@westbayberry/dg 1.1.4 → 1.2.0

package/dist/index.mjs

@@ -910,15 +910,15 @@ var require_route = __commonJS({
       };
     }
     function wrapConversion(toModel, graph) {
-      const path2 = [graph[toModel].parent, toModel];
+      const path = [graph[toModel].parent, toModel];
       let fn = conversions[graph[toModel].parent][toModel];
       let cur = graph[toModel].parent;
       while (graph[cur].parent) {
-        path2.unshift(graph[cur].parent);
+        path.unshift(graph[cur].parent);
         fn = link2(conversions[graph[cur].parent][cur], fn);
         cur = graph[cur].parent;
       }
-      fn.conversion = path2;
+      fn.conversion = path;
       return fn;
     }
     module.exports = function(fromModel) {
@@ -1590,8 +1590,8 @@ var require_source = __commonJS({
 // src/telemetry.ts
 import { platform, arch } from "node:os";
 function telemetryEnabled() {
-  if (process.env.DG_TELEMETRY === "0") return false;
   if (process.env.DO_NOT_TRACK === "1") return false;
+  if (process.env.DG_TELEMETRY === "0") return false;
   return true;
 }
 function classifyError(err) {
@@ -2004,17 +2004,17 @@ function ensureConfigDir() {
     mkdirSync(dir, { recursive: true, mode: 448 });
   }
 }
-function ensureConfigPerms(path2) {
+function ensureConfigPerms(path) {
   let st;
   try {
-    st = lstatSync(path2);
+    st = lstatSync(path);
   } catch {
     return;
   }
   if (!st || typeof st.isSymbolicLink !== "function") return;
   if (st.isSymbolicLink()) {
     process.stderr.write(
-      `Warning: ${path2} is a symlink; refusing to chmod (would affect the symlink target). Replace with a regular file to enforce 0o600.
+      `Warning: ${path} is a symlink; refusing to chmod (would affect the symlink target). Replace with a regular file to enforce 0o600.
 `
     );
     return;
@@ -2023,12 +2023,12 @@ function ensureConfigPerms(path2) {
   const mode = (st.mode ?? 384) & 511;
   if (mode === 384) return;
   process.stderr.write(
-    `Warning: ${path2} has perms 0o${mode.toString(8)} (expected 0o600); re-tightening.
+    `Warning: ${path} has perms 0o${mode.toString(8)} (expected 0o600); re-tightening.
 `
   );
   let fd;
   try {
-    fd = openSync(path2, fsConstants.O_RDONLY | fsConstants.O_NOFOLLOW);
+    fd = openSync(path, fsConstants.O_RDONLY | fsConstants.O_NOFOLLOW);
     fchmodSync(fd, 384);
   } catch {
   } finally {
@@ -2185,11 +2185,11 @@ async function fetchCliPolicy(opts) {
     return null;
   }
 }
-async function postCliEvent(path2, body, apiUrl, apiKey, timeoutMs = 3e3) {
+async function postCliEvent(path, body, apiUrl, apiKey, timeoutMs = 3e3) {
   try {
     const ctrl = new AbortController();
     const timer = setTimeout(() => ctrl.abort(), timeoutMs);
-    await globalThis.fetch(`${apiUrl}${path2}`, {
+    await globalThis.fetch(`${apiUrl}${path}`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -2263,9 +2263,9 @@ function authStatusCachePath() {
 }
 function readCachedAuthStatus() {
   try {
-    const path2 = authStatusCachePath();
-    if (!existsSync(path2)) return null;
-    const raw = readFileSync(path2, "utf-8");
+    const path = authStatusCachePath();
+    if (!existsSync(path)) return null;
+    const raw = readFileSync(path, "utf-8");
     const cached = JSON.parse(raw);
     if (typeof cached.fetchedAt !== "number") return null;
     if (Date.now() - cached.fetchedAt > AUTH_STATUS_TTL_MS) return null;
@@ -2276,10 +2276,10 @@ function readCachedAuthStatus() {
 }
 function writeCachedAuthStatus(status) {
   try {
-    const path2 = authStatusCachePath();
-    const dir = dirname(path2);
+    const path = authStatusCachePath();
+    const dir = dirname(path);
     if (!existsSync(dir)) mkdirSync(dir, { recursive: true, mode: 448 });
-    writeFileSync(path2, JSON.stringify(status), { mode: 384 });
+    writeFileSync(path, JSON.stringify(status), { mode: 384 });
   } catch {
   }
 }
@@ -2369,8 +2369,8 @@ async function preflightAuthCheck(apiUrl) {
 }
 function clearAuthStatusCache() {
   try {
-    const path2 = authStatusCachePath();
-    if (existsSync(path2)) unlinkSync(path2);
+    const path = authStatusCachePath();
+    if (existsSync(path)) unlinkSync(path);
   } catch {
   }
 }
@@ -2816,7 +2816,7 @@ var init_config = __esm({
     DG_DEBUG=1               Enable debug output
     DG_QUIET=1               Same as passing --quiet
     DG_WORKSPACE             Workspace subdirectory to scan
-    DG_TELEMETRY=1           Opt in to anonymous crash reports (off by default)
+    DG_TELEMETRY=0           Opt out of anonymous crash reports (on by default; DO_NOT_TRACK=1 also opts out)
     DG_FORCE_POSTINSTALL=1   Force postinstall to run even outside a TTY
                              (useful for re-running setup manually)
     DG_NO_RC_EDIT=1          Postinstall installs shims but does not edit
@@ -2865,23 +2865,23 @@ function cacheFile() {
   return dgCachePath("update-check.json");
 }
 function readCache() {
-  const path2 = cacheFile();
+  const path = cacheFile();
   let stat = null;
   try {
-    stat = lstatSync2(path2, { throwIfNoEntry: false }) ?? null;
+    stat = lstatSync2(path, { throwIfNoEntry: false }) ?? null;
   } catch {
     return null;
   }
   if (!stat) return null;
   if (!stat.isFile() || stat.size > MAX_CACHE_BYTES) {
     try {
-      unlinkSync2(path2);
+      unlinkSync2(path);
     } catch {
     }
     return null;
   }
   try {
-    const raw = readFileSync3(path2, "utf-8");
+    const raw = readFileSync3(path, "utf-8");
     const data = JSON.parse(raw);
     if (typeof data.latest === "string" && typeof data.checkedAt === "number") {
       return data;
@@ -2892,14 +2892,14 @@ function readCache() {
 }
 function writeCache(entry) {
   try {
-    const path2 = cacheFile();
-    const parent = dirname3(path2);
+    const path = cacheFile();
+    const parent = dirname3(path);
     if (!existsSync3(parent)) mkdirSync2(parent, { recursive: true, mode: 448 });
     const serialized = JSON.stringify(entry);
     if (serialized.length > MAX_CACHE_BYTES) return;
-    writeFileSync2(path2, serialized, { encoding: "utf-8", mode: 384 });
+    writeFileSync2(path, serialized, { encoding: "utf-8", mode: 384 });
     try {
-      chmodSync2(path2, 384);
+      chmodSync2(path, 384);
     } catch {
     }
   } catch {
@@ -3050,17 +3050,17 @@ function ensureUnderHome(target) {
     throw new UnsafePathError(`refusing to operate on path outside $HOME: ${target}`, target);
   }
 }
-function lstatNoSymlink(path2) {
+function lstatNoSymlink(path) {
   let st;
   try {
-    st = lstatSync3(path2);
+    st = lstatSync3(path);
   } catch (e) {
     const code = e.code;
     if (code === "ENOENT") return;
     throw e;
   }
   if (st.isSymbolicLink()) {
-    throw new UnsafePathError(`refusing: ${path2} is a symlink`, path2);
+    throw new UnsafePathError(`refusing: ${path} is a symlink`, path);
   }
 }
 function safeMkdirRecursive(target, mode = 493) {
@@ -3090,9 +3090,9 @@ function atomicWriteFile(target, content, mode = 420) {
   writeFileSync3(tmp, content, { mode });
   renameSync(tmp, target);
 }
-function isExecutable(path2) {
+function isExecutable(path) {
   try {
-    const st = statSync(path2);
+    const st = statSync(path);
     return st.isFile() && (st.mode & 73) !== 0;
   } catch {
     return false;
@@ -3117,9 +3117,9 @@ var init_safe_fs = __esm({
   "src/shims/safe-fs.ts"() {
     "use strict";
     UnsafePathError = class extends Error {
-      constructor(message, path2) {
+      constructor(message, path) {
         super(message);
-        this.path = path2;
+        this.path = path;
         this.name = "UnsafePathError";
       }
     };
@@ -3151,16 +3151,29 @@ var init_templates = __esm({
       "mamba"
     ];
     UNIX_SHIM_BODY = `#!/bin/sh
+nonce=$(cat "$HOME/.dg/state/shim-nonce" 2>/dev/null)
 if [ -n "\${DG_SHIM_ACTIVE:-}" ]; then
   cleaned_path=$(printf '%s' "$PATH" | awk -v RS=':' -v ORS=':' '$0 != ENVIRON["HOME"]"/.dg/shims"' | sed 's/:$//')
-  real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
-  if [ -n "$real_bin" ]; then
-    exec "$real_bin" "$@"
+  # Only honor DG_SHIM_ACTIVE as the recursion guard when it equals the
+  # on-disk nonce \u2014 that is the value our own wrapper sets before running the
+  # real installer. A non-matching value was set outside dg (stale or a
+  # bypass attempt) and must NOT skip scanning.
