {
+      return await response.json();
+    }
+    if (!shouldRetryStatus(response.status) || attempt === options.retries) {
+      return null;
+    }
+    const retryAfterMs = parseRetryAfterMs(response.headers.get("retry-after"));
+    const backoffMs = retryAfterMs ?? options.baseDelayMs * 2 ** attempt;
+    await sleep(backoffMs);
+  }
+  return null;
+};
 var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
+var MAX_RETRIES = 3;
+var RETRY_BASE_DELAY_MS = 500;
 var round42 = (value) => Number(value.toFixed(4));
 var parseDate = (iso) => {
   if (iso === void 0) {
@@ -1285,19 +1347,36 @@ var parseDate = (iso) => {
 };
 var NpmRegistryMetadataProvider = class {
   cache = /* @__PURE__ */ new Map();
-  async getMetadata(name, version2) {
+  async fetchWeeklyDownloads(name) {
+    const encodedName = encodeURIComponent(name);
+    const payload = await fetchJsonWithRetry(
+      `https://api.npmjs.org/downloads/point/last-week/${encodedName}`,
+      { retries: MAX_RETRIES, baseDelayMs: RETRY_BASE_DELAY_MS }
+    );
+    if (payload === null) {
+      return null;
+    }
+    const downloads = payload.downloads;
+    if (typeof downloads !== "number" || Number.isNaN(downloads) || downloads < 0) {
+      return null;
+    }
+    return Math.floor(downloads);
+  }
+  async getMetadata(name, version2, context) {
     const key = `${name}@${version2}`;
     if (this.cache.has(key)) {
       return this.cache.get(key) ?? null;
     }
     try {
       const encodedName = encodeURIComponent(name);
-      const response = await fetch(`https://registry.npmjs.org/${encodedName}`);
-      if (!response.ok) {
+      const payload = await fetchJsonWithRetry(
+        `https://registry.npmjs.org/${encodedName}`,
+        { retries: MAX_RETRIES, baseDelayMs: RETRY_BASE_DELAY_MS }
+      );
+      if (payload === null) {
         this.cache.set(key, null);
         return null;
       }
-      const payload = await response.json();
       const timeEntries = payload.time ?? {};
       const publishDates = Object.entries(timeEntries).filter(([tag]) => tag !== "created" && tag !== "modified").map(([, date]) => parseDate(date)).filter((value) => value !== null).sort((a, b) => a - b);
       const modifiedAt = parseDate(timeEntries["modified"]);
@@ -1318,9 +1397,11 @@ var NpmRegistryMetadataProvider = class {
       }
       const maintainers = payload.maintainers ?? [];
       const maintainerCount = maintainers.length > 0 ? maintainers.length : null;
+      const weeklyDownloads = context.directDependency ? await this.fetchWeeklyDownloads(name).catch(() => null) : null;
       const metadata = {
         name,
         version: version2,
+        weeklyDownloads,
         maintainerCount,
         releaseFrequencyDays,
         daysSinceLastRelease,
@@ -1336,7 +1417,7 @@ var NpmRegistryMetadataProvider = class {
   }
 };
 var NoopMetadataProvider = class {
-  async getMetadata(_name, _version) {
+  async getMetadata(_name, _version, _context) {
     return null;
   }
 };
@@ -1899,25 +1980,18 @@ var DEFAULT_RISK_ENGINE_CONFIG = {
     inheritedSignalMultiplier: 0.45,
     // At this age, staleness reaches 50% risk.
     abandonedHalfLifeDays: 540,
-    missingMetadataPenalty: 0.5
+    missingMetadataPenalty: 0.5,
+    // At this download volume, popularity reaches 50% of its dampening effect.
+    popularityHalfLifeDownloads: 1e5,
+    // Popularity can only reduce dependency risk by this fraction.
