@getcodesentinel/codesentinel 1.7.0 → 1.9.0

package/dist/index.js

@@ -1349,9 +1349,1000 @@ var analyzeDependencyCandidateFromRegistry = async (input) => {
   return analyzeDependencyCandidate(input, metadataProvider);
 };
 
+// ../reporter/dist/index.js
+var SNAPSHOT_SCHEMA_VERSION = "codesentinel.snapshot.v1";
+var REPORT_SCHEMA_VERSION = "codesentinel.report.v1";
+var RISK_MODEL_VERSION = "deterministic-v1";
+var round43 = (value) => Number(value.toFixed(4));
+var toRiskTier = (score) => {
+  if (score < 20) {
+    return "low";
+  }
+  if (score < 40) {
+    return "moderate";
+  }
+  if (score < 60) {
+    return "elevated";
+  }
+  if (score < 80) {
+    return "high";
+  }
+  return "very_high";
+};
+var factorLabelById = {
+  "repository.structural": "Structural complexity",
+  "repository.evolution": "Change volatility",
+  "repository.external": "External dependency pressure",
+  "repository.composite.interactions": "Intersection amplification",
+  "file.structural": "File structural complexity",
+  "file.evolution": "File change volatility",
+  "file.external": "File external pressure",
+  "file.composite.interactions": "File interaction amplification",
+  "module.average_file_risk": "Average file risk",
+  "module.peak_file_risk": "Peak file risk",
+  "dependency.signals": "Dependency risk signals",
+  "dependency.staleness": "Dependency staleness",
+  "dependency.maintainer_concentration": "Maintainer concentration",
+  "dependency.topology": "Dependency topology pressure",
+  "dependency.bus_factor": "Dependency bus factor",
+  "dependency.popularity_dampening": "Popularity dampening"
+};
+var factorLabel = (factorId) => factorLabelById[factorId] ?? factorId;
+var summarizeEvidence = (factor) => {
+  const entries = Object.entries(factor.rawMetrics).filter(([, value]) => value !== null).sort((a, b) => a[0].localeCompare(b[0])).slice(0, 3).map(([key, value]) => `${key}=${value}`);
+  if (entries.length > 0) {
+    return entries.join(", ");
+  }
+  const evidence = [...factor.evidence].map((entry) => {
+    if (entry.kind === "file_metric") {
+      return `${entry.target}:${entry.metric}`;
+    }
+    if (entry.kind === "dependency_metric") {
+      return `${entry.target}:${entry.metric}`;
+    }
+    if (entry.kind === "repository_metric") {
+      return entry.metric;
+    }
+    if (entry.kind === "graph_cycle") {
+      return `cycle:${entry.cycleId}`;
+    }
+    return `${entry.fileA}<->${entry.fileB}`;
+  }).sort((a, b) => a.localeCompare(b));
+  return evidence.join(", ");
+};
+var diffSets = (current, baseline) => {
+  const currentSet = new Set(current);
+  const baselineSet = new Set(baseline);
+  const added = [...currentSet].filter((item) => !baselineSet.has(item)).sort((a, b) => a.localeCompare(b));
+  const removed = [...baselineSet].filter((item) => !currentSet.has(item)).sort((a, b) => a.localeCompare(b));
+  return { added, removed };
+};
+var diffScoreMap = (current, baseline) => {
+  const keys = [.../* @__PURE__ */ new Set([...current.keys(), ...baseline.keys()])].sort((a, b) => a.localeCompare(b));
+  return keys.map((key) => {
+    const before = baseline.get(key) ?? 0;
+    const after = current.get(key) ?? 0;
+    const delta = round43(after - before);
+    return {
+      target: key,
+      before: round43(before),
+      after: round43(after),
+      delta
+    };
+  }).filter((entry) => entry.delta !== 0).sort((a, b) => Math.abs(b.delta) - Math.abs(a.delta) || a.target.localeCompare(b.target));
+};
+var cycleKey = (nodes) => [...nodes].sort((a, b) => a.localeCompare(b)).join(" -> ");
+var compareSnapshots = (current, baseline) => {
+  const currentFileScores = new Map(
+    current.analysis.risk.fileScores.map((item) => [item.file, item.score])
+  );
+  const baselineFileScores = new Map(
+    baseline.analysis.risk.fileScores.map((item) => [item.file, item.score])
+  );
+  const currentModuleScores = new Map(
+    current.analysis.risk.moduleScores.map((item) => [item.module, item.score])
+  );
+  const baselineModuleScores = new Map(
+    baseline.analysis.risk.moduleScores.map((item) => [item.module, item.score])
+  );
+  const currentHotspots = current.analysis.risk.hotspots.slice(0, 10).map((item) => item.file);
+  const baselineHotspots = baseline.analysis.risk.hotspots.slice(0, 10).map((item) => item.file);
+  const currentCycles = current.analysis.structural.cycles.map((cycle) => cycleKey(cycle.nodes));
+  const baselineCycles = baseline.analysis.structural.cycles.map((cycle) => cycleKey(cycle.nodes));
+  const currentExternal = current.analysis.external.available ? current.analysis.external : {
+    highRiskDependencies: [],
+    singleMaintainerDependencies: [],
+    abandonedDependencies: []
+  };
+  const baselineExternal = baseline.analysis.external.available ? baseline.analysis.external : {
+    highRiskDependencies: [],
+    singleMaintainerDependencies: [],
+    abandonedDependencies: []
+  };
+  const highRisk = diffSets(currentExternal.highRiskDependencies, baselineExternal.highRiskDependencies);
+  const singleMaintainer = diffSets(
+    currentExternal.singleMaintainerDependencies,
+    baselineExternal.singleMaintainerDependencies
+  );
+  const abandoned = diffSets(currentExternal.abandonedDependencies, baselineExternal.abandonedDependencies);
+  const hotspots = diffSets(currentHotspots, baselineHotspots);
+  const cycles = diffSets(currentCycles, baselineCycles);
+  return {
+    repositoryScoreDelta: round43(current.analysis.risk.repositoryScore - baseline.analysis.risk.repositoryScore),
+    normalizedScoreDelta: round43(current.analysis.risk.normalizedScore - baseline.analysis.risk.normalizedScore),
+    fileRiskChanges: diffScoreMap(currentFileScores, baselineFileScores),
+    moduleRiskChanges: diffScoreMap(currentModuleScores, baselineModuleScores),
+    newHotspots: hotspots.added,
+    resolvedHotspots: hotspots.removed,
+    newCycles: cycles.added,
+    resolvedCycles: cycles.removed,
+    externalChanges: {
+      highRiskAdded: highRisk.added,
+      highRiskRemoved: highRisk.removed,
+      singleMaintainerAdded: singleMaintainer.added,
+      singleMaintainerRemoved: singleMaintainer.removed,
+      abandonedAdded: abandoned.added,
+      abandonedRemoved: abandoned.removed
+    }
+  };
+};
+var findTraceTarget = (snapshot, targetType, targetId) => snapshot.trace?.targets.find(
+  (target) => target.targetType === targetType && target.targetId === targetId
+);
+var toRenderedFactors = (target) => {
+  if (target === void 0) {
+    return [];
+  }
+  return [...target.factors].sort((a, b) => b.contribution - a.contribution || a.factorId.localeCompare(b.factorId)).slice(0, 4).map((factor) => ({
+    id: factor.factorId,
+    label: factorLabel(factor.factorId),
+    contribution: round43(factor.contribution),
+    confidence: round43(factor.confidence),
+    evidence: summarizeEvidence(factor)
+  }));
+};
+var suggestedActions = (target) => {
+  if (target === void 0) {
+    return [];
+  }
+  const actions = [];
+  for (const lever of target.reductionLevers) {
+    switch (lever.factorId) {
+      case "file.evolution":
+      case "repository.evolution":
+        actions.push("Reduce recent churn and volatile edit frequency in this area.");
+        break;
+      case "file.structural":
+      case "repository.structural":
+        actions.push("Reduce fan-in/fan-out concentration and simplify deep dependency paths.");
+        break;
+      case "file.composite.interactions":
+      case "repository.composite.interactions":
+        actions.push("Stabilize central files before concurrent structural changes.");
+        break;
+      case "file.external":
+      case "repository.external":
+        actions.push("Review external dependency pressure for this hotspot.");
+        break;
+      default:
+        actions.push(`Reduce ${factorLabel(lever.factorId).toLowerCase()} influence.`);
+        break;
+    }
+  }
+  return [...new Set(actions)].slice(0, 3);
+};
+var hotspotItems = (snapshot) => snapshot.analysis.risk.hotspots.slice(0, 10).map((hotspot) => {
+  const fileScore = snapshot.analysis.risk.fileScores.find((item) => item.file === hotspot.file);
+  const traceTarget = findTraceTarget(snapshot, "file", hotspot.file);
+  const factors = toRenderedFactors(traceTarget);
+  return {
+    target: hotspot.file,
+    score: hotspot.score,
+    normalizedScore: fileScore?.normalizedScore ?? round43(hotspot.score / 100),
+    topFactors: factors,
+    suggestedActions: suggestedActions(traceTarget),
+    biggestLevers: (traceTarget?.reductionLevers ?? []).slice(0, 3).map((lever) => `${factorLabel(lever.factorId)} (${lever.estimatedImpact})`)
+  };
+});
+var repositoryConfidence = (snapshot) => {
+  const target = findTraceTarget(snapshot, "repository", snapshot.analysis.structural.targetPath);
+  if (target === void 0 || target.factors.length === 0) {
+    return null;
+  }
+  const weight = target.factors.reduce((sum, factor) => sum + factor.contribution, 0);
+  if (weight <= 0) {
+    return null;
+  }
+  const weighted = target.factors.reduce(
+    (sum, factor) => sum + factor.confidence * factor.contribution,
+    0
+  );
+  return round43(weighted / weight);
+};
+var createReport = (snapshot, diff) => {
+  const external = snapshot.analysis.external;
+  return {
+    schemaVersion: REPORT_SCHEMA_VERSION,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    repository: {
+      targetPath: snapshot.analysis.structural.targetPath,
+      repositoryScore: snapshot.analysis.risk.repositoryScore,
+      normalizedScore: snapshot.analysis.risk.normalizedScore,
+      riskTier: toRiskTier(snapshot.analysis.risk.repositoryScore),
+      confidence: repositoryConfidence(snapshot)
+    },
+    hotspots: hotspotItems(snapshot),
+    structural: {
+      cycleCount: snapshot.analysis.structural.metrics.cycleCount,
+      cycles: snapshot.analysis.structural.cycles.map(
+        (cycle) => [...cycle.nodes].sort((a, b) => a.localeCompare(b)).join(" -> ")
+      ),
+      fragileClusters: snapshot.analysis.risk.fragileClusters.map((cluster) => ({
+        id: cluster.id,
+        kind: cluster.kind,
+        score: cluster.score,
+        files: [...cluster.files].sort((a, b) => a.localeCompare(b))
+      }))
+    },
+    external: !external.available ? {
+      available: false,
+      reason: external.reason
+    } : {
+      available: true,