+  if [ -n "$nonce" ] && [ "$DG_SHIM_ACTIVE" = "$nonce" ]; then
+    real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
+    if [ -n "$real_bin" ]; then
+      exec "$real_bin" "$@"
+    fi
+    echo "dg: real __ECOSYSTEM__ not found on PATH" >&2
+    exit 127
   fi
-  echo "dg: real __ECOSYSTEM__ not found on PATH" >&2
-  exit 127
+  if [ -z "$nonce" ]; then
+    echo "dg: shim nonce missing (reinstall dg) \u2014 cannot verify; passing through __ECOSYSTEM__ UNSCANNED." >&2
+    real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
+    if [ -n "$real_bin" ]; then exec "$real_bin" "$@"; fi
+    exit 127
+  fi
+  echo "dg: ignoring externally-set DG_SHIM_ACTIVE (nonce mismatch); scanning __ECOSYSTEM__." >&2
 fi
-nonce=$(cat "$HOME/.dg/state/shim-nonce" 2>/dev/null)
 dg_entry=$(cat "$HOME/.dg/state/dg-entry" 2>/dev/null)
 if [ -n "$dg_entry" ] && [ -x "$dg_entry" ]; then
   DG_SHIM_ACTIVE="$nonce" DG_SHIM_PARENT_PATH="$PATH" exec "$dg_entry" __wrap __ECOSYSTEM__ "$@"
@@ -3180,6 +3193,8 @@ exit 127
 `;
     WINDOWS_SHIM_BODY = `@echo off
 setlocal enabledelayedexpansion
+set "DG_SHIM_NONCE="
+if exist "%USERPROFILE%\\.dg\\state\\shim-nonce" set /p DG_SHIM_NONCE=<"%USERPROFILE%\\.dg\\state\\shim-nonce"
 if not "%DG_SHIM_ACTIVE%"=="" (
   set "_dg_realpath="
   for /f "tokens=*" %%i in ('where __ECOSYSTEM__ 2^>nul') do (
@@ -3187,15 +3202,25 @@ if not "%DG_SHIM_ACTIVE%"=="" (
       if not defined _dg_realpath set "_dg_realpath=%%i"
     )
   )
-  if defined _dg_realpath (
-    "!_dg_realpath!" %*
-    exit /b !errorlevel!
+  rem Only honor DG_SHIM_ACTIVE as the recursion guard when it equals the nonce.
+  if "%DG_SHIM_ACTIVE%"=="!DG_SHIM_NONCE!" (
+    if defined _dg_realpath (
+      "!_dg_realpath!" %*
+      exit /b !errorlevel!
+    )
+    echo dg: real __ECOSYSTEM__ not found on PATH 1>&2
+    exit /b 127
+  )
+  if "!DG_SHIM_NONCE!"=="" (
+    echo dg: shim nonce missing ^(reinstall dg^) -- passing through __ECOSYSTEM__ UNSCANNED. 1>&2
+    if defined _dg_realpath (
+      "!_dg_realpath!" %*
+      exit /b !errorlevel!
+    )
+    exit /b 127
   )
-  echo dg: real __ECOSYSTEM__ not found on PATH 1>&2
-  exit /b 127
+  echo dg: ignoring externally-set DG_SHIM_ACTIVE ^(nonce mismatch^); scanning __ECOSYSTEM__. 1>&2
 )
-set "DG_SHIM_NONCE="
-if exist "%USERPROFILE%\\.dg\\state\\shim-nonce" set /p DG_SHIM_NONCE=<"%USERPROFILE%\\.dg\\state\\shim-nonce"
 set "DG_ENTRY="
 if exist "%USERPROFILE%\\.dg\\state\\dg-entry" set /p DG_ENTRY=<"%USERPROFILE%\\.dg\\state\\dg-entry"
 set "DG_SHIM_ACTIVE=!DG_SHIM_NONCE!"
@@ -3237,9 +3262,9 @@ exit /b 127
 import { homedir as homedir3 } from "node:os";
 import { join as join3 } from "node:path";
 import { existsSync as existsSync5, readFileSync as readFileSync4, lstatSync as lstatSync4, appendFileSync, writeFileSync as writeFileSync4 } from "node:fs";
-function expandHome(path2) {
-  if (path2.startsWith("~/")) return join3(homedir3(), path2.slice(2));
-  return path2;
+function expandHome(path) {
+  if (path.startsWith("~/")) return join3(homedir3(), path.slice(2));
+  return path;
 }
 function detectShellKind(envShell) {
   const s = (envShell ?? "").toLowerCase();
@@ -3463,6 +3488,7 @@ var init_resolve = __esm({
 var install_exports = {};
 __export(install_exports, {
   bypassLogPath: () => bypassLogPath,
+  childInstallEnv: () => childInstallEnv,
   currentDgEntry: () => currentDgEntry,
   dgShimDir: () => dgShimDir,
   ensureDgEntryRecorded: () => ensureDgEntryRecorded,
@@ -3509,15 +3535,15 @@ function ensureDgEntryRecorded(targetHome = homedir5()) {
   try {
     const entry = currentDgEntry();
     if (!entry) return;
-    const path2 = dgEntryStatePath(targetHome);
+    const path = dgEntryStatePath(targetHome);
     let existing = null;
     try {
-      existing = readFileSync6(path2, "utf-8").trim();
+      existing = readFileSync6(path, "utf-8").trim();
     } catch {
     }
     if (existing === entry) return;
-    safeMkdirRecursive(dirname5(path2), 493);
-    safeWriteFile(path2, entry + "\n", 420);
+    safeMkdirRecursive(dirname5(path), 493);
+    safeWriteFile(path, entry + "\n", 420);
   } catch {
   }
 }
@@ -3529,11 +3555,21 @@ function readNonce() {
     return null;
   }
 }
-function chownIfNeeded(path2, uid, gid) {
+function childInstallEnv() {
+  const env3 = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (k.startsWith("DG_")) continue;
+    env3[k] = v;
+  }
+  const nonce = readNonce();
+  if (nonce) env3.DG_SHIM_ACTIVE = nonce;
+  return env3;
+}
+function chownIfNeeded(path, uid, gid) {
   if (uid === void 0 || gid === void 0) return;
   if (process.platform === "win32") return;
   try {
-    chownSync(path2, uid, gid);
+    chownSync(path, uid, gid);
   } catch {
   }
 }
@@ -28803,10 +28839,10 @@ var require_react_reconciler_development = __commonJS({
         var setErrorHandler = null;
         var setSuspenseHandler = null;
         {
-          var copyWithDeleteImpl = function(obj, path2, index2) {
-            var key = path2[index2];
+          var copyWithDeleteImpl = function(obj, path, index2) {
+            var key = path[index2];
             var updated = isArray(obj) ? obj.slice() : assign({}, obj);
-            if (index2 + 1 === path2.length) {
+            if (index2 + 1 === path.length) {
               if (isArray(updated)) {
                 updated.splice(key, 1);
               } else {
@@ -28814,11 +28850,11 @@ var require_react_reconciler_development = __commonJS({
               }
               return updated;
             }
-            updated[key] = copyWithDeleteImpl(obj[key], path2, index2 + 1);
+            updated[key] = copyWithDeleteImpl(obj[key], path, index2 + 1);
             return updated;
           };
-          var copyWithDelete = function(obj, path2) {
-            return copyWithDeleteImpl(obj, path2, 0);
+          var copyWithDelete = function(obj, path) {
+            return copyWithDeleteImpl(obj, path, 0);
           };
           var copyWithRenameImpl = function(obj, oldPath, newPath, index2) {
             var oldKey = oldPath[index2];
@@ -28856,17 +28892,17 @@ var require_react_reconciler_development = __commonJS({
             }
             return copyWithRenameImpl(obj, oldPath, newPath, 0);
           };
-          var copyWithSetImpl = function(obj, path2, index2, value) {
-            if (index2 >= path2.length) {
+          var copyWithSetImpl = function(obj, path, index2, value) {
+            if (index2 >= path.length) {
               return value;
             }
-            var key = path2[index2];
+            var key = path[index2];
             var updated = isArray(obj) ? obj.slice() : assign({}, obj);
-            updated[key] = copyWithSetImpl(obj[key], path2, index2 + 1, value);
+            updated[key] = copyWithSetImpl(obj[key], path, index2 + 1, value);
             return updated;
           };
-          var copyWithSet = function(obj, path2, value) {
-            return copyWithSetImpl(obj, path2, 0, value);
+          var copyWithSet = function(obj, path, value) {
+            return copyWithSetImpl(obj, path, 0, value);
           };
           var findHook = function(fiber, id) {
             var currentHook2 = fiber.memoizedState;
@@ -28876,10 +28912,10 @@ var require_react_reconciler_development = __commonJS({
             }
             return currentHook2;
           };
-          overrideHookState = function(fiber, id, path2, value) {
+          overrideHookState = function(fiber, id, path, value) {
             var hook = findHook(fiber, id);
             if (hook !== null) {
-              var newState = copyWithSet(hook.memoizedState, path2, value);
+              var newState = copyWithSet(hook.memoizedState, path, value);
               hook.memoizedState = newState;
               hook.baseState = newState;
               fiber.memoizedProps = assign({}, fiber.memoizedProps);
@@ -28889,10 +28925,10 @@ var require_react_reconciler_development = __commonJS({
               }
             }
           };
-          overrideHookStateDeletePath = function(fiber, id, path2) {
+          overrideHookStateDeletePath = function(fiber, id, path) {
             var hook = findHook(fiber, id);
             if (hook !== null) {
-              var newState = copyWithDelete(hook.memoizedState, path2);
+              var newState = copyWithDelete(hook.memoizedState, path);
               hook.memoizedState = newState;
               hook.baseState = newState;
               fiber.memoizedProps = assign({}, fiber.memoizedProps);
@@ -28915,8 +28951,8 @@ var require_react_reconciler_development = __commonJS({
               }
             }
           };
-          overrideProps = function(fiber, path2, value) {
-            fiber.pendingProps = copyWithSet(fiber.memoizedProps, path2, value);
+          overrideProps = function(fiber, path, value) {
+            fiber.pendingProps = copyWithSet(fiber.memoizedProps, path, value);
             if (fiber.alternate) {
               fiber.alternate.pendingProps = fiber.pendingProps;
             }
@@ -28925,8 +28961,8 @@ var require_react_reconciler_development = __commonJS({
               scheduleUpdateOnFiber(root, fiber, SyncLane, NoTimestamp);
             }
           };
-          overridePropsDeletePath = function(fiber, path2) {
