@rainy-updates/cli 0.5.2 → 0.5.4

package/CHANGELOG.md

@@ -2,6 +2,79 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.5.4] - 2026-03-01
+
+Production hotfix for interactive review stability.
+
+### Fixed
+
+- Fixed a production bug where `review --interactive` could leak raw output from aggregated runners such as `resolve` before the Ink TUI rendered.
+- Fixed the review aggregation silencing model so concurrent dependency analysis no longer races on `stdout` / `stderr` restoration.
+- Restored the intended interactive entry experience for review mode:
+  - `Rainy Review Queue`
+  - `Review Queue`
+  - `Decision Panel`
+
+### Changed
+
+- Clarified `doctor --verdict-only` help text so it matches the real 3-line quick-verdict contract.
+- Added dedicated TUI usage documentation in `docs/tui-guide.md` and linked it from the review workflow docs and README.
+
+## [0.5.3] - 2026-03-01
+
+GA stabilization and review-centered workflow refinement.
+
+### Added
+
+- **Dedicated risk engine layer** under `src/risk/`:
+  - formal risk scoring with `riskScore`, `riskLevel`, `riskReasons`, `riskCategories`, and `recommendedAction`,
+  - deterministic scoring for:
+    - known vulnerabilities,
+    - install lifecycle scripts,
+    - typosquatting heuristic,
+    - newly published packages,
+    - suspicious metadata,
+    - mutable git/http dependencies,
+    - maintainer stability heuristic,
+    - peer conflicts,
+    - license violations,
+    - stale/deprecated health signals,
+    - major version jumps.
+- **Benchmark tooling and methodology**:
+  - `scripts/generate-benchmark-fixtures.mjs`,
+  - `scripts/benchmark.mjs`,
+  - generated fixtures under `benchmarks/fixtures/`,
+  - benchmark methodology doc: `docs/benchmarks.md`.
+- **New workflow docs**:
+  - `docs/command-model.md`
+  - `docs/review-workflow.md`
+  - `docs/risk-engine.md`
+
+### Changed
+
+- `review` is now the explicit product center:
+  - `check` detects,
+  - `doctor` summarizes,
+  - `review` decides,
+  - `upgrade` applies.
+- CLI help, README, and docs now reflect the review-centered workflow instead of a flat command surface.
+- Review outputs now carry formal risk engine results instead of ad hoc composite signals.
+- TUI language has been upgraded to decision-oriented semantics:
+  - review queue,
+  - decision panel,
+  - explicit state labels,
+  - recommended action per candidate.
+- GitHub annotations, SARIF, and human-readable output now expose formal risk score/action metadata additively.
+
+### Benchmarks
+
+- Added package scripts for reproducible benchmark runs:
+  - `bench:fixtures`
+  - `bench:check`
+  - `bench:review`
+  - `bench:resolve`
+  - `bench:ci`
+
 ## [0.5.2] - 2026-03-01
 
 ### Added

package/README.md

@@ -1,19 +1,68 @@
 # @rainy-updates/cli
 
-The fastest DevOps-first dependency CLI. Checks, audits, upgrades, bisects, and automates npm/pnpm dependencies in CI.
+Rainy Updates is a deterministic dependency review and upgrade operator for Node monorepos and CI.
 
-`@rainy-updates/cli` is built for teams that need fast dependency intelligence, security auditing, policy-aware upgrades, and automation-ready output for CI/CD and pull request workflows.
+`@rainy-updates/cli` is built for teams that need fast dependency detection, trustworthy review, controlled upgrades, and automation-ready outputs for CI/CD.
 
 Comparison:
 [Why Rainy vs Dependabot and Renovate](./docs/why-rainy-vs-dependabot-renovate.md)
 
-## Why this package
+Command model:
+[Check → Doctor → Review → Upgrade](./docs/command-model.md)
+
+Review workflow:
+[Review workflow guide](./docs/review-workflow.md)
+
+TUI usage:
+[TUI guide](./docs/tui-guide.md)
+
+Risk engine:
+[Risk engine guide](./docs/risk-engine.md)
+
+Benchmarks:
+[Benchmark methodology](./docs/benchmarks.md)
+
+## What it is
+
+Rainy Updates gives teams one dependency lifecycle:
+
+- `check` detects candidate updates.
+- `doctor` summarizes the current situation.
+- `review` decides what should happen.
+- `upgrade` applies the approved change set.
+
+Everything else supports that lifecycle: CI orchestration, advisory lookup, peer resolution, licenses, snapshots, baselines, and fix-PR automation.
+
+## Who it is for
+
+- Node monorepo teams that want deterministic CI artifacts.
+- Engineers who want to review dependency risk locally before applying changes.
+- Teams that need fewer, better upgrade decisions instead of noisy automated PR churn.
+
+## 60-second workflow
+
+```bash
+# 1) Detect what changed
+npx @rainy-updates/cli check --workspace --show-impact
+
+# 2) Summarize what matters
+npx @rainy-updates/cli doctor --workspace
+
+# 3) Decide in the review surface
+npx @rainy-updates/cli review --interactive
+
+# 4) Apply the approved set
+npx @rainy-updates/cli upgrade --interactive
+```
+
+## Why teams use it
 
 - Detects updates quickly across single-package repos and workspaces.
+- Centralizes security, peer, license, health, and behavioral risk review.
 - Applies updates safely with configurable targets (`patch`, `minor`, `major`, `latest`).
-- Enforces policy rules per package (ignore rules and max upgrade level).
+- Enforces policy rules per package.
 - Supports offline and cache-warmed execution for deterministic CI runs.
-- Produces machine-readable artifacts (JSON, SARIF, GitHub outputs, PR markdown report).
+- Produces machine-readable artifacts: JSON, SARIF, GitHub outputs, and PR reports.
 
 ## Install
 
@@ -52,15 +101,18 @@ npx @rainy-updates/cli ci --workspace --mode strict
 
 ## Commands
 
-### Dependency management
+### Primary workflow
+
+- `check` — detect candidate dependency updates
+- `doctor` — summarize the current dependency situation
+- `review` — decide what to do with security, risk, peer, and policy context
+- `upgrade` — apply the approved change set
+
+### Supporting workflow
 
-- `check` — analyze dependencies and report available updates
-- `upgrade` — rewrite dependency ranges in manifests, optionally install lockfile updates
 - `ci` — run CI-focused dependency automation (warm cache, check/upgrade, policy gates)
 - `warm-cache` — prefetch package metadata for fast and offline checks
 - `baseline` — save and compare dependency baseline snapshots
-- `review` — guided review across updates, security, peer conflicts, licenses, and risk
-- `doctor` — fast verdict command for local triage and CI summaries
 
 ### Security & health (_new in v0.5.1_)
 
@@ -77,31 +129,35 @@ npx @rainy-updates/cli ci --workspace --mode strict
 npx @rainy-updates/cli check --format table
 rup check --format table                      # if installed
 
-# 2) Strict CI mode (non-zero when updates exist)
-npx @rainy-updates/cli check --workspace --ci --format json --json-file .artifacts/updates.json
-rup check --workspace --ci --format json --json-file .artifacts/updates.json
+# 2) Summarize the state
+npx @rainy-updates/cli doctor --workspace
+rup doctor --workspace
+
+# 3) Review and decide
+npx @rainy-updates/cli review --security-only
+rup review --interactive
+
+# 4) Apply upgrades with workspace sync
+npx @rainy-updates/cli upgrade --target latest --workspace --sync --install
+rup upgrade --target latest --workspace --sync --install
 
