@getcodesentinel/codesentinel 1.4.2 → 1.6.0

package/dist/index.js

@@ -2,1157 +2,981 @@
 
 // src/index.ts
 import { Command, Option } from "commander";
-import { readFileSync as readFileSync2 } from "fs";
-import { dirname, resolve as resolve3 } from "path";
-import { fileURLToPath } from "url";
 
-// src/application/format-analyze-output.ts
-var createSummaryShape = (summary) => ({
-  targetPath: summary.structural.targetPath,
-  structural: summary.structural.metrics,
-  evolution: summary.evolution.available ? {
-    available: true,
-    metrics: summary.evolution.metrics,
-    hotspotsTop: summary.evolution.hotspots.slice(0, 5).map((hotspot) => hotspot.filePath)
-  } : {
-    available: false,
-    reason: summary.evolution.reason
-  },
-  external: summary.external.available ? {
-    available: true,
-    metrics: summary.external.metrics,
-    highRiskDependenciesTop: summary.external.highRiskDependencies.slice(0, 10)
-  } : {
-    available: false,
-    reason: summary.external.reason
-  },
-  risk: {
-    repositoryScore: summary.risk.repositoryScore,
-    normalizedScore: summary.risk.normalizedScore,
-    hotspotsTop: summary.risk.hotspots.slice(0, 5).map((hotspot) => ({
-      file: hotspot.file,
-      score: hotspot.score
-    })),
-    fragileClusterCount: summary.risk.fragileClusters.length,
-    dependencyAmplificationZoneCount: summary.risk.dependencyAmplificationZones.length
+// ../dependency-firewall/dist/index.js
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { setTimeout as sleep } from "timers/promises";
+var round4 = (value) => Number(value.toFixed(4));
+var normalizeNodes = (nodes) => {
+  const byName = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    const bucket = byName.get(node.name) ?? [];
+    bucket.push(node);
+    byName.set(node.name, bucket);
   }
-});
-var formatAnalyzeOutput = (summary, mode) => mode === "json" ? JSON.stringify(summary, null, 2) : JSON.stringify(createSummaryShape(summary), null, 2);
-
-// src/application/logger.ts
-var logLevelRank = {
-  error: 0,
-  warn: 1,
-  info: 2,
-  debug: 3
-};
-var noop = () => {
-};
-var createSilentLogger = () => ({
-  error: noop,
-  warn: noop,
-  info: noop,
-  debug: noop
-});
-var shouldLog = (configuredLevel, messageLevel) => {
-  if (configuredLevel === "silent") {
-    return false;
+  const normalized = [];
+  for (const [name, candidates] of byName.entries()) {
+    if (candidates.length === 0) {
+      continue;
+    }
+    candidates.sort((a, b) => b.version.localeCompare(a.version));
+    const selected = candidates[0];
+    if (selected === void 0) {
+      continue;
+    }
+    const deps = selected.dependencies.map((dep) => {
+      const at = dep.lastIndexOf("@");
+      return at <= 0 ? dep : dep.slice(0, at);
+    }).filter((depName) => depName.length > 0).sort((a, b) => a.localeCompare(b));
+    normalized.push({
+      key: `${name}@${selected.version}`,
+      name,
+      version: selected.version,
+      dependencies: deps
+    });
   }
-  return logLevelRank[messageLevel] <= logLevelRank[configuredLevel];
-};
-var write = (messageLevel, message) => {
-  process.stderr.write(`[codesentinel] ${messageLevel.toUpperCase()} ${message}
-`);
+  return normalized.sort((a, b) => a.name.localeCompare(b.name));
 };
-var createStderrLogger = (level) => {
-  if (level === "silent") {
-    return createSilentLogger();
-  }
-  return {
-    error: (message) => {
-      if (shouldLog(level, "error")) {
-        write("error", message);
-      }
-    },
-    warn: (message) => {
-      if (shouldLog(level, "warn")) {
-        write("warn", message);
-      }
-    },
-    info: (message) => {
-      if (shouldLog(level, "info")) {
-        write("info", message);
-      }
-    },
-    debug: (message) => {
-      if (shouldLog(level, "debug")) {
-        write("debug", message);
+var computeDepths = (nodeByName, directNames) => {
+  const visiting = /* @__PURE__ */ new Set();
+  const depthByName = /* @__PURE__ */ new Map();
+  const compute = (name) => {
+    const known = depthByName.get(name);
+    if (known !== void 0) {
+      return known;
+    }
+    if (visiting.has(name)) {
+      return 0;
+    }
+    visiting.add(name);
+    const node = nodeByName.get(name);
+    if (node === void 0) {
+      visiting.delete(name);
+      depthByName.set(name, 0);
+      return 0;
+    }
+    let maxChildDepth = 0;
+    for (const dependencyName of node.dependencies) {
+      const childDepth = compute(dependencyName);
+      if (childDepth > maxChildDepth) {
+        maxChildDepth = childDepth;
       }
     }
+    visiting.delete(name);
+    const ownDepth = directNames.has(name) ? 0 : maxChildDepth + 1;
+    depthByName.set(name, ownDepth);
+    return ownDepth;
   };
-};
-var parseLogLevel = (value) => {
-  switch (value) {
-    case "silent":
-    case "error":
-    case "warn":
-    case "info":
-    case "debug":
-      return value;
-    default:
-      return "info";
+  for (const name of nodeByName.keys()) {
+    compute(name);
+  }
+  let maxDepth = 0;
+  for (const depth of depthByName.values()) {
+    if (depth > maxDepth) {
+      maxDepth = depth;
+    }
   }
+  return { depthByName, maxDepth };
 };
-
-// src/application/run-analyze-command.ts
-import { resolve as resolve2 } from "path";
-
-// ../code-graph/dist/index.js
-import { extname, isAbsolute, relative, resolve } from "path";
-import * as ts from "typescript";
-var edgeKey = (from, to) => `${from}\0${to}`;
-var createGraphData = (nodes, rawEdges) => {
-  const sortedNodes = [...nodes].sort((a, b) => a.id.localeCompare(b.id));
-  const knownNodeIds = new Set(sortedNodes.map((node) => node.id));
-  const uniqueEdgeMap = /* @__PURE__ */ new Map();
-  for (const edge of rawEdges) {
-    if (edge.from === edge.to) {
+var rankCentrality = (nodes, dependentsByName, directNames, topN) => [...nodes].map((node) => ({
+  name: node.name,
+  dependents: dependentsByName.get(node.name) ?? 0,
+  fanOut: node.dependencies.length,
+  direct: directNames.has(node.name)
+})).sort(
+  (a, b) => b.dependents - a.dependents || b.fanOut - a.fanOut || a.name.localeCompare(b.name)
+).slice(0, topN);
+var canPropagateSignal = (signal) => signal === "abandoned" || signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout";
+var collectTransitiveDependencies = (rootName, nodeByName) => {
+  const seen = /* @__PURE__ */ new Set();
+  const stack = [...nodeByName.get(rootName)?.dependencies ?? []];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (current === void 0 || seen.has(current) || current === rootName) {
       continue;
     }
-    if (!knownNodeIds.has(edge.from) || !knownNodeIds.has(edge.to)) {
+    seen.add(current);
+    const currentNode = nodeByName.get(current);
+    if (currentNode === void 0) {
       continue;
     }
-    uniqueEdgeMap.set(edgeKey(edge.from, edge.to), edge);
-  }
-  const sortedEdges = [...uniqueEdgeMap.values()].sort((a, b) => {
-    const fromCompare = a.from.localeCompare(b.from);
-    if (fromCompare !== 0) {
-      return fromCompare;
+    for (const next of currentNode.dependencies) {
+      if (!seen.has(next)) {
+        stack.push(next);
+      }
     }
-    return a.to.localeCompare(b.to);
-  });
-  const adjacency = /* @__PURE__ */ new Map();
-  for (const node of sortedNodes) {
-    adjacency.set(node.id, []);
-  }
-  for (const edge of sortedEdges) {
-    adjacency.get(edge.from)?.push(edge.to);
-  }
-  const adjacencyById = /* @__PURE__ */ new Map();
-  for (const [nodeId, targets] of adjacency.entries()) {
-    adjacencyById.set(nodeId, [...targets]);
   }
-  return {
-    nodes: sortedNodes,
-    edges: sortedEdges,
-    adjacencyById
-  };
+  return [...seen].sort((a, b) => a.localeCompare(b));
 };
-var runTarjanScc = (adjacencyById) => {
-  let index = 0;
-  const indices = /* @__PURE__ */ new Map();
-  const lowLink = /* @__PURE__ */ new Map();
-  const stack = [];
-  const onStack = /* @__PURE__ */ new Set();
-  const components = [];
-  const strongConnect = (nodeId) => {
-    indices.set(nodeId, index);
-    lowLink.set(nodeId, index);
-    index += 1;
-    stack.push(nodeId);
-    onStack.add(nodeId);
-    const neighbors = adjacencyById.get(nodeId) ?? [];
-    for (const nextId of neighbors) {
-      if (!indices.has(nextId)) {
-        strongConnect(nextId);
-        const nodeLowLink2 = lowLink.get(nodeId);
-        const nextLowLink = lowLink.get(nextId);
-        if (nodeLowLink2 !== void 0 && nextLowLink !== void 0 && nextLowLink < nodeLowLink2) {
-          lowLink.set(nodeId, nextLowLink);
-        }
+var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, config) => {
+  const nodes = normalizeNodes(extraction.nodes);
+  const directNames = new Set(extraction.directDependencies.map((dep) => dep.name));
+  const directSpecByName = new Map(extraction.directDependencies.map((dep) => [dep.name, dep]));
+  const nodeByName = new Map(nodes.map((node) => [node.name, node]));
+  const dependentsByName = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    dependentsByName.set(node.name, dependentsByName.get(node.name) ?? 0);
+  }
+  for (const node of nodes) {
+    for (const dependencyName of node.dependencies) {
+      if (!nodeByName.has(dependencyName)) {
         continue;
       }
-      if (onStack.has(nextId)) {
-        const nodeLowLink2 = lowLink.get(nodeId);
-        const nextIndex = indices.get(nextId);
-        if (nodeLowLink2 !== void 0 && nextIndex !== void 0 && nextIndex < nodeLowLink2) {
-          lowLink.set(nodeId, nextIndex);
-        }
-      }
-    }
-    const nodeLowLink = lowLink.get(nodeId);
-    const nodeIndex = indices.get(nodeId);
-    if (nodeLowLink === void 0 || nodeIndex === void 0 || nodeLowLink !== nodeIndex) {
-      return;
-    }
-    const component = [];
-    for (; ; ) {
-      const popped = stack.pop();
-      if (popped === void 0) {
-        break;
-      }
-      onStack.delete(popped);
-      component.push(popped);
-      if (popped === nodeId) {
-        break;
-      }
-    }
-    component.sort((a, b) => a.localeCompare(b));
-    components.push(component);
-  };
-  const nodeIds = [...adjacencyById.keys()].sort((a, b) => a.localeCompare(b));
-  for (const nodeId of nodeIds) {
-    if (!indices.has(nodeId)) {
-      strongConnect(nodeId);
+      dependentsByName.set(dependencyName, (dependentsByName.get(dependencyName) ?? 0) + 1);
     }
   }
-  components.sort((a, b) => {
-    const firstA = a[0] ?? "";
-    const firstB = b[0] ?? "";
-    return firstA.localeCompare(firstB);
-  });
-  return { components };
-};
-var hasSelfLoop = (nodeId, adjacencyById) => {
-  const targets = adjacencyById.get(nodeId) ?? [];
-  return targets.includes(nodeId);
-};
-var computeCyclesAndDepth = (graph) => {
-  const { components } = runTarjanScc(graph.adjacencyById);
-  const cycles = [];
-  const componentByNodeId = /* @__PURE__ */ new Map();
-  components.forEach((component, index) => {
-    for (const nodeId of component) {
-      componentByNodeId.set(nodeId, index);
+  const { depthByName, maxDepth } = computeDepths(nodeByName, directNames);
+  const centralityRanking = rankCentrality(nodes, dependentsByName, directNames, config.centralityTopN);
+  const topCentralNames = new Set(
+    centralityRanking.slice(0, Math.max(1, Math.ceil(centralityRanking.length * 0.25))).map((entry) => entry.name)
+  );
+  const allDependencies = [];
+  let metadataAvailableCount = 0;
+  for (const node of nodes) {
+    const metadata = metadataByKey.get(node.key) ?? null;
+    if (metadata !== null) {
+      metadataAvailableCount += 1;
     }
-    if (component.length > 1) {
-      cycles.push({ nodes: [...component] });
-      return;
+    const dependencyDepth = depthByName.get(node.name) ?? 0;
+    const dependents = dependentsByName.get(node.name) ?? 0;
+    const riskSignals = [];
+    if ((metadata?.maintainerCount ?? 0) === 1) {
+      riskSignals.push("single_maintainer");
     }
-    const onlyNode = component[0];
-    if (onlyNode !== void 0 && hasSelfLoop(onlyNode, graph.adjacencyById)) {
-      cycles.push({ nodes: [...component] });
+    if ((metadata?.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold) {
+      riskSignals.push("abandoned");
     }
-  });
-  const dagOutgoing = /* @__PURE__ */ new Map();
-  const inDegree = /* @__PURE__ */ new Map();
-  for (let i = 0; i < components.length; i += 1) {
-    dagOutgoing.set(i, /* @__PURE__ */ new Set());
-    inDegree.set(i, 0);
-  }
-  for (const edge of graph.edges) {
-    const fromComponent = componentByNodeId.get(edge.from);
-    const toComponent = componentByNodeId.get(edge.to);
-    if (fromComponent === void 0 || toComponent === void 0 || fromComponent === toComponent) {
-      continue;
+    if (topCentralNames.has(node.name) && dependents > 0) {
+      riskSignals.push("high_centrality");
     }
-    const outgoing = dagOutgoing.get(fromComponent);
-    if (outgoing?.has(toComponent) === true) {
-      continue;
+    if (dependencyDepth >= config.deepChainThreshold) {
+      riskSignals.push("deep_chain");
     }
-    outgoing?.add(toComponent);
-    inDegree.set(toComponent, (inDegree.get(toComponent) ?? 0) + 1);
-  }
-  const queue = [];
-  const depthByComponent = /* @__PURE__ */ new Map();
-  for (let i = 0; i < components.length; i += 1) {
-    if ((inDegree.get(i) ?? 0) === 0) {
-      queue.push(i);
-      depthByComponent.set(i, 0);
+    if (node.dependencies.length >= config.fanOutHighThreshold) {
+      riskSignals.push("high_fanout");
     }
-  }
-  let cursor = 0;
-  while (cursor < queue.length) {
-    const componentId = queue[cursor];
-    cursor += 1;
-    if (componentId === void 0) {
-      continue;
+    if (metadata === null) {
+      riskSignals.push("metadata_unavailable");
     }
-    const currentDepth = depthByComponent.get(componentId) ?? 0;
-    const outgoing = dagOutgoing.get(componentId) ?? /* @__PURE__ */ new Set();
-    for (const nextComponent of outgoing) {
-      const nextDepth = depthByComponent.get(nextComponent) ?? 0;
-      if (currentDepth + 1 > nextDepth) {
-        depthByComponent.set(nextComponent, currentDepth + 1);
+    allDependencies.push({
+      name: node.name,
+      direct: directNames.has(node.name),
+      dependencyScope: directSpecByName.get(node.name)?.scope ?? "prod",
+      requestedRange: directSpecByName.get(node.name)?.requestedRange ?? null,
+      resolvedVersion: node.version,
+      transitiveDependencies: [],
+      weeklyDownloads: metadata?.weeklyDownloads ?? null,
+      dependencyDepth,
+      fanOut: node.dependencies.length,
+      dependents,
+      maintainerCount: metadata?.maintainerCount ?? null,
+      releaseFrequencyDays: metadata?.releaseFrequencyDays ?? null,
+      daysSinceLastRelease: metadata?.daysSinceLastRelease ?? null,
+      repositoryActivity30d: metadata?.repositoryActivity30d ?? null,
+      busFactor: metadata?.busFactor ?? null,
+      ownRiskSignals: [...riskSignals].sort((a, b) => a.localeCompare(b)),
+      inheritedRiskSignals: [],
+      riskSignals
+    });
+  }
+  allDependencies.sort((a, b) => a.name.localeCompare(b.name));
+  const allByName = new Map(allDependencies.map((dep) => [dep.name, dep]));
+  const dependencies = allDependencies.filter((dep) => dep.direct).map((dep) => {
+    const transitiveDependencies = collectTransitiveDependencies(dep.name, nodeByName);
+    const inheritedSignals = /* @__PURE__ */ new Set();
+    const allSignals = new Set(dep.ownRiskSignals);
+    for (const transitiveName of transitiveDependencies) {
+      const transitive = allByName.get(transitiveName);