-            fiber.pendingProps = copyWithDelete(fiber.memoizedProps, path2);
+          overridePropsDeletePath = function(fiber, path) {
+            fiber.pendingProps = copyWithDelete(fiber.memoizedProps, path);
             if (fiber.alternate) {
               fiber.alternate.pendingProps = fiber.pendingProps;
             }
@@ -36994,8 +37030,8 @@ var init_ErrorOverview = __esm({
     init_dist3();
     init_Box();
     init_Text();
-    cleanupPath = (path2) => {
-      return path2?.replace(`file://${cwd()}/`, "");
+    cleanupPath = (path) => {
+      return path?.replace(`file://${cwd()}/`, "");
     };
     stackUtils = new import_stack_utils.default({
       cwd: cwd(),
@@ -41664,18 +41700,19 @@ async function readNdjsonAnalyzeResponse(response, onPackageProgress) {
   }
   buf += decoder.decode();
   if (buf.trim()) processLine(buf);
-  if (!finalPayload) {
+  const payload = finalPayload;
+  if (!payload) {
     throw new APIError(
       "Streaming response ended without a result event",
       0,
       ""
     );
   }
-  if (typeof finalPayload.score !== "number" || !Array.isArray(finalPayload.packages)) {
+  if (typeof payload.score !== "number" || !Array.isArray(payload.packages)) {
     throw new APIError("Invalid streamed result payload", 0, "");
   }
-  checkVersionFloor(finalPayload);
-  return sanitizeResponse(finalPayload);
+  checkVersionFloor(payload);
+  return sanitizeResponse(payload);
 }
 async function callPyPIAnalyzeAPI(packages, config, onProgress) {
   const batchSize = config.apiKey ? BATCH_SIZE : ANON_BATCH_SIZE;
@@ -41992,9 +42029,9 @@ function parseLockfile(content) {
   const lockfileVersion = json.lockfileVersion ?? 1;
   const packages = /* @__PURE__ */ new Map();
   if (lockfileVersion >= 2 && json.packages) {
-    for (const [path2, entry] of Object.entries(json.packages)) {
-      if (path2 === "") continue;
-      const pathName = extractPackageName(path2);
+    for (const [path, entry] of Object.entries(json.packages)) {
+      if (path === "") continue;
+      const pathName = extractPackageName(path);
       if (!pathName) continue;
       const e = entry;
       const entryName = typeof e.name === "string" && e.name.length > 0 ? e.name : void 0;
@@ -42266,12 +42303,12 @@ var init_parse_package_json = __esm({
 // src/lockfile/index.ts
 import { readFileSync as readFileSync8, existsSync as existsSync11, statSync as statSync3 } from "node:fs";
 import { join as join6 } from "node:path";
-function readFileSafe(path2) {
-  const size = statSync3(path2).size;
+function readFileSafe(path) {
+  const size = statSync3(path).size;
   if (size > MAX_LOCKFILE_BYTES) {
-    throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path2}`);
+    throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path}`);
   }
-  return readFileSync8(path2, "utf-8");
+  return readFileSync8(path, "utf-8");
 }
 function discoverChanges(cwd2, config) {
   if (config.workspace) {
@@ -42537,6 +42574,12 @@ var init_lockfile = __esm({
 });
 
 // src/commands/wrapper-shared.ts
+function injectIgnoreScripts(args, opts) {
+  if (!opts.isNpmFamily) return args;
+  if (!(opts.strict || opts.dgNoScripts)) return args;
+  if (args.includes("--ignore-scripts")) return args;
+  return [...args, "--ignore-scripts"];
+}
 function stripDgFlags(args) {
   let dgForce = false;
   let dgForceReason;
@@ -42619,9 +42662,7 @@ function realNpmBinary() {
   return real;
 }
 function shimSentinelEnv() {
-  const nonce = readNonce();
-  if (!nonce) return process.env;
-  return { ...process.env, DG_SHIM_ACTIVE: nonce };
+  return childInstallEnv();
 }
 function parseNpmArgs(args) {
   const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
@@ -42889,9 +42930,9 @@ function readLockfilePins(cwd2) {
       ...Object.keys(root.optionalDependencies ?? {}),
       ...Object.keys(root.peerDependencies ?? {})
     ]);
-    for (const [path2, entry] of Object.entries(lock.packages ?? {})) {
-      if (path2 === "") continue;
-      const m = path2.match(/^node_modules\/((?:@[^/]+\/)?[^/]+)$/);
+    for (const [path, entry] of Object.entries(lock.packages ?? {})) {
+      if (path === "") continue;
+      const m = path.match(/^node_modules\/((?:@[^/]+\/)?[^/]+)$/);
       if (!m) continue;
       const name = m[1];
       if (!directDeps.has(name)) continue;
@@ -43067,6 +43108,22 @@ function parsePipSpec(spec) {
     versionSpec: match[2] ?? null
   };
 }
+function pinPipArgs(rawArgs, userSpecs, resolved) {
+  const specNames = new Set(userSpecs.map((s) => parsePipSpec(s).name.toLowerCase()));
+  const pinByName = /* @__PURE__ */ new Map();
+  for (const p of resolved) {
+    const key = p.name.toLowerCase();
+    if (specNames.has(key) && !pinByName.has(key)) {
+      pinByName.set(key, `${p.name}==${p.version}`);
+    }
+  }
+  const specSet = new Set(userSpecs);
+  return rawArgs.map((a) => {
+    if (!specSet.has(a)) return a;
+    const { name } = parsePipSpec(a);
+    return pinByName.get(name.toLowerCase()) ?? a;
+  });
+}
 async function resolvePipVersion(spec) {
   const { name, versionSpec } = parsePipSpec(spec);
   if (versionSpec?.startsWith("==")) {
@@ -43128,9 +43185,7 @@ async function resolvePackages2(specs) {
   return { resolved, failed };
 }
 function shimSentinelEnv2() {
-  const nonce = readNonce();
-  if (!nonce) return process.env;
-  return { ...process.env, DG_SHIM_ACTIVE: nonce };
+  return childInstallEnv();
 }
 async function detectPipBinary() {
   const py3 = walkPathExcludingShimDir("python3");
@@ -43427,16 +43482,16 @@ function collectNpmLockSha512Hashes(packageLock) {
   const root = packageLock;
   const packages = root["packages"];
   if (packages && typeof packages === "object") {
-    for (const [path2, raw] of Object.entries(packages)) {
-      if (path2 === "") continue;
+    for (const [path, raw] of Object.entries(packages)) {
+      if (path === "") continue;
       if (!raw || typeof raw !== "object") continue;
       const entry = raw;
       const version = typeof entry.version === "string" ? entry.version : void 0;
       const integrity = typeof entry.integrity === "string" ? entry.integrity : void 0;
       if (!version || !integrity) continue;
-      const idx = path2.lastIndexOf("node_modules/");
+      const idx = path.lastIndexOf("node_modules/");
       if (idx < 0) continue;
-      const name = path2.slice(idx + "node_modules/".length);
+      const name = path.slice(idx + "node_modules/".length);
       if (!name) continue;
       const hex = npmIntegrityToSha512Hex(integrity);
       if (hex) out.set(`${name}@${version}`, hex);
@@ -43678,7 +43733,7 @@ var init_FileSavePrompt = __esm({
           return;
         }
         if ((key.backspace || key.delete) && !state.filterText) {
-          const parentDir = path.dirname(state.directory);
+          const parentDir = dirname8(state.directory);
           if (parentDir !== state.directory) {
             dispatch({ type: "SET_DIRECTORY", directory: parentDir, entries: listDirectory(parentDir) });
           }
@@ -43691,7 +43746,7 @@ var init_FileSavePrompt = __esm({
         if (key.return) {
           const entry = filteredEntries[state.browserCursor];
           if (!entry || !entry.isDirectory) return;
-          const newDir = entry.name === ".." ? path.dirname(state.directory) : path.join(state.directory, entry.name);
+          const newDir = entry.name === ".." ? dirname8(state.directory) : join8(state.directory, entry.name);
           dispatch({ type: "SET_DIRECTORY", directory: newDir, entries: listDirectory(newDir) });
           return;
         }
@@ -43967,9 +44022,9 @@ async function scanDir(dir, depth, _root) {
   }
   return { subdirs, lockfileHits };
 }
-async function isSafeRegularFile(path2) {
+async function isSafeRegularFile(path) {
   try {
-    const st = await lstat(path2);
+    const st = await lstat(path);
     return st.isFile() && !st.isSymbolicLink();
   } catch {
     return false;
@@ -44104,9 +44159,9 @@ function discoverProjectsConsolidated(projectPaths, config) {
   const seenPy = /* @__PURE__ */ new Set();
   const unparseable = [];
   let rawCount = 0;
-  for (const path2 of projectPaths) {
+  for (const path of projectPaths) {
     try {
-      const d = discoverChanges(path2, config);
+      const d = discoverChanges(path, config);
       for (const pkg of d.packages) {
         rawCount++;
         const key = `${pkg.name}@${pkg.version}`;
@@ -44122,7 +44177,7 @@ function discoverProjectsConsolidated(projectPaths, config) {
         pythonPackages.push(pkg);
       }
     } catch {
-      unparseable.push(path2);
+      unparseable.push(path);
     }
   }
   return {
@@ -44371,21 +44426,21 @@ function validateAllowlist(raw) {
   return { ok: true, allowlist: { schemaVersion: 1, rules, packages } };
 }
 function loadAllowlist(cwd2) {
-  const path2 = findAllowlistFile(cwd2);
-  if (!path2) return null;
+  const path = findAllowlistFile(cwd2);
+  if (!path) return null;
   let raw;
   try {
-    raw = JSON.parse(readFileSync10(path2, "utf-8"));
+    raw = JSON.parse(readFileSync10(path, "utf-8"));
   } catch (e) {
     process.stderr.write(
-      `dg: .dg-allowlist.json at ${path2} is not valid JSON (${e.message}). Ignoring.
+      `dg: .dg-allowlist.json at ${path} is not valid JSON (${e.message}). Ignoring.