-# 3) CI orchestration with policy gates
+# 5) CI orchestration with policy gates
 npx @rainy-updates/cli ci --workspace --mode strict --format github
 rup ci --workspace --mode strict --format github
 
-# 4) Batch fix branches by scope (enterprise)
+# 6) Batch fix branches by scope (enterprise)
 npx @rainy-updates/cli ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
 rup ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
 
-# 5) Apply upgrades with workspace sync
-npx @rainy-updates/cli upgrade --target latest --workspace --sync --install
-rup upgrade --target latest --workspace --sync --install
-
-# 6) Warm cache → deterministic offline CI check
+# 7) Warm cache → deterministic offline CI check
 npx @rainy-updates/cli warm-cache --workspace --concurrency 32
 npx @rainy-updates/cli check --workspace --offline --ci
 
-# 7) Save and compare baseline drift
+# 8) Save and compare baseline drift
 npx @rainy-updates/cli baseline --save --file .artifacts/deps-baseline.json --workspace
 npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --workspace --ci
 
-# 8) Scan for known CVEs  ── NEW in v0.5.1
+# 9) Scan for known CVEs
 npx @rainy-updates/cli audit
 npx @rainy-updates/cli audit --severity high
 npx @rainy-updates/cli audit --summary
@@ -111,26 +167,20 @@ rup audit --severity high                   # if installed
 
 `audit` prefers npm/pnpm lockfiles today for exact installed-version inference, and now also reads simple `bun.lock` workspace entries when available. It reports source-health warnings when OSV or GitHub returns only partial coverage.
 
-# 9) Check dependency maintenance health  ── NEW in v0.5.1
+# 10) Check dependency maintenance health
 npx @rainy-updates/cli health
 npx @rainy-updates/cli health --stale 6m   # flag packages with no release in 6 months
 npx @rainy-updates/cli health --stale 180d # same but in days
 rup health --stale 6m                       # if installed
 
-# 10) Find which version introduced a breaking change  ── NEW in v0.5.1
+# 11) Find which version introduced a breaking change
 npx @rainy-updates/cli bisect axios --cmd "bun test"
 npx @rainy-updates/cli bisect react --range "18.0.0..19.0.0" --cmd "npm test"
 npx @rainy-updates/cli bisect lodash --cmd "npm run test:unit" --dry-run
 rup bisect axios --cmd "bun test"           # if installed
 