+      highRiskDependencies: [...external.highRiskDependencies].sort((a, b) => a.localeCompare(b)),
+      highRiskDevelopmentDependencies: [...external.highRiskDevelopmentDependencies].sort((a, b) => a.localeCompare(b)),
+      singleMaintainerDependencies: [...external.singleMaintainerDependencies].sort((a, b) => a.localeCompare(b)),
+      abandonedDependencies: [...external.abandonedDependencies].sort((a, b) => a.localeCompare(b))
+    },
+    appendix: {
+      snapshotSchemaVersion: snapshot.schemaVersion,
+      riskModelVersion: snapshot.riskModelVersion,
+      timestamp: snapshot.generatedAt,
+      normalization: "Scores are deterministic 0-100 outputs from risk-engine normalized factors and interaction terms.",
+      ...snapshot.analysisConfig === void 0 ? {} : { analysisConfig: snapshot.analysisConfig }
+    },
+    ...diff === void 0 ? {} : { diff }
+  };
+};
+var renderTextDiff = (report) => {
+  if (report.diff === void 0) {
+    return [];
+  }
+  return [
+    "",
+    "Diff",
+    `  repositoryScoreDelta: ${report.diff.repositoryScoreDelta}`,
+    `  normalizedScoreDelta: ${report.diff.normalizedScoreDelta}`,
+    `  newHotspots: ${report.diff.newHotspots.join(", ") || "none"}`,
+    `  resolvedHotspots: ${report.diff.resolvedHotspots.join(", ") || "none"}`,
+    `  newCycles: ${report.diff.newCycles.join(", ") || "none"}`,
+    `  resolvedCycles: ${report.diff.resolvedCycles.join(", ") || "none"}`
+  ];
+};
+var renderTextReport = (report) => {
+  const lines = [];
+  lines.push("Repository Summary");
+  lines.push(`  target: ${report.repository.targetPath}`);
+  lines.push(`  repositoryScore: ${report.repository.repositoryScore}`);
+  lines.push(`  normalizedScore: ${report.repository.normalizedScore}`);
+  lines.push(`  riskTier: ${report.repository.riskTier}`);
+  lines.push(`  confidence: ${report.repository.confidence ?? "n/a"}`);
+  lines.push("");
+  lines.push("Top Hotspots");
+  for (const hotspot of report.hotspots) {
+    lines.push(`  - ${hotspot.target} | score=${hotspot.score}`);
+    for (const factor of hotspot.topFactors) {
+      lines.push(
+        `    factor: ${factor.label} contribution=${factor.contribution} confidence=${factor.confidence}`
+      );
+      lines.push(`    evidence: ${factor.evidence}`);
+    }
+    lines.push(`    actions: ${hotspot.suggestedActions.join(" | ") || "none"}`);
+    lines.push(`    levers: ${hotspot.biggestLevers.join(" | ") || "none"}`);
+  }
+  lines.push("");
+  lines.push("Structural Observations");
+  lines.push(`  cycleCount: ${report.structural.cycleCount}`);
+  lines.push(`  cycles: ${report.structural.cycles.join(" ; ") || "none"}`);
+  lines.push(`  fragileClusters: ${report.structural.fragileClusters.length}`);
+  lines.push("");
+  lines.push("External Exposure");
+  if (!report.external.available) {
+    lines.push(`  unavailable: ${report.external.reason}`);
+  } else {
+    lines.push(`  highRiskDependencies: ${report.external.highRiskDependencies.join(", ") || "none"}`);
+    lines.push(
+      `  highRiskDevelopmentDependencies: ${report.external.highRiskDevelopmentDependencies.join(", ") || "none"}`
+    );
+    lines.push(
+      `  singleMaintainerDependencies: ${report.external.singleMaintainerDependencies.join(", ") || "none"}`
+    );
+    lines.push(`  abandonedDependencies: ${report.external.abandonedDependencies.join(", ") || "none"}`);
+  }
+  lines.push("");
+  lines.push("Appendix");
+  lines.push(`  snapshotSchemaVersion: ${report.appendix.snapshotSchemaVersion}`);
+  lines.push(`  riskModelVersion: ${report.appendix.riskModelVersion}`);
+  lines.push(`  timestamp: ${report.appendix.timestamp}`);
+  lines.push(`  normalization: ${report.appendix.normalization}`);
+  lines.push(...renderTextDiff(report));
+  return lines.join("\n");
+};
+var renderMarkdownDiff = (report) => {
+  if (report.diff === void 0) {
+    return [];
+  }
+  return [
+    "",
+    "## Diff",
+    `- repositoryScoreDelta: \`${report.diff.repositoryScoreDelta}\``,
+    `- normalizedScoreDelta: \`${report.diff.normalizedScoreDelta}\``,
+    `- newHotspots: ${report.diff.newHotspots.map((item) => `\`${item}\``).join(", ") || "none"}`,
+    `- resolvedHotspots: ${report.diff.resolvedHotspots.map((item) => `\`${item}\``).join(", ") || "none"}`,
+    `- newCycles: ${report.diff.newCycles.map((item) => `\`${item}\``).join(", ") || "none"}`,
+    `- resolvedCycles: ${report.diff.resolvedCycles.map((item) => `\`${item}\``).join(", ") || "none"}`
+  ];
+};
+var renderMarkdownReport = (report) => {
+  const lines = [];
+  lines.push("# CodeSentinel Report");
+  lines.push("");
+  lines.push("## Repository Summary");
+  lines.push(`- target: \`${report.repository.targetPath}\``);
+  lines.push(`- repositoryScore: \`${report.repository.repositoryScore}\``);
+  lines.push(`- normalizedScore: \`${report.repository.normalizedScore}\``);
+  lines.push(`- riskTier: \`${report.repository.riskTier}\``);
+  lines.push(`- confidence: \`${report.repository.confidence ?? "n/a"}\``);
+  lines.push("");
+  lines.push("## Top Hotspots");
+  for (const hotspot of report.hotspots) {
+    lines.push(`- **${hotspot.target}** (score: \`${hotspot.score}\`)`);
+    lines.push(`  - Top factors:`);
+    for (const factor of hotspot.topFactors) {
+      lines.push(
+        `  - ${factor.label}: contribution=\`${factor.contribution}\`, confidence=\`${factor.confidence}\``
+      );
+      lines.push(`  - evidence: \`${factor.evidence}\``);
+    }
+    lines.push(`  - Suggested actions: ${hotspot.suggestedActions.join(" | ") || "none"}`);
+    lines.push(`  - Biggest levers: ${hotspot.biggestLevers.join(" | ") || "none"}`);
+  }
+  lines.push("");
+  lines.push("## Structural Observations");
+  lines.push(`- cycles detected: \`${report.structural.cycleCount}\``);
+  lines.push(`- cycles: ${report.structural.cycles.map((cycle) => `\`${cycle}\``).join(", ") || "none"}`);
+  lines.push(`- fragile clusters: \`${report.structural.fragileClusters.length}\``);
+  lines.push("");
+  lines.push("## External Exposure Summary");
+  if (!report.external.available) {
+    lines.push(`- unavailable: \`${report.external.reason}\``);
+  } else {
+    lines.push(`- high-risk dependencies: ${report.external.highRiskDependencies.map((item) => `\`${item}\``).join(", ") || "none"}`);
+    lines.push(
+      `- high-risk development dependencies: ${report.external.highRiskDevelopmentDependencies.map((item) => `\`${item}\``).join(", ") || "none"}`
+    );
+    lines.push(
+      `- single maintainer dependencies: ${report.external.singleMaintainerDependencies.map((item) => `\`${item}\``).join(", ") || "none"}`
+    );
+    lines.push(`- abandoned dependencies: ${report.external.abandonedDependencies.map((item) => `\`${item}\``).join(", ") || "none"}`);
+  }
+  lines.push("");
+  lines.push("## Appendix");
+  lines.push(`- snapshot schema: \`${report.appendix.snapshotSchemaVersion}\``);
+  lines.push(`- risk model version: \`${report.appendix.riskModelVersion}\``);
+  lines.push(`- timestamp: \`${report.appendix.timestamp}\``);
+  lines.push(`- normalization: ${report.appendix.normalization}`);
+  lines.push(...renderMarkdownDiff(report));
+  return lines.join("\n");
+};
+var createSnapshot = (input) => ({
+  schemaVersion: SNAPSHOT_SCHEMA_VERSION,
+  generatedAt: input.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+  riskModelVersion: RISK_MODEL_VERSION,
+  source: {
+    targetPath: input.analysis.structural.targetPath
+  },
+  analysis: input.analysis,
+  ...input.trace === void 0 ? {} : { trace: input.trace },
+  ...input.analysisConfig === void 0 ? {} : { analysisConfig: input.analysisConfig }
+});
+var parseSnapshot = (raw) => {
+  const parsed = JSON.parse(raw);
+  if (parsed.schemaVersion !== SNAPSHOT_SCHEMA_VERSION) {
+    throw new Error("unsupported_snapshot_schema");
+  }
+  if (typeof parsed.generatedAt !== "string") {
+    throw new Error("invalid_snapshot_generated_at");
+  }
+  if (parsed.analysis === void 0 || parsed.analysis === null) {
+    throw new Error("invalid_snapshot_analysis");
+  }
+  if (parsed.source === void 0 || typeof parsed.source.targetPath !== "string") {
+    throw new Error("invalid_snapshot_source");
+  }
+  return parsed;
+};
+var formatReport = (report, format) => {
+  if (format === "json") {
+    return JSON.stringify(report, null, 2);
+  }
+  if (format === "md") {
+    return renderMarkdownReport(report);
+  }
+  return renderTextReport(report);
+};
+
+// ../governance/dist/index.js
+import { mkdirSync, rmSync } from "fs";
+import { basename, join as join2, resolve } from "path";
+import { execFile } from "child_process";
+import { promisify } from "util";
+var EXIT_CODES = {
+  ok: 0,
+  errorViolation: 1,
+  warnViolation: 2,
+  invalidConfiguration: 3,
+  internalError: 4
+};
+var GovernanceConfigurationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "GovernanceConfigurationError";
+  }
+};
+var DEFAULT_NEW_HOTSPOT_SCORE_THRESHOLD = 60;
+var severityRank = {
+  info: 0,
+  warn: 1,
+  error: 2
+};
+var compareSeverity = (left, right) => {
+  if (left === null) {
+    return right;
+  }
+  if (right === null) {
+    return left;
+  }
+  return severityRank[left] >= severityRank[right] ? left : right;
+};
+var stableSortViolations = (violations) => [...violations].sort((a, b) => {
+  const severity = severityRank[b.severity] - severityRank[a.severity];
+  if (severity !== 0) {
+    return severity;
+  }
+  if (a.id !== b.id) {
+    return a.id.localeCompare(b.id);
+  }
+  const aTarget = a.targets[0] ?? "";
+  const bTarget = b.targets[0] ?? "";
+  if (aTarget !== bTarget) {
+    return aTarget.localeCompare(bTarget);
+  }
+  return a.message.localeCompare(b.message);
+});
+var makeViolation = (id, severity, message, targets, evidenceRefs) => ({
+  id,
+  severity,
+  message,
+  targets: [...targets].sort((a, b) => a.localeCompare(b)),
+  evidenceRefs
+});
+var requireDiff = (input, gateId) => {
+  if (input.baseline === void 0 || input.diff === void 0) {
+    throw new GovernanceConfigurationError(`${gateId} requires --compare <baseline.json>`);
+  }
+};
+var validateGateConfig = (input) => {
+  const config = input.gateConfig;
+  if (config.maxRepoDelta !== void 0 && (!Number.isFinite(config.maxRepoDelta) || config.maxRepoDelta < 0)) {
+    throw new GovernanceConfigurationError("max-repo-delta must be a finite number >= 0");
+  }
+  if (config.maxNewHotspots !== void 0 && (!Number.isInteger(config.maxNewHotspots) || config.maxNewHotspots < 0)) {