+    popularityMaxDampening: 0.12
   },
   externalDimension: {
     topDependencyPercentile: 0.85,
     dependencyDepthHalfLife: 6
   }
 };
-var clamp01 = (value) => {
-  if (Number.isNaN(value)) {
-    return 0;
-  }
-  if (value <= 0) {
-    return 0;
-  }
-  if (value >= 1) {
-    return 1;
-  }
-  return value;
-};
+var toUnitInterval = (value) => Number.isFinite(value) ? Math.min(1, Math.max(0, value)) : 0;
 var round44 = (value) => Number(value.toFixed(4));
 var average = (values) => {
   if (values.length === 0) {
@@ -1934,7 +2008,7 @@ var percentile = (values, p) => {
     return values[0] ?? 0;
   }
   const sorted = [...values].sort((a, b) => a - b);
-  const position = clamp01(p) * (sorted.length - 1);
+  const position = toUnitInterval(p) * (sorted.length - 1);
   const lowerIndex = Math.floor(position);
   const upperIndex = Math.ceil(position);
   const lower = sorted[lowerIndex] ?? 0;
@@ -1946,18 +2020,18 @@ var percentile = (values, p) => {
   return lower + (upper - lower) * ratio;
 };
 var saturatingComposite = (baseline, amplifications) => {
-  let value = clamp01(baseline);
+  let value = toUnitInterval(baseline);
   for (const amplification of amplifications) {
-    const boundedAmplification = clamp01(amplification);
+    const boundedAmplification = toUnitInterval(amplification);
     value += (1 - value) * boundedAmplification;
   }
-  return clamp01(value);
+  return toUnitInterval(value);
 };
 var halfLifeRisk = (value, halfLife) => {
   if (value <= 0 || halfLife <= 0) {
     return 0;
   }
-  return clamp01(value / (value + halfLife));
+  return toUnitInterval(value / (value + halfLife));
 };
 var normalizeWeights = (weights, enabled) => {
   let total = 0;
@@ -2004,7 +2078,7 @@ var normalizeWithScale = (value, scale) => {
   if (scale.upper <= scale.lower) {
     return value > 0 ? 1 : 0;
   }
-  return clamp01((value - scale.lower) / (scale.upper - scale.lower));
+  return toUnitInterval((value - scale.lower) / (scale.upper - scale.lower));
 };
 var normalizePath2 = (path) => path.replaceAll("\\", "/");
 var dependencySignalWeights = {
@@ -2030,7 +2104,7 @@ var computeDependencySignalScore = (ownSignals, inheritedSignals, inheritedSigna
   if (maxWeightedTotal <= 0) {
     return 0;
   }
-  return clamp01(weightedTotal / maxWeightedTotal);
+  return toUnitInterval(weightedTotal / maxWeightedTotal);
 };
 var computeDependencyScores = (external, config) => {
   if (!external.available) {
@@ -2065,7 +2139,7 @@ var computeDependencyScores = (external, config) => {
       dependency.inheritedRiskSignals,
       config.dependencySignals.inheritedSignalMultiplier
     );
-    const maintainerConcentrationRisk = dependency.maintainerCount === null ? config.dependencySignals.missingMetadataPenalty : clamp01(1 / Math.max(1, dependency.maintainerCount));
+    const maintainerConcentrationRisk = dependency.maintainerCount === null ? config.dependencySignals.missingMetadataPenalty : toUnitInterval(1 / Math.max(1, dependency.maintainerCount));
     const stalenessRisk = dependency.daysSinceLastRelease === null ? config.dependencySignals.missingMetadataPenalty : halfLifeRisk(
       dependency.daysSinceLastRelease,
       config.dependencySignals.abandonedHalfLifeDays
@@ -2076,11 +2150,17 @@ var computeDependencyScores = (external, config) => {
     );
     const centralityRisk = normalizeWithScale(logScale(dependency.dependents), dependentScale);
     const chainDepthRisk = normalizeWithScale(dependency.dependencyDepth, chainDepthScale);
-    const busFactorRisk = dependency.busFactor === null ? config.dependencySignals.missingMetadataPenalty : clamp01(1 / Math.max(1, dependency.busFactor));
