npm - @mneme-ai/xray - Versions diffs - 2.173.0 → 2.175.0 - Mend

@mneme-ai/xray 2.173.0 → 2.175.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mneme-ai/xray",
-  "version": "2.173.0",
+  "version": "2.175.0",
   "description": "Mneme Repo X-Ray — a signed, raw-free, deterministic X-Ray of any repo. Every number is reproducible from git/AST/metadata and sealed with an offline-verifiable NOTARY receipt. No source code ever leaves the machine; no LLM guesses anything.",
   "type": "module",
   "main": "./dist/index.js",
@@ -47,7 +47,7 @@
     "mneme"
   ],
   "dependencies": {
-    "@mneme-ai/core": "2.173.0",
+    "@mneme-ai/core": "2.175.0",
     "@resvg/resvg-js": "^2.6.2"
   },
   "engines": {

package/public/card.js CHANGED Viewed

@@ -52,12 +52,58 @@
     return A;
   }
+  // VERDICT — turn the accurate metrics into a DECISION a human can act on:
+  // "should I trust / adopt / inherit this repo, and what do I do about it?"
+  // Every line is derived 100% from a signed metric (no new data, no AI guess).
+  function synthesizeVerdict(r) {
+    const num = (x) => (Number.isFinite(Number(x)) ? Number(x) : 0);
+    const dep = r.deps || {}, sec = r.secrets || {}, bf = r.busFactor || {}, age = r.age || {}, cx = r.complexity || {}, su = r.security || {}, hs = r.hotspots || {};
+    const dying = num((dep.byBand || {}).dead) + num((dep.byBand || {}).moribund);
+    const copyleft = num((dep.licenses || {})["strong-copyleft"]) + num((dep.licenses || {})["weak-copyleft"]);
+    const secrets = num(sec.totalFindings), destructive = (su.destructive || []).length;
+    const soloPct = num(bf.singleOwnerFilePct), topShare = num(bf.topContributorShare), busF = num(bf.busFactor);
+    const symbols = num(cx.totalSymbols), codeFiles = num(cx.filesAnalysed);
+    const isDocs = symbols < 30 && (codeFiles === 0 || symbols / Math.max(1, codeFiles) < 1.5);
+    const kind = isDocs ? "Docs / content repo" : "Code project";
+    // the takeaways — what it means + what to DO, severity-ranked, action-first
+    const T = [];
+    if (sec.worstVerdict === "BLOCK" && secrets > 0) T.push({ t: "bad", x: `🔴 ${secrets} live secret${secrets > 1 ? "s" : ""} in production code — rotate them now and add a pre-commit secret scan${sec.hits && sec.hits[0] ? ` (e.g. ${esc(sec.hits[0].file)}:${sec.hits[0].line})` : ""}.` });
+    else if (secrets > 0) T.push({ t: "warn", x: `🟠 ${secrets} credential-pattern match${secrets > 1 ? "es" : ""} to review in production code.` });
+    if (destructive > 0) T.push({ t: "bad", x: `🔴 ${destructive} destructive command${destructive > 1 ? "s" : ""} in build/CI (${esc((su.destructive[0] || {}).where || "ci")}) — audit before trusting this pipeline.` });
+    else if (num(su.injectionFindings) > 0) T.push({ t: "warn", x: `🟠 ${num(su.injectionFindings)} possible prompt-injection in docs — sanitize before feeding to an AI.` });
+    if (dying > 0) { const a = (dep.atRisk || [])[0]; T.push({ t: "warn", x: `🟠 ${dying} dependency${dying > 1 ? "ies" : "y"} dying/abandoned — plan a migration${a && a.successor ? ` (e.g. ${esc(a.name)} → ${esc(a.successor)})` : ""}.` }); }
+    if (copyleft > 0) T.push({ t: "warn", x: `🟠 ${copyleft} dependency${copyleft > 1 ? "ies" : "y"} with copyleft/unknown license — check before commercial use.` });
+    if (age.vitality === "archived" || age.dormant) T.push({ t: "warn", x: `🟠 No recent activity (${esc(age.vitality || "stalled")}) — may be unmaintained; pin a version if you depend on it.` });
+    else if (age.vitality === "active") T.push({ t: "ok", x: `✅ Actively maintained — ${num(age.totalCommits).toLocaleString()} commits over ${esc(age.lifespan || "its life")}, ${num(age.totalAuthors)} contributors. Low abandonment risk.` });
+    if (busF <= 1 && num(bf.authors) > 0) T.push({ t: "warn", x: `🟠 Key-person risk: one author owns ${topShare}% of commits${soloPct ? ` and ${soloPct}% of files have a single owner` : ""}. If they leave, those areas stall — spread reviews + document.` });