 `
     );
     return null;
   }
   const validation = validateAllowlist(raw);
   if (!validation.ok) {
-    process.stderr.write(`dg: .dg-allowlist.json at ${path2} failed validation:
+    process.stderr.write(`dg: .dg-allowlist.json at ${path} failed validation:
 `);
     for (const err of validation.errors) {
       process.stderr.write(`  ${err.path}: ${err.message}
@@ -44395,7 +44450,7 @@ function loadAllowlist(cwd2) {
 `);
     return null;
   }
-  return { ...validation.allowlist, sourcePath: path2 };
+  return { ...validation.allowlist, sourcePath: path };
 }
 function findingRuleId(f) {
   return (f.category ?? f.title ?? "").toString();
@@ -44516,8 +44571,31 @@ function findingFingerprint(pkg, f) {
 function buildSarif(response, opts = {}) {
   const ruleMap = /* @__PURE__ */ new Map();
   const results = [];
+  const INCOMPLETE_RULE = "dg.analysis_incomplete";
   for (const pkg of response.packages) {
+    if (pkg.action === "analysis_incomplete") {
+      if (!ruleMap.has(INCOMPLETE_RULE)) {
+        ruleMap.set(INCOMPLETE_RULE, {
+          id: INCOMPLETE_RULE,
+          name: INCOMPLETE_RULE,
+          shortDescription: { text: "Package could not be fully analyzed \u2014 treat as unverified" },
+          defaultConfiguration: { level: "warning" }
+        });
+      }
+      results.push({
+        ruleId: INCOMPLETE_RULE,
+        level: "warning",
+        message: { text: `${pkg.name} ${pkg.version}: analysis incomplete \u2014 the scanner could not fully evaluate this package. Treat as unverified, not safe.` },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: { uri: opts.lockfileUri ?? `dg:${pkg.name}@${pkg.version}` }
+          }
+        }],
+        partialFingerprints: { dg_finding: `${pkg.name}@${pkg.version}#${INCOMPLETE_RULE}`.slice(0, 240) }
+      });
+    }
     const findings = pkg.findings ?? [];
+    let pkgResultCount = 0;
     for (const f of findings) {
       const id = findingId(f);
       const level = severityToLevel(f.severity);
@@ -44541,6 +44619,32 @@ function buildSarif(response, opts = {}) {
         }],
         partialFingerprints: { dg_finding: findingFingerprint(pkg, f) }
       });
+      pkgResultCount++;
+    }
+    if (pkgResultCount === 0 && (pkg.action === "block" || pkg.action === "warn")) {
+      const ruleId = pkg.action === "block" ? "dg.block" : "dg.warn";
+      const level = pkg.action === "block" ? "error" : "warning";
+      if (!ruleMap.has(ruleId)) {
+        ruleMap.set(ruleId, {
+          id: ruleId,
+          name: ruleId,
+          shortDescription: {
+            text: pkg.action === "block" ? "Package blocked by Dependency Guardian" : "Package flagged (warn) by Dependency Guardian"
+          },
+          defaultConfiguration: { level }
+        });
+      }
+      results.push({
+        ruleId,
+        level,
+        message: { text: `${pkg.name} ${pkg.version}: ${pkg.action} verdict from Dependency Guardian (no individual findings surfaced at this tier).` },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: { uri: opts.lockfileUri ?? `dg:${pkg.name}@${pkg.version}` }
+          }
+        }],
+        partialFingerprints: { dg_finding: `${pkg.name}@${pkg.version}#${ruleId}`.slice(0, 240) }
+      });
     }
   }
   return {
@@ -44677,7 +44781,7 @@ function shouldFireAudit(policy, decisionAction) {
   return false;
 }
 function flagPackages(packages) {
-  return packages.filter((p) => p.score >= 60);
+  return packages.filter((p) => (p.action ?? "pass") !== "pass");
 }
 async function dispatchPublishCheckAudit(opts) {
   try {
@@ -44704,8 +44808,8 @@ function bypassLogPath2() {
 }
 function recordBypassLocally(record) {
   try {
-    const path2 = bypassLogPath2();
-    const dir = dirname10(path2);
+    const path = bypassLogPath2();
+    const dir = dirname10(path);
     if (!existsSync16(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
     const full = {
       ts: (/* @__PURE__ */ new Date()).toISOString(),
@@ -44716,7 +44820,7 @@ function recordBypassLocally(record) {
       reason: record.reason,
       packages: record.packages
     };
-    appendFileSync3(path2, JSON.stringify(full) + "\n", { mode: 384 });
+    appendFileSync3(path, JSON.stringify(full) + "\n", { mode: 384 });
   } catch {
   }
 }
@@ -44789,13 +44893,13 @@ function wrapperPackagesFromResult(result, topLevelNames) {
   }));
 }
 function loadPackageLockJson(cwd2 = process.cwd()) {
-  const path2 = resolvePath(cwd2, "package-lock.json");
-  if (!existsSync17(path2)) return null;
+  const path = resolvePath(cwd2, "package-lock.json");
+  if (!existsSync17(path)) return null;
   try {
-    const st = lstatSync5(path2);
+    const st = lstatSync5(path);
     if (!st.isFile()) return null;
     if (st.size > MAX_PACKAGE_LOCK_BYTES) return null;
-    return JSON.parse(readFileSync11(path2, "utf8"));
+    return JSON.parse(readFileSync11(path, "utf8"));
   } catch {
     return null;
   }
@@ -44875,7 +44979,7 @@ function maybePrintFirstScanNotice(config) {
     if (getScanNoticeShownAt2() !== null) return;
     process.stderr.write(
       import_chalk5.default.dim(
-        "  Dependency Guardian sends package names + versions to api.westbayberry.com.\n  Anonymous crash reports are on; set DG_TELEMETRY=0 to opt out.\n  Terms: https://westbayberry.com/terms \xB7 Privacy: https://westbayberry.com/privacy\n"
+        "  Dependency Guardian sends package names + versions to api.westbayberry.com.\n  Anonymous crash reports are on to help us fix early bugs (no source, paths, or package names);\n  opt out with DG_TELEMETRY=0 or DO_NOT_TRACK=1.\n  Terms: https://westbayberry.com/terms \xB7 Privacy: https://westbayberry.com/privacy\n"
       )
     );
     recordScanNoticeShown2();
@@ -44941,6 +45045,7 @@ function handleFreeCapReached2(error, jsonMode = false) {
 function actionColor(action) {
   if (action === "block") return import_chalk5.default.red;
   if (action === "warn") return import_chalk5.default.yellow;
+  if (action === "analysis_incomplete") return import_chalk5.default.cyan;
   return import_chalk5.default.green;
 }
 function actionBadge(pkg) {
@@ -44957,6 +45062,9 @@ function isBlocked(p) {
 function isWarned(p) {
   return p.action === "warn";
 }
+function isIncomplete(p) {
+  return p.action === "analysis_incomplete";
+}
 function renderResultClean(result, _config) {
   const lines = [];
   const total = result.packages.length;
@@ -44968,7 +45076,8 @@ function renderResultClean(result, _config) {
   }
   const blocked = result.packages.filter(isBlocked);
   const warned = result.packages.filter(isWarned);
-  if (result.action === "pass" && blocked.length === 0 && warned.length === 0) {
+  const incomplete = result.packages.filter(isIncomplete);
+  if (result.action === "pass" && blocked.length === 0 && warned.length === 0 && incomplete.length === 0) {
     lines.push("");
     lines.push(`  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("Dependency Guardian")} checked ${total} package${total !== 1 ? "s" : ""}. ${import_chalk5.default.green("No risky behavior found.")}`);
     if (result.durationMs) {
@@ -44977,11 +45086,18 @@ function renderResultClean(result, _config) {
     lines.push("");
     return lines.join("\n");
   }
-  const headerColor = result.action === "block" ? import_chalk5.default.red : import_chalk5.default.yellow;
-  const headerLabel = result.action === "block" ? "BLOCK" : "WARN";
+  const headerLabel = result.action === "block" ? "BLOCK" : result.action === "warn" ? "WARN" : result.action === "analysis_incomplete" ? "UNKNOWN" : "PASS";
+  const headerColor = actionColor(result.action);
+  const cleanCount = total - blocked.length - warned.length - incomplete.length;
+  const countParts = [
+    `${blocked.length} block`,
+    `${warned.length} warn`,
+    ...incomplete.length > 0 ? [`${incomplete.length} unknown`] : [],
+    `${cleanCount} clean`
+  ];
   lines.push("");
   lines.push(`  ${headerColor(import_chalk5.default.bold(headerLabel))}  ${import_chalk5.default.bold("Dependency Guardian")} ${import_chalk5.default.dim(`(score ${result.score})`)}`);
-  lines.push(`  ${import_chalk5.default.dim(`${total} package${total !== 1 ? "s" : ""} scanned \xB7 ${blocked.length} block \xB7 ${warned.length} warn \xB7 ${total - blocked.length - warned.length} clean`)}`);
+  lines.push(`  ${import_chalk5.default.dim(`${total} package${total !== 1 ? "s" : ""} scanned \xB7 ${countParts.join(" \xB7 ")}`)}`);
   lines.push("");
   const showFirst = (pkgs, color, label) => {
     if (pkgs.length === 0) return;
@@ -44997,10 +45113,13 @@ function renderResultClean(result, _config) {
   };
   showFirst(blocked, import_chalk5.default.red, "Blocked");
   showFirst(warned, import_chalk5.default.yellow, "Warnings");
+  showFirst(incomplete, import_chalk5.default.cyan, "Could not analyze");
   if (result.action === "block") {
     lines.push(`  ${import_chalk5.default.dim("Next step:")} review the findings above, then either pin a safe version or use ${import_chalk5.default.bold("--dg-force")} to bypass.`);
   } else if (result.action === "warn") {
     lines.push(`  ${import_chalk5.default.dim("Next step:")} review the warnings; install proceeds unless you set ${import_chalk5.default.bold("--mode block")}.`);
+  } else if (result.action === "analysis_incomplete") {
+    lines.push(`  ${import_chalk5.default.dim("Next step:")} one or more packages could not be fully analyzed \u2014 treat as unverified, not safe. Re-run to retry.`);
