@getcodesentinel/codesentinel 1.9.3 → 1.9.5

package/dist/index.js

@@ -254,6 +254,46 @@ var DEFAULT_EXTERNAL_ANALYSIS_CONFIG = {
   maxHighRiskDependencies: 100,
   metadataRequestConcurrency: 8
 };
+var mapWithConcurrency = async (values, limit, handler) => {
+  const effectiveLimit = Math.max(1, limit);
+  const workerCount = Math.min(effectiveLimit, values.length);
+  const results = new Array(values.length);
+  let index = 0;
+  const workers = Array.from({ length: workerCount }, async () => {
+    while (true) {
+      const current = index;
+      index += 1;
+      if (current >= values.length) {
+        return;
+      }
+      const value = values[current];
+      if (value !== void 0) {
+        results[current] = await handler(value);
+      }
+    }
+  });
+  await Promise.all(workers);
+  return results;
+};
+var collectDependencyMetadata = async (extraction, metadataProvider, concurrency, onProgress) => {
+  const directNames = new Set(extraction.directDependencies.map((dependency) => dependency.name));
+  let completed = 0;
+  return mapWithConcurrency(extraction.nodes, concurrency, async (node) => {
+    const result = {
+      key: `${node.name}@${node.version}`,
+      metadata: await metadataProvider.getMetadata(node.name, node.version, {
+        directDependency: directNames.has(node.name)
+      })
+    };
+    completed += 1;
+    onProgress?.({
+      completed,
+      total: extraction.nodes.length,
+      packageName: node.name
+    });
+    return result;
+  });
+};
 var LOCKFILE_CANDIDATES = [
   { fileName: "pnpm-lock.yaml", kind: "pnpm" },
   { fileName: "package-lock.json", kind: "npm" },
@@ -545,6 +585,24 @@ var parseYarnLock = (raw, directSpecs) => {
 var parseBunLock = (_raw, _directSpecs) => {
   throw new Error("unsupported_lockfile_format");
 };
+var parseLockfileExtraction = (lockfileKind, lockfileRaw, directSpecs) => {
+  switch (lockfileKind) {
+    case "pnpm":
+      return parsePnpmLockfile(lockfileRaw, directSpecs);
+    case "npm":
+    case "npm-shrinkwrap":
+      return {
+        ...parsePackageLock(lockfileRaw, directSpecs),
+        kind: lockfileKind
+      };
+    case "yarn":
+      return parseYarnLock(lockfileRaw, directSpecs);
+    case "bun":
+      return parseBunLock(lockfileRaw, directSpecs);
+    default:
+      throw new Error("unsupported_lockfile_format");
+  }
+};
 var parseRetryAfterMs = (value) => {
   if (value === null) {
     return null;
@@ -977,77 +1035,31 @@ var resolveRegistryGraphFromDirectSpecs = async (directSpecs, options) => {
     truncated
   };
 };
-var withDefaults = (overrides) => ({
-  ...DEFAULT_EXTERNAL_ANALYSIS_CONFIG,
-  ...overrides
-});
-var parseExtraction = (lockfileKind, lockfileRaw, directSpecs) => {
-  switch (lockfileKind) {
-    case "pnpm":
-      return parsePnpmLockfile(lockfileRaw, directSpecs);
-    case "npm":
-    case "npm-shrinkwrap":
-      return {
-        ...parsePackageLock(lockfileRaw, directSpecs),
-        kind: lockfileKind
-      };
-    case "yarn":
-      return parseYarnLock(lockfileRaw, directSpecs);
-    case "bun":
-      return parseBunLock(lockfileRaw, directSpecs);
-    default:
-      throw new Error("unsupported_lockfile_format");
-  }
-};
-var mapWithConcurrency = async (values, limit, handler) => {
-  const effectiveLimit = Math.max(1, limit);
-  const workerCount = Math.min(effectiveLimit, values.length);
-  const results = new Array(values.length);
-  let index = 0;
-  const workers = Array.from({ length: workerCount }, async () => {
-    while (true) {
-      const current = index;
-      index += 1;
-      if (current >= values.length) {
-        return;
-      }
-      const value = values[current];
-      if (value !== void 0) {
-        results[current] = await handler(value);
-      }
-    }
-  });
-  await Promise.all(workers);
-  return results;
-};
-var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
-  const config = withDefaults(input.config);
-  const packageJson = loadPackageJson(input.repositoryPath);
+var prepareDependencyExtraction = async (repositoryPath) => {
+  const packageJson = loadPackageJson(repositoryPath);
   if (packageJson === null) {
     return {
-      targetPath: input.repositoryPath,
       available: false,
       reason: "package_json_not_found"
     };
   }
-  onProgress?.({ stage: "package_json_loaded" });
-  try {