+    else if (soloPct >= 40) { const ff = (bf.fragileFiles || []).slice(0, 3).map((x) => esc(x.file)).join(", "); T.push({ t: "warn", x: `🟠 ${soloPct}% of files have a single owner — pair-review the fragile ones${ff ? `: ${ff}` : ""}.` }); }
+    if (secrets === 0 && destructive === 0 && dying === 0 && copyleft === 0) T.push({ t: "ok", x: `✅ Clean to adopt — no leaked secrets, no dying/risky-licensed deps, no destructive CI.` });
+    if ((hs.hotspots || [])[0] && !isDocs) { const h = hs.hotspots[0]; T.push({ t: "info", x: `ℹ️ If you change one thing first, it's <b>${esc(h.file)}</b> (highest churn×size)${h.expert ? ` — ${esc(h.expert)} knows it best` : ""}.` }); }
+    // the headline DECISION (worst-signal-wins)
+    const hasRed = secrets > 0 || destructive > 0;
+    const stale = age.vitality === "archived" || age.dormant;
+    const keyrisk = busF <= 1 || soloPct >= 60;
+    let tone, head;
+    if (hasRed) { tone = "bad"; head = "⚠️ Exposed risk — fix the red items before you trust this repo"; }
+    else if (stale) { tone = "warn"; head = "🪦 Looks unmaintained — risky to depend on without pinning"; }
+    else if (dying > 0) { tone = "warn"; head = "Adopt with care — aging dependencies need a migration plan"; }
+    else if (keyrisk) { tone = "warn"; head = "✅ Maintained — but ⚠️ concentrated in one person (key-person risk)"; }
+    else if (age.vitality === "active") { tone = "ok"; head = `✅ Healthy & actively maintained — safe to build on`; }
+    else { tone = "neutral"; head = `Reviewed — ${T.length} thing${T.length === 1 ? "" : "s"} to know below`; }
+    const top = T.slice(0, 5);
+    return { tone, head, kind, takeaways: top };
+  }
   function xrayCardHTML(signed, opts) {
     opts = opts || {};
     const r = signed.report, s = r.summary;
     const dep = r.deps, sec = r.secrets, bf = r.busFactor, age = r.age, cx = r.complexity;
     const verified = signed.receipt ? '<span class="verified"><span class="dot"></span>Ed25519 — verifies offline</span>' : "unsigned";
     const tri = triageOf(r);
+    const vd = synthesizeVerdict(r);
     const depChips = (dep.atRisk || []).slice(0, 6).map((d) =>
       `<span class="chip ${d.band === "dead" ? "bad" : "warn"}">${esc(d.name)} · ${d.band}${d.successor ? ` → ${esc(d.successor)}` : ""}</span>`).join("") || `<span class="chip">none dying</span>`;
@@ -86,6 +132,11 @@
           ${r.subject.kind === "git-url" ? `<a class="repourl" href="${esc(r.subject.ref)}" target="_blank" rel="noopener">${esc(r.subject.ref)} ↗</a>` : `<div class="repourl">${esc(r.subject.ref)}</div>`}
           <div class="head">${esc(s.headline)} · ${s.signalsRun} signals · @ ${esc(String(r.subject.commitHash).slice(0, 10))}</div></div>
       </div>
+      <div class="verdict v-${vd.tone}">
+        <div class="vhead">${esc(vd.head)}</div>
+        <div class="vkind">${esc(vd.kind)} · what this means for you ↓</div>
+        <ul class="vlist">${vd.takeaways.map((t) => `<li class="vt-${t.t}">${t.x}</li>`).join("")}</ul>
+      </div>
       <div class="membrane">
         <div class="mp"><span class="mpk">① CAPABILITY</span><span class="mpv">${s.signalsRun} deterministic signals · ${(sec.filesScanned || 0).toLocaleString()} files scanned</span></div>
         <div class="mp"><span class="mpk">② ATTENTION</span><span class="mpv">${tri.length ? `${tri.length} signal(s) need attention` : `all signals clear`}</span></div>

package/public/index.html CHANGED Viewed

@@ -70,6 +70,15 @@
   .top .repourl{display:inline-block;font-size:12.5px;color:var(--a);text-decoration:none;margin-top:3px;word-break:break-all;font-family:ui-monospace,Menlo,monospace}
   .top .repourl:hover{text-decoration:underline}
   .top .head{color:var(--sub);font-size:14px;margin-top:4px}
+  .verdict{padding:18px 30px;border-bottom:1px solid #eef0f2}
+  .verdict .vhead{font-size:17px;font-weight:680;letter-spacing:-.01em;line-height:1.3;color:#0b0b0f}