-# 11) Review updates with risk and security context  ── NEW in v0.5.2 GA
-npx @rainy-updates/cli review --security-only
-rup review --interactive
+# 12) Focus review on high-risk changes
 rup review --risk high --diff major
-
-# 12) Get a fast dependency verdict for CI or local triage  ── NEW in v0.5.2 GA
-npx @rainy-updates/cli doctor
-rup doctor --verdict-only
 ```
 
 ## What it does in production
@@ -185,6 +235,13 @@ npx @rainy-updates/cli check --policy-file .rainyupdates-policy.json
 - `--format table`
 - `--format minimal`
 
+Review-centered outputs:
+
+- `check` is optimized for detection.
+- `doctor` is optimized for summary.
+- `review` is optimized for decision-making.
+- `upgrade` is optimized for safe application.
+
 ### Automation output
 
 - `--format json`

package/dist/bin/cli.js

@@ -85,7 +85,7 @@ async function main() {
             process.exitCode = result.totalFlagged > 0 ? 1 : 0;
             return;
         }
-        // ─── v0.5.2 commands ─────────────────────────────────────────────────────
+        // ─── v0.5.4 commands ─────────────────────────────────────────────────────
         if (parsed.command === "unused") {
             const { runUnused } = await import("../commands/unused/runner.js");
             const result = await runUnused(parsed.options);
@@ -226,7 +226,11 @@ function renderHelp(command) {
     if (isCommand && command === "check") {
         return `rainy-updates check [options]
 
-Detect available dependency updates.
+Detect candidate dependency updates. This is the first step in the flow:
+  check detects
+  doctor summarizes
+  review decides
+  upgrade applies
 
 Options:
   --workspace
@@ -291,7 +295,7 @@ Options:
     if (isCommand && command === "upgrade") {
         return `rainy-updates upgrade [options]
 
-Apply dependency updates to package.json manifests.
+Apply an approved change set to package.json manifests.
 
 Options:
   --workspace
@@ -318,7 +322,11 @@ Options:
     if (isCommand && command === "ci") {
         return `rainy-updates ci [options]
 
-Run CI-oriented dependency automation pipeline.
+Run CI-oriented automation around the same lifecycle:
+  check detects
+  doctor summarizes
+  review decides
+  upgrade applies
 
 Options:
   --workspace
@@ -396,7 +404,8 @@ Options:
     if (isCommand && command === "review") {
         return `rainy-updates review [options]
 
-Review updates with risk, security, peer, and policy context.
+Review is the decision center of Rainy Updates.
+Use it to inspect risk, security, peer, license, and policy context before applying changes.
 
 Options:
   --workspace
@@ -414,7 +423,7 @@ Options:
     if (isCommand && command === "doctor") {
         return `rainy-updates doctor [options]
 
-Produce a fast overall dependency verdict.
+Produce a fast summary verdict and point the operator to review when action is needed.
 
 Options:
   --workspace
@@ -424,9 +433,11 @@ Options:
     return `rainy-updates (rup / rainy-up) <command> [options]
 
 Commands:
-  check       Detect available updates
-  upgrade     Apply updates to manifests
-  ci          Run CI-focused update pipeline
+  check       Detect candidate updates
+  doctor      Summarize what matters
+  review      Decide what to do
+  upgrade     Apply the approved change set
+  ci          Run CI-focused orchestration
   warm-cache  Warm local cache for fast/offline checks
   init-ci     Scaffold GitHub Actions workflow
   baseline    Save/check dependency baseline snapshots
@@ -437,8 +448,6 @@ Commands:
   resolve     Check peer dependency conflicts (pure-TS, no subprocess)
   licenses    Scan dependency licenses and generate SPDX SBOM
   snapshot    Save, list, restore, and diff dependency state snapshots
-  review      Guided dependency review with risk/security context
-  doctor      Fast dependency verdict for local or CI use
 
 Global options:
   --cwd <path>

package/dist/commands/doctor/parser.js

@@ -85,7 +85,7 @@ Usage:
   rup doctor [options]
 
 Options:
-  --verdict-only         Print one-line verdict for CI summaries
+  --verdict-only         Print the 3-line quick verdict without counts
   --workspace            Scan all workspace packages
   --json-file <path>     Write JSON doctor report to file
   --cwd <path>

package/dist/core/check.js

@@ -93,7 +93,8 @@ export async function check(options) {
                 latestVersion: cached.latestVersion,
                 availableVersions: cached.availableVersions,
                 publishedAtByVersion: {},
-                hasInstallScript: false,
+                installScriptByVersion: {},
+                maintainerCount: null,
             });
         }
         else {
@@ -111,7 +112,8 @@ export async function check(options) {
                         latestVersion: stale.latestVersion,
                         availableVersions: stale.availableVersions,
                         publishedAtByVersion: {},
-                        hasInstallScript: false,
+                        installScriptByVersion: {},
+                        maintainerCount: null,
                     });
                     warnings.push(`Using stale cache for ${packageName} because --offline is enabled.`);
                 }
@@ -143,7 +145,8 @@ export async function check(options) {
                     publishedAtByVersion: metadata.publishedAtByVersion,
                     homepage: metadata.homepage,
                     repository: metadata.repository,
-                    hasInstallScript: metadata.hasInstallScript,
+                    installScriptByVersion: metadata.installScriptByVersion,
+                    maintainerCount: metadata.maintainerCount,
                 });
                 if (metadata.latestVersion) {
                     await cache.set(packageName, options.target, metadata.latestVersion, metadata.versions, options.cacheTtlSeconds);
@@ -158,7 +161,8 @@ export async function check(options) {
                         latestVersion: stale.latestVersion,
                         availableVersions: stale.availableVersions,
                         publishedAtByVersion: {},
-                        hasInstallScript: false,
+                        installScriptByVersion: {},
+                        maintainerCount: null,
                     });
                     warnings.push(`Using stale cache for ${packageName} due to registry error: ${error}`);
                 }
@@ -214,6 +218,17 @@ export async function check(options) {
             autofix: rule?.autofix !== false,
             reason: rule?.maxTarget ? `policy maxTarget=${rule.maxTarget}` : undefined,
             homepage: metadata.homepage,
+            repository: metadata.repository,
+            publishedAt: metadata.publishedAtByVersion[picked]
+                ? new Date(metadata.publishedAtByVersion[picked]).toISOString()
+                : undefined,
+            publishAgeDays: metadata.publishedAtByVersion[picked]
+                ? Math.max(0, Math.floor((Date.now() - metadata.publishedAtByVersion[picked]) /
+                    (1000 * 60 * 60 * 24)))
+                : null,
+            hasInstallScript: metadata.installScriptByVersion[picked] ?? false,
+            maintainerCount: metadata.maintainerCount,
+            maintainerChurn: deriveMaintainerChurn(metadata.maintainerCount, metadata.publishedAtByVersion[picked]),
         });
         emitStream(`[update] ${task.dependency.name} ${task.dependency.range} -> ${nextRange} (${classifyDiff(task.dependency.range, picked)})`);
     }
@@ -265,6 +280,16 @@ export async function check(options) {
         warnings: sortedWarnings,
     };
 }
+function deriveMaintainerChurn(maintainerCount, publishedAt) {
+    if (maintainerCount === null || publishedAt === undefined) {
+        return "unknown";
+    }
+    const ageDays = Math.max(0, Math.floor((Date.now() - publishedAt) / (1000 * 60 * 60 * 24)));
+    if (maintainerCount <= 1 && ageDays <= 30) {
+        return "elevated-change";
+    }
+    return "stable";
+}
 function groupUpdates(updates, groupBy) {
     if (updates.length === 0) {
         return [];

package/dist/core/review-model.js

@@ -3,6 +3,7 @@ import process from "node:process";
 import { check } from "./check.js";
 import { createSummary, finalizeSummary } from "./summary.js";
 import { applyImpactScores } from "./impact.js";
+import { applyRiskAssessments } from "../risk/index.js";
 export async function buildReviewResult(options) {
     const baseCheckOptions = {
         ...options,