+    throw new GovernanceConfigurationError("max-new-hotspots must be an integer >= 0");
+  }
+  if (config.maxRepoScore !== void 0 && (!Number.isFinite(config.maxRepoScore) || config.maxRepoScore < 0 || config.maxRepoScore > 100)) {
+    throw new GovernanceConfigurationError("max-repo-score must be a number in [0, 100]");
+  }
+  if (config.newHotspotScoreThreshold !== void 0 && (!Number.isFinite(config.newHotspotScoreThreshold) || config.newHotspotScoreThreshold < 0 || config.newHotspotScoreThreshold > 100)) {
+    throw new GovernanceConfigurationError("new-hotspot-score-threshold must be a number in [0, 100]");
+  }
+};
+var evaluateGates = (input) => {
+  validateGateConfig(input);
+  const config = input.gateConfig;
+  const violations = [];
+  const evaluatedGates = [];
+  if (config.maxRepoScore !== void 0) {
+    evaluatedGates.push("max-repo-score");
+    const current = input.current.analysis.risk.repositoryScore;
+    if (current > config.maxRepoScore) {
+      violations.push(
+        makeViolation(
+          "max-repo-score",
+          "error",
+          `Repository score ${current} exceeds configured max ${config.maxRepoScore}.`,
+          [input.current.analysis.structural.targetPath],
+          [{ kind: "repository_metric", metric: "repositoryScore" }]
+        )
+      );
+    }
+  }
+  if (config.maxRepoDelta !== void 0) {
+    evaluatedGates.push("max-repo-delta");
+    requireDiff(input, "max-repo-delta");
+    const baseline = input.baseline;
+    if (baseline === void 0) {
+      throw new GovernanceConfigurationError("max-repo-delta requires baseline snapshot");
+    }
+    const delta = input.current.analysis.risk.normalizedScore - baseline.analysis.risk.normalizedScore;
+    if (delta > config.maxRepoDelta) {
+      violations.push(
+        makeViolation(
+          "max-repo-delta",
+          "error",
+          `Repository normalized score delta ${delta.toFixed(4)} exceeds allowed ${config.maxRepoDelta}.`,
+          [input.current.analysis.structural.targetPath],
+          [{ kind: "repository_metric", metric: "normalizedScore" }]
+        )
+      );
+    }
+  }
+  if (config.noNewCycles === true) {
+    evaluatedGates.push("no-new-cycles");
+    requireDiff(input, "no-new-cycles");
+    const diff = input.diff;
+    if (diff === void 0) {
+      throw new GovernanceConfigurationError("no-new-cycles requires diff");
+    }
+    if (diff.newCycles.length > 0) {
+      violations.push(
+        makeViolation(
+          "no-new-cycles",
+          "error",
+          `Detected ${diff.newCycles.length} new structural cycle(s).`,
+          diff.newCycles,
+          [{ kind: "repository_metric", metric: "cycleCount" }]
+        )
+      );
+    }
+  }
+  if (config.noNewHighRiskDeps === true) {
+    evaluatedGates.push("no-new-high-risk-deps");
+    requireDiff(input, "no-new-high-risk-deps");
+    const diff = input.diff;
+    if (diff === void 0) {
+      throw new GovernanceConfigurationError("no-new-high-risk-deps requires diff");
+    }
+    if (diff.externalChanges.highRiskAdded.length > 0) {
+      violations.push(
+        makeViolation(
+          "no-new-high-risk-deps",
+          "error",
+          `Detected ${diff.externalChanges.highRiskAdded.length} new high-risk dependency(ies).`,
+          diff.externalChanges.highRiskAdded,
+          diff.externalChanges.highRiskAdded.map((name) => ({
+            kind: "dependency_metric",
+            target: name,
+            metric: "highRiskDependencies"
+          }))
+        )
+      );
+    }
+  }
+  if (config.maxNewHotspots !== void 0) {
+    evaluatedGates.push("max-new-hotspots");
+    requireDiff(input, "max-new-hotspots");
+    const diff = input.diff;
+    if (diff === void 0) {
+      throw new GovernanceConfigurationError("max-new-hotspots requires diff");
+    }
+    const scoreByFile = new Map(
+      input.current.analysis.risk.fileScores.map((item) => [item.file, item.score])
+    );
+    const threshold = config.newHotspotScoreThreshold ?? DEFAULT_NEW_HOTSPOT_SCORE_THRESHOLD;
+    const counted = diff.newHotspots.filter((file) => (scoreByFile.get(file) ?? 0) >= threshold);
+    if (counted.length > config.maxNewHotspots) {
+      violations.push(
+        makeViolation(
+          "max-new-hotspots",
+          "warn",
+          `Detected ${counted.length} new hotspot(s) above score ${threshold}; allowed max is ${config.maxNewHotspots}.`,
+          counted,
+          counted.map((file) => ({ kind: "file_metric", target: file, metric: "score" }))
+        )
+      );
+    }
+  }
+  const ordered = stableSortViolations(violations);
+  const highestSeverity = ordered.reduce(
+    (current, violation) => compareSeverity(current, violation.severity),
+    null
+  );
+  const exitCode = highestSeverity === "error" ? 1 : highestSeverity === "warn" && config.failOn === "warn" ? 2 : 0;
+  return {
+    violations: ordered,
+    highestSeverity,
+    exitCode,
+    evaluatedGates: [...evaluatedGates].sort((a, b) => a.localeCompare(b))
+  };
+};
+var renderViolationText = (violation) => {
+  const targets = violation.targets.join(", ") || "n/a";
+  return `- [${violation.severity}] ${violation.id}: ${violation.message} (targets: ${targets})`;
+};
+var renderCheckText = (snapshot, result) => {
+  const lines = [];
+  lines.push("CodeSentinel Check");
+  lines.push(`target: ${snapshot.analysis.structural.targetPath}`);
+  lines.push(`repositoryScore: ${snapshot.analysis.risk.repositoryScore}`);
+  lines.push(`evaluatedGates: ${result.evaluatedGates.join(", ") || "none"}`);
+  lines.push(`violations: ${result.violations.length}`);
+  lines.push(`exitCode: ${result.exitCode}`);
+  lines.push("");
+  lines.push("Violations");
+  if (result.violations.length === 0) {
+    lines.push("- none");
+  } else {
+    for (const violation of result.violations) {
+      lines.push(renderViolationText(violation));
+    }
+  }
+  return lines.join("\n");
+};
+var renderCheckMarkdown = (snapshot, result) => {
+  const lines = [];
+  lines.push("## CodeSentinel CI Summary");
+  lines.push(`- target: \`${snapshot.analysis.structural.targetPath}\``);
+  lines.push(`- repositoryScore: \`${snapshot.analysis.risk.repositoryScore}\``);
+  lines.push(`- evaluatedGates: ${result.evaluatedGates.map((item) => `\`${item}\``).join(", ") || "none"}`);
+  lines.push(`- violations: \`${result.violations.length}\``);
+  lines.push(`- exitCode: \`${result.exitCode}\``);
+  const repositoryTrace = snapshot.trace?.targets.find(
+    (target) => target.targetType === "repository" && target.targetId === snapshot.analysis.structural.targetPath
+  );
+  if (repositoryTrace !== void 0) {
+    lines.push("");
+    lines.push("### Why");
+    const topFactors = [...repositoryTrace.factors].sort((a, b) => b.contribution - a.contribution || a.factorId.localeCompare(b.factorId)).slice(0, 3);
+    for (const factor of topFactors) {
+      lines.push(
+        `- ${factorLabel(factor.factorId)}: contribution=\`${factor.contribution}\`, evidence=\`${summarizeEvidence(factor)}\``
+      );
+    }
+  }
+  lines.push("");
+  lines.push("### Violations");
+  if (result.violations.length === 0) {
+    lines.push("- none");
+  } else {
+    for (const violation of result.violations) {
+      lines.push(`- [${violation.severity}] **${violation.id}**: ${violation.message}`);
+      if (violation.targets.length > 0) {
+        lines.push(`  - targets: ${violation.targets.map((target) => `\`${target}\``).join(", ")}`);
+      }
+    }
+  }
+  return lines.join("\n");
+};
+var BaselineAutoResolutionError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BaselineAutoResolutionError";
+  }
+};
+var DEFAULT_MAIN_BRANCH_CANDIDATES = ["main", "master"];
+var providerBaseBranchKeys = [
+  "GITHUB_BASE_REF",
+  "CI_MERGE_REQUEST_TARGET_BRANCH_NAME",
+  "BITBUCKET_PR_DESTINATION_BRANCH"
+];
+var normalizeMainBranches = (input) => {
+  const source = input === void 0 || input.length === 0 ? DEFAULT_MAIN_BRANCH_CANDIDATES : input;
+  const seen = /* @__PURE__ */ new Set();
+  const values = [];
+  for (const candidate of source) {
+    const trimmed = candidate.trim();
+    if (trimmed.length === 0 || seen.has(trimmed)) {
+      continue;
+    }
+    seen.add(trimmed);
+    values.push(trimmed);
+  }
+  return values.length > 0 ? values : DEFAULT_MAIN_BRANCH_CANDIDATES;
+};
+var firstNonEmptyEnv = (environment) => {
+  for (const key of providerBaseBranchKeys) {
+    const value = environment[key]?.trim();
+    if (value !== void 0 && value.length > 0) {
+      return { key, value };
+    }
+  }
+  return void 0;
+};
+var asBoolean = (value) => {
+  return value.trim().toLowerCase() === "true";
+};
+var buildNoBaselineMessage = () => {
+  return "unable to resolve auto baseline; set --baseline-ref <ref> explicitly or provide --baseline <snapshot.json>";
+};
+var resolveAutoBaseline = async (input) => {
+  const attempts = [];
+  const mainBranches = normalizeMainBranches(input.mainBranchCandidates);
+  const environment = input.environment ?? {};
+  const baselineSha = input.baselineSha?.trim();
+  if (baselineSha !== void 0 && baselineSha.length > 0) {
+    const result = await input.git.resolveCommit(`${baselineSha}^{commit}`);
+    if (result.ok) {
+      attempts.push({ step: "explicit-sha", candidate: baselineSha, outcome: "resolved" });
+      return {
+        strategy: "explicit_sha",
+        resolvedRef: baselineSha,
+        resolvedSha: result.stdout,
+        attempts
+      };
+    }
+    attempts.push({
+      step: "explicit-sha",
+      candidate: baselineSha,
+      outcome: "failed",
+      detail: result.message
+    });
+    throw new BaselineAutoResolutionError(
+      `invalid --baseline-sha '${baselineSha}': ${result.message}`
+    );
+  }
+  const providerBaseBranch = firstNonEmptyEnv(environment);
+  if (providerBaseBranch !== void 0) {
+    const originRef = `origin/${providerBaseBranch.value}`;
+    const originResult = await input.git.resolveCommit(`${originRef}^{commit}`);
+    if (originResult.ok) {
+      attempts.push({
+        step: `ci-base-branch:${providerBaseBranch.key}`,
+        candidate: originRef,
+        outcome: "resolved"
+      });
+      return {
+        strategy: "ci_base_branch",
+        resolvedRef: originRef,
+        resolvedSha: originResult.stdout,
+        attempts,
+        baseBranch: providerBaseBranch.value
+      };
+    }
+    attempts.push({