+  .verdict .vkind{font-size:12px;color:#8b8f98;margin:3px 0 12px;font-weight:560}
+  .verdict .vlist{margin:0;padding:0;list-style:none;display:flex;flex-direction:column;gap:8px}
+  .verdict .vlist li{font-size:13.5px;line-height:1.5;color:#33333b}
+  .v-bad{background:#fff5f6} .v-bad .vhead{color:#be123c}
+  .v-warn{background:#fffaf0} .v-warn .vhead{color:#b45309}
+  .v-ok{background:#f0fdf4} .v-ok .vhead{color:#15803d}
+  .v-neutral{background:#fafafb}
   .trustbar{display:flex;align-items:center;gap:14px;padding:13px 30px;background:#f0fdf4;border-bottom:1px solid #dcfce7;flex-wrap:wrap}
   .hgauge{display:inline-flex;align-items:center;gap:8px;font-weight:680;color:#15803d;font-size:14px;white-space:nowrap}
   .hdot{width:10px;height:10px;border-radius:50%;background:#16a34a;box-shadow:0 0 0 4px rgba(22,163,74,.16)}
@@ -146,6 +155,10 @@
   .listfoot{display:flex;justify-content:space-between;align-items:center;padding:14px 4px 0;font-size:13px}
   .moreb{height:38px;padding:0 18px;border:1px solid var(--line);background:#fff;border-radius:10px;cursor:pointer;font-size:13px;font-weight:540;transition:border-color .15s}
   .moreb:hover{border-color:var(--ink)}
+  .pagenav{display:inline-flex;gap:8px}
+  .pagenav .moreb{background:var(--ink);color:#fff;border-color:var(--ink)}
+  .pagenav .moreb:hover{opacity:.88}
+  .pagenav .moreb:disabled{background:#fff;color:#c8ccd2;border-color:var(--line);opacity:1;cursor:not-allowed}
   /* share + buttons */
   .share{display:flex;flex-wrap:wrap;align-items:center;gap:10px;padding:18px 30px;border-top:1px solid var(--line2)}
   .badgeimg{height:20px}
@@ -182,7 +195,9 @@
   .bridgebox{margin-top:14px;border-top:1px solid var(--line);padding-top:12px}
   .bridgebox summary{cursor:pointer;font-size:12.5px;color:var(--a);font-weight:560;list-style:none}
   .lscard{margin-top:12px;border:1px solid var(--line);border-radius:12px;background:#fff;padding:14px 16px;text-align:left}
-  .lscard .lsh{font-size:14px;color:var(--ink);margin-bottom:8px}
+  .lscard .lstop{display:flex;align-items:center;gap:14px;margin-bottom:8px}
+  .lscard .lsgrade{width:46px;height:46px;border-radius:12px;display:flex;align-items:center;justify-content:center;font-size:23px;font-weight:700;color:#fff;flex-shrink:0;letter-spacing:-.02em}
+  .lscard .lsh{font-size:15px;color:var(--ink)}
   .lscard .lsrow{display:flex;gap:12px;padding:7px 0;border-top:1px solid var(--line2);font-size:13px}
   .lscard .lsk{width:110px;color:var(--sub);font-weight:560;flex-shrink:0}
   .lscard .lsv{color:var(--ink2)} .lscard .lsv.bad{color:var(--red)} .lscard .lsv.ok{color:var(--green)}
@@ -190,19 +205,24 @@
   .lscard .lsok{margin:6px 0;font-size:12.5px;color:var(--green)}
   .lscard .pill{display:inline-block;font-size:11px;background:var(--soft);border:1px solid var(--line);border-radius:20px;padding:1px 8px;color:var(--ink2)}
   .lscard .lsnote{margin-top:10px;font-size:11.5px;color:var(--sub);line-height:1.5;border-top:1px solid var(--line2);padding-top:9px}
-  /* SHOWCASE — selling points + grand graphic at the bottom */
-  .showcase{max-width:980px;margin:64px auto 0;text-align:center;padding:0 20px}
-  .showcase .sctitle{font-size:30px;font-weight:700;letter-spacing:-.02em;color:var(--ink);margin:0 0 10px;line-height:1.2}
+  /* SHOWCASE — selling points; the graphic sits to the SIDE (grid areas, no markup move) */
+  .showcase{max-width:1060px;margin:64px auto 0;padding:0 20px;text-align:left;
+    display:grid;column-gap:36px;row-gap:10px;align-items:start;align-content:start;
+    grid-template-columns:1fr 380px;grid-template-areas:"title art" "sub art" "cards cards"}
+  .showcase .sctitle{grid-area:title;font-size:30px;font-weight:700;letter-spacing:-.02em;color:var(--ink);margin:0;line-height:1.2}
   .showcase .sctitle .hl{color:var(--a)}
-  .showcase .scsub{font-size:15px;color:var(--sub);max-width:640px;margin:0 auto 30px;line-height:1.6}