@@ -11,13 +12,13 @@ export async function buildReviewResult(options) {
         showHomepage: true,
     };
     const checkResult = await check(baseCheckOptions);
-    const [auditResult, resolveResult, healthResult, licenseResult, unusedResult] = await Promise.all([
-        runSilenced(() => import("../commands/audit/runner.js").then((mod) => mod.runAudit(toAuditOptions(options)))),
-        runSilenced(() => import("../commands/resolve/runner.js").then((mod) => mod.runResolve(toResolveOptions(options)))),
-        runSilenced(() => import("../commands/health/runner.js").then((mod) => mod.runHealth(toHealthOptions(options)))),
-        runSilenced(() => import("../commands/licenses/runner.js").then((mod) => mod.runLicenses(toLicenseOptions(options)))),
-        runSilenced(() => import("../commands/unused/runner.js").then((mod) => mod.runUnused(toUnusedOptions(options)))),
-    ]);
+    const [auditResult, resolveResult, healthResult, licenseResult, unusedResult] = await runSilenced(() => Promise.all([
+        import("../commands/audit/runner.js").then((mod) => mod.runAudit(toAuditOptions(options))),
+        import("../commands/resolve/runner.js").then((mod) => mod.runResolve(toResolveOptions(options))),
+        import("../commands/health/runner.js").then((mod) => mod.runHealth(toHealthOptions(options))),
+        import("../commands/licenses/runner.js").then((mod) => mod.runLicenses(toLicenseOptions(options))),
+        import("../commands/unused/runner.js").then((mod) => mod.runUnused(toUnusedOptions(options))),
+    ]));
     const advisoryPackages = new Set(auditResult.packages.map((pkg) => pkg.packageName));
     const impactedUpdates = applyImpactScores(checkResult.updates, {
         advisoryPackages,
@@ -47,9 +48,12 @@ export async function buildReviewResult(options) {
         list.push(issue);
         unusedByName.set(issue.name, list);
     }
-    const items = impactedUpdates
+    const baseItems = impactedUpdates
         .map((update) => enrichUpdate(update, advisoriesByName, conflictsByName, healthByName, licenseByName, licenseViolationNames, unusedByName))
         .filter((item) => matchesReviewFilters(item, options));
+    const items = applyRiskAssessments(baseItems, {
+        knownPackageNames: new Set(checkResult.updates.map((item) => item.name)),
+    }).filter((item) => matchesReviewFilters(item, options));
     const summary = createReviewSummary(checkResult.summary, items, [
         ...checkResult.errors,
         ...auditResult.errors,
@@ -76,7 +80,7 @@ export async function buildReviewResult(options) {
     };
 }
 export function createDoctorResult(review) {
-    const verdict = review.summary.verdict ?? deriveVerdict(review.items);
+    const verdict = review.summary.verdict ?? deriveVerdict(review.items, review.errors);
     const primaryFindings = buildPrimaryFindings(review);
     return {
         verdict,
@@ -101,6 +105,9 @@ export function renderReviewResult(review) {
             const notes = [
                 item.update.diffType,
                 item.update.riskLevel ? `risk=${item.update.riskLevel}` : undefined,
+                typeof item.update.riskScore === "number"
+                    ? `score=${item.update.riskScore}`
+                    : undefined,
                 item.update.advisoryCount ? `security=${item.update.advisoryCount}` : undefined,
                 item.update.peerConflictSeverity && item.update.peerConflictSeverity !== "none"
                     ? `peer=${item.update.peerConflictSeverity}`
@@ -113,6 +120,9 @@ export function renderReviewResult(review) {
             if (item.update.riskReasons && item.update.riskReasons.length > 0) {
                 lines.push(`  reasons: ${item.update.riskReasons.join("; ")}`);
             }
+            if (item.update.recommendedAction) {
+                lines.push(`  action: ${item.update.recommendedAction}`);
+            }
             if (item.update.homepage) {
                 lines.push(`  homepage: ${item.update.homepage}`);
             }
@@ -153,16 +163,6 @@ function enrichUpdate(update, advisoriesByName, conflictsByName, healthByName, l
     const health = healthByName.get(update.name);
     const license = licenseByName.get(update.name);
     const unusedIssues = unusedByName.get(update.name) ?? [];
-    const riskReasons = [
-        advisories.length > 0 ? `${advisories.length} advisory finding(s)` : undefined,
-        peerConflicts.some((item) => item.severity === "error") ? "peer conflict requires review" : undefined,
-        health?.flags.includes("deprecated") ? "package is deprecated" : undefined,
-        health?.flags.includes("stale") ? "package is stale" : undefined,
-        licenseViolationNames.has(update.name) ? "license policy violation" : undefined,
-        unusedIssues.length > 0 ? `${unusedIssues.length} unused/missing dependency signal(s)` : undefined,
-        update.diffType === "major" ? "major version jump" : undefined,
-    ].filter((value) => Boolean(value));
-    const riskLevel = deriveRiskLevel(update, advisories.length, peerConflicts.length, licenseViolationNames.has(update.name), health?.flags ?? []);
     return {
         update: {
             ...update,
@@ -178,8 +178,6 @@ function enrichUpdate(update, advisoriesByName, conflictsByName, healthByName, l
                     ? "allowed"
                     : "review",
             healthStatus: health?.flags[0] ?? "healthy",
-            riskLevel,
-            riskReasons,
         },
         advisories,
         health,
@@ -244,10 +242,10 @@ function createReviewSummary(base, items, errors, warnings, interactiveSession)
     summary.riskPackages = items.filter((item) => item.update.riskLevel === "critical" || item.update.riskLevel === "high").length;
     summary.peerConflictPackages = items.filter((item) => item.update.peerConflictSeverity && item.update.peerConflictSeverity !== "none").length;
     summary.licenseViolationPackages = items.filter((item) => item.update.licenseStatus === "denied").length;
-    summary.verdict = deriveVerdict(items);
+    summary.verdict = deriveVerdict(items, errors);
     return summary;
 }
-function deriveVerdict(items) {
+function deriveVerdict(items, errors) {
     if (items.some((item) => item.update.peerConflictSeverity === "error" ||
         item.update.licenseStatus === "denied")) {
         return "blocked";
@@ -255,23 +253,12 @@ function deriveVerdict(items) {
     if (items.some((item) => item.advisories.length > 0 || item.update.riskLevel === "critical")) {
         return "actionable";
     }
-    if (items.some((item) => item.update.riskLevel === "high" || item.update.diffType === "major")) {
+    if (errors.length > 0 ||
+        items.some((item) => item.update.riskLevel === "high" || item.update.diffType === "major")) {
         return "review";
     }
     return "safe";
 }
-function deriveRiskLevel(update, advisories, conflicts, hasLicenseViolation, healthFlags) {
-    if (hasLicenseViolation || conflicts > 0 || advisories > 0) {
-        return update.diffType === "major" || advisories > 0 ? "critical" : "high";
-    }
-    if (healthFlags.includes("deprecated") || update.diffType === "major") {
-        return "high";
-    }
-    if (healthFlags.length > 0 || update.diffType === "minor") {
-        return "medium";
-    }
-    return update.impactScore?.rank ?? "low";
-}
 function buildPrimaryFindings(review) {
     const findings = [];
     if ((review.summary.peerConflictPackages ?? 0) > 0) {
@@ -286,6 +273,9 @@ function buildPrimaryFindings(review) {
     if ((review.summary.riskPackages ?? 0) > 0) {
         findings.push(`${review.summary.riskPackages} package(s) are high risk.`);
     }
+    if (review.errors.length > 0) {
+        findings.push(`${review.errors.length} execution error(s) need review before treating the result as clean.`);
+    }
     if (findings.length === 0) {
         findings.push("No blocking findings; remaining updates are low-risk.");
     }
@@ -293,10 +283,10 @@ function buildPrimaryFindings(review) {
 }
 function recommendCommand(review, verdict) {
     if (verdict === "blocked")
-        return "rup resolve --after-update";
+        return "rup review --interactive";
     if ((review.summary.securityPackages ?? 0) > 0)
-        return "rup audit --fix";
-    if (review.items.length > 0)
+        return "rup review --security-only";
+    if (review.errors.length > 0 || review.items.length > 0)
         return "rup review --interactive";