+      step: `ci-base-branch:${providerBaseBranch.key}`,
+      candidate: originRef,
+      outcome: "failed",
+      detail: originResult.message
+    });
+    const localRef = providerBaseBranch.value;
+    const localResult = await input.git.resolveCommit(`${localRef}^{commit}`);
+    if (localResult.ok) {
+      attempts.push({
+        step: `ci-base-branch-local:${providerBaseBranch.key}`,
+        candidate: localRef,
+        outcome: "resolved"
+      });
+      return {
+        strategy: "ci_base_branch",
+        resolvedRef: localRef,
+        resolvedSha: localResult.stdout,
+        attempts,
+        baseBranch: providerBaseBranch.value
+      };
+    }
+    attempts.push({
+      step: `ci-base-branch-local:${providerBaseBranch.key}`,
+      candidate: localRef,
+      outcome: "failed",
+      detail: localResult.message
+    });
+  } else {
+    attempts.push({
+      step: "ci-base-branch",
+      candidate: providerBaseBranchKeys.join(","),
+      outcome: "skipped",
+      detail: "no CI base branch environment variable found"
+    });
+  }
+  const branchResult = await input.git.currentBranch();
+  const branchName = branchResult.ok ? branchResult.stdout.trim() : void 0;
+  if (branchName !== void 0 && mainBranches.includes(branchName)) {
+    const headPrevious = await input.git.resolveCommit("HEAD~1^{commit}");
+    if (headPrevious.ok) {
+      attempts.push({
+        step: "main-branch-head-previous",
+        candidate: "HEAD~1",
+        outcome: "resolved"
+      });
+      return {
+        strategy: "main_branch_previous_commit",
+        resolvedRef: "HEAD~1",
+        resolvedSha: headPrevious.stdout,
+        attempts
+      };
+    }
+    attempts.push({
+      step: "main-branch-head-previous",
+      candidate: "HEAD~1",
+      outcome: "failed",
+      detail: headPrevious.message
+    });
+    throw new BaselineAutoResolutionError(
+      `unable to resolve baseline from HEAD~1 on branch '${branchName}': ${headPrevious.message}`
+    );
+  }
+  if (branchName === void 0) {
+    attempts.push({
+      step: "current-branch",
+      candidate: "HEAD",
+      outcome: "skipped",
+      detail: "detached HEAD or symbolic-ref unavailable"
+    });
+  } else {
+    attempts.push({
+      step: "current-branch",
+      candidate: branchName,
+      outcome: "resolved",
+      detail: "feature branch detected"
+    });
+  }
+  const mergeBaseCandidates = [
+    ...mainBranches.map((candidate) => `origin/${candidate}`),
+    ...mainBranches
+  ];
+  for (const candidate of mergeBaseCandidates) {
+    const mergeBase = await input.git.mergeBase("HEAD", candidate);
+    if (mergeBase.ok) {
+      attempts.push({
+        step: "merge-base",
+        candidate: `HEAD..${candidate}`,
+        outcome: "resolved"
+      });
+      return {
+        strategy: "feature_branch_merge_base",
+        resolvedRef: mergeBase.stdout,
+        resolvedSha: mergeBase.stdout,
+        attempts
+      };
+    }
+    attempts.push({
+      step: "merge-base",
+      candidate: `HEAD..${candidate}`,
+      outcome: "failed",
+      detail: mergeBase.message
+    });
+  }
+  const shallowResult = await input.git.isShallowRepository();
+  const shallowRepository = shallowResult.ok && asBoolean(shallowResult.stdout);
+  if (shallowRepository) {
+    throw new BaselineAutoResolutionError(
+      `${buildNoBaselineMessage()}; repository appears shallow. Fetch full history (for example: git fetch --unshallow or fetch-depth: 0).`
+    );
+  }
+  throw new BaselineAutoResolutionError(buildNoBaselineMessage());
+};
+var execFileAsync = promisify(execFile);
+var SENTINEL_TMP_DIR = ".codesentinel-tmp";
+var WORKTREE_DIR = "worktrees";
+var BaselineRefResolutionError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BaselineRefResolutionError";
+  }
+};
+var runGit = async (repositoryPath, args) => {
+  const result = await tryRunGit(repositoryPath, args);
+  if (result.ok) {
+    return result.stdout;
+  }
+  throw new BaselineRefResolutionError(result.message);
+};
+var tryRunGit = async (repositoryPath, args) => {
+  try {
+    const { stdout } = await execFileAsync("git", ["-C", repositoryPath, ...args], {
+      encoding: "utf8"
+    });
+    return { ok: true, stdout: stdout.trim() };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "unknown git error";
+    return { ok: false, message };
+  }
+};
+var buildWorktreePath = (repoRoot, sha) => {
+  const tmpRoot = join2(repoRoot, SENTINEL_TMP_DIR, WORKTREE_DIR);
+  mkdirSync(tmpRoot, { recursive: true });
+  const baseName = `baseline-${sha.slice(0, 12)}-${process.pid}`;
+  const candidate = resolve(tmpRoot, baseName);
+  return candidate;
+};
+var sanitizeSnapshotForWorktree = (snapshot, worktreePath, canonicalPath) => {
+  const replacePrefix = (value) => value.startsWith(worktreePath) ? `${canonicalPath}${value.slice(worktreePath.length)}` : value;
+  const structural = snapshot.analysis.structural;
+  return {
+    ...snapshot,
+    source: {
+      targetPath: replacePrefix(snapshot.source.targetPath)
+    },
+    analysis: {
+      ...snapshot.analysis,
+      structural: {
+        ...structural,
+        targetPath: replacePrefix(structural.targetPath),
+        nodes: structural.nodes.map((node) => ({
+          ...node,
+          absolutePath: replacePrefix(node.absolutePath)
+        }))
+      },
+      evolution: {
+        ...snapshot.analysis.evolution,
+        targetPath: replacePrefix(snapshot.analysis.evolution.targetPath)
+      },
+      external: {
+        ...snapshot.analysis.external,
+        targetPath: replacePrefix(snapshot.analysis.external.targetPath)
+      }
+    }
+  };
+};
+var resolveBaselineSnapshotFromRef = async (input) => {
+  const repositoryPath = resolve(input.repositoryPath);
+  const ref = input.baselineRef.trim();
+  if (ref.length === 0) {
+    throw new BaselineRefResolutionError("baseline-ref cannot be empty");
+  }
+  const repoRoot = await runGit(repositoryPath, ["rev-parse", "--show-toplevel"]);
+  const sha = await runGit(repositoryPath, ["rev-parse", "--verify", `${ref}^{commit}`]);
+  const worktreePath = buildWorktreePath(repoRoot, sha);
+  const cleanup = () => {
+    try {
+      rmSync(worktreePath, { recursive: true, force: true });
+    } catch {
+    }
+  };
+  try {
+    await runGit(repoRoot, ["worktree", "add", "--detach", worktreePath, sha]);
+    const snapshot = await input.analyzeWorktree(worktreePath, repoRoot);
+    const sanitized = sanitizeSnapshotForWorktree(snapshot, worktreePath, repoRoot);
+    return {
+      baselineSnapshot: sanitized,
+      resolvedRef: ref,
+      resolvedSha: sha
+    };
+  } finally {
+    try {
+      await runGit(repoRoot, ["worktree", "remove", "--force", worktreePath]);
+    } catch {
+      cleanup();
+    }
+  }
+};
+var resolveAutoBaselineRef = async (input) => {
+  const repositoryPath = resolve(input.repositoryPath);
+  const repoRoot = await runGit(repositoryPath, ["rev-parse", "--show-toplevel"]);
+  try {
+    return await resolveAutoBaseline({
+      ...input.baselineSha === void 0 ? {} : { baselineSha: input.baselineSha },
+      ...input.environment === void 0 ? {} : { environment: input.environment },
+      ...input.mainBranchCandidates === void 0 ? {} : { mainBranchCandidates: input.mainBranchCandidates },
+      git: {
+        resolveCommit: async (ref) => tryRunGit(repoRoot, ["rev-parse", "--verify", ref]),
+        mergeBase: async (leftRef, rightRef) => tryRunGit(repoRoot, ["merge-base", leftRef, rightRef]),
+        currentBranch: async () => tryRunGit(repoRoot, ["symbolic-ref", "--quiet", "--short", "HEAD"]),
+        isShallowRepository: async () => tryRunGit(repoRoot, ["rev-parse", "--is-shallow-repository"])
+      }
+    });
+  } catch (error) {
+    if (error instanceof BaselineAutoResolutionError) {
+      throw new BaselineRefResolutionError(error.message);
+    }
+    throw error;
+  }
+};
+
 // src/index.ts
 import { readFileSync as readFileSync2 } from "fs";
-import { dirname, resolve as resolve3 } from "path";
+import { dirname, resolve as resolve5 } from "path";
 import { fileURLToPath } from "url";
 
 // src/application/format-analyze-output.ts
@@ -1406,7 +2397,7 @@ var toRiskBand = (score) => {
   }
   return "very_high";
 };
-var factorLabelById = {
+var factorLabelById2 = {
   "repository.structural": "Structural complexity",
   "repository.evolution": "Change volatility",
   "repository.external": "External dependency pressure",
@@ -1424,7 +2415,7 @@ var factorLabelById = {
   "dependency.bus_factor": "Dependency bus factor",
   "dependency.popularity_dampening": "Popularity dampening"
 };
-var formatFactorLabel = (factorId) => factorLabelById[factorId] ?? factorId;
+var formatFactorLabel = (factorId) => factorLabelById2[factorId] ?? factorId;
 var formatNumber = (value) => value === null || value === void 0 ? "n/a" : `${value}`;
 var formatFactorSummary = (factor) => `${formatFactorLabel(factor.factorId)} (+${factor.contribution}, confidence=${factor.confidence})`;
 var formatFactorEvidence = (factor) => {
@@ -1702,10 +2693,10 @@ var parseLogLevel = (value) => {
 };
 
 // src/application/run-analyze-command.ts
-import { resolve as resolve2 } from "path";
+import { resolve as resolve3 } from "path";
 
 // ../code-graph/dist/index.js
-import { extname, isAbsolute, relative, resolve } from "path";
+import { extname, isAbsolute, relative, resolve as resolve2 } from "path";
 import * as ts from "typescript";
 var edgeKey = (from, to) => `${from}\0${to}`;
 var createGraphData = (nodes, rawEdges) => {
@@ -1994,7 +2985,7 @@ var discoverSourceFilesByScan = (projectRoot) => {
     SCAN_EXCLUDES,
     SCAN_INCLUDES
   );
-  return files.map((filePath) => resolve(filePath));
+  return files.map((filePath) => resolve2(filePath));
 };
 var parseTsConfigFile = (configPath) => {
   const parsedCommandLine = ts.getParsedCommandLineOfConfigFile(
@@ -2021,7 +3012,7 @@ var collectFilesFromTsConfigGraph = (projectRoot) => {
   const collectedFiles = /* @__PURE__ */ new Set();
   let rootOptions = null;
   const visitConfig = (configPath) => {
-    const absoluteConfigPath = resolve(configPath);
+    const absoluteConfigPath = resolve2(configPath);
     if (visitedConfigPaths.has(absoluteConfigPath)) {
       return;
     }
@@ -2031,10 +3022,10 @@ var collectFilesFromTsConfigGraph = (projectRoot) => {
       rootOptions = parsed.options;
     }
     for (const filePath of parsed.fileNames) {