-    const directSpecs = parsePackageJson(packageJson.raw);
-    const lockfile = selectLockfile(input.repositoryPath);
-    let extraction;
-    if (lockfile === null) {
-      const resolvedGraph = await resolveRegistryGraphFromDirectSpecs(directSpecs, {
-        maxNodes: 500,
-        maxDepth: 8
-      });
-      if (resolvedGraph.nodes.length === 0) {
-        return {
-          targetPath: input.repositoryPath,
-          available: false,
-          reason: "lockfile_not_found"
-        };
-      }
-      extraction = {
+  const directSpecs = parsePackageJson(packageJson.raw);
+  const lockfile = selectLockfile(repositoryPath);
+  if (lockfile === null) {
+    const resolvedGraph = await resolveRegistryGraphFromDirectSpecs(directSpecs, {
+      maxNodes: 500,
+      maxDepth: 8
+    });
+    if (resolvedGraph.nodes.length === 0) {
+      return {
+        available: false,
+        reason: "lockfile_not_found"
+      };
+    }
+    return {
+      available: true,
+      lockfileKind: "npm",
+      extraction: {
         kind: "npm",
         directDependencies: resolvedGraph.directDependencies.map((dependency) => ({
           name: dependency.name,
@@ -1055,46 +1067,61 @@ var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
           scope: dependency.scope
         })),
         nodes: resolvedGraph.nodes
+      }
+    };
+  }
+  return {
+    available: true,
+    lockfileKind: lockfile.kind,
+    extraction: parseLockfileExtraction(lockfile.kind, lockfile.raw, directSpecs)
+  };
+};
+var withDefaults = (overrides) => ({
+  ...DEFAULT_EXTERNAL_ANALYSIS_CONFIG,
+  ...overrides
+});
+var analyzeDependencyExposure = async (input, metadataProvider, onProgress) => {
+  const config = withDefaults(input.config);
+  try {
+    const prepared = await prepareDependencyExtraction(input.repositoryPath);
+    if (!prepared.available) {
+      return {
+        targetPath: input.repositoryPath,
+        available: false,
+        reason: prepared.reason
       };
-      onProgress?.({ stage: "lockfile_selected", kind: "npm" });
-    } else {
-      extraction = parseExtraction(lockfile.kind, lockfile.raw, directSpecs);
-      onProgress?.({ stage: "lockfile_selected", kind: lockfile.kind });
     }
-    const directNames = new Set(extraction.directDependencies.map((dependency) => dependency.name));
+    onProgress?.({ stage: "package_json_loaded" });
+    onProgress?.({ stage: "lockfile_selected", kind: prepared.lockfileKind });
+    const { extraction } = prepared;
     onProgress?.({
       stage: "lockfile_parsed",
       dependencyNodes: extraction.nodes.length,
       directDependencies: extraction.directDependencies.length
     });
     onProgress?.({ stage: "metadata_fetch_started", total: extraction.nodes.length });
-    let completed = 0;
-    const metadataEntries = await mapWithConcurrency(
-      extraction.nodes,
+    const metadataEntries = await collectDependencyMetadata(
+      extraction,
+      metadataProvider,
       config.metadataRequestConcurrency,
-      async (node) => {
-        const result = {
-          key: `${node.name}@${node.version}`,
-          metadata: await metadataProvider.getMetadata(node.name, node.version, {
-            directDependency: directNames.has(node.name)
-          })
-        };
-        completed += 1;
-        onProgress?.({
-          stage: "metadata_fetch_progress",
-          completed,
-          total: extraction.nodes.length,
-          packageName: node.name
-        });
-        return result;
-      }
+      (event) => onProgress?.({
+        stage: "metadata_fetch_progress",
+        completed: event.completed,
+        total: event.total,
+        packageName: event.packageName
+      })
     );
     onProgress?.({ stage: "metadata_fetch_completed", total: extraction.nodes.length });
     const metadataByKey = /* @__PURE__ */ new Map();
     for (const entry of metadataEntries) {
       metadataByKey.set(entry.key, entry.metadata);
     }
-    const summary = buildExternalAnalysisSummary(input.repositoryPath, extraction, metadataByKey, config);
+    const summary = buildExternalAnalysisSummary(
+      input.repositoryPath,
+      extraction,
+      metadataByKey,
+      config
+    );
     if (summary.available) {
       onProgress?.({
         stage: "summary_built",
@@ -5343,10 +5370,7 @@ program.command("analyze").argument("[path]", "path to the project to analyze").