   }
   lines.push("");
   return lines.join("\n");
@@ -45019,13 +45138,21 @@ function renderResultDetails(result, _config) {
   lines.push("");
   const blocked = result.packages.filter(isBlocked);
   const warned = result.packages.filter(isWarned);
-  const passWithScore = result.packages.filter((p) => p.score > 0 && p.score < 60);
-  const clean = result.packages.filter((p) => p.score === 0);
+  const incomplete = result.packages.filter(isIncomplete);
+  const rest = result.packages.filter((p) => !isBlocked(p) && !isWarned(p) && !isIncomplete(p));
+  const passWithScore = rest.filter((p) => p.score > 0 && p.score < 60);
+  const clean = rest.filter((p) => p.score === 0);
   const total = result.packages.length;
   const needsAttention = blocked.length + warned.length;
-  if (needsAttention > 0) {
+  if (needsAttention > 0 || incomplete.length > 0) {
+    const segs = [
+      import_chalk5.default.red(`${blocked.length} block`),
+      import_chalk5.default.yellow(`${warned.length} warn`),
+      ...incomplete.length > 0 ? [import_chalk5.default.cyan(`${incomplete.length} unknown`)] : [],
+      import_chalk5.default.green(`${clean.length + passWithScore.length} pass`)
+    ];
     lines.push(
-      `  ${total} package${total !== 1 ? "s" : ""} scanned ${import_chalk5.default.dim("\u2502")} ${import_chalk5.default.red(`${blocked.length} block`)} ${import_chalk5.default.dim("\u2502")} ${import_chalk5.default.yellow(`${warned.length} warn`)} ${import_chalk5.default.dim("\u2502")} ${import_chalk5.default.green(`${clean.length + passWithScore.length} pass`)}`
+      `  ${total} package${total !== 1 ? "s" : ""} scanned ${import_chalk5.default.dim("\u2502")} ${segs.join(` ${import_chalk5.default.dim("\u2502")} `)}`
     );
   } else {
     lines.push(
@@ -45038,8 +45165,8 @@ function renderResultDetails(result, _config) {
     lines.push("");
     return lines.join("\n");
   }
-  if (needsAttention > 0) {
-    const groups = groupPackages([...blocked, ...warned]);
+  if (needsAttention > 0 || incomplete.length > 0) {
+    const groups = groupPackages([...blocked, ...warned, ...incomplete]);
     lines.push(`  ${import_chalk5.default.bold("Needs Attention")}`);
     lines.push(`  ${import_chalk5.default.dim("\u2500".repeat(60))}`);
     for (const group of groups) {
@@ -45183,14 +45310,7 @@ async function runStatic(config) {
     }
     if (discovery.pythonPackages.length > 0) {
       const pyResult = await callPyPIAnalyzeAPI(discovery.pythonPackages, config);
-      result.packages.push(...pyResult.packages);
-      result.score = Math.max(result.score, pyResult.score);
-      if (pyResult.action === "block" || pyResult.action === "warn" && result.action === "pass") {
-        result.action = pyResult.action;
-      }
-      if (pyResult.freeScansRemaining !== void 0) {
-        result.freeScansRemaining = pyResult.freeScansRemaining;
-      }
+      result = mergeResponses([result, pyResult]);
     }
     clearSpinner();
     dbg(
@@ -45354,11 +45474,11 @@ function buildInstallArgs(parsed, topLevelSpecs, tree, config) {
   if (tree.length > 0 && topLevelSpecs.length > 0) {
     args = pinTopLevelArgs(args, topLevelSpecs, tree);
   }
-  const wantsNoScripts = parsed.dgNoScripts || config.strict;
-  if (wantsNoScripts && !args.includes("--ignore-scripts")) {
-    args = [...args, "--ignore-scripts"];
-  }
-  return args;
+  return injectIgnoreScripts(args, {
+    isNpmFamily: true,
+    strict: config.strict,
+    dgNoScripts: parsed.dgNoScripts
+  });
 }
 async function scanAndInstallStatic(resolved, parsed, config) {
   const topLevelSpecs = resolved.map((p) => `${p.name}@${p.version}`);
@@ -45387,6 +45507,14 @@ async function scanAndInstallStatic(resolved, parsed, config) {
       process.stderr.write(
         import_chalk5.default.dim("  Only top-level packages would be scanned; transitive deps would slip through. Use --dg-force to bypass.\n\n")
       );
+      emitWrapperJson(config, {
+        ecosystem: "npm",
+        packages: [],
+        scanVerdict: "scan_failed",
+        installRan: false,
+        installExitCode: null,
+        error: { code: "tree_resolution_failed", message: treeError }
+      });
       process.exit(2);
     }
     process.stderr.write(
@@ -45606,6 +45734,42 @@ ${installLine}
     });
     process.exit(2);
   }
+  if (result.action === "analysis_incomplete") {
+    const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+    const refuse = (config.mode === "block" || config.strict) && !parsed.dgForce;
+    if (refuse) {
+      const specArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : resolved.map((p) => `${p.name}@${p.version}`).join(" ");
+      process.stderr.write(
+        `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
+  Real install was NOT run (--mode block). To override:
+` + import_chalk5.default.dim(`    npm install ${specArg} --dg-force --dg-force-reason="<reason>"
+
+`)
+      );
+      emitWrapperJson(config, {
+        ecosystem: "npm",
+        packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
+        scanVerdict: "analysis_incomplete",
+        installRan: false,
+        installExitCode: null
+      });
+      process.exit(4);
+    }
+    process.stderr.write(
+      import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
+
+`)
+    );
+    const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
+    emitWrapperJson(config, {
+      ecosystem: "npm",
+      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
+      scanVerdict: "analysis_incomplete",
+      installRan: true,
+      installExitCode: code
+    });
+    process.exit(code);
+  }
 }
 async function runStaticPip(pipArgs, config) {
   config = mergeProjectConfig(config, process.argv.slice(2));
@@ -45695,6 +45859,17 @@ async function runStaticPip(pipArgs, config) {
       )
     );
   }
+  const isRequirementsInstall = !!parsed.requirementsFile;
+  if (isRequirementsInstall && !(pipTreeOk && pipTree.hashes.size > 0) && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+    process.stderr.write(
+      import_chalk5.default.red(import_chalk5.default.bold("  BLOCKED: ")) + import_chalk5.default.red(`a -r requirements install cannot be pinned to exact versions and no dry-run hashes are available to verify the artifacts.
+`) + import_chalk5.default.dim(`  Install aborted${config.strict ? " in --strict" : " in --mode block"} (resolve\u2192install mismatch risk). Use --mode warn or --dg-force to bypass.
+
+`)
+    );
+    process.exit(2);
+  }
+  const pipInstallArgs = pinPipArgs(parsed.rawArgs, parsed.packages, resolved);
   note(
     config,
     import_chalk5.default.dim(
@@ -45723,14 +45898,14 @@ async function runStaticPip(pipArgs, config) {
       process.stderr.write(
         import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n"))
       );
-      const code2 = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+      const code2 = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
       process.exit(code2);
     }
     process.stderr.write(
       import_chalk5.default.yellow(`  Warning: Scan failed (${msg}). Proceeding with install (mode=${config.mode}).
 `)
     );
-    const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
     process.exit(code);
     return;
   }
@@ -45767,7 +45942,7 @@ ${installLine}
 `);
     printTrialBanner(result, config);
     process.stderr.write("\n");
-    const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
     emitWrapperJson(config, {
       ecosystem: "pypi",
       packages: wrapperPackagesFromResult(result, pipTopLevelNames),
@@ -45799,7 +45974,7 @@ ${installLine}
       });
       process.exit(1);
     }
-    const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
     emitWrapperJson(config, {
       ecosystem: "pypi",
       packages: wrapperPackagesFromResult(result, pipTopLevelNames),
@@ -45822,7 +45997,7 @@ ${installLine}
       process.stderr.write(
         import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n"))
       );
-      const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+      const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
       emitWrapperJson(config, {
         ecosystem: "pypi",
         packages: wrapperPackagesFromResult(result, pipTopLevelNames),
@@ -45857,6 +46032,42 @@ ${installLine}
     });
     process.exit(2);
   }
+  if (result.action === "analysis_incomplete") {
+    const pipTopLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+    const refuse = (config.mode === "block" || config.strict) && !parsed.dgForce;
+    if (refuse) {
+      const pipSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
+      process.stderr.write(
+        `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${pipTopLevel} \u2014 treating as unverified, not safe.
+  Real install was NOT run (--mode block). To override:
+` + import_chalk5.default.dim(`    pip install ${pipSpecArg} --dg-force --dg-force-reason="<reason>"
+
+`)
+      );
+      emitWrapperJson(config, {
+        ecosystem: "pypi",
+        packages: wrapperPackagesFromResult(result, pipTopLevelNames),
+        scanVerdict: "analysis_incomplete",
+        installRan: false,
+        installExitCode: null
+      });
+      process.exit(4);
+    }
+    process.stderr.write(
+      import_chalk5.default.dim(`  DG could not fully verify ${pipTopLevel}; proceeding (mode is not block).