+      if (transitive === void 0) {
+        continue;
       }
-      const remainingIncoming = (inDegree.get(nextComponent) ?? 0) - 1;
-      inDegree.set(nextComponent, remainingIncoming);
-      if (remainingIncoming === 0) {
-        queue.push(nextComponent);
+      for (const signal of transitive.riskSignals) {
+        if (canPropagateSignal(signal)) {
+          inheritedSignals.add(signal);
+          allSignals.add(signal);
+        }
       }
     }
-  }
-  const depthByNodeId = /* @__PURE__ */ new Map();
-  let graphDepth = 0;
-  components.forEach((component, componentId) => {
-    const componentDepth = depthByComponent.get(componentId) ?? 0;
-    if (componentDepth > graphDepth) {
-      graphDepth = componentDepth;
-    }
-    for (const nodeId of component) {
-      depthByNodeId.set(nodeId, componentDepth);
-    }
-  });
-  cycles.sort((a, b) => {
-    const firstA = a.nodes[0] ?? "";
-    const firstB = b.nodes[0] ?? "";
-    return firstA.localeCompare(firstB);
-  });
+    return {
+      ...dep,
+      transitiveDependencies,
+      inheritedRiskSignals: [...inheritedSignals].sort((a, b) => a.localeCompare(b)),
+      riskSignals: [...allSignals].sort((a, b) => a.localeCompare(b))
+    };
+  }).sort((a, b) => a.name.localeCompare(b.name));
+  const highRiskDependencies = dependencies.filter(
+    (dep) => dep.ownRiskSignals.includes("abandoned") || dep.ownRiskSignals.filter(
+      (signal) => signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout"
+    ).length >= 2 || dep.ownRiskSignals.includes("single_maintainer") && ((dep.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold / 2 || (dep.repositoryActivity30d ?? 1) <= 0)
+  ).filter((dep) => dep.dependencyScope === "prod").sort(
+    (a, b) => b.ownRiskSignals.length - a.ownRiskSignals.length || a.name.localeCompare(b.name)
+  ).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
+  const highRiskDevelopmentDependencies = dependencies.filter(
+    (dep) => dep.dependencyScope === "dev" && (dep.ownRiskSignals.includes("abandoned") || dep.ownRiskSignals.filter(
+      (signal) => signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout"
+    ).length >= 2 || dep.ownRiskSignals.includes("single_maintainer") && ((dep.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold / 2 || (dep.repositoryActivity30d ?? 1) <= 0))
+  ).sort(
+    (a, b) => b.ownRiskSignals.length - a.ownRiskSignals.length || a.name.localeCompare(b.name)
+  ).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
+  const transitiveExposureDependencies = dependencies.filter((dep) => dep.inheritedRiskSignals.length > 0).sort(
+    (a, b) => b.inheritedRiskSignals.length - a.inheritedRiskSignals.length || a.name.localeCompare(b.name)
+  ).map((dep) => dep.name);
+  const singleMaintainerDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("single_maintainer")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
+  const abandonedDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("abandoned")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
   return {
-    depthByNodeId,
-    graphDepth,
-    cycles
+    targetPath,
+    available: true,
+    metrics: {
+      totalDependencies: allDependencies.length,
+      directDependencies: dependencies.length,
+      directProductionDependencies: dependencies.filter((dependency) => dependency.dependencyScope === "prod").length,
+      directDevelopmentDependencies: dependencies.filter((dependency) => dependency.dependencyScope === "dev").length,
+      transitiveDependencies: allDependencies.length - dependencies.length,
+      dependencyDepth: maxDepth,
+      lockfileKind: extraction.kind,
+      metadataCoverage: allDependencies.length === 0 ? 0 : round4(metadataAvailableCount / allDependencies.length)
+    },
+    dependencies,
+    highRiskDependencies,
+    highRiskDevelopmentDependencies,
+    transitiveExposureDependencies,
+    singleMaintainerDependencies,
+    abandonedDependencies,
+    centralityRanking
   };
 };
-var createGraphAnalysisSummary = (targetPath, graph) => {
-  const fanInById = /* @__PURE__ */ new Map();
-  const fanOutById = /* @__PURE__ */ new Map();
-  for (const node of graph.nodes) {
-    fanInById.set(node.id, 0);
-    fanOutById.set(node.id, graph.adjacencyById.get(node.id)?.length ?? 0);
-  }
-  for (const edge of graph.edges) {
-    fanInById.set(edge.to, (fanInById.get(edge.to) ?? 0) + 1);
+var DEFAULT_EXTERNAL_ANALYSIS_CONFIG = {
+  abandonedDaysThreshold: 540,
+  deepChainThreshold: 6,
+  fanOutHighThreshold: 25,
+  centralityTopN: 20,
+  maxHighRiskDependencies: 100,
+  metadataRequestConcurrency: 8
+};
+var LOCKFILE_CANDIDATES = [
+  { fileName: "pnpm-lock.yaml", kind: "pnpm" },
+  { fileName: "package-lock.json", kind: "npm" },
+  { fileName: "npm-shrinkwrap.json", kind: "npm-shrinkwrap" },
+  { fileName: "yarn.lock", kind: "yarn" },
+  { fileName: "bun.lock", kind: "bun" },
+  { fileName: "bun.lockb", kind: "bun" }
+];
+var loadPackageJson = (repositoryPath) => {
+  const packageJsonPath2 = join(repositoryPath, "package.json");
+  if (!existsSync(packageJsonPath2)) {
+    return null;
   }
-  const { cycles, depthByNodeId, graphDepth } = computeCyclesAndDepth(graph);
-  let maxFanIn = 0;
-  let maxFanOut = 0;
-  const files = graph.nodes.map((node) => {
-    const fanIn = fanInById.get(node.id) ?? 0;
-    const fanOut = fanOutById.get(node.id) ?? 0;
-    if (fanIn > maxFanIn) {
-      maxFanIn = fanIn;
-    }
-    if (fanOut > maxFanOut) {
-      maxFanOut = fanOut;
+  return {
+    path: packageJsonPath2,
+    raw: readFileSync(packageJsonPath2, "utf8")
+  };
+};
+var selectLockfile = (repositoryPath) => {
+  for (const candidate of LOCKFILE_CANDIDATES) {
+    const absolutePath = join(repositoryPath, candidate.fileName);
+    if (!existsSync(absolutePath)) {
+      continue;
     }
     return {
-      id: node.id,
-      relativePath: node.relativePath,
-      directDependencies: graph.adjacencyById.get(node.id) ?? [],
-      fanIn,
-      fanOut,
-      depth: depthByNodeId.get(node.id) ?? 0
+      path: absolutePath,
+      kind: candidate.kind,
+      raw: readFileSync(absolutePath, "utf8")
     };
-  });
-  const metrics = {
-    nodeCount: graph.nodes.length,
-    edgeCount: graph.edges.length,
-    cycleCount: cycles.length,
-    graphDepth,
-    maxFanIn,
-    maxFanOut
-  };
-  return {
-    targetPath,
-    nodes: graph.nodes,
-    edges: graph.edges,
-    cycles,
-    files,
-    metrics
-  };
-};
-var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".mts", ".cts", ".js", ".jsx", ".mjs", ".cjs"]);
-var SCAN_EXCLUDES = [
-  "**/node_modules/**",
-  "**/.git/**",
-  "**/dist/**",
-  "**/build/**",
-  "**/.next/**",
-  "**/coverage/**",
-  "**/.turbo/**",
-  "**/.cache/**",
-  "**/out/**"
-];
-var SCAN_INCLUDES = ["**/*"];
-var IGNORED_SEGMENTS = /* @__PURE__ */ new Set([
-  "node_modules",
-  ".git",
-  "dist",
-  "build",
-  ".next",
-  "coverage",
-  ".turbo",
-  ".cache",
-  "out"
-]);
-var normalizePath = (pathValue) => pathValue.replaceAll("\\", "/");
-var isProjectSourceFile = (filePath, projectRoot) => {
-  const extension = extname(filePath);
-  if (!SOURCE_EXTENSIONS.has(extension)) {
-    return false;
-  }
-  const relativePath = relative(projectRoot, filePath);
-  if (relativePath.startsWith("..")) {
-    return false;
   }
-  const normalizedRelativePath = normalizePath(relativePath);
-  const segments = normalizedRelativePath.split("/");
-  return !segments.some((segment) => IGNORED_SEGMENTS.has(segment));
+  return null;
 };
-var discoverSourceFilesByScan = (projectRoot) => {
-  const files = ts.sys.readDirectory(
-    projectRoot,
-    [...SOURCE_EXTENSIONS],
-    SCAN_EXCLUDES,
-    SCAN_INCLUDES
-  );
-  return files.map((filePath) => resolve(filePath));
+var parsePackageJson = (raw) => {
+  const parsed = JSON.parse(raw);
+  const merged = /* @__PURE__ */ new Map();
+  const addBlock = (block, scope) => {
+    if (block === void 0) {
+      return;
+    }
+    for (const [name, versionRange] of Object.entries(block)) {
+      const existing = merged.get(name);
+      if (existing?.scope === "prod" && scope === "dev") {
+        continue;
+      }
+      merged.set(name, { name, requestedRange: versionRange, scope });
+    }
+  };
+  addBlock(parsed.dependencies, "prod");
+  addBlock(parsed.optionalDependencies, "prod");
+  addBlock(parsed.peerDependencies, "prod");
+  addBlock(parsed.devDependencies, "dev");
+  return [...merged.values()].sort((a, b) => a.name.localeCompare(b.name));
 };
-var parseTsConfigFile = (configPath) => {
-  const parsedCommandLine = ts.getParsedCommandLineOfConfigFile(
-    configPath,
-    {},
-    {
-      ...ts.sys,
-      onUnRecoverableConfigFileDiagnostic: () => {
-        throw new Error(`Failed to parse TypeScript configuration at ${configPath}`);
+var parsePackageLock = (raw, directSpecs) => {
+  const parsed = JSON.parse(raw);
+  const nodes = [];
+  if (parsed.packages !== void 0) {
+    for (const [packagePath, packageData] of Object.entries(parsed.packages)) {
+      if (packagePath.length === 0 || packageData.version === void 0) {
+        continue;
+      }
+      const segments = packagePath.split("node_modules/");
+      const name = segments[segments.length - 1] ?? "";
+      if (name.length === 0) {
+        continue;
+      }
+      const dependencies = Object.entries(packageData.dependencies ?? {}).map(([depName, depRange]) => `${depName}@${String(depRange)}`).sort((a, b) => a.localeCompare(b));
+      nodes.push({
+        name,
+        version: packageData.version,
+        dependencies
+      });
+    }
+  } else if (parsed.dependencies !== void 0) {
+    for (const [name, dep] of Object.entries(parsed.dependencies)) {
+      if (dep.version === void 0) {
+        continue;
       }
+      const dependencies = Object.entries(dep.dependencies ?? {}).map(([depName, depVersion]) => `${depName}@${String(depVersion)}`).sort((a, b) => a.localeCompare(b));
+      nodes.push({
+        name,
+        version: dep.version,
+        dependencies
+      });
     }
-  );
-  if (parsedCommandLine === void 0) {
-    throw new Error(`Failed to parse TypeScript configuration at ${configPath}`);
   }
-  return parsedCommandLine;
+  nodes.sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
+  return {
+    kind: "npm",
+    directDependencies: directSpecs,
+    nodes
+  };
 };
-var collectFilesFromTsConfigGraph = (projectRoot) => {
-  const rootConfigPath = ts.findConfigFile(projectRoot, ts.sys.fileExists, "tsconfig.json");
-  if (rootConfigPath === void 0) {
+var sanitizeValue = (value) => value.replace(/^['"]|['"]$/g, "").trim();
+var parsePackageKey = (rawKey) => {
+  const key = sanitizeValue(rawKey.replace(/:$/, ""));
+  const withoutSlash = key.startsWith("/") ? key.slice(1) : key;
+  const lastAt = withoutSlash.lastIndexOf("@");
+  if (lastAt <= 0) {
     return null;
   }
-  const visitedConfigPaths = /* @__PURE__ */ new Set();
-  const collectedFiles = /* @__PURE__ */ new Set();
-  let rootOptions = null;
-  const visitConfig = (configPath) => {
-    const absoluteConfigPath = resolve(configPath);
-    if (visitedConfigPaths.has(absoluteConfigPath)) {
-      return;
+  const name = withoutSlash.slice(0, lastAt);
+  const versionWithPeers = withoutSlash.slice(lastAt + 1);
+  const version2 = versionWithPeers.split("(")[0] ?? versionWithPeers;
+  if (name.length === 0 || version2.length === 0) {
+    return null;
+  }
+  return { name, version: version2 };
+};
+var parsePnpmLockfile = (raw, directSpecs) => {
+  const lines = raw.split("\n");
+  let state = "root";
+  let currentPackage = null;
+  let currentDependencyName = null;
+  const dependenciesByNode = /* @__PURE__ */ new Map();
+  for (const line of lines) {
+    if (line.trim().length === 0 || line.trimStart().startsWith("#")) {
+      continue;
     }
-    visitedConfigPaths.add(absoluteConfigPath);
-    const parsed = parseTsConfigFile(absoluteConfigPath);
-    if (rootOptions === null) {
-      rootOptions = parsed.options;
+    if (line.startsWith("importers:")) {
+      state = "importers";
+      continue;
     }
-    for (const filePath of parsed.fileNames) {
-      collectedFiles.add(resolve(filePath));
+    if (line.startsWith("packages:")) {
+      state = "packages";
+      continue;
     }
-    for (const reference of parsed.projectReferences ?? []) {
-      const referencePath = resolve(reference.path);
-      const referenceConfigPath = ts.sys.directoryExists(referencePath) ? ts.findConfigFile(referencePath, ts.sys.fileExists, "tsconfig.json") : referencePath;
-      if (referenceConfigPath !== void 0 && ts.sys.fileExists(referenceConfigPath)) {
-        visitConfig(referenceConfigPath);
+    if (state === "packages" || state === "packageDeps") {
+      const packageMatch = line.match(/^\s{2}([^\s].+):\s*$/);
+      if (packageMatch !== null) {
+        const parsedKey = parsePackageKey(packageMatch[1] ?? "");
+        if (parsedKey !== null) {
+          currentPackage = `${parsedKey.name}@${parsedKey.version}`;
+          dependenciesByNode.set(currentPackage, /* @__PURE__ */ new Set());
+          state = "packageDeps";
+          currentDependencyName = null;
+        }
+        continue;
+      }
+    }
+    if (state === "packageDeps" && currentPackage !== null) {
+      const depLine = line.match(/^\s{6}([^:\s]+):\s*(.+)$/);
+      if (depLine !== null) {
+        const depName = sanitizeValue(depLine[1] ?? "");
+        const depRef = sanitizeValue(depLine[2] ?? "");
+        const depVersion = depRef.split("(")[0] ?? depRef;
+        if (depName.length > 0 && depVersion.length > 0) {
+          dependenciesByNode.get(currentPackage)?.add(`${depName}@${depVersion}`);
+        }
+        currentDependencyName = null;
+        continue;
+      }
+      const depBlockLine = line.match(/^\s{6}([^:\s]+):\s*$/);
+      if (depBlockLine !== null) {
+        currentDependencyName = sanitizeValue(depBlockLine[1] ?? "");
+        continue;
+      }
+      const depVersionLine = line.match(/^\s{8}version:\s*(.+)$/);
+      if (depVersionLine !== null && currentDependencyName !== null) {
+        const depRef = sanitizeValue(depVersionLine[1] ?? "");
+        const depVersion = depRef.split("(")[0] ?? depRef;
+        if (depVersion.length > 0) {
+          dependenciesByNode.get(currentPackage)?.add(`${currentDependencyName}@${depVersion}`);
+        }
+        currentDependencyName = null;
+        continue;
+      }
+      if (line.match(/^\s{4}(dependencies|optionalDependencies):\s*$/) !== null) {
+        continue;
       }
     }
-  };
-  visitConfig(rootConfigPath);
-  return {
-    fileNames: [...collectedFiles],
-    rootOptions: rootOptions ?? {
-      moduleResolution: ts.ModuleResolutionKind.NodeNext
-    },
-    visitedConfigCount: visitedConfigPaths.size
-  };
-};
-var createCompilerOptions = (base) => ({
-  ...base,
-  allowJs: true,
-  moduleResolution: base?.moduleResolution ?? ts.ModuleResolutionKind.NodeNext
-});
-var parseTsConfig = (projectRoot) => {
-  const collected = collectFilesFromTsConfigGraph(projectRoot);
-  if (collected === null) {
-    return {
-      fileNames: discoverSourceFilesByScan(projectRoot),
-      options: createCompilerOptions(void 0),
-      tsconfigCount: 0,
-      usedFallbackScan: true
-    };
   }
-  if (collected.fileNames.length === 0) {
+  const nodes = [...dependenciesByNode.entries()].map(([nodeId, deps]) => {
+    const at = nodeId.lastIndexOf("@");
     return {
-      fileNames: discoverSourceFilesByScan(projectRoot),