     return "rup check";
 }

package/dist/index.d.ts

@@ -8,4 +8,5 @@ export { createSarifReport } from "./output/sarif.js";
 export { writeGitHubOutput, renderGitHubAnnotations } from "./output/github.js";
 export { renderPrReport } from "./output/pr-report.js";
 export { buildReviewResult, createDoctorResult } from "./core/review-model.js";
-export type { CheckOptions, CheckResult, CiProfile, DependencyKind, FailOnLevel, GroupBy, OutputFormat, PackageUpdate, RunOptions, TargetLevel, UpgradeOptions, UpgradeResult, ReviewOptions, ReviewResult, DoctorOptions, DoctorResult, Verdict, RiskLevel, } from "./types/index.js";
+export { applyRiskAssessments } from "./risk/index.js";
+export type { CheckOptions, CheckResult, CiProfile, DependencyKind, FailOnLevel, GroupBy, OutputFormat, PackageUpdate, RunOptions, TargetLevel, UpgradeOptions, UpgradeResult, ReviewOptions, ReviewResult, DoctorOptions, DoctorResult, Verdict, RiskLevel, RiskCategory, RiskAssessment, RiskFactor, MaintainerChurnStatus, } from "./types/index.js";

package/dist/index.js

@@ -8,3 +8,4 @@ export { createSarifReport } from "./output/sarif.js";
 export { writeGitHubOutput, renderGitHubAnnotations } from "./output/github.js";
 export { renderPrReport } from "./output/pr-report.js";
 export { buildReviewResult, createDoctorResult } from "./core/review-model.js";
+export { applyRiskAssessments } from "./risk/index.js";

package/dist/output/format.js

@@ -8,6 +8,11 @@ export function renderResult(result, format, display = {}) {
         if (result.updates.length === 0 && result.summary.warmedPackages > 0) {
             return `Cache warmed for ${result.summary.warmedPackages} package(s).`;
         }
+        if (result.updates.length === 0 && result.errors.length > 0) {
+            const [firstError] = result.errors;
+            const suffix = result.errors.length > 1 ? ` (+${result.errors.length - 1} more errors)` : "";
+            return `${firstError}${suffix}`;
+        }
         if (result.updates.length === 0)
             return "No updates found.";
         return result.updates
@@ -16,6 +21,9 @@ export function renderResult(result, format, display = {}) {
             if (display.showImpact && item.impactScore) {
                 parts.push(`impact=${item.impactScore.rank}:${item.impactScore.score}`);
             }
+            if (typeof item.riskScore === "number") {
+                parts.push(`risk=${item.riskLevel}:${item.riskScore}`);
+            }
             if (display.showHomepage && item.homepage) {
                 parts.push(item.homepage);
             }
@@ -80,9 +88,13 @@ export function renderResult(result, format, display = {}) {
                     : undefined,
                 display.showHomepage && update.homepage ? update.homepage : undefined,
                 update.riskLevel ? `risk=${update.riskLevel}` : undefined,
+                typeof update.riskScore === "number" ? `score=${update.riskScore}` : undefined,
             ]
                 .filter(Boolean)
                 .join(", ")})`);
+            if (update.recommendedAction) {
+                lines.push(`  action: ${update.recommendedAction}`);
+            }
         }
     }
     if (result.errors.length > 0) {

package/dist/output/github.js

@@ -42,7 +42,7 @@ export function renderGitHubAnnotations(result) {
         return left.packagePath.localeCompare(right.packagePath);
     });
     for (const update of sortedUpdates) {
-        lines.push(`::notice title=Dependency Update::${update.name} ${update.fromRange} -> ${update.toRange} (${update.packagePath})`);
+        lines.push(`::notice title=Dependency Update::${update.name} ${update.fromRange} -> ${update.toRange} (${update.packagePath})${typeof update.riskScore === "number" ? ` [risk=${update.riskLevel}:${update.riskScore}]` : ""}`);
     }
     for (const warning of [...result.warnings].sort((a, b) => a.localeCompare(b))) {
         lines.push(`::warning title=Rainy Updates::${warning}`);

package/dist/output/sarif.js

@@ -33,6 +33,9 @@ export function createSarifReport(result) {
             impactRank: update.impactScore?.rank,
             impactScore: update.impactScore?.score,
             riskLevel: update.riskLevel,
+            riskScore: update.riskScore,
+            riskCategories: update.riskCategories ?? [],
+            recommendedAction: update.recommendedAction,
             advisoryCount: update.advisoryCount ?? 0,
             peerConflictSeverity: update.peerConflictSeverity ?? "none",
             licenseStatus: update.licenseStatus ?? "allowed",

package/dist/registry/npm.d.ts

@@ -24,7 +24,8 @@ export interface ResolveManyResult {
         publishedAtByVersion: Record<string, number>;
         homepage?: string;
         repository?: string;
-        hasInstallScript: boolean;
+        installScriptByVersion: Record<string, boolean>;
+        maintainerCount: number | null;
     }>;
     errors: Map<string, string>;
 }
@@ -39,7 +40,8 @@ export declare class NpmRegistryClient {
         publishedAtByVersion: Record<string, number>;
         homepage?: string;
         repository?: string;
-        hasInstallScript: boolean;
+        installScriptByVersion: Record<string, boolean>;
+        maintainerCount: number | null;
     }>;
     resolveLatestVersion(packageName: string, timeoutMs?: number): Promise<string | null>;
     resolveManyPackageMetadata(packageNames: string[], options: ResolveManyOptions): Promise<ResolveManyResult>;

package/dist/registry/npm.js

@@ -22,7 +22,13 @@ export class NpmRegistryClient {
             try {
                 const response = await requester(packageName, timeoutMs);
                 if (response.status === 404) {
-                    return { latestVersion: null, versions: [], publishedAtByVersion: {}, hasInstallScript: false };
+                    return {
+                        latestVersion: null,
+                        versions: [],
+                        publishedAtByVersion: {},
+                        installScriptByVersion: {},
+                        maintainerCount: null,
+                    };
                 }
                 if (response.status === 429 || response.status >= 500) {
                     throw new RetryableRegistryError(`Registry temporary error: ${response.status}`, response.retryAfterMs ?? computeBackoffMs(attempt));
@@ -37,7 +43,10 @@ export class NpmRegistryClient {
                     publishedAtByVersion: extractPublishTimes(response.data?.time),
                     homepage: response.data?.homepage,
                     repository: normalizeRepository(response.data?.repository),
-                    hasInstallScript: detectInstallScript(response.data?.versions),
+                    installScriptByVersion: detectInstallScriptsByVersion(response.data?.versions),
+                    maintainerCount: Array.isArray(response.data?.maintainers)
+                        ? response.data?.maintainers.length
+                        : null,
                 };
             }
             catch (error) {
@@ -104,18 +113,15 @@ function normalizeRepository(value) {
         return value;
     return value.url;
 }
-function detectInstallScript(versions) {
+function detectInstallScriptsByVersion(versions) {
     if (!versions)
-        return false;
-    for (const metadata of Object.values(versions)) {
+        return {};
+    const results = {};
+    for (const [version, metadata] of Object.entries(versions)) {
         const scripts = metadata?.scripts;
-        if (!scripts)
-            continue;
-        if (scripts.preinstall || scripts.install || scripts.postinstall) {
-            return true;
-        }
+        results[version] = Boolean(scripts?.preinstall || scripts?.install || scripts?.postinstall);
     }
-    return false;
+    return results;
 }
 function computeBackoffMs(attempt) {
     const baseMs = Math.max(120, attempt * 180);

package/dist/risk/index.d.ts

@@ -0,0 +1,3 @@
+import type { ReviewItem } from "../types/index.js";
+import type { RiskContext } from "./types.js";
+export declare function applyRiskAssessments(items: ReviewItem[], context: RiskContext): ReviewItem[];

package/dist/risk/index.js

@@ -0,0 +1,24 @@
+import { assessRisk } from "./scorer.js";
+export function applyRiskAssessments(items, context) {
+    return items.map((item) => {
+        const assessment = assessRisk({
+            update: item.update,
+            advisories: item.advisories,
+            health: item.health,