-  .showcase .sc3{display:grid;grid-template-columns:repeat(3,1fr);gap:16px;text-align:left}
-  @media(max-width:760px){.showcase .sc3{grid-template-columns:1fr}}
+  .showcase .scsub{grid-area:sub;font-size:15px;color:var(--sub);margin:0;line-height:1.6}
+  .showcase .bigart{grid-area:art;display:flex;justify-content:center;align-self:center;opacity:.95}
+  .showcase .sc3{grid-area:cards;display:grid;grid-template-columns:repeat(3,1fr);gap:16px;margin-top:14px}
   .showcase .sccard{background:var(--soft);border:1px solid var(--line);border-radius:16px;padding:20px}
   .showcase .scico{font-size:26px;margin-bottom:8px}
   .showcase .sccard b{display:block;font-size:15px;color:var(--ink);margin-bottom:6px}
   .showcase .sccard span{font-size:13px;color:var(--sub);line-height:1.55}
-  .showcase .bigart{margin-top:8px;display:flex;justify-content:center;opacity:.92}
-  @media(max-width:760px){.showcase .bigart svg{width:300px;height:auto}}
+  @media(max-width:820px){
+    .showcase{grid-template-columns:1fr;grid-template-areas:"title" "sub" "art" "cards"}
+    .showcase .sc3{grid-template-columns:1fr}
+    .showcase .bigart svg{width:300px;height:auto}
+  }
   .picker{display:none;margin-top:12px;border:1px solid var(--line);border-radius:10px;background:#fff;overflow:hidden}
   .picker.on{display:block}
   .pkbar{display:flex;align-items:center;gap:8px;padding:10px 12px;border-bottom:1px solid var(--line2);font-size:12.5px}
@@ -434,12 +454,7 @@ function mountTracking(r){
   const gitUrl = r.subject.ref;
   panel.style.display="block";
   panel.innerHTML = `<div class="thead"><span class="ticon">🛰</span><b>Live tracking</b><span class="tnew">new</span></div>
-  <div class="thelp">Turn this one-shot X-Ray into an <b>AI Auditor for your team</b>. Pick a branch and press Track live — when you, a teammate, or an AI pushes, this report <b>re-scans itself</b> and shows what changed. No re-click.</div>
-  <div class="tfeat">
-    <div class="tf"><b>🛡 AI Code Drift</b><span>a new pushed secret, a destructive CI command, a grade drop — flagged the moment it lands</span></div>
-    <div class="tf"><b>🔁 Continuous audit</b><span>re-checked on every push (or every 30s) — 24/7, no one has to click</span></div>
-    <div class="tf"><b>🕰 Time-Machine</b><span>a timeline of how code-health drifted, commit by commit</span></div>
-  </div>
+  <div class="thelp">Pick a branch and press <b>Track live</b> — when you, a teammate, or an AI pushes, this report <b>re-scans itself</b> and shows what changed. No re-click. <span class="muted">(What you get → see “AI Auditor for your team” below.)</span></div>
   <div class="trow">
     <span class="tlabel">Branch</span>
     <select id="tbranch"><option value="">loading branches…</option></select>
@@ -461,12 +476,13 @@ function mountTracking(r){
   const toggle=document.getElementById("ttoggle");
   const stateEl=()=>document.getElementById("tstate");
   const noteEl=()=>document.getElementById("tnote");
-  function stop(){ if(es){es.close();es=null;} toggle.className="tbtn off"; toggle.textContent="● Track live"; stateEl().textContent="stopped"; const n=noteEl(); if(n) n.style.display="none"; }
+  function stop(){ if(es){es.close();es=null;} toggle.className="tbtn off"; toggle.textContent="● Track live"; stateEl().textContent="stopped"; const n=noteEl(); if(n) n.style.display="none"; const sel=document.getElementById("tbranch"); if(sel) sel.disabled=false; }
   function showDrift(d){ const el=document.getElementById("tdrift"); if(!el||!d) return; el.className="drift "+d.drift; el.style.display="block"; el.textContent=((d.highlights&&d.highlights[0])||("changed → grade "+d.gradeTo))+"  ·  just now"; }
   function pushTL(d){ history.push(d); const el=document.getElementById("ttl"); if(!el) return; el.innerHTML='<span class="tlabel">Timeline</span> '+history.slice(-14).map(h=>{const c=h.drift==="degraded"?"deg":h.drift==="improved"?"imp":""; return '<span class="pill '+c+'">'+esc(h.gradeTo)+(h.newSecretLeaks>0?" 🔴":"")+'</span>';}).join(" "); }