-      options: createCompilerOptions(collected.rootOptions),
-      tsconfigCount: collected.visitedConfigCount,
-      usedFallbackScan: true
+      name: nodeId.slice(0, at),
+      version: nodeId.slice(at + 1),
+      dependencies: [...deps].sort((a, b) => a.localeCompare(b))
     };
-  }
+  }).sort(
+    (a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version)
+  );
   return {
-    fileNames: collected.fileNames,
-    options: createCompilerOptions(collected.rootOptions),
-    tsconfigCount: collected.visitedConfigCount,
-    usedFallbackScan: false
+    kind: "pnpm",
+    directDependencies: directSpecs,
+    nodes
   };
 };
-var getSpecifierFromExpression = (expression) => {
-  if (ts.isStringLiteral(expression)) {
-    return expression.text;
-  }
-  if (ts.isNoSubstitutionTemplateLiteral(expression)) {
-    return expression.text;
-  }
-  return void 0;
-};
-var hasRuntimeImport = (importDeclaration) => {
-  const importClause = importDeclaration.importClause;
-  if (importClause === void 0) {
-    return true;
-  }
-  if (importClause.isTypeOnly) {
-    return false;
-  }
-  if (importClause.name !== void 0) {
-    return true;
-  }
-  const namedBindings = importClause.namedBindings;
-  if (namedBindings === void 0) {
-    return false;
-  }
-  if (ts.isNamespaceImport(namedBindings)) {
-    return true;
+var stripQuotes = (value) => value.replace(/^['"]|['"]$/g, "");
+var parseVersionSelector = (selector) => {
+  const npmIndex = selector.lastIndexOf("@npm:");
+  if (npmIndex >= 0) {
+    return selector.slice(npmIndex + 5);
   }
-  if (namedBindings.elements.length === 0) {
-    return true;
+  const lastAt = selector.lastIndexOf("@");
+  if (lastAt <= 0) {
+    return null;
   }
-  return namedBindings.elements.some((element) => !element.isTypeOnly);
+  return selector.slice(lastAt + 1);
 };
-var extractModuleSpecifiers = (sourceFile) => {
-  const specifiers = /* @__PURE__ */ new Set();
-  const visit = (node) => {
-    if (ts.isImportDeclaration(node)) {
-      if (hasRuntimeImport(node) && node.moduleSpecifier !== void 0) {
-        const specifier = getSpecifierFromExpression(node.moduleSpecifier);
-        if (specifier !== void 0) {
-          specifiers.add(specifier);
-        }
-      }
-      return;
-    }
-    if (ts.isExportDeclaration(node)) {
-      if (!node.isTypeOnly && node.moduleSpecifier !== void 0) {
-        const specifier = getSpecifierFromExpression(node.moduleSpecifier);
-        if (specifier !== void 0) {
-          specifiers.add(specifier);
-        }
-      }
+var parseYarnLock = (raw, directSpecs) => {
+  const lines = raw.split("\n");
+  const nodes = [];
+  let selectors = [];
+  let version2 = null;
+  let readingDependencies = false;
+  let dependencies = [];
+  const flushEntry = () => {
+    if (selectors.length === 0 || version2 === null) {
+      selectors = [];
+      version2 = null;
+      dependencies = [];
+      readingDependencies = false;
       return;
     }
-    if (ts.isCallExpression(node)) {
-      if (node.expression.kind === ts.SyntaxKind.ImportKeyword && node.arguments.length > 0) {
-        const firstArgument = node.arguments[0];
-        if (firstArgument !== void 0) {
-          const specifier = getSpecifierFromExpression(firstArgument);
-          if (specifier !== void 0) {
-            specifiers.add(specifier);
-          }
-        }
+    for (const selector of selectors) {
+      const parsedVersion = parseVersionSelector(selector);
+      const at = selector.lastIndexOf("@");
+      const name = at <= 0 ? selector : selector.slice(0, at);
+      if (name.length === 0) {
+        continue;
       }
-      if (ts.isIdentifier(node.expression) && node.expression.text === "require" && node.arguments.length > 0) {
-        const firstArgument = node.arguments[0];
-        if (firstArgument !== void 0) {
-          const specifier = getSpecifierFromExpression(firstArgument);
-          if (specifier !== void 0) {
-            specifiers.add(specifier);
-          }
-        }
+      nodes.push({
+        name,
+        version: version2,
+        dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
+      });
+      if (parsedVersion !== null) {
+        nodes.push({
+          name,
+          version: parsedVersion,
+          dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
+        });
       }
     }
-    ts.forEachChild(node, visit);
+    selectors = [];
+    version2 = null;
+    dependencies = [];
+    readingDependencies = false;
   };
-  visit(sourceFile);
-  return [...specifiers];
-};
-var parseTypescriptProject = (projectPath, onProgress) => {
-  const projectRoot = isAbsolute(projectPath) ? projectPath : resolve(projectPath);
-  const { fileNames, options, tsconfigCount, usedFallbackScan } = parseTsConfig(projectRoot);
-  onProgress?.({ stage: "config_resolved", tsconfigCount, usedFallbackScan });
-  const sourceFilePaths = fileNames.filter((filePath) => isProjectSourceFile(filePath, projectRoot)).map((filePath) => normalizePath(resolve(filePath)));
-  const uniqueSourceFilePaths = [...new Set(sourceFilePaths)].sort((a, b) => a.localeCompare(b));
-  const sourceFilePathSet = new Set(uniqueSourceFilePaths);
-  onProgress?.({ stage: "files_discovered", totalSourceFiles: uniqueSourceFilePaths.length });
-  const program2 = ts.createProgram({
-    rootNames: uniqueSourceFilePaths,
-    options
-  });
-  onProgress?.({ stage: "program_created", totalSourceFiles: uniqueSourceFilePaths.length });
-  const nodeByAbsolutePath = /* @__PURE__ */ new Map();
-  for (const sourcePath of uniqueSourceFilePaths) {
-    const relativePath = normalizePath(relative(projectRoot, sourcePath));
-    const nodeId = relativePath;
-    nodeByAbsolutePath.set(sourcePath, {
-      id: nodeId,
-      absolutePath: sourcePath,
-      relativePath
-    });
-  }
-  const resolverCache = /* @__PURE__ */ new Map();
-  const edges = [];
-  for (const [index, sourcePath] of uniqueSourceFilePaths.entries()) {
-    const sourceFile = program2.getSourceFile(sourcePath);
-    if (sourceFile === void 0) {
+  for (const line of lines) {
+    if (line.trim().length === 0) {
       continue;
     }
-    const fromNode = nodeByAbsolutePath.get(sourcePath);
-    if (fromNode === void 0) {
+    if (!line.startsWith(" ") && line.endsWith(":")) {
+      flushEntry();
+      const keyText = line.slice(0, -1);
+      selectors = keyText.split(",").map((part) => stripQuotes(part.trim())).filter((part) => part.length > 0);
       continue;
     }
-    const moduleSpecifiers = extractModuleSpecifiers(sourceFile);
-    for (const specifier of moduleSpecifiers) {
-      const cacheKey = `${sourcePath}\0${specifier}`;
-      let resolvedPath = resolverCache.get(cacheKey);
-      if (resolvedPath === void 0 && !resolverCache.has(cacheKey)) {
-        const resolved = ts.resolveModuleName(specifier, sourcePath, options, ts.sys).resolvedModule;
-        if (resolved !== void 0) {
-          resolvedPath = normalizePath(resolve(resolved.resolvedFileName));
-        }
-        resolverCache.set(cacheKey, resolvedPath);
-      }
-      if (resolvedPath === void 0 || !sourceFilePathSet.has(resolvedPath)) {
-        continue;
-      }
-      const toNode = nodeByAbsolutePath.get(resolvedPath);
-      if (toNode === void 0) {
+    if (line.match(/^\s{2}version\s+/) !== null) {
+      const value = line.replace(/^\s{2}version\s+/, "").trim();
+      version2 = stripQuotes(value);
+      readingDependencies = false;
+      continue;
+    }
+    if (line.match(/^\s{2}dependencies:\s*$/) !== null) {
+      readingDependencies = true;
+      continue;
+    }
+    if (readingDependencies && line.match(/^\s{4}[^\s].+$/) !== null) {
+      const depLine = line.trim();
+      const firstSpace = depLine.indexOf(" ");
+      if (firstSpace <= 0) {
         continue;
       }
-      edges.push({ from: fromNode.id, to: toNode.id });
+      const depName = stripQuotes(depLine.slice(0, firstSpace));
+      const depRef = stripQuotes(depLine.slice(firstSpace + 1).trim());
+      const depVersion = parseVersionSelector(depRef) ?? depRef;
+      dependencies.push(`${depName}@${depVersion}`);
+      continue;
     }
-    const processed = index + 1;
-    if (processed === 1 || processed === uniqueSourceFilePaths.length || processed % 50 === 0) {
-      onProgress?.({
-        stage: "file_processed",
-        processed,
-        total: uniqueSourceFilePaths.length,
-        filePath: fromNode.id
-      });
+    readingDependencies = false;
+  }
+  flushEntry();
+  const deduped = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    const key = `${node.name}@${node.version}`;
+    if (!deduped.has(key)) {
+      deduped.set(key, node);
     }
   }
-  onProgress?.({ stage: "edges_resolved", totalEdges: edges.length });
   return {
-    nodes: [...nodeByAbsolutePath.values()],
-    edges
+    kind: "yarn",
+    directDependencies: directSpecs,
+    nodes: [...deduped.values()].sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version))
   };
 };
-var buildProjectGraphSummary = (input) => {
-  const parsedProject = parseTypescriptProject(input.projectPath, input.onProgress);
-  const graphData = createGraphData(parsedProject.nodes, parsedProject.edges);
-  return createGraphAnalysisSummary(input.projectPath, graphData);
+var parseBunLock = (_raw, _directSpecs) => {
+  throw new Error("unsupported_lockfile_format");
 };
-
-// ../dependency-firewall/dist/index.js
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
-var round4 = (value) => Number(value.toFixed(4));
-var normalizeNodes = (nodes) => {
-  const byName = /* @__PURE__ */ new Map();
-  for (const node of nodes) {
-    const bucket = byName.get(node.name) ?? [];
-    bucket.push(node);
-    byName.set(node.name, bucket);
+var parseRetryAfterMs = (value) => {
+  if (value === null) {
+    return null;
   }
-  const normalized = [];
-  for (const [name, candidates] of byName.entries()) {
-    if (candidates.length === 0) {
-      continue;
+  const seconds = Number.parseInt(value, 10);
+  if (!Number.isFinite(seconds) || seconds <= 0) {
+    return null;
+  }
+  return seconds * 1e3;
+};
+var shouldRetryStatus = (status) => status === 429 || status >= 500;
+var fetchJsonWithRetry = async (url, options) => {
+  for (let attempt = 0; attempt <= options.retries; attempt += 1) {
+    const response = await fetch(url);
+    if (response.ok) {
+      return await response.json();
     }
-    candidates.sort((a, b) => b.version.localeCompare(a.version));
-    const selected = candidates[0];
-    if (selected === void 0) {
-      continue;
+    if (!shouldRetryStatus(response.status) || attempt === options.retries) {
+      return null;
     }
-    const deps = selected.dependencies.map((dep) => {
-      const at = dep.lastIndexOf("@");
-      return at <= 0 ? dep : dep.slice(0, at);
-    }).filter((depName) => depName.length > 0).sort((a, b) => a.localeCompare(b));
-    normalized.push({
-      key: `${name}@${selected.version}`,
-      name,
-      version: selected.version,
-      dependencies: deps
-    });
+    const retryAfterMs = parseRetryAfterMs(response.headers.get("retry-after"));
+    const backoffMs = retryAfterMs ?? options.baseDelayMs * 2 ** attempt;
+    await sleep(backoffMs);
   }
-  return normalized.sort((a, b) => a.name.localeCompare(b.name));
+  return null;
 };
-var computeDepths = (nodeByName, directNames) => {
-  const visiting = /* @__PURE__ */ new Set();
-  const depthByName = /* @__PURE__ */ new Map();
-  const compute = (name) => {
-    const known = depthByName.get(name);
-    if (known !== void 0) {
-      return known;
+var MAX_RETRIES = 3;
+var RETRY_BASE_DELAY_MS = 500;
+var parsePrerelease = (value) => {
+  if (value === void 0 || value.length === 0) {
+    return [];
+  }
+  return value.split(".").map((part) => {
+    const asNumber = Number.parseInt(part, 10);
+    if (!Number.isNaN(asNumber) && `${asNumber}` === part) {
+      return asNumber;
     }
-    if (visiting.has(name)) {
+    return part;
+  });
+};
+var parseSemver = (value) => {
+  const trimmed = value.trim();
+  const semverMatch = trimmed.match(
+    /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
+  );
+  if (semverMatch === null) {
+    return null;
+  }
+  const major = Number.parseInt(semverMatch[1] ?? "", 10);
+  const minor = Number.parseInt(semverMatch[2] ?? "", 10);
+  const patch = Number.parseInt(semverMatch[3] ?? "", 10);
+  if (!Number.isFinite(major) || !Number.isFinite(minor) || !Number.isFinite(patch)) {
+    return null;
+  }
+  return {
+    major,
+    minor,
+    patch,
+    prerelease: parsePrerelease(semverMatch[4])
+  };
+};
+var compareIdentifier = (left, right) => {
+  if (typeof left === "number" && typeof right === "number") {
+    return left - right;
+  }
+  if (typeof left === "number") {
+    return -1;
+  }
+  if (typeof right === "number") {
+    return 1;
+  }
+  return left.localeCompare(right);
+};
+var compareSemver = (left, right) => {
+  if (left.major !== right.major) {
+    return left.major - right.major;
+  }
+  if (left.minor !== right.minor) {
+    return left.minor - right.minor;
+  }
+  if (left.patch !== right.patch) {
+    return left.patch - right.patch;
+  }
+  if (left.prerelease.length === 0 && right.prerelease.length === 0) {
+    return 0;
+  }
+  if (left.prerelease.length === 0) {
+    return 1;
+  }
+  if (right.prerelease.length === 0) {
+    return -1;
+  }
+  const maxLength = Math.max(left.prerelease.length, right.prerelease.length);
+  for (let i = 0; i < maxLength; i += 1) {
+    const leftPart = left.prerelease[i];
+    const rightPart = right.prerelease[i];
+    if (leftPart === void 0 && rightPart === void 0) {
       return 0;
     }
-    visiting.add(name);
-    const node = nodeByName.get(name);
-    if (node === void 0) {
-      visiting.delete(name);
-      depthByName.set(name, 0);
-      return 0;
+    if (leftPart === void 0) {
+      return -1;
     }
-    let maxChildDepth = 0;
-    for (const dependencyName of node.dependencies) {
-      const childDepth = compute(dependencyName);
-      if (childDepth > maxChildDepth) {
-        maxChildDepth = childDepth;
-      }
+    if (rightPart === void 0) {
+      return 1;
     }
-    visiting.delete(name);
-    const ownDepth = directNames.has(name) ? 0 : maxChildDepth + 1;
-    depthByName.set(name, ownDepth);
-    return ownDepth;
-  };
-  for (const name of nodeByName.keys()) {
-    compute(name);
-  }
-  let maxDepth = 0;
-  for (const depth of depthByName.values()) {
-    if (depth > maxDepth) {
-      maxDepth = depth;
+    const diff = compareIdentifier(leftPart, rightPart);
+    if (diff !== 0) {
+      return diff;
     }
   }
-  return { depthByName, maxDepth };
+  return 0;
 };
-var rankCentrality = (nodes, dependentsByName, directNames, topN) => [...nodes].map((node) => ({
-  name: node.name,
-  dependents: dependentsByName.get(node.name) ?? 0,
-  fanOut: node.dependencies.length,
-  direct: directNames.has(node.name)
-})).sort(
-  (a, b) => b.dependents - a.dependents || b.fanOut - a.fanOut || a.name.localeCompare(b.name)
-).slice(0, topN);
-var canPropagateSignal = (signal) => signal === "abandoned" || signal === "high_centrality" || signal === "deep_chain" || signal === "high_fanout";
-var collectTransitiveDependencies = (rootName, nodeByName) => {
-  const seen = /* @__PURE__ */ new Set();
-  const stack = [...nodeByName.get(rootName)?.dependencies ?? []];
-  while (stack.length > 0) {
-    const current = stack.pop();
-    if (current === void 0 || seen.has(current) || current === rootName) {