-      collectedFiles.add(resolve(filePath));
+      collectedFiles.add(resolve2(filePath));
     }
     for (const reference of parsed.projectReferences ?? []) {
-      const referencePath = resolve(reference.path);
+      const referencePath = resolve2(reference.path);
       const referenceConfigPath = ts.sys.directoryExists(referencePath) ? ts.findConfigFile(referencePath, ts.sys.fileExists, "tsconfig.json") : referencePath;
       if (referenceConfigPath !== void 0 && ts.sys.fileExists(referenceConfigPath)) {
         visitConfig(referenceConfigPath);
@@ -2159,10 +3150,10 @@ var extractModuleSpecifiers = (sourceFile) => {
   return [...specifiers];
 };
 var parseTypescriptProject = (projectPath, onProgress) => {
-  const projectRoot = isAbsolute(projectPath) ? projectPath : resolve(projectPath);
+  const projectRoot = isAbsolute(projectPath) ? projectPath : resolve2(projectPath);
   const { fileNames, options, tsconfigCount, usedFallbackScan } = parseTsConfig(projectRoot);
   onProgress?.({ stage: "config_resolved", tsconfigCount, usedFallbackScan });
-  const sourceFilePaths = fileNames.filter((filePath) => isProjectSourceFile(filePath, projectRoot)).map((filePath) => normalizePath(resolve(filePath)));
+  const sourceFilePaths = fileNames.filter((filePath) => isProjectSourceFile(filePath, projectRoot)).map((filePath) => normalizePath(resolve2(filePath)));
   const uniqueSourceFilePaths = [...new Set(sourceFilePaths)].sort((a, b) => a.localeCompare(b));
   const sourceFilePathSet = new Set(uniqueSourceFilePaths);
   onProgress?.({ stage: "files_discovered", totalSourceFiles: uniqueSourceFilePaths.length });
@@ -2199,7 +3190,7 @@ var parseTypescriptProject = (projectPath, onProgress) => {
       if (resolvedPath === void 0 && !resolverCache.has(cacheKey)) {
         const resolved = ts.resolveModuleName(specifier, sourcePath, options, ts.sys).resolvedModule;
         if (resolved !== void 0) {
-          resolvedPath = normalizePath(resolve(resolved.resolvedFileName));
+          resolvedPath = normalizePath(resolve2(resolved.resolvedFileName));
         }
         resolverCache.set(cacheKey, resolvedPath);
       }
@@ -2237,7 +3228,7 @@ var buildProjectGraphSummary = (input) => {
 // ../git-analyzer/dist/index.js
 import { execFileSync } from "child_process";
 var pairKey = (a, b) => `${a}\0${b}`;
-var round43 = (value) => Number(value.toFixed(4));
+var round44 = (value) => Number(value.toFixed(4));
 var normalizeName = (value) => value.toLowerCase().replace(/[^a-z0-9\s]/g, " ").replace(/\s+/g, " ").trim();
 var extractEmailStem = (authorId) => {
   const normalized = authorId.trim().toLowerCase();
@@ -2367,7 +3358,7 @@ var finalizeAuthorDistribution = (authorCommits) => {
   return [...authorCommits.entries()].map(([authorId, commits]) => ({
     authorId,
     commits,
-    share: round43(commits / totalCommits)
+    share: round44(commits / totalCommits)
   })).sort((a, b) => b.commits - a.commits || a.authorId.localeCompare(b.authorId));
 };
 var buildCouplingMatrix = (coChangeByPair, fileCommitCount, consideredCommits, skippedLargeCommits, maxCouplingPairs) => {
@@ -2380,7 +3371,7 @@ var buildCouplingMatrix = (coChangeByPair, fileCommitCount, consideredCommits, s
     const fileACommits = fileCommitCount.get(fileA) ?? 0;
     const fileBCommits = fileCommitCount.get(fileB) ?? 0;
     const denominator = fileACommits + fileBCommits - coChangeCommits;
-    const couplingScore = denominator === 0 ? 0 : round43(coChangeCommits / denominator);
+    const couplingScore = denominator === 0 ? 0 : round44(coChangeCommits / denominator);
     allPairs.push({
       fileA,
       fileB,
@@ -2479,12 +3470,12 @@ var computeRepositoryEvolutionSummary = (targetPath, commits, config) => {
     return {
       filePath,
       commitCount: stats.commitCount,
-      frequencyPer100Commits: commits.length === 0 ? 0 : round43(stats.commitCount / commits.length * 100),
+      frequencyPer100Commits: commits.length === 0 ? 0 : round44(stats.commitCount / commits.length * 100),
       churnAdded: stats.churnAdded,
       churnDeleted: stats.churnDeleted,
       churnTotal: stats.churnAdded + stats.churnDeleted,
       recentCommitCount: stats.recentCommitCount,
-      recentVolatility: stats.commitCount === 0 ? 0 : round43(stats.recentCommitCount / stats.commitCount),
+      recentVolatility: stats.commitCount === 0 ? 0 : round44(stats.recentCommitCount / stats.commitCount),
       topAuthorShare,
       busFactor: computeBusFactor(authorDistribution, config.busFactorCoverageThreshold),
       authorDistribution
@@ -2800,7 +3791,7 @@ var DEFAULT_RISK_ENGINE_CONFIG = {
   }
 };
 var toUnitInterval = (value) => Number.isFinite(value) ? Math.min(1, Math.max(0, value)) : 0;
-var round44 = (value) => Number(value.toFixed(4));
+var round45 = (value) => Number(value.toFixed(4));
 var average = (values) => {
   if (values.length === 0) {
     return 0;
@@ -2914,7 +3905,7 @@ var computeDependencySignalScore = (ownSignals, inheritedSignals, inheritedSigna
   }
   return toUnitInterval(weightedTotal / maxWeightedTotal);
 };
-var clampConfidence = (value) => round44(toUnitInterval(value));
+var clampConfidence = (value) => round45(toUnitInterval(value));
 var buildFactorTraces = (totalScore, inputs) => {
   const positiveInputs = inputs.filter((input) => input.strength > 0);
   const strengthTotal = positiveInputs.reduce((sum, input) => sum + input.strength, 0);
@@ -2951,7 +3942,7 @@ var buildFactorTraces = (totalScore, inputs) => {
       continue;
     }
     if (index === scored.length - 1) {
-      const remaining = round44(totalScore - distributed);
+      const remaining = round45(totalScore - distributed);
       traces[traceIndex] = {
         ...existing,
         contribution: Math.max(0, remaining)
@@ -2959,7 +3950,7 @@ var buildFactorTraces = (totalScore, inputs) => {
       distributed += Math.max(0, remaining);
       continue;
     }
-    const rounded = round44(current.contribution);
+    const rounded = round45(current.contribution);
     traces[traceIndex] = {
       ...existing,
       contribution: rounded
@@ -2972,7 +3963,7 @@ var buildReductionLevers = (factors) => factors.filter((factor) => factor.contri
   (a, b) => b.contribution - a.contribution || a.factorId.localeCompare(b.factorId)
 ).slice(0, 3).map((factor) => ({
   factorId: factor.factorId,
-  estimatedImpact: round44(factor.contribution)
+  estimatedImpact: round45(factor.contribution)
 }));
 var buildTargetTrace = (targetType, targetId, totalScore, normalizedScore, factors) => {
   const dominantFactors = [...factors].filter((factor) => factor.contribution > 0).sort(
@@ -2981,8 +3972,8 @@ var buildTargetTrace = (targetType, targetId, totalScore, normalizedScore, facto
   return {
     targetType,
     targetId,
-    totalScore: round44(totalScore),
-    normalizedScore: round44(normalizedScore),
+    totalScore: round45(totalScore),
+    normalizedScore: round45(normalizedScore),
     factors,
     dominantFactors,
     reductionLevers: buildReductionLevers(factors)
@@ -3053,14 +4044,14 @@ var computeDependencyScores = (external, config) => {
     ].filter((value) => value !== null).length;
     const confidence = toUnitInterval(0.5 + availableMetricCount * 0.125);
     dependencyContexts.set(dependency.name, {
-      signalScore: round44(signalScore),
-      stalenessRisk: round44(stalenessRisk),
-      maintainerConcentrationRisk: round44(maintainerConcentrationRisk),
-      transitiveBurdenRisk: round44(transitiveBurdenRisk),
-      centralityRisk: round44(centralityRisk),
-      chainDepthRisk: round44(chainDepthRisk),
-      busFactorRisk: round44(busFactorRisk),
-      popularityDampener: round44(popularityDampener),
+      signalScore: round45(signalScore),
+      stalenessRisk: round45(stalenessRisk),
+      maintainerConcentrationRisk: round45(maintainerConcentrationRisk),
+      transitiveBurdenRisk: round45(transitiveBurdenRisk),
+      centralityRisk: round45(centralityRisk),
+      chainDepthRisk: round45(chainDepthRisk),
+      busFactorRisk: round45(busFactorRisk),
+      popularityDampener: round45(popularityDampener),
       rawMetrics: {
         daysSinceLastRelease: dependency.daysSinceLastRelease,
         maintainerCount: dependency.maintainerCount,
@@ -3070,12 +4061,12 @@ var computeDependencyScores = (external, config) => {
         busFactor: dependency.busFactor,
         weeklyDownloads: dependency.weeklyDownloads
       },
-      confidence: round44(confidence)
+      confidence: round45(confidence)
     });
     return {
       dependency: dependency.name,
-      score: round44(normalizedScore * 100),
-      normalizedScore: round44(normalizedScore),
+      score: round45(normalizedScore * 100),
+      normalizedScore: round45(normalizedScore),
       ownRiskSignals: dependency.ownRiskSignals,
       inheritedRiskSignals: dependency.inheritedRiskSignals
     };
@@ -3094,7 +4085,7 @@ var computeDependencyScores = (external, config) => {
   );
   return {
     dependencyScores,
-    repositoryExternalPressure: round44(repositoryExternalPressure),
+    repositoryExternalPressure: round45(repositoryExternalPressure),
     dependencyContexts
   };
 };
@@ -3159,7 +4150,7 @@ var buildFragileClusters = (structural, evolution, fileScoresByFile, config) =>
       files.map((filePath) => fileScoresByFile.get(filePath)?.normalizedScore ?? 0)
     );
     const cycleSizeRisk = toUnitInterval((files.length - 1) / 5);
-    const score = round44(toUnitInterval(averageRisk * 0.75 + cycleSizeRisk * 0.25) * 100);
+    const score = round45(toUnitInterval(averageRisk * 0.75 + cycleSizeRisk * 0.25) * 100);
     cycleClusterCount += 1;
     clusters.push({
       id: `cycle:${cycleClusterCount}`,
@@ -3233,7 +4224,7 @@ var buildFragileClusters = (structural, evolution, fileScoresByFile, config) =>
         files.map((filePath) => fileScoresByFile.get(filePath)?.normalizedScore ?? 0)
       );
       const meanCoupling = average(componentPairs.map((pair) => pair.couplingScore));
-      const score = round44(toUnitInterval(meanFileRisk * 0.65 + meanCoupling * 0.35) * 100);
+      const score = round45(toUnitInterval(meanFileRisk * 0.65 + meanCoupling * 0.35) * 100);
       couplingClusterCount += 1;
       clusters.push({
         id: `coupling:${couplingClusterCount}`,
@@ -3323,21 +4314,21 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
     const normalizedScore = saturatingComposite(baseline, interactions);