   function startSSE(id, branch){
     es=new EventSource("/api/track/"+id+"/stream");
     toggle.className="tbtn stop"; toggle.textContent="Stop"; toggle.disabled=false;
+    const sel=document.getElementById("tbranch"); if(sel) sel.disabled=true; // lock branch while LIVE
     stateEl().innerHTML='<span class="live"><span class="dot"></span>LIVE · '+esc(branch||"default")+'</span>';
     const n=noteEl(); if(n){ n.style.display="block"; n.innerHTML='✓ <b>Now monitoring '+esc(branch||"the default branch")+'.</b> Leave this tab open to watch changes appear here live. The monitor keeps running on the server even if you close the tab — come back and X-Ray this same repo to reconnect. <span class="muted">Switching repo or branch starts a separate monitor; a refresh reconnects this view.</span>'; }
     es.addEventListener("update", ev=>{ try{ const p=JSON.parse(ev.data); renderCard(p.signed); showDrift(p.delta); pushTL(p.delta);}catch{} });
@@ -548,7 +564,7 @@ document.getElementById("savekey").addEventListener("click", ()=>{
 });
 let tab="board", offset=0, loaded=[];
-const PAGE=20;
+const PAGE=5;
 function fmtDate(s){ if(!s) return "—"; const d=new Date(s); return isNaN(d)?"—":d.toLocaleDateString(undefined,{year:"numeric",month:"short",day:"numeric"}); }
 function rowHTML(b){
   const lock = b.visibility==="private" ? '<span class="lock" title="private — only you can open this">🔒</span>' : "";
@@ -578,16 +594,18 @@ async function loadList(reset=true){
   }
   try{
     const data=await fetchPage(offset);
-    loaded=loaded.concat(data.items||[]);
-    if(loaded.length===0){
-      el.innerHTML=`<div class="bitem muted">${tab==="mine"?"Nothing here yet — run an <b>X-Ray</b> or <b>📦 AI Pack</b> above and it appears here automatically. (Private folder? use the local Browse panel.)":"No reports yet — be the first."}</div>`;
+    const items=data.items||[];
+    if((data.total||0)===0){
+      el.innerHTML=`<div class="bitem muted">${tab==="mine"?"Nothing here yet — run an <b>X-Ray</b> or <b>📦 AI Pack</b> above and it appears here automatically. (Private folder? use the Choose-a-folder panel.)":"No reports yet — be the first."}</div>`;
       return;
     }
-    const more = (data.offset+data.limit) < data.total;
-    el.innerHTML = `<div class="listbox">${loaded.map(rowHTML).join("")}</div>`
-      + `<div class="listfoot"><span class="muted">${loaded.length} of ${data.total} repos</span>${more?'<button class="moreb" id="moreb">Load more</button>':""}</div>`;
+    const start=data.offset+1, end=data.offset+items.length;
+    const hasPrev=data.offset>0, hasNext=(data.offset+data.limit)<data.total;
+    el.innerHTML = `<div class="listbox">${items.map(rowHTML).join("")}</div>`
+      + `<div class="listfoot"><span class="muted">${start}–${end} of ${data.total} repos</span><span class="pagenav"><button class="moreb" id="prevb"${hasPrev?"":" disabled"}>← Prev</button><button class="moreb" id="nextb"${hasNext?"":" disabled"}>Next →</button></span></div>`;
     el.querySelectorAll(".bitem[data-fp]").forEach(n=>n.addEventListener("click",()=>openReport(n.dataset.fp, n.dataset.priv==="1")));
-    const mb=document.getElementById("moreb"); if(mb) mb.addEventListener("click",()=>{ offset+=PAGE; loadList(false); });
+    const pb=document.getElementById("prevb"); if(pb&&hasPrev) pb.addEventListener("click",()=>{ offset=Math.max(0,offset-PAGE); loadList(false); window.scrollTo({top:document.getElementById("board").offsetTop-80,behavior:"smooth"}); });
+    const nb=document.getElementById("nextb"); if(nb&&hasNext) nb.addEventListener("click",()=>{ offset+=PAGE; loadList(false); window.scrollTo({top:document.getElementById("board").offsetTop-80,behavior:"smooth"}); });
   }catch{ el.innerHTML='<div class="bitem muted">Could not load.</div>'; }
 }