-      continue;
+var isWildcardPart = (value) => value === void 0 || value === "*" || value.toLowerCase() === "x";
+var matchesPartialVersion = (version2, token) => {
+  const normalized = token.trim().replace(/^v/, "");
+  if (normalized === "*" || normalized.length === 0) {
+    return true;
+  }
+  const [majorPart, minorPart, patchPart] = normalized.split(".");
+  if (majorPart !== void 0 && !isWildcardPart(majorPart)) {
+    const major = Number.parseInt(majorPart, 10);
+    if (!Number.isFinite(major) || major !== version2.major) {
+      return false;
     }
-    seen.add(current);
-    const currentNode = nodeByName.get(current);
-    if (currentNode === void 0) {
-      continue;
+  }
+  if (minorPart !== void 0 && !isWildcardPart(minorPart)) {
+    const minor = Number.parseInt(minorPart, 10);
+    if (!Number.isFinite(minor) || minor !== version2.minor) {
+      return false;
     }
-    for (const next of currentNode.dependencies) {
-      if (!seen.has(next)) {
-        stack.push(next);
-      }
+  }
+  if (patchPart !== void 0 && !isWildcardPart(patchPart)) {
+    const patch = Number.parseInt(patchPart, 10);
+    if (!Number.isFinite(patch) || patch !== version2.patch) {
+      return false;
     }
   }
-  return [...seen].sort((a, b) => a.localeCompare(b));
+  return true;
 };
-var buildExternalAnalysisSummary = (targetPath, extraction, metadataByKey, config) => {
-  const nodes = normalizeNodes(extraction.nodes);
-  const directNames = new Set(extraction.directDependencies.map((dep) => dep.name));
-  const directSpecByName = new Map(extraction.directDependencies.map((dep) => [dep.name, dep.requestedRange]));
-  const nodeByName = new Map(nodes.map((node) => [node.name, node]));
-  const dependentsByName = /* @__PURE__ */ new Map();
-  for (const node of nodes) {
-    dependentsByName.set(node.name, dependentsByName.get(node.name) ?? 0);
+var parseComparatorToken = (token) => {
+  const operators = [">=", "<=", ">", "<", "="];
+  for (const operator of operators) {
+    if (token.startsWith(operator)) {
+      return {
+        operator,
+        versionToken: token.slice(operator.length).trim()
+      };
+    }
   }
-  for (const node of nodes) {
-    for (const dependencyName of node.dependencies) {
-      if (!nodeByName.has(dependencyName)) {
-        continue;
-      }
-      dependentsByName.set(dependencyName, (dependentsByName.get(dependencyName) ?? 0) + 1);
+  return {
+    operator: "=",
+    versionToken: token.trim()
+  };
+};
+var satisfiesComparator = (version2, token) => {
+  if (token.length === 0 || token === "*") {
+    return true;
+  }
+  if (token.startsWith("^")) {
+    const base = parseSemver(token.slice(1));
+    if (base === null) {
+      return null;
     }
+    let upper;
+    if (base.major > 0) {
+      upper = { major: base.major + 1, minor: 0, patch: 0, prerelease: [] };
+    } else if (base.minor > 0) {
+      upper = { major: 0, minor: base.minor + 1, patch: 0, prerelease: [] };
+    } else {
+      upper = { major: 0, minor: 0, patch: base.patch + 1, prerelease: [] };
+    }
+    return compareSemver(version2, base) >= 0 && compareSemver(version2, upper) < 0;
   }
-  const { depthByName, maxDepth } = computeDepths(nodeByName, directNames);
-  const centralityRanking = rankCentrality(nodes, dependentsByName, directNames, config.centralityTopN);
-  const topCentralNames = new Set(
-    centralityRanking.slice(0, Math.max(1, Math.ceil(centralityRanking.length * 0.25))).map((entry) => entry.name)
-  );
-  const allDependencies = [];
-  let metadataAvailableCount = 0;
-  for (const node of nodes) {
-    const metadata = metadataByKey.get(node.key) ?? null;
-    if (metadata !== null) {
-      metadataAvailableCount += 1;
+  if (token.startsWith("~")) {
+    const base = parseSemver(token.slice(1));
+    if (base === null) {
+      return null;
     }
-    const dependencyDepth = depthByName.get(node.name) ?? 0;
-    const dependents = dependentsByName.get(node.name) ?? 0;
-    const riskSignals = [];
-    if ((metadata?.maintainerCount ?? 0) === 1) {
-      riskSignals.push("single_maintainer");
+    const upper = {
+      major: base.major,
+      minor: base.minor + 1,
+      patch: 0,
+      prerelease: []
+    };
+    return compareSemver(version2, base) >= 0 && compareSemver(version2, upper) < 0;
+  }
+  const parsedComparator = parseComparatorToken(token);
+  const hasWildcard = /(^|[.])(?:x|X|\*)($|[.])/.test(parsedComparator.versionToken);
+  if (hasWildcard) {
+    if (parsedComparator.operator !== "=") {
+      return null;
     }
-    if ((metadata?.daysSinceLastRelease ?? 0) >= config.abandonedDaysThreshold) {
-      riskSignals.push("abandoned");
+    return matchesPartialVersion(version2, parsedComparator.versionToken);
+  }
+  const parsedVersion = parseSemver(parsedComparator.versionToken);
+  if (parsedVersion === null) {
+    if (parsedComparator.operator !== "=") {
+      return null;
     }
-    if (topCentralNames.has(node.name) && dependents > 0) {
-      riskSignals.push("high_centrality");
+    return matchesPartialVersion(version2, parsedComparator.versionToken);
+  }
+  const comparison = compareSemver(version2, parsedVersion);
+  switch (parsedComparator.operator) {
+    case ">":
+      return comparison > 0;
+    case ">=":
+      return comparison >= 0;
+    case "<":
+      return comparison < 0;
+    case "<=":
+      return comparison <= 0;
+    case "=":
+      return comparison === 0;
+    default:
+      return null;
+  }
+};
+var satisfiesRangeClause = (version2, clause) => {
+  const hyphenMatch = clause.match(/^\s*(.+?)\s+-\s+(.+?)\s*$/);
+  if (hyphenMatch !== null) {
+    const lower = hyphenMatch[1];
+    const upper = hyphenMatch[2];
+    if (lower === void 0 || upper === void 0) {
+      return null;
     }
-    if (dependencyDepth >= config.deepChainThreshold) {
-      riskSignals.push("deep_chain");
+    const lowerResult = satisfiesComparator(version2, `>=${lower}`);
+    const upperResult = satisfiesComparator(version2, `<=${upper}`);
+    if (lowerResult === null || upperResult === null) {
+      return null;
     }
-    if (node.dependencies.length >= config.fanOutHighThreshold) {
-      riskSignals.push("high_fanout");
+    return lowerResult && upperResult;
+  }
+  const tokens = clause.split(/\s+/).map((token) => token.trim()).filter((token) => token.length > 0);
+  if (tokens.length === 0) {
+    return true;
+  }
+  for (const token of tokens) {
+    const matched = satisfiesComparator(version2, token);
+    if (matched === null) {
+      return null;
     }
-    if (metadata === null) {
-      riskSignals.push("metadata_unavailable");
+    if (!matched) {
+      return false;
     }
-    allDependencies.push({
-      name: node.name,
-      direct: directNames.has(node.name),
-      requestedRange: directSpecByName.get(node.name) ?? null,
-      resolvedVersion: node.version,
-      transitiveDependencies: [],
-      dependencyDepth,
-      fanOut: node.dependencies.length,
-      dependents,
-      maintainerCount: metadata?.maintainerCount ?? null,
-      releaseFrequencyDays: metadata?.releaseFrequencyDays ?? null,
-      daysSinceLastRelease: metadata?.daysSinceLastRelease ?? null,
-      repositoryActivity30d: metadata?.repositoryActivity30d ?? null,
-      busFactor: metadata?.busFactor ?? null,
-      ownRiskSignals: [...riskSignals].sort((a, b) => a.localeCompare(b)),
-      inheritedRiskSignals: [],
-      riskSignals
-    });
   }
-  allDependencies.sort((a, b) => a.name.localeCompare(b.name));
-  const allByName = new Map(allDependencies.map((dep) => [dep.name, dep]));
-  const dependencies = allDependencies.filter((dep) => dep.direct).map((dep) => {
-    const transitiveDependencies = collectTransitiveDependencies(dep.name, nodeByName);
-    const inheritedSignals = /* @__PURE__ */ new Set();
-    const allSignals = new Set(dep.ownRiskSignals);
-    for (const transitiveName of transitiveDependencies) {
-      const transitive = allByName.get(transitiveName);
-      if (transitive === void 0) {
+  return true;
+};
+var resolveRangeVersion = (versions, requested) => {
+  const clauses = requested.split("||").map((clause) => clause.trim()).filter((clause) => clause.length > 0);
+  if (clauses.length === 0) {
+    return null;
+  }
+  const parsedVersions = versions.map((version2) => ({ version: version2, parsed: parseSemver(version2) })).filter((candidate) => candidate.parsed !== null).sort((a, b) => compareSemver(b.parsed, a.parsed));
+  for (const candidate of parsedVersions) {
+    let clauseMatched = false;
+    let clauseUnsupported = false;
+    for (const clause of clauses) {
+      const matched = satisfiesRangeClause(candidate.parsed, clause);
+      if (matched === null) {
+        clauseUnsupported = true;
         continue;
       }
-      for (const signal of transitive.riskSignals) {
-        if (canPropagateSignal(signal)) {
-          inheritedSignals.add(signal);
-          allSignals.add(signal);
-        }
+      if (matched) {
+        clauseMatched = true;
+        break;
       }
     }
-    return {
-      ...dep,
-      transitiveDependencies,
-      inheritedRiskSignals: [...inheritedSignals].sort((a, b) => a.localeCompare(b)),
-      riskSignals: [...allSignals].sort((a, b) => a.localeCompare(b))
-    };
-  }).sort((a, b) => a.name.localeCompare(b.name));
-  const highRiskDependencies = dependencies.filter((dep) => dep.riskSignals.length > 1).sort((a, b) => b.riskSignals.length - a.riskSignals.length || a.name.localeCompare(b.name)).slice(0, config.maxHighRiskDependencies).map((dep) => dep.name);
-  const singleMaintainerDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("single_maintainer")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
-  const abandonedDependencies = dependencies.filter((dep) => dep.ownRiskSignals.includes("abandoned")).map((dep) => dep.name).sort((a, b) => a.localeCompare(b));
-  return {
-    targetPath,
-    available: true,
-    metrics: {
-      totalDependencies: allDependencies.length,
-      directDependencies: dependencies.length,
-      transitiveDependencies: allDependencies.length - dependencies.length,
-      dependencyDepth: maxDepth,
-      lockfileKind: extraction.kind,
-      metadataCoverage: allDependencies.length === 0 ? 0 : round4(metadataAvailableCount / allDependencies.length)
-    },
-    dependencies,
-    highRiskDependencies,
-    singleMaintainerDependencies,
-    abandonedDependencies,
-    centralityRanking
-  };
-};
-var DEFAULT_EXTERNAL_ANALYSIS_CONFIG = {
-  abandonedDaysThreshold: 540,
-  deepChainThreshold: 6,
-  fanOutHighThreshold: 25,
-  centralityTopN: 20,
-  maxHighRiskDependencies: 100,
-  metadataRequestConcurrency: 8
+    if (clauseMatched) {
+      return candidate.version;
+    }
+    if (clauseUnsupported && clauses.length === 1) {
+      return null;
+    }
+  }
+  return null;
 };
-var LOCKFILE_CANDIDATES = [
-  { fileName: "pnpm-lock.yaml", kind: "pnpm" },
-  { fileName: "package-lock.json", kind: "npm" },
-  { fileName: "npm-shrinkwrap.json", kind: "npm-shrinkwrap" },
-  { fileName: "yarn.lock", kind: "yarn" },
-  { fileName: "bun.lock", kind: "bun" },
-  { fileName: "bun.lockb", kind: "bun" }
-];
-var loadPackageJson = (repositoryPath) => {
-  const packageJsonPath2 = join(repositoryPath, "package.json");
-  if (!existsSync(packageJsonPath2)) {
+var fetchPackument = async (name) => {
+  const encodedName = encodeURIComponent(name);
+  try {
+    return await fetchJsonWithRetry(`https://registry.npmjs.org/${encodedName}`, {
+      retries: MAX_RETRIES,
+      baseDelayMs: RETRY_BASE_DELAY_MS
+    });
+  } catch {
     return null;
   }
-  return {
-    path: packageJsonPath2,
-    raw: readFileSync(packageJsonPath2, "utf8")
-  };
 };
-var selectLockfile = (repositoryPath) => {
-  for (const candidate of LOCKFILE_CANDIDATES) {
-    const absolutePath = join(repositoryPath, candidate.fileName);
-    if (!existsSync(absolutePath)) {
-      continue;
-    }
+var resolveRequestedVersion = (packument, requested) => {
+  const versions = packument.versions ?? {};
+  const versionKeys = Object.keys(versions);
+  const tags = packument["dist-tags"] ?? {};
+  const latest = tags["latest"];
+  if (requested !== null && versions[requested] !== void 0) {
     return {
-      path: absolutePath,
-      kind: candidate.kind,
-      raw: readFileSync(absolutePath, "utf8")
+      version: requested,
+      resolution: "exact",
+      fallbackUsed: false
     };
   }
-  return null;
-};
-var parsePackageJson = (raw) => {
-  const parsed = JSON.parse(raw);
-  const merged = /* @__PURE__ */ new Map();
-  for (const block of [
-    parsed.dependencies,
-    parsed.devDependencies,
-    parsed.optionalDependencies,
-    parsed.peerDependencies
-  ]) {
-    if (block === void 0) {
-      continue;
+  if (requested !== null) {
+    const tagged = tags[requested];
+    if (tagged !== void 0 && versions[tagged] !== void 0) {
+      return {
+        version: tagged,
+        resolution: "tag",
+        fallbackUsed: false
+      };
     }
-    for (const [name, versionRange] of Object.entries(block)) {
-      merged.set(name, versionRange);
-    }
-  }
-  return [...merged.entries()].map(([name, requestedRange]) => ({ name, requestedRange })).sort((a, b) => a.name.localeCompare(b.name));
-};
-var parsePackageLock = (raw, directSpecs) => {
-  const parsed = JSON.parse(raw);
-  const nodes = [];
-  if (parsed.packages !== void 0) {
-    for (const [packagePath, packageData] of Object.entries(parsed.packages)) {
-      if (packagePath.length === 0 || packageData.version === void 0) {
-        continue;
-      }
-      const segments = packagePath.split("node_modules/");
-      const name = segments[segments.length - 1] ?? "";
-      if (name.length === 0) {
-        continue;
-      }
-      const dependencies = Object.entries(packageData.dependencies ?? {}).map(([depName, depRange]) => `${depName}@${String(depRange)}`).sort((a, b) => a.localeCompare(b));
-      nodes.push({
-        name,
-        version: packageData.version,
-        dependencies
-      });
-    }
-  } else if (parsed.dependencies !== void 0) {
-    for (const [name, dep] of Object.entries(parsed.dependencies)) {
-      if (dep.version === void 0) {
-        continue;
-      }
-      const dependencies = Object.entries(dep.dependencies ?? {}).map(([depName, depVersion]) => `${depName}@${String(depVersion)}`).sort((a, b) => a.localeCompare(b));
-      nodes.push({
-        name,
-        version: dep.version,
-        dependencies
-      });
-    }
-  }
-  nodes.sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
-  return {
-    kind: "npm",
-    directDependencies: directSpecs,
-    nodes
-  };
-};
-var sanitizeValue = (value) => value.replace(/^['"]|['"]$/g, "").trim();
-var parsePackageKey = (rawKey) => {
-  const key = sanitizeValue(rawKey.replace(/:$/, ""));
-  const withoutSlash = key.startsWith("/") ? key.slice(1) : key;
-  const lastAt = withoutSlash.lastIndexOf("@");
-  if (lastAt <= 0) {
-    return null;
-  }
-  const name = withoutSlash.slice(0, lastAt);
-  const versionWithPeers = withoutSlash.slice(lastAt + 1);
-  const version2 = versionWithPeers.split("(")[0] ?? versionWithPeers;
-  if (name.length === 0 || version2.length === 0) {
-    return null;
   }
-  return { name, version: version2 };
-};
-var parsePnpmLockfile = (raw, directSpecs) => {
-  const lines = raw.split("\n");
-  let state = "root";
-  let currentPackage = null;
-  let currentDependencyName = null;