+
+`)
+    );
+    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
+    emitWrapperJson(config, {
+      ecosystem: "pypi",
+      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
+      scanVerdict: "analysis_incomplete",
+      installRan: true,
+      installExitCode: code
+    });
+    process.exit(code);
+  }
 }
 async function runStaticLogin() {
   const {
@@ -45969,6 +46180,7 @@ var init_static_output = __esm({
     init_lockfile();
     init_npm_wrapper();
     init_pip_wrapper();
+    init_wrapper_shared();
     init_artifact_integrity();
     init_sanitize();
     init_format_helpers();
@@ -46763,11 +46975,11 @@ var init_InteractiveResultsView = __esm({
       const scanUsage = usageDisplay ? usageDisplay.text : result.freeScansRemaining !== void 0 ? `${result.freeScansRemaining.toLocaleString()} packages left` : scanUsageProp;
       const usageNearLimit = usageDisplay?.nearLimit ?? false;
       const flagged = (0, import_react30.useMemo)(
-        () => result.packages.filter((p) => p.score > 0),
+        () => result.packages.filter((p) => (p.action ?? "pass") !== "pass"),
         [result.packages]
       );
       const clean = (0, import_react30.useMemo)(
-        () => result.packages.filter((p) => p.score === 0),
+        () => result.packages.filter((p) => (p.action ?? "pass") === "pass"),
         [result.packages]
       );
       const total = result.packages.length;
@@ -47063,8 +47275,8 @@ var init_InteractiveResultsView = __esm({
           const { body, ext } = formatExport(payload, scope, format);
           const scopeTag = scope === "current-license" && currentLicenseIdx !== null ? `${(licenseGroups[currentLicenseIdx]?.spdx ?? "license").replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 32)}` : scope;
           const filename = `dg-scan-${ts}-${scopeTag}.${ext}`;
-          const path2 = resolvePath2(process.cwd(), filename);
-          writeFileSync11(path2, body, "utf-8");
+          const path = resolvePath2(process.cwd(), filename);
+          writeFileSync11(path, body, "utf-8");
           showExportMsg(`\u2713 Exported to ${filename}`);
         } catch (e) {
           showExportMsg(`Export failed: ${e.message}`);
@@ -48461,6 +48673,7 @@ var publish_check_exports = {};
 __export(publish_check_exports, {
   findPypiArtifacts: () => findPypiArtifacts,
   npmPackDryRun: () => npmPackDryRun,
+  publishCheckExitCode: () => publishCheckExitCode,
   renderPublishCheckResult: () => renderPublishCheckResult,
   runNpmPublishCheck: () => runNpmPublishCheck,
   runPypiPublishCheck: () => runPypiPublishCheck,
@@ -48597,6 +48810,12 @@ function summarize(ecosystem, artifact, files, findings) {
     action
   };
 }
+function publishCheckExitCode(action, force) {
+  if (force) return 0;
+  if (action === "block") return 2;
+  if (action === "warn") return 1;
+  return 0;
+}
 async function runNpmPublishCheck(cwd2 = process.cwd()) {
   const pack = await npmPackDryRun(cwd2);
   if (!pack.ok) return { ok: false, errorMessage: pack.errorMessage };
@@ -48658,10 +48877,10 @@ function parseTar(buf) {
   }
   return out;
 }
-async function readGzipped(path2) {
+async function readGzipped(path) {
   return new Promise((resolve3, reject) => {
     const chunks = [];
-    const stream = createReadStream(path2).pipe(createGunzip());
+    const stream = createReadStream(path).pipe(createGunzip());
     stream.on("data", (c) => chunks.push(c));
     stream.on("end", () => resolve3(Buffer.concat(chunks)));
     stream.on("error", reject);
@@ -48894,11 +49113,11 @@ function validateEntry(raw) {
   };
 }
 function readRegistry() {
-  const path2 = registryPath();
-  if (!existsSync20(path2)) return [];
+  const path = registryPath();
+  if (!existsSync20(path)) return [];
   let raw;
   try {
-    raw = readFileSync14(path2, "utf-8");
+    raw = readFileSync14(path, "utf-8");
   } catch {
     return [];
   }
@@ -48919,13 +49138,13 @@ function readRegistry() {
   return out;
 }
 function writeRegistry(entries) {
-  const path2 = registryPath();
-  const parent = dirname12(path2);
+  const path = registryPath();
+  const parent = dirname12(path);
   if (!existsSync20(parent)) mkdirSync8(parent, { recursive: true, mode: 448 });
   const payload = { version: 1, entries };
-  writeFileSync12(path2, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
+  writeFileSync12(path, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
   try {
-    chmodSync4(path2, 384);
+    chmodSync4(path, 384);
   } catch {
   }
 }
@@ -49524,9 +49743,9 @@ function installPrefix(resolvedBinPath) {
   if (idx < 0) return null;
   return resolvedBinPath.slice(0, idx);
 }
-function canWrite(path2) {
+function canWrite(path) {
   try {
-    accessSync(path2, constants2.W_OK);
+    accessSync(path, constants2.W_OK);
     return true;
   } catch {
     return false;
@@ -49949,9 +50168,9 @@ async function revokeApiKey(apiKey) {
     return { ok: false, reason: e.message };
   }
 }
-function rmFile(path2) {
+function rmFile(path) {
   try {
-    unlinkSync7(path2);
+    unlinkSync7(path);
     return { ok: true };
   } catch (e) {
     const code = e.code;
@@ -49959,9 +50178,9 @@ function rmFile(path2) {
     return { ok: false, reason: e.message };
   }
 }
-function rmTree(path2) {
+function rmTree(path) {
   try {
-    rmSync2(path2, { recursive: true, force: true });
+    rmSync2(path, { recursive: true, force: true });
     return { ok: true };
   } catch (e) {
     return { ok: false, reason: e.message };
@@ -50950,8 +51169,8 @@ var init_ProjectSelector = __esm({
           const ecoCountPlainLen = `${proj.ecosystem} ${proj.packageCount} packages`.length;
           const fixedPrefixLen = 4;
           const pathColWidth = Math.max(20, termCols - fixedPrefixLen - ecoCountPlainLen - 3);
-          const path2 = sanitize(proj.relativePath);
-          const pathTruncated = path2.length > pathColWidth ? path2.slice(0, Math.max(1, pathColWidth - 1)) + "\u2026" : path2.padEnd(pathColWidth);
+          const path = sanitize(proj.relativePath);
+          const pathTruncated = path.length > pathColWidth ? path.slice(0, Math.max(1, pathColWidth - 1)) + "\u2026" : path.padEnd(pathColWidth);
           return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { backgroundColor: isCursor ? "#1a1a2e" : void 0, wrap: "truncate-end", children: [
             prefix,
             check,
@@ -51046,6 +51265,7 @@ var init_App2 = __esm({
     await init_ProjectSelector();
     await init_SetupBanner();
     await init_useTerminalSize();
+    init_static_output();
     init_terminal_state();
     import_jsx_runtime13 = __toESM(require_jsx_runtime(), 1);
     App2 = ({ config, userStatus, scanUsage, setupIssues = [] }) => {
@@ -51084,16 +51304,7 @@ var init_App2 = __esm({
       }, []);
       const handleResultsExit = (0, import_react36.useCallback)(() => {
         if (state.phase === "results") {
-          const { result } = state;
-          if (result.action === "block" && config.mode === "block") {
-            process.exitCode = 2;
-          } else if (result.action === "block" || result.action === "warn") {
-            process.exitCode = 1;
-          } else if (result.action === "analysis_incomplete") {
-            process.exitCode = 4;
-          } else {
-            process.exitCode = 0;
-          }
+          process.exitCode = scanExitCode(state.result.action, config.mode);
         }
         leaveAltScreen();
         exit();
@@ -51122,7 +51333,10 @@ var init_App2 = __esm({
 `, 3);
           return () => clearTimeout(timer);
         }
-      }, [state, exitWithMessage]);
+        if (state.phase === "results") {
+          process.exitCode = scanExitCode(state.result.action, config.mode);
+        }
+      }, [state, config, exitWithMessage]);
       use_input_default((input, key) => {
         if (state.phase === "discovering" || state.phase === "scanning") {
           if (input === "q" || key.escape) {
@@ -51272,9 +51486,9 @@ function locateInkInstancesPath() {
 async function initInkInstances() {
   if (realInstances) return;
   try {
-    const path2 = locateInkInstancesPath();
-    if (!path2) return;
-    const mod = await import(path2);
+    const path = locateInkInstancesPath();
+    if (!path) return;
+    const mod = await import(path);
     realInstances = mod.default ?? null;
   } catch {
     realInstances = null;
@@ -51524,6 +51738,8 @@ function reducer4(_state, action) {
       return { phase: "warn", result: action.result, dgForce: action.dgForce };
     case "BLOCKED":
       return { phase: "blocked", result: action.result, dgForce: action.dgForce };
+    case "INCOMPLETE":
+      return { phase: "incomplete", result: action.result, message: action.message, proceed: action.proceed };
     case "INSTALLING":
       return { phase: "installing" };
     case "DONE":
@@ -51558,6 +51774,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
     if (started.current) return;
     started.current = true;
     const parsed = parsedRef.current;
+    let installArgs = parsed.rawArgs;
     (async () => {
       try {
         if (!parsed.shouldScan) {
@@ -51586,14 +51803,45 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
           dispatch({ type: "DONE", exitCode: code });
           return;
         }
-        dispatch({ type: "SCANNING", count: resolved.length });
-        const result = await opts.callAnalyze(resolved, config);
+        const isRequirementsInstall = opts.ecosystem === "pypi" && (parsed.rawArgs.includes("-r") || parsed.rawArgs.includes("--requirement"));
+        if (isRequirementsInstall && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+          dispatch({
+            type: "ERROR",
+            message: `A -r requirements install cannot be pinned to the exact scanned versions; refusing in ${config.strict ? "--strict" : "--mode block"} (resolve\u2192install mismatch risk). Use --mode warn or --dg-force to bypass.`,
+            proceed: false
+          });
+          dispatch({ type: "DONE", exitCode: 2 });
+          return;
+        }
+        const pinnedArgs = isRequirementsInstall ? parsed.rawArgs : opts.ecosystem === "npm" ? pinTopLevelArgs(parsed.rawArgs, parsed.packages, resolved) : pinPipArgs(parsed.rawArgs, parsed.packages, resolved);
+        installArgs = injectIgnoreScripts(pinnedArgs, {
+          isNpmFamily: opts.ecosystem === "npm",
+          strict: config.strict,
+          dgNoScripts: parsed.dgNoScripts
+        });
+        let scanSet = resolved;
+        if (opts.resolveTree) {
+          const tree = await opts.resolveTree(specs);
+          if (tree.ok && tree.packages.length > 0) {
+            scanSet = tree.packages;
+          } else if ((config.mode === "block" || config.strict) && !parsed.dgForce) {
+            dispatch({
+              type: "ERROR",
+              message: `Could not enumerate the dependency tree (${tree.errorMessage ?? "dry-run produced no tree"}); transitive deps would install unscanned. Install aborted in ${config.strict ? "--strict" : "--mode block"}. Use --dg-force to bypass.`,
+              proceed: false
+            });
+            dispatch({ type: "DONE", exitCode: 2 });
+            return;
+          }
+        }
+        dispatch({ type: "SCANNING", count: scanSet.length });
+        const result = await opts.callAnalyze(scanSet, config);
         if (result.action === "pass") {
           if (exit) exit();
           const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