     return {
       file: filePath,
-      score: round44(normalizedScore * 100),
-      normalizedScore: round44(normalizedScore),
+      score: round45(normalizedScore * 100),
+      normalizedScore: round45(normalizedScore),
       factors: {
-        structural: round44(structuralFactor),
-        evolution: round44(evolutionFactor),
-        external: round44(externalFactor)
+        structural: round45(structuralFactor),
+        evolution: round45(evolutionFactor),
+        external: round45(externalFactor)
       },
-      structuralCentrality: round44(structuralCentrality),
+      structuralCentrality: round45(structuralCentrality),
       traceTerms: {
-        structuralBase: round44(structuralBase),
-        evolutionBase: round44(evolutionBase),
-        externalBase: round44(externalBase),
-        interactionStructuralEvolution: round44(interactionStructuralEvolution),
-        interactionCentralInstability: round44(interactionCentralInstability),
-        interactionDependencyAmplification: round44(interactionDependencyAmplification)
+        structuralBase: round45(structuralBase),
+        evolutionBase: round45(evolutionBase),
+        externalBase: round45(externalBase),
+        interactionStructuralEvolution: round45(interactionStructuralEvolution),
+        interactionCentralInstability: round45(interactionCentralInstability),
+        interactionDependencyAmplification: round45(interactionDependencyAmplification)
       },
       rawMetrics: {
         fanIn: file.fanIn,
@@ -3349,18 +4340,18 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
         recentVolatility: evolutionMetrics?.recentVolatility ?? null,
         topAuthorShare: evolutionMetrics?.topAuthorShare ?? null,
         busFactor: evolutionMetrics?.busFactor ?? null,
-        dependencyAffinity: round44(dependencyAffinity),
-        repositoryExternalPressure: round44(dependencyComputation.repositoryExternalPressure)
+        dependencyAffinity: round45(dependencyAffinity),
+        repositoryExternalPressure: round45(dependencyComputation.repositoryExternalPressure)
       },
       normalizedMetrics: {
-        fanInRisk: round44(fanInRisk),
-        fanOutRisk: round44(fanOutRisk),
-        depthRisk: round44(depthRisk),
-        frequencyRisk: round44(frequencyRisk),
-        churnRisk: round44(churnRisk),
-        volatilityRisk: round44(volatilityRisk),
-        ownershipConcentrationRisk: round44(ownershipConcentrationRisk),
-        busFactorRisk: round44(busFactorRisk)
+        fanInRisk: round45(fanInRisk),
+        fanOutRisk: round45(fanOutRisk),
+        depthRisk: round45(depthRisk),
+        frequencyRisk: round45(frequencyRisk),
+        churnRisk: round45(churnRisk),
+        volatilityRisk: round45(volatilityRisk),
+        ownershipConcentrationRisk: round45(ownershipConcentrationRisk),
+        busFactorRisk: round45(busFactorRisk)
       }
     };
   }).sort((a, b) => b.score - a.score || a.file.localeCompare(b.file));
@@ -3490,8 +4481,8 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
     const normalizedScore = toUnitInterval(averageScore * 0.65 + peakScore * 0.35);
     return {
       module,
-      score: round44(normalizedScore * 100),
-      normalizedScore: round44(normalizedScore),
+      score: round45(normalizedScore * 100),
+      normalizedScore: round45(normalizedScore),
       fileCount: values.length
     };
   }).sort((a, b) => b.score - a.score || a.module.localeCompare(b.module));
@@ -3500,14 +4491,14 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
       const averageScore = average(values);
       const peakScore = values.reduce((max, value) => Math.max(max, value), 0);
       const normalizedScore = toUnitInterval(averageScore * 0.65 + peakScore * 0.35);
-      const totalScore = round44(normalizedScore * 100);
+      const totalScore = round45(normalizedScore * 100);
       const factors = buildFactorTraces(totalScore, [
         {
           factorId: "module.average_file_risk",
           family: "composite",
           strength: averageScore * 0.65,
-          rawMetrics: { averageFileRisk: round44(averageScore), fileCount: values.length },
-          normalizedMetrics: { normalizedModuleRisk: round44(normalizedScore) },
+          rawMetrics: { averageFileRisk: round45(averageScore), fileCount: values.length },
+          normalizedMetrics: { normalizedModuleRisk: round45(normalizedScore) },
           weight: 0.65,
           amplification: null,
           evidence: [{ kind: "repository_metric", metric: "moduleAggregation.average" }],
@@ -3517,8 +4508,8 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
           factorId: "module.peak_file_risk",
           family: "composite",
           strength: peakScore * 0.35,
-          rawMetrics: { peakFileRisk: round44(peakScore), fileCount: values.length },
-          normalizedMetrics: { normalizedModuleRisk: round44(normalizedScore) },
+          rawMetrics: { peakFileRisk: round45(peakScore), fileCount: values.length },
+          normalizedMetrics: { normalizedModuleRisk: round45(normalizedScore) },
           weight: 0.35,
           amplification: null,
           evidence: [{ kind: "repository_metric", metric: "moduleAggregation.peak" }],
@@ -3541,12 +4532,12 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
     const normalizedZoneScore = toUnitInterval(intensity * 0.7 + fileScore.normalizedScore * 0.3);
     return {
       file: fileScore.file,
-      score: round44(normalizedZoneScore * 100),
+      score: round45(normalizedZoneScore * 100),
       externalPressure: fileScore.factors.external
     };
   }).filter((zone) => external.available && zone.externalPressure >= pressureThreshold).sort((a, b) => b.score - a.score || a.file.localeCompare(b.file)).slice(0, config.amplificationZone.maxZones).map((zone) => ({
     ...zone,
-    externalPressure: round44(zone.externalPressure)
+    externalPressure: round45(zone.externalPressure)
   }));
   if (collector !== void 0 && external.available) {
     const dependencyByName = new Map(external.dependencies.map((dependency) => [dependency.name, dependency]));
@@ -3669,15 +4660,15 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
     criticalInstability * config.interactionWeights.centralInstability,
     dependencyAmplification * config.interactionWeights.dependencyAmplification
   ]);
-  const repositoryScore = round44(repositoryNormalizedScore * 100);
+  const repositoryScore = round45(repositoryNormalizedScore * 100);
   if (collector !== void 0) {
     const repositoryFactors = buildFactorTraces(repositoryScore, [
       {
         factorId: "repository.structural",
         family: "structural",
         strength: structuralDimension * dimensionWeights.structural,
-        rawMetrics: { structuralDimension: round44(structuralDimension) },
-        normalizedMetrics: { dimensionWeight: round44(dimensionWeights.structural) },
+        rawMetrics: { structuralDimension: round45(structuralDimension) },
+        normalizedMetrics: { dimensionWeight: round45(dimensionWeights.structural) },
         weight: dimensionWeights.structural,
         amplification: null,
         evidence: [{ kind: "repository_metric", metric: "structuralDimension" }],
@@ -3687,8 +4678,8 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
         factorId: "repository.evolution",
         family: "evolution",
         strength: evolutionDimension * dimensionWeights.evolution,
-        rawMetrics: { evolutionDimension: round44(evolutionDimension) },
-        normalizedMetrics: { dimensionWeight: round44(dimensionWeights.evolution) },
+        rawMetrics: { evolutionDimension: round45(evolutionDimension) },
+        normalizedMetrics: { dimensionWeight: round45(dimensionWeights.evolution) },
         weight: dimensionWeights.evolution,
         amplification: null,
         evidence: [{ kind: "repository_metric", metric: "evolutionDimension" }],
@@ -3698,8 +4689,8 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
         factorId: "repository.external",
         family: "external",
         strength: externalDimension * dimensionWeights.external,
-        rawMetrics: { externalDimension: round44(externalDimension) },
-        normalizedMetrics: { dimensionWeight: round44(dimensionWeights.external) },
+        rawMetrics: { externalDimension: round45(externalDimension) },
+        normalizedMetrics: { dimensionWeight: round45(dimensionWeights.external) },
         weight: dimensionWeights.external,
         amplification: null,
         evidence: [{ kind: "repository_metric", metric: "externalDimension" }],
@@ -3710,19 +4701,19 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
         family: "composite",
         strength: structuralDimension * evolutionDimension * config.interactionWeights.structuralEvolution + criticalInstability * config.interactionWeights.centralInstability + dependencyAmplification * config.interactionWeights.dependencyAmplification,
         rawMetrics: {
-          structuralEvolution: round44(
+          structuralEvolution: round45(
             structuralDimension * evolutionDimension * config.interactionWeights.structuralEvolution
           ),
-          centralInstability: round44(
+          centralInstability: round45(
             criticalInstability * config.interactionWeights.centralInstability
           ),
-          dependencyAmplification: round44(
+          dependencyAmplification: round45(
             dependencyAmplification * config.interactionWeights.dependencyAmplification
           )
         },
         normalizedMetrics: {
-          criticalInstability: round44(criticalInstability),
-          dependencyAmplification: round44(dependencyAmplification)
+          criticalInstability: round45(criticalInstability),
+          dependencyAmplification: round45(dependencyAmplification)
         },
         weight: null,
         amplification: config.interactionWeights.structuralEvolution + config.interactionWeights.centralInstability + config.interactionWeights.dependencyAmplification,
@@ -3742,7 +4733,7 @@ var computeRiskSummary = (structural, evolution, external, config, traceCollecto
   }
   return {
     repositoryScore,
-    normalizedScore: round44(repositoryNormalizedScore),
+    normalizedScore: round45(repositoryNormalizedScore),
     hotspots,
     fragileClusters,
     dependencyAmplificationZones,