-  const dependenciesByNode = /* @__PURE__ */ new Map();
-  for (const line of lines) {
-    if (line.trim().length === 0 || line.trimStart().startsWith("#")) {
-      continue;
-    }
-    if (line.startsWith("importers:")) {
-      state = "importers";
-      continue;
-    }
-    if (line.startsWith("packages:")) {
-      state = "packages";
-      continue;
-    }
-    if (state === "packages" || state === "packageDeps") {
-      const packageMatch = line.match(/^\s{2}([^\s].+):\s*$/);
-      if (packageMatch !== null) {
-        const parsedKey = parsePackageKey(packageMatch[1] ?? "");
-        if (parsedKey !== null) {
-          currentPackage = `${parsedKey.name}@${parsedKey.version}`;
-          dependenciesByNode.set(currentPackage, /* @__PURE__ */ new Set());
-          state = "packageDeps";
-          currentDependencyName = null;
-        }
-        continue;
-      }
-    }
-    if (state === "packageDeps" && currentPackage !== null) {
-      const depLine = line.match(/^\s{6}([^:\s]+):\s*(.+)$/);
-      if (depLine !== null) {
-        const depName = sanitizeValue(depLine[1] ?? "");
-        const depRef = sanitizeValue(depLine[2] ?? "");
-        const depVersion = depRef.split("(")[0] ?? depRef;
-        if (depName.length > 0 && depVersion.length > 0) {
-          dependenciesByNode.get(currentPackage)?.add(`${depName}@${depVersion}`);
-        }
-        currentDependencyName = null;
-        continue;
-      }
-      const depBlockLine = line.match(/^\s{6}([^:\s]+):\s*$/);
-      if (depBlockLine !== null) {
-        currentDependencyName = sanitizeValue(depBlockLine[1] ?? "");
-        continue;
-      }
-      const depVersionLine = line.match(/^\s{8}version:\s*(.+)$/);
-      if (depVersionLine !== null && currentDependencyName !== null) {
-        const depRef = sanitizeValue(depVersionLine[1] ?? "");
-        const depVersion = depRef.split("(")[0] ?? depRef;
-        if (depVersion.length > 0) {
-          dependenciesByNode.get(currentPackage)?.add(`${currentDependencyName}@${depVersion}`);
-        }
-        currentDependencyName = null;
-        continue;
-      }
-      if (line.match(/^\s{4}(dependencies|optionalDependencies):\s*$/) !== null) {
-        continue;
-      }
+  if (requested !== null) {
+    const matched = resolveRangeVersion(versionKeys, requested);
+    if (matched !== null && versions[matched] !== void 0) {
+      return {
+        version: matched,
+        resolution: "range",
+        fallbackUsed: false
+      };
     }
   }
-  const nodes = [...dependenciesByNode.entries()].map(([nodeId, deps]) => {
-    const at = nodeId.lastIndexOf("@");
+  if (latest !== void 0 && versions[latest] !== void 0) {
     return {
-      name: nodeId.slice(0, at),
-      version: nodeId.slice(at + 1),
-      dependencies: [...deps].sort((a, b) => a.localeCompare(b))
+      version: latest,
+      resolution: "latest",
+      fallbackUsed: requested !== null
     };
-  }).sort(
-    (a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version)
-  );
-  return {
-    kind: "pnpm",
-    directDependencies: directSpecs,
-    nodes
-  };
-};
-var stripQuotes = (value) => value.replace(/^['"]|['"]$/g, "");
-var parseVersionSelector = (selector) => {
-  const npmIndex = selector.lastIndexOf("@npm:");
-  if (npmIndex >= 0) {
-    return selector.slice(npmIndex + 5);
   }
-  const lastAt = selector.lastIndexOf("@");
-  if (lastAt <= 0) {
+  const semverSorted = versionKeys.map((version2) => ({ version: version2, parsed: parseSemver(version2) })).filter((candidate) => candidate.parsed !== null).sort((a, b) => compareSemver(b.parsed, a.parsed)).map((candidate) => candidate.version);
+  const fallbackVersion = semverSorted[0] ?? versionKeys.sort((a, b) => b.localeCompare(a))[0];
+  if (fallbackVersion === void 0) {
     return null;
   }
-  return selector.slice(lastAt + 1);
+  return {
+    version: fallbackVersion,
+    resolution: "latest",
+    fallbackUsed: requested !== null
+  };
 };
-var parseYarnLock = (raw, directSpecs) => {
-  const lines = raw.split("\n");
-  const nodes = [];
-  let selectors = [];
-  let version2 = null;
-  let readingDependencies = false;
-  let dependencies = [];
-  const flushEntry = () => {
-    if (selectors.length === 0 || version2 === null) {
-      selectors = [];
-      version2 = null;
-      dependencies = [];
-      readingDependencies = false;
-      return;
-    }
-    for (const selector of selectors) {
-      const parsedVersion = parseVersionSelector(selector);
-      const at = selector.lastIndexOf("@");
-      const name = at <= 0 ? selector : selector.slice(0, at);
-      if (name.length === 0) {
-        continue;
-      }
-      nodes.push({
-        name,
-        version: version2,
-        dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
-      });
-      if (parsedVersion !== null) {
-        nodes.push({
-          name,
-          version: parsedVersion,
-          dependencies: [...dependencies].sort((a, b) => a.localeCompare(b))
-        });
+var resolveRegistryGraphFromDirectSpecs = async (directSpecs, options) => {
+  const maxNodes = Math.max(1, options.maxNodes);
+  const maxDepth = Math.max(0, options.maxDepth);
+  const queue = directSpecs.map((spec) => ({
+    name: spec.name,
+    requested: spec.requestedRange,
+    depth: 0
+  }));
+  const scopeByName = new Map(directSpecs.map((spec) => [spec.name, spec.scope]));
+  const requestedByName = new Map(directSpecs.map((spec) => [spec.name, spec.requestedRange]));
+  const packumentByName = /* @__PURE__ */ new Map();
+  const nodesByKey = /* @__PURE__ */ new Map();
+  const directByName = /* @__PURE__ */ new Map();
+  const assumptions = /* @__PURE__ */ new Set();
+  let truncated = false;
+  while (queue.length > 0) {
+    if (nodesByKey.size >= maxNodes) {
+      truncated = true;
+      assumptions.add(`Dependency graph truncated at ${maxNodes} nodes.`);
+      break;
+    }
+    const item = queue.shift();
+    if (item === void 0) {
+      break;
+    }
+    let packument = packumentByName.get(item.name) ?? null;
+    if (!packumentByName.has(item.name)) {
+      packument = await fetchPackument(item.name);
+      packumentByName.set(item.name, packument);
+    }
+    if (packument === null) {
+      if (scopeByName.has(item.name)) {
+        assumptions.add(`Could not resolve direct dependency from registry: ${item.name}.`);
       }
-    }
-    selectors = [];
-    version2 = null;
-    dependencies = [];
-    readingDependencies = false;
-  };
-  for (const line of lines) {
-    if (line.trim().length === 0) {
       continue;
     }
-    if (!line.startsWith(" ") && line.endsWith(":")) {
-      flushEntry();
-      const keyText = line.slice(0, -1);
-      selectors = keyText.split(",").map((part) => stripQuotes(part.trim())).filter((part) => part.length > 0);
+    const resolved = resolveRequestedVersion(packument, item.requested);
+    if (resolved === null) {
+      if (scopeByName.has(item.name)) {
+        assumptions.add(`Could not resolve direct dependency version: ${item.name}.`);
+      }
       continue;
     }
-    if (line.match(/^\s{2}version\s+/) !== null) {
-      const value = line.replace(/^\s{2}version\s+/, "").trim();
-      version2 = stripQuotes(value);
-      readingDependencies = false;
-      continue;
+    if (scopeByName.has(item.name) && !directByName.has(item.name)) {
+      directByName.set(item.name, {
+        name: item.name,
+        requestedRange: requestedByName.get(item.name) ?? "latest",
+        resolvedVersion: resolved.version,
+        resolution: resolved.resolution,
+        scope: scopeByName.get(item.name) ?? "prod"
+      });
     }
-    if (line.match(/^\s{2}dependencies:\s*$/) !== null) {
-      readingDependencies = true;
+    if (resolved.fallbackUsed && item.requested !== null) {
+      assumptions.add(
+        `Resolved ${item.name}@${item.requested} to latest (${resolved.version}) because exact/tag/range match was unavailable.`
+      );
+    }
+    const nodeKey = `${item.name}@${resolved.version}`;
+    if (nodesByKey.has(nodeKey)) {
       continue;
     }
-    if (readingDependencies && line.match(/^\s{4}[^\s].+$/) !== null) {
-      const depLine = line.trim();
-      const firstSpace = depLine.indexOf(" ");
-      if (firstSpace <= 0) {
-        continue;
-      }
-      const depName = stripQuotes(depLine.slice(0, firstSpace));
-      const depRef = stripQuotes(depLine.slice(firstSpace + 1).trim());
-      const depVersion = parseVersionSelector(depRef) ?? depRef;
-      dependencies.push(`${depName}@${depVersion}`);
+    const manifest = (packument.versions ?? {})[resolved.version] ?? {};
+    const dependencies = Object.entries(manifest.dependencies ?? {}).filter(([dependencyName, dependencyRange]) => dependencyName.length > 0 && dependencyRange.length > 0).sort((a, b) => a[0].localeCompare(b[0]));
+    nodesByKey.set(nodeKey, {
+      name: item.name,
+      version: resolved.version,
+      dependencies: dependencies.map(([dependencyName, dependencyRange]) => `${dependencyName}@${dependencyRange}`)
+    });
+    if (item.depth >= maxDepth && dependencies.length > 0) {
+      truncated = true;
+      assumptions.add(`Dependency graph truncated at depth ${maxDepth}.`);
       continue;
     }
-    readingDependencies = false;
-  }
-  flushEntry();
-  const deduped = /* @__PURE__ */ new Map();
-  for (const node of nodes) {
-    const key = `${node.name}@${node.version}`;
-    if (!deduped.has(key)) {
-      deduped.set(key, node);
+    for (const [dependencyName, dependencyRange] of dependencies) {
+      if (nodesByKey.size + queue.length >= maxNodes) {
+        truncated = true;
+        assumptions.add(`Dependency graph truncated at ${maxNodes} nodes.`);
+        break;
+      }
+      queue.push({
+        name: dependencyName,
+        requested: dependencyRange,
+        depth: item.depth + 1
+      });
     }
   }
   return {
-    kind: "yarn",
-    directDependencies: directSpecs,
-    nodes: [...deduped.values()].sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version))
+    nodes: [...nodesByKey.values()].sort(
+      (a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version)
+    ),
+    directDependencies: [...directByName.values()].sort((a, b) => a.name.localeCompare(b.name)),
+    assumptions: [...assumptions].sort((a, b) => a.localeCompare(b)),
+    truncated
   };
 };
-var parseBunLock = (_raw, _directSpecs) => {
-  throw new Error("unsupported_lockfile_format");
-};
 var withDefaults = (overrides) => ({
   ...DEFAULT_EXTERNAL_ANALYSIS_CONFIG,
   ...overrides
@@ -1177,26 +1001,27 @@ var parseExtraction = (lockfileKind, lockfileRaw, directSpecs) => {
 };
 var mapWithConcurrency = async (values, limit, handler) => {
   const effectiveLimit = Math.max(1, limit);
+  const workerCount = Math.min(effectiveLimit, values.length);
   const results = new Array(values.length);
   let index = 0;
-  const workers = Array.from({ length: Math.min(effectiveLimit, values.length) }, async () => {
-    for (; ; ) {
+  const workers = Array.from({ length: workerCount }, async () => {
+    while (true) {
       const current = index;
       index += 1;
       if (current >= values.length) {
         return;
       }
       const value = values[current];
-      if (value === void 0) {
-        return;
+      if (value !== void 0) {
+        results[current] = await handler(value);
       }
-      results[current] = await handler(value);
     }
   });
   await Promise.all(workers);
   return results;
 };
 var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
+  const config = withDefaults(input.config);
   const packageJson = loadPackageJson(input.repositoryPath);
   if (packageJson === null) {
     return {
@@ -1206,19 +1031,37 @@ var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
     };
   }
   onProgress?.({ stage: "package_json_loaded" });
-  const lockfile = selectLockfile(input.repositoryPath);
-  if (lockfile === null) {
-    return {
-      targetPath: input.repositoryPath,
-      available: false,
-      reason: "lockfile_not_found"
-    };
-  }
-  onProgress?.({ stage: "lockfile_selected", kind: lockfile.kind });
   try {
     const directSpecs = parsePackageJson(packageJson.raw);
-    const extraction = parseExtraction(lockfile.kind, lockfile.raw, directSpecs);
-    const config = withDefaults(input.config);
+    const lockfile = selectLockfile(input.repositoryPath);
+    let extraction;
+    if (lockfile === null) {
+      const resolvedGraph = await resolveRegistryGraphFromDirectSpecs(directSpecs, {
+        maxNodes: 500,
+        maxDepth: 8
+      });
+      if (resolvedGraph.nodes.length === 0) {
+        return {
+          targetPath: input.repositoryPath,
+          available: false,
+          reason: "lockfile_not_found"
+        };
+      }
+      extraction = {
+        kind: "npm",
+        directDependencies: resolvedGraph.directDependencies.map((dependency) => ({
+          name: dependency.name,
+          requestedRange: dependency.requestedRange,
+          scope: dependency.scope
+        })),
+        nodes: resolvedGraph.nodes
+      };
+      onProgress?.({ stage: "lockfile_selected", kind: "npm" });
+    } else {
+      extraction = parseExtraction(lockfile.kind, lockfile.raw, directSpecs);
+      onProgress?.({ stage: "lockfile_selected", kind: lockfile.kind });
+    }
+    const directNames = new Set(extraction.directDependencies.map((dependency) => dependency.name));
     onProgress?.({
       stage: "lockfile_parsed",
       dependencyNodes: extraction.nodes.length,
@@ -1232,7 +1075,9 @@ var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
       async (node) => {
         const result = {
           key: `${node.name}@${node.version}`,
-          metadata: await metadataProvider.getMetadata(node.name, node.version)
+          metadata: await metadataProvider.getMetadata(node.name, node.version, {
+            directDependency: directNames.has(node.name)
+          })
         };
         completed += 1;
         onProgress?.({
@@ -1268,81 +1113,907 @@ var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
       };
     }
     return {
-      targetPath: input.repositoryPath,
-      available: false,
-      reason: "invalid_lockfile"
+      targetPath: input.repositoryPath,
+      available: false,
+      reason: "invalid_lockfile"
+    };
+  }
+};
+var DEFAULT_MAX_NODES = 250;
+var DEFAULT_MAX_DEPTH = 6;
+var withDefaults2 = (overrides) => ({
+  ...DEFAULT_EXTERNAL_ANALYSIS_CONFIG,
+  ...overrides
+});
+var parseDependencySpec = (value) => {
+  const trimmed = value.trim();
+  if (trimmed.length === 0 || /\s/.test(trimmed)) {
+    return null;
+  }
+  if (trimmed.startsWith("@")) {
+    const splitIndex2 = trimmed.lastIndexOf("@");
+    if (splitIndex2 <= 0) {
+      return { name: trimmed, requested: null };
+    }
+    const name2 = trimmed.slice(0, splitIndex2);
+    const requested2 = trimmed.slice(splitIndex2 + 1);
+    if (name2.length === 0 || requested2.length === 0) {
+      return null;
+    }
+    return { name: name2, requested: requested2 };
+  }
+  const splitIndex = trimmed.lastIndexOf("@");
+  if (splitIndex <= 0) {
+    return { name: trimmed, requested: null };
+  }
+  const name = trimmed.slice(0, splitIndex);
+  const requested = trimmed.slice(splitIndex + 1);
+  if (name.length === 0 || requested.length === 0) {
+    return null;
+  }
+  return { name, requested };
+};
+var mapWithConcurrency2 = async (values, limit, handler) => {
+  const effectiveLimit = Math.max(1, limit);
+  const workerCount = Math.min(effectiveLimit, values.length);