 async function openReport(fp, isPrivate){
@@ -648,14 +666,21 @@ function renderLocalScan(r){
   const s=r.summary, out=document.getElementById("localout"); if(!out) return;
   const sec=s.secrets, secCls=sec.totalFindings>0?"bad":"ok";
   const langs=s.langs.map(([e,n])=>`<span class="pill">${esc(e)} ${n}</span>`).join(" ");
+  const g=s.git, vit = !g.has ? "" : (s.dormantDays>365?"dormant":s.dormantDays>120?"slowing":"active");
+  const gitRows = g.has ? `
+    <div class="lsrow"><span class="lsk">Bus factor</span><span class="lsv ${g.authors===1?"bad":""}"><b>${g.authors}</b> author${g.authors===1?" — single point of failure":"s"} · top author ${Math.round(g.topShare*100)}% of ${g.commits} commits</span></div>
+    <div class="lsrow"><span class="lsk">Vitality</span><span class="lsv ${vit==="dormant"?"bad":""}"><b>${vit}</b> · ${s.ageDays}d span · last activity ${s.dormantDays}d ago</span></div>`
+    : `<div class="lsrow"><span class="lsk">Git history</span><span class="lsv muted">— no .git reflog in this folder (bus factor / vitality unavailable)</span></div>`;
   out.innerHTML=`<div class="lscard">
-    <div class="lsh"><b>📂 ${esc(r.folder)}</b> <span class="muted">— scanned in your browser · ${r.files} files · nothing uploaded</span></div>
+    <div class="lstop"><div class="lsgrade g-${("ABCDEF".includes(s.grade)?s.grade:"C")}">${esc(s.grade)}</div>
+      <div><div class="lsh"><b>📂 ${esc(r.folder)}</b></div><div class="muted" style="font-size:12px">scanned in your browser · ${r.files} files · nothing uploaded</div></div></div>
     <div class="lsrow"><span class="lsk">Secrets</span><span class="lsv ${secCls}"><b>${sec.totalFindings}</b> in production code${sec.excludedTestHits?` · ${sec.excludedTestHits} in tests (excluded)`:""}</span></div>
     ${sec.hits.length?`<div class="lshits">${sec.hits.slice(0,6).map(h=>`<div>🔴 ${esc(h.kind)} — ${esc(h.file)}:${h.line}</div>`).join("")}</div>`:`<div class="lsok">✓ no leaked credentials in production code</div>`}
+    ${gitRows}
     <div class="lsrow"><span class="lsk">Dependencies</span><span class="lsv"><b>${s.deps.total}</b> total · ${s.deps.deps} deps · ${s.deps.devDeps} dev</span></div>
-    <div class="lsrow"><span class="lsk">Size</span><span class="lsv"><b>${s.filesScanned}</b> source files · ${s.loc.toLocaleString()} lines</span></div>
+    <div class="lsrow"><span class="lsk">Complexity</span><span class="lsv"><b>${(s.symbols||0).toLocaleString()}</b> symbols · ${s.filesScanned} files · ${s.loc.toLocaleString()} lines</span></div>
     <div class="lsrow"><span class="lsk">Languages</span><span class="lsv">${langs||"—"}</span></div>
-    <div class="lsnote">Quick local scan — secrets · dependencies · size, computed <b>in your browser</b> (unsigned, no upload). The full <b>signed</b> report with git history, bus factor &amp; vitality needs a public URL above or the bridge.</div>
+    <div class="lsnote">Computed <b>in your browser</b> (unsigned, nothing uploaded). Secrets · dependencies · complexity from your files; bus factor &amp; vitality from <code>.git</code> reflog. The full <b>signed</b> report (dep mortality, hotspots, coupling) needs a public URL above or the bridge.</div>
   </div>`;
 }
 const pick=document.getElementById("pickfolder");

package/public/local-scan.js CHANGED Viewed

@@ -51,10 +51,44 @@
     } catch { return { total: 0, deps: 0, devDeps: 0, names: [] }; }
   }
-  /** Compose a deterministic local report from already-read files. Pure. */
-  function summarize(files) {
+  // structural complexity — count declared symbols (deterministic, regex-based)
+  const SYMBOL_RE = /\b(function\s+\w+|class\s+\w+|interface\s+\w+|def\s+\w+|func\s+\w+|fn\s+\w+|export\s+(?:const|function|class|default)|=>\s*[{(])/g;
+  function countSymbols(text) { const m = String(text).match(SYMBOL_RE); return m ? m.length : 0; }
+  // REAL git signals from .git/logs/HEAD (the reflog — plain text the browser can read).