+    const busFactorRisk = dependency.busFactor === null ? config.dependencySignals.missingMetadataPenalty : toUnitInterval(1 / Math.max(1, dependency.busFactor));
     const weights = config.dependencyFactorWeights;
-    const normalizedScore = clamp01(
+    const baseScore = toUnitInterval(
       signalScore * weights.signals + stalenessRisk * weights.staleness + maintainerConcentrationRisk * weights.maintainerConcentration + transitiveBurdenRisk * weights.transitiveBurden + centralityRisk * weights.centrality + chainDepthRisk * weights.chainDepth + busFactorRisk * weights.busFactorRisk
     );
+    const hasHardRiskSignal = dependency.ownRiskSignals.includes("abandoned") || dependency.ownRiskSignals.includes("metadata_unavailable") || dependency.ownRiskSignals.includes("single_maintainer");
+    const popularityDampener = dependency.weeklyDownloads === null || hasHardRiskSignal ? 1 : 1 - halfLifeRisk(
+      dependency.weeklyDownloads,
+      config.dependencySignals.popularityHalfLifeDownloads
+    ) * config.dependencySignals.popularityMaxDampening;
+    const normalizedScore = toUnitInterval(baseScore * popularityDampener);
     return {
       dependency: dependency.name,
       score: round44(normalizedScore * 100),
@@ -2098,7 +2178,7 @@ var computeDependencyScores = (external, config) => {
     external.metrics.dependencyDepth,
     config.externalDimension.dependencyDepthHalfLife
   );
-  const repositoryExternalPressure = clamp01(
+  const repositoryExternalPressure = toUnitInterval(
     highDependencyRisk * 0.5 + averageDependencyRisk * 0.3 + depthRisk * 0.2
   );
   return {
@@ -2166,8 +2246,8 @@ var buildFragileClusters = (structural, evolution, fileScoresByFile, config) =>
     const averageRisk = average(
       files.map((filePath) => fileScoresByFile.get(filePath)?.normalizedScore ?? 0)
     );
-    const cycleSizeRisk = clamp01((files.length - 1) / 5);
-    const score = round44(clamp01(averageRisk * 0.75 + cycleSizeRisk * 0.25) * 100);
+    const cycleSizeRisk = toUnitInterval((files.length - 1) / 5);
+    const score = round44(toUnitInterval(averageRisk * 0.75 + cycleSizeRisk * 0.25) * 100);
     cycleClusterCount += 1;
     clusters.push({
       id: `cycle:${cycleClusterCount}`,
@@ -2241,7 +2321,7 @@ var buildFragileClusters = (structural, evolution, fileScoresByFile, config) =>
         files.map((filePath) => fileScoresByFile.get(filePath)?.normalizedScore ?? 0)
       );
       const meanCoupling = average(componentPairs.map((pair) => pair.couplingScore));
-      const score = round44(clamp01(meanFileRisk * 0.65 + meanCoupling * 0.35) * 100);
+      const score = round44(toUnitInterval(meanFileRisk * 0.65 + meanCoupling * 0.35) * 100);
       couplingClusterCount += 1;
       clusters.push({
         id: `coupling:${couplingClusterCount}`,
@@ -2289,10 +2369,10 @@ var computeRiskSummary = (structural, evolution, external, config) => {
     const fanOutRisk = normalizeWithScale(logScale(file.fanOut), fanOutScale);
     const depthRisk = normalizeWithScale(file.depth, depthScale);
     const structuralWeights = config.structuralFactorWeights;
-    const structuralFactor = clamp01(
+    const structuralFactor = toUnitInterval(
       fanInRisk * structuralWeights.fanIn + fanOutRisk * structuralWeights.fanOut + depthRisk * structuralWeights.depth + inCycle * structuralWeights.cycleParticipation
     );
-    const structuralCentrality = clamp01((fanInRisk + fanOutRisk) / 2);
+    const structuralCentrality = toUnitInterval((fanInRisk + fanOutRisk) / 2);
     let evolutionFactor = 0;
     const evolutionMetrics = evolutionByFile.get(filePath);
     if (evolution.available && evolutionMetrics !== void 0) {