+  const results = new Array(values.length);
+  let index = 0;
+  const workers = Array.from({ length: workerCount }, async () => {
+    while (true) {
+      const current = index;
+      index += 1;
+      if (current >= values.length) {
+        return;
+      }
+      const value = values[current];
+      if (value !== void 0) {
+        results[current] = await handler(value);
+      }
+    }
+  });
+  await Promise.all(workers);
+  return results;
+};
+var analyzeDependencyCandidate = async (input, metadataProvider) => {
+  const parsed = parseDependencySpec(input.dependency);
+  if (parsed === null) {
+    return {
+      available: false,
+      reason: "invalid_dependency_spec",
+      dependency: input.dependency
+    };
+  }
+  const maxNodes = Math.max(1, input.maxNodes ?? DEFAULT_MAX_NODES);
+  const maxDepth = Math.max(0, input.maxDepth ?? DEFAULT_MAX_DEPTH);
+  const config = withDefaults2(input.config);
+  const graph = await resolveRegistryGraphFromDirectSpecs(
+    [
+      {
+        name: parsed.name,
+        requestedRange: parsed.requested ?? "latest",
+        scope: "prod"
+      }
+    ],
+    { maxNodes, maxDepth }
+  );
+  const direct = graph.directDependencies.find((dependency) => dependency.name === parsed.name);
+  if (direct === void 0 || graph.nodes.length === 0) {
+    return {
+      available: false,
+      reason: "package_not_found",
+      dependency: input.dependency
+    };
+  }
+  const metadataEntries = await mapWithConcurrency2(
+    graph.nodes,
+    config.metadataRequestConcurrency,
+    async (node) => ({
+      key: `${node.name}@${node.version}`,
+      metadata: await metadataProvider.getMetadata(node.name, node.version, {
+        directDependency: node.name === parsed.name
+      })
+    })
+  );
+  const metadataByKey = /* @__PURE__ */ new Map();
+  for (const entry of metadataEntries) {
+    metadataByKey.set(entry.key, entry.metadata);
+  }
+  const extraction = {
+    kind: "npm",
+    directDependencies: [
+      {
+        name: parsed.name,
+        requestedRange: parsed.requested ?? "latest",
+        scope: "prod"
+      }
+    ],
+    nodes: graph.nodes
+  };
+  const external = buildExternalAnalysisSummary(
+    `npm:${parsed.name}`,
+    extraction,
+    metadataByKey,
+    config
+  );
+  return {
+    available: true,
+    dependency: {
+      name: parsed.name,
+      requested: parsed.requested,
+      resolvedVersion: direct.resolvedVersion,
+      resolution: direct.resolution
+    },
+    graph: {
+      nodeCount: graph.nodes.length,
+      truncated: graph.truncated,
+      maxNodes,
+      maxDepth
+    },
+    assumptions: graph.assumptions,
+    external
+  };
+};
+var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
+var MAX_RETRIES2 = 3;
+var RETRY_BASE_DELAY_MS2 = 500;
+var round42 = (value) => Number(value.toFixed(4));
+var parseDate = (iso) => {
+  if (iso === void 0) {
+    return null;
+  }
+  const value = Date.parse(iso);
+  return Number.isNaN(value) ? null : value;
+};
+var NpmRegistryMetadataProvider = class {
+  cache = /* @__PURE__ */ new Map();
+  async fetchWeeklyDownloads(name) {
+    const encodedName = encodeURIComponent(name);
+    const payload = await fetchJsonWithRetry(
+      `https://api.npmjs.org/downloads/point/last-week/${encodedName}`,
+      { retries: MAX_RETRIES2, baseDelayMs: RETRY_BASE_DELAY_MS2 }
+    );
+    if (payload === null) {
+      return null;
+    }
+    const downloads = payload.downloads;
+    if (typeof downloads !== "number" || Number.isNaN(downloads) || downloads < 0) {
+      return null;
+    }
+    return Math.floor(downloads);
+  }
+  async getMetadata(name, version2, context) {
+    const key = `${name}@${version2}`;
+    if (this.cache.has(key)) {
+      return this.cache.get(key) ?? null;
+    }
+    try {
+      const encodedName = encodeURIComponent(name);
+      const payload = await fetchJsonWithRetry(
+        `https://registry.npmjs.org/${encodedName}`,
+        { retries: MAX_RETRIES2, baseDelayMs: RETRY_BASE_DELAY_MS2 }
+      );
+      if (payload === null) {
+        this.cache.set(key, null);
+        return null;
+      }
+      const timeEntries = payload.time ?? {};
+      const publishDates = Object.entries(timeEntries).filter(([tag]) => tag !== "created" && tag !== "modified").map(([, date]) => parseDate(date)).filter((value) => value !== null).sort((a, b) => a - b);
+      const modifiedAt = parseDate(timeEntries["modified"]);
+      const now = Date.now();
+      const daysSinceLastRelease = modifiedAt === null ? null : Math.max(0, round42((now - modifiedAt) / ONE_DAY_MS));
+      let releaseFrequencyDays = null;
+      if (publishDates.length >= 2) {
+        const totalIntervals = publishDates.length - 1;
+        let sum = 0;
+        for (let i = 1; i < publishDates.length; i += 1) {
+          const current = publishDates[i];
+          const previous = publishDates[i - 1];
+          if (current !== void 0 && previous !== void 0) {
+            sum += current - previous;
+          }
+        }
+        releaseFrequencyDays = round42(sum / totalIntervals / ONE_DAY_MS);
+      }
+      const maintainers = payload.maintainers ?? [];
+      const maintainerCount = maintainers.length > 0 ? maintainers.length : null;
+      const weeklyDownloads = context.directDependency ? await this.fetchWeeklyDownloads(name).catch(() => null) : null;
+      const metadata = {
+        name,
+        version: version2,
+        weeklyDownloads,
+        maintainerCount,
+        releaseFrequencyDays,
+        daysSinceLastRelease,
+        repositoryActivity30d: null,
+        busFactor: null
+      };
+      this.cache.set(key, metadata);
+      return metadata;
+    } catch {
+      this.cache.set(key, null);
+      return null;
+    }
+  }
+};
+var NoopMetadataProvider = class {
+  async getMetadata(_name, _version, _context) {
+    return null;
+  }
+};
+var analyzeDependencyExposureFromProject = async (input, onProgress) => {
+  const metadataProvider = process.env["CODESENTINEL_EXTERNAL_METADATA"] === "none" ? new NoopMetadataProvider() : new NpmRegistryMetadataProvider();
+  return analyzeDependencyExposure(input, metadataProvider, onProgress);
+};
+var analyzeDependencyCandidateFromRegistry = async (input) => {
+  const metadataProvider = process.env["CODESENTINEL_EXTERNAL_METADATA"] === "none" ? new NoopMetadataProvider() : new NpmRegistryMetadataProvider();
+  return analyzeDependencyCandidate(input, metadataProvider);
+};
+
+// src/index.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { dirname, resolve as resolve3 } from "path";
+import { fileURLToPath } from "url";
+
+// src/application/format-analyze-output.ts
+var createSummaryShape = (summary) => ({
+  targetPath: summary.structural.targetPath,
+  structural: summary.structural.metrics,
+  evolution: summary.evolution.available ? {
+    available: true,
+    metrics: summary.evolution.metrics,
+    hotspotsTop: summary.evolution.hotspots.slice(0, 5).map((hotspot) => hotspot.filePath)
+  } : {
+    available: false,
+    reason: summary.evolution.reason
+  },
+  external: summary.external.available ? {
+    available: true,
+    metrics: summary.external.metrics,
+    highRiskDependenciesTop: summary.external.highRiskDependencies.slice(0, 10),
+    highRiskDevelopmentDependenciesTop: summary.external.highRiskDevelopmentDependencies.slice(
+      0,
+      10
+    ),
+    transitiveExposureDependenciesTop: summary.external.transitiveExposureDependencies.slice(0, 10)
+  } : {
+    available: false,
+    reason: summary.external.reason
+  },
+  risk: {
+    repositoryScore: summary.risk.repositoryScore,
+    normalizedScore: summary.risk.normalizedScore,
+    hotspotsTop: summary.risk.hotspots.slice(0, 5).map((hotspot) => ({
+      file: hotspot.file,
+      score: hotspot.score
+    })),
+    fragileClusterCount: summary.risk.fragileClusters.length,
+    dependencyAmplificationZoneCount: summary.risk.dependencyAmplificationZones.length
+  }
+});
+var formatAnalyzeOutput = (summary, mode) => mode === "json" ? JSON.stringify(summary, null, 2) : JSON.stringify(createSummaryShape(summary), null, 2);
+
+// src/application/format-dependency-risk-output.ts
+var createSummaryShape2 = (result) => {
+  if (!result.available) {
+    return {
+      available: false,
+      reason: result.reason,
+      dependency: result.dependency
+    };
+  }
+  const direct = result.external.dependencies[0];
+  return {
+    available: true,
+    dependency: result.dependency,
+    graph: result.graph,
+    assumptions: result.assumptions,
+    external: {
+      metrics: result.external.metrics,
+      ownRiskSignals: direct?.ownRiskSignals ?? [],
+      inheritedRiskSignals: direct?.inheritedRiskSignals ?? [],
+      highRiskDependenciesTop: result.external.highRiskDependencies.slice(0, 10),
+      transitiveExposureDependenciesTop: result.external.transitiveExposureDependencies.slice(0, 10)
+    }
+  };
+};
+var formatDependencyRiskOutput = (result, mode) => mode === "json" ? JSON.stringify(result, null, 2) : JSON.stringify(createSummaryShape2(result), null, 2);
+
+// src/application/logger.ts
+var logLevelRank = {
+  error: 0,
+  warn: 1,
+  info: 2,
+  debug: 3
+};
+var noop = () => {
+};
+var createSilentLogger = () => ({
+  error: noop,
+  warn: noop,
+  info: noop,
+  debug: noop
+});
+var shouldLog = (configuredLevel, messageLevel) => {
+  if (configuredLevel === "silent") {
+    return false;
+  }
+  return logLevelRank[messageLevel] <= logLevelRank[configuredLevel];
+};
+var write = (messageLevel, message) => {
+  process.stderr.write(`[codesentinel] ${messageLevel.toUpperCase()} ${message}
+`);
+};
+var createStderrLogger = (level) => {
+  if (level === "silent") {
+    return createSilentLogger();
+  }
+  return {
+    error: (message) => {
+      if (shouldLog(level, "error")) {
+        write("error", message);
+      }
+    },
+    warn: (message) => {
+      if (shouldLog(level, "warn")) {
+        write("warn", message);
+      }
+    },
+    info: (message) => {
+      if (shouldLog(level, "info")) {
+        write("info", message);
+      }
+    },
+    debug: (message) => {
+      if (shouldLog(level, "debug")) {
+        write("debug", message);
+      }
+    }
+  };
+};
+var parseLogLevel = (value) => {
+  switch (value) {
+    case "silent":
+    case "error":
+    case "warn":
+    case "info":
+    case "debug":
+      return value;
+    default:
+      return "info";
+  }
+};
+
+// src/application/run-analyze-command.ts
+import { resolve as resolve2 } from "path";
+
+// ../code-graph/dist/index.js
+import { extname, isAbsolute, relative, resolve } from "path";
+import * as ts from "typescript";
+var edgeKey = (from, to) => `${from}\0${to}`;
+var createGraphData = (nodes, rawEdges) => {
+  const sortedNodes = [...nodes].sort((a, b) => a.id.localeCompare(b.id));
+  const knownNodeIds = new Set(sortedNodes.map((node) => node.id));
+  const uniqueEdgeMap = /* @__PURE__ */ new Map();
+  for (const edge of rawEdges) {
+    if (edge.from === edge.to) {
+      continue;
+    }
+    if (!knownNodeIds.has(edge.from) || !knownNodeIds.has(edge.to)) {
+      continue;
+    }
+    uniqueEdgeMap.set(edgeKey(edge.from, edge.to), edge);
+  }
+  const sortedEdges = [...uniqueEdgeMap.values()].sort((a, b) => {
+    const fromCompare = a.from.localeCompare(b.from);
+    if (fromCompare !== 0) {
+      return fromCompare;
+    }
+    return a.to.localeCompare(b.to);
+  });
+  const adjacency = /* @__PURE__ */ new Map();
+  for (const node of sortedNodes) {
+    adjacency.set(node.id, []);
+  }
+  for (const edge of sortedEdges) {
+    adjacency.get(edge.from)?.push(edge.to);
+  }
+  const adjacencyById = /* @__PURE__ */ new Map();
+  for (const [nodeId, targets] of adjacency.entries()) {
+    adjacencyById.set(nodeId, [...targets]);
+  }
+  return {
+    nodes: sortedNodes,
+    edges: sortedEdges,
+    adjacencyById
+  };
+};
+var runTarjanScc = (adjacencyById) => {
+  let index = 0;
+  const indices = /* @__PURE__ */ new Map();
+  const lowLink = /* @__PURE__ */ new Map();
+  const stack = [];
+  const onStack = /* @__PURE__ */ new Set();
+  const components = [];
+  const strongConnect = (nodeId) => {
+    indices.set(nodeId, index);
+    lowLink.set(nodeId, index);
+    index += 1;
+    stack.push(nodeId);
+    onStack.add(nodeId);
+    const neighbors = adjacencyById.get(nodeId) ?? [];
+    for (const nextId of neighbors) {
+      if (!indices.has(nextId)) {
+        strongConnect(nextId);
+        const nodeLowLink2 = lowLink.get(nodeId);
+        const nextLowLink = lowLink.get(nextId);
+        if (nodeLowLink2 !== void 0 && nextLowLink !== void 0 && nextLowLink < nodeLowLink2) {
+          lowLink.set(nodeId, nextLowLink);
+        }
+        continue;
+      }
+      if (onStack.has(nextId)) {
+        const nodeLowLink2 = lowLink.get(nodeId);
+        const nextIndex = indices.get(nextId);
+        if (nodeLowLink2 !== void 0 && nextIndex !== void 0 && nextIndex < nodeLowLink2) {
+          lowLink.set(nodeId, nextIndex);
+        }
+      }
+    }
+    const nodeLowLink = lowLink.get(nodeId);
+    const nodeIndex = indices.get(nodeId);
+    if (nodeLowLink === void 0 || nodeIndex === void 0 || nodeLowLink !== nodeIndex) {
+      return;
+    }
+    const component = [];
+    for (; ; ) {
+      const popped = stack.pop();
+      if (popped === void 0) {
+        break;
+      }
+      onStack.delete(popped);
+      component.push(popped);
+      if (popped === nodeId) {
+        break;
+      }
+    }
+    component.sort((a, b) => a.localeCompare(b));
+    components.push(component);
+  };
+  const nodeIds = [...adjacencyById.keys()].sort((a, b) => a.localeCompare(b));
+  for (const nodeId of nodeIds) {
+    if (!indices.has(nodeId)) {
+      strongConnect(nodeId);
+    }
+  }
+  components.sort((a, b) => {
+    const firstA = a[0] ?? "";
+    const firstB = b[0] ?? "";
+    return firstA.localeCompare(firstB);
+  });
+  return { components };
+};
+var hasSelfLoop = (nodeId, adjacencyById) => {
+  const targets = adjacencyById.get(nodeId) ?? [];
+  return targets.includes(nodeId);
+};
+var computeCyclesAndDepth = (graph) => {
+  const { components } = runTarjanScc(graph.adjacencyById);
+  const cycles = [];
+  const componentByNodeId = /* @__PURE__ */ new Map();
+  components.forEach((component, index) => {
+    for (const nodeId of component) {
+      componentByNodeId.set(nodeId, index);
+    }
+    if (component.length > 1) {
+      cycles.push({ nodes: [...component] });
+      return;
+    }
+    const onlyNode = component[0];
+    if (onlyNode !== void 0 && hasSelfLoop(onlyNode, graph.adjacencyById)) {
+      cycles.push({ nodes: [...component] });
+    }
+  });
+  const dagOutgoing = /* @__PURE__ */ new Map();
+  const inDegree = /* @__PURE__ */ new Map();
+  for (let i = 0; i < components.length; i += 1) {
+    dagOutgoing.set(i, /* @__PURE__ */ new Set());
+    inDegree.set(i, 0);
+  }
+  for (const edge of graph.edges) {
+    const fromComponent = componentByNodeId.get(edge.from);
+    const toComponent = componentByNodeId.get(edge.to);
+    if (fromComponent === void 0 || toComponent === void 0 || fromComponent === toComponent) {
+      continue;
+    }
+    const outgoing = dagOutgoing.get(fromComponent);
+    if (outgoing?.has(toComponent) === true) {
+      continue;
+    }
+    outgoing?.add(toComponent);
+    inDegree.set(toComponent, (inDegree.get(toComponent) ?? 0) + 1);
+  }
+  const queue = [];
+  const depthByComponent = /* @__PURE__ */ new Map();