+  // Each line: <old> <new> <Name> <email> <unixTs> <tz>\t<message>. Honest: this is
+  // HEAD-movement history (commits/resets/merges), a sound approximation of authorship
+  // + activity window without running git or parsing packfiles.
+  function parseGitLog(text) {
+    const authors = {}; let commits = 0, firstTs = 0, lastTs = 0;
+    for (const line of String(text || "").split("\n")) {
+      const m = line.match(/^[0-9a-f]+\s+[0-9a-f]+\s+(.+?)\s+<[^>]*>\s+(\d+)\s/);
+      if (!m) continue;
+      commits++;
+      authors[m[1]] = (authors[m[1]] || 0) + 1;
+      const ts = parseInt(m[2], 10) * 1000;
+      if (!firstTs || ts < firstTs) firstTs = ts;
+      if (ts > lastTs) lastTs = ts;
+    }
+    const names = Object.keys(authors);
+    const top = names.length ? Math.max(...names.map((n) => authors[n])) : 0;
+    return { commits, authors: names.length, topShare: commits ? top / commits : 0, firstTs, lastTs, has: commits > 0 };
+  }
+  const GRADES = ["A", "B", "C", "D", "F"];
+  /** A deterministic grade from the signals available IN-BROWSER. Honest: lighter
+   *  than the full server grade (no dep-mortality / hotspots), but real. */
+  function gradeLocal(s) {
+    let pen = 0;
+    if (s.secrets.totalFindings > 0) pen += s.secrets.totalFindings >= 3 ? 4 : s.secrets.totalFindings >= 1 ? 3 : 0; // a leaked secret is severe
+    if (s.git.has) { if (s.git.authors === 1) pen += 1; if (s.git.topShare > 0.8) pen += 1; if (s.ageDays > 0 && s.dormantDays > 365) pen += 1; }
+    return GRADES[Math.min(pen, 4)];
+  }
+  /** Compose a deterministic local report from already-read files + .git reflog. Pure. */
+  function summarize(files, gitLog, nowMs) {
     // files: [{ rel, text }]
-    let loc = 0, scanned = 0, testHits = 0;
+    let loc = 0, scanned = 0, testHits = 0, symbols = 0;
     const prodHits = [];
     const langs = {};
     let deps = { total: 0, deps: 0, devDeps: 0, names: [] };
@@ -64,18 +98,25 @@
       if (!TEXT_EXT.test(f.rel)) continue;
       scanned++;
       loc += f.text.split("\n").length;
+      symbols += countSymbols(f.text);
       const ext = (f.rel.match(/\.([a-z0-9]+)$/i) || [, "?"])[1].toLowerCase();
       langs[ext] = (langs[ext] || 0) + 1;
       for (const h of scanSecretsText(f.text, f.rel)) { if (h.isTest) testHits++; else prodHits.push(h); }
     }
-    return {
-      filesScanned: scanned, loc, deps,
+    const git = parseGitLog(gitLog);
+    const now = nowMs || (git.lastTs || 0);
+    const ageDays = git.has && git.firstTs ? Math.max(0, Math.round((git.lastTs - git.firstTs) / 86400000)) : 0;
+    const dormantDays = git.has && git.lastTs && now ? Math.max(0, Math.round((now - git.lastTs) / 86400000)) : 0;
+    const s = {
+      filesScanned: scanned, loc, symbols, deps, git, ageDays, dormantDays,
       secrets: { totalFindings: prodHits.length, excludedTestHits: testHits, hits: prodHits.slice(0, 20) },
       langs: Object.entries(langs).sort((a, b) => b[1] - a[1]).slice(0, 8),
     };
+    s.grade = gradeLocal(s);
+    return s;
   }