     "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
   ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
 ).addOption(
-  new Option(
-    "--output <mode>",
-    "output mode: summary (default) or json (full analysis object)"
-  ).choices(["summary", "json"]).default("summary")
+  new Option("--output <mode>", "output mode: summary (default) or json (full analysis object)").choices(["summary", "json"]).default("summary")
 ).option("--json", "shortcut for --output json").action(
   async (path, options) => {
     const logger = createStderrLogger(options.logLevel);
@@ -5378,12 +5402,7 @@ program.command("explain").argument("[path]", "path to the project to analyze").
       top: Number.isFinite(top) ? top : 5,
       format: options.format
     };
-    const result = await runExplainCommand(
-      path,
-      options.authorIdentity,
-      explainOptions,
-      logger
-    );
+    const result = await runExplainCommand(path, options.authorIdentity, explainOptions, logger);
     process.stdout.write(`${formatExplainOutput(result, options.format)}
 `);
   }
@@ -5394,10 +5413,7 @@ program.command("dependency-risk").argument("<dependency>", "dependency spec to
     "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
   ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
 ).addOption(
-  new Option(
-    "--output <mode>",
-    "output mode: summary (default) or json (full analysis object)"
-  ).choices(["summary", "json"]).default("summary")
+  new Option("--output <mode>", "output mode: summary (default) or json (full analysis object)").choices(["summary", "json"]).default("summary")
 ).option("--json", "shortcut for --output json").option("--max-nodes <count>", "maximum dependency nodes to resolve", "250").option("--max-depth <count>", "maximum dependency depth to traverse", "6").action(
   async (dependency, options) => {
     const logger = createStderrLogger(options.logLevel);
@@ -5432,7 +5448,7 @@ program.command("report").argument("[path]", "path to the project to analyze").a
     "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
   ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
 ).addOption(
-  new Option("--format <mode>", "output format: text, json, md").choices(["text", "json", "md"]).default("text")
+  new Option("--format <mode>", "output format: text, json, md").choices(["text", "json", "md"]).default("md")
 ).option("--output <path>", "write rendered report to a file path").option("--compare <baseline>", "compare against a baseline snapshot JSON file").option("--snapshot <path>", "write current snapshot JSON artifact").option("--no-trace", "disable trace embedding in generated snapshot").action(
   async (path, options) => {
     const logger = createStderrLogger(options.logLevel);
@@ -5505,7 +5521,11 @@ program.command("check").argument("[path]", "path to the project to analyze").ad
     "--log-level <level>",
     "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
   ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
-).option("--compare <baseline>", "baseline snapshot path").option("--max-repo-delta <value>", "maximum allowed normalized repository score increase").option("--no-new-cycles", "fail if new structural cycles are introduced").option("--no-new-high-risk-deps", "fail if new high-risk direct dependencies are introduced").option("--max-new-hotspots <count>", "maximum allowed number of new hotspots").option("--new-hotspot-score-threshold <score>", "minimum hotspot score to count as new hotspot").option("--max-repo-score <score>", "absolute repository score limit (0..100)").addOption(new Option("--fail-on <level>", "failing severity threshold").choices(["error", "warn"]).default("error")).addOption(new Option("--format <mode>", "output format: text, json, md").choices(["text", "json", "md"]).default("text")).option("--output <path>", "write check output to a file path").option("--no-trace", "disable trace embedding in generated snapshot").action(