@@ -3862,7 +4853,7 @@ var evaluateRepositoryRisk = (input, options = {}) => {
 };
 
 // src/application/run-analyze-command.ts
-var resolveTargetPath = (inputPath, cwd) => resolve2(cwd, inputPath ?? ".");
+var resolveTargetPath = (inputPath, cwd) => resolve3(cwd, inputPath ?? ".");
 var createExternalProgressReporter = (logger) => {
   let lastLoggedProgress = 0;
   return (event) => {
@@ -4030,6 +5021,273 @@ var runAnalyzeCommand = async (inputPath, authorIdentityMode, logger = createSil
   };
 };
 
+// src/application/run-check-command.ts
+import { readFile, writeFile } from "fs/promises";
+
+// src/application/build-analysis-snapshot.ts
+var buildAnalysisSnapshot = async (inputPath, authorIdentityMode, options, logger) => {
+  const analysisInputs = await collectAnalysisInputs(inputPath, authorIdentityMode, logger);
+  const evaluation = evaluateRepositoryRisk(analysisInputs, { explain: options.includeTrace });
+  const summary = {
+    ...analysisInputs,
+    risk: evaluation.summary
+  };
+  return createSnapshot({
+    analysis: summary,
+    ...evaluation.trace === void 0 ? {} : { trace: evaluation.trace },
+    analysisConfig: {
+      authorIdentityMode,
+      includeTrace: options.includeTrace
+    }
+  });
+};
+
+// src/application/run-check-command.ts
+var formatCheckResult = (result, format) => {
+  if (format === "json") {
+    return JSON.stringify(
+      {
+        current: result.current,
+        ...result.baseline === void 0 ? {} : { baseline: result.baseline },
+        ...result.diff === void 0 ? {} : { diff: result.diff },
+        violations: result.gateResult.violations,
+        evaluatedGates: result.gateResult.evaluatedGates,
+        highestSeverity: result.gateResult.highestSeverity,
+        exitCode: result.gateResult.exitCode
+      },
+      null,
+      2
+    );
+  }
+  if (format === "md") {
+    return renderCheckMarkdown(result.current, result.gateResult);
+  }
+  return renderCheckText(result.current, result.gateResult);
+};
+var runCheckCommand = async (inputPath, authorIdentityMode, options, logger = createSilentLogger()) => {
+  logger.info("building current snapshot for check");
+  const current = await buildAnalysisSnapshot(
+    inputPath,
+    authorIdentityMode,
+    { includeTrace: options.includeTrace },
+    logger
+  );
+  let baseline;
+  let diff;
+  if (options.baselinePath !== void 0) {
+    logger.info(`loading baseline snapshot: ${options.baselinePath}`);
+    const baselineRaw = await readFile(options.baselinePath, "utf8");
+    try {
+      baseline = parseSnapshot(baselineRaw);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "invalid baseline snapshot";
+      throw new GovernanceConfigurationError(`invalid baseline snapshot: ${message}`);
+    }
+    diff = compareSnapshots(current, baseline);
+  }
+  const gateResult = evaluateGates({
+    current,
+    ...baseline === void 0 ? {} : { baseline },
+    ...diff === void 0 ? {} : { diff },
+    gateConfig: options.gateConfig
+  });
+  const rendered = formatCheckResult(
+    {
+      current,
+      ...baseline === void 0 ? {} : { baseline },
+      ...diff === void 0 ? {} : { diff },
+      gateResult,
+      rendered: ""
+    },
+    options.outputFormat
+  );
+  if (options.outputPath !== void 0) {
+    await writeFile(options.outputPath, rendered, "utf8");
+    logger.info(`check output written: ${options.outputPath}`);
+  }
+  return {
+    current,
+    ...baseline === void 0 ? {} : { baseline },
+    ...diff === void 0 ? {} : { diff },
+    gateResult,
+    rendered
+  };
+};
+
+// src/application/run-ci-command.ts
+import { readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
+import { relative as relative2, resolve as resolve4 } from "path";
+var isPathOutsideBase = (value) => {
+  return value === ".." || value.startsWith("../") || value.startsWith("..\\");
+};
+var runCiCommand = async (inputPath, authorIdentityMode, options, logger = createSilentLogger()) => {
+  if (options.baselinePath !== void 0 && options.baselineRef !== void 0) {
+    throw new GovernanceConfigurationError(
+      "baseline configuration is ambiguous: use either --baseline or --baseline-ref"
+    );
+  }
+  if (options.baselineSha !== void 0 && options.baselineRef !== "auto") {
+    throw new GovernanceConfigurationError(
+      "baseline-sha requires --baseline-ref auto"
+    );
+  }
+  const resolvedTargetPath = resolve4(inputPath ?? process.cwd());
+  logger.info("building current snapshot");
+  const current = await buildAnalysisSnapshot(
+    inputPath,
+    authorIdentityMode,
+    { includeTrace: options.includeTrace },
+    logger
+  );
+  if (options.snapshotPath !== void 0) {
+    await writeFile2(options.snapshotPath, JSON.stringify(current, null, 2), "utf8");
+    logger.info(`snapshot written: ${options.snapshotPath}`);
+  }
+  let baseline;
+  let diff;
+  if (options.baselineRef !== void 0) {
+    let baselineRef = options.baselineRef;
+    if (options.baselineRef === "auto") {
+      logger.info("resolving baseline ref using auto strategy");
+      try {
+        const autoResolved = await resolveAutoBaselineRef({
+          repositoryPath: resolvedTargetPath,
+          ...options.baselineSha === void 0 ? {} : { baselineSha: options.baselineSha },
+          ...options.mainBranchCandidates === void 0 ? {} : { mainBranchCandidates: options.mainBranchCandidates },
+          environment: process.env
+        });
+        logger.info(
+          `baseline auto strategy selected: ${autoResolved.strategy} (${autoResolved.resolvedRef} -> ${autoResolved.resolvedSha})`
+        );
+        for (const attempt of autoResolved.attempts) {
+          const detail = attempt.detail === void 0 ? "" : ` (${attempt.detail})`;
+          logger.debug(
+            `baseline auto attempt: ${attempt.step} ${attempt.candidate} => ${attempt.outcome}${detail}`
+          );
+        }
+        baselineRef = autoResolved.resolvedRef;
+      } catch (error) {
+        if (error instanceof BaselineRefResolutionError) {
+          throw new GovernanceConfigurationError(
+            `unable to resolve baseline ref 'auto': ${error.message}`
+          );
+        }
+        throw error;
+      }
+    }
+    logger.info(`resolving baseline from git ref: ${baselineRef}`);
+    try {
+      const resolved = await resolveBaselineSnapshotFromRef({
+        repositoryPath: resolvedTargetPath,
+        baselineRef,
+        analyzeWorktree: async (worktreePath, repositoryRoot) => {
+          const relativeTargetPath = relative2(repositoryRoot, resolvedTargetPath);
+          if (isPathOutsideBase(relativeTargetPath)) {
+            throw new GovernanceConfigurationError(
+              `target path is outside git repository root: ${resolvedTargetPath}`
+            );
+          }
+          const baselineTargetPath = relativeTargetPath.length === 0 || relativeTargetPath === "." ? worktreePath : resolve4(worktreePath, relativeTargetPath);
+          return buildAnalysisSnapshot(
+            baselineTargetPath,
+            authorIdentityMode,
+            { includeTrace: options.includeTrace },
+            logger
+          );
+        }
+      });
+      baseline = resolved.baselineSnapshot;
+      logger.info(`baseline ref resolved to ${resolved.resolvedSha}`);
+    } catch (error) {
+      if (error instanceof BaselineRefResolutionError) {
+        throw new GovernanceConfigurationError(
+          `unable to resolve baseline ref '${baselineRef}': ${error.message}`
+        );
+      }
+      throw error;
+    }
+    diff = compareSnapshots(current, baseline);
+  } else if (options.baselinePath !== void 0) {
+    logger.info(`loading baseline snapshot: ${options.baselinePath}`);
+    const baselineRaw = await readFile2(options.baselinePath, "utf8");
+    try {
+      baseline = parseSnapshot(baselineRaw);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "invalid baseline snapshot";
+      throw new GovernanceConfigurationError(`invalid baseline snapshot: ${message}`);
+    }
+    diff = compareSnapshots(current, baseline);
+  }
+  const gateResult = evaluateGates({
+    current,
+    ...baseline === void 0 ? {} : { baseline },
+    ...diff === void 0 ? {} : { diff },
+    gateConfig: options.gateConfig
+  });
+  const report = createReport(current, diff);
+  const reportMarkdown = formatReport(report, "md");
+  const ciMarkdown = renderCheckMarkdown(current, gateResult);
+  const markdownSummary = `${reportMarkdown}
+
+${ciMarkdown}`;
+  if (options.reportPath !== void 0) {
+    await writeFile2(options.reportPath, markdownSummary, "utf8");
+    logger.info(`report written: ${options.reportPath}`);
+  }
+  const machineReadable = {
+    current,
+    ...baseline === void 0 ? {} : { baseline },
+    ...diff === void 0 ? {} : { diff },
+    violations: gateResult.violations,
+    highestSeverity: gateResult.highestSeverity,
+    exitCode: gateResult.exitCode
+  };
+  if (options.jsonOutputPath !== void 0) {
+    await writeFile2(options.jsonOutputPath, JSON.stringify(machineReadable, null, 2), "utf8");
+    logger.info(`ci machine output written: ${options.jsonOutputPath}`);
+  }
+  return {
+    current,
+    ...baseline === void 0 ? {} : { baseline },
+    ...diff === void 0 ? {} : { diff },
+    gateResult,
+    markdownSummary,
+    machineReadable
+  };
+};
+
+// src/application/run-report-command.ts
+import { readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
+var runReportCommand = async (inputPath, authorIdentityMode, options, logger = createSilentLogger()) => {
+  logger.info("building analysis snapshot");
+  const current = await buildAnalysisSnapshot(
+    inputPath,
+    authorIdentityMode,
+    { includeTrace: options.includeTrace },
+    logger
+  );
+  if (options.snapshotPath !== void 0) {
+    await writeFile3(options.snapshotPath, JSON.stringify(current, null, 2), "utf8");
+    logger.info(`snapshot written: ${options.snapshotPath}`);
+  }
+  let report;
+  if (options.comparePath === void 0) {
+    report = createReport(current);
+  } else {
+    logger.info(`loading baseline snapshot: ${options.comparePath}`);
+    const baselineRaw = await readFile3(options.comparePath, "utf8");
+    const baseline = parseSnapshot(baselineRaw);
+    const diff = compareSnapshots(current, baseline);
+    report = createReport(current, diff);
+  }
+  const rendered = formatReport(report, options.format);
+  if (options.outputPath !== void 0) {
+    await writeFile3(options.outputPath, rendered, "utf8");