@@ -2304,16 +2384,16 @@ var computeRiskSummary = (structural, evolution, external, config) => {
         logScale(evolutionMetrics.churnTotal),
         evolutionScales.churnTotal
       );
-      const volatilityRisk = clamp01(evolutionMetrics.recentVolatility);
-      const ownershipConcentrationRisk = clamp01(evolutionMetrics.topAuthorShare);
-      const busFactorRisk = clamp01(1 - normalizeWithScale(evolutionMetrics.busFactor, evolutionScales.busFactor));
+      const volatilityRisk = toUnitInterval(evolutionMetrics.recentVolatility);
+      const ownershipConcentrationRisk = toUnitInterval(evolutionMetrics.topAuthorShare);
+      const busFactorRisk = toUnitInterval(1 - normalizeWithScale(evolutionMetrics.busFactor, evolutionScales.busFactor));
       const evolutionWeights = config.evolutionFactorWeights;
-      evolutionFactor = clamp01(
+      evolutionFactor = toUnitInterval(
         frequencyRisk * evolutionWeights.frequency + churnRisk * evolutionWeights.churn + volatilityRisk * evolutionWeights.recentVolatility + ownershipConcentrationRisk * evolutionWeights.ownershipConcentration + busFactorRisk * evolutionWeights.busFactorRisk
       );
     }
-    const dependencyAffinity = clamp01(structuralCentrality * 0.6 + evolutionFactor * 0.4);
-    const externalFactor = external.available ? clamp01(dependencyComputation.repositoryExternalPressure * dependencyAffinity) : 0;
+    const dependencyAffinity = toUnitInterval(structuralCentrality * 0.6 + evolutionFactor * 0.4);
+    const externalFactor = external.available ? toUnitInterval(dependencyComputation.repositoryExternalPressure * dependencyAffinity) : 0;
     const baseline = structuralFactor * dimensionWeights.structural + evolutionFactor * dimensionWeights.evolution + externalFactor * dimensionWeights.external;
     const interactions = [
       structuralFactor * evolutionFactor * config.interactionWeights.structuralEvolution,
@@ -2359,7 +2439,7 @@ var computeRiskSummary = (structural, evolution, external, config) => {
   const moduleScores = [...moduleFiles.entries()].map(([module, values]) => {
     const averageScore = average(values);
     const peakScore = values.reduce((max, value) => Math.max(max, value), 0);
-    const normalizedScore = clamp01(averageScore * 0.65 + peakScore * 0.35);
+    const normalizedScore = toUnitInterval(averageScore * 0.65 + peakScore * 0.35);
     return {
       module,
       score: round44(normalizedScore * 100),
@@ -2374,10 +2454,10 @@ var computeRiskSummary = (structural, evolution, external, config) => {
     percentile(externalPressures, config.amplificationZone.percentileThreshold)
   );
   const dependencyAmplificationZones = fileScores.map((fileScore) => {
-    const intensity = clamp01(
+    const intensity = toUnitInterval(
       fileScore.factors.external * Math.max(fileScore.factors.structural, fileScore.factors.evolution)
     );
-    const normalizedZoneScore = clamp01(intensity * 0.7 + fileScore.normalizedScore * 0.3);
+    const normalizedZoneScore = toUnitInterval(intensity * 0.7 + fileScore.normalizedScore * 0.3);
     return {
       file: fileScore.file,
       score: round44(normalizedZoneScore * 100),
@@ -2398,7 +2478,7 @@ var computeRiskSummary = (structural, evolution, external, config) => {
   );
   const dependencyAmplification = average(
     dependencyAmplificationZones.map(
-      (zone) => clamp01(zone.externalPressure * zone.score / 100)
+      (zone) => toUnitInterval(zone.externalPressure * zone.score / 100)
     )
   );
   const repositoryBaseline = structuralDimension * dimensionWeights.structural + evolutionDimension * dimensionWeights.evolution + externalDimension * dimensionWeights.external;