+            peerConflicts: item.peerConflicts,
+            licenseViolation: item.update.licenseStatus === "denied",
+            unusedIssues: item.unusedIssues,
+        }, context);
+        return {
+            ...item,
+            update: {
+                ...item.update,
+                riskLevel: assessment.level,
+                riskScore: assessment.score,
+                riskReasons: assessment.reasons,
+                riskCategories: assessment.categories,
+                recommendedAction: assessment.recommendedAction,
+            },
+        };
+    });
+}

package/dist/risk/scorer.d.ts

@@ -0,0 +1,3 @@
+import type { RiskAssessment } from "../types/index.js";
+import type { RiskContext, RiskInput } from "./types.js";
+export declare function assessRisk(input: RiskInput, context: RiskContext): RiskAssessment;

package/dist/risk/scorer.js

@@ -0,0 +1,114 @@
+import { detectInstallScriptsRisk } from "./signals/install-scripts.js";
+import { detectTyposquatRisk } from "./signals/typosquat.js";
+import { detectFreshPackageRisk } from "./signals/fresh-package.js";
+import { detectSuspiciousMetadataRisk } from "./signals/metadata.js";
+import { detectMutableSourceRisk } from "./signals/mutable-source.js";
+import { detectMaintainerChurnRisk } from "./signals/maintainer-churn.js";
+export function assessRisk(input, context) {
+    // Base factors model direct supply-chain behavior; modifiers adjust operational severity.
+    const baseFactors = [];
+    const modifierFactors = [];
+    if (input.advisories.length > 0) {
+        baseFactors.push({
+            code: "known-vulnerability",
+            weight: 35,
+            category: "known-vulnerability",
+            message: `${input.advisories.length} known vulnerability finding(s) affect this package.`,
+        });
+    }
+    const installScripts = detectInstallScriptsRisk(input);
+    if (installScripts)
+        baseFactors.push(installScripts);
+    const typosquat = detectTyposquatRisk(input, context);
+    if (typosquat)
+        baseFactors.push(typosquat);
+    const freshPackage = detectFreshPackageRisk(input);
+    if (freshPackage)
+        baseFactors.push(freshPackage);
+    const metadata = detectSuspiciousMetadataRisk(input);
+    if (metadata)
+        baseFactors.push(metadata);
+    const mutableSource = detectMutableSourceRisk(input);
+    if (mutableSource)
+        baseFactors.push(mutableSource);
+    const maintainerChurn = detectMaintainerChurnRisk(input);
+    if (maintainerChurn)
+        baseFactors.push(maintainerChurn);
+    if (input.peerConflicts.some((conflict) => conflict.severity === "error")) {
+        modifierFactors.push({
+            code: "peer-conflict",
+            weight: 20,
+            category: "operational-health",
+            message: "Peer dependency conflicts block safe application.",
+        });
+    }
+    if (input.licenseViolation) {
+        modifierFactors.push({
+            code: "license-violation",
+            weight: 20,
+            category: "operational-health",
+            message: "License policy would block or require review for this update.",
+        });
+    }
+    if (input.health?.flags.includes("deprecated")) {
+        modifierFactors.push({
+            code: "deprecated-package",
+            weight: 10,
+            category: "operational-health",
+            message: "Package is deprecated.",
+        });
+    }
+    else if (input.health?.flags.includes("stale") ||
+        input.health?.flags.includes("unmaintained")) {
+        modifierFactors.push({
+            code: "stale-package",
+            weight: 5,
+            category: "operational-health",
+            message: "Package has stale operational health signals.",
+        });
+    }
+    if (input.update.diffType === "major") {
+        modifierFactors.push({
+            code: "major-version",
+            weight: 10,
+            category: "operational-health",
+            message: "Update crosses a major version boundary.",
+        });
+    }
+    const baseScore = baseFactors.reduce((sum, factor) => sum + factor.weight, 0);
+    const modifierScore = modifierFactors.reduce((sum, factor) => sum + factor.weight, 0);
+    const factors = [...baseFactors, ...modifierFactors];
+    const score = Math.min(100, baseScore + modifierScore);
+    const level = scoreToLevel(score);
+    const categories = Array.from(new Set(factors.map((factor) => factor.category)));
+    const reasons = factors.map((factor) => factor.message);
+    return {
+        score,
+        level,
+        reasons,
+        categories,
+        recommendedAction: recommendAction(level, input),
+        factors,
+    };
+}
+function scoreToLevel(score) {
+    if (score >= 70)
+        return "critical";
+    if (score >= 45)
+        return "high";
+    if (score >= 20)
+        return "medium";
+    return "low";
+}
+function recommendAction(level, input) {
+    if (input.peerConflicts.some((conflict) => conflict.severity === "error")) {
+        return "Run `rup resolve --after-update` before applying this update.";
+    }
+    if (input.advisories.length > 0) {
+        return "Review in `rup review` and consider `rup audit --fix` for the secure minimum patch.";
+    }
+    if (level === "critical" || level === "high") {
+        return "Keep this update in review until the risk reasons are cleared.";
+    }
+    return "Safe to keep in the review queue and apply after normal verification.";
+}

package/dist/risk/signals/fresh-package.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectFreshPackageRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/fresh-package.js

@@ -0,0 +1,22 @@
+export function detectFreshPackageRisk(input) {
+    const age = input.update.publishAgeDays;
+    if (typeof age !== "number")
+        return null;
+    if (age <= 7) {
+        return {
+            code: "fresh-package-7d",
+            weight: 20,
+            category: "behavioral-risk",
+            message: `Resolved version was published ${age} day(s) ago.`,
+        };
+    }
+    if (age <= 30) {
+        return {
+            code: "fresh-package-30d",
+            weight: 10,
+            category: "behavioral-risk",
+            message: `Resolved version was published ${age} day(s) ago.`,
+        };
+    }
+    return null;
+}

package/dist/risk/signals/install-scripts.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectInstallScriptsRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/install-scripts.js

@@ -0,0 +1,10 @@
+export function detectInstallScriptsRisk(input) {
+    if (!input.update.hasInstallScript)
+        return null;
+    return {
+        code: "install-scripts",
+        weight: 20,
+        category: "behavioral-risk",
+        message: "Resolved package includes install lifecycle scripts.",
+    };
+}

package/dist/risk/signals/maintainer-churn.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectMaintainerChurnRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/maintainer-churn.js

@@ -0,0 +1,11 @@
+export function detectMaintainerChurnRisk(input) {
+    if (input.update.maintainerChurn !== "elevated-change") {
+        return null;
+    }
+    return {
+        code: "maintainer-churn",
+        weight: 15,
+        category: "behavioral-risk",
+        message: "Maintainer profile looks unstable for a recent release based on available registry metadata.",
+    };
+}

package/dist/risk/signals/metadata.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectSuspiciousMetadataRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/metadata.js

@@ -0,0 +1,18 @@
+export function detectSuspiciousMetadataRisk(input) {
+    const { homepage, repository } = input.update;
+    const homepageMissing = !homepage;
+    const repositoryMissing = !repository;
+    const repositoryMalformed = typeof repository === "string" &&
+        !repository.startsWith("http://") &&
+        !repository.startsWith("https://") &&
+        !repository.startsWith("git+");
+    if ((homepageMissing && repositoryMissing) || repositoryMalformed) {
+        return {
+            code: "suspicious-metadata",
+            weight: 10,
+            category: "behavioral-risk",
+            message: "Package metadata is incomplete or uses a non-canonical repository reference.",
+        };
+    }
+    return null;
+}

package/dist/risk/signals/mutable-source.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectMutableSourceRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/mutable-source.js