           const line = formatPassLine(result, chalk18);
           process.stderr.write("  " + line + "\n\n");
-          const code = await opts.runInstall(parsed.rawArgs);
+          const code = await opts.runInstall(installArgs);
           process.exit(code);
           return;
         }
@@ -51609,7 +51857,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
             });
             dispatch({ type: "WARN", result, dgForce: true });
             dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
+            const code = await opts.runInstall(installArgs);
             dispatch({ type: "DONE", exitCode: code });
             return;
           }
@@ -51627,7 +51875,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
               packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
             });
             dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
+            const code = await opts.runInstall(installArgs);
             dispatch({ type: "DONE", exitCode: code });
           } else {
             dispatch({ type: "DONE", exitCode: 1 });
@@ -51646,7 +51894,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
             });
             dispatch({ type: "BLOCKED", result, dgForce: true });
             dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
+            const code = await opts.runInstall(installArgs);
             dispatch({ type: "DONE", exitCode: code });
             return;
           }
@@ -51664,13 +51912,32 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
               packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
             });
             dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
+            const code = await opts.runInstall(installArgs);
             dispatch({ type: "DONE", exitCode: code });
           } else {
             dispatch({ type: "DONE", exitCode: 2 });
           }
           return;
         }
+        {
+          const refuseHard = config.mode === "block" || config.strict;
+          const baseMsg = "DG could not fully analyze the install set (analysis incomplete).";
+          if (refuseHard && !parsed.dgForce) {
+            dispatch({
+              type: "INCOMPLETE",
+              result,
+              proceed: false,
+              message: `${baseMsg} Refusing install in ${config.strict ? "--strict" : "--mode block"} \u2014 unverified is not safe. Use --mode warn or --dg-force to bypass.`
+            });
+            dispatch({ type: "DONE", exitCode: 4 });
+            return;
+          }
+          dispatch({ type: "INCOMPLETE", result, proceed: true, message: baseMsg });
+          dispatch({ type: "INSTALLING" });
+          const code = await opts.runInstall(installArgs);
+          dispatch({ type: "DONE", exitCode: code });
+          return;
+        }
       } catch (error) {
         if (error instanceof FreeCapReachedError) {
           dispatch({ type: "FREE_CAP_REACHED" });
@@ -51688,7 +51955,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
         }
         dispatch({ type: "ERROR", message, proceed: true });
         dispatch({ type: "INSTALLING" });
-        const code = await opts.runInstall(parsedRef.current.rawArgs);
+        const code = await opts.runInstall(installArgs);
         dispatch({ type: "DONE", exitCode: code });
       }
     })();
@@ -51711,11 +51978,13 @@ var init_useWrapperBase = __esm({
     "use strict";
     import_react37 = __toESM(require_react(), 1);
     init_client();
+    init_wrapper_shared();
     init_npm_wrapper();
     init_pip_wrapper();
     NPM_OPTIONS = {
       parseArgs: parseNpmArgs,
       resolvePackages,
+      resolveTree: resolveTreeNpm,
       callAnalyze: callAnalyzeAPI,
       runInstall: runNpm,
       inferSpecsFromContext: () => readBareInstallPackages(process.cwd()),
@@ -51724,6 +51993,7 @@ var init_useWrapperBase = __esm({
     PIP_OPTIONS = {
       parseArgs: parsePipArgs,
       resolvePackages: resolvePackages2,
+      resolveTree: resolveTreePip,
       callAnalyze: callPyPIAnalyzeAPI,
       runInstall: runPip,
       inferSpecsFromContext: (parsed) => {
@@ -51787,8 +52057,8 @@ var init_ResultsView = __esm({
       config: _config,
       durationMs
     }) => {
-      const flagged = result.packages.filter((p) => p.score > 0);
-      const clean = result.packages.filter((p) => p.score === 0);
+      const flagged = result.packages.filter((p) => (p.action ?? "pass") !== "pass");
+      const clean = result.packages.filter((p) => (p.action ?? "pass") === "pass");
       const total = result.packages.length;
       const groups = groupPackages(flagged);
       return /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Box_default, { flexDirection: "column", paddingLeft: 2, children: [
@@ -51832,7 +52102,7 @@ var init_ResultsView = __esm({
           import_chalk16.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`)
         ] }),
         /* @__PURE__ */ (0, import_jsx_runtime15.jsx)(Newline, {}),
-        groups.filter((g) => g.packages[0].score > 0).map((group) => {
+        groups.filter((g) => (g.packages[0].action ?? "pass") !== "pass").map((group) => {
           const rep = group.packages[0];
           const names = group.packages.length === 1 ? `${rep.name}@${rep.version}` : group.packages.length <= 3 ? group.packages.map((p) => `${p.name}@${p.version}`).join(", ") : `${rep.name}@${rep.version} + ${group.packages.length - 1} identical packages`;
           const visibleFindings = rep.findings.filter((f) => f.severity > 1).sort((a, b) => b.severity - a.severity);
@@ -51943,13 +52213,15 @@ function reasonTag(pkg) {
 function countSummary(result) {
   let block = 0;
   let warn = 0;
+  let unknown = 0;
   let clean = 0;
   for (const p of result.packages) {
     if (p.action === "block") block++;
     else if (p.action === "warn") warn++;
+    else if (p.action === "analysis_incomplete") unknown++;
     else clean++;
   }
-  return { block, warn, clean };
+  return { block, warn, unknown, clean };
 }
 var import_jsx_runtime17, WrapperVerdictLine;
 var init_WrapperVerdictLine = __esm({
@@ -52020,6 +52292,7 @@ var init_WrapperVerdictLine = __esm({
       const parts = [];
       if (counts.block > 0) parts.push(`${counts.block} block`);
       if (counts.warn > 0) parts.push(`${counts.warn} warn`);
+      if (counts.unknown > 0) parts.push(`${counts.unknown} unknown`);
       if (counts.clean > 0) parts.push(`${counts.clean} clean`);
       return /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Box_default, { flexDirection: "row", children: [
         /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { color, children: [
@@ -52118,6 +52391,14 @@ var init_WrapperApp = __esm({
             showDetails && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Box_default, { marginTop: 1, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ResultsView, { result: state.result, config, durationMs: state.result.durationMs }) }),
             !state.dgForce && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ConfirmPrompt, { message: "", onConfirm: handleConfirm, onReject: handleReject })
           ] });
+        case "incomplete":
+          if (state.proceed) {
+            return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { color: "yellow", children: [
+              state.message,
+              " Proceeding with install."
+            ] });
+          }
+          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
         case "installing":
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Spinner2, { label: labels.installing });
         case "done":
@@ -52197,26 +52478,33 @@ function parseCondaArgs(args) {
 async function resolveTopLevel(_parsed) {
   return { resolved: [], failed: [] };
 }
-async function runStaticConda(args) {
+async function runStaticConda(args, ecosystem, config) {
   const parsed = parseCondaArgs(args);
-  if (process.stderr.isTTY && parsed.shouldScan) {
+  if (parsed.shouldScan && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+    process.stderr.write(
+      import_chalk18.default.red(import_chalk18.default.bold("  \u2717 BLOCKED: ")) + import_chalk18.default.red(`${ecosystem} packages cannot be scanned (the scanner backend does not support this ecosystem).
+`) + import_chalk18.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing to install unscanned packages. Use --mode warn or --dg-force to bypass.
+
+`)
+    );
+    return 2;
+  }
+  if (parsed.shouldScan && process.stderr.isTTY) {
     process.stderr.write(
-      import_chalk18.default.yellow(`\u2139\uFE0F  DG: conda packages aren't yet scanned (conda-forge isn't supported in the scanner backend yet).
-`) + import_chalk18.default.dim(`   Passing through to real conda. Use \`dg verify\` for individual pypi-known packages.
+      import_chalk18.default.yellow(`\u2139\uFE0F  DG: ${ecosystem} packages aren't yet scanned (the scanner backend doesn't support this ecosystem yet).
+`) + import_chalk18.default.dim(`   Passing through to real ${ecosystem}. Use \`dg verify\` for individual pypi-known packages.
 
 `)
     );
   }
-  const real = resolveRealBinary("conda");
+  const real = resolveRealBinary(ecosystem);
   if (!real) {
-    process.stderr.write(`dg: real conda not found on PATH
+    process.stderr.write(`dg: real ${ecosystem} not found on PATH
 `);
     return 127;
   }
-  const nonce = readNonce();
-  const env3 = nonce ? { ...process.env, DG_SHIM_ACTIVE: nonce } : { ...process.env };
   return await new Promise((resolve3) => {
-    const child = spawn5(real, parsed.rawArgs, { stdio: "inherit", env: env3 });
+    const child = spawn5(real, parsed.rawArgs, { stdio: "inherit", env: childInstallEnv() });
     child.on("close", (code) => resolve3(code ?? 1));
     child.on("error", () => resolve3(1));
   });
@@ -52596,7 +52884,11 @@ function parseUvArgs(args) {
     for (let i = argStart; i < filtered.length; i++) {
       const arg = filtered[i];
       if (arg === "-r" || arg === "--requirement") {
-        if (i + 1 < filtered.length) i++;
+        const file = filtered[i + 1];
+        if (file !== void 0) {
+          i++;
+          packages.push(...parseRequirementsFile(file));
+        }
         continue;
       }
       if (arg.startsWith("-")) {
@@ -52757,9 +53049,7 @@ function emitJson(config, result) {
   process.stdout.write(JSON.stringify(result, null, 2) + "\n");
 }
 function shimSentinelEnv3() {
-  const nonce = readNonce();
-  if (!nonce) return process.env;
-  return { ...process.env, DG_SHIM_ACTIVE: nonce };
+  return childInstallEnv();
 }
 async function spawnRealBinary(adapter7, args) {
   const real = resolveRealBinary(adapter7.realBinaryName);
@@ -52804,8 +53094,46 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
     );
   }
+  const isRequirementsInstall = adapter7.apiKind === "pypi" && (parsed.rawArgs.includes("-r") || parsed.rawArgs.includes("--requirement"));
+  let pinnedArgs = parsed.rawArgs;
+  if (adapter7.apiKind === "npm") {
+    pinnedArgs = pinTopLevelArgs(parsed.rawArgs, parsed.packages, resolved);
+  } else if (!isRequirementsInstall) {
+    pinnedArgs = pinPipArgs(parsed.rawArgs, parsed.packages, resolved);
+  }
+  if (isRequirementsInstall && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+    if (!config.json && !config.quiet) {
+      process.stderr.write(
+        import_chalk19.default.red(import_chalk19.default.bold("  \u2717 BLOCKED: ")) + import_chalk19.default.red(`a -r requirements install cannot be pinned to the exact scanned versions.