+).option("--compare <baseline>", "baseline snapshot path").option("--max-repo-delta <value>", "maximum allowed normalized repository score increase").option("--no-new-cycles", "fail if new structural cycles are introduced").option("--no-new-high-risk-deps", "fail if new high-risk direct dependencies are introduced").option("--max-new-hotspots <count>", "maximum allowed number of new hotspots").option("--new-hotspot-score-threshold <score>", "minimum hotspot score to count as new hotspot").option("--max-repo-score <score>", "absolute repository score limit (0..100)").addOption(
+  new Option("--fail-on <level>", "failing severity threshold").choices(["error", "warn"]).default("error")
+).addOption(
+  new Option("--format <mode>", "output format: text, json, md").choices(["text", "json", "md"]).default("text")
+).option("--output <path>", "write check output to a file path").option("--no-trace", "disable trace embedding in generated snapshot").action(
   async (path, options) => {
     const logger = createStderrLogger(options.logLevel);
     try {
@@ -5548,7 +5568,13 @@ program.command("ci").argument("[path]", "path to the project to analyze").addOp
     "--log-level <level>",
     "log verbosity: silent, error, warn, info, debug (logs are written to stderr)"
   ).choices(["silent", "error", "warn", "info", "debug"]).default(parseLogLevel(process.env["CODESENTINEL_LOG_LEVEL"]))
-).option("--baseline <path>", "baseline snapshot path").option("--baseline-ref <gitRef>", "resolve baseline snapshot from a git reference (for example origin/main)").option("--baseline-sha <sha>", "explicit baseline commit SHA (only valid with --baseline-ref auto)").addOption(
+).option("--baseline <path>", "baseline snapshot path").option(
+  "--baseline-ref <gitRef>",
+  "resolve baseline snapshot from a git reference (for example origin/main)"
+).option(
+  "--baseline-sha <sha>",
+  "explicit baseline commit SHA (only valid with --baseline-ref auto)"
+).addOption(
   new Option(
     "--main-branch <name>",
     "add a default branch candidate for auto baseline resolution (repeatable)"
@@ -5556,7 +5582,9 @@ program.command("ci").argument("[path]", "path to the project to analyze").addOp
 ).option(
   "--main-branches <names>",
   "comma-separated default branch candidates for auto baseline resolution (for example: main,master)"
-).option("--snapshot <path>", "write current snapshot JSON to path").option("--report <path>", "write markdown CI summary report").option("--json-output <path>", "write machine-readable CI JSON output").option("--max-repo-delta <value>", "maximum allowed normalized repository score increase").option("--no-new-cycles", "fail if new structural cycles are introduced").option("--no-new-high-risk-deps", "fail if new high-risk direct dependencies are introduced").option("--max-new-hotspots <count>", "maximum allowed number of new hotspots").option("--new-hotspot-score-threshold <score>", "minimum hotspot score to count as new hotspot").option("--max-repo-score <score>", "absolute repository score limit (0..100)").addOption(new Option("--fail-on <level>", "failing severity threshold").choices(["error", "warn"]).default("error")).option("--no-trace", "disable trace embedding in generated snapshot").action(
+).option("--snapshot <path>", "write current snapshot JSON to path").option("--report <path>", "write markdown CI summary report").option("--json-output <path>", "write machine-readable CI JSON output").option("--max-repo-delta <value>", "maximum allowed normalized repository score increase").option("--no-new-cycles", "fail if new structural cycles are introduced").option("--no-new-high-risk-deps", "fail if new high-risk direct dependencies are introduced").option("--max-new-hotspots <count>", "maximum allowed number of new hotspots").option("--new-hotspot-score-threshold <score>", "minimum hotspot score to count as new hotspot").option("--max-repo-score <score>", "absolute repository score limit (0..100)").addOption(
+  new Option("--fail-on <level>", "failing severity threshold").choices(["error", "warn"]).default("error")
+).option("--no-trace", "disable trace embedding in generated snapshot").action(
   async (path, options) => {
     const logger = createStderrLogger(options.logLevel);
     try {