+  for (let i = 0; i < components.length; i += 1) {
+    if ((inDegree.get(i) ?? 0) === 0) {
+      queue.push(i);
+      depthByComponent.set(i, 0);
+    }
+  }
+  let cursor = 0;
+  while (cursor < queue.length) {
+    const componentId = queue[cursor];
+    cursor += 1;
+    if (componentId === void 0) {
+      continue;
+    }
+    const currentDepth = depthByComponent.get(componentId) ?? 0;
+    const outgoing = dagOutgoing.get(componentId) ?? /* @__PURE__ */ new Set();
+    for (const nextComponent of outgoing) {
+      const nextDepth = depthByComponent.get(nextComponent) ?? 0;
+      if (currentDepth + 1 > nextDepth) {
+        depthByComponent.set(nextComponent, currentDepth + 1);
+      }
+      const remainingIncoming = (inDegree.get(nextComponent) ?? 0) - 1;
+      inDegree.set(nextComponent, remainingIncoming);
+      if (remainingIncoming === 0) {
+        queue.push(nextComponent);
+      }
+    }
+  }
+  const depthByNodeId = /* @__PURE__ */ new Map();
+  let graphDepth = 0;
+  components.forEach((component, componentId) => {
+    const componentDepth = depthByComponent.get(componentId) ?? 0;
+    if (componentDepth > graphDepth) {
+      graphDepth = componentDepth;
+    }
+    for (const nodeId of component) {
+      depthByNodeId.set(nodeId, componentDepth);
+    }
+  });
+  cycles.sort((a, b) => {
+    const firstA = a.nodes[0] ?? "";
+    const firstB = b.nodes[0] ?? "";
+    return firstA.localeCompare(firstB);
+  });
+  return {
+    depthByNodeId,
+    graphDepth,
+    cycles
+  };
+};
+var createGraphAnalysisSummary = (targetPath, graph) => {
+  const fanInById = /* @__PURE__ */ new Map();
+  const fanOutById = /* @__PURE__ */ new Map();
+  for (const node of graph.nodes) {
+    fanInById.set(node.id, 0);
+    fanOutById.set(node.id, graph.adjacencyById.get(node.id)?.length ?? 0);
+  }
+  for (const edge of graph.edges) {
+    fanInById.set(edge.to, (fanInById.get(edge.to) ?? 0) + 1);
+  }
+  const { cycles, depthByNodeId, graphDepth } = computeCyclesAndDepth(graph);
+  let maxFanIn = 0;
+  let maxFanOut = 0;
+  const files = graph.nodes.map((node) => {
+    const fanIn = fanInById.get(node.id) ?? 0;
+    const fanOut = fanOutById.get(node.id) ?? 0;
+    if (fanIn > maxFanIn) {
+      maxFanIn = fanIn;
+    }
+    if (fanOut > maxFanOut) {
+      maxFanOut = fanOut;
+    }
+    return {
+      id: node.id,
+      relativePath: node.relativePath,
+      directDependencies: graph.adjacencyById.get(node.id) ?? [],
+      fanIn,
+      fanOut,
+      depth: depthByNodeId.get(node.id) ?? 0
+    };
+  });
+  const metrics = {
+    nodeCount: graph.nodes.length,
+    edgeCount: graph.edges.length,
+    cycleCount: cycles.length,
+    graphDepth,
+    maxFanIn,
+    maxFanOut
+  };
+  return {
+    targetPath,
+    nodes: graph.nodes,
+    edges: graph.edges,
+    cycles,
+    files,
+    metrics
+  };
+};
+var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".mts", ".cts", ".js", ".jsx", ".mjs", ".cjs"]);
+var SCAN_EXCLUDES = [
+  "**/node_modules/**",
+  "**/.git/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/.next/**",
+  "**/coverage/**",
+  "**/.turbo/**",
+  "**/.cache/**",
+  "**/out/**"
+];
+var SCAN_INCLUDES = ["**/*"];
+var IGNORED_SEGMENTS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  "coverage",
+  ".turbo",
+  ".cache",
+  "out"
+]);
+var normalizePath = (pathValue) => pathValue.replaceAll("\\", "/");
+var isProjectSourceFile = (filePath, projectRoot) => {
+  const extension = extname(filePath);
+  if (!SOURCE_EXTENSIONS.has(extension)) {
+    return false;
+  }
+  const relativePath = relative(projectRoot, filePath);
+  if (relativePath.startsWith("..")) {
+    return false;
+  }
+  const normalizedRelativePath = normalizePath(relativePath);
+  const segments = normalizedRelativePath.split("/");
+  return !segments.some((segment) => IGNORED_SEGMENTS.has(segment));
+};
+var discoverSourceFilesByScan = (projectRoot) => {
+  const files = ts.sys.readDirectory(
+    projectRoot,
+    [...SOURCE_EXTENSIONS],
+    SCAN_EXCLUDES,
+    SCAN_INCLUDES
+  );
+  return files.map((filePath) => resolve(filePath));
+};
+var parseTsConfigFile = (configPath) => {
+  const parsedCommandLine = ts.getParsedCommandLineOfConfigFile(
+    configPath,
+    {},
+    {
+      ...ts.sys,
+      onUnRecoverableConfigFileDiagnostic: () => {
+        throw new Error(`Failed to parse TypeScript configuration at ${configPath}`);
+      }
+    }
+  );
+  if (parsedCommandLine === void 0) {
+    throw new Error(`Failed to parse TypeScript configuration at ${configPath}`);
+  }
+  return parsedCommandLine;
+};
+var collectFilesFromTsConfigGraph = (projectRoot) => {
+  const rootConfigPath = ts.findConfigFile(projectRoot, ts.sys.fileExists, "tsconfig.json");
+  if (rootConfigPath === void 0) {
+    return null;
+  }
+  const visitedConfigPaths = /* @__PURE__ */ new Set();
+  const collectedFiles = /* @__PURE__ */ new Set();
+  let rootOptions = null;
+  const visitConfig = (configPath) => {
+    const absoluteConfigPath = resolve(configPath);
+    if (visitedConfigPaths.has(absoluteConfigPath)) {
+      return;
+    }
+    visitedConfigPaths.add(absoluteConfigPath);
+    const parsed = parseTsConfigFile(absoluteConfigPath);
+    if (rootOptions === null) {
+      rootOptions = parsed.options;
+    }
+    for (const filePath of parsed.fileNames) {
+      collectedFiles.add(resolve(filePath));
+    }
+    for (const reference of parsed.projectReferences ?? []) {
+      const referencePath = resolve(reference.path);
+      const referenceConfigPath = ts.sys.directoryExists(referencePath) ? ts.findConfigFile(referencePath, ts.sys.fileExists, "tsconfig.json") : referencePath;
+      if (referenceConfigPath !== void 0 && ts.sys.fileExists(referenceConfigPath)) {
+        visitConfig(referenceConfigPath);
+      }
+    }
+  };
+  visitConfig(rootConfigPath);
+  return {
+    fileNames: [...collectedFiles],
+    rootOptions: rootOptions ?? {
+      moduleResolution: ts.ModuleResolutionKind.NodeNext
+    },
+    visitedConfigCount: visitedConfigPaths.size
+  };
+};
+var createCompilerOptions = (base) => ({
+  ...base,
+  allowJs: true,
+  moduleResolution: base?.moduleResolution ?? ts.ModuleResolutionKind.NodeNext
+});
+var parseTsConfig = (projectRoot) => {
+  const collected = collectFilesFromTsConfigGraph(projectRoot);
+  if (collected === null) {
+    return {
+      fileNames: discoverSourceFilesByScan(projectRoot),
+      options: createCompilerOptions(void 0),
+      tsconfigCount: 0,
+      usedFallbackScan: true
+    };
+  }
+  if (collected.fileNames.length === 0) {
+    return {
+      fileNames: discoverSourceFilesByScan(projectRoot),
+      options: createCompilerOptions(collected.rootOptions),
+      tsconfigCount: collected.visitedConfigCount,
+      usedFallbackScan: true
     };
   }
+  return {
+    fileNames: collected.fileNames,
+    options: createCompilerOptions(collected.rootOptions),
+    tsconfigCount: collected.visitedConfigCount,
+    usedFallbackScan: false
+  };
 };
-var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
-var round42 = (value) => Number(value.toFixed(4));
-var parseDate = (iso) => {
-  if (iso === void 0) {
-    return null;
+var getSpecifierFromExpression = (expression) => {
+  if (ts.isStringLiteral(expression)) {
+    return expression.text;
   }
-  const value = Date.parse(iso);
-  return Number.isNaN(value) ? null : value;
+  if (ts.isNoSubstitutionTemplateLiteral(expression)) {
+    return expression.text;
+  }
+  return void 0;
 };
-var NpmRegistryMetadataProvider = class {
-  cache = /* @__PURE__ */ new Map();
-  async getMetadata(name, version2) {
-    const key = `${name}@${version2}`;
-    if (this.cache.has(key)) {
-      return this.cache.get(key) ?? null;
+var hasRuntimeImport = (importDeclaration) => {
+  const importClause = importDeclaration.importClause;
+  if (importClause === void 0) {
+    return true;
+  }
+  if (importClause.isTypeOnly) {
+    return false;
+  }
+  if (importClause.name !== void 0) {
+    return true;
+  }
+  const namedBindings = importClause.namedBindings;
+  if (namedBindings === void 0) {
+    return false;
+  }
+  if (ts.isNamespaceImport(namedBindings)) {
+    return true;
+  }
+  if (namedBindings.elements.length === 0) {
+    return true;
+  }
+  return namedBindings.elements.some((element) => !element.isTypeOnly);
+};
+var extractModuleSpecifiers = (sourceFile) => {
+  const specifiers = /* @__PURE__ */ new Set();
+  const visit = (node) => {
+    if (ts.isImportDeclaration(node)) {
+      if (hasRuntimeImport(node) && node.moduleSpecifier !== void 0) {
+        const specifier = getSpecifierFromExpression(node.moduleSpecifier);
+        if (specifier !== void 0) {
+          specifiers.add(specifier);
+        }
+      }
+      return;
     }
-    try {
-      const encodedName = encodeURIComponent(name);
-      const response = await fetch(`https://registry.npmjs.org/${encodedName}`);
-      if (!response.ok) {
-        this.cache.set(key, null);
-        return null;
+    if (ts.isExportDeclaration(node)) {
+      if (!node.isTypeOnly && node.moduleSpecifier !== void 0) {
+        const specifier = getSpecifierFromExpression(node.moduleSpecifier);
+        if (specifier !== void 0) {
+          specifiers.add(specifier);
+        }
       }
-      const payload = await response.json();
-      const timeEntries = payload.time ?? {};
-      const publishDates = Object.entries(timeEntries).filter(([tag]) => tag !== "created" && tag !== "modified").map(([, date]) => parseDate(date)).filter((value) => value !== null).sort((a, b) => a - b);
-      const modifiedAt = parseDate(timeEntries["modified"]);
-      const now = Date.now();
-      const daysSinceLastRelease = modifiedAt === null ? null : Math.max(0, round42((now - modifiedAt) / ONE_DAY_MS));
-      let releaseFrequencyDays = null;
-      if (publishDates.length >= 2) {
-        const totalIntervals = publishDates.length - 1;
-        let sum = 0;
-        for (let i = 1; i < publishDates.length; i += 1) {
-          const current = publishDates[i];
-          const previous = publishDates[i - 1];
-          if (current !== void 0 && previous !== void 0) {
-            sum += current - previous;
+      return;
+    }
+    if (ts.isCallExpression(node)) {
+      if (node.expression.kind === ts.SyntaxKind.ImportKeyword && node.arguments.length > 0) {
+        const firstArgument = node.arguments[0];
+        if (firstArgument !== void 0) {
+          const specifier = getSpecifierFromExpression(firstArgument);
+          if (specifier !== void 0) {
+            specifiers.add(specifier);
+          }
+        }
+      }
+      if (ts.isIdentifier(node.expression) && node.expression.text === "require" && node.arguments.length > 0) {
+        const firstArgument = node.arguments[0];
+        if (firstArgument !== void 0) {
+          const specifier = getSpecifierFromExpression(firstArgument);
+          if (specifier !== void 0) {
+            specifiers.add(specifier);
           }
         }
-        releaseFrequencyDays = round42(sum / totalIntervals / ONE_DAY_MS);
       }
-      const maintainers = payload.maintainers ?? [];
-      const maintainerCount = maintainers.length > 0 ? maintainers.length : null;
-      const metadata = {
-        name,
-        version: version2,
-        maintainerCount,
-        releaseFrequencyDays,
-        daysSinceLastRelease,
-        repositoryActivity30d: null,
-        busFactor: null
-      };
-      this.cache.set(key, metadata);
-      return metadata;
-    } catch {
-      this.cache.set(key, null);
-      return null;
     }
-  }
+    ts.forEachChild(node, visit);
+  };
+  visit(sourceFile);
+  return [...specifiers];
 };
-var NoopMetadataProvider = class {
-  async getMetadata(_name, _version) {
-    return null;
+var parseTypescriptProject = (projectPath, onProgress) => {
+  const projectRoot = isAbsolute(projectPath) ? projectPath : resolve(projectPath);
+  const { fileNames, options, tsconfigCount, usedFallbackScan } = parseTsConfig(projectRoot);
+  onProgress?.({ stage: "config_resolved", tsconfigCount, usedFallbackScan });
+  const sourceFilePaths = fileNames.filter((filePath) => isProjectSourceFile(filePath, projectRoot)).map((filePath) => normalizePath(resolve(filePath)));
+  const uniqueSourceFilePaths = [...new Set(sourceFilePaths)].sort((a, b) => a.localeCompare(b));
+  const sourceFilePathSet = new Set(uniqueSourceFilePaths);
+  onProgress?.({ stage: "files_discovered", totalSourceFiles: uniqueSourceFilePaths.length });
+  const program2 = ts.createProgram({
+    rootNames: uniqueSourceFilePaths,
+    options
+  });
+  onProgress?.({ stage: "program_created", totalSourceFiles: uniqueSourceFilePaths.length });
+  const nodeByAbsolutePath = /* @__PURE__ */ new Map();
+  for (const sourcePath of uniqueSourceFilePaths) {
+    const relativePath = normalizePath(relative(projectRoot, sourcePath));
+    const nodeId = relativePath;
+    nodeByAbsolutePath.set(sourcePath, {
+      id: nodeId,
+      absolutePath: sourcePath,
+      relativePath
+    });
+  }
+  const resolverCache = /* @__PURE__ */ new Map();
+  const edges = [];
+  for (const [index, sourcePath] of uniqueSourceFilePaths.entries()) {
+    const sourceFile = program2.getSourceFile(sourcePath);
+    if (sourceFile === void 0) {
+      continue;
+    }
+    const fromNode = nodeByAbsolutePath.get(sourcePath);
+    if (fromNode === void 0) {
+      continue;
+    }
+    const moduleSpecifiers = extractModuleSpecifiers(sourceFile);
+    for (const specifier of moduleSpecifiers) {
+      const cacheKey = `${sourcePath}\0${specifier}`;
+      let resolvedPath = resolverCache.get(cacheKey);
+      if (resolvedPath === void 0 && !resolverCache.has(cacheKey)) {
+        const resolved = ts.resolveModuleName(specifier, sourcePath, options, ts.sys).resolvedModule;
+        if (resolved !== void 0) {
+          resolvedPath = normalizePath(resolve(resolved.resolvedFileName));
+        }
+        resolverCache.set(cacheKey, resolvedPath);
+      }
+      if (resolvedPath === void 0 || !sourceFilePathSet.has(resolvedPath)) {
+        continue;
+      }
+      const toNode = nodeByAbsolutePath.get(resolvedPath);
+      if (toNode === void 0) {
+        continue;
+      }
+      edges.push({ from: fromNode.id, to: toNode.id });
+    }
+    const processed = index + 1;
+    if (processed === 1 || processed === uniqueSourceFilePaths.length || processed % 50 === 0) {
+      onProgress?.({
+        stage: "file_processed",
+        processed,
+        total: uniqueSourceFilePaths.length,
+        filePath: fromNode.id
+      });
+    }
   }
+  onProgress?.({ stage: "edges_resolved", totalEdges: edges.length });
+  return {
+    nodes: [...nodeByAbsolutePath.values()],
+    edges
+  };
 };
-var analyzeDependencyExposureFromProject = async (input, onProgress) => {
-  const metadataProvider = process.env["CODESENTINEL_EXTERNAL_METADATA"] === "none" ? new NoopMetadataProvider() : new NpmRegistryMetadataProvider();
-  return analyzeDependencyExposure(input, metadataProvider, onProgress);
+var buildProjectGraphSummary = (input) => {
+  const parsedProject = parseTypescriptProject(input.projectPath, input.onProgress);
+  const graphData = createGraphData(parsedProject.nodes, parsedProject.edges);
+  return createGraphAnalysisSummary(input.projectPath, graphData);
 };
 
 // ../git-analyzer/dist/index.js
@@ -1899,25 +2570,18 @@ var DEFAULT_RISK_ENGINE_CONFIG = {
     inheritedSignalMultiplier: 0.45,
     // At this age, staleness reaches 50% risk.