+`) + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing (would risk a resolve\u2192install mismatch). Use --mode warn or --dg-force to bypass.
+
+`)
+      );
+    }
+    emitJson(config, {
+      ecosystem: adapter7.ecosystem,
+      packages: [],
+      scanVerdict: "scan_failed",
+      installRan: false,
+      installExitCode: null,
+      error: { code: "unpinnable_requirements", message: "-r requirements install cannot be pinned to exact versions" }
+    });
+    return 2;
+  }
+  if (isRequirementsInstall && !config.json && !config.quiet) {
+    process.stderr.write(
+      import_chalk19.default.dim(`  Note: -r requirements install cannot be pinned to exact versions; installing as specified.
+`)
+    );
+  }
+  const installArgs = injectIgnoreScripts(pinnedArgs, {
+    isNpmFamily: adapter7.apiKind === "npm",
+    strict: config.strict,
+    dgNoScripts: parsed.dgNoScripts
+  });
   let scanSet = resolved;
   let treeOk = true;
+  let treeError;
   if (adapter7.resolveTransitive) {
     const tree = await adapter7.resolveTransitive(parsed);
     if (tree.ok && tree.packages.length > 0) {
@@ -52825,15 +53153,36 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
         );
       }
-    } else if (!tree.ok && !config.json && !config.quiet) {
+    } else if (!tree.ok) {
       treeOk = false;
+      treeError = tree.errorMessage ?? "unknown";
+    }
+  }
+  if (!treeOk && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+    if (!config.json && !config.quiet) {
       process.stderr.write(
-        import_chalk19.default.dim(`  Transitive resolution unavailable (${tree.errorMessage ?? "unknown"}); scanning top-level only.
+        import_chalk19.default.red(import_chalk19.default.bold("  \u2717 BLOCKED: ")) + import_chalk19.default.red(`could not enumerate transitive dependencies (${treeError}); they would install unscanned.
+`) + import_chalk19.default.dim(`  --mode block \u21D2 refusing install. Use --mode warn or --dg-force to bypass.
+
 `)
       );
     }
+    emitJson(config, {
+      ecosystem: adapter7.ecosystem,
+      packages: [],
+      scanVerdict: "scan_failed",
+      installRan: false,
+      installExitCode: null,
+      error: { code: "tree_resolution_failed", message: treeError ?? "transitive resolution failed" }
+    });
+    return 2;
+  }
+  if (!treeOk && !config.json && !config.quiet) {
+    process.stderr.write(
+      import_chalk19.default.dim(`  Transitive resolution unavailable (${treeError}); scanning top-level only.
+`)
+    );
   }
-  void treeOk;
   let result;
   try {
     if (adapter7.apiKind === "npm") {
@@ -52859,10 +53208,10 @@ async function runEcosystemWrapper(adapter7, args, config) {
       });
       return 1;
     }
-    if (config.mode === "block" && !parsed.dgForce) {
+    if ((config.mode === "block" || config.strict) && !parsed.dgForce) {
       process.stderr.write(
         import_chalk19.default.red(`  \u2717 DG scan failed: ${err.message}
-`) + import_chalk19.default.dim(`  --mode block + scan failure \u21D2 refusing install. Use --mode warn or --dg-force to bypass.
+`) + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} + scan failure \u21D2 refusing install. Use --mode warn or --dg-force to bypass.
 
 `)
       );
@@ -52874,7 +53223,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
         installExitCode: null,
         error: { code: "scan_failed", message: err.message }
       });
-      return 3;
+      return 2;
     }
     if (!config.json && !config.quiet) {
       process.stderr.write(
@@ -52882,7 +53231,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
       );
     }
-    const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
+    const code2 = await spawnRealBinary(adapter7, installArgs);
     emitJson(config, {
       ecosystem: adapter7.ecosystem,
       packages: [],
@@ -52911,7 +53260,7 @@ ${installLine}
       }
       process.stderr.write("\n");
     }
-    const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
+    const code2 = await spawnRealBinary(adapter7, installArgs);
     emitJson(config, {
       ecosystem: adapter7.ecosystem,
       packages: packagesFromResult(result, topLevelNames),
@@ -52958,7 +53307,7 @@ ${installLine}
     } else if (!config.json && !config.quiet) {
       process.stderr.write(import_chalk19.default.dim("  Proceeding (non-interactive).\n"));
     }
-    const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
+    const code2 = await spawnRealBinary(adapter7, installArgs);
     emitJson(config, {
       ecosystem: adapter7.ecosystem,
       packages: packagesFromResult(result, topLevelNames),
@@ -52986,7 +53335,7 @@ ${installLine}
 
 `));
       }
-      const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
+      const code2 = await spawnRealBinary(adapter7, installArgs);
       emitJson(config, {
         ecosystem: adapter7.ecosystem,
         packages: packagesFromResult(result, topLevelNames),
@@ -53024,11 +53373,38 @@ ${installLine}
     });
     return 2;
   }
-  const code = await spawnRealBinary(adapter7, parsed.rawArgs);
+  const refuseHard = config.mode === "block" || config.strict;
+  const unverifiedList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+  if (refuseHard && !parsed.dgForce) {
+    if (!config.json) {
+      process.stderr.write(
+        `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG could not verify")} ${unverifiedList} \u2014 analysis incomplete.
+` + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing install (unverified is not safe). Use --mode warn or --dg-force to bypass.
+
+`)
+      );
+    }
+    emitJson(config, {
+      ecosystem: adapter7.ecosystem,
+      packages: packagesFromResult(result, topLevelNames),
+      scanVerdict: "analysis_incomplete",
+      installRan: false,
+      installExitCode: null,
+      error: { code: "analysis_incomplete", message: "scanner could not fully analyze the install set" }
+    });
+    return 4;
+  }
+  if (!config.json && !config.quiet) {
+    process.stderr.write(
+      import_chalk19.default.yellow(`  \u26A0 DG could not fully verify ${unverifiedList} (analysis incomplete). Proceeding with install (mode=${config.mode}).
+`)
+    );
+  }
+  const code = await spawnRealBinary(adapter7, installArgs);
   emitJson(config, {
     ecosystem: adapter7.ecosystem,
     packages: packagesFromResult(result, topLevelNames),
-    scanVerdict: "skipped",
+    scanVerdict: "analysis_incomplete",
     installRan: true,
     installExitCode: code
   });
@@ -53044,6 +53420,9 @@ var init_wrapper_factory = __esm({
     init_install();
     init_audit_dispatcher();
     init_allowlist();
+    init_wrapper_shared();
+    init_npm_wrapper();
+    init_pip_wrapper();
   }
 });
 
@@ -53264,7 +53643,7 @@ async function main() {
       const v = args[ecoArgIdx + 1];
       if (v === "npm" || v === "pypi") ecosystem = v;
     }
-    const { runNpmPublishCheck: runNpmPublishCheck2, runPypiPublishCheck: runPypiPublishCheck2, renderPublishCheckResult: renderPublishCheckResult2 } = await Promise.resolve().then(() => (init_publish_check(), publish_check_exports));
+    const { runNpmPublishCheck: runNpmPublishCheck2, runPypiPublishCheck: runPypiPublishCheck2, renderPublishCheckResult: renderPublishCheckResult2, publishCheckExitCode: publishCheckExitCode2 } = await Promise.resolve().then(() => (init_publish_check(), publish_check_exports));
     const { existsSync: existsSync25 } = await import("node:fs");
     const { join: join15 } = await import("node:path");
     if (ecosystem === "auto") {
@@ -53294,7 +53673,7 @@ async function main() {
     } else {
       process.stderr.write(renderPublishCheckResult2(result));
     }
-    if (result.action === "block" || result.action === "block" && force) {
+    if (result.action === "block") {
       try {
         const reasonIdx = args.indexOf("--dg-force-reason");
         const bypassReason = reasonIdx >= 0 ? args[reasonIdx + 1] : void 0;
@@ -53314,9 +53693,7 @@ async function main() {
       } catch {
       }
     }
-    if (result.action === "block" && !force) process.exit(2);
-    if (result.action === "analysis_incomplete") process.exit(4);
-    process.exit(0);
+    process.exit(publishCheckExitCode2(result.action, force));
   }
   if (rawCommand === "hook") {
     const { handleHookCommand: handleHookCommand2 } = await Promise.resolve().then(() => (init_hook(), hook_exports));
@@ -53520,10 +53897,8 @@ async function handleWrapInternal(argv) {
   const ecoTyped = ecosystem;
   const spawnReal = async (real, args) => {
     const { spawn: spawn7 } = await import("node:child_process");
-    const { readNonce: readNonce3 } = await Promise.resolve().then(() => (init_install(), install_exports));
-    const nonce = readNonce3();
-    const env3 = nonce ? { ...process.env, DG_SHIM_ACTIVE: nonce } : { ...process.env };
-    const child = spawn7(real, args, { stdio: "inherit", env: env3 });
+    const { childInstallEnv: childInstallEnv2 } = await Promise.resolve().then(() => (init_install(), install_exports));
+    const child = spawn7(real, args, { stdio: "inherit", env: childInstallEnv2() });
     return await new Promise((resolve3) => {
       child.on("close", (code) => resolve3(code ?? 1));
       child.on("error", () => resolve3(1));
@@ -53573,7 +53948,7 @@ async function handleWrapInternal(argv) {
   }
   if (ecosystem === "conda" || ecosystem === "mamba") {
     const { runStaticConda: runStaticConda2 } = await Promise.resolve().then(() => (init_conda_wrapper(), conda_wrapper_exports));
-    return await runStaticConda2(wrapperArgs);
+    return await runStaticConda2(wrapperArgs, ecosystem, config);
   }
   const adapterImports = {
     pnpm: () => Promise.resolve().then(() => (init_pnpm_wrapper(), pnpm_wrapper_exports)),