-  g.MnemeLocalScan = { scanSecretsText, parseDeps, summarize, _patterns: SECRET_PATTERNS };
+  g.MnemeLocalScan = { scanSecretsText, parseDeps, countSymbols, parseGitLog, gradeLocal, summarize, _patterns: SECRET_PATTERNS };
   // ── File System Access glue (browser-only; needs a user gesture + HTTPS) ────
   g.MnemeLocalScan.supported = typeof g.showDirectoryPicker === "function";
@@ -99,6 +140,14 @@
     const dir = await g.showDirectoryPicker(); // native picker — user grants ONE folder
     const files = [];
     await readDir(dir, "", files, cap);
-    return { folder: dir.name || "folder", files: files.length, summary: summarize(files) };
+    // REAL git signals: read .git/logs/HEAD (plain text) for authors / commits / age
+    let gitLog = "";
+    try {
+      const gitDir = await dir.getDirectoryHandle(".git");
+      const logsDir = await gitDir.getDirectoryHandle("logs");
+      const headFile = await logsDir.getFileHandle("HEAD");
+      gitLog = await (await headFile.getFile()).text();
+    } catch { /* not a git repo, or no reflog — file signals only */ }
+    return { folder: dir.name || "folder", files: files.length, summary: summarize(files, gitLog, Date.now()) };
   };
 })(typeof window !== "undefined" ? window : globalThis);

package/public/report.html CHANGED Viewed

@@ -23,6 +23,15 @@
   .g-A{background:linear-gradient(135deg,#1fb255,#15863f)}.g-B{background:linear-gradient(135deg,#7bb736,#5c8f1e)}
   .g-C{background:linear-gradient(135deg,#eaa83a,#c9821a)}.g-D{background:linear-gradient(135deg,#f0742e,#d4571a)}.g-F{background:linear-gradient(135deg,#f43f5e,#be123c)}
   .top .repo{font-size:22px;font-weight:640;letter-spacing:-.02em;color:var(--ink);word-break:break-all;line-height:1.2}.top .repobr{font-size:13px;font-weight:600;color:var(--a);background:var(--a-soft);border-radius:6px;padding:1px 7px;vertical-align:middle}.top .repourl{display:inline-block;font-size:12.5px;color:var(--a);text-decoration:none;margin-top:3px;word-break:break-all;font-family:ui-monospace,Menlo,monospace}.top .repourl:hover{text-decoration:underline}.top .head{color:var(--sub);font-size:14px;margin-top:4px}
+  .verdict{padding:18px 30px;border-bottom:1px solid #eef0f2}
+  .verdict .vhead{font-size:17px;font-weight:680;letter-spacing:-.01em;line-height:1.3;color:#0b0b0f}
+  .verdict .vkind{font-size:12px;color:#8b8f98;margin:3px 0 12px;font-weight:560}
+  .verdict .vlist{margin:0;padding:0;list-style:none;display:flex;flex-direction:column;gap:8px}
+  .verdict .vlist li{font-size:13.5px;line-height:1.5;color:#33333b}
+  .v-bad{background:#fff5f6} .v-bad .vhead{color:#be123c}
+  .v-warn{background:#fffaf0} .v-warn .vhead{color:#b45309}
+  .v-ok{background:#f0fdf4} .v-ok .vhead{color:#15803d}
+  .v-neutral{background:#fafafb}
   .trustbar{display:flex;align-items:center;gap:14px;padding:13px 30px;background:#f0fdf4;border-bottom:1px solid #dcfce7;flex-wrap:wrap}
   .hgauge{display:inline-flex;align-items:center;gap:8px;font-weight:680;color:#15803d;font-size:14px}
   .hdot{width:10px;height:10px;border-radius:50%;background:#16a34a;box-shadow:0 0 0 4px rgba(22,163,74,.16)}