@@ -0,0 +1,24 @@
+const MUTABLE_PATTERNS = [
+    "git+",
+    "github:",
+    "gitlab:",
+    "http://",
+    "https://",
+    "git://",
+];
+export function detectMutableSourceRisk(input) {
+    const raw = input.update.fromRange;
+    if (!MUTABLE_PATTERNS.some((pattern) => raw.startsWith(pattern))) {
+        return null;
+    }
+    const immutableCommitPinned = /#[a-f0-9]{7,40}$/i.test(raw);
+    if (immutableCommitPinned) {
+        return null;
+    }
+    return {
+        code: "mutable-source",
+        weight: 25,
+        category: "behavioral-risk",
+        message: "Dependency uses a mutable git/http source without an immutable commit pin.",
+    };
+}

package/dist/risk/signals/typosquat.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskContext, RiskInput } from "../types.js";
+export declare function detectTyposquatRisk(input: RiskInput, context: RiskContext): RiskFactor | null;

package/dist/risk/signals/typosquat.js

@@ -0,0 +1,70 @@
+const HIGH_VALUE_PACKAGES = [
+    "react",
+    "react-dom",
+    "next",
+    "typescript",
+    "lodash",
+    "axios",
+    "zod",
+    "vite",
+    "eslint",
+    "express",
+];
+export function detectTyposquatRisk(input, context) {
+    const target = normalizeName(input.update.name);
+    if (target.length < 4)
+        return null;
+    const candidates = new Set([
+        ...HIGH_VALUE_PACKAGES,
+        ...Array.from(context.knownPackageNames),
+    ]);
+    for (const candidate of candidates) {
+        const normalizedCandidate = normalizeName(candidate);
+        if (!normalizedCandidate || normalizedCandidate === target)
+            continue;
+        if (Math.abs(normalizedCandidate.length - target.length) > 1)
+            continue;
+        if (isTransposition(normalizedCandidate, target) || levenshtein(normalizedCandidate, target) === 1) {
+            return {
+                code: "typosquat-heuristic",
+                weight: 25,
+                category: "behavioral-risk",
+                message: `Package name is highly similar to "${candidate}", which may indicate typosquatting.`,
+            };
+        }
+    }
+    return null;
+}
+function normalizeName(value) {
+    const trimmed = value.startsWith("@") ? value.split("/")[1] ?? value : value;
+    return trimmed.replace(/[^a-z0-9]/gi, "").toLowerCase();
+}
+function isTransposition(left, right) {
+    if (left.length !== right.length || left === right)
+        return false;
+    const mismatches = [];
+    for (let index = 0; index < left.length; index += 1) {
+        if (left[index] !== right[index])
+            mismatches.push(index);
+        if (mismatches.length > 2)
+            return false;
+    }
+    if (mismatches.length !== 2)
+        return false;
+    const [first, second] = mismatches;
+    return left[first] === right[second] && left[second] === right[first];
+}
+function levenshtein(left, right) {
+    const matrix = Array.from({ length: left.length + 1 }, () => Array(right.length + 1).fill(0));
+    for (let i = 0; i <= left.length; i += 1)
+        matrix[i][0] = i;
+    for (let j = 0; j <= right.length; j += 1)
+        matrix[0][j] = j;
+    for (let i = 1; i <= left.length; i += 1) {
+        for (let j = 1; j <= right.length; j += 1) {
+            const cost = left[i - 1] === right[j - 1] ? 0 : 1;
+            matrix[i][j] = Math.min(matrix[i - 1][j] + 1, matrix[i][j - 1] + 1, matrix[i - 1][j - 1] + cost);
+        }
+    }
+    return matrix[left.length][right.length];
+}

package/dist/risk/types.d.ts

@@ -0,0 +1,15 @@
+import type { HealthResult, PackageUpdate, PeerConflict, RiskAssessment, UnusedDependency, CveAdvisory } from "../types/index.js";
+export interface RiskInput {
+    update: PackageUpdate;
+    advisories: CveAdvisory[];
+    health?: HealthResult["metrics"][number];
+    peerConflicts: PeerConflict[];
+    licenseViolation: boolean;
+    unusedIssues: UnusedDependency[];
+}
+export interface RiskContext {
+    knownPackageNames: ReadonlySet<string>;
+}
+export interface RiskSignalResult {
+    assessment: RiskAssessment;
+}

package/dist/risk/types.js

@@ -0,0 +1 @@
+export {};

package/dist/types/index.d.ts

@@ -5,6 +5,8 @@ export type CiProfile = "minimal" | "strict" | "enterprise";
 export type LockfileMode = "preserve" | "update" | "error";
 export type Verdict = "safe" | "review" | "blocked" | "actionable";
 export type RiskLevel = "critical" | "high" | "medium" | "low";
+export type RiskCategory = "known-vulnerability" | "behavioral-risk" | "operational-health";
+export type MaintainerChurnStatus = "unknown" | "stable" | "elevated-change";
 export type OutputFormat = "table" | "json" | "minimal" | "github" | "metrics";
 export type FailOnLevel = "none" | "patch" | "minor" | "major" | "any";
 export type LogLevel = "error" | "warn" | "info" | "debug";
@@ -91,8 +93,17 @@ export interface PackageUpdate {
     reason?: string;
     impactScore?: ImpactScore;
     homepage?: string;
+    repository?: string;
+    publishedAt?: string;
+    publishAgeDays?: number | null;
+    hasInstallScript?: boolean;
+    maintainerCount?: number | null;
+    maintainerChurn?: MaintainerChurnStatus;
     riskLevel?: RiskLevel;
+    riskScore?: number;
     riskReasons?: string[];
+    riskCategories?: RiskCategory[];
+    recommendedAction?: string;
     advisoryCount?: number;
     peerConflictSeverity?: "none" | PeerConflictSeverity;
     licenseStatus?: "allowed" | "review" | "denied";
@@ -323,8 +334,25 @@ export interface ResolveResult {
 }
 export interface RiskSignal {
     packageName: string;
+    code: string;
+    weight: number;
+    category: RiskCategory;
+    level: RiskLevel;
+    reasons: string[];
+}
+export interface RiskFactor {
+    code: string;
+    weight: number;
+    category: RiskCategory;
+    message: string;
+}
+export interface RiskAssessment {
+    score: number;
     level: RiskLevel;
     reasons: string[];
+    categories: RiskCategory[];
+    recommendedAction: string;
+    factors: RiskFactor[];
 }
 export interface ReviewItem {
     update: PackageUpdate;

package/dist/ui/tui.js

@@ -34,6 +34,30 @@ function diffColor(level) {
             return "cyan";
     }
 }
+function decisionLabel(update) {
+    if (update.peerConflictSeverity === "error" || update.licenseStatus === "denied") {
+        return "blocked";
+    }
+    if (update.advisoryCount && update.advisoryCount > 0) {
+        return "actionable";
+    }
+    if (update.riskLevel === "critical" || update.riskLevel === "high") {
+        return "review";
+    }
+    return "safe";
+}
+function decisionColor(label) {
+    switch (label) {
+        case "blocked":
+            return "red";
+        case "actionable":
+            return "yellow";
+        case "review":
+            return "cyan";
+        default:
+            return "green";
+    }
+}
 function TuiApp({ updates, onComplete }) {
     const [cursorIndex, setCursorIndex] = useState(0);
     const [filterIndex, setFilterIndex] = useState(0);
@@ -90,12 +114,13 @@ function TuiApp({ updates, onComplete }) {
             onComplete(updates.filter((_, index) => selectedIndices.has(index)));
         }
     });
-    return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, color: "cyan", children: "Rainy Review TUI" }), _jsx(Text, { color: "gray", children: "Left/Right filter  Up/Down move  Space toggle  A select all view  N clear  Enter confirm" }), _jsx(Box, { marginTop: 1, children: FILTER_ORDER.map((filter, index) => (_jsx(Box, { marginRight: 2, children: _jsxs(Text, { color: index === filterIndex ? "cyan" : "gray", children: ["[", filter, "]"] }) }, filter))) }), _jsxs(Box, { marginTop: 1, flexDirection: "row", children: [_jsxs(Box, { width: 72, flexDirection: "column", borderStyle: "round", borderColor: "gray", paddingX: 1, children: [_jsx(Text, { bold: true, children: "Updates" }), filteredIndices.length === 0 ? (_jsx(Text, { color: "gray", children: "No updates match this filter." })) : (filteredIndices.map((index, visibleIndex) => {