+    logger.info(`report written: ${options.outputPath}`);
+  }
+  return { report, rendered };
+};
+
 // src/application/run-explain-command.ts
 var selectTargets = (trace, summary, options) => {
   if (options.file !== void 0) {
@@ -4071,7 +5329,7 @@ var runExplainCommand = async (inputPath, authorIdentityMode, options, logger =
 
 // src/index.ts
 var program = new Command();
-var packageJsonPath = resolve3(dirname(fileURLToPath(import.meta.url)), "../package.json");
+var packageJsonPath = resolve5(dirname(fileURLToPath(import.meta.url)), "../package.json");
 var { version } = JSON.parse(readFileSync2(packageJsonPath, "utf8"));
 program.name("codesentinel").description("Structural and evolutionary risk analysis for TypeScript/JavaScript codebases").version(version);
 program.command("analyze").argument("[path]", "path to the project to analyze").addOption(
@@ -4163,6 +5421,183 @@ program.command("dependency-risk").argument("<dependency>", "dependency spec to
 `);
   }
 );
+program.command("report").argument("[path]", "path to the project to analyze").addOption(
+  new Option(
+    "--author-identity <mode>",
+    "author identity mode: likely_merge (heuristic) or strict_email (deterministic)"
+  ).choices(["likely_merge", "strict_email"]).default("likely_merge")
+).addOption(
+  new Option(
+    "--log-level <level>",
+    "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
+  ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
+).addOption(
+  new Option("--format <mode>", "output format: text, json, md").choices(["text", "json", "md"]).default("text")
+).option("--output <path>", "write rendered report to a file path").option("--compare <baseline>", "compare against a baseline snapshot JSON file").option("--snapshot <path>", "write current snapshot JSON artifact").option("--no-trace", "disable trace embedding in generated snapshot").action(
+  async (path, options) => {
+    const logger = createStderrLogger(options.logLevel);
+    const result = await runReportCommand(
+      path,
+      options.authorIdentity,
+      {
+        format: options.format,
+        ...options.output === void 0 ? {} : { outputPath: options.output },
+        ...options.compare === void 0 ? {} : { comparePath: options.compare },
+        ...options.snapshot === void 0 ? {} : { snapshotPath: options.snapshot },
+        includeTrace: options.trace
+      },
+      logger
+    );
+    if (options.output === void 0) {
+      process.stdout.write(`${result.rendered}
+`);
+    }
+  }
+);
+var parseGateNumber = (value, optionName) => {
+  if (value === void 0) {
+    return void 0;
+  }
+  const parsed = Number.parseFloat(value);
+  if (!Number.isFinite(parsed)) {
+    throw new GovernanceConfigurationError(`${optionName} must be numeric`);
+  }
+  return parsed;
+};
+var collectOptionValues = (value, previous = []) => {
+  return [...previous, value];
+};
+var parseMainBranches = (options) => {
+  const fromRepeated = options.mainBranch ?? [];
+  const fromCsv = options.mainBranches === void 0 ? [] : options.mainBranches.split(",").map((value) => value.trim()).filter((value) => value.length > 0);
+  const merged = [...fromRepeated, ...fromCsv];
+  if (merged.length === 0) {
+    return void 0;
+  }
+  const unique = Array.from(new Set(merged));
+  return unique.length > 0 ? unique : void 0;
+};
+var buildGateConfigFromOptions = (options) => {
+  const maxRepoDelta = parseGateNumber(options.maxRepoDelta, "--max-repo-delta");
+  const maxNewHotspots = parseGateNumber(options.maxNewHotspots, "--max-new-hotspots");
+  const maxRepoScore = parseGateNumber(options.maxRepoScore, "--max-repo-score");
+  const newHotspotScoreThreshold = parseGateNumber(
+    options.newHotspotScoreThreshold,
+    "--new-hotspot-score-threshold"
+  );
+  return {
+    ...maxRepoDelta === void 0 ? {} : { maxRepoDelta },
+    ...options.noNewCycles === true ? { noNewCycles: true } : {},
+    ...options.noNewHighRiskDeps === true ? { noNewHighRiskDeps: true } : {},
+    ...maxNewHotspots === void 0 ? {} : { maxNewHotspots },
+    ...maxRepoScore === void 0 ? {} : { maxRepoScore },
+    ...newHotspotScoreThreshold === void 0 ? {} : { newHotspotScoreThreshold },
+    failOn: options.failOn
+  };
+};
+program.command("check").argument("[path]", "path to the project to analyze").addOption(
+  new Option(
+    "--author-identity <mode>",
+    "author identity mode: likely_merge (heuristic) or strict_email (deterministic)"
+  ).choices(["likely_merge", "strict_email"]).default("likely_merge")
+).addOption(
+  new Option(
+    "--log-level <level>",
+    "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
+  ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
+).option("--compare <baseline>", "baseline snapshot path").option("--max-repo-delta <value>", "maximum allowed normalized repository score increase").option("--no-new-cycles", "fail if new structural cycles are introduced").option("--no-new-high-risk-deps", "fail if new high-risk direct dependencies are introduced").option("--max-new-hotspots <count>", "maximum allowed number of new hotspots").option("--new-hotspot-score-threshold <score>", "minimum hotspot score to count as new hotspot").option("--max-repo-score <score>", "absolute repository score limit (0..100)").addOption(new Option("--fail-on <level>", "failing severity threshold").choices(["error", "warn"]).default("error")).addOption(new Option("--format <mode>", "output format: text, json, md").choices(["text", "json", "md"]).default("text")).option("--output <path>", "write check output to a file path").option("--no-trace", "disable trace embedding in generated snapshot").action(
+  async (path, options) => {
+    const logger = createStderrLogger(options.logLevel);
+    try {
+      const gateConfig = buildGateConfigFromOptions(options);
+      const result = await runCheckCommand(
+        path,
+        options.authorIdentity,
+        {
+          ...options.compare === void 0 ? {} : { baselinePath: options.compare },
+          includeTrace: options.trace,
+          gateConfig,
+          outputFormat: options.format,
+          ...options.output === void 0 ? {} : { outputPath: options.output }
+        },
+        logger
+      );
+      if (options.output === void 0) {
+        process.stdout.write(`${result.rendered}
+`);
+      }
+      process.exitCode = result.gateResult.exitCode;
+    } catch (error) {
+      if (error instanceof GovernanceConfigurationError) {
+        logger.error(error.message);
+        process.exitCode = EXIT_CODES.invalidConfiguration;
+        return;
+      }
+      logger.error(error instanceof Error ? error.message : "internal error");
+      process.exitCode = EXIT_CODES.internalError;
+    }
+  }
+);
+program.command("ci").argument("[path]", "path to the project to analyze").addOption(
+  new Option(
+    "--author-identity <mode>",
+    "author identity mode: likely_merge (heuristic) or strict_email (deterministic)"
+  ).choices(["likely_merge", "strict_email"]).default("likely_merge")
+).addOption(
+  new Option(
+    "--log-level <level>",
+    "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
+  ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
+).option("--baseline <path>", "baseline snapshot path").option("--baseline-ref <gitRef>", "resolve baseline snapshot from a git reference (for example origin/main)").option("--baseline-sha <sha>", "explicit baseline commit SHA (only valid with --baseline-ref auto)").addOption(
+  new Option(
+    "--main-branch <name>",
+    "add a default branch candidate for auto baseline resolution (repeatable)"
+  ).argParser(collectOptionValues)
+).option(
+  "--main-branches <names>",
+  "comma-separated default branch candidates for auto baseline resolution (for example: main,master)"
+).option("--snapshot <path>", "write current snapshot JSON to path").option("--report <path>", "write markdown CI summary report").option("--json-output <path>", "write machine-readable CI JSON output").option("--max-repo-delta <value>", "maximum allowed normalized repository score increase").option("--no-new-cycles", "fail if new structural cycles are introduced").option("--no-new-high-risk-deps", "fail if new high-risk direct dependencies are introduced").option("--max-new-hotspots <count>", "maximum allowed number of new hotspots").option("--new-hotspot-score-threshold <score>", "minimum hotspot score to count as new hotspot").option("--max-repo-score <score>", "absolute repository score limit (0..100)").addOption(new Option("--fail-on <level>", "failing severity threshold").choices(["error", "warn"]).default("error")).option("--no-trace", "disable trace embedding in generated snapshot").action(
+  async (path, options) => {
+    const logger = createStderrLogger(options.logLevel);
+    try {
+      const gateConfig = buildGateConfigFromOptions(options);
+      const mainBranchCandidates = parseMainBranches(options);
+      const result = await runCiCommand(
+        path,
+        options.authorIdentity,
+        {
+          ...options.baseline === void 0 ? {} : { baselinePath: options.baseline },
+          ...options.baselineRef === void 0 ? {} : { baselineRef: options.baselineRef },
+          ...options.baselineSha === void 0 ? {} : { baselineSha: options.baselineSha },
+          ...mainBranchCandidates === void 0 ? {} : { mainBranchCandidates },
+          ...options.snapshot === void 0 ? {} : { snapshotPath: options.snapshot },
+          ...options.report === void 0 ? {} : { reportPath: options.report },
+          ...options.jsonOutput === void 0 ? {} : { jsonOutputPath: options.jsonOutput },
+          includeTrace: options.trace,
+          gateConfig
+        },
+        logger
+      );
+      if (options.report === void 0) {
+        process.stdout.write(`${result.markdownSummary}
+`);
+      }
+      if (options.jsonOutput === void 0) {
+        process.stdout.write(`${JSON.stringify(result.machineReadable, null, 2)}
+`);
+      }
+      process.exitCode = result.gateResult.exitCode;
+    } catch (error) {
+      if (error instanceof GovernanceConfigurationError) {
+        logger.error(error.message);
+        process.exitCode = EXIT_CODES.invalidConfiguration;
+        return;
+      }
+      logger.error(error instanceof Error ? error.message : "internal error");
+      process.exitCode = EXIT_CODES.internalError;
+    }
+  }
+);
 if (process.argv.length <= 2) {
   program.outputHelp();
   process.exit(0);