     abandonedHalfLifeDays: 540,
-    missingMetadataPenalty: 0.5
+    missingMetadataPenalty: 0.5,
+    // At this download volume, popularity reaches 50% of its dampening effect.
+    popularityHalfLifeDownloads: 1e5,
+    // Popularity can only reduce dependency risk by this fraction.
+    popularityMaxDampening: 0.12
   },
   externalDimension: {
     topDependencyPercentile: 0.85,
     dependencyDepthHalfLife: 6
   }
 };
-var clamp01 = (value) => {
-  if (Number.isNaN(value)) {
-    return 0;
-  }
-  if (value <= 0) {
-    return 0;
-  }
-  if (value >= 1) {
-    return 1;
-  }
-  return value;
-};
+var toUnitInterval = (value) => Number.isFinite(value) ? Math.min(1, Math.max(0, value)) : 0;
 var round44 = (value) => Number(value.toFixed(4));
 var average = (values) => {
   if (values.length === 0) {
@@ -1934,7 +2598,7 @@ var percentile = (values, p) => {
     return values[0] ?? 0;
   }
   const sorted = [...values].sort((a, b) => a - b);
-  const position = clamp01(p) * (sorted.length - 1);
+  const position = toUnitInterval(p) * (sorted.length - 1);
   const lowerIndex = Math.floor(position);
   const upperIndex = Math.ceil(position);
   const lower = sorted[lowerIndex] ?? 0;
@@ -1946,18 +2610,18 @@ var percentile = (values, p) => {
   return lower + (upper - lower) * ratio;
 };
 var saturatingComposite = (baseline, amplifications) => {
-  let value = clamp01(baseline);
+  let value = toUnitInterval(baseline);
   for (const amplification of amplifications) {
-    const boundedAmplification = clamp01(amplification);
+    const boundedAmplification = toUnitInterval(amplification);
     value += (1 - value) * boundedAmplification;
   }
-  return clamp01(value);
+  return toUnitInterval(value);
 };
 var halfLifeRisk = (value, halfLife) => {
   if (value <= 0 || halfLife <= 0) {
     return 0;
   }
-  return clamp01(value / (value + halfLife));
+  return toUnitInterval(value / (value + halfLife));
 };
 var normalizeWeights = (weights, enabled) => {
   let total = 0;
@@ -2004,7 +2668,7 @@ var normalizeWithScale = (value, scale) => {
   if (scale.upper <= scale.lower) {
     return value > 0 ? 1 : 0;
   }
-  return clamp01((value - scale.lower) / (scale.upper - scale.lower));
+  return toUnitInterval((value - scale.lower) / (scale.upper - scale.lower));
 };
 var normalizePath2 = (path) => path.replaceAll("\\", "/");
 var dependencySignalWeights = {
@@ -2030,7 +2694,7 @@ var computeDependencySignalScore = (ownSignals, inheritedSignals, inheritedSigna
   if (maxWeightedTotal <= 0) {
     return 0;
   }
-  return clamp01(weightedTotal / maxWeightedTotal);
+  return toUnitInterval(weightedTotal / maxWeightedTotal);
 };
 var computeDependencyScores = (external, config) => {
   if (!external.available) {
@@ -2065,7 +2729,7 @@ var computeDependencyScores = (external, config) => {
       dependency.inheritedRiskSignals,
       config.dependencySignals.inheritedSignalMultiplier
     );
-    const maintainerConcentrationRisk = dependency.maintainerCount === null ? config.dependencySignals.missingMetadataPenalty : clamp01(1 / Math.max(1, dependency.maintainerCount));
+    const maintainerConcentrationRisk = dependency.maintainerCount === null ? config.dependencySignals.missingMetadataPenalty : toUnitInterval(1 / Math.max(1, dependency.maintainerCount));
     const stalenessRisk = dependency.daysSinceLastRelease === null ? config.dependencySignals.missingMetadataPenalty : halfLifeRisk(
       dependency.daysSinceLastRelease,
       config.dependencySignals.abandonedHalfLifeDays
@@ -2076,11 +2740,17 @@ var computeDependencyScores = (external, config) => {
     );
     const centralityRisk = normalizeWithScale(logScale(dependency.dependents), dependentScale);
     const chainDepthRisk = normalizeWithScale(dependency.dependencyDepth, chainDepthScale);
-    const busFactorRisk = dependency.busFactor === null ? config.dependencySignals.missingMetadataPenalty : clamp01(1 / Math.max(1, dependency.busFactor));
+    const busFactorRisk = dependency.busFactor === null ? config.dependencySignals.missingMetadataPenalty : toUnitInterval(1 / Math.max(1, dependency.busFactor));
     const weights = config.dependencyFactorWeights;
-    const normalizedScore = clamp01(
+    const baseScore = toUnitInterval(
       signalScore * weights.signals + stalenessRisk * weights.staleness + maintainerConcentrationRisk * weights.maintainerConcentration + transitiveBurdenRisk * weights.transitiveBurden + centralityRisk * weights.centrality + chainDepthRisk * weights.chainDepth + busFactorRisk * weights.busFactorRisk
     );
+    const hasHardRiskSignal = dependency.ownRiskSignals.includes("abandoned") || dependency.ownRiskSignals.includes("metadata_unavailable") || dependency.ownRiskSignals.includes("single_maintainer");
+    const popularityDampener = dependency.weeklyDownloads === null || hasHardRiskSignal ? 1 : 1 - halfLifeRisk(
+      dependency.weeklyDownloads,
+      config.dependencySignals.popularityHalfLifeDownloads
+    ) * config.dependencySignals.popularityMaxDampening;
+    const normalizedScore = toUnitInterval(baseScore * popularityDampener);
     return {
       dependency: dependency.name,
       score: round44(normalizedScore * 100),
@@ -2098,7 +2768,7 @@ var computeDependencyScores = (external, config) => {
     external.metrics.dependencyDepth,
     config.externalDimension.dependencyDepthHalfLife
   );
-  const repositoryExternalPressure = clamp01(
+  const repositoryExternalPressure = toUnitInterval(
     highDependencyRisk * 0.5 + averageDependencyRisk * 0.3 + depthRisk * 0.2
   );
   return {
@@ -2166,8 +2836,8 @@ var buildFragileClusters = (structural, evolution, fileScoresByFile, config) =>
     const averageRisk = average(
       files.map((filePath) => fileScoresByFile.get(filePath)?.normalizedScore ?? 0)
     );
-    const cycleSizeRisk = clamp01((files.length - 1) / 5);
-    const score = round44(clamp01(averageRisk * 0.75 + cycleSizeRisk * 0.25) * 100);
+    const cycleSizeRisk = toUnitInterval((files.length - 1) / 5);
+    const score = round44(toUnitInterval(averageRisk * 0.75 + cycleSizeRisk * 0.25) * 100);
     cycleClusterCount += 1;
     clusters.push({
       id: `cycle:${cycleClusterCount}`,
@@ -2241,7 +2911,7 @@ var buildFragileClusters = (structural, evolution, fileScoresByFile, config) =>
         files.map((filePath) => fileScoresByFile.get(filePath)?.normalizedScore ?? 0)
       );
       const meanCoupling = average(componentPairs.map((pair) => pair.couplingScore));
-      const score = round44(clamp01(meanFileRisk * 0.65 + meanCoupling * 0.35) * 100);
+      const score = round44(toUnitInterval(meanFileRisk * 0.65 + meanCoupling * 0.35) * 100);
       couplingClusterCount += 1;
       clusters.push({
         id: `coupling:${couplingClusterCount}`,
@@ -2289,10 +2959,10 @@ var computeRiskSummary = (structural, evolution, external, config) => {
     const fanOutRisk = normalizeWithScale(logScale(file.fanOut), fanOutScale);
     const depthRisk = normalizeWithScale(file.depth, depthScale);
     const structuralWeights = config.structuralFactorWeights;
-    const structuralFactor = clamp01(
+    const structuralFactor = toUnitInterval(
       fanInRisk * structuralWeights.fanIn + fanOutRisk * structuralWeights.fanOut + depthRisk * structuralWeights.depth + inCycle * structuralWeights.cycleParticipation
     );
-    const structuralCentrality = clamp01((fanInRisk + fanOutRisk) / 2);
+    const structuralCentrality = toUnitInterval((fanInRisk + fanOutRisk) / 2);
     let evolutionFactor = 0;
     const evolutionMetrics = evolutionByFile.get(filePath);
     if (evolution.available && evolutionMetrics !== void 0) {
@@ -2304,16 +2974,16 @@ var computeRiskSummary = (structural, evolution, external, config) => {
         logScale(evolutionMetrics.churnTotal),
         evolutionScales.churnTotal
       );
-      const volatilityRisk = clamp01(evolutionMetrics.recentVolatility);
-      const ownershipConcentrationRisk = clamp01(evolutionMetrics.topAuthorShare);
-      const busFactorRisk = clamp01(1 - normalizeWithScale(evolutionMetrics.busFactor, evolutionScales.busFactor));
+      const volatilityRisk = toUnitInterval(evolutionMetrics.recentVolatility);
+      const ownershipConcentrationRisk = toUnitInterval(evolutionMetrics.topAuthorShare);
+      const busFactorRisk = toUnitInterval(1 - normalizeWithScale(evolutionMetrics.busFactor, evolutionScales.busFactor));
       const evolutionWeights = config.evolutionFactorWeights;
-      evolutionFactor = clamp01(
+      evolutionFactor = toUnitInterval(
         frequencyRisk * evolutionWeights.frequency + churnRisk * evolutionWeights.churn + volatilityRisk * evolutionWeights.recentVolatility + ownershipConcentrationRisk * evolutionWeights.ownershipConcentration + busFactorRisk * evolutionWeights.busFactorRisk
       );
     }
-    const dependencyAffinity = clamp01(structuralCentrality * 0.6 + evolutionFactor * 0.4);
-    const externalFactor = external.available ? clamp01(dependencyComputation.repositoryExternalPressure * dependencyAffinity) : 0;
+    const dependencyAffinity = toUnitInterval(structuralCentrality * 0.6 + evolutionFactor * 0.4);
+    const externalFactor = external.available ? toUnitInterval(dependencyComputation.repositoryExternalPressure * dependencyAffinity) : 0;
     const baseline = structuralFactor * dimensionWeights.structural + evolutionFactor * dimensionWeights.evolution + externalFactor * dimensionWeights.external;
     const interactions = [
       structuralFactor * evolutionFactor * config.interactionWeights.structuralEvolution,
@@ -2359,7 +3029,7 @@ var computeRiskSummary = (structural, evolution, external, config) => {
   const moduleScores = [...moduleFiles.entries()].map(([module, values]) => {
     const averageScore = average(values);
     const peakScore = values.reduce((max, value) => Math.max(max, value), 0);
-    const normalizedScore = clamp01(averageScore * 0.65 + peakScore * 0.35);
+    const normalizedScore = toUnitInterval(averageScore * 0.65 + peakScore * 0.35);
     return {
       module,
       score: round44(normalizedScore * 100),
@@ -2374,10 +3044,10 @@ var computeRiskSummary = (structural, evolution, external, config) => {
     percentile(externalPressures, config.amplificationZone.percentileThreshold)
   );
   const dependencyAmplificationZones = fileScores.map((fileScore) => {
-    const intensity = clamp01(
+    const intensity = toUnitInterval(
       fileScore.factors.external * Math.max(fileScore.factors.structural, fileScore.factors.evolution)
     );
-    const normalizedZoneScore = clamp01(intensity * 0.7 + fileScore.normalizedScore * 0.3);
+    const normalizedZoneScore = toUnitInterval(intensity * 0.7 + fileScore.normalizedScore * 0.3);
     return {
       file: fileScore.file,
       score: round44(normalizedZoneScore * 100),
@@ -2398,7 +3068,7 @@ var computeRiskSummary = (structural, evolution, external, config) => {
   );
   const dependencyAmplification = average(
     dependencyAmplificationZones.map(
-      (zone) => clamp01(zone.externalPressure * zone.score / 100)
+      (zone) => toUnitInterval(zone.externalPressure * zone.score / 100)
     )
   );
   const repositoryBaseline = structuralDimension * dimensionWeights.structural + evolutionDimension * dimensionWeights.evolution + externalDimension * dimensionWeights.external;
@@ -2670,6 +3340,39 @@ program.command("analyze").argument("[path]", "path to the project to analyze").
 `);
   }
 );
+program.command("dependency-risk").argument("<dependency>", "dependency spec to evaluate (for example: react or react@19.0.0)").addOption(
+  new Option(
+    "--log-level <level>",
+    "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
+  ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
+).addOption(
+  new Option(
+    "--output <mode>",
+    "output mode: summary (default) or json (full analysis object)"
+  ).choices(["summary", "json"]).default("summary")
+).option("--json", "shortcut for --output json").option("--max-nodes <count>", "maximum dependency nodes to resolve", "250").option("--max-depth <count>", "maximum dependency depth to traverse", "6").action(
+  async (dependency, options) => {
+    const logger = createStderrLogger(options.logLevel);
+    const maxNodes = Number.parseInt(options.maxNodes, 10);
+    const maxDepth = Number.parseInt(options.maxDepth, 10);
+    logger.info(`analyzing dependency candidate: ${dependency}`);
+    const result = await analyzeDependencyCandidateFromRegistry({
+      dependency,
+      maxNodes: Number.isFinite(maxNodes) ? maxNodes : 250,
+      maxDepth: Number.isFinite(maxDepth) ? maxDepth : 6
+    });
+    if (result.available) {
+      logger.info(
+        `dependency analysis completed (${result.dependency.name}@${result.dependency.resolvedVersion})`
+      );
+    } else {
+      logger.warn(`dependency analysis unavailable: ${result.reason}`);
+    }
+    const outputMode = options.json === true ? "json" : options.output;
+    process.stdout.write(`${formatDependencyRiskOutput(result, outputMode)}
+`);
+  }
+);
 if (process.argv.length <= 2) {
   program.outputHelp();
   process.exit(0);