+    return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, color: "cyan", children: "Rainy Review Queue" }), _jsx(Text, { color: "gray", children: "Detect with check, summarize with doctor, decide here in review, then apply with upgrade." }), _jsx(Text, { color: "gray", children: "Left/Right filter  Up/Down move  Space toggle  A select visible  N clear  Enter confirm" }), _jsx(Box, { marginTop: 1, children: FILTER_ORDER.map((filter, index) => (_jsx(Box, { marginRight: 2, children: _jsxs(Text, { color: index === filterIndex ? "cyan" : "gray", children: ["[", filter, "]"] }) }, filter))) }), _jsxs(Box, { marginTop: 1, flexDirection: "row", children: [_jsxs(Box, { width: 72, flexDirection: "column", borderStyle: "round", borderColor: "gray", paddingX: 1, children: [_jsx(Text, { bold: true, children: "Review Queue" }), filteredIndices.length === 0 ? (_jsx(Text, { color: "gray", children: "No review candidates match this filter." })) : (filteredIndices.map((index, visibleIndex) => {
                                 const update = updates[index];
                                 const isFocused = visibleIndex === boundedCursor;
                                 const isSelected = selectedIndices.has(index);
-                                return (_jsxs(Box, { flexDirection: "row", children: [_jsxs(Text, { color: isFocused ? "cyan" : "gray", children: [isFocused ? ">" : " ", " ", isSelected ? "[x]" : "[ ]", " "] }), _jsx(Box, { width: 22, children: _jsx(Text, { bold: isFocused, children: update.name }) }), _jsx(Box, { width: 10, children: _jsx(Text, { color: diffColor(update.diffType), children: update.diffType }) }), _jsx(Box, { width: 18, children: _jsx(Text, { color: riskColor(update.riskLevel), children: update.riskLevel ?? update.impactScore?.rank ?? "low" }) }), _jsx(VersionDiff, { from: update.fromRange, to: update.toVersionResolved })] }, `${update.packagePath}:${update.name}`));
-                            }))] }), _jsxs(Box, { marginLeft: 1, width: 46, flexDirection: "column", borderStyle: "round", borderColor: "gray", paddingX: 1, children: [_jsx(Text, { bold: true, children: "Details" }), focusedUpdate ? (_jsxs(_Fragment, { children: [_jsx(Text, { children: focusedUpdate.name }), _jsxs(Text, { color: "gray", children: ["package: ", focusedUpdate.packagePath] }), _jsxs(Text, { children: ["diff: ", _jsx(Text, { color: diffColor(focusedUpdate.diffType), children: focusedUpdate.diffType })] }), _jsxs(Text, { children: ["risk: ", _jsx(Text, { color: riskColor(focusedUpdate.riskLevel), children: focusedUpdate.riskLevel ?? focusedUpdate.impactScore?.rank ?? "low" })] }), _jsxs(Text, { children: ["impact: ", focusedUpdate.impactScore?.score ?? 0] }), _jsxs(Text, { children: ["advisories: ", focusedUpdate.advisoryCount ?? 0] }), _jsxs(Text, { children: ["peer: ", focusedUpdate.peerConflictSeverity ?? "none"] }), _jsxs(Text, { children: ["license: ", focusedUpdate.licenseStatus ?? "allowed"] }), _jsxs(Text, { children: ["health: ", focusedUpdate.healthStatus ?? "healthy"] }), focusedUpdate.homepage ? (_jsxs(Text, { color: "blue", children: ["homepage: ", focusedUpdate.homepage] })) : (_jsx(Text, { color: "gray", children: "homepage: unavailable" })), focusedUpdate.riskReasons && focusedUpdate.riskReasons.length > 0 ? (_jsxs(_Fragment, { children: [_jsx(Text, { bold: true, children: "Reasons" }), focusedUpdate.riskReasons.slice(0, 4).map((reason) => (_jsxs(Text, { color: "gray", children: ["- ", reason] }, reason)))] })) : (_jsx(Text, { color: "gray", children: "No elevated risk reasons." }))] })) : (_jsx(Text, { color: "gray", children: "No update selected." }))] })] }), _jsx(Box, { marginTop: 1, borderStyle: "round", borderColor: "gray", paddingX: 1, children: _jsxs(Text, { color: "gray", children: [selectedIndices.size, " selected of ", updates.length, ". Filter: ", activeFilter, "."] }) })] }));
+                                const decision = decisionLabel(update);
+                                return (_jsxs(Box, { flexDirection: "row", children: [_jsxs(Text, { color: isFocused ? "cyan" : "gray", children: [isFocused ? ">" : " ", " ", isSelected ? "[x]" : "[ ]", " "] }), _jsx(Box, { width: 22, children: _jsx(Text, { bold: isFocused, children: update.name }) }), _jsx(Box, { width: 10, children: _jsx(Text, { color: diffColor(update.diffType), children: update.diffType }) }), _jsx(Box, { width: 18, children: _jsx(Text, { color: riskColor(update.riskLevel), children: update.riskLevel ?? update.impactScore?.rank ?? "low" }) }), _jsx(Box, { width: 12, children: _jsx(Text, { color: decisionColor(decision), children: decision }) }), _jsx(Box, { width: 10, children: _jsx(Text, { color: decisionColor(decision), children: typeof update.riskScore === "number" ? update.riskScore : "--" }) }), _jsx(VersionDiff, { from: update.fromRange, to: update.toVersionResolved })] }, `${update.packagePath}:${update.name}`));
+                            }))] }), _jsxs(Box, { marginLeft: 1, width: 46, flexDirection: "column", borderStyle: "round", borderColor: "gray", paddingX: 1, children: [_jsx(Text, { bold: true, children: "Decision Panel" }), focusedUpdate ? (_jsxs(_Fragment, { children: [_jsx(Text, { children: focusedUpdate.name }), _jsxs(Text, { color: "gray", children: ["package: ", focusedUpdate.packagePath] }), _jsxs(Text, { children: ["state:", " ", _jsx(Text, { color: decisionColor(decisionLabel(focusedUpdate)), children: decisionLabel(focusedUpdate) })] }), _jsxs(Text, { children: ["diff: ", _jsx(Text, { color: diffColor(focusedUpdate.diffType), children: focusedUpdate.diffType })] }), _jsxs(Text, { children: ["risk: ", _jsx(Text, { color: riskColor(focusedUpdate.riskLevel), children: focusedUpdate.riskLevel ?? focusedUpdate.impactScore?.rank ?? "low" })] }), _jsxs(Text, { children: ["risk score: ", focusedUpdate.riskScore ?? 0] }), _jsxs(Text, { children: ["impact score: ", focusedUpdate.impactScore?.score ?? 0] }), _jsxs(Text, { children: ["advisories: ", focusedUpdate.advisoryCount ?? 0] }), _jsxs(Text, { children: ["peer: ", focusedUpdate.peerConflictSeverity ?? "none"] }), _jsxs(Text, { children: ["license: ", focusedUpdate.licenseStatus ?? "allowed"] }), _jsxs(Text, { children: ["health: ", focusedUpdate.healthStatus ?? "healthy"] }), _jsxs(Text, { children: ["action:", " ", _jsx(Text, { color: decisionColor(decisionLabel(focusedUpdate)), children: focusedUpdate.recommendedAction ?? "Safe to keep in the review queue." })] }), focusedUpdate.homepage ? (_jsxs(Text, { color: "blue", children: ["homepage: ", focusedUpdate.homepage] })) : (_jsx(Text, { color: "gray", children: "homepage: unavailable" })), focusedUpdate.riskReasons && focusedUpdate.riskReasons.length > 0 ? (_jsxs(_Fragment, { children: [_jsx(Text, { bold: true, children: "Reasons" }), focusedUpdate.riskReasons.slice(0, 4).map((reason) => (_jsxs(Text, { color: "gray", children: ["- ", reason] }, reason)))] })) : (_jsx(Text, { color: "gray", children: "No elevated risk reasons." }))] })) : (_jsx(Text, { color: "gray", children: "No review candidate selected." }))] })] }), _jsx(Box, { marginTop: 1, borderStyle: "round", borderColor: "gray", paddingX: 1, children: _jsxs(Text, { color: "gray", children: [selectedIndices.size, " selected for apply of ", updates.length, ". Filter: ", activeFilter, ". Enter confirms the review decision set."] }) })] }));
 }
 export async function runTui(updates) {
     return new Promise((resolve) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rainy-updates/cli",
-  "version": "0.5.2",
+  "version": "0.5.4",
   "description": "The fastest DevOps-first dependency CLI. Checks, audits, upgrades, bisects, and automates npm/pnpm dependencies in CI.",
   "type": "module",
   "private": false,
@@ -56,6 +56,11 @@
     "test": "bun test",
     "lint": "bunx biome check src tests",
     "check": "bun run typecheck && bun test",
+    "bench:fixtures": "node scripts/generate-benchmark-fixtures.mjs",
+    "bench:check": "bun run build && bun run bench:fixtures && node scripts/benchmark.mjs single-100 check cold 3 && node scripts/benchmark.mjs single-100 check warm 3",
+    "bench:review": "bun run build && bun run bench:fixtures && node scripts/benchmark.mjs single-100 review cold 3 && node scripts/benchmark.mjs single-100 review warm 3",
+    "bench:resolve": "bun run build && bun run bench:fixtures && node scripts/benchmark.mjs single-100 resolve cold 3 && node scripts/benchmark.mjs single-100 resolve warm 3",
+    "bench:ci": "bun run build && bun run bench:fixtures && node scripts/benchmark.mjs mono-1000 ci cold 3 && node scripts/benchmark.mjs mono-1000 ci warm 3",
     "perf:smoke": "node scripts/perf-smoke.mjs && RAINY_UPDATES_PERF_SCENARIO=resolve node scripts/perf-smoke.mjs && RAINY_UPDATES_PERF_SCENARIO=ci node scripts/perf-smoke.mjs",
     "perf:check": "node scripts/perf-smoke.mjs",
     "perf:resolve": "RAINY_UPDATES_PERF_SCENARIO=resolve node scripts/perf-smoke.mjs",